SDR Academy Talks: RPiTX TX for the Masses, Transmitter Localization with TDOA, HackRF as a Signal Generator and more

Over on YouTube the Software Defined Radio Academy channel has uploaded some new and interesting SDR-related conference talks, some of which may be of interest to readers. Some of our favorites are posted below. Other new talks from the channel include:

  • Derek Kozel, AG6PO, Ettus: Hardware Accelerated SDR: Using FPGAs for DSP
  • Mario Lorenz, DL5MLO: Across the Solar System – using SDRs for real long-distance communication
  • Andras Retzler, HA7ILM: Demodulators from scratch: BPSK31 and RTTY
  • Gerald Youngblood, K5SDR (President of FlexRadio): Direct Sampling and Benefits of the Architecture
  • Dr. Selmeczi Janos, HA5FT: A new lightweight data flow system
  • Chris Dindas, DG8DP: Standalone SDR-TRX, Highend – Lowcost – Homebrew
  • Erwin Rauh, DL1FY: Charly25 – SDR Transceiver Project – Community Development
  • Črt Valentinčič, S56GYC, Red Pitaya: HamLab

Evariste Courjaud, F5OEO: Rpitx : Raspberry Pi SDR transmitter for the masses

Low-cost RTL-SDRs democratize access to SDR reception, but is there an equivalent low-cost solution for transmission? Rpitx is software running on a Raspberry Pi which uses only a GPIO pin to transmit HF. This presentation describes how to use it as an SDR sink but also describes details of how it is implemented using the PLL available on the Raspberry Pi board. Warnings and limits of this simple SDR are also provided before going “on air”. The last paragraph shows the potential evolutions of this system: a low-cost DAC and third-party software integration.

Stefan Scholl, DC9ST: Introduction and Experiments on Transmitter Localization with TDOA

Time-Difference-of-Arrival (TDOA) is a well-known technique to localize transmitters using several distributed receivers. A TDOA system measures the arrival time of the received signal at the different receivers and calculates the transmitter’s position from the delays. The talk first introduces the basics of TDOA localization. It shows how to measure signal delay with correlation and how to determine the position using multilateration. It also covers further aspects and challenges, like the impact of signal bandwidth and errors in delay measurement, receiver placement and synchronization as well as the requirements on the network infrastructure. Furthermore, an experimental TDOA system consisting of three receivers is presented that has been set up to localize signals in the city of Kaiserslautern, Germany. The three receivers are simple low-cost devices, each built from a Raspberry Pi and an RTL/DVB-USB stick. They are connected via the internet to a master PC, which performs the complete signal processing. The results demonstrate that even with a simple system and non-ideal receiver placement, localization works remarkably well.
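The two processing steps the abstract names, delay measurement by correlation and position by multilateration, written out end to end. This is an added example and not code from the talk or from DC9ST's system; the receiver geometry, sample rate, transmitter position and the random chip sequence used as the transmitted signal are all constructed for illustration. Delays are simulated in whole samples, so the position estimate carries the quantization error the talk warns about (at 20 MS/s one sample is about 15 m of path difference).

```python
import math
import random

C = 299792458.0          # speed of light, m/s
FS = 20e6                # sample rate of the simulated receivers, samples/s
# Constructed geometry (metres): three receivers and the transmitter to be located.
RECEIVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0)]
TX_TRUE = (1200.0, 1800.0)


def simulate_captures(tx, receivers, n_chips=1024, record_len=1500, noise=0.3, seed=1):
    """Return one noisy capture per receiver. The transmitted signal is a
    random +/-1 chip sequence; each receiver sees it delayed by its
    propagation time, rounded to whole samples (constructed test data)."""
    rng = random.Random(seed)
    chips = [rng.choice((-1.0, 1.0)) for _ in range(n_chips)]
    captures = []
    for rx in receivers:
        delay = round(math.dist(tx, rx) / C * FS)
        rec = [rng.gauss(0.0, noise) for _ in range(record_len)]
        for i, chip in enumerate(chips):
            rec[delay + i] += chip
        captures.append(rec)
    return captures


def estimate_lag(ref, other, max_lag=300):
    """Cross-correlate `other` against `ref` and return the lag (in samples)
    with the largest correlation, i.e. how much later the signal arrived at
    `other` than at `ref`."""
    n = len(ref)
    best_lag, best_val = 0, -math.inf
    for lag in range(-max_lag, max_lag + 1):
        acc = 0.0
        for i in range(max(0, -lag), min(n, n - lag)):
            acc += other[i + lag] * ref[i]
        if acc > best_val:
            best_val, best_lag = acc, lag
    return best_lag


def multilaterate(receivers, range_diffs, guess, iters=30):
    """Gauss-Newton solve for the position whose range differences to
    receiver 0 best match `range_diffs` (one entry per receiver i >= 1)."""
    x, y = guess
    x0, y0 = receivers[0]
    for _ in range(iters):
        d0 = math.hypot(x - x0, y - y0)
        rows, res = [], []
        for (xi, yi), r in zip(receivers[1:], range_diffs):
            di = math.hypot(x - xi, y - yi)
            res.append(di - d0 - r)                       # hyperbolic residual
            rows.append(((x - xi) / di - (x - x0) / d0,    # Jacobian row
                         (y - yi) / di - (y - y0) / d0))
        # normal equations J^T J * step = -J^T res, solved as a 2x2 system
        a = sum(j[0] * j[0] for j in rows)
        b = sum(j[0] * j[1] for j in rows)
        d = sum(j[1] * j[1] for j in rows)
        g0 = -sum(j[0] * r for j, r in zip(rows, res))
        g1 = -sum(j[1] * r for j, r in zip(rows, res))
        det = a * d - b * b
        if abs(det) < 1e-12:
            break                                          # degenerate geometry
        dx = (d * g0 - b * g1) / det
        dy = (a * g1 - b * g0) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-3:
            break
    return x, y


def locate(tx=TX_TRUE, receivers=RECEIVERS):
    """Full pipeline: simulated captures -> delay estimation -> multilateration.
    Returns the measured lags (samples) and the position estimate (metres)."""
    caps = simulate_captures(tx, receivers)
    lags = [estimate_lag(caps[0], cap) for cap in caps[1:]]
    range_diffs = [lag * C / FS for lag in lags]
    centroid = (sum(r[0] for r in receivers) / len(receivers),
                sum(r[1] for r in receivers) / len(receivers))
    return lags, multilaterate(receivers, range_diffs, centroid)


if __name__ == "__main__":
    lags, est = locate()
    print("lags (samples):", lags, "estimate (m):", est, "true (m):", TX_TRUE)
```

With three receivers the system is exactly determined (two range differences, two unknowns); the normal-equation form is used so that adding a fourth receiver only lengthens the `rows` list and turns the solve into a least-squares fit, which is how a real deployment absorbs delay-measurement error.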

Frank Riedel, DJ3FR: The HackRF One as a Signal Generator

The usability and performance of the HackRF One SDR experimental platform as a signal generator up to 6 GHz is examined by means of an HPIB-driven measurement system. The effective circuit of the HackRF One used in the CW TX mode is described and its components are linked to the parameters of the command line tool ‘hackrf_transfer’. The frequency accuracy of the HackRF One is measured against a frequency standard; output signal levels and spurious emissions are determined using a spectrum analyzer.

Video Tutorials: Setting up an RTL-SDR and HackRF with SDR-Console V3, Using the HackRF to find your Cellphone Signal and more

Over on his YouTube channel user Corrosive has uploaded a set of videos that show how to install and get started with an RTL-SDR or HackRF with SDR-Console V3. The video series starts from the very beginning with installing the drivers via Zadig, and then goes on to show how to download, install and use SDR-Console V3.

In one of his later videos Corrosive also shows how to optimally configure the settings in SDR-Console V3 and SDR# for optimal reception and viewing.

In a newer video he also shows how he uses the HackRF as a spectrum analyzer to find his cellphone signal. Regarding this video, Corrosive wrote in to us and said the following:

For a while now I’ve been trying to find the frequency of my cell phone, looking frequencies up online and trying to find an app that would tell me my current frequency. None of these things seem to work and scanning the band manually I always came up dry because I wasn’t 100% sure where I needed to look.

Further videos on his channel also show how to receive ADS-B data with an RTL-SDR and Android phone, and how he repurposed a rabbit ears antenna into a V-dipole antenna for receiving Satcom pirates.

Corrosive has done a good job putting out SDR and radio related videos over the past couple of weeks so it may be a channel to subscribe to if you are interested in this type of content.

Receiving NOAA 19 HRPT with a HackRF, LNA4All and Cooking Pot Antenna

Over on his YouTube channel Adam 9A4QV has uploaded a video that shows him receiving the NOAA 19 HRPT signal at 1698 MHz with his HackRF, LNA4ALL and the simple circularly polarized cooking pot antenna that we saw in his last videos.

HRPT stands for High Resolution Picture Transmission and is a digital protocol that is used on some satellites to transmit much higher resolution weather images when compared to the APT signal that most people are familiar with receiving. The HRPT signal is available on NOAA 19, which also transmits APT. However, unlike APT which is at 137 MHz, HRPT is at 1698 MHz, and is typically a much weaker signal requiring a higher gain motorized tracking antenna.

However in the video Adam shows that a simple cooking pot antenna used indoors is enough to receive the signal (weakly). The signal is probably not strong enough to achieve a decoded image, but perhaps some tweaks might improve the result.

Over on his Reddit thread about the video Adam mentions that a 90cm dish, with a proper feed and two LNA4ALLs should be able to receive the HRPT signal easily. User devnulling also gives some very useful comments on how the software side could be set up if you were able to achieve a high enough SNR.

GNU Radio has HRPT blocks in the main tree (gr-noaa) that work well for decoding, and then David Taylor has an HRPT reader which will generate an image from the decoded GR output. http://www.satsignal.eu/software/hrpt.htm

http://usa-satcom.com has a paid HRPT decoder that runs on Windows that has some improvements for lower SNR locking and works very well.

– devnulling

On a previous post we showed @uhf_satcom’s HRPT results where he used a motorized tracking L-band antenna and HackRF to receive the signal. Some HRPT image examples can be found in that post.

Testing the HackRF and Portapack with an LNA4ALL

Over on YouTube Adam 9A4QV has been testing out his HackRF and Portapack with his LNA4ALL. The LNA4ALL can be powered inline via the bias tee on the HackRF. In the first video Adam shows that the HackRF and LNA4ALL are capable of receiving L-band satellites easily. The antenna he uses is a homemade circularly polarized antenna with a cooking pot being used as the reflector.

In the second video Adam shows the HackRF, Portapack and LNA4ALL receiving a telemetry signal on 442 MHz.

Finally in the last video Adam shows himself making a full QSO contact using the HackRF, Portapack and LNA4ALL. The software he uses on the Portapack is Furtek’s ‘Havoc’ firmware which has microphone to TX functionality. The LNA4ALL is able to work in transmit mode without trouble. Adam has written instructions for modifying the LNA4ALL so that it can transmit and use the HackRF’s bias tee power at the same time over on his website lna4all.blogspot.com.

Precisely Synchronizing Multiple HackRFs

Recently Marco Bartolucci & José A. del Peral-Rosado wrote in and wanted to let us know about their work in creating multiple precisely synchronized HackRFs. They plan to use the synchronized HackRFs to solve some interesting navigation problems at low cost, which are described in detail in their academic paper (IEEE link). The abstract of the paper reads:

This paper describes a new method for the synchronisation of multiple low-cost open source software-defined radios (SDR). This solution enables the use of low-cost SDRs in interesting navigation applications, such as hybrid positioning algorithms, interference localisation, and cooperative positioning among others. Time synchronisation is achieved thanks to a time pulse that can be generated either by one of the SDRs or by an external source, such as a GNSS receiver providing a 1PPS signal. Experimental results show that the proposed method effectively reduces the synchronisation offset between multiple SDRs to less than one sampling period.

In simple terms, hybrid positioning is the process of using multiple signals, such as WiFi, Bluetooth and cell phone signals, together to get an accurate position of the receiver. By using several sources localization accuracy can be improved, but to do this each receiver must be precisely synchronized to the same clock source.

The system they created uses a 1PPS GNSS-based time source connected to the SYNC_IN inputs on both HackRFs. The synchronization code runs in hardware on the HackRF’s onboard CPLD (complex programmable logic device). They also write the following regarding the system and code, which has been adopted into the HackRF repository:

A new time synchronization feature has been recently adopted in the HackRF official repository thanks to the collaboration between SPCOMNAV group, Università di Bologna, and the European Space Agency (ESA).

This contribution allows any user to precisely synchronize multiple HackRF devices below 50 ns, by means of a minor hardware modification and the firmware update.

More information about the driver updates and instructions for use can be found in this Git pull request. The team also write that their work was presented at the NAVITEC 2016 conference.

HackRF Synchronization with a 1PPS GNSS Reference.

Exposing Cordless Phone Security with a HackRF

Over on YouTube user Corrosive has been uploading some videos that explore cordless phone security with a HackRF. In his first video Corrosive shows how he’s able to use a HackRF to capture and then replay the pager tones (handset finding feature) for a very cheap VTech 5.8 GHz cordless phone. He uses the Universal Radio Hacker software in Windows.

In the second video Corrosive shows how bad the voice security on the VTech 5.8 GHz phone can be. It turns out that while it is advertised as a 5.8 GHz phone and the handset does transmit at 5.8 GHz, the VTech base station actually transmits voice in clear NFM at around 900 MHz. Cordless phones advertised as 5.8 GHz are typically considered more secure due to their high frequency, which is inaccessible to most scanner radios. In the video he also shows some of the digital pairing signals that the phone and base station transmit.

Signal Reverse Engineering Tool DSpectrum Upgraded to DSpectrumGUI

DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions. It is built on top of the Inspectrum tool which makes it easy to visualize and manually turn a captured digital RF waveform into a string of bits for later analysis by providing a draggable visual overlay that helps with determining various digital signal properties. DSpectrum added features to Inspectrum like automatically converting the waveform into a binary string with thresholding. RF .wav files for these tools can be captured by any capable radio, such as an RTL-SDR or HackRF.

DSpectrum has recently been deprecated in favor of the new DSpectrumGUI, which builds on the success of DSpectrum by providing a full interactive GUI that helps with the reverse engineering workflow. Some interesting new features include automatic analysis of the binary to determine the modulation and encoding types, the ability to submit/download reverse engineering worksheet templates to/from the community, and binary generation for transmitting with an RFCat.

A similar tool is Universal Radio Hacker.

HackRF Receives Negative Press in the UK’s ‘DailyMail’ Newspaper

The HackRF is a $300 USD RX/TX capable software defined radio which has a wide tuning range from almost DC – 6 GHz, and wide bandwidths of up to 20 MHz. It uses an 8-bit ADC so reception quality is not great, but most people buy it for its TX and wide frequency/bandwidth capabilities.

Recently the HackRF received some negative press in the ‘Daily Mail’, a British tabloid newspaper famous for sensationalist articles. In the article the Daily Mail shows that the HackRF can be used to break into a £100,000 Range Rover in less than two minutes. The exact method of attack isn’t revealed, but we assume they did some sort of simple replay attack. What they probably did is take the car key far away out of reception range from the car, record a key press using the HackRF, and then replay that key press close to the car with the HackRF’s TX function. Taking the key out of reception range of the car prevents the car from invalidating the rolling code when the key is pressed.

Of course in real life an attacker would need to be more sophisticated as they most likely wouldn’t have access to the keyfob, and in that case they would most likely perform a jam-record-replay attack as we’ve seen with cheap homemade devices like RollJam. The HackRF cannot do this by itself because it is only half-duplex and so cannot TX and RX at the same time.
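To make the "invalidating the rolling code" step concrete, here is a receiver-side rolling-code verifier written as an added example; it is not code from the article or from any vehicle or keyfob vendor. The frame layout (a 4-byte counter followed by an 8-byte truncated HMAC-SHA256 tag), the shared key and the 16-code look-ahead window are constructed for illustration. The receiver only advances its counter when it actually receives a valid frame, which is exactly why a frame the car never heard stays valid until a later one is received, while any frame at or below the last accepted counter is rejected.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # how far ahead of the last accepted counter a frame may be (constructed value)


class Fob:
    """Transmitter side: increments a counter and authenticates it."""

    def __init__(self, key, counter=0):
        self.key, self.counter = key, counter

    def press(self):
        self.counter += 1
        body = struct.pack(">I", self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class Receiver:
    """Receiver side: accepts a frame only if its tag is valid and its
    counter is strictly newer than the last accepted one, within WINDOW."""

    def __init__(self, key, counter=0):
        self.key, self.last = key, counter

    def verify(self, frame):
        if len(frame) != 12:
            return False
        body, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        ctr = struct.unpack(">I", body)[0]
        if not (self.last < ctr <= self.last + WINDOW):
            return False                      # already used, or too far ahead
        self.last = ctr                       # consume: this and older codes are now dead
        return True


def demo():
    """Exercise the verifier and return the accept/reject outcome of each case."""
    key = b"constructed-demo-key"             # placeholder shared secret
    fob, car = Fob(key), Receiver(key)
    results = {}
    f1 = fob.press()
    results["fresh"] = car.verify(f1)                          # first use: accepted
    results["replay"] = car.verify(f1)                         # same frame again: rejected
    results["forged"] = car.verify(f1[:4] + bytes(8))          # bad tag: rejected
    f2 = fob.press()                                           # counter 2, never received by car
    for _ in range(5):
        fob.press()                                            # counters 3..7, also unheard
    f8 = fob.press()                                           # counter 8
    results["within_window"] = car.verify(f8)                  # 8 <= 1 + WINDOW: accepted
    results["stale_recorded"] = car.verify(f2)                 # 2 <= last(8): rejected
    for _ in range(WINDOW):
        fob.press()                                            # counters 9..24
    results["beyond_window"] = car.verify(fob.press())         # 25 > 8 + WINDOW: rejected
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} -> {'accepted' if accepted else 'rejected'}")
```

The window is what lets a fob that was pressed out of range resync without a reprogramming step; the trade-off the article describes is that the same window keeps an unheard frame live until something newer is accepted. Tightening the window, requiring a challenge-response exchange, or timing out old counters are the usual receiver-side answers.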

We should also mention that the HackRF is not the only device that can be used for replay attacks – potentially any radio that can transmit at the keyfob frequency could be used. Even a very cheap Arduino with ISM band RF module can be used for the same purpose.