{"id":270,"date":"2019-02-09T17:50:52","date_gmt":"2019-02-09T17:50:52","guid":{"rendered":"https:\/\/freezion.com\/?p=270"},"modified":"2023-01-20T17:58:03","modified_gmt":"2023-01-20T17:58:03","slug":"setting-up-the-nuand-bladerf-on-mac-os-x-for-bluetooth-low-energy-ble-hacking","status":"publish","type":"post","link":"https:\/\/freezion.com\/?p=270","title":{"rendered":"Setting Up The Nuand BladeRF On Mac OS X for Bluetooth Low Energy (BLE) Hacking"},"content":{"rendered":"\n<p><em>(Cross-posted to <\/em><a href=\"https:\/\/www.peerlyst.com\/posts\/setting-up-the-nuand-bladerf-on-mac-os-x-for-bluetooth-low-energy-ble-hacking-jason-ross\"><em>peerlyst.com<\/em><\/a><em>) <\/em><\/p>\n\n\n\n<p>This is a quick guide to getting the Nuand BladeRF software defined radio (SDR) up and running on Mac OS X. The end goal is to have an environment that can be used to perform basic Bluetooth Low Energy (BLE) hacking. The initial focus will be getting it set up to perform BLE scanning and advertising. <\/p>\n\n\n\n<p>A note on formatting: I&#8217;ve&nbsp;<strong>bolded<\/strong>&nbsp;commands that should be entered at the command prompt. Any other code-formatted content is output from running the commands, shown for reference.<\/p>\n\n\n\n<p>Here are the steps needed:<\/p>\n\n\n\n<p>1. Install the dependencies, clone the repo, compile the software:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><strong>brew install libusb pkgconfig cmake libtecla<br \/>git clone --recursive <a href=\"https:\/\/github.com\/Nuand\/bladeRF.git\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/github.com\/Nuand\/bladeRF.git<\/a><br \/>cd bladeRF\/host<br \/>mkdir build ; cd build<br \/>cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=\/opt\/local ..<br \/>make<br \/>sudo make install<\/strong><\/pre>\n\n\n\n<p>2. 
Make sure the device is recognized by the system:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ <strong>bladeRF-cli -p<\/strong><br \/>&nbsp; Description: &nbsp; &nbsp;Nuand bladeRF<br \/>&nbsp; Backend: &nbsp; &nbsp; &nbsp; &nbsp;libusb<br \/>&nbsp; Serial: &nbsp; &nbsp; &nbsp; &nbsp; 7ddf0461b8c6cb36ffe8358189bc5d1d<br \/>&nbsp; USB Bus: &nbsp; &nbsp; &nbsp; &nbsp;20<br \/>&nbsp; USB Address: &nbsp; &nbsp;6<\/pre>\n\n\n\n<p>3. Download the most recent&nbsp;<a href=\"http:\/\/www.nuand.com\/fpga_images\/\" rel=\"noreferrer noopener\" target=\"_blank\">FPGA image<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Make sure you get the correct version for your FPGA size.&nbsp;<\/li><li>You can get the size by running: `<strong>bladeRF-cli -e info<\/strong>`<\/li><li>Look for a line similar to: `<em>FPGA size: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;40 KLE<\/em>`<\/li><\/ul>\n\n\n\n<p>4. Set up FPGA auto-loading so you don&#8217;t have to load the image manually every time you reconnect the SDR:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Create the Nuand directory: `<strong>mkdir -p $HOME\/.Nuand\/bladeRF\/<\/strong>`<\/li><li>Move the FPGA image to the Nuand directory: `<strong>mv $HOME\/Downloads\/hostedx40-latest.rbf $HOME\/.Nuand\/bladeRF\/hostedx40.rbf<\/strong>`<\/li><\/ul>\n\n\n\n<p>5. Run the CLI, and you will likely see a warning message, followed by the bladeRF command prompt:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">$ <strong>bladeRF-cli<\/strong><br \/><br \/>table not found. 
Manual gain control will be used instead.<br \/>[INFO @ \/&lt;redacted&gt;\/bladeRF\/host\/libraries\/libbladeRF\/src\/board\/bladerf1\/bladerf1.c:1706] To enable AGC, see \"Generating a DC offset table\" at <a href=\"https:\/\/github.com\/Nuand\/bladeRF\/wiki\/DC-offset-and-IQ-Imbalance-Correction\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/github.com\/Nuand\/bladeRF\/wiki\/DC-offset-and-IQ-Imbalance-Correction<\/a><br \/>bladeRF&gt;<\/pre>\n\n\n\n<p>6. Set up the AGC. This can be done either manually each time, or a table can be created:<\/p>\n\n\n\n<p>&nbsp; 1. To set the AGC manually:<\/p>\n\n\n\n<p>&nbsp; &nbsp; 1. Set the frequency you wish to use. Since BLE uses 2.4 GHz, we&#8217;ll want to use that. In the example below, we set the frequencies to BLE Frequency Channel 37, which is used for BLE advertising. Channel 37 is centered at 2402 MHz, so we can set transmit to 2401 MHz, and receive to 2402 MHz:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&nbsp; &nbsp; bladeRF&gt; <strong>set frequency tx 2401M<\/strong><br \/><br \/>&nbsp; &nbsp; &nbsp; TX1 Frequency: 2401000001 Hz (Range: [237500000, 3800000000])<br \/><br \/>&nbsp; &nbsp; bladeRF&gt; <strong>set frequency rx 2402M<\/strong><br \/><br \/>&nbsp; &nbsp; &nbsp; RX1 Frequency: 2401999999 Hz (Range: [237500000, 3800000000])<\/pre>\n\n\n\n<p>&nbsp; &nbsp; 2. Set the gain (we set it to 8 dB here. There&#8217;s nothing magic about that, I picked it on a whim):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&nbsp; &nbsp; bladeRF&gt; <strong>set rxvga2 8<\/strong><br \/>&nbsp; &nbsp; &nbsp; Note: This change will not be visible until the channel is enabled.<br \/>&nbsp; &nbsp; &nbsp; Setting RX1 rxvga2 gain to 8 dB<br \/>&nbsp; &nbsp; &nbsp; &nbsp; rxvga2: &nbsp; &nbsp;6 dB (Range: [0, 30])<\/pre>\n\n\n\n<p>&nbsp; &nbsp; 3. 
