In his submission he shares a tutorial that explains the theory behind the PAL analog video standard. He explains the different components of the PAL signal, including the luma (the black and white part), frame rates, and modulation. He then goes on to explain how color is encoded onto the PAL signal using Quadrature Amplitude Modulation (QAM).
Finally in the files section marble also supplies us with the GNU Radio flowgraph which can be used to transmit PAL video with a HackRF.
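As an added illustration of the colour encoding the tutorial covers (this is not code from the tutorial or from marble's flowgraph), the following Python/NumPy sketch models how U and V ride on the 4.43 MHz subcarrier by QAM and why PAL flips V on alternate lines: a receiver phase error that shifts the hue of a single line cancels when two consecutive lines are averaged. The 4x-subcarrier sample rate, the constant test colour and the 0.3 rad error are assumptions of the example.

```python
import numpy as np

FSC = 4433618.75      # PAL colour subcarrier, Hz (4.43361875 MHz)
FS = 4 * FSC          # sample rate: 4x subcarrier, an assumption of this demo

def _refs(n, phase=0.0, fs=FS, fsc=FSC):
    """Sine (U axis) and cosine (V axis) subcarrier references for n samples."""
    w = 2 * np.pi * fsc * np.arange(n) / fs + phase
    return np.sin(w), np.cos(w)

def encode_line(u, v, line, fs=FS, fsc=FSC):
    """QAM: U rides on the sine axis and V on the cosine axis of the
    subcarrier; V's sign flips on every other line (Phase Alternating Line)."""
    s, c = _refs(len(u), 0.0, fs, fsc)
    v_sign = -1.0 if line % 2 else 1.0
    return np.asarray(u) * s + v_sign * np.asarray(v) * c

def decode_line(chroma, line, phase_err=0.0, fs=FS, fsc=FSC):
    """Coherent QAM demodulation. phase_err is how far the receiver's
    regenerated subcarrier is off, in radians (the classic NTSC hue error).
    The moving average spans whole subcarrier cycles, so it removes the
    2*fsc mixing products exactly for a constant colour."""
    s, c = _refs(len(chroma), phase_err, fs, fsc)
    v_sign = -1.0 if line % 2 else 1.0
    win = 8 * int(round(fs / fsc))
    k = np.ones(win) / win
    u_hat = np.convolve(2 * chroma * s, k, mode="same")
    v_hat = np.convolve(2 * chroma * c, k, mode="same") * v_sign
    return u_hat, v_hat

def decode_pair(chroma_a, chroma_b, first_line, phase_err=0.0):
    """Why PAL alternates V: with a phase error e, a single line decodes to
    U*cos(e) + sign*V*sin(e) and V*cos(e) - sign*U*sin(e). The sign term
    flips between consecutive lines, so averaging the two cancels the hue
    shift and leaves only a saturation loss of cos(e)."""
    ua, va = decode_line(chroma_a, first_line, phase_err)
    ub, vb = decode_line(chroma_b, first_line + 1, phase_err)
    return (ua + ub) / 2, (va + vb) / 2

def demo(u_val=0.3, v_val=-0.2, n=512, phase_err=0.3):
    """Constant colour over two lines; returns mid-line (U, V) decoded from a
    single line and from the two-line average, with the same receiver error."""
    u, v = np.full(n, u_val), np.full(n, v_val)
    line0, line1 = encode_line(u, v, 0), encode_line(u, v, 1)
    u1, v1 = decode_line(line0, 0, phase_err)
    u2, v2 = decode_pair(line0, line1, 0, phase_err)
    mid = n // 2
    return (float(u1[mid]), float(v1[mid])), (float(u2[mid]), float(v2[mid]))
```

With a 0.3 rad error the single-line result has the wrong U/V ratio (a hue shift), while the paired result keeps the ratio 0.3/-0.2 and is only scaled by cos(0.3).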
The write-up first shows the reception of the signal from the wireless controller, and then moves on to show how to receive it in GNU Radio and obtain a time domain graph of the digital signal. From the pulses it is simple to visually work out the binary string. Next an instruction decoder is created in GNU Radio which automatically obtains the binary string from the signal directly. Then once the codes for back, forward, left and right were obtained it was possible to write another GNU Radio program to transmit these codes to the RC toy tank from the HackRF.
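The automatic decoding step described above, as an added Python/NumPy example rather than the author's GNU Radio flowgraph: it slices a magnitude trace at a threshold, measures the width of each pulse and maps short and long pulses to bits, which is the same job done by eye from the time domain graph. The pulse-width scheme (0 = one unit high, 1 = three units high, low gaps only as separators) and the test envelope are constructed for the example, not taken from the toy's recording.

```python
import numpy as np

def runs(samples, threshold=None):
    """Slice a magnitude (envelope) trace into (level, length) runs.
    threshold defaults to the midpoint between the quietest and loudest samples."""
    x = np.asarray(samples, dtype=float)
    if threshold is None:
        threshold = (x.min() + x.max()) / 2
    hi = x > threshold
    edges = np.flatnonzero(hi[1:] != hi[:-1]) + 1      # indices where the level changes
    bounds = np.concatenate(([0], edges, [len(hi)]))
    return [(int(hi[a]), int(b - a)) for a, b in zip(bounds[:-1], bounds[1:])]

def decode_pulse_widths(samples, threshold=None, long_ratio=1.5):
    """Pulse-width OOK: a high pulse near the shortest unit is a 0, a pulse of
    at least long_ratio units is a 1; low gaps only separate the pulses.
    The shortest pulse in the frame defines the unit, so a frame must contain
    at least one short pulse for the relative classification to work."""
    highs = [n for lvl, n in runs(samples, threshold) if lvl == 1]
    if not highs:
        return ""
    unit = min(highs)
    return "".join("1" if n >= long_ratio * unit else "0" for n in highs)

def make_envelope(bits, unit=8, gap=8, noise=0.05, seed=1):
    """Constructed test signal (not a real recording): amplitude envelope of a
    pulse-width OOK frame where 0 = one unit high and 1 = three units high,
    with a little Gaussian noise on top."""
    rng = np.random.default_rng(seed)
    parts = [np.zeros(gap)]
    for b in bits:
        parts.append(np.ones(unit * (3 if b == "1" else 1)))
        parts.append(np.zeros(gap))
    env = np.concatenate(parts)
    return env + noise * rng.standard_normal(env.size)
```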
The idea is to use the drone as a remote beacon which can move all around the antenna. As the drone flies around, the HackRF on the drone emits a data chirp containing GPS telemetry of the drone's position. The receiver on the ground decodes this data and also determines the SNR of the received signal. By plotting the received SNR together with the drone's GPS position, the radiation pattern of the antenna under test could be determined.
The software is called “RadiantBee” and is developed by both F4GKR and F5OEO. It is available over on GitHub. The flying hardware consists of a quadcopter, GPS, Raspberry Pi 3, HackRF, 10 GHz upconverter, band pass filter and horn antenna. The base station consists of an RTL-SDR dongle, 10 GHz downconverter, GPS and the antenna under test.
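To show the last step, turning SNR-versus-position samples into a pattern, here is an added Python example (not RadiantBee's code): it computes the bearing from the antenna under test to each reported drone position, refers every SNR to a common range with a free-space 20*log10(d) term so that what is left is the antenna's own gain, keeps the best sample per azimuth sector and normalises the result to its peak. The sector width, the reference range and the coordinates are assumptions of the example.

```python
import math

def bearing_and_distance(lat0, lon0, lat1, lon1):
    """Initial bearing (degrees, 0 = north, clockwise) and great-circle
    distance (metres) from the antenna under test to the drone's position."""
    R = 6371000.0
    p0, p1 = math.radians(lat0), math.radians(lat1)
    dl = math.radians(lon1 - lon0)
    x = math.sin(dl) * math.cos(p1)
    y = math.cos(p0) * math.sin(p1) - math.sin(p0) * math.cos(p1) * math.cos(dl)
    brg = (math.degrees(math.atan2(x, y)) + 360.0) % 360.0
    a = math.sin((p1 - p0) / 2) ** 2 + math.cos(p0) * math.cos(p1) * math.sin(dl / 2) ** 2
    dist = 2 * R * math.asin(math.sqrt(a))
    return brg, dist

def azimuth_pattern(antenna, samples, sector_deg=10, ref_m=100.0):
    """Fold (lat, lon, snr_db) samples into azimuth sectors.
    Each SNR is first referred to ref_m with the free-space 20*log10(d/ref)
    term (assumption: line of sight, no ground reflections), so the variation
    left over is the antenna's gain. The best sample per sector is kept and
    the pattern is returned relative to its peak, in dB."""
    lat0, lon0 = antenna
    best = {}
    for lat, lon, snr in samples:
        brg, dist = bearing_and_distance(lat0, lon0, lat, lon)
        if dist <= 0:
            continue                       # a sample on top of the antenna has no bearing
        gain = snr + 20 * math.log10(dist / ref_m)
        sector = int(brg // sector_deg) * sector_deg
        best[sector] = max(best.get(sector, -math.inf), gain)
    peak = max(best.values())
    return {s: round(best[s] - peak, 1) for s in sorted(best)}

# Constructed telemetry (not a real flight): antenna at the origin, drone at
# about 100 m north, 200 m north, 100 m east and 100 m south.
ANTENNA = (0.0, 0.0)
SAMPLES = [(0.0009, 0.0, 30.0), (0.0018, 0.0, 24.0),
           (0.0, 0.0009, 10.0), (-0.0009, 0.0, 20.0)]
```

Because the 200 m sample north is corrected for its extra 6 dB of path loss, it lands in the same sector at the same gain as the 100 m sample, which is the point of the range normalisation.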
Last week we made a post about the HackRF Portapack, and gave some examples of it in action. Recently the furrtek Havoc firmware for the portapack was updated, and it now supports SSTV transmission. Over on Twitter, Giorgio Campiotti @giorgiofox has uploaded a video showing an example transmission in action.
In the video the HackRF with Portapack transmits a test SSTV image to an Elecraft K3 ham radio, which is linked to a PC. SSTV decoding software on the PC turns the data back into an image.
SSTV stands for ‘Slow Scan TV’, and is a method used by hams to send images over radio. Typically this activity occurs on HF frequencies. Sometimes the ISS transmits SSTV images down to earth as well to commemorate special events.
The PortaPack is an addon created by Jared Boone for the HackRF software defined radio. It costs $200 USD at the sharebrained store and together with a USB battery pack it allows you to go completely portable with your HackRF. The HackRF is a multi-purpose SDR which can both receive and transmit anything (as long as you program it in) from 1 MHz to 6 GHz.
Since we last posted about the PortaPack many new features have been added, and the firmware has matured significantly. Now the official PortaPack firmware allows you to receive and demodulate SSB, AM, NFM, WFM and display up to an 18 MHz wide waterfall. You can also decode marine AIS, the automobile tyre pressure monitoring system (TPMS) and utility ITRON ERT meters.
There is also a popular fork of the official PortaPack firmware called portapack-havoc, which is created by a dev who goes by the handle ‘furrtek’. This firmware is a bit more risky in terms of the trouble it can get you into as it enables several new features including:
Close call – See if anyone is transmitting near to you
A CW generator
a GPS and various other jammers
an LCR transmitter – the wireless protocol used in France for programming traffic related signage
a microphone transmitter
a POCSAG receiver and transmitter – receive and send to pagers
a PWM RSSI output – useful for crude automatic direction finding
an RDS transmitter – transmit radio station text data to compatible broadcast FM radios
a soundboard – play a stored bank of wav sounds on a frequency
an SSTV transmitter – transmit slow scan TV signals
an OOK transmitter – control on-off-keying devices such as doorbells.
Below we’ve created a YouTube playlist showing several videos that show the portapack in action.
Over on YouTube a video titled “Hunting Rogue WiFi Devices using the HackRF SDR” has been uploaded. The talk is given by Mike Davis at the OWASP (Open Web Application Security Project) Cape Town. The talk’s abstract reads:
Rogue WiFi Access Points are a serious security risk for today’s connected society. Devices such as the Hak5 Pineapple, ESP8266-based ‘throwies’, or someone with the right WiFi card and software can be used to intercept users’ traffic and grab all of their credentials. Finding these rogue devices is a very difficult thing to achieve without specialised equipment. In this talk Mike will discuss the work he has been doing over the past year, to use the HackRF SDR as a RF Direction-finding device, with the goal of hunting down various malicious RF devices, including car remote jammers.
The talk starts off with the basics, explaining what the problems with WiFi devices are, what the HackRF and SDR is, and then goes on to explain some direction finding methods that Mike has been using.
A few weeks ago the HackRF drivers and firmware were updated and one new feature added was hackrf_sweep. This new feature allows us to scan across the spectrum at up to 8 GHz per second, which means that a full 0 – 6 GHz scan can complete in under a second.
We gave the software a test and it ran flawlessly with our HackRF. The features include:
Optimized for only one purpose – to use HackRF as a spectrum analyzer
All changes in settings restart hackrf_sweep automatically
hackrf_sweep integrated as a shared library
High resolution waterfall plot
Remember that to run the software you will need to have updated your HackRF to the latest firmware. The spectrum analyzer software is also Java based, so you’ll need to have the Java JRE for Windows x64 installed.
After noting down the FCC ID printed on the device, they determined that the operating frequency was 315 MHz. They discovered from the documentation that each wireless DX device is programmed with a unique code set at the factory. Only remotes with the correct code programmed in can open the door.
The first attack they tried was a simple replay attack. They used a HackRF to record the signal, and then play it back again. This worked perfectly the first time.
Next they decided to take this further and reverse engineer the protocol and see if a brute force attack could be applied. By doing some logic analysis on the circuit, they were able to figure out how to iterate over the entire key space. It turns out that the lock can be brute forced in at most 14.5 hours, or 7.25 hours on average.