Wednesday, August 7, 2013
SDR Showdown: HackRF vs. bladeRF vs. USRP
This and next year look like the golden age of Software Defined Radio! With three new Software Defined Radios being released by three different companies, there is a lot of choice in terms of hardware. This article compares the HackRF produced by Great Scott Gadgets, the bladeRF produced by nuand, and the USRP produced by Ettus.
The HackRF is developed by Michael Ossmann, who also developed Ubertooth, which is really the first and only Bluetooth sniffer available on a hacker budget. Michael has a history of developing great open source hardware for hackers. The HackRF has been in development for many months and Michael has distributed 500 HackRF beta units for free to hackers around the world. Currently he is working on revisions for the production release of the HackRF which is now being sold on his Kickstarter campaign. This will be the least expensive complete Software Defined Radio on the market, and it will be able to tune to a huge portion of the radio spectrum to boot.
The bladeRF Kickstarter campaign was successfully funded and all of those units have been shipped. The bladeRF provides access to a large portion of the radio spectrum along with a large FPGA and fast USB3 link. The developers have invested heavily into their clocking architecture and provide a VCTCXO that has been calibrated within 50 ppb. All of the components were designed to be in sync so that no ClockTamer is necessary. This device is available for purchase right now from the nuand website.
Originally this article compared the Ettus USRP B100 and the N210 to the HackRF and the bladeRF. When I sent the earlier revision of this article to the company for fact checking, they informed me that a new USRP, the B200 and B210, were due for release very soon and sent me a B210 from their R&D department. Since then I revised this article to include information about the B210, and the product has just been released for shipping!
Ettus is probably the oldest Software Defined Radio producer around and they have made many different products and revisions. Their B210/B200 is drastically different from all of their old products because it is a single board solution, rather than a mother/daughterboard combination. It uses USB3 and can tune to a huge portion of the spectrum. The B210/B200 also has a header for a newly designed GPSDO (not included) so that it can be tamed to a few ppb. The B210 is also Ettus's first board that will be fully capable of 2x2 MIMO by itself. I will be doing some testing of the B210, so be sure check back on this blog for my testing results! Also, I've taken some high resolution images of the board for you to gawk at :)
With that introduction, dive in below for a blow-by-blow comparison in the Software Defined Radio Showdown!
Specs
| HackRF | bladeRF | USRP | ||||
| x40 | x115 | B100 Starter | B200 | B210 | ||
| Radio Spectrum | 30 MHz – 6 GHz | 300 MHz – 3.8 GHz | 50 MHz – 2.2 GHz [1] | 50MHz – 6 GHz | ||
| Bandwidth | 20 MHz | 28 MHz | 16 MHz [2] | 61.44 MHz [3] | ||
| Duplex | Half | Full | Full | Full | 2x2 MIMO | |
| Sample Size (ADC/DAC) | 8 bit | 12 bit | 12 bit / 14 bit | 12 bit | ||
| Sample Rate (ADC/DAC) | 20 Msps | 40 Msps | 64 Msps / 128 Msps | 61.44 Msps | ||
| Interface (Speed) | USB 2 HS (480 megabit) | USB 3 (5 gigabit) | USB 2 HS (480 megabit) | USB 3 (5 gigabit) | ||
| FPGA Logic Elements | [4] | 40k | 115k | 25k | 75k | 150k |
| Microcontroller | LPC43XX | Cypress FX3 | Cypress FX2 | Cypress FX3 | ||
| Open Source | Everything | HDL + Code Schematics | HDL + Code Schematics | Host Code [5] | ||
| Availability | January 2014 | Now | Now | Now | ||
| Cost | $300 [6] | $420 | $650 | $675 | $675 | $1100 |
| [1] – Separate daughterboards are required to receive/transmit. The WBX transceiver is included in this kit [2] – Half this if 16 bit samples are used [3] – 56 MHz for single half duplex channel, 30.72 MHz per channel full duplex [4] – There is a CPLD on the board, but no FPGA [5] – Ettus confirmed that the HDL + Code + Schematics will be released for the B210/B200 [6] - Estimated retail price, cheaper though Kickstarter |
Radio Spectrum
The HackRF and the USRP B210 can tune to a huge amount of the radio spectrum. The HackRF can tune about 20 MHz lower than the B210/B200, but both devices can tune as high as 6 GHz. The B210/B200 transceiver is largely based on the AD9361 IC, which can tune from 70 MHz to 6 GHz, based on available information from the manufacturer. So it looks like the the B210/B200 will be using the chip slightly out of spec to get down to 50 MHz. The HackRF on the other hand uses many different components rather than a single IC for tuning. If you look at the schematics, you will find a hodgepodge of chips each designed to operate in a certain portion of the spectrum, which are then connected by at least six radio frequency switches, if I count correctly. Hopefully all of these added components will not add too much noise to the system.
