HackRF Initial Review

The HackRF One is a new software defined radio that has recently been shipped out to Kickstarter backers. It is a transmit and receive capable SDR with an 8-bit ADC, a 10 MHz to 6 GHz operating range and up to 20 MHz of bandwidth. It can now be preordered for $299 USD. We just received ours from backing the Kickstarter, and here is a brief review of the product. We didn't do any quantitative testing, so this is a first impressions review only. So far we've only tested receive, in SDR# on Windows.


Inside the box is the HackRF unit in a quality protective plastic casing, a telescopic antenna and a USB cable. We show an RTL-SDR next to the HackRF for size comparison.

HackRF + Telescopic Antenna + USB Cable + Box (RTL-SDR Dongle Shown for Size Comparison)
Back of the box


Reverse Engineering Wireless Wall Outlets And Automatically Cloning OOK Signals

Wireless wall outlets are electrical outlets that can be turned on or off by a wireless remote. Fabien is an experimenter who was looking for a way to control the power of his home devices from a remote location using HTTP. He thought of building his own from scratch, but quickly realized that the device would need to be certified for insurance purposes. Instead he bought a cheap commercially made certified wireless wall outlet and reverse engineered the protocol using an RTL-SDR.

To do that he used the existing OOK-Decoder software available on GitHub. From the analysis provided by OOK-Decoder, Fabien was able to successfully reimplement the transmission using an AVR microcontroller and 433 MHz transceiver circuit from Sparkfun.

After being successful with this, Fabien decided to take the project a step further and create the OOKLONE – a device that could automatically clone any 433.92 MHz OOK signal and replay it. The video below shows the OOKLONE in action.
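What the OOK-Decoder analysis and the OOKLONE replay amount to, as an added example written for this page (it is not Fabien's code, OOKLONE's, or OOK-Decoder's): envelope-detect a constructed 433 MHz IQ capture, slice it into pulses, decode the pulse-width-modulated bits, and re-synthesize the burst for replay. The timing constants are an assumed PT2262-style scheme; real remotes differ, which is exactly what OOK-Decoder's pulse-width histogram is there to reveal. The same capture-and-replay is what defeats the fixed-code alarm remotes discussed in the Black Hat section further down.

```python
"""Added example (not Fabien's OOKLONE or the OOK-Decoder project):
envelope-detect a 433 MHz OOK capture, slice it into pulses, decode the
PWM bits and re-synthesize the burst for replay.

Timing is an assumed PT2262-style scheme (short 400 us, long 1200 us,
12.4 ms sync gap); real remotes differ.
"""
import cmath
import math

SHORT_US = 400        # short pulse/gap element
LONG_US = 1200        # long element, 3x short
SYNC_GAP_US = 12400   # silence separating repeats of the frame
FS = 250_000          # sample rate of the constructed capture, Hz


def encode_frame(bits):
    """One frame as [(level, duration_us), ...]: sync pulse, sync gap, then
    '0' = short high + long low, '1' = long high + short low."""
    pulses = [(1, SHORT_US), (0, SYNC_GAP_US)]
    for b in bits:
        if b == "0":
            pulses += [(1, SHORT_US), (0, LONG_US)]
        elif b == "1":
            pulses += [(1, LONG_US), (0, SHORT_US)]
        else:
            raise ValueError("bits must be a string of '0'/'1'")
    return pulses


def synth_iq(pulses, fs=FS, offset_hz=15_000, amp=0.8):
    """Constructed IQ capture: an OOK carrier sitting offset_hz from the
    tuner centre (so it rotates in the complex plane), keyed by the pulses,
    plus a small deterministic disturbance standing in for noise."""
    iq, n = [], 0
    for level, dur_us in pulses:
        for _ in range(int(fs * dur_us / 1_000_000)):
            phase = 2 * math.pi * offset_hz * n / fs
            iq.append(amp * level * cmath.exp(1j * phase)
                      + 0.02 * cmath.exp(1j * 7 * n))
            n += 1
    return iq


def envelope(iq):
    """Non-coherent AM demodulation: |I + jQ|. The carrier offset drops out."""
    return [abs(s) for s in iq]


def slice_runs(env):
    """Threshold at the midpoint of the envelope range and run-length encode
    into [(level, n_samples), ...]."""
    thr = (max(env) + min(env)) / 2
    runs = []
    for s in env:
        lvl = 1 if s > thr else 0
        if runs and runs[-1][0] == lvl:
            runs[-1][1] += 1
        else:
            runs.append([lvl, 1])
    return [(lvl, n) for lvl, n in runs]


def decode_frame(runs):
    """Locate the sync gap (longest low run), then read bits by comparing
    each high pulse with the gap after it. Using the ratio within a bit,
    not absolute widths, tolerates drift in the remote's RC oscillator."""
    lows = [(i, n) for i, (lvl, n) in enumerate(runs) if lvl == 0]
    if not lows:
        raise ValueError("no gaps in capture")
    i = max(lows, key=lambda t: t[1])[0] + 1
    bits = []
    while i + 1 < len(runs):
        (hl, hn), (ll, ln) = runs[i], runs[i + 1]
        if hl != 1 or ll != 0:
            break
        if ln >= 5 * hn:          # next sync gap: the frame repeats from here
            break
        bits.append("0" if hn < ln else "1")
        i += 2
    return "".join(bits)


def clone(iq, fs=FS):
    """Capture-to-replay in one step, which is what OOKLONE automates:
    returns (decoded bits, IQ burst that re-transmits them)."""
    bits = decode_frame(slice_runs(envelope(iq)))
    return bits, synth_iq(encode_frame(bits), fs)


if __name__ == "__main__":
    code = "101100111000110001010110"   # constructed 24-bit remote code
    capture = synth_iq(encode_frame(code))
    bits, replay = clone(capture)
    print(bits, bits == code, len(replay), "samples to replay")
```

The replay works only because the outlet accepts the same fixed code every time; a receiver that expected a rolling code would reject the re-synthesized burst, which is the mitigation the Black Hat talks below keep coming back to.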

Videos from DEFCON 22 Wireless Village Talks

Another security and hacking conference that recently finished is DEF CON 22 (2014). During this conference there was a "Wireless Village" where talks covered all things related to radio frequency, and many of them were related to Software Defined Radio.

A list of all talks at the Defcon Wireless Village 2014 can be found on this page. The most interesting talks that we found related to SDR are shown below.

Hacking the Wireless World with Software Defined Radio

Presented by Balint Seeber, SDR Evangelist at Ettus Research. Balint presented a similar talk at Black Hat, and the slides to go along with that can be found here.

Ever wanted to spoof a restaurant’s pager system? How about use an airport’s Primary Surveillance RADAR to build your own bistatic RADAR system and track moving objects? What sorts of RF transactions take place in RFID systems, such as toll booths, building security and vehicular keyless entry? Then there’s ‘printing’ steganographic images onto the radio spectrum…

Wireless systems, and their radio signals, are everywhere: consumer, corporate, government, amateur – widely deployed and often vulnerable. If you have ever wondered what sort of information is buzzing around you, this talk will introduce how you can dominate the RF spectrum by ‘blindly’ analysing any signal, and then begin reverse engineering it from the physical layer up. I will demonstrate how these techniques can be applied to dissect and hack RF communications systems, such as those above, using open source software and cheap radio hardware. In addition, I’ll show how long-term radio data gathering can be used to crack poorly-implemented encryption schemes, such as the Radio Data Service’s Traffic Message Channel. If you have any SDR equipment, bring it along!

Hacking the Wireless World with Software Defined Radio 2.0

So ya wanna get into SDR?

Not explained through erotic interpretive dance, though could be, this presentation will cover the essentials for getting into the software defined radio hobby. Hardware requirements, distributed nodes, architecture designs, tips/tricks, random projects and common mistakes will be explained. This will be a technical talk that will be open for harassment, jokes, interaction and presented in a way that everyone will be able to take something away from it; wait, this is Vegas… but we’re hackers…

So You Want to SDR?

SDR Tricks with HackRF

HackRF and some other Software Defined Radio platforms can be used in creative ways. I’ll show methods, including a dirty trick or two, for using HackRF outside the advertised frequency range. I’ll also show how the HackRF design lends itself to use as an oscilloscope or function generator suitable for many hardware hacking tasks.

SDR Tricks with the HackRF

PortaPack: Is that a HackRF in your Pocket?

The PortaPack H1 transforms the HackRF One software-defined radio into a hand-held radio exploration tool. Spectrum analysis, monitoring and logging, and demodulation and injection of simpler digital modes will be demonstrated by Jared Boone, a HackRF project contributor.

PortaPack: Is That a HackRF in Your Pocket?

PHYs, MACs, and SDRs

The talk will touch on a variety of topics and projects that have been under development including YateBTS, PHYs, MACs, and GNURadio modules. The talk will deal with GSM/LTE/WiFi protocol stacks.

PHYs, MACs and SDRs

SDR Unicorns

A panel with SDR Gurus Michael Ossmann, Balint Seeber and Robert Ghilduta.

Black Hat Software Defined Radio Talks

Black Hat, a large conference on information security topics, has recently finished, and videos of some of the talks have now been uploaded to YouTube. This year we found three talks related to Software Defined Radio.

Breaking the Security of Physical Devices by Silvio Cesare

We posted about Silvio’s successful attempt at breaking into a car wirelessly earlier this month and now here is his presentation.

In this talk, I look at a number of household or common devices and things, including a popular model car and physical security measures such as home alarm systems. I then proceed to break the security of those devices. The keyless entry of a 2004/2005 popular make and widely used car is shown to be breakable with predictable rolling codes.

The actual analysis involved not only mathematics and software defined radio, but the building of a button pushing robot to press the keyless entry to capture data sets that enable the mathematical analysis.

Software defined radio is not only used in the keyless entry attack, but in simple eavesdropping attacks against 40 MHz analog baby monitors. But that's an easy attack. A more concerning set of attacks are against home alarm systems. Practically all home alarm systems that had an RF remote to enable and disable the system were shown to use fixed codes. This meant that a replay attack could disable the alarm.

I built an Arduino and Raspberry Pi based device for less than $50 that could be trained to capture and replay those codes to defeat the alarms. I also show that by physically tampering with a home alarm system by connecting a device programmer, the EEPROM data off the alarm's microcontroller can be read. This means that an attacker can read the secret passcode that disables or enables the alarm.

In summary, these attacks are simple but effective in physical devices that are common in today’s world. I will talk about ways of mitigating these attacks, which essentially comes down to avoiding the bad and buying the good. But how do you know what’s the difference? Come to this talk to find out.


Bringing Software Defined Radio to the Penetration Testing Community

Online slides.

“The large adoption of wireless devices goes further than WiFi (smartmeters, wearable devices, Internet of Things, etc.).

The developers of these new types of devices may not have a deep security background and it can lead to security and privacy issues when the solution is stressed.

However, to assess those types of devices, the only solution would be a dedicated hardware component with an appropriate radio interface for each one of them.

That is why we developed an easy-to-use wireless monitor/injector tool based on Software Defined Radio using GNU Radio and the well-known scapy framework.

In this talk, we will introduce this tool we developed for a wide range of wireless security assessments: the main goal of our tool is to provide effective penetration testing capabilities for security auditors with little to no knowledge of radio communications.”


AIS Exposed. Understanding Vulnerabilities and Attacks 2.0

Attacking AIS using software defined radio.

AIS Exposed. Understanding Vulnerabilities and Attacks 2.0 by Marco Balduzzi

RTL-SDR Software Radio with CTypes

Thomas Winningham, author of the rtl_fm_python web application for the RTL-SDR has given a talk at the PyOhio 2014 conference. In Thomas’ presentation he gives an overview of the RTL-SDR dongle and then goes on to discuss his RTL-SDR Python library and software.

If you are interested in developing your own software for the RTL-SDR this talk may be of interest to you as he discusses several aspects of the code used in his RTL-SDR library.

Software Radio with CTypes
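The core of driving an RTL-SDR from Python through ctypes, as an added example written for this page (it is not Thomas Winningham's rtl_fm_python or his library): declare the real librtlsdr prototypes, define the C callback type the driver uses for asynchronous reads, convert the dongle's unsigned 8-bit interleaved I/Q bytes to complex samples, and keep the callback object alive so the C side never calls a freed trampoline. The device path only runs when librtlsdr and a dongle are present; the 433.92 MHz tune frequency and 250 kHz sample rate are assumed values, and the sample bytes in the test are constructed.

```python
"""Added example (not rtl_fm_python): driving librtlsdr from Python with
ctypes. Prototypes are the real librtlsdr ones; the device path runs only
when the library and a dongle are present."""
import ctypes
import ctypes.util
import math

# rtlsdr_read_async_cb_t: void (*)(unsigned char *buf, uint32_t len, void *ctx)
READ_CB = ctypes.CFUNCTYPE(None, ctypes.POINTER(ctypes.c_ubyte),
                           ctypes.c_uint32, ctypes.c_void_p)


def load_librtlsdr():
    """Return the librtlsdr handle with prototypes declared, or None."""
    path = ctypes.util.find_library("rtlsdr")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    dev_pp = ctypes.POINTER(ctypes.c_void_p)
    protos = {
        "rtlsdr_get_device_count": ([], ctypes.c_uint32),
        "rtlsdr_open": ([dev_pp, ctypes.c_uint32], ctypes.c_int),
        "rtlsdr_close": ([ctypes.c_void_p], ctypes.c_int),
        "rtlsdr_set_center_freq": ([ctypes.c_void_p, ctypes.c_uint32], ctypes.c_int),
        "rtlsdr_set_sample_rate": ([ctypes.c_void_p, ctypes.c_uint32], ctypes.c_int),
        "rtlsdr_reset_buffer": ([ctypes.c_void_p], ctypes.c_int),
        "rtlsdr_read_sync": ([ctypes.c_void_p, ctypes.c_void_p, ctypes.c_int,
                              ctypes.POINTER(ctypes.c_int)], ctypes.c_int),
    }
    # Declaring argtypes/restype is what stops ctypes guessing int for
    # pointers, which silently breaks on 64-bit hosts.
    for name, (argtypes, restype) in protos.items():
        fn = getattr(lib, name)
        fn.argtypes, fn.restype = argtypes, restype
    return lib


def iq_from_bytes(buf):
    """The RTL2832U delivers interleaved unsigned 8-bit I,Q centred on 127.5;
    map each pair to a complex sample in [-1, 1]."""
    return [complex((buf[i] - 127.5) / 127.5, (buf[i + 1] - 127.5) / 127.5)
            for i in range(0, len(buf) - 1, 2)]


def power_dbfs(samples):
    """Mean power of a block relative to full scale (|s| == 1 is 0 dBFS)."""
    if not samples:
        return float("-inf")
    p = sum(abs(s) ** 2 for s in samples) / len(samples)
    return 10 * math.log10(p) if p > 0 else float("-inf")


class BlockCollector:
    """Python-side sink for rtlsdr_read_async callbacks. The CFUNCTYPE object
    is stored on the instance so it outlives the C call that registers it."""

    def __init__(self):
        self.blocks = []
        self.callback = READ_CB(self._on_block)

    def _on_block(self, buf, n, ctx):
        raw = ctypes.string_at(buf, n)   # copy out before the driver reuses buf
        self.blocks.append(iq_from_bytes(raw))


def feed_bytes(collector, raw):
    """Push raw bytes through the C-callable callback, as the driver would,
    and return the decoded samples of that block."""
    buf = (ctypes.c_ubyte * len(raw))(*raw)
    collector.callback(buf, len(raw), None)
    return collector.blocks[-1]


def read_block_sync(lib, center_hz=433_920_000, rate_hz=250_000, nbytes=16384):
    """Open dongle 0, tune, and read one block synchronously; None if no dongle."""
    if lib is None or lib.rtlsdr_get_device_count() == 0:
        return None
    dev = ctypes.c_void_p()
    if lib.rtlsdr_open(ctypes.byref(dev), 0) != 0:
        return None
    try:
        lib.rtlsdr_set_sample_rate(dev, rate_hz)
        lib.rtlsdr_set_center_freq(dev, center_hz)
        lib.rtlsdr_reset_buffer(dev)
        buf = (ctypes.c_ubyte * nbytes)()
        n_read = ctypes.c_int(0)
        if lib.rtlsdr_read_sync(dev, buf, nbytes, ctypes.byref(n_read)) != 0:
            return None
        return iq_from_bytes(bytes(buf[: n_read.value]))
    finally:
        lib.rtlsdr_close(dev)


if __name__ == "__main__":
    samples = read_block_sync(load_librtlsdr())
    if samples is None:
        print("no librtlsdr or no dongle; exercising the conversion path only")
        samples = feed_bytes(BlockCollector(), bytes([0, 255, 127, 128]))
    print(len(samples), "samples,", round(power_dbfs(samples), 1), "dBFS")
```

Two details matter for anything built on this: the callback must be referenced from Python for as long as the driver can call it, and the buffer handed to the callback belongs to the driver, so copy it out inside the callback rather than holding the pointer.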

XiOne – An RTL2832U based Portable Software Defined Radio: Indiegogo Funding Campaign

A new funding campaign for an RTL2832U based software defined radio has gone up on Indiegogo. The new SDR is called the XiOne and is intended to be the first SDR that is easy to use with smartphones and open to the maker community.

With its 100 kHz to 1.7 GHz receiving range, the XiOne has a similar tuning range to the standard RTL-SDR dongles when an upconverter or the direct sampling mod is used. What makes the XiOne different is that it will have a built in MIPS processor, an internal rechargeable battery for portability and it will connect directly through WiFi to a smart device. They are also developing SDR GUI software for mobile devices including decoders for things like ADS-B, AIS and NOAA Satellites.

The Indiegogo backer price for a XiOne is $179 USD, but if you act fast there are 100 units available at the promotional price of $139 USD. At the moment they have a working prototype with completed firmware, a portable Java based SDR GUI, iPhone demodulation software, a MacOS ADS-B receiver, an iPad AIS receiver and an iPad spectrum analyzer. The fundraiser is to help them begin serial production.

There is a Reddit thread discussing the project here.

XiOne Prototype Internals
XiOne Casing

Hak5: ToorCamp Finale And More Fun With SDR

In this episode of Hak5 amongst other things presenter Shannon explores yet another SDR GUI alternative at around the 14 minute mark. This time she shows SDR-RADIO which is an RTL-SDR compatible alternative to SDR# and HDSDR. She shows how to install SDR-RADIO and how to use it. If you are interested in SDR-RADIO we also have installation instructions available on our Quickstart Guide.

ToorCamp Finale And More Fun With SDR, Hak5 1625

Brute Force Unlocking a Car with a USRP Software Defined Radio

Wired.com has posted an article showing how security researcher Silvio Cesare was able to use his USRP software defined radio to unlock a car with wireless entry. Essentially his hack involves brute forcing the rolling security code used by the wireless unlocking protocol. Even with just a brute force attack he was able to unlock his car in a few minutes. While this hack probably won't work with newer cars, which disable unlocking for a few minutes after a number of failed code attempts, Cesare notes that it will probably work for many similar cars that are ten or more years old.

This article goes along with their previous one discussing how thieves could hack into a home alarm system using a software defined radio.

The USRP is an advanced software defined radio that sells for around a thousand dollars, but we note that the same attack could be performed with the cheaper HackRF SDR, which is just now becoming available.

Hak5: Exploring With The PortaPack and HDSDR

In this Hak5 episode Darren discusses the HackRF PortaPack which is a portable LCD screen device that connects to a HackRF SDR and allows portable frequency spectrum visualization. The PortaPack is currently under development and in the future it will allow demodulation of multiple audio modes and possibly digital demodulation and recording capabilities as well.

Later in the episode Shannon presents a tutorial on HDSDR, an SDR GUI alternative to SDR#. She shows how to install and use the HDSDR program.

Exploring With The PortaPack and HDSDR; Then Relaxing In A HotTub, Hak5 1624

Updates on Keenerds RTL-SDR Improvement Project

If you didn't already know, Keenerd (aka Kyle Keen), author of rtl_fm, rtl_power, rtl_adsb and rtl_sdl, is running a fundraiser to pay for a month of RTL-SDR improvement programming. At the time of this post we are about halfway through the fundraiser's 30 day limit and it has already raised $2,260 USD of the $3,000 USD minimum. Keenerd has also written a report on the status of the fundraiser so far.

Remember that the more funds raised, the more time he will have to work on the software meaning a better RTL-SDR experience for everyone. (Note that the improvements are for Windows, Mac and Linux).

Having raised this much already Keenerd has begun work and has already made some improvements to the RTL-SDR drivers based on Teejeez’s work. A list is shown below.

  • dithering[3] - Possibly the secret sauce to phase aligned multiple dongles. I don’t have the setup to operate this or the math to confirm. rtl_sdr -N or rtlsdr_set_dithering() to access it.
  • IF freq and bandwidth filters[4] - Extend the HF range somewhat. Less out-of-band aliasing.
  • register caching[5] - Don’t re-send values that have not changed. Slightly modified the noise floor in my tests, which it should not have.
  • register batching[6] - Delay changing registers until a command finishes, then send them all.
  • cache i2c repeater[7] - Normally the i2c port is enabled and disabled between every single byte. Leave it open while it's in use.
  • pll tweaks[8] - People smarter than me wrote these, and it didn’t seem to make anything worse. Might also extend the HF range.

See the original Reddit thread discussing these improvements here and here for a link to the GitHub download page. Note that at the moment you will need to compile the drivers yourself.