Category: HackRF

Canada Moves to Ban Flipper Zero and Possibly Software Defined Radios

Dominic LeBlanc, Canada's Minister of Public safety has recently declared that they plan to ban devices "used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero". The text specifically calls out the Flipper Zero, however the wording appears to imply that any device that can copy a signal will be banned. This means the ban could extend to RX/TX SDRs like the HackRF and possibly even RX only SDRs like RTL-SDRs.

The Flipper Zero is an affordable handheld RF device for pentesters and hackers. It is not based on SDR technology, however it uses a CC1101 chip, a digitally controlled RX/TX radio that is capable of demodulating and modulating many common digital modulations such as OOK/ASK/FSK/GFSK/MSK at frequencies below 1 GHz. There are many CC1101 devices on the market, but the Flipper Zero has gained huge popularity on social media because of it's excellent software support, as well as its cute marketing tactic. In the past it was even featured on the popular Linus Tech Tips YouTube channel.

Flipper Zero has had a long line of setbacks including PayPal freezing 1.3M of its cash, and US customs temporarily seizing its shipments, then passing a $70,000 bill on to them for storage fees and Amazon banning the product on their marketplace.

In our opinion, we believe that the ban appears to be misguided. The Flipper Zero is a basic device that can only perform a simple replay attack, which is to record a signal, and replay it at a later time. These sorts of attacks do not work on vehicles built after the 90's which now use rolling codes or more sophisticated security measures. To defeat rolling code security, a more sophisticated attack called Rolljam can be used. A Rolljam device can be built for $30 out of an Arduino and two cheap transceiver modules.

However, according to arstechnica the biggest cause for concern in terms of car theft is a different sort of attack called "signal amplification relay".

The most prevalent form of electronics-assisted car theft these days, for instance, uses what are known as signal amplification relay devices against keyless ignition and entry systems. This form of hack works by holding one device near a key fob and a second device near the vehicle the fob works with. In the most typical scenario, the fob is located on a shelf near a locked front door, and the car is several dozen feet away in a driveway. By placing one device near the front door and another one next to the car, the hack beams the radio signals necessary to unlock and start the device.

This sort of attack is a lot less sophisticated in many ways as all you are doing is amplifying a signal, and no clever hardware like the Flipper Zero or a software defined radio is even required. The X video below demonstrates such a hack where a criminal holds up a loop antenna to a house. The loop antenna is connected to a signal amplifier which amplifies the keyfob signal, tricking the car into thinking the keyfob is nearby, and allowing the door to be unlocked by touching the handle, and then turned on with the push to start button.

Flipper zero note that they have not been consulted about the ban, and replied on X stating that they are not aware of the Flipper Zero being used for car theft.

Tech Minds: A Beginners Guide to the HackRF and Portapack with Mayhem Firmware

In one of his latest videos Matt from the Tech Minds YouTube channel has created a beginners guide to the HackRF and Portapack with the Mayhem Firmware. The HackRF is a popular affordable software defined radio with wide frequency range and transmit capabilities. An addon called the Portapack allows the HackRF to go portable, and custom firmware called 'Mayhem' significantly expands it's capabilities.

Matt uses a Chinese HackRF and Portapack clone set from Banggood which can be found very cheaply for around $200 shipped. The original Portpack can be found from the Sharebrained store for $200, and then original HackRF can be found form various resellers listed on the greatscottgadgets website.

In the video Matt unboxes the Portapack, shows an overview of the hardware and then goes on to show how to update the stock firmware to the Mayhem firmware. He then demonstrates a few of the capabilities of the Mayhem firmware.

Beginner's Guide To The HackRF & Portapak With Mayhem

Tech Minds: Making your own SDR Software With GNU Radio Companion

In his latest video out on YouTube, Matt from the Tech Minds channel gives us an overview of GNU Radio, and shows a few examples of how it can be used to receive, transmit and decode digital data.

GNU Radio is a popular open source DSP framework for software defined radios. With it you can graphically implement any sort of digital signal processing chain that you like, which can be used for decoding/encoding and demodulating/modulating signals.

GNU Radio can be extremely complex and powerful, but in the video Matt shows some simple starter example flowgraphs like an LSB demodulator, and a simple wav file source transmitter for the HackRF. 

How To Make Your Own SDR Software With GNU Radio Companion

Downloading Stored Images and Data from the NOAA Weather Satellite GAC Broadcast

With polar orbiting weather satellite reception we as amateur ground station operators with SDR receivers typically download images via "Direct Broadcast", which provides imagery of what the satellite is currently seeing live. However, the main way satellites such as the NOAA POES (NOAA 15, 18 & 19) satellites downlink is via "Global Area Coverage" (GAC) broadcast which provides the full stored imagery data of the entire global pass. However, GAC is only broadcast in locations where the satellite operator operates ground stations.

