Tagged: hackrf

Exposing Cordless Phone Security with a HackRF

Over on YouTube user Corrosive has been uploading some videos that explore cordless phone security with a HackRF. In his first video Corrosive shows how he’s able to use a HackRF to capture and then replay the pager tones (the handset-finding feature) of a very cheap VTech 5.8 GHz cordless phone. He uses the Universal Radio Hacker software on Windows.

In the second video Corrosive shows how poor the voice security on the VTech 5.8 GHz phone can be. It turns out that while the phone is advertised as 5.8 GHz, and the handset does transmit at 5.8 GHz, the VTech base station actually transmits voice in the clear as NFM at around 900 MHz. Cordless phones advertised as 5.8 GHz are typically considered more secure because their high frequency is out of reach of most scanner radios. In the video he also shows some of the digital pairing signals that the phone and base station transmit.

Cordless Phone Security Exposed With HackRF SDR

Signal Reverse Engineering Tool DSpectrum Upgraded to DSpectrumGUI

DSpectrum is a reverse engineering tool that aims to make it trivial to demodulate digital RF transmissions. It is built on top of the Inspectrum tool, which makes it easy to visualize and manually turn a captured digital RF waveform into a string of bits for later analysis by providing a draggable visual overlay that helps with determining various digital signal properties. DSpectrum added features to Inspectrum such as automatically converting the waveform into a binary string by thresholding. RF .wav files for these tools can be captured by any capable radio, such as an RTL-SDR or HackRF.

DSpectrum has recently been deprecated in favor of the new DSpectrumGUI, which builds on the success of DSpectrum by providing a full interactive GUI that helps with the reverse engineering workflow. Some interesting new features include automatic analysis of the binary to determine the modulation and encoding types, the ability to submit/download reverse engineering worksheet templates to/from the community, and binary generation for transmitting with an RFCat.

A similar tool is Universal Radio Hacker.

DSpectrumGUI

HackRF Receives Negative Press in the UK’s ‘DailyMail’ Newspaper

The HackRF is a $300 USD RX/TX capable software defined radio which has a wide tuning range from almost DC – 6 GHz, and wide bandwidths of up to 20 MHz. It uses an 8-bit ADC so reception quality is not great, but most people buy it for its TX and wide frequency/bandwidth capabilities.

Recently the HackRF received some negative press in the ‘Daily Mail’, a British tabloid newspaper famous for sensationalist articles. In the article the Daily Mail shows that the HackRF can be used to break into a £100,000 Range Rover in less than two minutes. The exact method of attack isn’t revealed, but we assume they did some sort of simple replay attack. What they probably did is take the car key far away, out of reception range of the car, record a key press using the HackRF, and then replay that key press close to the car with the HackRF’s TX function. Taking the key out of reception range of the car prevents the car from invalidating the rolling code when the key is pressed.

Of course in real life an attacker would need to be more sophisticated as they most likely wouldn’t have access to the keyfob, and in that case they would most likely perform a jam-record-replay attack as we’ve seen with cheap homemade devices like RollJam. The HackRF cannot do this by itself because it is only half-duplex and so cannot TX and RX at the same time.
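To make the rolling-code reasoning above concrete, here is a small receiver model. It is an added example, not code from any keyfob vendor or from the Daily Mail article, and it deliberately models only the counter-window check (the window size and counters are constructed values; real systems also encrypt the counter, which is left out). It shows why replaying a code the car has already consumed fails, why a code the car never heard is still inside the window and therefore accepted, and why a fob pressed too many times out of range falls out of sync.

```python
"""Sliding-window rolling-code receiver model (added example, constructed values)."""


class RollingCodeReceiver:
    # Number of counters ahead of the last accepted one that remain valid.
    # Constructed value; vendors pick their own window size.
    WINDOW = 16

    def __init__(self, start=0):
        self.last_accepted = start

    def accept(self, counter):
        """Accept only counters strictly ahead of the last one and within WINDOW.

        A counter <= last_accepted is a replay of something already consumed.
        A counter far ahead (fob pressed many times out of range) is also
        rejected, which is the desync case owners occasionally hit.
        """
        if self.last_accepted < counter <= self.last_accepted + self.WINDOW:
            self.last_accepted = counter
            return True
        return False


class Fob:
    def __init__(self, start=0):
        self.counter = start

    def press(self):
        self.counter += 1
        return self.counter


def scenario_replay_heard():
    """Car hears the press, then the same code is replayed: (True, False)."""
    fob, car = Fob(), RollingCodeReceiver()
    code = fob.press()
    first = car.accept(code)
    replay = car.accept(code)
    return first, replay


def scenario_replay_unheard():
    """Press recorded out of range: the car never consumed that counter,
    so a counter-only check cannot distinguish it from a fresh press."""
    fob, car = Fob(), RollingCodeReceiver()
    captured = fob.press()  # car is out of range and never receives this
    return car.accept(captured)


def scenario_desync():
    """More out-of-range presses than WINDOW push the fob past the window."""
    fob, car = Fob(), RollingCodeReceiver()
    code = None
    for _ in range(RollingCodeReceiver.WINDOW + 1):
        code = fob.press()
    return car.accept(code)


if __name__ == "__main__":
    print("heard then replayed:", scenario_replay_heard())
    print("captured unheard:  ", scenario_replay_unheard())
    print("desynced fob:       ", scenario_desync())
```

The second scenario is the weakness the article's demonstration relies on: a monotonic counter only proves a code has not been used before, not that it was generated in the car's presence. Detecting that case needs something the counter alone cannot give, such as a receiver-issued challenge.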

We should also mention that the HackRF is not the only device that can be used for replay attacks – potentially any radio that can transmit at the keyfob frequency could be used. Even a very cheap Arduino with ISM band RF module can be used for the same purpose.

Transmitting Analog TV Broadcasts with a HackRF

Over on the user-submitted hackaday.io community, user marble has shared his work on using a HackRF to transmit color PAL analog TV images with his rad1o (the rad1o is a slight variation of the HackRF One) using a GNU Radio flowgraph.

In his submission he shares a tutorial that explains the theory behind the PAL analog video standard. He explains the different components of the PAL signal, including the luma (black and white part), frame rates, and modulation. He then goes on to explain how color is encoded onto the PAL signal using Quadrature Amplitude Modulation (QAM).

Finally in the files section marble also supplies us with the GNU Radio flowgraph which can be used to transmit PAL video with a HackRF.

PAL test signal transmitted with a HackRF.

Reverse Engineering and Controlling an RC Toy Tank with a HackRF and GNU Radio

Last year during a Russian wireless ‘capture the flag’ (CTF) competition one of the goals was to reverse engineer a remote controlled toy tank, and then to control it with a HackRF. One of the Russian CTF teams has posted a thorough write up on the reverse engineering process that was used on the toy tank (the link is in Russian, but Google Translate works okay).

The write up first shows the reception of the signal from the wireless controller, and then moves on to show how to receive it in GNU Radio and obtain a time domain graph of the digital signal. From the pulses it is simple to visually work out the binary string. Next an instruction decoder is created in GNU Radio which obtains the binary string from the signal automatically. Then, once the codes for back, forward, left and right were obtained, it was possible to write another GNU Radio program to transmit these codes to the RC toy tank from the HackRF.

HackRF used to control an RC toy tank

Using a HackRF as a Beacon Transmitter on a Drone for Antenna Calibration

Over on his Twitter feed Sylvain Azarian (@sylvain_azarian / F4GKR) has been tweeting about his new antenna calibration method which involves the use of a HackRF SDR and Raspberry Pi mounted on a drone.

The idea is to use the drone as a remote beacon which can move all around the antenna. As the drone flies around, the HackRF on the drone emits a data chirp containing GPS telemetry of the drone’s position. The receiver on the ground decodes this data and also determines the SNR of the received signal. By plotting the received SNR together with the drone’s GPS position, the radiation pattern of the antenna under test can be determined.

The software is called “RadiantBee” and is developed by both F4GKR and F5OEO. It is available over on GitHub. The flying hardware consists of a quadcopter, GPS, Raspberry Pi 3, HackRF, 10 GHz upconverter, band pass filter and horn antenna. The base station consists of an RTL-SDR dongle, 10 GHz downconverter, GPS and the antenna under test.
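The plotting step the description glosses over is straightforward once each decoded chirp yields a position and an SNR. The code below is an added illustration of it, not RadiantBee's own code: it assumes each record is (latitude, longitude, SNR in dB), that the antenna under test is at a known fixed position, and that a flat-earth bearing is good enough over the few hundred metres a quadcopter covers. It bins the readings by azimuth, keeps the peak SNR per bin (fading only ever lowers a reading), and normalises the result to the main lobe. The antenna position and telemetry records are constructed.

```python
"""Azimuth radiation pattern from drone-beacon telemetry (added example, constructed data)."""
import math

# Constructed position of the antenna under test (lat, lon).
ANTENNA_POS = (48.8566, 2.3522)

# Constructed decoded beacons: (lat, lon, snr_dB). Four cardinal points, with
# two readings to the east to show the per-bin peak being kept.
SAMPLE_TELEMETRY = [
    (48.8576, 2.3522, 25.0),  # north of the antenna
    (48.8566, 2.3532, 12.0),  # east
    (48.8566, 2.3532, 14.0),  # east again, slightly stronger
    (48.8556, 2.3522, 5.0),   # south
    (48.8566, 2.3512, 11.0),  # west
]


def bearing_deg(origin, point):
    """Compass bearing from origin to point in [0, 360), flat-earth approximation.

    Longitude differences are scaled by cos(latitude) so east-west distances
    are not exaggerated at high latitudes.
    """
    lat0, lon0 = origin
    lat1, lon1 = point
    dy = lat1 - lat0
    dx = (lon1 - lon0) * math.cos(math.radians(lat0))
    return math.degrees(math.atan2(dx, dy)) % 360


def azimuth_pattern(records, origin=ANTENNA_POS, bin_deg=10):
    """Peak SNR per azimuth bin, keyed by the bin's lower edge in degrees."""
    bins = {}
    for lat, lon, snr in records:
        b = int(bearing_deg(origin, (lat, lon)) // bin_deg) * bin_deg
        bins[b] = max(bins.get(b, snr), snr)
    return dict(sorted(bins.items()))


def normalized_pattern(pattern):
    """Express each bin relative to the strongest bin, in dB (0.0 = main lobe)."""
    peak = max(pattern.values())
    return {b: round(s - peak, 1) for b, s in pattern.items()}


if __name__ == "__main__":
    pattern = azimuth_pattern(SAMPLE_TELEMETRY)
    for az, rel in normalized_pattern(pattern).items():
        print(f"{az:3d} deg  {rel:6.1f} dB")
```

Elevation is handled the same way with the drone's altitude and a second binning axis; keeping the peak per bin rather than the mean is what makes the flight path not need to be uniform.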

[Also seen on Hackaday]

The RadiantBee Quadcopter.

Testing SSTV Transmission with the HackRF and Portapack

Last week we made a post about the HackRF Portapack, and gave some examples of it in action. Recently the furrtek Havoc firmware for the Portapack was updated, and it now supports SSTV transmission. Over on Twitter, Giorgio Campiotti @giorgiofox has uploaded a video showing an example transmission in action.

In the video the HackRF with Portapack transmits a test SSTV image to an Elecraft K3 ham radio, which is linked to a PC. SSTV decoding software on the PC turns the data back into an image.

SSTV stands for ‘Slow Scan TV’, and is a method used by hams to send images over radio. Typically this activity occurs on HF frequencies. Sometimes the ISS transmits SSTV images down to earth as well to commemorate special events.

Some HackRF Portapack Demos

The PortaPack is an add-on created by Jared Boone for the HackRF software defined radio. It costs $200 USD at the ShareBrained store and, together with a USB battery pack, it allows you to go completely portable with your HackRF. The HackRF is a multi-purpose SDR which can both receive and transmit anything (as long as you program it in) from 1 MHz to 6 GHz.

Since we last posted about the PortaPack many new features have been added, and the firmware has matured significantly. Now the official PortaPack firmware allows you to receive and demodulate SSB, AM, NFM, WFM and display up to an 18 MHz wide waterfall. You can also decode marine AIS, the automobile tyre pressure monitoring system (TPMS) and utility ITRON ERT meters.

There is also a popular fork of the official PortaPack firmware called portapack-havoc, which is created by a dev who goes by the handle ‘furrtek’. This firmware is a bit more risky in terms of the trouble it can get you into as it enables several new features including:

  • Close Call – see if anyone is transmitting near to you
  • a CW generator
  • a GPS and various other jammers
  • an LCR transmitter – the wireless protocol used in France for programming traffic related signage
  • a microphone transmitter
  • a POCSAG receiver and transmitter – receive and send to pagers
  • a PWM RSSI output – useful for crude automatic direction finding
  • an RDS transmitter – transmit radio station text data to compatible broadcast FM radios
  • a soundboard – play a stored bank of wav sounds on a frequency
  • an SSTV transmitter – transmit slow scan TV signals
  • an OOK transmitter – control on-off-keying devices such as doorbells.

Below we’ve created a YouTube playlist showing several videos that show the portapack in action.

PortaPack H1 Firmware 20160222

And below we show a tweet from @furrtek showing off the recently added SSTV transmit feature, and a tweet from @giorgiofox showing off the microphone transmit feature.