Tech Minds: Taking a look at the new HackRF PortaPack Mayhem Version 2 Firmware
A few days ago the programmers of the popular Mayhem firmware for the HackRF Portapack released version V2.0.0. The new version includes multiple improvements specified in the release text below.
We are super excited to share the what's new with v2.0.0
- Apps are now stored on the MicroSD Card so we can fit more apps on the device.
- New file format that contains both the firmware and SD card apps to make updating super easy. (mayhem_v2.0.0_OCI.ppfw.tar)
- Working USB serial communication when in Portapack mode
- USB serial web interface (see details a few lines later)
- One click update using https://hackrf.app
- New USB serial commands
- A bunch of bug fixes (see the changelog for the various bugs)
- Updated 'Settings' (app settings editor, encoder options, date ,config mode, brightness...)
- BLE apps
- Raw auto record and replay (see Recon in wiki)
A brand new website to manage your device, https://hackrf.app
- Can work offline once loaded first (Offline PWA)
- Remote screen support
- Remote file system access
- One click firmware updates
- Requires a chromium based browser to work
A new organization, Mayhem: https://github.com/portapack-mayhem where you can fin the sources of all our projects! Pull Requests are welcome :-)
Over on the Tech Minds YouTube channel Matt has uploaded a video showing off the new features of the Mayhem V2.0.0 firmware, and also showing how to install it. In the video Matt shows the new SD card browsing features, the new easy firmware one click update procedure, and the new web UI.
The Portapack is an accessory designed to enhance the HackRF software-defined radio (SDR), enabling portable operation. It integrates a display, user interface controls, and onboard processing capabilities. This setup allows for the direct demodulation/modulation and decoding/encoding of a wide variety of signal types without the need for an external computer.
Tech Minds: A Beginners Guide to the HackRF and Portapack with Mayhem Firmware
In one of his latest videos Matt from the Tech Minds YouTube channel has created a beginners guide to the HackRF and Portapack with the Mayhem Firmware. The HackRF is a popular affordable software defined radio with wide frequency range and transmit capabilities. An addon called the Portapack allows the HackRF to go portable, and custom firmware called 'Mayhem' significantly expands it's capabilities.
Matt uses a Chinese HackRF and Portapack clone set from Banggood which can be found very cheaply for around $200 shipped. The original Portpack can be found from the Sharebrained store for $200, and then original HackRF can be found form various resellers listed on the greatscottgadgets website.
In the video Matt unboxes the Portapack, shows an overview of the hardware and then goes on to show how to update the stock firmware to the Mayhem firmware. He then demonstrates a few of the capabilities of the Mayhem firmware.
Testing the Mayhem Firmware on a HackRF Portapack
The Portapack is an add on for the popular HackRF SDR which allows the HackRF to be used portably without a PC. Recently the cost of this hardware duo has come down to below US$150 due to low cost Chinese clones now being available on the market. Generally the clones are of good quality too.
Once you have the hardware it is possible to install third party custom firmware such as "Mayhem" on the Portapack which enables many features such as the ability to receive and transmit various different types of RF protocols. Back in 2018 we did a review of Mayhems predecessor which was known as the "Havok" firmware. More recently Tech Minds did a video overview of Mayhem.
Now over on his blog A. Petazzoni has started a new blog series which aims to introduce the basics of the Mayhem firmware, including installation and some hands on testing with RF spoofing, denial-of-service (DoS) and replay attacks. Currently only his first post is out, and in the post he show how to install Mayhem onto the Portapack, then goes on to briefly overview some applications such as RF replay attacks, replicating wireless remote controls, receiving and transmitting POCSAG, receiving and transmitting ADS-B, and creating a jammer.
Obviously a lot of what you can do with a Portapack and the Mayhem firmware is extremely illegal and very dangerous, so please do be careful with what and where you transmit especially if you are new to RF hobby. These signals should remain in your test area only, and not leak out into the wider environment.
Tech Minds: Testing the Mayhem Firmware on the HackRF Portapack
In a video uploaded to YouTube last week, Tech Minds explored the HackRF Portapack, which is an add on for the HackRF SDR that allows the HackRF to be used portably without a PC. In that video he demonstrated it running the stock firmware.
