Yeah, some of you who might have been at OsmoDevCon last year might already know about Osmo-FL2K. I finally found some time to actually clean up the code and fix some remaining bugs. It's already committed, but the repository is not yet set to public... it is now, okay, great.

So, for some of you who might not yet know what we're talking about: those are basically USB 3 to VGA adapters, which look like this. I'm going to talk in a minute about why the ones with the FL2000 chip from a company called Fresco Logic are quite interesting. They come in quite different shapes and sizes; here are two of them. This black one, for example, can be found on eBay, Amazon, AliExpress and sites like that for around five to ten dollars. Then there are those smaller ones in a dongle size; they are a bit more expensive, but also only like 15 dollars.

The main idea behind this is basically transmitting RF signals with VGA, using the harmonics of the VGA DAC to transmit those signals. This idea actually has a very long history. I think the first publicly documented approach on the internet was by a guy called Erik Thiele, who published Tempest for Eliza. He was transmitting AM radio with a CRT monitor still attached, so probably the monitor was mainly doing the transmitting. It was just, I think, an X Window application which output black and white patterns so that you actually had AM radio at a couple of megahertz. Then in 2005 Fabrice Bellard took the approach even further: he attached a piece of wire to, I think, an ATI Radeon graphics card and transmitted DVB-T and analog TV. He wrote his own OFDM modulator that encodes an MPEG transport stream into DVB-T and then transmitted it by changing the X server configuration to basically just output one long line.

And then there are a couple of others. There's a project called VGASIG by a guy called Bartek Kania; he was transmitting wideband FM, stereo even. And some guys at the German hackerspace called Das Labor even built a PCB with an IQ modulator and baseband filters and did some experimentation with how to speed up upsampling in software and so on, and they also had some success with that. A similar idea which is quite popular these days is rpitx, which basically uses a pin of the Raspberry Pi for high-speed PWM where the frequency is modulated. They put the data in there via DMA, and there's all kinds of software for that, even for transmitting FM with RDS, or for using the harmonics to transmit in the 400 MHz band.

But when trying to use VGA there's one major problem: you have the H-sync and V-sync gaps. This stems from the old days when you used CRT monitors: the cathode ray needed some time to get back for each line (horizontal synchronization) and to go back up to the top left (vertical synchronization). So there's this front porch, back porch and the V-sync pulse, and there basically all the graphics cards just blank the actual data; there's nothing output on the actual color DACs. If we are using this for SDR, this basically means those are lost samples, and this is not user controllable. This is very bad, especially for analog modulation types. OFDM can sort of cope with it, like Fabrice Bellard presented with his DVB-T, because you integrate over the symbol duration, so it isn't really affected that much.

Which brings us to USB VGA adapters. There are two main manufacturers that I'm aware of. One is DisplayLink; they already built ones for USB 2 a couple of years ago, and they are quite popular. The design is basically a classical graphics card with a USB interface, so you have a frame buffer RAM and a DAC, and the frame buffer is just filled via the USB interface. If the USB connection has some issues, the picture might hang, but there's still something output. But a company called Fresco Logic took a different approach; they even patented it. This is the more or less software-defined VGA: the frame buffer is residing in host memory, in the DDR memory of the host, and the image is just constantly being streamed via USB 3.0. Which also means you need USB 3.0, because they have a fallback mode with USB 2.0 where they use some RLE compression and the resolution is then limited to 800 by 600; for everything higher you need USB 3.0. And if you happen to have a bad USB 3.0 host controller, which really makes a difference (there are some benchmarks on that), then it might be that your screen is flickering or doesn't work at all. So I wouldn't actually use it for VGA, but this approach makes the adapters very cheap, because you have no external RAM; you basically have a single-chip solution. So this sounds very interesting for further investigation, and that's why I took a closer look at it.

This is a picture of one of those adapters taken apart, so the actual hardware. As you can see, the main chip is this Fresco Logic FL2000DX chip, and it actually comes in two different versions. This one is called 1L0, which has a smaller TQFN package and just the VGA output pins. But there's also one which exposes basically a 24-bit RGB interface where you can attach an HDMI interface chip, so there are even adapters which have this larger chip and then have VGA output, DVI output and HDMI output. They even do stuff like output audio; then they use... here in the middle you see this is the classic USB 2.0 connection, or one of those, I don't know which one, and probably they just insert another IC in there, a USB 2.0 hub, to attach an audio interface IC. So those adapters are quite large, but then you also get audio. But this isn't really interesting for our use case.

Some of them even have a small eight-megabyte SPI flash IC where they store the Windows driver, and it enumerates as a mass storage device as well, so you can basically attach it to any Windows machine and then you also have the driver on there. This is kind of annoying under Linux, because you need to detach the kernel driver first, or blacklist it for this device, because otherwise the connection might just drop when somebody accesses the SPI flash. Some of the cheaper adapters don't have this flash, since it costs something, but you can also just desolder it and populate, I think, this resistor here with 10k, and then the flash is disabled and there's also no endpoint.

Q: Did you try installing Osmo-FL2K on the flash?

A: Um, yeah, for later maybe. It would be interesting to just do a very small Linux kernel, just boot from it and stream out the content.

So, reverse engineering this: I basically took the same approach as when I wrote the initial version of RTL-SDR. Just use a VirtualBox VM with Windows in there and the original driver installed, forward the USB device to the machine, sniff the USB traffic with Wireshark on Linux, and then just try to replay those USB transfers and see what happens. Then remove stuff until it doesn't work anymore, so you figure out what's really needed, and then play with the register contents and see what changes and what happens. So I then basically figured out where the H-sync and V-sync stuff is set, and also figured out the actual format in the USB buffer, which is kind of weird, by basically using a full-screen picture in the VM with just one red pixel at the top left, for example, and then looking at Wireshark and seeing, okay, this must be the first pixel. Then I actually tried to understand how the PLL is set up with a 32-bit register. I played with the values in there to get to a structure, just attached an oscilloscope and saw what frequencies were output, and then deduced from that how to set the PLL.

After quite some experimentation I basically ended up with this. This is just a 100 MHz oscilloscope, so it's quite band limited; I was outputting a 150 MHz signal here. As you can see, I got completely rid of H-sync and V-sync, but there were still a couple of samples lost. At this point I had already played around and transmitted DAB successfully; I mean, it's OFDM, so I think six samples were missing here and this is easily fixed by the receiver. But of course, for example when transmitting wideband FM, you had a crackle with a certain period, and it took me quite some time to figure out what was going wrong. At this point it wasn't even clear if it's possible at all to output a continuous stream of samples. But I looked again at the Wireshark traces and I noticed that the last URB of the USB transfer was actually smaller than all the other URBs. This was because I was using full HD resolution, so the biggest buffer size the device can support, but actually this isn't a multiple of the URB size. The URB is basically the smallest transfer unit of a USB transfer on the bus; the transfer is split into those URBs on the lowest layer. So then I used a resolution where, in this case, 1280 times 1024 times three colors is exactly the URB size times 64, so an even multiple, and this worked. The result is basically 150 MHz (on some Intel chips that's even up to 156 MHz) and a three-channel 8-bit DAC with a USB interface, without any lost samples. And of course you can use this for lots of different applications.

So now we have a library called libosmo-fl2k which can initialize the device and set the sample rate by configuring the PLL, and you can feed it with 8-bit signed or unsigned samples; it does the conversion of the buffer format. It even uses zero-copy buffers, which are quite neat; not that new anymore, they have been in libusb for quite some time, and I think starting with Linux kernel 4.6, or 4.11 even, it's supported by the Linux kernel. This reduces the CPU load quite a bit, because you save all this copy_to_user / copy_from_user, in this case with up to 450 megabytes per second.

This library comes with a couple of applications, similar to the structure of rtl-sdr. There's fl2k_file, which just streams a file with samples to the device and repeats it; you can actually disable this via the command line if you just want to output this file once. Then there's fl2k_tcp, which just takes TCP input and streams it to the device; for example, you can use a GNU Radio TCP sink and use that to stream to the device. And there's fl2k_fm, which works in real time, even on not-so-powerful hardware; for example, I tested it on the Galaxy S5, which actually has USB OTG support, and it can be used together with SoX to transmit wideband FM. The actual modulation code was taken from the VGASIG project which I mentioned earlier, from 2009; the FM modulation code basically works by using a DDS and then changing the modulation frequency. Just last week I implemented the RDS support, which is from another project called PiFmRds, where they used this rpitx thing, so RDS is working there as well now. I also ported rtl_test, which is now called fl2k_test, and which can be used to determine the clock inaccuracy of those dongles. They are not really worse than RTL-SDR; it's like plus or minus 20 ppm or something like that.

What's still needed is basically an efficient upsampler to upsample from baseband rate to 150 MHz or 130 MHz in real time. Hoernchen started with it, but there's still some more work needed to make the filter better. If you have a powerful enough machine it actually works with a GNU Radio flow graph in real time; I did that by basically streaming it over TCP into fl2k_tcp, so this works as well.

I did quite some testing with different signals. For example, wideband FM is working with fl2k_fm; DAB with samples generated by ODR-DabMod; DVB-T; GSM with samples from OsmoTRX, where I took samples from the OpenBTS transceiver; LTE; and surprisingly even GPS, which is then already the 11th harmonic of the main DAC signal, so it's really weak, but GPS receivers are quite sensitive, and it works nicely with gps-sdr-sim.

Just as an example for GSM transmission: I upsampled the samples with GNU Radio and also just used a fractional resampler. My FL2K dongle, for example, has a PPM offset of 15 ppm, and I just resampled this as well, and then you have an accurate enough clock that can be seen by a mobile phone. In this case the synthesized carrier frequency basically contained in the samples is 40.6 MHz, and when using a DAC sample rate of 138 MHz you basically get the first harmonic at 138 plus or minus 40.6, the third harmonic at 414, and so on. The seventh harmonic then is at 966 plus or minus 40.6, where the lower image is at 925.4, which is ARFCN 976. So you can actually receive it on your phone. You don't even need to attach a piece of wire or an antenna, which creates all kinds of interference; if you put it close enough to your receiver it can basically be used to do on-desk testing. You see here, this is the Osmocom monitor tool; I mean, it's really close to the device, but you get minus 78 dBm, and even an Android phone close by sees this signal in the network search.

Further ideas: of course you could connect, for example, an IQ modulator to the dongle. You have three DACs, so two of them are enough to do IQ; attach a low-pass filter to do baseband filtering and then transmit it, which is basically the approach that the guys at Das Labor were taking with a normal VGA card, but they still had the issue of dropped samples, so this is better. Or just attach a reconstruction filter and use it as a lab signal generator. And of course, if you want to do simultaneous transmission, just synchronize the clock with the RTL-SDR somehow, or use a common clock source (the FL2K dongle has a 10 MHz oscillator), and use it as a very cheap transceiver. Of course there's still some buffering going on in the library, because at those high rates, if you do something on the desktop, the transfer will otherwise simply interrupt, so this is something that needs to be worked on to minimize the latency. One thing that could be done, for example, is to use one of the DAC channels to just output 28.8 MHz, so you can actually use that as a clock source for the RTL-SDR, and you would have a synchronized transmitter and receiver.

And there are quite some quality differences between the exact models of those dongles, because the FL2000 chip has two inputs: one is the normal 3.3 volt digital supply and then a 1.2 volt DAC reference voltage. The best devices are actually those which use two LDOs, for both the DAC reference and the digital supply. Here you can see a screenshot of a spectrum analyzer; of course you have some phase noise on there, but otherwise it's kind of clean. Okay, I took a very bad example. If you use one with two switching regulators, you can basically see the signal being modulated with the switching frequency of the regulator; I think in this case it was like a 1.1 MHz switching frequency, and you can just see the harmonics here. So most of the cheap ones actually have switching regulators, but of course you can just solder in an LDO, or try to get a device with LDOs. And this is basically the whole output spectrum up to 500 MHz; I mean, there's lots of harmonics, but you actually can use that to even receive something in the GPS band or in L-band. I think with an SDR I've seen harmonics up to 1.8-something GHz, so there are really lots of harmonics.

Which brings me to the end. You can find more information in the wiki. Any questions?

Q: If you manage to synchronize the RTL-SDR with your transmitter in frequency, did you think about how to synchronize them in time?

A: Yeah, this is of course something that's also an issue. You could just transmit, for example, GSM, and then use some noise or some pilot signal. Or what I also thought about: most of the RTL-SDR dongles these days use the R820T receiver, right, and basically one of the ADCs is unused on the RTL-SDR, the one which they are using for the direct sampling input. As you have three DACs here, which are also synchronized in time, you basically could just use one of them to directly feed the ADC of the RTL-SDR and then just output a pulse, because with the RTL-SDR's set direct sampling mode, or something like this, you can basically switch to the other ADC input on the RTL-SDR. So you basically could use this to do some periodic or initial synchronization.

Q: This is interesting, because I would think about just transmitting something, doing some digital software processing, and then I would get some offset and adjust.

A: Yeah, of course, this is very interesting. This would work as well, but if you want to do it basically without transmitting anything then this would also be an idea. So there are lots of different approaches.

Q: I have a question, especially concerning the problem of synchronizing things. I mean, the H-sync and V-sync signals are still available; couldn't they be used, or are there some problems that prevent the use of that? I mean, that could be used to generate some sync clock or something. The H-sync and V-sync outputs on the VGA, the synchronization outputs, they are already there, and that could be used to synchronize other circuits.

A: Yeah, that would also be possible, but actually in this case there's nothing output anymore, because it's completely disabled, so you would need to enable it again.

Q: Is it somehow difficult, or is it just some flag in the USB package you send in order to enable it?

A: You would need to basically increase the H-sync interval again, and then you have a gap between the samples, which you then need to take into account in the synchronization as well. And I'm not entirely sure if you can change those parameters on the fly.

Q: So enabling the sync would bring us back to the problem where we have the lost samples?

A: Exactly. Okay, so that's the hardware side, but actually, as you have three DACs, you can just put it into the buffer; you can just output a rectangle, a sine, whatever small pulse, so you can do it by software. So yeah, thanks. All right, more questions? All right, then thanks for your attention, and you can find the code, apparently, in the GitHub repository on our GitHub server, and more information in the wiki. Thank you.
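The frequency arithmetic from the GSM example in the talk (138 MHz DAC rate, 40.6 MHz synthesized carrier, seventh harmonic landing at 925.4 MHz, which is ARFCN 976) and the URB-alignment check behind the 1280x1024 resolution choice, as an added Python example that is not part of the talk or of libosmo-fl2k. The E-GSM ARFCN formula is from the GSM 900 channel numbering; the 61440-byte URB size is inferred from the talk's statement that a 1280x1024x3 frame is exactly 64 URBs.

```python
# Added example (not from the talk or libosmo-fl2k): where do the harmonics
# of a carrier synthesized at a given DAC rate land, and which frame sizes
# stream without a short trailing URB.

def harmonic_images(fs_mhz, fc_mhz, max_harmonic=11):
    """Images of a carrier fc synthesized at DAC rate fs sit at n*fs +/- fc.
    Returns (n, lower image, upper image); n = 0 is the fundamental itself."""
    images = [(0, fc_mhz, fc_mhz)]
    for n in range(1, max_harmonic + 1):
        lo = round(n * fs_mhz - fc_mhz, 3)
        hi = round(n * fs_mhz + fc_mhz, 3)
        images.append((n, lo, hi))
    return images

def egsm_downlink_arfcn(freq_mhz):
    """Map a GSM 900 downlink frequency to its ARFCN (P-GSM 0..124,
    E-GSM 975..1023), or None if it is not on the band's 200 kHz grid.
    Uplink = 890 + 0.2*n MHz (n = ARFCN - 1024 for E-GSM), duplex 45 MHz."""
    uplink = freq_mhz - 45.0
    n = round((uplink - 890.0) / 0.2)
    if abs(890.0 + 0.2 * n - uplink) > 1e-6:
        return None                      # off the 200 kHz raster
    if 0 <= n <= 124:
        return n
    if -49 <= n <= -1:
        return n + 1024
    return None

def find_receivable(fs_mhz, fc_mhz, max_harmonic=11):
    """Harmonic images (n, freq, arfcn) that fall on a GSM 900 downlink channel."""
    hits = []
    for n, lo, hi in harmonic_images(fs_mhz, fc_mhz, max_harmonic):
        for f in (lo, hi):
            arfcn = egsm_downlink_arfcn(f)
            if arfcn is not None:
                hits.append((n, f, arfcn))
    return hits

def frame_is_urb_aligned(width, height, bytes_per_pixel, urb_size):
    """A frame whose byte size is not a multiple of the URB size ends in a
    short URB, which is where the talk found its dropped samples."""
    frame_bytes = width * height * bytes_per_pixel
    return frame_bytes % urb_size == 0, frame_bytes

if __name__ == "__main__":
    # Talk's numbers: 138 MHz DAC rate, 40.6 MHz carrier in the samples.
    for n, f, arfcn in find_receivable(138.0, 40.6):
        print(f"harmonic {n}: image at {f} MHz = ARFCN {arfcn}")
    URB_SIZE = 1280 * 1024 * 3 // 64      # inferred from "frame = 64 URBs"
    for w, h in ((1280, 1024), (1920, 1080)):
        ok, nbytes = frame_is_urb_aligned(w, h, 3, URB_SIZE)
        print(f"{w}x{h}x3 = {nbytes} bytes, URB aligned: {ok}")
```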