Tagged: hackrf

Combining the Bandwidth of two HackRF’s

RTL-SDR.com reader Syed Ghazanfar Ali Shah Bukhari from the Frequency Allocation Board in Pakistan recently emailed us to let us know a trick he’s found which lets you combine the bandwidths of two HackRF software defined radios in GNU Radio. Syed’s program is based on Oliver’s flowgraph that we posted previously, which was used to combine the bandwidth of two RTL-SDR dongles.

Syed also sent us the GRC file to share which we’ve uploaded here.

He writes:

I have used grc flow graph of Oliver as mentioned in the link :-
http://www.rtl-sdr.com/combining-the-bandwidth-of-two-rtl-sdr-dongles-in-gnu-radio and modified it to be used with 2 HackRF Ones. I also shifted the two bandwidths inward by 1 MHz instead of 0.2 MHz to make a smooth continuation for a 38 MHz spectrum. Unfortunately one of my HackRF Ones has its RF Amp burnt up so I adjusted its IF and BB gain to have same noise floor as that of other HackRF One. It’s really awesome. I am sending you the diagram and grc file. The attached image is showing complete GSM900 downlink spectrum (38 MHz) in my area with active 2G and 3G signals.

Multi HackRF Spectrum
Multi HackRF Spectrum
Multi HackRF GRC flowgraph
Multi HackRF GRC flowgraph

GNURadio Conference 2016 Talks

Back in September the GNU Radio 2016 (GRCon16) conference was held. GRCon16 is an annual conference centered around the GNU Radio Project and community, and is one of the premier software defined radio industry events. GNU Radio is an open source digital signals processing (DSP) tool which is often used with SDR radios.

A few days ago videos of all the presentations were released on their YouTube channels, and all the slides can be found on their webpage.

One of our favorite talks from the conference is Micheal Ossmanns talk on his idea to create a low cost $150 RX/TX radio. Micheal Ossmann is the creator of the HackRF which is a $299 USD RX/TX capable SDR. It was one of the first affordable general purpose wide frequency TX capable SDRs. Micheal also mentions his other projects including Neapolitan which will be an add on for the HackRF which will enable full-duplex communications and Marizpan which will essentially be a single board Linux SDR using the HackRF circuit.


Another is Balints talk on “Hacking the Wireless World” where he does an overview of various signals that can be received and analyzed or decoded with an SDR. Some applications he discusses include Aviation, RDS Traffic Management Channel, Radio Direction Finding, OP25, IoT, SATCOM and his work on rebooting the ISEE-3 space probe.


Using a Yardstick One, HackRF and Inspectrum to Decode and Duplicate an OOK Signal

Over on his YouTube channel user Gareth has uploaded a video that shows a full tutorial on quickly decoding an On Off Keyed (OOK) signal with a HackRF (or RTL-SDR) and the Inspectrum software. Once decoded he then shows how to use a Yardstick One to duplicate the signal.

Inspectrum is a Linux based program that allows you to easily determine various parameters of a digital modulated signal by positioning an overlay over the waveform of a signal recorded with an SDR. Basically Gareth’s process is to first extract signal level values using Inspectrum, then secondly use a simple Python program to turn these values into binary bits, which gives him the data packet. He is then finally able to write another quick Python program to interface with the Yardstick One and retransmit the string.

The Yardstick One is a multipurpose radio (not a SDR) for transmitting modulated signals like OOK.


Building an S-Band Antenna for the HackRF

Mario Filippi, a regular contributor to our blog and to the SDR community recently wrote in with an article showing how he built an S-Band (2 – 4 GHz) antenna for use with the HackRF. Of course the antenna can be used with any other SDR that can receive in this range, or with an RTL-SDR and downconverter. We post his article below.

S -Band Antenna for use with the HackRF One
Author: Mario Filippi, N2HUN

Ever since purchasing a HackRF One, which receives from 1 MHz – 6.0 GHz I’ve always wanted to explore the world above 1 Gig, specifically the 2.0 – 2.7 GHz portion of the S-band. This portion of the band is populated with satellite communications, ISM, amateur radio, and wireless networks. A good, homebrew antenna for S-band was needed, so with parts mostly from the junk box, a 2250 MHz S-band right hand circularly polarized omni-directional antenna was built. Below is a step by step tutorial on building this antenna. Plans were from UHF-Satcom’s site.

