An engineer's tour of the HackRF One, the PortaPack, and where the Pro fits, with depth indices into Volumes 2–12

Section	Topic
1	About this Series
2	What the HackRF Is — and What It Isn’t
· 2.1	What it is
· 2.2	What it isn’t
· 2.3	Where it sits in tjscientist’s lineup
3	The H2R4 Bundle — What’s on the Bench
· 3.1	What’s in the bundle
· 3.2	Identifying genuine GSG vs clone
· 3.3	The Clifford Heath modified version — a deliberately-improved ‘clone’
4	The HackRF One Hardware Family — How r4 Fits
5	The HackRF Pro — When the Pro Is Worth $400
6	The PortaPack Family — H1 through H4M
7	The Decision Tree — When to Reach for the HackRF
8	The Software Ecosystem — What Talks to a HackRF
9	The Three Currents of Firmware
· 9.1	HackRF firmware (host-facing)
· 9.2	Mayhem firmware (PortaPack-facing)
· 9.3	CPLD bitstream (CoolRunner-II)
10	Cost Reference
11	Where Each Volume Goes Deeper
12	Maintenance, Updates, and Forward-Looking Notes
13	Resources
· 13.1	Authoritative documentation
· 13.2	Mayhem / PortaPack
· 13.3	Software ecosystem
· 13.4	Community
· 13.5	Books and free curricula
· 13.6	In-series cross-references

1. About this Series

This is Volume 1 of a twelve-volume reference for the HackRF One software-defined radio (SDR) and the PortaPack H2 add-on — together commonly sold as the “H2R4” bundle when paired with a HackRF One revision-4 board. The series is written for an engineer’s bench. It treats the user as someone who reads schematics, recognises the parts in a block diagram, knows what a mixer does, and would rather be told that the LO synthesizer is a Qorvo RFFC5072 with a 1.5 Hz step size than be told that “the HackRF can tune to almost any frequency”.

The series is structured by subsystem and workflow rather than by tutorial:

Vol	Title	Audience focus
1	Series Overview, the H2R4 Bundle, and the Upgrade Landscape (this)	What the platform is, where it sits, what’s on the bench
2	The HackRF One RF Chain & the Revision Matrix (r1 → r10)	Schematic-grade RF front-end walk + every PCB rev’s delta
3	The Digital Subsystem — LPC4320, CoolRunner-II CPLD, SGPIO, Clocks	How samples actually move from the ADC to USB
4	Firmware, DFU, Recovery, and Building from Source	hackrf firmware source tree, DFU, `hackrf_spiflash`, version pinning
5	Host Tooling — `hackrf_*` CLI, `libhackrf`, Python	Day-to-day driver, capture, sweep, debug
6	GNU Radio Companion 3.10+ Workflows	osmocom source, common flowgraphs, OOT modules
7	Protocol Analysis — URH, Inspectrum, SigDigger	IQ → bits → packets → state machine, decoders
8	Antennas, LNAs, Filters, and the 8-bit ADC’s Dynamic-Range Budget	Real-world front-end pairing for the bands you care about
9	The PortaPack H2 — Hardware, and the H1 / H2+ / H4 / H4M Comparison	Schematic walk + a defensible upgrade-path matrix
10	Mayhem Firmware — App Catalog, Navigation, Plugins, Building	The standalone-radio personality
11	Operations, RF Safety, Legal, and Lab Discipline	Capture/decode/replay end-to-end, FCC Part 15 / Part 97, never-TX list
12	Cheatsheet — The Laminate-Ready Field Card	One-pagers; the synthesis volume

Each volume has its own contents table, footnoted citations, cross-references to neighbouring volumes, and a closing resources block. The hyperlinks between volumes are real (this is an HTML render — the source markdown is the same that pandoc could turn into docx if you want a printed copy later). Cross-references appear as “Vol n §x.y” — Cmd/Ctrl-clicking jumps; back-arrow returns.

If you already know which subsystem you need to understand, skip to the corresponding volume. Volumes 2 and 3 together are the schematic walk; Volume 9 is the equivalent for the PortaPack add-on. Volumes 5–7 are the software workflow. Volumes 8 and 11 are bench discipline. Volume 12 is the printable summary.

2. What the HackRF Is — and What It Isn’t

2.1 What it is

The HackRF One is a half-duplex software-defined radio peripheral that reaches from 1 MHz to 6 GHz, samples (or generates) up to 20 MS/s of complex baseband at 8-bit resolution, and connects to a host computer over USB 2.0 high-speed. It is open-hardware (CERN OHL) and open-firmware (GPL). It is the de-facto wideband SDR of the open-source community: dozens of tools assume its presence and dozens of published research projects target it as their reference platform^[Michael Ossmann, “HackRF: An Open Source SDR Platform” — DEF CON 21 launch talk, 2013, set the project’s positioning. The product has shipped since 2014 with the same fundamental architecture.].