Calibrate the LMS module:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&nbsp; &nbsp; bladeRF&gt; <strong>cal lms<\/strong><br \/>&nbsp; &nbsp; &nbsp; LPF tuning module: 23<br \/><br \/>&nbsp; &nbsp; &nbsp; TX LPF I filter: 27<br \/>&nbsp; &nbsp; &nbsp; TX LPF Q filter: 39<br \/><br \/>&nbsp; &nbsp; &nbsp; RX LPF I filter: 30<br \/>&nbsp; &nbsp; &nbsp; RX LPF Q filter: 30<br \/><br \/>&nbsp; &nbsp; &nbsp; RX VGA2 DC reference module: 25<br \/>&nbsp; &nbsp; &nbsp; RX VGA2 stage 1, I channel: 37<br \/>&nbsp; &nbsp; &nbsp; RX VGA2 stage 1, Q channel: 45<br \/>&nbsp; &nbsp; &nbsp; RX VGA2 stage 2, I channel: 30<br \/>&nbsp; &nbsp; &nbsp; RX VGA2 stage 2, Q channel: 33<\/pre>\n\n\n\n<p>&nbsp; &nbsp; 4. Run the DC offset calibration routines (look for `Error` values to be near 0):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&nbsp; &nbsp; bladeRF&gt; <strong>cal dc rx<\/strong><br \/><br \/>&nbsp; &nbsp; RX DC I: Value = &nbsp; 352, Error = &nbsp;0.456<br \/>&nbsp; &nbsp; RX DC Q: Value = &nbsp; 640, Error = &nbsp;0.265<br \/><br \/>&nbsp; &nbsp; bladeRF&gt; <strong>cal dc tx<\/strong><br \/><br \/>&nbsp; &nbsp; TX DC I: Value = &nbsp;-208, Error = &nbsp;0.347<br \/>&nbsp; &nbsp; TX DC Q: Value = &nbsp; 160, Error = &nbsp;0.349<\/pre>\n\n\n\n<p>&nbsp; 2. To generate a table:<\/p>\n\n\n\n<p>&nbsp; &nbsp; 1. Run the&nbsp;<em>cal<\/em>&nbsp;command. 
This will take some time, and should be done after the bladeRF has been running a bit so it is properly warmed up:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&nbsp; &nbsp; bladeRF&gt; <strong>cal table dc rx<\/strong><br \/>&nbsp; &nbsp; Calibrated @ &nbsp;237500000 Hz: I= 384 (Error: 3.63), Q= 224 (Error: 0.95) &nbsp; &nbsp; &nbsp;DC-LUT: Max (I=-46, Q=-38) Mid (I= &nbsp;7, Q= 10) Min<br \/>&nbsp; &nbsp; Calibrated @ &nbsp;247500000 Hz: I= 384 (Error: 2.44), Q= 224 (Error: 1.81) &nbsp; &nbsp; &nbsp;DC-LUT: Max (I=-43, Q=-39) Mid (I= &nbsp;7, Q= 10) Min<br \/>&nbsp; &nbsp; Calibrated @ &nbsp;257500000 Hz: I= 384 (Error: 0.81), Q= 224 (Error: 0.30) &nbsp; &nbsp; &nbsp;DC-LUT: Max (I=-41, Q=-39) Mid (I= &nbsp;8, Q= 10) Min<br \/>&nbsp; &nbsp; ...<br \/>&nbsp; &nbsp; Done.<\/pre>\n\n\n\n<p>&nbsp; &nbsp; 2. Once complete, check the current directory on the file system. There should be a file named `<em>&lt;serial #&gt;_dc_rx.tbl<\/em>`.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>For example: Using the device shown in the&nbsp;<em>info<\/em>&nbsp;command above, the file name would be `<em>7ddf0461b8c6cb36ffe8358189bc5d1d_dc_rx.tbl<\/em>`<\/li><\/ul>\n\n\n\n<p>&nbsp; &nbsp; 3. Move the file to the Nuand directory:&nbsp;<strong>mv 7ddf0461b8c6cb36ffe8358189bc5d1d_dc_rx.tbl $HOME\/.Nuand\/bladeRF<\/strong><\/p>\n\n\n\n<p>That&#8217;s all there is to it. Now when you run `<em>bladeRF-cli<\/em>`, the FPGA will be auto-loaded, and the AGC table will be loaded as well, leaving you ready to rock. 
In a future post, I&#8217;ll talk about where to go next to start listening to beaconing BLE devices near you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>(Cross-posted to peerlyst.com) This is a quick guide to getting the Nuand BladeRF software defined radio (SDR) up and&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-270","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=270"}],"version-history":[{"count":1,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/270\/revisions"}],"predecessor-version":[{"id":293,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/270\/revisions\/293"}],"wp:attachment":[{"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}