Additionally, the HackRF is bundling the Ham It Up, up converter, to one of their Kickstarter packages for a $35 upcharge. This device will allow the HackRF to tune as low as 300 KHz, and is available for purchase by itself as well, for about $43. Because the lower frequency limits of the HackRF, B210/B200, and WBX daughterboard (in the B100 starter kit) are similar, I imagine that Ham It Up will work with these devices as well.
For the older USRP B100, different daughterboards are used to access different portions of the spectrum. The WBX daughterboard is included with the starter kit, and is able to tune from 50 MHz to 2.2 GHz. However new duaghterboards can be swapped in, such as the CBX which can tune up to 6 GHz. The downside to this approach is that the BX series duaghterboards, when purchased separately, cost more than the HackRF or the lower end bladeRF.
Finally there is the BladeRF which can tune from 300 MHz to 3.8 GHz thanks to the LMS6002D. This single chip is responsible for the majority of the radio work. It contains all of the mixers, ADCs, DACs and more. It is comparable to the AD9361 used in the B210/B200. However with this single chip approach, it is unlikely that the bladeRF will ever be able to tune higher than 3.8 GHz. This means that you won't be able to see any 802.11n traffic in the 5 GHz band. Currently there are plans to release an expansion board that will allow the device to tune down to 10 MHz, but that is still in the works.
Duplex
It should be noted that the HackRF is not capable of full duplex communication unlike the other boards. This means that in order to switch from receive to transmit and vice versa, commands must be sent from the controller every time. This is only supposed to take microseconds when the decision to switch is made by the microcontroller, but in the case of complex signals being processed on the PC, it could take a lot longer to switch.
The bladeRF and the USRP B210/B200 are both full duplex and should not have any issues with two way communication. The B100 motherboard also supports duplex. Some of the older daughterboards used by the B100 are not full duplex, but the WBX (which is included in the starter kit) and the other BX series boards (W, S) will do full duplex just fine.
According the the documentation on github, the B200 will have one full duplex channel. The B210 on the other hand actually has two receivers and two transmitters. The purpose of this is for a 2x2 MIMO configuration. Both receivers must be tuned to the same frequency and both the transmitters must be tuned to the same frequency (possibly different than the receivers). The purpose of this to spacial diversity and the multipath nature of wireless signals, to transmit more data. Having a pair of receive antennas communicate with a pair of transmitting antennas on the same frequency frequency will actually allow more data to be transmitted. This technology is implemented in 4G LTE and 802.11n.
It should be noted that while transmitting and receiving at the same time, the transmitter will likely cause a lot of noise on the receiver for every board, since the receiver and transmitter reside very close to one another.
Communication
The method of communication is important to the implementation of a Software Defined Radio because it determines how much data can be transmitted to a host and if it can be transmitted reliably. Both the USRP B100 and the HackRF rely on USB 2.0 High Speed. Due to USB overhead, this limits the peak data transmission speed to about 35 MBytes/second. However since most of us have more than just our SDR plugged in to USB ports, the bus must be shared with all devices in the network. If you think your going to store your SDR samples on a USB Hard Drive, you are dreaming. Most likely samples will begin being lost as you transmit more data.
Both the bladeRF and the USRP B210/B200 use USB 3.0, which is capable of moving 400 MBytes/second after overhead is taken into account. This should be more than enough for the SDR. However if some other device is hogging the bus, it could still cause lost samples if the buffers get overfilled, however it seems much less likely.
One potential issue with USB 3.0 is the interference it may cause. Intel warns of potential interference on the 2.4 GHz band with USB 3.0 devices and they give some advice on shielding. Basically, giving your SDR a tin foil hat will help, but this could still be an issue for Software Defined Radios. The developers of the bladeRF and the B210/B200 both have done extensive testing on the devices and do not believe this to be an issue for the devices. The bladeRF actually comes with a can around the RF components and copper cans can easily be added to the B210/B200. Additionally, the huge ground plains are obvious when looking at the B210/B200 and will help shield even without cans.