Operationally the HackRF gives you four different things at once:

A wideband receiver that scans a band, captures IQ to disk, and lets you analyse it later in any of half a dozen graphical tools (gqrx, CubicSDR, SDR++, GNU Radio, SigDigger, Inspectrum).
A wideband transmitter that plays back arbitrary IQ at the same rate range. With the HackRF’s modest +10 to +15 dBm output you can replay a captured remote-control signal, transmit ham-band experiments under a license, or feed a benchtop antenna for testing your own receivers — but you are not operating a base station.
A spectrum-survey instrument via hackrf_sweep, which steps the LO across a wide range and shows you a coarse FFT picture of “what’s transmitting where”. It is to a $30,000 Anritsu what a digital multimeter is to a Fluke 8588: the same shape of measurement, with the precision rounded off until the price drops two orders of magnitude.
A target for embedded hacking and firmware work — the firmware is GPL, the schematic is public, and the LPC4320 in the middle is reachable over JTAG via the same Black Magic Probe / J-Link tools you’d use for any other Cortex-M4F design.

When you bolt a PortaPack H2 onto the top, the same hardware becomes a standalone handheld — the LPC4320 boots Mayhem firmware, drives a 320×240 LCD, takes input from a navigation control, and runs a catalogue of receive/transmit/decode apps without a host computer.

2.2 What it isn’t

A HackRF One is not:

A high-dynamic-range receiver. The 8-bit ADC gives roughly 50 dB of in-band dynamic range^[Theoretical 8-bit SNR: 6.02 × 8 + 1.76 ≈ 49.8 dB. Real-world HackRF One performance typically lands at ~48–52 dB depending on gain settings.]. A strong signal in the band of interest desensitises the receiver for everything else. For weak-signal HF DX work the SDRplay RSPdx or the Airspy HF+ Discovery (both 12-bit+) are dramatically better; for general benchwork the HackRF’s wider tuning range still wins.
Frequency-stable. The factory reference is a 25 MHz crystal — not a TCXO. Frequency drift over 30 minutes can be tens of ppm; absolute-frequency claims should not be made until either the unit has been warmed up for half an hour or an external 10 MHz reference has been wired to the front-panel CLKIN. The HackRF Pro’s built-in TCXO removes this complaint (Vol 2 §4 walks the upgrade rationale.)
Full-duplex. You cannot transmit and receive at the same time — there is one analogue chain, multiplexed by the SKY13350/SKY13453 RF switches. Anything that requires hearing an acknowledgement during transmission needs either two HackRFs synchronised over a shared clock^[See hackrf_clock and the synchronisation checklist at https://hackrf.readthedocs.io/en/latest/synchronization_checklist.html.] or a different platform (LimeSDR, USRP, BladeRF).
A jammer or a high-power transmitter. With +10 to +15 dBm of TX power and a stock antenna, the HackRF’s range is short by design — a few metres into a benchtop antenna, perhaps tens of metres into a tuned outdoor antenna. Pairing with a power amplifier crosses regulatory and ethical lines that this series treats explicitly in Vol 11.
A toy. The hardware is precise enough, and the software stack mature enough, that real research happens on this device — published exploits against rolling-code remotes, ADS-B reception, GSM passive surveys, ZigBee mesh analysis, BLE traffic capture. The legal and ethical envelope is real (Vol 11). Treat it accordingly.

2.3 Where it sits in tjscientist’s lineup

Tool	Frequency range	TX?	Sample rate	Best at
Flipper Zero	300–928 MHz (sub-GHz)	yes (limited)	n/a	Field instrument for known sub-GHz protocols
HackRF One	1 MHz – 6 GHz	yes	20 MS/s	Lab analysis of arbitrary signals + transmit experiments
RTL-SDR	24 MHz – 1.7 GHz	no	2.56 MS/s	$30 receive-only spectrum survey + ADS-B + casual decode work
Proxmark3 RDV4	125 kHz / 13.56 MHz only	yes	n/a	Lab-grade RFID/NFC research

The HackRF is the lab-grade SDR — the device you reach for when the Flipper Zero says “I see a signal but I don’t know that protocol”. You bring the HackRF to capture the IQ, walk it through Universal Radio Hacker or GNU Radio to understand its structure, and then either (a) write a Flipper FAP that decodes it natively for field use, or (b) keep it as a HackRF + GRC workflow because the protocol is too complex to fit on the Flipper.

For the cross-tool comparison see _shared/comparison.md.

3. The H2R4 Bundle — What’s on the Bench

The phrase “H2R4” is a bundle name — two designators concatenated:

H2 = PortaPack H2 (the LCD + control add-on PCB that bolts onto the HackRF One’s expansion header).
R4 = HackRF One hardware revision r4 (manufactured 2014–2020).

Per Great Scott Gadgets’s revision matrix^[https://hackrf.readthedocs.io/en/latest/list_of_hardware_revisions.html — the canonical revision list. Revision strapping pins were added in r6 onwards, so r1–r4 cannot self-identify in firmware; the silkscreen near U18 (MAX5864) is the source of truth.], r2, r3, and r4 are electrically identical to r1 — only the silkscreened revision number differs across manufacturing runs. Every component, every value, every routing detail is the same as the 2014 first-shipping board.

