Tagged: hackrf

rx_tools: RTL-SDR Command Line Tools (rtl_power, rtl_fm, rtl_sdr) Now Compatible With Almost Any SDR

Developer R. X. Seger has recently released rx_tools, which provides SDR-independent ports of the popular command line RTL-SDR tools rtl_power, rtl_fm and rtl_sdr. This means that these tools can now be used on almost any SDR, such as the bladeRF, HackRF, SDRplay, Airspy and LimeSDR. If you don’t know what the tools do, then here is a quick breakdown:

rtl_fm / rx_fm: Allows you to decode and listen to FM/AM/SSB radio.
rtl_sdr / rx_sdr: Allows you to record raw samples for future processing.
rtl_power / rx_power: Allows you to do wideband scans over arbitrarily wide swaths of bandwidth by hopping over and recording signal power levels over multiple chunks of spectrum.

rx_tools is based on SoapySDR, which is an SDR abstraction layer. If software is developed with SoapySDR, then it can be more easily used with any SDR, assuming a Soapy plugin has been written for that particular SDR. This removes the need to rewrite software for each different SDR, as the plugin only needs to be written once.

rx_power scan with the HackRF at 5 GHz over 9 hours.

Cheating at Pokémon Go with a HackRF and GPS Spoofing

"Pokémon Go" is the latest in smartphone augmented reality gaming crazes. You may have already heard about the game on the news, or seen kids playing it in your neighborhood. To play, players must walk around in the real world with their GPS enabled smartphone, collecting different virtual Pokémon which appear at random spots in the real world, replenishing the virtual items need to collect Pokemon at "Pokéstops" and putting Pokémon to battle at "Gyms". Pokéstops and gyms are often city landmarks such as popular shops, fountains, statues, signs etc. For those who have no idea what "Pokémon" are: Pokémon are fictional animals from a popular children's cartoon and comic.

Since the game is GPS based, Stefan Kiese decided to see if he could cheat at the game by spoofing his GPS location using a HackRF software defined radio. The HackRF is a relatively low cost multipurpose TX and RX capable software defined radio. When playing the game, players often walk from Pokéstop to Pokéstop, collecting Pokémon along the way, and replenishing their items. By spoofing the GPS signal he is able to simulate walking around in the physical world, potentially automating the collection of Pokémon and replenishment of items at Pokéstops.

To do this he used the off-the-shelf "GPS-SDR-Sim" software by Takuji Ebinuma, which is a GPS spoofing tool for transmit capable SDRs like the HackRF, bladeRF and USRP radios. At first, when using the software, Stefan noticed that the HackRF was simply jamming his GPS signals, and not simulating the satellites. He discovered that the problem was the HackRF's clock not being accurate enough. To solve this he used a function generator to input a stable 10 MHz square wave into the HackRF's clock input port. He also found that he needed to disable "Assisted GPS (a-gps)" on his phone, which uses local cell phone towers to help improve GPS location tracking.

Next he was able to use the GPS-SDR-Sim tools to plot a simulated walking route and see his virtual character walking around on the real world map. A warning if you intend on doing this: Remember that 1) spoofing or jamming GPS is highly illegal in most countries outside of a shielded test lab setting, so you must ensure that your spoofed GPS signal does not interfere with anything, and 2) the game likely has cheating detection and will probably ban you if you don't simulate a regular walking speed.

GPS spoofing is not new. One attempt in 2013 allowed university researchers to send an 80 million dollar 213-foot yacht off course, and it is suspected that hackers from the Iranian government used GPS spoofing to divert and land an American stealth drone back in 2011. In past posts we also showed how security researcher Lin Huang was able to spoof GPS and bypass drone no fly restrictions.

[Also seen on Hackaday.com] / [Russian Readers: There is a translation of this article by softdroid now available]

The "Pokemon Go" GPS spoofing set up.

SDR4Everyone: Review of the HackRF

Over on his ‘SDR4Everyone’ blog author Akos has recently uploaded a new post that reviews the HackRF One, and also compares it against the SDRplay RSP and RTL-SDR. In his review he discusses his first impressions of the HackRF, his concerns about it being labelled as a transceiver, and some of its various features. He also does a screenshot comparison of the HackRF, RSP and RTL-SDR on shortwave reception and image rejection performance. Akos also notes that there are not many applications in the high gigahertz range that cannot be done with cheaper or more specialized equipment. Finally he concludes that the HackRF is not very sensitive or good at RX in general, but still has enough features to make it a worthwhile purchase for some people.

If you are interested in the HackRF, we also have our own review that compares the HackRF, SDRplay RSP and Airspy.

The SDRplay and HackRF One.

Stealing a Drone with Software Defined Radio

PHDays (Positive Hack Days) is a yearly forum with a focus on ethical hacking and security. During this year's forum, which took place in June, the organizers set up a competition where the goal was to “steal” or take control of a Syma X8C quadcopter drone. The drone runs on the nRF24L01 module, which from previous posts we have seen can easily be sniffed and decoded with an RTL-SDR or other SDR.

To reverse engineer the drone's wireless communications system the teams used software defined radios like the HackRF and BladeRF, and also an alternative method involving just an Arduino and an nRF24L01+ receiver chip. Once the signal was received, they used GNU Radio to decode the signal into packets of data. After analyzing the data they found that the data bytes were easily reverse engineered, and they were then able to transmit their own data packets to control the drone. The post goes into further detail on the specifics of the reverse engineering.

The Syma X8C drone to be stolen in the competition.

Using a HackRF to perform a replay attack against a Jeep Patriot

Over on his blog Caleb Madrigal has written a short article that describes how he was able to perform a simple replay attack against a Jeep Patriot vehicle, which allowed him to unlock and lock his car via his HackRF. The replay attack is a very simple attack that can easily be performed with a TX capable SDR, like the HackRF. Essentially, a signal is recorded and then rebroadcast (replayed). Normally, wireless car locks have rolling code security measures that prevent such an attack, but it appears that the 2006 Jeep Patriot has no such measures.

Caleb first recorded the unlock and lock signals using his HackRF with GNU Radio. He then took the step of opening the recorded file up in Audacity and isolating the unlock and lock audio signals, and then saving each signal to a separate file. Finally, after doing this he was able to transmit the unlock and lock waveforms which successfully locked and unlocked the Jeep.
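Why a rolling code defeats the replay described above, as an added example that is not from Caleb's article or from any vehicle's firmware. The HMAC-plus-counter scheme is a simplified stand-in for real rolling code systems, and all names, keys and frames are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 8  # truncated HMAC length used by this illustrative scheme


class FixedCodeReceiver:
    """Receiver with one static code: a recorded frame stays valid forever."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


def rolling_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Fob side: 4-byte counter + 1-byte command + truncated HMAC over both."""
    msg = counter.to_bytes(4, "big") + command
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class RollingCodeReceiver:
    """Accepts a frame only if it is authentic AND its counter moved forward."""

    WINDOW = 16  # tolerated missed button presses (assumed value)

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 4 + 1 + TAG_LEN:
            return False
        msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(msg[:4], "big")
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return False  # replayed (old) or implausibly far ahead
        self.last_counter = counter  # this counter value can never be reused
        return True


def demo():
    fixed = FixedCodeReceiver(b"UNLOCK-STATIC")  # constructed static code
    captured = b"UNLOCK-STATIC"                  # what a recording would hold
    fixed_results = [fixed.accept(captured), fixed.accept(captured)]
    key = b"constructed-demo-key"
    rx = RollingCodeReceiver(key)
    frame = rolling_frame(key, 1, b"U")
    rolling_results = [rx.accept(frame), rx.accept(frame),
                       rx.accept(rolling_frame(key, 2, b"U"))]
    return fixed_results, rolling_results


if __name__ == "__main__":
    print(demo())
```

The fixed-code receiver accepts the same recorded frame every time, while the rolling-code receiver accepts each counter value once and rejects the second presentation of the identical frame.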

LimeSDR (Previously Sodera) Now Crowdfunding: $299 100 kHz – 3.8 GHz 12-Bit TX/RX SDR

Previously we posted news about the upcoming release of SoDeRa/LimeSDR, a low cost 100 kHz – 3.8 GHz range RX/TX capable software defined radio. Due to copyright reasons SoDeRa have renamed the product to LimeSDR.

The LimeSDR is now seeking crowdfunding and is looking for a $500,000 funding goal. At the time of this post on the first day of funding the total is already at $65,000, with 53 days left to go, so it appears that there is a high chance of it being funded. The description reads:

LimeSDR is a low cost, open source, apps-enabled (more on that later) software defined radio (SDR) platform that can be used to support just about any type of wireless communication standard. LimeSDR can send and receive UMTS, LTE, GSM, LoRa, Bluetooth, Zigbee, RFID, and Digital Broadcasting, to name but a few.

While most SDRs have remained in the domain of RF and protocol experts, LimeSDR is usable by anyone familiar with the idea of an app store – it’s the first SDR to integrate with Snappy Ubuntu Core. This means you can easily download new LimeSDR apps from developers around the world. If you’re a developer yourself, you can share and/or sell your LimeSDR apps through Snappy Ubuntu Core as well.

The LimeSDR platform gives students, inventors, and developers an intelligent and flexible device for manipulating wireless signals, so they can learn, experiment, and develop with freedom from limited functionality and expensive proprietary devices.

The price for a single board is $299 USD for regular backers, but there is an early bird price of $199 USD. At the time of this post there are still over 200 boards left to go at the lower price. There are also higher end options that add turn-key support and acrylic and aluminium enclosures, as well as a PCIe interface option.

The LimeSDR can tune from 100 kHz – 3.8 GHz, can have a bandwidth of up to 61.44 MHz, uses a 12-bit ADC, has two transmit channels, two receive channels, is full duplex and comes with a 4 PPM stable oscillator. To achieve such a high bandwidth the board requires a USB 3.0 connection, and will likely require a modern PC to reach a high bandwidth. From its pricing and specs it looks like it can be thought of as a next generation HackRF, or a lower cost version of the high end Ettus SDRs.

The LimeSDR with four antennas attached.

Receiving Iridium Satellites with a HackRF Portapack and Cheap Antenna

Recently Jared Boone, creator of the HackRF Portapack, posted on his blog about his experience with trying to receive Iridium satellite signals. The HackRF is an 8-bit, ~0 – 6 GHz, RX/TX capable SDR, and the Portapack is a kit that allows the HackRF to go portable by adding an LCD screen, battery pack and control wheel. Iridium is an L-band satellite service that provides products such as satellite phones and pagers. Back in December 2014 we posted how it was found that Iridium pager messages could be decoded.

To receive Iridium, Jared used a simple ceramic patch antenna mounted on a piece of cheap copper clad fibreglass. This simple antenna was good enough to receive the Iridium signals with good strength. With this set up Jared was able to easily go outside, receive some packets and record them. He writes that his next steps are to try to run the Iridium pager decoder on them and see what packets he captured.

Iridium Antenna + HackRF Portapack.

Receiving Differential GPS Beacons with a HackRF

Differential GPS (DGPS) signals exist between 285 – 325 kHz and are used to enhance the accuracy of GPS receivers. The system can improve GPS accuracy from 15m down to 10cm in some cases. It works using a network of ground stations at very accurately known locations that continuously measure the GPS error they receive. They then broadcast this error to DGPS capable receivers. A receiver can then use this error knowledge to correct its own readings.

With a VLF capable radio these DGPS beacons can be received and decoded on your PC. Over on swling.com guest poster Mario has submitted a post showing that these DGPS beacons can be received with a HackRF SDR and the MultiPSK software. The HackRF is a $299 SDR that can tune down to VLF (at reduced sensitivity). We note that the same or better results could also be achieved with a HackRF or RTL-SDR with upconverter.

DGPS received with a HackRF