Category: HackRF

Measuring the Noise Figure of Airspy and HackRF SDRs in Real Time

The Noise Figure (NF) is an important metric for low noise amplifiers and SDRs. It's a measure of how much components in the signal chain degrade the SNR of a signal, so a low noise figure metric indicates a more sensitive receiver. The Noise Figure of a radio system is almost entirely determined by the very first amplifier in the signal chain (the one closest to the antenna), which is why it can be very beneficial to have a low NF LNA placed right at the antenna

Over on his blog Rowetel has been attempting to measure the noise figure of his HackRF and Airspy, and also with the SDRs connected to an LNA. He's managed to come up with a method for measuring the noise figure of these devices in real time. The method involves using a GNU Octave script that he created and a calibrated signal generator.

It’s a GNU Octave script called nf_from_stdio.m that accepts a sample stream from stdio. It assumes the signal contains a sine wave test tone from a calibrated signal generator, and noise from the receiver under test. By sampling the test tone it can establish the gain of the receiver, and by sampling the noise spectrum an estimate of the noise power.

As expected, Rowetel found that the overall noise figure was significantly reduced with the LNA in place, with the Airspy's measuring a noise figure of 1.7/2.2 dB, and the HackRF measuring at 3.4 dB. Without the LNA in place, the Airspy's had a noise figure of 7/7.9 dB, whilst the HackRF measured at 11.1 dB.

Some very interesting sources of noise figure degradation were discovered during Rowetel's tests. For example the Airspy measured a NF 1 dB worse when used on a different USB port, and using a USB extension cable with ferrites helped too. He also found that lose connectors could make the NF a few dB's worse, and even the position of the SDR and other equipment on his desk had an effect.

Noise figure measurement
Noise figure measurement

Viewing Drone Signals with HackRF being used as a Wideband Spectrum Analyzer

Over on his YouTube channel user Andy Clarke has uploaded a video where he demonstrates his HackRF being used as a wideband spectrum analyzer with the HackRF Spectrum Analyzer software. About a year ago the HackRF team released a new firmware update which enabled the HackRF to be able to sweep through the frequency spectrum at a rate of up to 8 GHz per second. This allowed the HackRF to be used as a wideband spectrum analyzer which is able to display an arbitrarily large swath of spectrum. Shortly after the firmware update spectrum analyzer program by 'pavsa' was released on GitHub.

In the video Andy demonstrates the HackRF being used to view the WiFi band and show a 2.4 GHz WiFi connection between a drone and it's controller. He also shows it working with a handheld radio and the uplink of his mobile phone. Andy hopes to use the HackRF to avoid losing his drones due to interference.

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the  chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.


Pseudo-Doppler Direction Finding with a HackRF and Opera Cake

Last week we posted about Micheal Ossmann and Schuyler St. Leger's talk on Pseudo-Doppler direction finding with the HackRF. The talk was streamed live from Schmoocon 18, but there doesn't seem to be an recorded version of the talk available as of yet. However, Hackaday have written up a decent summary of their talk.

In their direction finding experiments they use the 'Opera Cake' add-on board for the HackRF, which is essentially an antenna switcher board. It allows you to connect multiple antennas to it, and choose which antenna you want to listen to. By connecting several of the same type of antennas to the Opera Cake and spacing them out in a square, pseudo-doppler measurements can be taken by quickly switching between each antenna. During the presentation they were able to demonstrate their setup by finding the direction of the microphone used in the talk.

If/when the talk is released for viewing we will be sure to post it on the blog for those who are interested.

OperaCake running with four antennas
OperaCake running with four antennas
Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.
Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.


Schmoocon 18: Live Stream of Micheal Ossmann and Schuyler St. Leger on Psuedo-Doppler begins in 15 minutes

Micheal Ossmann @michaelossmann (famous for creating the HackRF SDR and various other projects) and Schuyler St. Leger @DocProfSky (a very talented young man) will soon be presenting their "Pseudo-Doppler Redux" talk at the Schmoocon 2018 conference at 3:30pm EST. The talk is available for all to watch live on Livestream.