That means the r4 in front of you behaves exactly like the device every published HackRF tutorial, every academic paper, every YouTube walkthrough since 2014 was written about. There is no “is my unit too old” doubt — the r4 is the canonical HackRF One.

3.1 What’s in the bundle

The genuine GSG H2R4 bundle through an authorised reseller typically contains:

Item	Quantity	Notes
HackRF One r4 board	1	Aluminium-housed, SMA female RF, micro-USB (r4 era predates USB-C)
PortaPack H2	1	2.4″ 320×240 TFT LCD, 5-way nav stick, headphone jack, microSD slot
ANT500 telescopic antenna	1	75 cm whip, SMA male, 75 MHz – 1 GHz primary use
micro-USB cable	1	Quality varies — replace with a known-good shielded cable for serious work (Vol 2 §6.3)
Acrylic / 3D-printed shell	1	Protects the H2 PCB and screen; clones often skip this
Pre-flashed Mayhem firmware	(on H2)	Reseller-flashed; first thing to do is upgrade to current nightly (Vol 10 §3)

What’s typically not included:

LiPo battery (PortaPack H2 supports a JST-PH 3.7 V cell ~1500–2000 mAh; not always shipped because of air-freight battery rules).
microSD card (the H2 needs one to log captures and to hold app payloads).
Higher-band antenna (ANT500 is sub-1 GHz; for 2.4 / 5.x GHz work you need ANT700 or a mounted antenna of choice).
USB-C-to-micro-USB adapter (most modern bench setups assume USB-C upstream).

Vol 8 §3 covers the antenna selection in detail.

3.2 Identifying genuine GSG vs clone

Even when sourced from an authorised reseller, the first bench task is a positive identification. The relevant checks:

USB enumeration. A genuine HackRF One running stock firmware enumerates as USB VID:PID 1d50:6089 with manufacturer string Great Scott Gadgets. A unit in DFU mode enumerates as 1d50:6088. Clones frequently use generic IDs like 0x04b4:1234. From a Linux host:
```
$ lsusb | grep -i hackrf
Bus 003 Device 005: ID 1d50:6089 OpenMoko, Inc. HackRF One
```
The vendor ID 1d50 is registered to OpenMoko, Inc., and is shared with several open-hardware projects^[https://devicehunt.com/view/type/usb/vendor/1D50/device/6089].
hackrf_info output. Run hackrf_info and look at the reported board ID, part ID, serial number, and (from r6+) hardware revision. Genuine GSG boards report consistent serial-number formatting (16 hex characters, two 32-bit halves). Clones sometimes report all-zero or duplicate serials.
Firmware fingerprint. A board running stock GSG firmware will report a release version string that matches one of the official tagged releases on github.com/greatscottgadgets/hackrf/releases. Anything else suggests a third-party fork — common with PortaPack-bundled units that ship a stale build.
Above-1-GHz performance. Clones have been documented as ~22 dB worse than genuine units at 6 GHz, with broadband performance issues across the whole RF range^[https://www.rtl-sdr.com/comparing-a-hackrf-clone-against-the-original/ — RTL-SDR.com’s bench comparison from 2021. Not all clones are bad — some are bench-quality — but the variance is real and the worst clones are very bad.]. The bench check is hackrf_sweep -f 1000:6000 against a known reference (a strong cellular tower; a known WiFi access point at 5.8 GHz) and verifying the noise floor and signal level look right.
PCB silkscreen. Genuine GSG boards have the revision number printed near U18 (MAX5864). Counterfeit units sometimes either (a) omit this, (b) screen “r1” because the BOM is r1-vintage and they did not refresh it, or (c) mismatch — claim r9 on silkscreen but ship r1-era components.

For the porta unit on this bench: the silkscreen reads “HackRF One” + “30 October 2022” with no GSG branding (so it’s not genuine), but it’s also not a generic clone — it’s the Clifford Heath modified design, manufactured by JSTVRO. See §3.3 for what that actually means. Vol 2 §8 documents the bench-test procedure end-to-end so any of these checks can be reproduced on a unit of unknown provenance.

3.3 The Clifford Heath modified version — a deliberately-improved ‘clone’

Not every non-GSG HackRF is a cheap copy. The most consequential exception is the Clifford Heath modified design (github.com/cjheath/hackrf), which improves the open-hardware reference in ways GSG declined to merge upstream.

The story: Heath designed a series of RF front-end modifications and offered them to Michael Ossmann (GSG) as a pull request. Ossmann rejected the PR. Heath then worked directly with manufacturers — JSTVRO, Rabbit Labs, OpenSourceSDRLab, Wired Hatters, SDR Store — to produce the modified design under various brands and case treatments. The Mayhem firmware project tracks Heath’s variant on a dedicated wiki page: Clifford’s-version.

