A Review of the HackRF PortaPack (With Havoc Firmware)

The PortaPack is a US$220 add-on for the HackRF software defined radio (HackRF + PortaPack + Accessory Amazon bundle) which allows you to go portable with the HackRF and a battery pack. It features a small touchscreen LCD and an iPod like control wheel that is used to control custom HackRF firmware which includes an audio receiver, several built in digital decoders and transmitters too. With the PortaPack no PC is required to receive or transmit with the HackRF.

Of course as you are fixed to custom firmware, it's not possible to run any software that has already been developed for Windows or Linux systems in the past. The official firmware created by the PortaPack developer Jared Boone has several decoders and transmitters built into it, but the third party 'Havoc' firmware by 'furrtek' is really what you'll want to use with it since it contains many more decoders and transmit options.

As of the time of this post the currently available decoders and transmit options can be seen in the screenshots below. The ones in green are almost fully implemented, the ones in yellow are working with some features missing, and the ones in grey are planned to be implemented in the future. Note that for the transmitter options, there are some there that could really land you in trouble with the law so be very careful to exercise caution and only transmit what you are legally allowed to.

Some screenshots from the HackRF Portapack Havok Firmware
Some screenshots from the HackRF Portapack Havoc Firmware
More Havok firmware screenshots from the GitHub page.
More Havoc firmware screenshots from the GitHub page.

Although the PortaPack was released several years ago we never did a review on it as the firmware was not developed very far beyond listening to audio and implementing a few transmitters. But over time the Havok firmware, as well as the official firmware has been developed further, opening up many new interesting applications for the PortaPack.

Doing a replay attack on a wireless keyfob using the Portapack.
Doing a replay attack on a wireless keyfob using the PortaPack.

Testing the PortaPack with the Havoc Firmware

Capture and Replay

One of the best things about the PortaPack is that it makes capture and replay of wireless signals like those from ISM band remote controls extremely easy. To create a capture we just need to enter the "Capture" menu, set the frequency of the remote key, press the red 'R' Record button and then press the key on the remote. Then stop the recording to save it to the SD Card.

Now you can go into the Replay menu, select the file that you just recorded and hit play. The exact same signal will be transmitted over the air, effectively replacing your remote key.

We tested this using a simple remote alarm system and it worked flawlessly first time. The video below shows how easy the whole process is.

Portapack Replay

Portapack Microphone Transmitter
PortaPack Microphone Transmitter

Microphone TX

Using the 3.5mm audio jack the Portapack can also be used as a standard Push to Talk or voice activated walkie talkie radio. With a microphone plugged into the audio jack simply hold down the right button to push to talk. If required you can also enable multiple CTCSS tone options, as well as tones that look like they enable transmission to wireless headphones.

Portapack SSTV Transmitter
PortaPack SSTV Transmitter

Other Transmitters

We also briefly tried transmitting with the SSTV feature and we were easily able to receive the transmitted image on a PC using an RTL-SDR and SSTV decoding software. Other ham modes available for transmitting include APRS and Morse code.

There is also a generic OOK transmitter which can be programmed with custom data. This mode might be useful for experimenting with simple keyfobs, or things like home automatation switches.

What might be disturbing to some is that there are also numerous transmit modes implemented that are illegal in most countries and could get you into huge trouble. One obvious one is the signal jammer. To test the jammer we connected the PortaPack to a dummy load to prevent the signal from travelling more than a few centimeters away, and placed an RTL-SDR with antenna nearby. With that it was easy to see the jamming signal as shown in the image below.

Jamming with the Portapack
Jamming with the PortaPack

There are also more niche troubling transmitters implemented such as the NTTworks burger pager transmitter, which presumably activates some of those small pagers that you receive at some restaurants to tell you when the food is ready. There is also a Keyfob transmitter which looks like it might possibly be able to lock and unlock certain models of older flawed Subaru vehicles. Then there's a BHT Xy/EP transmitter which we think might be able to turn on and off street lights in some European countries, and the implementation of TEDI/LCR which is possibly used for French electronic street signs. Also troubling is the implementation of an ADS-B and POCSAG transmitter.

If you are experimenting with the PortaPack and the aptly named 'Havoc' firmware be very careful not to activate these modes unless you have some legit purpose as they could indeed cause some serious trouble, possibly even landing you in jail.

Receivers

By connecting speakers to the Portapack's 3.5mm audio jack we were easily able to listen in on standard NFM and WFM audio signals. The displayed bandwidth is only as wide as the signals are, so it can be a bit hard to explore the frequency bands if you don't already known the frequencies, so we'd recommend having a frequency list handy first.

Receiving WFM and NFM audio with the Portapack.
Receiving WFM and NFM audio with the PortaPack.

We also tested ADS-B reception with our ADS-B LNA. The bias tee on the HackRF can be easily enabled on the PortaPack by selecting the inductor and lightning symbol on the top right. With the bias tee enabled we were able to receive aircraft.

Conclusion

The PortaPack is a very handy partner to the HackRF. It allows you to experiment with, record, listen, decode and transmit RF signals out in the field, without the need for any computer. You do need to be responsible and careful with the device though, as there is the huge potential of getting in trouble with it if you start transmitting illegal things.

The biggest use that we see for the PortaPack is for testing capture and replay attacks, and perhaps for capturing IQ data out in the field, for later analysis back in the lab on a computer. But many of the receivers and transmitters implemented can be fun to play around with too.

9 comments

  1. Onkel

    Is this worth buying today? Hackrf is old hardware and portapack too. 700$ is not exactly cheap. I love the idea but will there be anything like this but new version?

    Hackrf 2.0
    Limesdr mini

  2. RadioEarz

    “….be very careful not to activate these modes unless you have some legit purpose as they could indeed cause some serious trouble, possibly even landing you in jail.”

    Two years inside for building, owning or operating a mobile phone jammer in Australia, ouch.

    Although as a clean skin SDR geek you will probably get 6 month first offence.

  3. Siva_Tango_Delta

    Backed HackRF on KS & love it.
    Is the PortaPack software available for use on other platforms so we can use it on a laptop, tablet or cell phone?

    • unixpunk

      @Siva_Tango_Delta – No, only runs on the little processor on the portapack I believe, not sure it can be cross-compiled due to the specific hardware used.

    • Short: No

      > Is the PortaPack software available
      The full GPL source code is available.
      https://github.com/sharebrained/portapack-hackrf
      https://github.com/furrtek/portapack-havoc

      > For use on other platforms so we can use it on a laptop, tablet or cell phone?
      Short answer: Nope.

      Long answer: Your question is a lot like asking can the engines from a Saturn V rocket be installed on a pickup truck. The software is custom written and extremely optimized for one physical device, to modify that would require a massive amount of work and some crazy outside the box thinking. Even then not everything will function. There will be latency issues, with the CPU directly connected to the ADC/DAC latency is of the order of nanoseconds to microseconds (Port-a-pack). But accessing an SDR over USB 2.0 the latency is in the order of milliseconds, somethings will just never work with 1000 times the delay (two way protocol handshakes).

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.