Category: Security

ESP32 Bus Pirate: Turn your ESP32 into a Multi-Purpose Hacker Tool

Thank you to "Geo" for writing in and sharing with us his open-source project called "ESP32-Bus-Pirate", which he thinks might be of interest to those in the RTL-SDR community. The ESP32 is a popular low-cost microcontroller because it has WiFi and Bluetooth capabilities built in. Although the ESP32 does not have true SDR capabilities, it can leverage its numerous built-in hardware radio components to achieve various interesting feats. Geo writes:

This firmware turns an inexpensive ESP32-S3 board into a multi-protocol debugging and hacking tool, inspired by the original Bus Pirate and the Flipper Zero.

It currently supports a wide range of protocols and devices, including I²C, SPI, UART, 1-Wire, CAN, infrared, smartcards, and more. It also communicates with radio protocols such as Sub-GHz, RFID, RF24, WiFi, and Bluetooth.

Compared to existing solutions, the focus is on:

Accessibility — runs on cheap ESP32-S3 hardware (around $7–$10).

Versatility — one device can probe, sniff, and interact with multiple buses.

Extensibility — open-source and modular, making it easy to add new protocol support.

I believe this could be useful for hardware hackers, security researchers, and hobbyists looking for a low-cost, flexible alternative to commercial tools.

With the firmware installed on a compatible ESP32 device, it is possible to create WiFi, Bluetooth, and RF24 sniffers, scanners, and spoofers, as well as perform general sub-GHz and RFID sniffing, scanning, and replay attacks. It also has a host of non-RF capabilities useful for hacking devices.

Flipper Zero DarkWeb Firmware Bypasses Rolling Code Security

Over on YouTube, Talking Sasquatch has recently tested custom firmware for the Flipper Zero that can entirely break the rolling code security system used on most modern vehicles. Rolling code security works by using a synchronized algorithm between a transmitter and receiver to generate a new, unique code for each transmission, preventing replay attacks and unauthorized access.

In the past we've discussed an attack against rolling code security systems called RollJam, which works by jamming the original keyfob signal so the vehicle cannot receive it, and at the same time recording it for later use. However, this attack is difficult to perform in reality.

For this new attack to work, all that is needed is a single button-press capture from the keyfob, without any jamming. Just from that single capture, it is able to emulate all the keyfob's functions, including lock, unlock, and unlock trunk. A consequence of this is that the original keyfob gets out of sync, and will no longer function.

According to Talking Sasquatch, the attack works by simply reverse engineering the rolling code sequence, either through sequence leaks or prior brute forcing of the sequence from a large list of known codes. However, another article mentions that the firmware is based on the "RollBack" attack, which works by playing back captured rolling codes in a specific order to initiate a 'rollback' of the synchronization system.

Regardless of the method, videos demonstrating the attack show that only a single capture is needed to emulate a keyfob completely.

Affected vehicles include Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi and Subaru. As of yet, there appears to be no easy fix for this, other than mass vehicle recalls.

I Copied My Car's Key Fob With a Flipper Zero

TEMPEST-LoRa: Emitting LoRa Packets from VGA or HDMI Cables

University researchers from China have recently shown in a research paper that it is possible to maliciously cause a VGA or HDMI cable to emit LoRa-compatible packets by simply displaying a full-screen image or video. This has potential security implications, as a malicious program could be used to leak sensitive information over the air, completely bypassing any internet or air-gap security systems.

In the past, we have demonstrated that TEMPEST techniques can be used to spy on monitors and security cameras by analyzing the unintentional signals they emit. This research takes the idea a step further by determining what particular images need to be displayed to create a LoRa packet carrying data.

In the paper, the researchers mention using either off-the-shelf LoRa devices or low-cost SDRs such as the HackRF to receive the packets. The advantage of the SDR method is that it allows for customization of the frequency and the use of LoRa-like packets, which can achieve even longer ranges and higher data rates. The team showed that they were able to achieve a receive range of up to 132 meters and a data rate of up to 180 kbps.

TEMPEST-LoRa Test Setup
Geek Trick! This picture is transmitting LoRa wireless signals!

Saveitforparts: Tracking US Government Spy Planes over your Neighbourhood

In his latest YouTube video, Gabe from the saveitforparts channel details how he's tracking government spy planes over his neighbourhood, using SDRs to monitor ADS-B data and Orbic hotspots to detect Stingray activity (fake cellular base stations).

In the video, Gabe highlights how he detects and follows a suspicious aircraft, concluding that it is most likely a DEA surveillance plane. This conclusion is supported by the fact that the ADS-B data is censored on FlightRadar24, something which normally only happens with law enforcement aircraft, as well as private jets. Upon zooming in on the aircraft with a camera, various antennas and cameras are also visible on the belly. Finally, Gabe found that the plane's registration number is linked to a Texas-based shell company with connections to the DEA.

In the video, Gabe also tests out the RayHunter custom firmware for Orbic mobile WiFi hotspot devices. This custom firmware turns these devices into Stingray detectors. A Stingray is a fake cellular base station that is often used by law enforcement to spy on cell phone activity.

Is That Really A Government Spy Plane Over My Neighborhood?

US Trains are Vulnerable to Derailment via RF Attacks to the End of Train Device

A recently published CVE (Common Vulnerabilities and Exposures) states that a software-defined radio can be used to remotely send a brake command signal to the End-Of-Train wirelessly linked control box.

Security researcher Neil Smith reported the vulnerability. Neil explains more on X, explicitly noting that he has been trying to get this published for 12 years and that no one from the American Association of Railroads (AAR) seems to consider this vulnerability a significant issue.

US trains use wireless RF communications devices, called "End-of-Train" (EoT) and "Head-of-Train" (HoT), to enable data communication between the head and end of the train. The two systems interface with the train's braking and control system, allowing the engineer to view information from both ends of the train and to send commands to the far end of a long train instantaneously. Such signals can easily be received with an RTL-SDR and the softEOT decoder, or the PyEOT decoder.

The vulnerability stems from the fact that a software-defined radio can easily be used to replicate an EoT RF signal that can command braking. The signal could be transmitted over a long distance with an appropriate amplifier and antenna. Unexpected braking could cause derailment, amongst other problems.

As of right now, the vulnerability is still unpatched, but the AAR has noted that it intends to replace the system with one based on the IEEE 802.16t standard. However, in the X thread, Neil notes that this replacement won't be in place until 2027 in the best-case scenario.

If you're interested, another security researcher did a talk about railroad telemetry systems back at DEF CON 26, 6 years ago.

An EoT device (aka FRED) on a US Train. Attribution: https://commons.wikimedia.org/wiki/File:FRED_cropped.jpg

DragonOS: LTE IMSI Sniffing using the LTE Sniffer Tool and an Ettus X310 SDR

DragonOS creator Aaron recently uploaded a video on YouTube showing how to capture IMSI data from an LTE-enabled phone by using the open-source LTE sniffer tool and Ettus X310 software-defined radio.

In the video, Aaron uses a simulated environment involving a Signal SDR Pro to simulate the LTE cell phone, a B205 Mini operating as the eNodeB (base station), and an Ettus X310 SDR for the actual LTE sniffing. The srsRAN software running on DragonOS is used to simulate the LTE network environment.

Aaron goes on to show how the LTE sniffer software passively decodes the physical downlink control channels and captures IMSI numbers from user cell phones.

An IMSI is a unique identifier associated with a cell phone user's SIM card. IMSI sniffing cannot be used to listen to or decode voice, text, or data as they are all encrypted. However, bad actors can use IMSI sniffing to track the movement of devices/people.

DragonOS Noble Sniff + Passively Capture LTE IMSI (x310, b205mini, SignalSDR Pro)

RTL-SDR Jamming Detector Software

Over on GitHub, Alejandro Martín has recently released his open-source 'rtl-sdr-analyzer' software, which is an RTL-SDR-based signal analyzer and automatic jamming detector. The software is written in Python and connects to the RTL-SDR via an rtl_tcp connection.

Alejandro's software is advertised as having the following features:

  • 📊 Real-time Visualization: Advanced spectrum analysis with waterfall display
  • 🔍 Smart Detection: Automatic signal anomaly and jamming detection
  • 📈 Dynamic Analysis: Adaptive baseline calculation and threshold adjustment
  • ⚙️ Flexible Configuration: Fully customizable detection parameters
  • 🌐 Network Support: Built-in RTL-TCP compatibility for remote operation

The software works by continuously monitoring a frequency range and creating a log entry whenever a signal is detected that exceeds a configured power threshold for a configured duration. It can also monitor the 'z-score', which measures how far the current signal mean has deviated from the adaptive baseline in units of the baseline's standard deviation; a large deviation could indicate a jamming or interference event.
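To make the baseline-plus-z-score idea concrete, here is an added illustration of that detection logic run over a constructed power trace. It is not code from rtl-sdr-analyzer; the window length, z threshold, minimum event duration and sample values are all assumptions, and the baseline is frozen while an event is in progress so a long jammer cannot pull the baseline up to its own level.

```python
"""Z-score jamming detector over a constructed per-sweep power trace (added example)."""
from collections import deque
from statistics import mean, pstdev


def detect_jamming(power_db, baseline_len=20, z_threshold=4.0, min_sweeps=3):
    """Return a list of (start_idx, end_idx, peak_z) jamming events.

    power_db: mean band power per spectrum sweep, in dB (assumed input format).
    The rolling baseline only learns from sweeps judged normal, so the
    jammer's own power never becomes the new "normal".
    """
    baseline = deque(maxlen=baseline_len)
    events, run_start, peak_z = [], None, 0.0
    for i, p in enumerate(power_db):
        if len(baseline) < baseline_len:          # warm-up: learn the quiet band
            baseline.append(p)
            continue
        mu = mean(baseline)
        sigma = max(pstdev(baseline), 0.5)        # floor: a dead-quiet baseline must not make every blip huge
        z = (p - mu) / sigma
        if z > z_threshold:
            if run_start is None:
                run_start, peak_z = i, z
            else:
                peak_z = max(peak_z, z)
        else:
            if run_start is not None and i - run_start >= min_sweeps:
                events.append((run_start, i - 1, round(peak_z, 1)))
            run_start = None
            baseline.append(p)                    # only normal sweeps update the baseline
    if run_start is not None and len(power_db) - run_start >= min_sweeps:
        events.append((run_start, len(power_db) - 1, round(peak_z, 1)))
    return events


# Constructed trace: 40 quiet sweeps near -70 dB, an 8-sweep broadband jammer
# near -35 dB, a brief return to quiet, a single-sweep burst that should be
# ignored (too short), then quiet again.
SAMPLE_TRACE = ([-70.0, -70.5, -69.5, -70.2, -69.8] * 8
                + [-35.0, -34.5, -35.2, -34.8, -35.1, -34.9, -35.3, -35.0]
                + [-70.0, -69.9, -70.1]
                + [-40.0]
                + [-70.2, -69.7, -70.0, -70.3, -69.8])

if __name__ == "__main__":
    for start, end, z in detect_jamming(SAMPLE_TRACE):
        print(f"jamming suspected: sweeps {start}-{end}, peak z={z}")
```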

rtl-sdr-analyzer: An RTL-SDR Signal Analyzer & Jamming Detector

Saveitforparts: Listening in on Russian Soldiers Hijacking US Military Satellites

Over on the saveitforparts YouTube channel, Gabe has uploaded a video in which he uses WebSDR streams to show how Russians, including Russian soldiers, are using old US military satellites for long-range communications around Ukraine.

In the '70s and '80s, the US government launched a fleet of satellites called "FLTSATCOM," which were simple radio repeaters in geostationary orbit. This allowed the US military to easily communicate worldwide. However, the technology of the time could not support encryption or secure access, so security relied entirely on the US military's technological superiority: it was the only party with radio equipment that could reach the 243 - 270 MHz frequencies used by these satellites. Of course, as time progressed, equipment that could reach higher frequencies became commonplace.

In the video, Gabe explains how many Russian soldiers involved in the Ukraine war are using these legacy satellites to communicate with each other. He notes that apart from voice comms, some channels are simply Russian propaganda and music, as well as some channels that appear to be jammed. Gabe also notes that the "UHF Follow-On Satellite" (UFO) satellites that were launched as recently as 2003 are also being hijacked, as they also have no encryption or secure access.

In the past, we also posted a previous video by Gabe about attempting to receive these satellites from his home in North America. However, on that side of the world, the satellites are being hijacked by Brazilian pirates instead.

Russia Is Hijacking US Military Satellites