The modifications, all on the RF front end (the main signal-path silicon — MAX2837, RFFC5072, MAX5864, LPC4320, Si5351 — is unchanged):

What Heath changed	Stock GSG part	Heath replacement	Why
Antenna-line protection	(none)	CLA4611-085LF	Protects both LNA and TX amp from transmit-into-mismatch and out-of-spec RX. Headline mod.
MMIC amplifiers	MGA-81563-TR1G	TRF37B73	Modern part, broader operating range, the MGA is obsolete
RF switches	SKY13350-385LF	SKY13453-385LF	Current production (the same switch GSG moved to in r6/r8/r10 — Heath went there earlier)
Bias-T design	original	improved	Better high-frequency response, better RF sensitivity even when disabled

The newer Heath revisions (USBC V1, sold by Rabbit Labs; R10 / R10+, sold by OpenSourceSDRLab and Wired Hatters; H4M Clifford Edition, sold by SDR Store) add USB-C in place of the legacy USB mini-B. The pre-USBC-V1 Heath revisions (which is what porta is) keep mini-B, matching the original r4/R5 reference connector.

What this is not: a sensitivity tune or a power upgrade. The Mayhem wiki testing is honest about it — user reports on receiver sensitivity vs. genuine GSG are mixed (some better, some worse), and there’s no standardized test methodology. What the Heath design is: a robustness upgrade. The CLA4611-085LF protection is the unambiguous practical win. Blowing the LNA via TX-into-mismatch or hot-RF-into-RX is the most common way HackRFs get bricked, and the Heath protection chip mitigates that.

How to identify a Heath-modified board if it’s in your hands: the silkscreen on the main signal-path side reads “HackRF One™” without “Great Scott Gadgets” or any GSG company branding. The date stamp varies — some Heath manufacturers preserve the canonical “13 February 2014” Gerber date; others restamp with their own production date. The unit on porta’s bench reads “HackRF One™” + “30 October 2022”, no GSG mark; that’s the JSTVRO build pattern (the case label credits “Robert in China” rather than Heath, but the design lineage is Heath’s). The Heath-vs-stock differences are small SMT parts in the network around the antenna SMA — too small to identify from an overview PCB photo. Close-up part-number inspection (CLA4611-085LF antenna protection, TRF37B73 MMICs, SKY13453-385LF switches) is one route, but the reliable identifier is vendor disclosure: vendors selling the Heath design typically advertise it explicitly (“Clifford Heath HackRF USBC V1”, “Clifford 2025 R10+”, “H4M Clifford Edition”). If you bought a JSTVRO-branded HackRF in the H2R4 / H2 bundle around 2022–2024, it is almost certainly a Heath-modified board.

4. The HackRF One Hardware Family — How r4 Fits

The HackRF One has shipped in eight production revisions across eleven calendar years (r5 was experimental and never manufactured). Most of the deltas are sourcing-driven — the project leans on a small number of specialised RF parts (MAX2837 transceiver, RFFC5072 mixer, Si5351 clock generator, MAX5864 dual ADC/DAC), and when those parts have gone allocation-constrained the design has had to substitute. The result is a revision matrix that looks like a spaghetti diagram if you read it cold but makes perfect sense once you understand the supply-chain pressure:

Rev	Years	Switches	Transceiver	Clock gen	Antenna feed	Why this rev exists
r1–r4	2014–2020	SKY13350	MAX2837	Si5351C	(no diode)	Original design + identical reships
r5	—	—	—	—	—	Experimental, never shipped
r6	2020	SKY13453	MAX2837	Si5351C	(no diode)	SKY13350 hard to source; new switch with simpler control. Rev-strap pins added so firmware can self-identify
r7	2021	SKY13350	MAX2837	Si5351C	(no diode)	SKY13350 came back; r6 reverted. USB VBUS-detect Rs updated
r8	2021–2022	SKY13453	MAX2837	Si5351C	(no diode)	SKY13350 went away again
r9	2023	SKY13453	MAX2839	Si5351A + extra distribution	diode	The chip-shortage rev: MAX2837 unavailable, substituted MAX2839. New clock-distribution to compensate. Series diode at antenna feed protects against external LNA bias mishaps
r10	2024+	SKY13453	MAX2837	Si5351C	diode	Reverts r9 back to r8 silicon (MAX2837 returned). Keeps the antenna-feed diode improvement

The r4 in your bundle is the original design — same parts, same routing, same RF performance as the day Michael Ossmann shipped the first batch. Vol 2 walks the schematic in detail.

The interesting thing for “should I upgrade?” planning (Vol 2 §10) is that r10 is functionally the closest current GSG part to an r4. Both run the MAX2837. Both run the Si5351C. The only thing r10 does differently from r4 is (a) the SKY13453 switches (better part, no behavioural difference at the firmware level) and (b) the bias-T series diode (a safety improvement; matters if you intend to use bias-T-powered active antennas).

In other words: the r4 you have is not “old hardware” in any meaningful sense — it is the same hardware GSG ships today with two minor manufacturing improvements layered in. The case for an r10 upgrade is weak unless you specifically want bias-T safety or have damaged the r4. The case for a HackRF Pro upgrade is much stronger and quite different — see the next section.

A wrinkle for tjscientist specifically: porta is the Clifford Heath modified r4 design (see §3.3), which already brings the SKY13453 switches forward (the r6 / r10 improvement) and adds the CLA4611-085LF antenna protection chip that no GSG revision has. So porta is in some respects ahead of a stock r10 on robustness, while still being r4-vintage on the digital section and the main RF transceiver chain.