Michael Ossmann and Schuyler St. Leger demonstrate their new take on Pseudo-Doppler direction finding techniques, using SDR to enhance direction finding capabilities.

Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.
Schyler's Poster on Pseudo Doppler from GNU Radio Con 17.

Reverse Engineering or Brute Forcing Wireless Powerplug Remote Controls with a HackRF One

Over on his blog "Foo-Manroot" has created a post where he shows us how he can control a wirelessly controlled powerplug with his HackRF. These power plugs can be used to turn electrically devices on or off remotely, and their wireless protocol is often simple On-Off Keying (OOK) with little to no security.

Foo-Manroot first explains how easily capture and replay a signal with the HackRF. If the signal is simple without any security like rolling codes then a simple replay attack like this will allow the HackRF to control the device quite easily. In the next section he goes on to explain how to actually analyze and synthesize the packets yourself using Python and GNU Radio. Finally he also shows that a brute force attack can be applied once you know how to synthesize the signal. Brute forcing runs over every possible packet combination in a short time and this can be pretty fast for simple protocols like those used in wireless remote controls. His post also includes all the GNU Radio files required so it is easy for someone to replicate his work easily.

If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks then we have a tutorial for doing this with a simple RTL-SDR and Raspberry Pi running RpiTX which might be useful for those who don't have a HackRF.

HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets
HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets


Reverse Engineering for a Secure Future: Talk by Samy Kamkar

During the Hackaday superconference held during November 2017, Samy Kamkar presented a talk on how he reverse engineers devices, and in particular passive entry and start systems in vehicles. In the talk he also explains what tools he uses which includes SDRs like the HackRF One and RTL-SDR dongle and explains the methodology that he takes when looking at how to reverse engineer any new device. Samy is most famous for writing the Samy MySpace computer worm and also popularizing the "RollJam" wireless car door vulnerability. The talk blurb reads:

In this talk Samy Kamkar shares the exciting details on researching closed systems & creating attack tools to (demonstrate) wirelessly unlocking and starting cars with low-cost tools, home made PCBs, RFID/RF/SDR & more. He describes how to investigate an unknown system, especially when dealing with chips with no public datasheets and undisclosed protocols. Learn how vehicles communicate with keyfobs (LF & UHF), and ultimately how a device would work that can automatically detect the makes/models of keyfobs nearby. Once the keyfobs have been detected, an attacker could choose a vehicle and the device can wirelessly unlock & start the ignition. Like Tinder, but for cars.

Securing the Bitcoin network against Censorship with WSPR

Bitcoin WSPR Test Setup
Bitcoin WSPR Test Setup

If you didn't know already Bitcoin is the top cryptocurrency which in 2017 has begun gaining traction with the general public and skyrocketing to a value of over $19,000 US per coin at one point. In addition to providing secure digital transactions, cryptocurrencies like Bitcoin are intended to help fight and avoid censorship. But despite this there is no real protection from the Bitcoin internet protocol being simply blocked and censored by governments with firewalls or by large ISP/telecoms companies.

One idea recently discussed by Nick Szabo and Elaine Ou at the "Scaling Bitcoin 2017" conference held at Stanford University is to use the something similar to WSPR (Weak Signal Propagation Reporting Network) to broadcast the Bitcoin network, thus helping to avoid internet censorship regimes. To test their ideas they set up a HackRF One as a transmitter and RTL-SDR and used GNU Radio to create a test system.

Other ideas to secure the Bitcoin network via censorship resistant radio signals include kryptoradio, which transmits the network over DVB-T, and the Blockstream satellite service which uses an RTL-SDR as the receiver.

If you're interested in the presentation the talk on WSPR starts at about 1:23 in the video below. The slides are available here.