The final S-band antenna
The final S-band antenna

Continue reading

rx_tools: RTL-SDR Command Line Tools (rtl_power, rtl_fm, rtl_sdr) Now Compatible With Almost Any SDR

Developer R. X. Seger has recently released rx_tools which provides SDR independent ports for the popular command line RTL-SDR tools rtl_power, rtl_fm and rtl_sdr. This means that these tools can now be used on almost any SDR, such as the bladeRF, HackRF, SDRplay, Airspy and LimeSDR. If you don’t know what the tools do, then here is a quick break down:

rtl_fm / rx_fm: Allows you to decode and listen to FM/AM/SSB radio.
rtl_sdr / rx_sdr: Allows you to record raw samples for future processing.
rtl_power / rx_power: Allows you to do wideband scans over arbitrarily wide swaths of bandwidth by hopping over and recording signal power levels over multiple chunks of spectrum.

rx_tools is based on SoapySDR which is an SDR abstraction layer. If software is developed with SoapySDR, then the software can be more easily used with any SDR, assuming a Soapy plugin for that particular SDR is written. This stops the need for software to be re-written many times for different SDR’s as instead the plugin only needs to be written once.

rx_power scan with the HackRF at 5 GHz over 9 hours.
rx_power scan with the HackRF at 5 GHz over 9 hours.

Cheating at Pokémon Go with a HackRF and GPS Spoofing

“Pokémon Go” is the latest in smartphone augmented reality gaming crazes. You may have already heard about the game on the news, or seen kids playing it in your neighborhood. To play, players must walk around in the real world with their GPS enabled smartphone, collecting different virtual Pokémon which appear at random spots in the real world, replenishing the virtual items need to collect Pokemon at “Pokéstops” and putting Pokémon to battle at “Gyms”. Pokéstops and gyms are often city landmarks such as popular shops, fountains, statues, signs etc. For those who have no idea what “Pokémon” are: Pokémon are fictional animals from a popular children’s cartoon and comic.

Since the game is GPS based, Stefan Kiese decided to see if he could cheat at the game by spoofing his GPS location using a HackRF software defined radio. The HackRF is a relatively low cost multipurpose TX and RX capable software defined radio. When playing the game, players often walk from Pokéstop to Pokéstop, collecting Pokémon along the way, and replenishing their items. By spoofing the GPS signal he is able to simulate walking around in the physical world, potentially automating the collection of Pokémon and replenishment of items at Pokéstops.

To do this he used the off the shelf “GPS-SDR-Sim” software by Takuji Ebinuma which is a GPS Spoofing tool for transmit capable SDR’s like the HackRF, bladeRF and USRP radios. At first, when using the software Stefan noticed that the HackRF was simply jamming his GPS signals, and not simulating the satellites. He discovered the problem was with the HackRF’s clock not being accurate enough. To solve this he used a function generator to input a stable 10 MHz square wave into the HackRF’s clock input port. He also found that he needed to disable “Assisted GPS (a-gps)” on his phone which uses local cell phone towers to help improve GPS location tracking.

Next he was able to use the GPS-SDR-Sim tools to plot a simulated walking route and see his virtual character walking around on the real world map. A warning if you intend on doing this: Remember that 1) spoofing or jamming GPS is highly illegal in most countries outside of a shielded test lab setting, so you must ensure that your spoofed GPS signal does not interfere with anything, and 2) the game likely has cheating detection and will probably ban you if you don’t simulate a regular walking speed.

GPS spoofing is not new. One attempt in 2013 allowed university researchers to send a 80 million dollar 213-foot yacht off course, and it is suspected that hackers from the Iranian government have used GPS spoofing to divert and land an American stealth drone back in 2011. In past posts we also showed how security researcher Lin Huang was able to spoof GPS and bypass drone no fly restrictions.

[Also seen on Hackaday.com]
The "Pokemon Go" GPS spoofing set up.
The “Pokemon Go” GPS spoofing set up.

SDR4Everyone: Review of the HackRF

Over on his ‘SDR4Everyone’ blog author Akos has recently uploaded a new post that reviews the HackRF One, and also compares it against the SDRplay RSP and RTL-SDR. In his review he discusses his first impressions of the HackRF, his concerns about it being labelled as a transceiver, and some of its various features. He also does a screenshot comparison of the HackRF, RSP and RTL-SDR on shortwave reception and image rejection performance. Akos also notes that there are not many applications in the high gigahertz range that cannot be done with cheaper or more specialized equipment. Finally he concludes that the HackRF is not very sensitive or good at RX in general, but still has enough features to make it a worthwhile purchase for some people.

If you are interested in the HackRF, we also have our own review that compares the HackRF, SDRplay RSP and Airspy.

The SDRplay and HackRF One.
The SDRplay and HackRF One.

Stealing a Drone with Software Defined Radio

PHDays (Positive Hack Days) is a yearly forum with a focus on ethical hacking and security. During this years forum which took place in June, the organizers set up a competition where the goal was to “steal” or take control of a Syma X8C quadcopter drone. The drone runs on the nRF24L01 module, which from previous posts we have seen can easily be sniffed and decoded with an RTL-SDR or other SDR.

To reverse engineer the drones wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just using an Arduino and nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered and then were able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.

The Syma X8C drone to be stolen in the competition.
The Syma X8C drone to be stolen in the competition.