Over on YouTube, user Mike has uploaded a video showing a quadcopter being controlled by the HackRF, a low-cost, transmit-capable software defined radio. Mike uses a Hubsan X4 quadcopter and controls it with a USB joystick coupled with GNU Radio. According to a tweet by Michael Ossmann (the inventor of the HackRF), there were initially USB latency issues that caused problems, but these have since been fixed by Mike.
Earlier in the year the HackRF One was released by Michael Ossmann. It is a transmit- and receive-capable software defined radio with a 10 MHz to 6 GHz range which currently sells for around $300 USD. Since the HackRF is open source hardware, anyone can make changes to the design and build and sell their own version.
The HackRF Blue is a HackRF clone that aims to sell at a lower cost. By sourcing lower cost parts that still work well in the HackRF circuit, the team behind the HackRF Blue were able to reduce the price of the HackRF down to $200 USD. They claim that the HackRF Blue has the same performance as the HackRF One and is fully compatible with the HackRF software. They are currently seeking funding through an IndieGoGo campaign.
Their main goal through the funding is to help provide underprivileged hackerspaces with a free HackRF.
First, he took his HackRF software defined radio and monitored the 433 MHz and 868 MHz ISM bands whilst pushing keys on his alarm's remote control. In the 868 MHz band he found a corresponding signal that had two spikes in the RF spectrum, indicating that it was likely a 2-FSK (frequency shift keyed) signal.
Next he created a GNU Radio program to demodulate the 2-FSK signal into a binary sequence. He then used Audacity to view and analyze the binary sequence, decoding it into 0’s and 1’s and determining the sync word (or access code). With further analysis he also determined the symbol rate and samples per symbol. With all this information gathered, he was then able to expand his GNU Radio program to automatically detect and decode packets sent by the various wireless devices connected to the alarm system.
His post goes into good detail about the steps that he took and is a great aid in understanding how to reverse engineer wireless protocols.
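The demodulate, slice and find-the-sync-word pipeline described above, as an added Python example that is not part of the original post or its author's GNU Radio flow graph. It synthesises a noise-free 2-FSK burst, recovers the raw oversampled bit stream with a quadrature discriminator, picks the symbol timing offset whose symbol windows are most self-consistent (a capture rarely starts on a symbol boundary), and then extracts the fixed-length payload that follows the sync word. The samples-per-symbol value, deviation, preamble, sync word and payload layout are all constructed for the example; the post does not give the alarm's real values.

```python
import cmath
import math

# Constructed parameters standing in for the values the post's author measured
# in Audacity; the real alarm's symbol rate, deviation and sync word are not given.
SAMPLES_PER_SYMBOL = 8
DEVIATION = 0.1                       # tone offset in cycles per sample (+ for '1', - for '0')
SYNC_WORD_BITS = "1101001110010001"   # assumed 16-bit access code (0xD391)
PREAMBLE_BITS = "10" * 16             # assumed alternating clock-recovery preamble


def fsk_modulate(bits, sps=SAMPLES_PER_SYMBOL, dev=DEVIATION):
    """Synthesize complex baseband 2-FSK with continuous phase: each bit is
    `sps` samples of a tone at +dev ('1') or -dev ('0')."""
    phase, samples = 0.0, []
    for bit in bits:
        step = 2 * math.pi * (dev if bit == "1" else -dev)
        for _ in range(sps):
            phase += step
            samples.append(cmath.exp(1j * phase))
    return samples


def fsk_demodulate(samples):
    """Quadrature discriminator: the phase advance between consecutive samples
    is the instantaneous frequency, and its sign is the raw (oversampled) bit."""
    raw = [0] * len(samples)
    for n in range(1, len(samples)):
        raw[n] = 1 if cmath.phase(samples[n] * samples[n - 1].conjugate()) > 0 else 0
    raw[0] = raw[1]                   # the first sample has no predecessor
    return raw


def slice_symbols(raw, sps=SAMPLES_PER_SYMBOL):
    """Collapse the oversampled raw stream to one bit per symbol. Every timing
    offset is tried and the one whose symbol windows are most unanimous wins."""
    best_avg, best_bits = -1.0, []
    for offset in range(sps):
        bits, agreement = [], 0
        for start in range(offset, len(raw) - sps + 1, sps):
            ones = sum(raw[start:start + sps])
            bits.append(1 if 2 * ones >= sps else 0)
            agreement += abs(2 * ones - sps)      # equals sps when the window is unanimous
        avg = agreement / max(len(bits), 1)
        if avg > best_avg:
            best_avg, best_bits = avg, bits
    return best_bits


def find_packets(bits, sync=SYNC_WORD_BITS, payload_len=4):
    """Scan the bit stream for the sync word and return the fixed-length
    payload that follows each occurrence, the job an access-code correlator
    feeding a packet sink does in a GNU Radio flow graph."""
    stream = "".join(str(b) for b in bits)
    packets, i = [], stream.find(sync)
    while i != -1:
        start, end = i + len(sync), i + len(sync) + payload_len * 8
        if end > len(stream):
            break
        packets.append(bytes(int(stream[j:j + 8], 2) for j in range(start, end, 8)))
        i = stream.find(sync, end)
    return packets


def demo(payload=bytes([0x01, 0x42, 0x00, 0x9C])):
    """End to end: build a burst (idle tone, preamble, sync word, constructed
    payload), 'capture' it starting mid-symbol, and decode the payload back out."""
    frame = PREAMBLE_BITS + SYNC_WORD_BITS + "".join(format(b, "08b") for b in payload)
    samples = fsk_modulate("0" * 20 + frame + "0" * 20)
    samples = samples[3:]             # capture started 3 samples into a symbol
    return find_packets(slice_symbols(fsk_demodulate(samples)))


if __name__ == "__main__":
    for pkt in demo():
        print("packet payload:", pkt.hex())
```

The timing search in `slice_symbols` is the step that is easy to skip when reading a waveform by eye in Audacity but matters in an automated decoder: with the wrong offset, windows straddle two symbols and the alternating preamble decodes as garbage.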
The app is fully open source and the code and APK can be downloaded for free from its Git repository. Alternatively, the app can be downloaded from the Google Play store at a small cost of $0.99 USD.
To use the app you’ll need a USB OTG cable to connect your HackRF or RTL-SDR to your Android phone. More information on the app can be found on the author's blog.
An alternative Android app to RFAnalyzer is SDR Touch.
RF Analyzer Android App for the HackRF and RTL-SDR
Earlier this month we posted about a new port of the HackRF software defined radio Linux library for Android. Now the author of the Android port has created a new app called RF Analyzer. The app is basically a real time spectrum viewer that includes a waterfall display. The app can be downloaded from Github at https://github.com/demantz/RFAnalyzer.
The app currently supports the following features.
Browse the spectrum by scrolling horizontally
Zoom in and out, both horizontally and vertically
Adjust the sample rate and center frequency to match the current view of the screen by double tapping
Auto scale the vertical axis
Jump directly to a frequency
Adjust the gain settings of the HackRF
Select a pre-recorded file as source instead of a real HackRF
Change the FFT size
Set the frame rate either to a fixed value or to automatic control
Activate logging and show the log file
In the future the author intends to support the RTL-SDR and implement demodulation for basic modes such as AM, FM and SSB.
To use the app you’ll need a USB OTG (on-the-go) cable to connect your Android device to the HackRF.
RF Analyzer demonstration - Showing an FFT plot by using an Android device and the HackRF
Michael Ossmann’s HackRF Linux library has recently been ported to Android by programmer Dennis Mantz. Dennis has also made a blog post showing how to use the library. In addition he’s uploaded a YouTube video showing off the library using an example app. The app is capable of recording an RF signal and replaying it via the HackRF’s TX capabilities. In the video Dennis shows the example app recording a broadcast FM station and then retransmitting the recording to his car radio.
On this episode of Hak5, a popular technology YouTube channel, Shannon does a tutorial on how to get started with the HackRF. The HackRF is a recently released software defined radio similar to the RTL-SDR dongle, but with transmit capabilities.
In the video she shows how to set up the HackRF on Pentoo Linux and GNU Radio. She then shows how to use a GNU Radio program that can receive multiple broadcast FM signals simultaneously. The GNU Radio program is one that is based on Michael Ossmann's GNU Radio video tutorials.
Some car security systems from around 2001 – 2003 use an embedded RFID tag inside the car key as an added security measure against key copying. Using his HackRF, ChiefTinker was able to analyse and decode the data from an active RFID token used in a car key. He notes that the same analysis could also be performed with an RTL-SDR dongle.
Upon powering the RFID tag with a power supply, ChiefTinker noticed that the tag emitted a short transmission every 5 seconds in the ISM band at 433.920 MHz. On closer inspection he determined that the transmitted data was encoded with a simple AM on-off keying (OOK) scheme. After importing the audio into Audacity and cleaning up the signal a little, he was able to clearly see the OOK square wave showing the transmitted binary data.
Next he analysed the data and compared the binary output against two different RFID keys. From the comparison he was able to determine that the tag simply beacons a unique serial number, which is susceptible to capture and replay attacks. After further processing he was able to convert the transmitted binary serial number into hexadecimal, then ASCII to find the unique serial number being broadcast in decimal.
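The OOK decode and key comparison described above, as an added Python example that is not part of the original post or ChiefTinker's own work. It synthesises the demodulated AM envelope of a beacon, thresholds it into a square wave, measures the symbol period from the shortest pulse as one would by eye in Audacity, anchors the byte boundaries on an assumed preamble, and converts the bits through hex and ASCII to the decimal serial. The symbol period, preamble, eight-digit ASCII layout and the serial numbers are all constructed for the example; the post gives only the frequency and modulation. It goes one step beyond the post by adding the check a defender would want to make explicit: whether repeated bursts from one tag are bit-identical, which is the property that makes a captured beacon replayable.

```python
# Constructed parameters: the post names 433.920 MHz and OOK but not the tag's
# symbol rate, preamble or frame layout, so everything below is an assumption
# for the example rather than the real key fob's format.
SYMBOL_PERIOD = 20        # envelope samples per bit at the transmitter (unknown to the decoder)
PREAMBLE = "10101010"     # assumed start-of-burst pattern, which also fixes the bit boundaries
PAYLOAD_BYTES = 8         # assumed: serial number sent as eight ASCII decimal digits


def ook_envelope(frame_bits, sps=SYMBOL_PERIOD, idle=200):
    """Synthesize the AM envelope of one beacon: carrier on for a '1' symbol,
    off for a '0', with idle time either side. A small deterministic ripple
    stands in for receiver noise so the threshold step is not a no-op."""
    env = [0.02] * idle
    for i, bit in enumerate(frame_bits):
        level = 0.9 if bit == "1" else 0.02
        env += [level + 0.01 * ((i + k) % 3) for k in range(sps)]
    return env + [0.02] * idle


def threshold(env):
    """Square up the envelope: anything above the midpoint of its range is 'on'."""
    mid = (min(env) + max(env)) / 2
    return [1 if v > mid else 0 for v in env]


def run_lengths(square):
    """Collapse the square wave into [level, length] runs."""
    runs = []
    for v in square:
        if runs and runs[-1][0] == v:
            runs[-1][1] += 1
        else:
            runs.append([v, 1])
    return runs


def decode_burst(env, preamble=PREAMBLE, payload_bytes=PAYLOAD_BYTES):
    """Recover the payload bits: the shortest 'on' run is one symbol period,
    every run is that many symbols of its level, and the preamble anchors the
    byte boundaries. Trailing '0' bits merge into the idle gap, so the payload
    is cut to its known length rather than to the end of the burst."""
    runs = run_lengths(threshold(env))
    period = min(n for level, n in runs if level == 1)
    bits = "".join(str(level) * round(n / period) for level, n in runs)
    start = bits.find(preamble)
    if start == -1:
        raise ValueError("preamble not found in burst")
    start += len(preamble)
    return bits[start:start + payload_bytes * 8]


def payload_to_serial(payload_bits):
    """Binary -> hex -> ASCII -> decimal, the chain the post describes."""
    data = bytes(int(payload_bits[i:i + 8], 2) for i in range(0, len(payload_bits), 8))
    text = data.decode("ascii")
    return data.hex(), text, int(text)


def differing_bit_positions(bits_a, bits_b):
    """Bit positions that change between two tags: everything outside them is
    fixed framing, everything inside is the per-tag identifier."""
    return [i for i, (a, b) in enumerate(zip(bits_a, bits_b)) if a != b]


def is_static_beacon(bursts):
    """True when every captured burst from one tag decodes identically. A tag
    that never varies its transmission is broadcasting a fixed credential,
    which is exactly what makes capture-and-replay possible."""
    return len({decode_burst(b) for b in bursts}) == 1


def frame_for(serial):
    """Constructed frame layout: preamble followed by the serial as ASCII digits."""
    return PREAMBLE + "".join(format(c, "08b") for c in serial.encode("ascii"))


def demo():
    key_a, key_b = "31415926", "31415927"                          # constructed serials
    bursts_a = [ook_envelope(frame_for(key_a)) for _ in range(3)]  # three 5 s beacons, one key
    bits_a = decode_burst(bursts_a[0])
    bits_b = decode_burst(ook_envelope(frame_for(key_b)))
    return {
        "serial_a": payload_to_serial(bits_a),
        "serial_b": payload_to_serial(bits_b),
        "bits_that_differ": differing_bit_positions(bits_a, bits_b),
        "static": is_static_beacon(bursts_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Cutting the payload to a known length in `decode_burst` matters because an OOK frame that ends in '0' bits is indistinguishable from the idle gap that follows it; a decoder that just reads to the end of the burst silently drops those bits. The `is_static_beacon` result is the finding to report from such an analysis: an immobiliser tag whose every beacon is identical offers no more protection than the serial number itself.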