After testing the USRP B210, it had issues with the ASMedia controller in my computer and the device would only really work on a USB 2 port. The developers at Ettus actually warned me that ASMedia USB 3 doesn't conform to standards before I even received the device. This may prove to be an issue for some people. I got around the issue by buying a PCIe USB 3 card with a VL805 controller, which cost about $20 and worked just fine. Since the bladeRF uses the same FX3 chip, it too may not like ASMedia controllers, unless its kernel module takes care of this issue somehow.
 |
| HackRF, a controlling an RC car |
ADC/DAC
The sample size of the ADC and DAC plays an important role in how precise your sample will be. Adding a single bit is effectively doubling the precision. So when the HackRF uses an 8 bit DAC and the USRP B100 uses a 14 bit DAC, it is effectively 64 times the precision. How much does this actually matter? Well, a cheap RTL-SDR can receive NOAA satellite images and it receives 8 bit samples, so a lot can be done with the small samples, but larger samples will definitely help. Better antennas and gain settings will help a lot with this as well.
Another issue with the the ADCs and DACs is how fast they can take samples. The larger the number of samples, the more bandwidth they can process. Many older technologies can get away with using very slow ADCs and DACs. For example AM radio, FM radio, and GSM channels can all be demodulated just fine with a 1 Msps ADC. However high bandwidth digital signals such as WiFi a/b/g need at minimum a 20 Msps ADC/DAC. In fact the only board that would be capable of receiving the 40 MHz 802.11n channel is the USRP B210/B200. However processing such large chunks of data in real time will be quite a challenge. In fact even storing the data fast enough could be troubling.
Bandwidth
Software Defined Radios produce more data than they know what to do with. Transporting all of the data to a PC is one of the main bottlenecks of an SDR. This is clearly an issue with the USRP B100 and the HackRF and this is reflected in the amount of bandwidth that can be analyzed. With USB 3.0 this bottleneck is definitely widened, and more samples can be transmitted across the lines for the bladeRF and the B210/B200. Even though the bladeRF and the B210/B200 use the same USB 3 controller, the bladeRF will not be able to capture the same amount of bandwidth due to the bandpass filtering limitations of the LMS6002D. There is talk on their forums of being able to disabling this filter all together so that an external hardware filter can be used. This would likely increase the devices bandwidth to the ADC/DAC sampling rate. The filter sizes of the B210/B200 will effectively allow 56 MHz on any given channel.
FPGA
So how is all of this data going to be made useful to us? It needs to be transmitted to a PC for processing, or the devices themselves need to take care of the processing. In terms of computation power, it seems like the bladeRF and the USRP B210/B200 are the front runners. Both these devices have large FPGAs as well as an FX3 microcontroller. The B210 has a Spartan 6 LX150 FPGA with 150k logic elements and based on the file size of the B200's bitstream, it has a LX75 FPGA with 75k logic elements. The bladeRF has a Cyclone 4 FPGA with the x40 having 40k logic elements and the x115 having 115k logic elements. The USRP B100 has a relatively small FPGA, with 25k logic elements. The HackRF has a CPLD, but no FPGA, relying primarily on the onboard microcontroller.
The number of logic elements correlates directly with how powerful the FPGA is, so obviously the more the merrier. The advantage of an FPGA is that processing can be done in parallel, rather than serial. The downside is that FPGAs often clock slower than microcontrollers, and the designs are created by the user and may not be as efficient if the creator is not well versed in HDL.
Some of the usage statistics for older USRPs are reported on their FAQ page . Based on these numbers and the fact that the B100 is relatively small, I would imagine that it will have very little room for user designs. The B210/B100 FPGAs however are probably mostly empty and likely will have room for a lot of user designs. The makers of the bladeRF have reported that the x40 FPGA is currently only about 15% utilized, so there will be a lot of room for user designs as well. The FPGAs act first as an intermediary between the ADC/DAC and the FX3 controller but also provides DSP and logic resources that can apply digital filters, basebands, etc. Out of the box, Ettus also has up/down converters, deciminators and interpolators in their UHD implementation. I have not looked into bladeRF, but it is likely they have the same.
One notable difference between the FPGAs is that Ettus uses Xilinx chips while nuand uses Altera chips, so they have different features. Xilinx DSP blocks in the FPGA have more features than Altera, including a preadder , multiplier and accumulator, while Altera FPGAs only have a multiplier in their DSP modules. This means the adders will likely need to be implemented in the logic fabric, and the same design in an Altera FPGA could take more logic elements than it would in a Xilinx FPGA. Also Altera has less RAM available per logic element than Xilinx does. The Altera chips may run into memory concerns later, but given the size of the FPGA, the onchip memory might be enough. It should also be noted that the LX150 in the B210 is not supported in the free Xilinx ISE, while the LX75 in the B200 and the Altera FPGAs all have free development tools.