5. The HackRF Pro — When the Pro Is Worth $400

Great Scott Gadgets announced HackRF Pro on 2025-06-26^[https://greatscottgadgets.com/2025/06-26-meet-hackrf-pro/], opened pre-orders through authorised resellers in summer 2025, and started shipping in September 2025. As of HackRF firmware v2026.01.1 (the current release as of this volume), the Pro is supported in legacy compatibility mode — anything that runs on a HackRF One runs on the Pro — with extended-precision modes coming in subsequent firmware drops^[https://github.com/greatscottgadgets/hackrf/releases/tag/v2026.01.1 — release notes from January 2026 confirm initial Pro support with future precision-mode enablement.].

What the Pro changes versus the One:

Axis	HackRF One	HackRF Pro	Why this matters in practice
Frequency range	1 MHz – 6 GHz	100 kHz – 6 GHz operating; tunable 0 Hz – 7.1 GHz	Pro sees HF directly without a Ham-It-Up upconverter
Reference	25 MHz crystal	Built-in TCXO	No more 30-min warm-up before frequency claims; absolute frequency drift drops from tens of ppm to sub-ppm
Transceiver	MAX2837 (or MAX2839 on r9)	MAX2831	Different IF/baseband front-end with flatter response and improved IIP3
Glue logic	Xilinx CoolRunner-II XC2C64A CPLD	Lattice iCE40 UltraPlus FPGA	More gates → headroom for sample-pipeline improvements; iCE40 has a well-loved open toolchain (Yosys + nextpnr)
Flash	Winbond W25Q80BV (8 Mbit)	Winbond W25Q32 (32 Mbit)	4× the firmware budget; future feature additions don’t have to fight for space
Bandwidth	20 MHz	20 MHz initially; planned wider modes	Software-driven — the FPGA enables future expansion
Half/full duplex	Half	Half	Both still half-duplex
Price	~$300 retail	$400 through resellers	$100 premium

The decision is not really about “is the Pro better?” — it obviously is, on every axis. The decision is “is the $100 premium worth it for the work I’m doing?”. The honest answer:

Yes, get the Pro if (a) you do significant HF work and have been working around the One’s 1 MHz lower limit with a Ham-It-Up upconverter, or (b) you make absolute-frequency claims (RF compliance work, GPS-disciplined references, ham-radio digital modes that demand stable carriers) and the One’s crystal drift is a daily friction point.
Stay with the One if (a) your work is mostly above 100 MHz with a tolerance for a few-ppm drift, (b) you’ve already invested in upconverters or external GPSDOs that take care of the One’s weaknesses, or (c) you want to learn the One’s open-firmware deeply — the One is the documented, tutorial-rich device; the Pro’s firmware ecosystem is still catching up.

For tjscientist’s H2R4 specifically: the Pro is interesting as a future second device (pair an r4 + H2 for the standalone Mayhem workflow with a Pro on the bench for stable-frequency lab work). It is not a “throw the r4 out” upgrade. Vol 2 §10 expands this analysis into a decision tree.

6. The PortaPack Family — H1 through H4M

The PortaPack is a community add-on, not a Great Scott Gadgets product. It was originated by Jared Boone (sharebrained.com) as an LCD + nav-control accessory that piggybacks on the HackRF One’s expansion header, providing the PortaPack with access to the LPC4320, the I²S audio codec lines, and the ADC/DAC clock. The hardware has gone through five generations:

Variant	Year	Display	Power switch	USB	Audio	Battery telemetry	GPIO	Firmware
H1	~2016	2.4″ 320×240 TFT (TN)	momentary push	from HackRF	through HackRF audio	none	none	sharebrained → Mayhem (legacy)
H2	2020–2022	2.4″ 320×240 TFT (TN)	momentary push	from HackRF	through HackRF audio	none	none	Mayhem
H2+	2022	2.4″ 320×240 TFT (TN)	momentary push	from HackRF	through HackRF audio	none	none	Mayhem
H4	2023	2.4″ 320×240 IPS	sliding (full cut)	USB-C	dedicated codec	basic	I²C breakout	Mayhem
H4M	Q4 2024	2.4″ 320×240 IPS, anti-glare	sliding (full cut)	USB-C	dedicated codec + auto headphone/speaker switch	percent + voltage + current + ETA	I²C-capable GPIO connector	Mayhem (co-developed)

The H4M is the current best-of-class. It addresses every reasonable complaint about the H2: phantom drain when “off” (sliding switch fully isolates the battery), poor screen visibility (IPS + anti-glare), no battery information (full telemetry exposed in firmware), micro-USB (USB-C with faster charging), no audio path (dedicated codec with auto-routing), no I/O for accessories (I²C-capable GPIO connector). It costs $50–100 more than an H2 bundle and the consensus on r/HackRF and the Mayhem GitHub issues is that it is worth the premium^[https://www.rtl-sdr.com/a-review-of-the-new-hackrf-portapack-h4m/ — the RTL-SDR.com review from 2025 walks the full upgrade rationale and confirms the firmware-level battery features.].

