GSoC 2015 Project Ideas - greatscottgadgets/misc GitHub Wiki

Ubertooth

ANT and ANT+ Protocol Monitoring

ANT is a widely used wireless protocol, often found in sporting equipment; ANT+ is an advanced version of the protocol that implements device profiles on top of ANT. The goal of this project would be to add ANT and ANT+ protocol support to the Ubertooth One device. The project would consist of one or more of the following:

  1. Passive ANT packet receiver, involving host code and firmware for the Ubertooth. (Language: mostly C)

  2. Passive ANT+ reception, based on [1], extracting additional information such as device profiles and network layout. This will require extracting data from received ANT packets and displaying it appropriately, perhaps in Wireshark. (Language: preferably C, maybe Python)

  3. ANT packet injection, using an Ubertooth to inject packets into ANT connections. For timing reasons this will most likely need to be implemented in firmware on the Ubertooth. (Language: C)

Potential mentor: Dominic Spill

Daisho

All-Channel Bluetooth Monitoring

Using Daisho as a high-bandwidth Software Defined Radio platform, implement simultaneous passive monitoring of all 79 classic Bluetooth channels. Daisho hardware, including a pre-release front-end module for 2.4 GHz radio reception, will be provided to the student by Great Scott Gadgets. HDL for the Daisho FPGA and other software will be developed by the student. The project may consist of one or more of the following phases:

  1. Stream radio samples over USB 3.0 to the host computer. Post-process the data with gr-bluetooth and libbtbb and pass Basic Rate (BR) Bluetooth packets to Wireshark for analysis.

  2. Implement Enhanced Data Rate (EDR) decoding in gr-bluetooth and libbtbb.

  3. Channelize the 79 Bluetooth channels using a polyphase filter in the FPGA.

  4. Implement a GFSK demodulator in the FPGA, instantiated 79 times, and stream demodulated Bluetooth baseband data to the host computer.

  5. Perform packet detection (either on the FPGA or using libbtbb on the host computer) for real-time all-channel Basic Rate Bluetooth monitoring using the demodulated baseband data streams.

  6. Implement EDR demodulation on the FPGA. Fully monitor all classic Bluetooth (Basic Rate and EDR) packets on all 79 channels in real-time with packets visualized in Wireshark.

  7. Implement Bluetooth Low Energy (LE) monitoring. This will be very similar to Basic Rate monitoring.

A student well suited to this project would have some C experience, some FPGA experience, and some DSP experience.

Potential mentor: Michael Ossmann

Protocol Analysis Software?

Any Wireshark dissectors needed? Anything that can be done differently than dumping into Wireshark?

HackRF

RF-Disciplined Oscillator

Many radio signals are transmitted with high stability time sources. These include WWV, WWVB, and other time stations; GPS and other GNSS systems; and GSM and other cellular systems. Develop a software tool based on GNU Radio that can extract frequency information from any of several such sources and can be used to discipline a reference oscillator in software. Provide an example application that uses two clock-synchronized HackRF Ones, one to receive the time reference signal and one to transmit or receive another signal with carrier frequency and symbol clock disciplined in software. Port the capability to firmware for HackRF One, allowing a single HackRF to produce an RF-disciplined 10 MHz reference clock output on the CLKOUT port.
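
The "discipline in software" step above, as an added example that is not from the wiki page or the HackRF project: it assumes the two HackRF Ones share one oscillator, so one relative clock error e (actual = nominal x (1+e)) applies to both the LO and the ADC clock. The reference tone's apparent baseband offset gives e, and e is then used to correct the carrier offset and samples-per-symbol of the second receiver. The tone samples are constructed inline; the function names are this example's own.

```python
import cmath
import math

def make_tone(freq_hz, fs_hz, n_samples, amplitude=1.0):
    """Constructed complex baseband tone (stand-in for captured IQ samples)."""
    step = 2 * math.pi * freq_hz / fs_hz
    return [amplitude * cmath.exp(1j * step * n) for n in range(n_samples)]

def estimate_tone_offset_hz(samples, fs_hz):
    """Frequency of the dominant tone from the mean phase increment between
    consecutive samples (argument of sum x[n]*conj(x[n-1])); valid for |f| < fs/2."""
    acc = 0j
    for prev, cur in zip(samples, samples[1:]):
        acc += cur * prev.conjugate()
    return cmath.phase(acc) * fs_hz / (2 * math.pi)

def fractional_clock_error(observed_offset_hz, reference_hz):
    """Assumed model: LO = reference_hz*(1+e), so a reference transmitted at
    exactly reference_hz lands at baseband -reference_hz*e. The ADC clock shares
    the same e, which only adds a second-order (1+e) factor ignored here."""
    return -observed_offset_hz / reference_hz

def discipline(samples, fs_hz, nominal_center_hz, clock_error):
    """Undo the carrier offset (-nominal_center_hz*e) that a second receiver on
    the same clock sees when tuned nominally to nominal_center_hz, by mixing
    with a correcting software NCO."""
    step = 2 * math.pi * nominal_center_hz * clock_error / fs_hz
    return [s * cmath.exp(1j * step * n) for n, s in enumerate(samples)]

def samples_per_symbol(fs_hz, symbol_rate_hz, clock_error):
    """Symbol clock discipline: the ADC really runs at fs*(1+e), so a true
    symbol rate R occupies fs*(1+e)/R samples in the captured stream."""
    return fs_hz * (1 + clock_error) / symbol_rate_hz

if __name__ == "__main__":
    FS = 100_000.0                       # constructed capture sample rate
    E_TRUE = 10e-6                       # constructed 10 ppm oscillator error
    # 10 MHz reference (e.g. WWV) tuned nominally: appears at -100 Hz
    ref = make_tone(-10e6 * E_TRUE, FS, 4096)
    e = fractional_clock_error(estimate_tone_offset_hz(ref, FS), 10e6)
    # second receiver tuned nominally to 2.4 GHz sees its signal at -24 kHz
    other = make_tone(-2.4e9 * E_TRUE, FS, 4096)
    fixed = discipline(other, FS, 2.4e9, e)
    print("estimated e: %.3e, residual offset: %.4f Hz, sps: %.4f" % (
        e, estimate_tone_offset_hz(fixed, FS), samples_per_symbol(FS, 10_000.0, e)))
```

The phase-increment estimator is cheap enough to run continuously on the reference stream, so e can be tracked over time rather than measured once; the CLKOUT firmware port mentioned above would replace the software NCO with an adjustment of the hardware clock.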

Potential mentor: Michael Ossmann

802.11 on HackRF

Other

Advanced Signal Visualization and Analysis

Interest in Software-Defined Radio (SDR) is intensifying in the hacker community. Software for locating, visualizing, and dissecting unknown target signals is lacking at present. I propose creating an open framework for viewing wideband signal captures, identifying and extracting interesting features, and analyzing those features to obtain the data within:

  1. Display simultaneous spectrogram and time-domain views of a captured signal.
  2. Ability to select regions of the frequency- or time-domain view for deeper analysis. This includes support for 2D selection within the spectrogram to eliminate signals outside the frequency range of interest.
  3. Demodulation view, showing the selected signal's instantaneous amplitude, frequency, and other characteristics.
  4. Signal analysis, allowing symbol filters to be applied to the target signal.
  5. Symbol filter processing options to combine the symbol filter outputs into a symbol stream suitable for clock and symbol recovery.
  6. Clock recovery view which allows manual grid placement of symbol timing, or application of algorithmic clock recovery.
  7. Recovered bits output.
  8. GNU Radio flow graph generation from the symbol and clock recovery parameters.
  9. Analyze the entire capture file (or another capture file) using the obtained parameters.
  10. Statistical analysis of the recovered bits (the candidate data from the analysis) to identify likely packet length(s), preamble/access code/header/ID fields, CRC/checksum fields, and data field boundaries.

I have already done some preliminary work on this, including:

  1. Identification of signals against the noise floor.
  2. ASK/OOK and FSK demodulation algorithms with tweakable parameters.
  3. Somewhat successful attempts at identifying modulation characteristics.
  4. Heuristics and techniques for identifying bit encoding (e.g. Manchester vs. differential Manchester), data field delineation, CRC vs. checksums vs. parity vs. check fields.
  5. Viewing and zooming of spectrograms of large capture files.
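
The bit-encoding heuristics in item 4 and the packet-structure statistics in item 10 of the framework list, as an added example that is not part of the wiki page or the author's preliminary work: it decodes a recovered chip stream under Manchester and differential Manchester hypotheses, estimates the frame length from the stream's self-similarity, and tests which CRC-8 polynomial explains the trailing byte. Conventions assumed: IEEE 802.3 Manchester polarity (bit 0 = chips 1,0; bit 1 = chips 0,1) and differential Manchester with a cell-boundary transition meaning 0. The frames are constructed inline; the CRC candidate list and all function names are this example's own.

```python
# Assumed conventions: IEEE 802.3 Manchester polarity; differential Manchester
# with a boundary transition = 0, no transition = 1, mid-cell transition always.

def manchester_encode(bits):
    out = []
    for b in bits:
        out += [0, 1] if b else [1, 0]
    return out

def manchester_decode(chips, offset=0):
    """Decode from chip `offset`; None if any cell lacks a mid-cell transition,
    i.e. this alignment/encoding hypothesis does not fit the stream."""
    bits, cells = [], chips[offset:]
    for i in range(0, len(cells) - 1, 2):
        a, b = cells[i], cells[i + 1]
        if a == b:
            return None
        bits.append(1 if (a, b) == (0, 1) else 0)
    return bits

def differential_manchester_encode(bits, level=0):
    out = []
    for b in bits:
        if b == 0:
            level ^= 1            # transition at the cell boundary encodes 0
        out.append(level)
        level ^= 1                # mid-cell transition is always present
        out.append(level)
    return out

def differential_manchester_decode(chips, level=0):
    bits = []
    for i in range(0, len(chips) - 1, 2):
        a, b = chips[i], chips[i + 1]
        if a == b:
            return None
        bits.append(0 if a != level else 1)
        level = b
    return bits

def classify_encoding(chips):
    """Chip alignments at which every cell has a transition; [] means the
    stream is not a Manchester-family encoding (try NRZ or another clock)."""
    return [off for off in (0, 1) if manchester_decode(chips, off) is not None]

def find_period(bits, min_len=8, max_len=None):
    """Smallest shift L (in bits) at which the stream best matches itself;
    for repeated fixed-length frames this is the frame length."""
    max_len = max_len or len(bits) // 2
    best_len, best_score = None, -1.0
    for L in range(min_len, max_len + 1):
        pairs = len(bits) - L
        score = sum(bits[i] == bits[i + L] for i in range(pairs)) / pairs
        if score > best_score:
            best_len, best_score = L, score
    return best_len

def bits_to_bytes(bits):
    return [int("".join(map(str, bits[i:i + 8])), 2)
            for i in range(0, len(bits) - 7, 8)]

def crc8(data, poly, init=0x00):
    """Non-reflected CRC-8 (init and xorout 0); poly 0x07 is the common
    CRC-8/SMBUS variant (check value 0xF4 for "123456789")."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

CANDIDATE_POLYS = (0x07, 0x31, 0x9B, 0xD5)   # example's own candidate list

def identify_crc8(frames):
    """Polynomials for which the last byte of every frame is the CRC-8 of the
    preceding bytes; checking several frames makes a chance match unlikely."""
    return [p for p in CANDIDATE_POLYS
            if all(crc8(f[:-1], p) == f[-1] for f in frames)]

def analyze(chips):
    offsets = classify_encoding(chips)
    if not offsets:
        return None
    bits = manchester_decode(chips, offsets[0])
    frame_len = find_period(bits)
    frames = [bits_to_bytes(bits[i:i + frame_len])
              for i in range(0, len(bits) - frame_len + 1, frame_len)]
    return {"alignment": offsets[0], "frame_bits": frame_len,
            "frames": frames, "crc_polys": identify_crc8(frames)}

# Constructed sample: three back-to-back frames <0xAA preamble, payload, CRC-8/0x07>
PAYLOAD = [0xAA, 0x12, 0x34, 0x56]
FRAME = PAYLOAD + [crc8(PAYLOAD, 0x07)]
FRAME_BITS = [(byte >> (7 - k)) & 1 for byte in FRAME for k in range(8)]
CHIPS = manchester_encode(FRAME_BITS * 3)

if __name__ == "__main__":
    print(analyze(CHIPS))
```

Both Manchester variants guarantee a mid-cell transition, so the alignment test alone cannot separate them; decoding under each hypothesis and keeping the one whose output shows a clean frame period and a CRC match is the practical tie-breaker, which is why the period and CRC checks follow the decode here.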

Potential mentor: Jared Boone, ShareBrained Technology

Pentoo on the Beagle Bone Black?

PCIe stuff?