Over on YouTube dereksgc has uploaded a video showing how to receive GAC data from the NOAA POES satellites. He notes that GAC is now broadcast at 2247.5 MHz in the S-band, and the ground station it now downlinks to is likely in Svalbard, rather than in the USA. This means that amateur satellite stations close to the North Pole can receive the GAC signal, including dereksgc's station which (we believe) is in the Czech Republic.

Dereksgc uses a large 250cm offset dish with S-band feed connecting to a HackRF. In the video he demonstrates him receiving the signal, and then decoding it using SatDump. Finally he shows all the images from various locations around the earth that he was able to receive from one satellite pass.

Lab401: HackRF on Windows YouTube Tutorials

Over on the Lab401 YouTube channel, 'RocketGod' has uploaded three videos that are various tutorials for the HackRF on Windows. The first video covers the basics like installing software and shows how to decode pager signals with PDW.

The second video shows how to decode police transmissions, car key fobs, use rtl_433, and how to use Universal Radio Hacker to capture and analyze signals. 

The third video is not yet released, but is due to premier on YouTube in 10 hours from the time of this post. In that video RocketGod will show how to install and use DragonOS, and how to install and use SDR Trunk which turns the HackRF into a police scanner. Finally, he will demonstrate SDR Angel and show it decoding ADS-B signals from aircraft to show you live flight tracking data.

Part 1 is embedded below, and Part 2 and Part 3 are linked here.

ROCKETGOD's HackRF One guide - part 1/3 Basics, Windows apps, setting up - LAB401

Receiving Images from the US DoD Coriolis Satellite

Over on dereksgc's YouTube channel another recent video from his satellite decoding series shows how to download images from the Coriolis satellite, a US Department of Defense satellite launched in 2003, that is among other uses designed to measure wind speed and direction from space using a radiometer.

The entire history of an orbit is only downlinked in the S-band when over an official ground station, however it also has a 'tactical' downlink for live data that the US Navy uses. As the data is unencrypted, with a satellite dish, 2.2 GHz feed, LNA and a software defined radio like the HackRF, anyone can receive the data.

In his video dereksgc explains the satellite, shows his hardware, and demonstrates reception. He then passes the recording into SatDump which results in the images. The images themselves are nothing interesting to look at, as they are produced by a sensor designed to measure wind. But dereksgc shows how multiple images can be composited into something a little more interesting.

Receiving Unintentional Voice Transmissions from GPS Satellites

Over on dereksgc's YouTube channel we've discovered a few more recent interesting videos from his satellite decoding series that people may be interested in. One from two weeks ago shows how it's possible to receive voice transmissions on navigation satellites such as GPS.

Many navigational and meteorological satellites carry a search and rescue (SAR) repeater which is intended to receive UHF emergency locator beacons and rebroadcast them in the L-band or higher. However the repeaters appear to be picking up all sorts of other signals from the ground, including voice transmissions. Dereksgc notes that the theory is that there are some land based communications systems in some countries that are sharing frequencies that emergency locator beacons use, or that malicious pirates may be actively using these SAR repeaters for their own communications.

Dereksgc shows examples of retransmitted signals on the Beidou, GLONASS and Elektro-L satellite downlinks at 1.5442 GHz and at 2.226 MHz for the GPS satellites. He also shows what sort of satellite dish and feed setup you need. In the video he uses a HackRF as the SDR, but you could also use an RTL-SDR for the satellites that transmit at 1.5442 GHz.

Receiving voice transmissions from GPS satellites || Satellite reception pt.10

OpenWebRX+ Updates: HFDL, ISM Band, FLEX, SELCALL decoders added

Back in March of this year we posted about an OpenWebRX fork called OpenWebRX+, which adds multiple built-in and ready to use decoders such as SSTV, AIS, CW and RTTY. OpenWebRX+ is a fork of the OpenWebRX project which is now officially maintained by DD5JFK.

Since our last post OpenWebRX+ has progressed in development further, and now includes a HFDL decoder via dumphfdl, various ISM band equipment decoders via rtl_433,  FLEX pager decoding via multimon-ng, and a SELCALL decoder has also been added. Many other improvements and changes to the software have also been added, and the full changelog can be viewed here.

OpenWebRX+ is software for Linux. If you want to install OpenWebRX+, an easy path is to use the ready to use Raspberry Pi 4 image available on the releases page, or to use their PPA.

SSTV Image received by the luarvique fork of OpenWebRX. Credit: Neil Howard
SSTV Image received by the luarvique fork of OpenWebRX. Credit: Neil Howard