For tjscientist’s H2 specifically: the H2 is not obsolete — Mayhem firmware is maintained for H1/H2/H2+/H4/H4M in parallel, and every feature listed in Vol 10’s app catalogue runs identically on the H2 as on the H4M. The downsides of the H2 are quality-of-life (phantom drain, mirror-prone screen, no battery info) rather than capability. If the H2 is bench-tethered most of the time, those downsides do not bite. If it spends time in a backpack, an H4M upgrade pays for itself in not-having-to-charge-tomorrow.

Vol 9 walks the H2 schematic and the H1 → H4M comparison in full. Vol 10 covers the firmware that runs on both.

7. The Decision Tree — When to Reach for the HackRF

A signal exists in the band of interest → what do I want to do?

├── Just listen to a known modulation (FM voice, AM aviation,
│   broadcast, weather sat APT, NOAA, ADS-B 1090 MHz)
│   → reach for an RTL-SDR ($30) and gqrx / SDR++ / dump1090.
│     The HackRF works too, but is overkill.
│
├── Listen to something below 24 MHz (HF — ham, time signals,
│   aviation HF, marine HF)
│   → HackRF + Ham-It-Up upconverter, OR HackRF Pro
│     (which sees HF directly thanks to its 100 kHz lower limit).
│
├── Capture an unknown sub-GHz signal off a remote, sensor, or
│   short-range telemetry
│   ├── Flipper-known protocol → use the Flipper Zero in the
│   │   field; it is the right tool.
│   ├── Unknown protocol → HackRF + Inspectrum/URH on a laptop.
│   │   Capture as `.cfile`, walk it through URH for protocol
│   │   structure, decode in GNU Radio or write a Flipper FAP
│   │   once the protocol is understood.
│
├── Survey the spectrum across multiple bands
│   → `hackrf_sweep -f 1:6000` is the right tool. RTL-SDR is too
│     narrow (covers 24 MHz – 1.7 GHz) and slower per-band.
│
├── Transmit a captured signal back (replay attacks, sensor
│   testing under your own license / on your own hardware)
│   → HackRF (the ONLY half-decent open-hardware TX-capable SDR
│     under $500). Stay within license / ownership limits — Vol 11.
│
├── Decode something that requires bit-level synchronous timing
│   below 8 µs (ZigBee, BLE, advanced WiFi)
│   → HackRF + GNU Radio with the right OOT module (gr-zigbee,
│     gr-bluetooth, etc.). This is real research-grade work.
│
└── Operate as a handheld — capture, decode, sometimes transmit —
    away from a laptop
    → HackRF One + PortaPack (H2 today; H4M for the upgrade) running
      Mayhem firmware. This is the H2R4 use case.

The decision tree’s branches map onto the volumes:

Sub-GHz unknown-protocol work → Vol 6 (GRC) + Vol 7 (URH) workflow.
Spectrum survey → Vol 5 (hackrf_sweep) + Vol 6 (FFT in GRC).
HF work → Vol 8 (Ham-It-Up + antenna selection) or eventual Pro upgrade per Vol 5.
Replay / TX → Vol 5 + Vol 11 (legal/ethics).
Synchronous bit-level decode → Vol 6 + Vol 7.
Handheld field use → Vol 9 (PortaPack hardware) + Vol 10 (Mayhem firmware).

8. The Software Ecosystem — What Talks to a HackRF

The HackRF presents itself to the host as a USB device implementing a relatively simple protocol that libhackrf wraps. From libhackrf the rest of the software stack flows out:

Layer	Software	What it does
Driver / kernel	`libusb` + udev rules	USB transport; no kernel module
C library	`libhackrf`	Open / close / set-frequency / start-rx / start-tx primitives
CLI tools	`hackrf_info`, `hackrf_transfer`, `hackrf_sweep`, `hackrf_clock`, `hackrf_debug`, `hackrf_spiflash`, `hackrf_cpldjtag`	Day-to-day CLI for capture, sweep, firmware, reference clock
Python	`pyhackrf2` (pip)	Python wrapper around `libhackrf`
GNU Radio	`gr-osmosdr` (osmocom) source/sink	Use HackRF inside any GNU Radio flowgraph
Graphical receivers	gqrx, CubicSDR, SDR++, SDR# (via shim)	Real-time spectrum + audio demod
Protocol analysers	URH, Inspectrum, SigDigger	Capture-then-analyse workflow
Automated decoders	rtl_433 (with HackRF source), gr-air-modes, gr-rds, gr-gsm	Specific protocol stacks
Standalone firmware	Mayhem (on PortaPack)	LPC4320 boots Mayhem instead of stock HackRF firmware

Vols 5, 6, 7, and 10 cover these layers in full. The takeaway for Vol 1 is that the HackRF is an instrument with a deep software hinterland — buying the device is the entry fee; the time investment is in learning the half-dozen tools that live above it.