I wanted to note the prices of the FPGAs. The x40 Cyclone IV costs about $100, and the x115 Cyclone IV costs about $315. These priced are based on the available prices on Digi-Key and are probably not what the manufacturer pays. This shows that the nuand really isn't making a premium of their higher end model, it's just what it costs.
Microcontroller
All of the boards mentioned here have powerful microcontrollers, with the exception of the USRP B100. On the B100, the FX2 is used for the USB2 link to the host and only has 16 kilobytes of RAM for the code/data. The bladeRF and the B210/B200 actually share the same microcontroller, the FX3, for dealing with the USB3 link. The HackRF has a dual core LPC43XX for handling its USB2 link and controlling the radio hardware.
The HackRF microcontroller runs at 204 MHz and it made by NXP. It has an ARM M4 core and a M0 coprocesser. It contains a 64 kilobyte boot ROM and 264 kilobytes of SRAM. This chip has a lot of responsibility. It is responsible for sending and receiving data over the USB link as well as controlling all of the radio components on the board. There are plans to add decimation and interpolation code to the microcontroller as well. The choice to do this on the microcontroller rather than the FPGA will allow people to make quick changes using C, rather than working with HDL. With the PortaPack as a display aid, the microcontroller on the HackRF is capable of headlessly (no computer necessary) becoming a spectrum analyzer, and more headless applications are expected as well.
The FX3 used in the bladeRF and the B210/B200 contains a 200 MHz microcontroller with a ARM926EJ-S core. This chip has a GPIF that, once set up, will allow the ARM core to be mostly idle. It contains a 512 kilobyte SRAM and no ROM. The chip can be bootstrapped in a number of ways, including from USB. In fact this is the way firmware is often loaded. The bladeRF also has a 4 megabyte SPI Flash, which will contain the code for the microcontroller and the FPGA, while it is running headless. The B210 prototype that I have, has only a 32 kilobyte EEPROM which is used for storing settings and has no flash device. Without flash, running headless will be pretty difficult for the B210/B200. The developers at nuand hope to be able to run OpenBTS and OpenLTE headless on the bladeRF. The folks at Ettus have already implemented LTE on the B210 with the aid of a computer with a Core i7, but doubt that it will be able to run on the FX3.
| |
| bladeRF used to control a RC Helicopter |
Community
Software Defined Radio is a massive idea that has been in the works for over a decade. The community that uses the device is as important as the device itself. These are the people that provide support for new designs. These are the people that bring and share innovations to the field. Theses are the people that keep you from reinventing the wheel. So it is important that companies which produce Software Defined Radios embrace the community and provide support to the community. One of the easiest ways to do this is to open the source and open the hardware. The following sections highlight how these companies have allowed hackers to hack!
Source
The software is a very important aspect when choosing an SDR. Luckily all of the boards mentioned support GNU Radio, which contains a vast amount of source code which is free and open source. It also contains a nice GUI for quick development and testing. The drivers for HackRF and bladeRF are a part of the driver package gr-osmosdr , the same package used to communicate with the RTL-SDR dongles. The bladeRF portion was just added within the last few weeks, so be sure to update your code for bladeRF support. HackRF has been part of the package for a while. The gr-uhd package itself is part of GNU Radio, but relies on the UHD driver libraries which are provided separately by Ettus.
All of the code, HDL files and schematics are freely available for all of the SDR platforms, with exception of the unreleased B210/B200, however HackRF goes above and beyond in this aspect and provides all of the KiCad files used to produce the board, including the schematics in their original form (not PDF) and the PCB layout. The USRP B100 and bladeRF schematics are provided in PDF form and I expect the same level of openness will apply to the B210/B200 as well. This extra bit provided by the HackRF will come in handy for allowing others to help refine the HackRF design and will also be a great learning aid to the community. I imagine it would be easy reuse parts of the design unique radio products, learning from the previous revisions of the HackRF.
