Hello everyone, I hope you're doing well, this is Sebastien Dudek speaking. Today we'll continue to speak about spectrum analyzers, because sometimes, for EMC tests but also for side-channel attacks, you need to use a spectrum analyzer. And if you use a spectrum analyzer, it's good to look at some properties of a signal, particularly if you want, for example, to go in depth into it (looking at its properties). I mean, generally you would probably use your own tools after retrieving the capture, but if some features already exist to look at these properties, it's probably better to use them at first sight, so you can directly look into that before analyzing the raw capture. And beyond side-channel attacks and EMC tests, the use of a spectrum analyzer can be very helpful to debug what is going on with your transmitter. So let's say, for example, that I want to transmit something with this graph, as you can see here, on 868 MHz. I can also see it here on the screen with the peak search directly, so if I'm just looking at this, for example, I can go to the RT Analysis mode and inspect what is actually transmitted there. I can also go a little bit deeper and look at the digital demodulation, and see that this signal is a QPSK signal, where we can also see some noise showing around it. So this is what you can see with your transmitter, and that allows you to debug what is going on if something is not transmitting well.

Thanks to our partner Versys, and also Harogic, we are able to test it on the PXE-200 we own, and you will see it's very awesome, because you may probably guess that using digital demodulation on a tablet will be a mess, since you have a lot of noise, etc. But you will see that the PXE-200 is well made, and the digital demodulation is working well, of course. If you want as little noise as possible, using an external SA is probably always better, but you can be amazed by the PXE-200, and I also prefer to have this feature on the PXE-200 because, if I want to move around with the tablet, I want to directly look at the properties of the signal instead of using a capture and putting the capture on a laptop or any computer. So yeah! Basically I will test that, and I will also compare it with the BB60D with Spike, so you will also see that some features are still missing, but there have been a lot of improvements from Harogic since my last video. All right, let's go!!!

For side-channel attacks, EMC tests, and all the measurements, here are the devices that I considered the most. For example, on the left you can see the KC908A, which is very, very sensitive from 100 kHz to 10.8 GHz; this is the device that I consider the most. Then there are two devices that I really like: the Harogic, which is very performant, has a very quick sweep speed, and is very, very well made (I mean, if you watched my last video about Harogic, you will be amazed, also about the efficiency), and, for the same price range, the BB60D from SignalHound, which is a little bit more expensive; but what I really like with SignalHound is also the software (Spike). They have very good products and very good software, which is free, for now. I mean, of course this year, or maybe before, in late 2024, they decided to take one free feature and put it behind a $2k per year license, so of course I hope Spike will not be subject to a full license, I mean that all the features will not be licensed at this price, because in the end I would probably just stop using it. But yeah! You will see that Harogic has improved a lot since our last video; the software was also improved a lot, because they included a tablet mode, even for a computer, and also implemented some new tools inside SAStudio4, so you don't need to use a capture, or the API with your own tool, to inspect some properties: if the features already exist, you can use them directly in SAStudio4. You probably also remember that here I also had the Aaronia device (the Spectran V6). That was the Spectran V6, but I had to refund it because the dynamic range was not right, and it gets very noisy because of external noise and also internal noise. So yeah! In the end, I could also listen to Wi-Fi signals and some other signals around with an input load of 15 Ohm, so it was probably not the best device to use for EMC tests and side-channel attacks, but maybe running the device on a very large bandwidth, and for those who just want very quick Wi-Fi tests, it could be very good; but for our purpose, in security, I prefer a tool that has a high dynamic range and doesn't get too much noise.

Also, in our tests I will use the PXE-200 against the generator from SignalHound, the VSG60A, which allows me to generate signals from 50 MHz to 6 GHz, so I will just use one frequency and look at it, and then use the digital demodulation feature from Harogic to see how the PXE-200 and this feature are handling things. For the tests I will use RF Swift, which is a toolbox that includes a lot of tools, and especially the VSG60A tool. So let's run it! I will use RF Swift, I will execute an already made container, and then up! I will just bring it in here like that... Up! So it will be our rftools, okay, this is already here, and VSG60A... all right... we'll just bring the screen there, like that, could be better,
and I will also need to connect the device to my computer, let's do that... right, so now I can actually inject some modulations in here. Basically, I really like to do digital modulation, but you can also choose Bluetooth or some Wi-Fi modulation techniques here, LTE, and so on... Here it only works with Windows, so yeah, some of the mods are also only working with Windows. But! Don't worry. I will first use the digital demodulation like that; so now we are checking that we are using a frequency of 1 GHz here. We can just set RF mode "on", Mod "on", and we're also using QPSK, so we just define the symbols that we want to send, like these ones... Perfect! So 0 to 3, like that, so the symbols 0 0 0 1 1 0 1 1, etc., using those constellations. So after everything is "On", we can also see what is happening there. For example, if I'm just bringing things in here, you can probably see that something is happening; of course, if you go there, then zoom on it, if you want to go to peak search, you will see a peak on the 1 GHz frequency. Then I can go to digital demodulation, I can go to modulation, which is QPSK, like that, and use the right symbol rate; now it is enabled, yeah, sorry, I was actually also missing this little option here. If this little option is not enabled, you can mess things up. But here you can see the QPSK is working properly, and you may probably also guess that I will also zoom on it: you have the constellation, you have the FFT, you have the summary, and you have the eye diagram. Now let's zoom on it!

Using a USB-C to HDMI adapter, I could bring up the screen here. Unfortunately, I'm a little bit dumb about the resolution, so I couldn't bring up what is at the bottom, so you will probably not see the frequency range on which I'm sweeping, but you will be able to see the digital demodulation working. So first, for example, you may see the modulation here. We will just go to 1 MSps like that, and also say, hey! This is a QPSK signal. Then I will use the computer here to also generate a signal. Here I'm just showing you the signal that I'm generating, the QPSK signal here, so this is nicely working. Then I will change it to something else. I will probably just go forward and use maybe, you know, 8PSK like that, let's go! So this is now showing you an 8PSK signal, so we'll also have to move here to PSK8, and as you can see, still here, I may probably boost things with an external clock, so maybe I can decrease the frequency error here a bit. But first, let's see: you have the eye diagram also showing here. So as a first test, I actually chose the BPSK signal; I could also use a 2-FSK signal here, but we will probably see it later. Here in the constellation map you can see the two symbols showing, the 1, I mean the 0 here, and the 1 on the right, so at -1 you have a zero and at +1 you have a one. You also have the FFT showing here, which you can also use if you want, in order to see how large the bandwidth is, so this is one of the tools that you may use to inspect the signal, as well as the FFT. You may also look at the summary, because it shows you the possible bits that have been demodulated, but also the errors, so you may also inspect what is going on with your signal, with your generator, or with the receiver, because problems can happen everywhere. Here we can also see that the frequency error is quite high, and as you know, I'm not using any external reference clock for the moment, so as we are using tablets we may also have some errors generated by that and some other things. Also, we may inspect the eye, because the eye pattern is another tool that may show us the pattern of the signal, so we may inspect which kind of signal we are facing, but also whether there's any issue, thanks to the shape of the eye. We can perform the same tests with a 2-FSK signal, like that for example, or just using the mod type. I can also maybe use a 2-ASK, like that, and specify it in the Mod type, like that. So yeah, here's the shape. I will probably also bring up the eye like that, so you may see it completely. And yeah! There are many things you can do. And if, for example, I want to inspect some more complex modulations like QPSK, and even QAM, I can also do that. This is the QPSK signal here, like that; you can also have QAM16...
Here I will change it, here QAM16, perfect! This is nice, and then also QAM64. Here QAM64, like that. This is wonderful, right! So you also see the eye pattern of that; I mean, this is amazing! And I can actually do that directly on the tablet without having to capture and analyze it with my own tool. I can just move on with the tablet and inspect the signal properties like that, so it's quite amazing and a very, very good improvement for SAStudio4. As you remember, SAStudio4 was not in the same shape before. It was very basic at the beginning, and today it has progressed a lot. So I imagine that features are still a little bit limited here; this is not an issue, but I think that, you know, many other modulations will also be present. Moreover, I think another improvement that would be fine for Harogic to do is, like SignalHound did, to let you create your own demodulator, so you can map the symbols yourself and then try to acquire them yourself. Like that, it will also make the tool very flexible, so if you hear me, Harogic... this is also a perfect improvement! If you do so in the future, that will be perfect.

All right! So here I'm generating some pulses, and I am expecting pulses with a width of 40 microseconds and a period of 500 microseconds, which means a duty cycle of 8%, for example here. So let's just enable it and see; here we can see the pulses, and the duty cycle that we are expecting, so that's kind of nice, because for a tool like that, a very, very compact tool, also affordable and accessible, it is a nice feature to have. I'm very honest, guys! I'm impressed by all the improvements Harogic made on SAStudio4, because before you had to use the API, but they also saw that a lot of people want to directly use the software, so they made a lot of improvements in just a year; it's amazing. So I expect that maybe this software will beat the other software, and especially the Spike software from SignalHound, but let's see what is actually missing on SAStudio4 now compared to Spike.

So, still using RF Swift, I will now use the spectrum analyzer, which is here, not here, but the analyzer, Spike, like that! And I will make an alias for this tool too, to be able to run it directly later. So now we can bring the screen there. I can also show the spectrogram, so like that we have everything, and see! Still, it's very clear that the Spike software is quite nice for measurements, and you can see that in the analysis mode you have digital modulation analysis. So, as we are actually using a QAM64 modulation, let's just use it here. We also have to make sure that the frequency is the right one, like that, and as you can see we are able to see all the bits here, so we have pretty much exactly the same view: we have the eye diagram, the constellation plot, the spectrum plot displaying the FFT, and we have the EVM summary. From my point of view, what is actually good with this view of the EVM summary is also that you have the average and the peak values. You don't have a real-time value. The problem is that with Harogic, for now, we have real-time values, so you don't know exactly what the average value is. It's kind of difficult to read for the moment, but I think this is an improvement for Harogic to make, and I think that they will also do the improvement very quickly, because it just needs an extra column with average and peak. I would probably also display the minimum, maximum and average too. Like that you have all the information, and as you can see here in SignalHound, with the average value you also have the ability to see, for example, what the frequency error is, and the average frequency error is ~50 Hz. So yeah! For a device that is a little bit more external/isolated from a computer, I mean for a device that is not directly embedded with a computer, the frequency error also appears a little bit lower than on the PXE-200 tablet itself, but I may show you another video where the devices are synchronized with a clock, where the frequency error with Harogic is lower than that.

On Spike you also have QAM64, you also have QAM256, but what is also cool is that you can, if you want, customize your own modulation. It may also give you the ability and the flexibility to demodulate many more signals than the ones that are implemented, so that means that if, for example, you know that there are some symbols in the constellation, you can also use this to create your own modulation. For example, for BPSK you have a symbol zero and one that are shown here on the real part, between minus one and one, like that; you may also just mess with things a bit, for example let's say that you also want to play with the imaginary part, you can for example just say, hey! Let's go to Pi/4, right! Something also cool with SignalHound, I mean Spike, is that in the analysis mode you can look at WLAN, Bluetooth LE, and so on; I mean, you know, there are already some features prepared for some complex work. And something that you may find cool is that you can
also look at the coordinates in the constellation plot, like that, so you can put a marker there, which is very cool too. For each screen you have some sub-features, so maybe in the near future we'll be able to see that with Harogic, because we also have some sub-features, but probably a bit limited for the moment compared to SH. But we'll see! Maybe in the future we'll have something very interesting, right! Features that could be very helpful, especially when you're looking at side-channel attacks, where you want to look at harmonics: that could also be a cool thing to have, like a list of harmonics that could be interesting to evaluate and also extract some nice things.

Something a little bit frustrating is that, still on version 3.9.1, you could access the phase noise feature here, so here you could actually measure the phase noise. But since version 4.0.0 you cannot access this feature anymore and you have to pay a license, so if you want to access this feature now you have to pay a license of $2.5k/year, which is too much, because you have to pay it per year, and after 10 years, or I mean 20 years, you could actually buy something quite better. So I hope this is the only feature that will have a license. I hope that they will not remove all features and ask for a license, because I think that people will probably move to another type of device, and if they want to move they can actually move to Harogic, because after a year, if you remember my last video about Harogic, you could see the interface was also very basic, and now the interface has completely changed, and it's nearly full featured; you have the digital demodulation feature, which didn't exist a year ago. So there was a lot of progress after a year, and we may expect many more improvements after some time. And I think that they will get the same maturity as SignalHound later, or even better, because SignalHound also stays with the same interface, which is a little bit old school today compared to this one. But yeah, I mean, there was a lot of progress on the Harogic software, and not only the hardware but also the software is becoming something! You don't have to just use the API or the raw data (IQ) with your own tool, you can directly use the tools included with SAStudio4 for a lot of work.

So I hope that you liked it, and now you also have a better insight into which device may be for you. I've also been able to introduce you to the Harogic device with new features which are incredible, and I think that in the future they will introduce some new features that will just blow your mind completely! But yeah, I have to admit that the PXE-200 is a very mobile device that you can bring everywhere, it is very compact and light, and in the end it is very practical to have this kind of feature inside. So basically, if you are doing tests outside, it's probably one of the perfect devices with a screen that you may have. Unfortunately, the KC908 from Deepace does not have as many features (yet?) as the Harogic has; but the KC908 could also be very good for making captures with a limited bandwidth and a high sensitivity. But, you know, for some larger bands, if you want to inspect a 120 MHz or even more than 120 MHz bandwidth, the PXE-200, with the digital demodulation feature and the pulse detector feature, is a very nice device. The BB60D, for nearly the same price, cannot do the same; it's limited to ~20 MHz bandwidth, and in the end it's complicated, because of course Spike is very good, but still, if I want to go outside and inspect some unknown frequency outside, the sweep is better on the Harogic than on the BB60D. I hope that I've been able to give you enough input to make your choice, and if you have any feedback, don't hesitate to comment it, I mean constructive feedback... Also don't hesitate to thumb up! And subscribe to the channel for new videos. And I hope that you will also enjoy it! So thank you very much for watching, and see you later, bye-bye, thank you! ;)
2025-02-25 18:01
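The video reads the digital demodulation views of SAStudio4 and Spike (constellation, hard-decided symbols, EVM rms/peak, frequency error) off the screen. The following is an added example, written for this page and not code from the video, from Harogic or from SignalHound: it builds the same summary figures in pure Python for the modulations shown (BPSK, QPSK, 8PSK, 16QAM, 64QAM) on a constructed test signal. Everything about the signal model is an assumption of the example: one sample per symbol with no pulse shaping, symbol labels assigned in constellation order without Gray coding, a carrier frequency error modelled as a linearly advancing phase, white Gaussian noise for the SNR, and a decision-directed, least-squares frequency estimate that assumes the total rotation across the capture stays inside the decision regions (a real analyzer tracks the carrier symbol by symbol). The numbers used (1 MSps, 50 Hz error, 30 dB SNR) are only chosen to resemble the setup in the video.

```python
import cmath
import math
import random


def constellation(mod):
    """Reference points, scaled to unit average power, for the modulations
    demodulated in the video. The list index is the symbol value; the
    labelling (constellation order, no Gray code) is an assumption here."""
    if mod == "BPSK":
        pts = [complex(-1, 0), complex(1, 0)]
    elif mod == "QPSK":
        pts = [cmath.exp(1j * (math.pi / 4 + k * math.pi / 2)) for k in range(4)]
    elif mod == "8PSK":
        pts = [cmath.exp(1j * k * math.pi / 4) for k in range(8)]
    elif mod in ("16QAM", "64QAM"):
        m = 4 if mod == "16QAM" else 8
        levels = [2 * i - (m - 1) for i in range(m)]
        pts = [complex(a, b) for a in levels for b in levels]
    else:
        raise ValueError("unsupported modulation: " + mod)
    rms = math.sqrt(sum(abs(p) ** 2 for p in pts) / len(pts))
    return [p / rms for p in pts]


def modulate(symbols, mod):
    """One complex sample per symbol (symbol-rate sampling, no pulse shaping)."""
    pts = constellation(mod)
    return [pts[s] for s in symbols]


def impair(tx, symbol_rate, freq_error_hz, snr_db, seed=1):
    """Apply the two impairments discussed in the video: a carrier frequency
    error (phase advancing by 2*pi*f_err/Rs every symbol) and white Gaussian
    noise at the given SNR (signal power is 1 after constellation())."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)  # noise std per real dimension
    step = 2 * math.pi * freq_error_hz / symbol_rate
    return [s * cmath.exp(1j * step * n) + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            for n, s in enumerate(tx)]


def decide(rx, mod):
    """Hard decisions: nearest constellation point for every sample."""
    pts = constellation(mod)
    return [min(range(len(pts)), key=lambda i: abs(r - pts[i])) for r in rx]


def estimate_freq_error(rx, mod, symbol_rate):
    """Decision-directed estimate: strip the decided modulation, then fit a
    straight line (weighted by reference power) through residual phase versus
    symbol index. Assumes the rotation over the whole capture stays below the
    decision angle, so the hard decisions are right."""
    pts = constellation(mod)
    refs = [pts[k] for k in decide(rx, mod)]
    w = [abs(ref) ** 2 for ref in refs]  # phase noise scales with 1/|ref|
    phi = [cmath.phase(r * ref.conjugate()) for r, ref in zip(rx, refs)]
    n = list(range(len(rx)))
    sw = sum(w)
    n_bar = sum(wi * ni for wi, ni in zip(w, n)) / sw
    phi_bar = sum(wi * pi for wi, pi in zip(w, phi)) / sw
    num = sum(wi * (ni - n_bar) * (pi - phi_bar) for wi, ni, pi in zip(w, n, phi))
    den = sum(wi * (ni - n_bar) ** 2 for wi, ni in zip(w, n))
    return (num / den) * symbol_rate / (2 * math.pi)  # rad/symbol -> Hz


def demodulate(rx, mod, symbol_rate, passes=2):
    """Carrier recovery followed by the figures an analyzer's summary shows:
    decided symbols, EVM rms and peak (in %) and the frequency error (Hz)."""
    total = 0.0
    for _ in range(passes):  # second pass refines with corrected decisions
        f = estimate_freq_error(rx, mod, symbol_rate)
        total += f
        step = -2 * math.pi * f / symbol_rate
        rx = [r * cmath.exp(1j * step * n) for n, r in enumerate(rx)]
    pts = constellation(mod)
    decisions = decide(rx, mod)
    errs = [abs(r - pts[k]) for r, k in zip(rx, decisions)]  # ref power is 1
    evm_rms = 100 * math.sqrt(sum(e * e for e in errs) / len(errs))
    return {"symbols": decisions, "evm_rms_pct": evm_rms,
            "evm_peak_pct": 100 * max(errs), "freq_error_hz": total}


def run(mod, symbol_rate=1_000_000, freq_error_hz=50.0, snr_db=30.0, n=256, seed=7):
    """Constructed test: random symbols at 1 MSps, 50 Hz carrier error, 30 dB SNR."""
    rng = random.Random(seed)
    symbols = [rng.randrange(len(constellation(mod))) for _ in range(n)]
    rx = impair(modulate(symbols, mod), symbol_rate, freq_error_hz, snr_db, seed)
    result = demodulate(rx, mod, symbol_rate)
    result["symbol_errors"] = sum(a != b for a, b in zip(symbols, result["symbols"]))
    return result


if __name__ == "__main__":
    for mod in ("BPSK", "QPSK", "8PSK", "16QAM", "64QAM"):
        r = run(mod)
        print(f"{mod:6s} errors={r['symbol_errors']:3d} EVM rms={r['evm_rms_pct']:.2f}% "
              f"peak={r['evm_peak_pct']:.2f}% freq error={r['freq_error_hz']:.1f} Hz")
```

Running it prints one line per modulation; at 30 dB SNR the EVM rms lands near 3%, the peak a few times higher, and the recovered frequency error within a few hertz of the injected 50 Hz. Raising `freq_error_hz` until the accumulated rotation crosses a decision boundary (sooner for 64QAM than for QPSK) shows why a real analyzer needs proper carrier tracking rather than a single straight-line fit, and lowering `snr_db` shows the EVM and symbol-error figures degrade in the way the summary view in the video would display.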