9. The Three Currents of Firmware

There are three independent firmware streams in the HackRF world, and they confuse newcomers regularly:

9.1 HackRF firmware (host-facing)

The official Great Scott Gadgets firmware that runs on the LPC4320 when the HackRF is plugged into a laptop. It implements the USB protocol, the libhackrf command surface, the hackrf_sweep mode, and the bring-up of the RF chain. Source: github.com/greatscottgadgets/hackrf. Latest: v2026.01.1 (released January 2026)^[https://github.com/greatscottgadgets/hackrf/releases/tag/v2026.01.1].

This is what you flash with hackrf_spiflash when running through hackrf_info’s upgrade prompt. Every fresh reseller-bundled unit should be brought up to current.

Vol 4 covers this firmware end-to-end: the build toolchain (GCC ARM Embedded), the source-tree layout, the DFU recovery procedure, the hackrf_cpldjtag workflow when the CPLD bitstream needs reflashing.

9.2 Mayhem firmware (PortaPack-facing)

The community firmware that runs on the LPC4320 when a PortaPack is attached, replacing the stock HackRF firmware. It implements the LCD UI, the navigation control, the on-device app catalogue (~80 apps for receive, transmit, capture, decode, debug), the SD card filesystem, and the standalone-radio modes. Source: github.com/portapack-mayhem/mayhem-firmware. Latest: nightly 2026-05-05 (most recent stable nightly tag: 2026-03-07)^[https://github.com/portapack-mayhem/mayhem-firmware/releases].

Mayhem started as Jared Boone’s sharebrained/portapack-hackrf firmware, was forked by Furrtek, and is now maintained by the Mayhem org. The H4M was co-developed between GSG-PortaPack-vendor and the Mayhem team and the firmware reflects this — H4M-specific features (battery telemetry, audio codec, GPIO) are first-class.

Vol 10 covers the Mayhem firmware end-to-end: app catalogue organised by RX / TX / Utility / Debug, the navigation conventions, the settings.ini file, building from source, the OTA / SD-card update workflow, the plugin ecosystem.

9.3 CPLD bitstream (CoolRunner-II)

The Xilinx CoolRunner-II XC2C64A CPLD on the HackRF One holds a small bitstream that translates between the MAX5864’s parallel ADC/DAC interface and the LPC4320’s SGPIO pins. This bitstream is not the same thing as the firmware — it’s a much smaller artefact (a few KB) and changes very rarely. Source: in the same greatscottgadgets/hackrf repo under firmware/cpld/sgpio_if/. Updated via hackrf_cpldjtag after a fresh firmware flash.

Vol 3 §5 walks the CPLD’s role; Vol 4 §6 walks the hackrf_cpldjtag recovery procedure.

The HackRF Pro replaces the CoolRunner-II with an iCE40 UltraPlus FPGA, which has roughly 6× the LUT count and an open-source toolchain (Yosys + nextpnr). Vol 4 §10 covers the Pro’s flash / FPGA-config workflow.

10. Cost Reference

Approximate retail prices in May 2026, from authorised US/EU resellers:

Item	Approx price	Notes
HackRF One r10 (genuine GSG, bare)	$300	What you buy if you want a HackRF One today
HackRF One r4 + PortaPack H2 bundle	$300–350	Used / NOS — the H2R4 bundle
HackRF One + PortaPack H4M bundle	$400–500	Current best handheld bundle
HackRF Pro (genuine GSG, bare)	$400	Sept 2025 launch
ANT500 antenna (replacement)	$30	Often included in bundles
ANT700 antenna	$40	For 400 MHz – 7.2 GHz work
NooElec Ham-It-Up upconverter	$50	HF (0–30 MHz) into HackRF One — Pro doesn’t need this
Mini-Circuits ZRL-1150LN+ LNA	$90	Small-signal LNA for above 1 GHz
LiPo 1500 mAh JST-PH (PortaPack)	$15	For handheld H2/H4 use
32 GB microSD (PortaPack)	$10	Mayhem capture / app payload storage
External 10 MHz GPSDO reference	$80–250	When you need absolute-frequency stability without buying a Pro
50 Ω SMA dummy load	$8	Mandatory for any TX bench testing — Vol 11
RF shielded enclosure (Faraday tent)	$100–500	For TX bench testing without radiating outdoors — Vol 11

Vol 8 §7 has the full antenna + filter + LNA pairing matrix.

11. Where Each Volume Goes Deeper

Question	Volume
What’s actually on the HackRF PCB?	Vol 2 — RF chain walkthrough; Vol 3 — digital subsystem
What changed from r4 to r10? Should I upgrade?	Vol 2 §10
What’s the HackRF Pro decision tree?	Vol 1 §5 (this volume) + Vol 2 §11 (technical comparison)
How do I update the firmware on a fresh unit?	Vol 4 §3 — DFU + `hackrf_spiflash` workflow
How do I capture an IQ file from the command line?	Vol 5 §4 — `hackrf_transfer -r capture.cfile`
How do I see a spectrum picture?	Vol 5 §6 — `hackrf_sweep`; Vol 6 §3 — GRC FFT scope flowgraph
What’s the right antenna for 433 MHz remotes?	Vol 8 §3.1
How do I figure out an unknown protocol?	Vol 7 §2–4 — URH workflow; §5 — Inspectrum cursors
How do I write a GNU Radio flowgraph?	Vol 6 §2 onwards
How do I run a HackRF as a handheld?	Vol 9 — PortaPack H2; Vol 10 — Mayhem firmware
What apps are on the PortaPack?	Vol 10 §3 — categorised app catalogue
Can I transmit on amateur radio bands legally?	Vol 11 §3 — license-conditioned bands; §4 — never-TX list
What’s the lab discipline for TX work?	Vol 11 §5 — dummy load, Faraday tent, attenuation
The cheatsheet?	Vol 12 — the laminate-ready field card