The USRP has a distinct advantage in terms of available code. It has been available since around 2006 and has had many years to develop and be adopted. In fact many academic papers have been published based on the use of the USRP and GNU Radio. This created a lot of novel uses and novel code. The UHD, used by all of the USRPs, has had a lot of time to be refined and added to. Since all USRPs use the UHD, it means that if one product gets a new feature, they all do, as long as the hardware can support it. Much of the code uses GNU Radio and should be portable, however if it has only been tested on a USRP, it might not quite function as planned on other devices. That being said, the support for the USRP in GNU Radio is second to none. Ettus actually released a free Linux image with GNU Radio and a bunch of other tools installed, which makes setting up a SDR environment a snap. It is designed with the UHD in mind, but adding support for gr-osmosdr should be easy since all of the required libraries are already installed.
HackRF has been around for considerably less time than the USRP and is only beginning to develop a code base, but is showing great progress. It should work well with GNU Radio, but testing is ongoing. HackRF also has an advantage, it has followers! At least 500 HackRF beta units have already been distributed for free to hackers everywhere and at the time of writing, 1100 units have been ordered from the Kickstarter campaign. It is very likely that these people will have the skills and be able to add to the code base of the HackRF. There is a difference between hackers and academics, although there is overlap, I see the hackers being able to contribute a large amount of great code to the cause.
The nuand team just recently released the GNU Radio driver for the bladeRF. I estimate that close to 400 people received a bladeRF from their Kickstarter campaign. There are probably also a lot of people that have ordered from their website as well since the bladeRF is now shipping. This group of people will definitely be able to add to the code base and some will probably own both a HackRF and a bladeRF. Still, the developers seem to be making progress on the code and also seem open to suggestions from owners of bladeRF units. Since the bladeRF and the USRP B210 are similarly designed with a FX3, a large FPGA and a single chip RF transceiver, I imagine there can be a lot of code sharing between the platforms. The Xilinx/Altera divide might make things difficult, but I imagine that with enough hackers, the bladeRF could also run the UHD and benefit from Ettus's years in the field.
Hardware
One of the great things about the HackRF is the openness of everything involved, including the hardware. This definitely contributes to its hackability. One possible issue with the B210/B200 is the AD9361. Little information is available on this IC and the Analog Devices website only provides a 1 page data breif on the device. This makes it much more difficult for people other than Ettus employees to interface with the device without signing an NDA. However the developers at Ettus told me that their drivers will be open source. Other than this chip, it looks like documentation is available for the rest of the ICs on the B210/B200. The LMS6002D used on bladeRF provides a 15 page datasheet and a 45 page programming and calibration guide, which will come in handy for developers.
| |
| USRP prepping to run OpenBTS at Burning Man |
Final Thoughts
The HackRF is a great platform for accessing a huge portion of the radio spectrum at a great price. It is open source everything. This means KiCad files too! The downsides to this board is that is does not have an FPGA and it connects over USB2. It also has a relatively small sample size in terms of the ADC/DAC. That being said, Michael Ossmann has a history of delivering. This product will be very hacker friendly and very wallet friendly as well.
The bladeRF is all about the speed with it's huge FPGA and USB3 connection. It has access to a large portion of the spectrum, but cannot tune quite as high as the other solutions. The resolution of the ADC/DAC is great and so is the available bandwidth. I would recommend this board to people who want to run headless applications and don't need access to higher frequencies.
The USRP B100 is an older product from Ettus and will have trouble if large bandwidth applications are required. It is expandable through daughterboards that can be swapped out, and will likely be compatible with future Ettus daughterboards, which may expand to frequencies over 6 GHz. This board interfaces with the UHD and will have great support. This B100 starter kit is the same price as the B200, and covers a smaller portion of the spectrum and has a USB 2 connection. I would only recommend this if you have specific applications that require the B100, or if you have custom daughterboards or plan to make some.
The USRP B210/B200 can tune to a huge portion of the spectrum and can provide a tremendous amount of bandwidth to the host. It has a huge FPGA and a a fast USB3 connection. However its AD9361 is not hacker friendly due to the lack of information. The B210/B200 are the most expensive options being reviewed. However, many of the features of this board are competitive with the high end N210 offered by Ettus. The B210 is the first board that fully supports 2x2 MIMO. Overall, I believe the B210/B200 will be the most powerful Software Defined Radio on the market and will be well supported by Ettus. I would recommend these devices to anybody who needs huge chunks of bandwidth in a huge portion of the spectrum, but does not need a headless device.
Overall, it looks like we will have three great new Software Defined Radios this and next year. I look forward to seeing what great innovations people will produce when they get started on their devices. I have put weeks into researching and reviewing these devices and there is a lot I was not able to fit into this article, so if you have any questions, ask them in the comments! Thanks for reading and stop back for my testing results of the B210!