Category: HackRF

Hacking Beepers at a Fish & Chip Shop with an RTL-SDR and HackRF

Over on YouTube Paul from "Tall Paul Tech" has uploaded a video showing how he was able to reverse engineer the wireless protocol used by a simple restaurant beeper (aka 'burger pager') notification system that is used to let customers know when their food is ready.

By reading the label on the base unit, Paul found that the beeper system transmits at 433 MHz. He was then able to record its transmissions with an RTL-SDR. Then, using Inspectrum, he was able to determine the bit string and the symbol period.

From there he was able to use a GNU Radio program to replicate the signal, allowing him to use a HackRF to activate the beepers on demand.

In the past we've posted similar stories [1][2][3].

Hacking A Fish & Chip Shop

Tech Minds: Testing an RTL-SDR Wideband Scanner with WebUI

Over on YouTube Matt from the Tech Minds YouTube channel has put up a video demonstrating an open source program released on GitHub called "RTL SDR Scanner", or "rtl-sdr-scanner-cpp". This program is compatible with RTL-SDR and HackRF software defined radios, and allows users to record multiple analogue FM audio channels within the active bandwidth simultaneously. 

To get a wider bandwidth, you can use a HackRF as your SDR, or you can also use multiple RTL-SDR dongles, or a device like the KrakenSDR which has multiple RTL-SDRs built into it. Alternatively, you can also have the software scan a much larger swath of bandwidth, however this could result in some transmissions being missed. 

The audio is recorded as a wav file, and can be accessed through a web UI. We note that currently only FM recordings are supported but AM may be supported in the future.

RTL SDR Scanner - FULL Bandwidth Recording With WEB UI

SDRangel Now Available on Android: Mobile ADS-B, AIS, APT, Digital Voice, POCSAG, APRS, RS41 Radiosonde Decoders

SDRangel is a free open source software defined radio program that is compatible with many SDRs, including RTL-SDRs. SDRangel is set apart from other programs because of its huge swath of built-in demodulators and decoders.

Thank you to reader Jon for writing in and noting that SDRangel has recently been released for Android as a free Google Play download. This is an amazing development that could open up many doors into portable decoding setups as the Android version supports almost every decoder implemented on the desktop version. Jon writes:

It includes most of the functionality of the desktop version of SDRangel, including:

  • AM, FM, SSB, Broadcast FM and DAB, AIS, ADS-B, Digital Voice (DMR, dPMR, D-Star, FreeDV), Video (DVB-S, DVB-S2, NTSC, PAL), VOR, LoRa, M17, Packet (AX.25), Pager (POCSAG), Radiosonde (RS41), Time signal (MSF, DCF77, TDF and WWVB) modems.
  • RTL SDR, Airspy, Airspy HF, LimeSDR, HackRF and SDRplay support via USB OTG as well as networked SDRs
  • 2D and 3D signal analysis in both time and frequency domain with statistical measurements of SNR, THD, THD+N, SINAD, SFDR and channel power
  • Satellite tracker, star tracker, maps and rotator controller

It should work on Android 6 and up. It’s a straight port of the desktop application, so although it will run on a phone, probably best used on a large tablet with a stylus or mouse.

SDRangel on Android

Car Hacking in the Mr Robot TV Show Explained

Over on YouTube David Bombal has uploaded a video titled "Warning! This is how cars are hacked. Just like in Mr Robot." which explains how the car hacking scenes in Mr Robot worked. Mr Robot is a TV drama series about cybersecurity hackers, and it is known for portraying realistic hacks and scenarios. Back in 2019 we posted about an episode where they used a HackRF and Raspberry Pi to jam a garage door, before using the HackRF as an IMSI catcher. RTL-SDRs were also briefly used in some episodes.

David's video goes into greater detail about how realistic the hacking concepts displayed in the Mr Robot series are and whether they would work in reality. In this video he goes into particular detail about car hacking. He uses a HackRF and RTL-SDR and demonstrates attacks like jamming and signal replay.

This video is a part of a series exploring the hacks shown on Mr Robot. The full playlist can be found here.

Warning! This is how cars are hacked. Just like in Mr Robot.

HackRF Opera Cake Released: A Rapid RF Switching Board

Back in 2016 Michael Ossmann, founder of Great Scott Gadgets and creator of the HackRF, released schematics for 'Opera Cake', a rapid RF switching add-on board for the HackRF. We also saw back in a January 2018 post how Opera Cake was capable of being used as the switching hardware for pseudo-Doppler direction finding. Up until now Opera Cake has only been available as a schematic, for advanced hackers who could produce and build the board themselves.

Earlier this week Opera Cake was released for sale via various resellers in the US, UK and EU. The pricing from the US reseller is US$190.

Opera Cake is an antenna switching add-on board for HackRF One that is configured with command-line software either manually, or for automated port switching based on frequency or time. It has two primary ports, each connected to any of eight secondary ports, and is optimized for use as a pair of 1x4 switches or as a single 1x8 switch. Its recommended frequency range is 1 MHz to 4 GHz.

When HackRF One is used to transmit, Opera Cake can automatically route its output to the appropriate transmit antennas, as well as any external filters, amplifiers, etc. No changes are needed to the existing SDR software, but full control from the host is available.

Opera Cake also enhances the HackRF One’s use as a spectrum analyzer. Antenna switching works with the existing hackrf_sweep feature, which can sweep the whole tuning range in less than a second. Automatic switching mid-sweep enables the use of multiple antennas when sweeping a wide frequency range.

Opera Cake connected to multiple antennas

Software Defined Radio Academy 2022 Conference Talks

Videos of talks from the Software Defined Radio Academy 2022 (SDRA22) conference have recently been uploaded to YouTube. SDRA22 was held during the HAMRadio World Fair in Friedrichshafen, Germany during June 2022. The talks include topics on:

  • Usage of SDR in a contest
  • HackRF Supercluster
  • PLLs in software defined radios
  • M17 Project: A new digital voice mode for VHF and up
  • RM Processor to Xilinx FPGA Connection for SDR
  • User-Assisted Spectrum Labeling
  • The perfect HF Receiver. How would it look like today?
  • FutureSDR: An Async SDR Runtime for Heterogeneous Architectures
Playlist: SDR Academy 2022 @HAM Radio Fair

Fissure: An Open Source RF Reverse Engineering Framework

FISSURE (Frequency Independent SDR-Based Signal Understanding and Reverse Engineering) is a recently released open source framework that runs on Linux, and includes a whole suite of previously existing software that is useful for analyzing and reverse engineering RF signals. On top of that it includes a custom GUI with a bunch of custom software that ties everything together in a full reverse engineering process.

Recently the developers spoke at this year's Defcon conference, and the talk video is supplied at the end of this post. In their talk they explain the purpose of FISSURE, before going on to demonstrate it being used to reverse engineer a wireless X10 doorbell. FISSURE makes analyzing the signal easy, starting with spectrum analysis to find the signal, then signal recording, signal cropping, signal replay, crafting packets and crafting attacks.

News and developments about FISSURE can also be seen on their Twitter.

FISSURE is an open-source RF and reverse engineering framework designed for all skill levels with hooks for signal detection and classification, protocol discovery, attack execution, IQ manipulation, vulnerability analysis, automation, and AI/ML. The framework was built to promote the rapid integration of software modules, radios, protocols, signal data, scripts, flow graphs, reference material, and third-party tools. FISSURE is a workflow enabler that keeps software in one location and allows teams to effortlessly get up to speed while sharing the same proven baseline configuration for specific Linux distributions.

The framework and tools included with FISSURE are designed to detect the presence of RF energy, understand the characteristics of a signal, collect and analyze samples, develop transmit and/or injection techniques, and craft custom payloads or messages. FISSURE contains a growing library of protocol and signal information to assist in identification, packet crafting, and fuzzing. Online archive capabilities exist to download signal files and build playlists to simulate traffic and test systems.

The friendly Python codebase and user interface allows beginners to quickly learn about popular tools and techniques involving RF and reverse engineering. Educators in cybersecurity and engineering can take advantage of the built-in material or utilize the framework to demonstrate their own real-world applications. Developers and researchers can use FISSURE for their daily tasks or to expose their cutting-edge solutions to a wider audience. As awareness and usage of FISSURE grows in the community, so will the extent of its capabilities and the breadth of the technology it encompasses.

FISSURE RF Framework - Griffiss Institute & AIS Monthly Lecture + Education Series

Rolling-Pwn: Wireless rolling code security completely defeated on all Honda vehicles since 2012

Back in May we posted about CVE-2022-27254 where university student researchers discovered that the wireless locking system on several Honda vehicles was vulnerable to simple RF replay attacks. A replay attack is when a wireless signal such as a door unlock signal is recorded, and then played back at a later time with a device like a HackRF SDR. This vulnerability only affected 2016-2020 Honda Civic vehicles which came without rolling code security.

Recently a new vulnerability discovered by @kevin2600 that affects ALL Honda vehicles currently on the market (2012-2022) has been disclosed. The vulnerability is dubbed 'Rolling-PWN' (CVE-2022-27254) and as the name suggests, details a method for defeating the rolling code security that exists on most Honda vehicles. Rolling code security is designed to prevent simple replay attacks, and is implemented on most modern vehicles with wireless keyfobs. However @kevin2600 notes the following vulnerability that has been discovered:

A rolling code system in keyless entry systems is there to prevent replay attacks. After each keyfob button press, the rolling code's synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to allow for accidental key presses by design. Sending the commands in a consecutive sequence to the Honda vehicle resynchronizes the counter. Once the counter is resynced, commands from the previous cycle of the counter work again. Therefore, those commands can be used later to unlock the car at will.

The vulnerability has been tested on various Honda vehicles with HackRF SDRs, and this seems to indicate that all Honda vehicles since 2012 are vulnerable.
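To make the sliding-window and resynchronization behaviour concrete, here is an added example (written for this page, not code from @kevin2600 or from any Honda firmware) that models a rolling-code receiver in Python. It is a deliberately simplified model: codes are represented as bare counter values rather than encrypted counter/identity blocks, the window size and the length of the consecutive run needed for resync are assumed constants, and the only difference between the two receivers is whether a resynchronization is allowed to move the counter backwards. The flawed receiver accepts codes from a previous counter cycle after a backward resync; the hardened receiver only ever resyncs forward, so stale codes stay rejected while a genuine out-of-window fob can still resync.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed constants for this model (not values from the Honda system).
WINDOW = 16        # codes ahead of the last accepted counter that are accepted
RESYNC_RUN = 3     # consecutive out-of-window codes needed to resynchronize


@dataclass
class Receiver:
    """Simplified rolling-code receiver; codes are modelled as bare counters."""
    allow_backward_resync: bool          # True models the flawed behaviour
    counter: int = 0                     # last accepted counter value
    pending: List[int] = field(default_factory=list)  # candidate resync run
    log: List[str] = field(default_factory=list)

    def receive(self, code: int) -> bool:
        # Normal case: code lies inside the forward sliding window.
        if self.counter < code <= self.counter + WINDOW:
            self.counter = code
            self.pending.clear()
            self.log.append(f"accept {code}")
            return True

        # Out-of-window code: only a run of consecutive codes may resync.
        if self.pending and code != self.pending[-1] + 1:
            self.pending.clear()
        self.pending.append(code)

        if len(self.pending) >= RESYNC_RUN:
            if code > self.counter or self.allow_backward_resync:
                # Flawed receiver resyncs even when this moves the counter back,
                # which makes codes from the previous cycle valid again.
                self.counter = code
                self.pending.clear()
                self.log.append(f"resync {code}")
                return True
            # Hardened receiver: never roll the counter backwards.
            self.pending.clear()
            self.log.append(f"reject backward resync to {code}")
            return False

        self.log.append(f"reject {code}")
        return False


def old_code_scenario(allow_backward_resync: bool) -> dict:
    """Owner has used codes 1..20; codes 5..8 were captured earlier (constructed data).
    Returns whether a stale code was accepted and whether the owner's next press still works."""
    rx = Receiver(allow_backward_resync=allow_backward_resync)
    for code in range(1, 21):            # legitimate presses move counter to 20
        rx.receive(code)
    stale = [5, 6, 7, 8]                 # constructed: codes from a previous cycle
    results = [rx.receive(code) for code in stale]
    return {
        "old_code_accepted": any(results),
        "counter_after_replay": rx.counter,
        "owner_next_press_accepted": rx.receive(21),
    }


def forward_resync_scenario() -> bool:
    """A genuine fob far ahead of the receiver (e.g. pressed out of range) must
    still be able to resync on the hardened receiver."""
    rx = Receiver(allow_backward_resync=False)
    for code in range(1, 21):
        rx.receive(code)
    results = [rx.receive(code) for code in (100, 101, 102)]
    return results[-1] and rx.counter == 102


if __name__ == "__main__":
    for flawed in (True, False):
        print("flawed" if flawed else "hardened", old_code_scenario(flawed))
    print("hardened forward resync works:", forward_resync_scenario())
```

The check that matters is the comparison against the last accepted counter before any resync is honoured: a window that tolerates missed presses is fine, but a resync path that can move the counter backwards turns every previously recorded command back into a valid one, which is exactly the failure mode described above.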

Although no tools have been released, the vulnerability is simple enough and we've already seen people replicate results.

The story of Rolling-Pwn has already been covered by magazines and news organizations such as TheDrive, Vice, NYPost, and FoxLA.

It should be noted that when the previous replay attack vulnerability was highlighted, Honda released a statement noting that it has no plans to update its older vehicles. It is likely that Honda will not issue updates for this vulnerability either. It is possible that this vulnerability extends beyond just Honda vehicles too.