In his latest video Tech Minds explores the Mayhem firmware, which is firmware developed by a third party in order to add significantly more features. The Mayhem firmware is a fork of the Havok firmware which is no longer maintained. If you're interested, back in 2018 we did our own review of the Havok firmware.
In the video Tech Minds first explains how to install the Mayhem firmware which also requires you to add an external SD card into your portapack. He goes on to demonstrate the various RX decoders available including ADS-B, ACARS, AIS, AFSK, BTLE, FM/AM/SSB audio, analog TV, ERT meters, POCSAG, Radiosonde and TPMS. Next he shows the various transmittable signals available including, ADS-B, APRS, BHT, GPS Sim, Jammer, Key Fob, LGE, Mic, Morse, Burger Pagers, OOK, POCSAG, RDS, Sounds, SSTV, TEDI/LCR and TouchTune.
Tech Minds: A First Look at the HackRF Portapack
The Portapack is an add on for the HackRF SDR that allows the HackRF to be used portably without a PC. If you're interested, in the past we reviewed the Portapack with the Havok firmware, which enables many TX features such as POCSAG transmissions as well as various other RX modes.
In a recent video Tech Minds reviews a Portapack clone, which is essentially exactly the same as the original Portapack. In the video he shows how to connect the Portapack to the HackRF, how download the Firmware and flash it to the HackRF. He then goes on to show some of the Portapack RX features in action. In this review he uses the official Portapack firmware, but notes that he will test the third party Havok and Mayhem firmware which have many more features in a future video.
Hak5: Hacking Ford Key Fobs with a HackRF and Portapack
This weeks episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this years DEF CON 27 conference, which is due to be held on August 8 - 11.
In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.
Dale explains that unlike the well known jam-and-replay methods, his requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.
The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.
The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.
Dales discovery has also been written up in an article by The Parallex which explains the exploit in more detail.
![Hacking Ford Key Fobs Pt. 1 - SDR Attacks with @TB69RR - Hak5 2523 [Cyber Security Education]](https://www.rtl-sdr.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fk8rNQ3mBZQ4%2F0.jpg)
![Hacking Ford Key Fobs Pt. 2 - SDR Attacks with @TB69RR - Hak5 2524 [Cyber Security Education]](https://www.rtl-sdr.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FUAVYZvd0ACQ%2F0.jpg)
![Hacking Ford Key Fobs Pt. 3 - SDR Attacks with @TB69RR - Hak5 2525 [Cyber Security Education]](https://www.rtl-sdr.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2F6Wz1eZmTqQI%2F0.jpg)
Using the HackRF PortaPack To Perform a Mag-Stripe Audio Spoof
Over on his blog author "netxing" has uploaded a post describing how he was able to use a Portapack to spoof mag-stripe info stored on credit/debit cards. The idea based around an old trick called magnetic stripe audio spoofing. This is essentially using an electromagnet and a music player like an iPod or smartphone to trick a magnetic card reader into thinking that you're swiping a card through it.
Netxing's idea was to use an FM transmitter connected to a computer to transmit known magnetic stripe card data via FM to the Portapack. The Portapack then receives and outputs this as FM audio to an electromagnet connected to the audio out jack, allowing it to activate the magnetic card reader.
Using this method it could be possible to make a payment by transmitting card data remotely over an FM signal. We're not sure on why you'd want to do this, but it is an interesting experiment regardless.
Wireless LAN Professionals Podcast: What is HackRF, PortaPack, and HAVOC?
Over on the Wireless LAN Professional Podcast Keith and Blake Krone discuss the HackRF, PortaPack and the Havoc firmware in episode 138. The HackRF is a US$299 transmit capable SDR which has been very popular in the past as it was one of the first affordable TX capable SDRs to hit the market. The PortaPack is a US$220 add on which allows you to go portable with the HackRF. And finally Havoc is a third party firmware for the HackRF+PortaPack which enables multiple RX and TX capable features.
Recently we also released our own review of the HackRF, PortaPack and Havoc firmware too.