12. Maintenance, Updates, and Forward-Looking Notes

This series is built to last through the natural pace of HackRF / PortaPack evolution. The expected update cadence:

Quarterly — refresh the latest-firmware-version line in Vol 4 §3 and Vol 10 §3 from the upstream GitHub release tags. Mayhem releases nightlies almost daily; pin to the most recent stable tag for the canonical reference.
On hardware-revision change — when GSG ships an r11 (or a hypothetical r12), append a row to the revision matrix in §4 (this volume) and Vol 2 §10. The r9 → r10 transition is the template — the matrix is meant to grow.
On HackRF Pro firmware milestones — the extended-precision modes are coming; when they ship in upstream firmware, Vol 5 (CLI) and Vol 6 (GRC) need revisits to capture the new sample-rate options and the new flag bits.
On PortaPack hardware change — when an “H5” appears, append to Vol 9’s comparison matrix.

The source markdown lives in 02-inputs/volume_sources/. The build pipeline (build_html.py and inject_toc.py) lives in 02-inputs/volume_sources/build/. The deliverables under 03-outputs/html/ are regenerable from source. See the README in 02-inputs/volume_sources/ for the rebuild commands.

13. Resources

13.1 Authoritative documentation

Resource	URL
HackRF official docs	https://hackrf.readthedocs.io/en/latest/
HackRF GitHub repo	https://github.com/greatscottgadgets/hackrf
HackRF Pro page	https://greatscottgadgets.com/hackrf/pro/
HackRF One page	https://greatscottgadgets.com/hackrf/one/
Hardware revisions list	https://hackrf.readthedocs.io/en/latest/list_of_hardware_revisions.html
Hardware components list	https://hackrf.readthedocs.io/en/latest/hardware_components.html
Updating firmware	https://hackrf.readthedocs.io/en/latest/updating_firmware.html
HackRF Pro launch announcement	https://greatscottgadgets.com/2025/06-26-meet-hackrf-pro/

13.2 Mayhem / PortaPack

Resource	URL
Mayhem firmware	https://github.com/portapack-mayhem/mayhem-firmware
Mayhem releases	https://github.com/portapack-mayhem/mayhem-firmware/releases
Mayhem wiki	https://github.com/portapack-mayhem/mayhem-firmware/wiki
MayhemHub web UI	https://github.com/portapack-mayhem/MayhemHub
H4M review	https://www.rtl-sdr.com/a-review-of-the-new-hackrf-portapack-h4m/

13.3 Software ecosystem

Tool	URL
GNU Radio	https://www.gnuradio.org/
gr-osmosdr	https://osmocom.org/projects/gr-osmosdr
Universal Radio Hacker	https://github.com/jopohl/urh
Inspectrum	https://github.com/miek/inspectrum
SigDigger	https://github.com/BatchDrake/SigDigger
gqrx	https://gqrx.dk/
CubicSDR	https://cubicsdr.com/
SDR++	https://sdrpp.org/
pyhackrf2	https://pypi.org/project/pyhackrf2/
Michael Ossmann’s free SDR course	https://greatscottgadgets.com/sdr/

13.4 Community

Forum	URL
r/HackRF	https://reddit.com/r/HackRF
RTL-SDR.com (HackRF tag)	https://www.rtl-sdr.com/tag/hackrf/
GSG Slack	(linked from https://greatscottgadgets.com/hackrf/)

13.5 Books and free curricula

Resource	URL or citation
”Software Defined Radio with HackRF” — Michael Ossmann	https://greatscottgadgets.com/sdr/
PySDR — Marc Lichtman	https://pysdr.org/
GNU Radio tutorials	https://wiki.gnuradio.org/index.php/Tutorials

13.6 In-series cross-references

This volume’s footnotes draw on every other volume; the main entries:

Volume	Topic
Vol 2 §10	r4 → r10 upgrade decision tree (technical)
Vol 2 §11	HackRF Pro vs HackRF One technical comparison
Vol 4 §3	DFU and `hackrf_spiflash` recovery
Vol 4 §6	`hackrf_cpldjtag` CPLD bitstream flashing
Vol 8 §3	Antennas paired with HackRF
Vol 9	PortaPack H2 schematic walk + comparison matrix
Vol 10 §3	Mayhem app catalogue
Vol 11 §3	Legal frequency boundaries
Vol 11 §4	Never-TX list
Vol 11 §5	Bench TX discipline (dummy load + Faraday tent)
Vol 12	Laminate-ready cheatsheet

HackRF One Volume 1 — Series Overview, the H2R4 Bundle, and the Upgrade Landscape

Contents