Category: HackRF

Hacking the Z-Wave Protocol with a HackRF

Z-Wave is a wireless protocol often used in applications like smart home and industrial automation. It allows various wireless nodes within a house to connect and talk to one another using 900 MHz radio. Common examples of Z-Wave node products are wirelessly controlled lights, door locks, thermostats and security devices such as motion detectors.

Recently at Shmoocon 2016 (a yearly hacking and security themed conference), presenters Joseph Hall and Ben Ramsey showed how they were able to use a HackRF software defined radio and some GNU Radio based software not only to sniff Z-Wave packets, but also to control Z-Wave devices. What is also interesting is that they found encryption on Z-Wave devices was rarely enabled; the exception was five out of nine door locks they tested, where it was enabled by default.

See the full story at Hackaday and have a look at their code on GitHub.

Presenters Joseph and Ben holding a HackRF and a Z-Wave controlled light.

Talk by Michael Ossmann at Toorcon 2015: Rapid Radio Reversing

Toorcon is a yearly conference that focuses on information security related topics. At the 2015 Toorcon conference Michael Ossmann (inventor of the HackRF SDR) gave an interesting talk about reverse engineering wireless systems using software defined radio.

Back in November Michael gave a quick tutorial on reverse engineering in an edition of the YouTube web series Hak5. Now his full conference talk has been released on his website. In the talk he uses a HackRF and a Yardstick One to show how to reverse engineer a wireless cabinet lock.

The video can be viewed below or on Michael's site, greatscottgadgets.

Hak5: Reverse Engineering Radio Protocols with SDR and the Yardstick One

Over on YouTube the popular security and hacking themed channel Hak5 has created two videos together with Mike Ossmann (creator of the HackRF and Yardstick One) that give a good introduction to and overview of reverse engineering unknown radio protocols. In the videos they show how to use an SDR like the RTL-SDR or HackRF to initially capture the radio signal, and then how to use the Yardstick One to reverse engineer and recreate the signal. Using this process they reverse engineer the radio protocol of a wireless liquor cabinet lock.

The Yardstick One is a computer controlled wireless transceiver (not an SDR). It understands many radio protocols by default and can be programmed in Python, which lowers the learning barrier for reverse engineering signals.

Mike Ossmann has also been gradually releasing very detailed video tutorials on DSP and radio related topics. If you are interested in reverse engineering radio signals, it is a very helpful series to watch.

Radio Hacking: Reverse Engineering Protocols Part 1 - Hak5 1913

Radio Hacking: Reverse Engineering Protocols Part 2 - Hak5 1914

Another L-Band Antenna Build and comparing L-Band reception on the RTL-SDR, HackRF and SDRplay

Over on Reddit, user killmore231 has posted a comparison of L-band reception using the RTL-SDR, HackRF and SDRplay software defined radios. killmore231 built the L-band patch antenna that Adam 9A4QV showed how to build on his YouTube channel late last month.

When testing the antenna on his RTL-SDR he saw no reception of any L-band signals at all. The RTL-SDR requires an external LNA to properly receive signals in this frequency range, which he did not have. Next he tried it on his HackRF and saw that some signals were weakly visible. When he tried it on his SDRplay the L-band satellite signals were clearly visible, probably due to the SDRplay's good sensitivity in this frequency range and its built-in LNA. His results show that the SDRplay is a good SDR for receiving L-band satellites, as it does not need an external LNA for decent reception. An external LNA may still be needed if a long run of coax cable is used, however.

SDRplay reception of L-band satellite signals with no external LNA.
L-band patch antenna

Reverse engineering a public parking electronic display to play Tetris

Recently we received an email from RTL-SDR.com reader @Ivoidwarranties about his latest project, which involved using a HackRF to reverse engineer the RF protocol used by a public parking electronic display. Once the protocol was reverse engineered, @Ivoidwarranties used an XR-2206 monolithic function generator, a hybrid RF amplifier and an Arduino to create a device that overrides the public parking display and plays a game of Tetris on it.

We don't have any details on the HackRF reverse engineering side of things, but he has uploaded a video to YouTube showing the hack in action.

Real hacking of public parking electronic display

Spoofing GPS Locations with low cost TX SDRs

At this year's Defcon 2015 conference, researcher Lin Huang from Qihoo 360 presented her work on spoofing GPS signals. Qihoo 360 is a Chinese security company that produces antivirus software. Lin works at Qihoo as a security researcher, where her main job is to keep their antivirus software and users from becoming vulnerable to wireless attacks. Her research brought her to the realm of GPS spoofing, where she discovered how easy it was to use relatively low cost SDRs like a USRP B210, BladeRF or HackRF to emulate GPS signals, which could allow a wireless attacker to manipulate the GPS on smartphones and cars.

Previous attempts at GPS spoofing have all used more expensive custom hardware. One attempt in 2013 allowed university researchers to send a 213-foot yacht off course, and it is suspected that hackers working for the Iranian government used GPS spoofing to divert and land an American stealth drone back in 2011.

In Lin's presentation she shows how she was able to trick a smartphone into thinking it was in a different location. In addition she writes that this method could be used to trick the phone into changing its time, as many smartphones periodically refresh their clock accuracy using GPS satellites. She also shows how she was able to bypass a DJI drone's forbidden-area no-fly-zone policy. DJI drones come with a feature where the motors will not power up if the on-board GPS detects that the drone is in a no-fly zone. By spoofing the GPS she was able to get the drone to power up inside a no-fly zone in Beijing.

Lin Huang's presentation can be downloaded from the Defcon media server (PDF). An article on Lin and her research into GPS spoofing has also been run on Forbes.com.

Spoofed GPS logs on a smartphone

Michael Ossmann's First Look at the Rad1o Badge

Last month we posted about the Rad1o badge, a HackRF inspired software defined radio that is being given out for free to participants of the Chaos Computer Club (CCC) camp conference in Germany. The Rad1o has an operating frequency range of 50 MHz – 4000 MHz, an ARM Cortex M4 CPU, a color LCD screen, a 2.5 GHz ISM band PCB antenna, an audio connector for headphone and microphone connections and an on-board battery for portable use. It is also fully compatible with HackRF software. It is not for sale at the moment and is only available to conference participants.

Michael Ossmann, creator of the original HackRF, was able to get a Rad1o from a CCC member who helped with the design. He has posted his first impressions of the radio on his blog. Michael writes that the Rad1o is a variation on the HackRF, somewhat like a HackRF plus PortaPack on a single PCB. He also mentions that he noticed some peculiar component choices on the Rad1o, which is because the designers had to use several components obtained for free from sponsors in order to afford to give the badges away to conference attendees.

The Rad1o Prototype

Using a HackRF to convert ADS-B packets into Bluetooth packets for reception on your Smartphone/Tablet

HackRF experimenter Jiao Xianjun has recently posted about his new firmware, which allows a single HackRF to receive an ADS-B data packet at 1090 MHz and then retransmit it as a Bluetooth Low Energy (BTLE) packet at 2.4 GHz. A smartphone or tablet can then be used to view the ADS-B data. It appears that the system works by broadcasting the received flight data as the names of several fake Bluetooth peripherals, so there is currently no way to view the data on a map.

The firmware needs to be flashed into the HackRF RAM or ROM, and he provides instructions for this in his post. The video below shows the HackRF and software in action on an iPad.

ADS-B to BTLE HackRF Relay
Air relay ADS-B to BTLE via single HackRF in realtime