In a video uploaded to YouTube last week, Tech Minds explored the HackRF Portapack, which is an add on for the HackRF SDR that allows the HackRF to be used portably without a PC. In that video he demonstrated it running the stock firmware.
In his latest video Tech Minds explores the Mayhem firmware, which is firmware developed by a third party in order to add significantly more features. The Mayhem firmware is a fork of the Havok firmware which is no longer maintained. If you're interested, back in 2018 we did our own review of the Havok firmware.
In the video Tech Minds first explains how to install the Mayhem firmware which also requires you to add an external SD card into your portapack. He goes on to demonstrate the various RX decoders available including ADS-B, ACARS, AIS, AFSK, BTLE, FM/AM/SSB audio, analog TV, ERT meters, POCSAG, Radiosonde and TPMS. Next he shows the various transmittable signals available including, ADS-B, APRS, BHT, GPS Sim, Jammer, Key Fob, LGE, Mic, Morse, Burger Pagers, OOK, POCSAG, RDS, Sounds, SSTV, TEDI/LCR and TouchTune.
MAYHEM Firmware for the HackRF Portapack Installation / Overview
The Portapack is an add on for the HackRF SDR that allows the HackRF to be used portably without a PC. If you're interested, in the past we reviewed the Portapack with the Havok firmware, which enables many TX features such as POCSAG transmissions as well as various other RX modes.
In a recent video Tech Minds reviews a Portapack clone, which is essentially exactly the same as the original Portapack. In the video he shows how to connect the Portapack to the HackRF, how download the Firmware and flash it to the HackRF. He then goes on to show some of the Portapack RX features in action. In this review he uses the official Portapack firmware, but notes that he will test the third party Havok and Mayhem firmware which have many more features in a future video.
This weeks episode of Hak5 (an information security themed YouTube channel) features Dale Wooden (@TB69RR) who joins hosts Shannon and Darren to demonstrate a zero day vulnerability against Ford keyless entry/ignition. More details about the vulnerability will be presented at this years DEF CON 27 conference, which is due to be held on August 8 - 11.
In the video Dale first demonstrates how he uses a HackRF with Portapack to capture and then replay the signal from a Ford vehicle's keyfob. The result is that the original keyfob no longer functions, locking the owner out from the car. After performing a second process with another keyfob, Dale is now able to fully replicate a keyfob, and unlock the car from his HackRF.
Dale explains that unlike the well known jam-and-replay methods, his requires no jamming, and instead uses a vulnerability to trick the car into resetting the rolling code counter back to zero, allowing him to capture rolling codes that are always valid. Dale also notes that he could use any RX capable SDR like an RTL-SDR to automatically capture signals from over 100m away.
The vulnerability has been disclosed to Ford, and the full details and code to do the attack will only be released at DEF CON 27, giving Ford enough time to fix the vulnerability. It is known to affect 2019 Ford F-150 Raptors, Mustangs and 2017 Ford Expeditions, but other models are also likely to be vulnerable.
The video is split into three parts. In part 1 Dale demonstrates the vulnerability on a real vehicle and in part 2 he explains the story behind his discovery, how he responsibly disclosed the vulnerability to Ford and how to reset the keyfob yourself. Finally in part 3 Darren interviews Dale about his experiences in the RF security field.
Netxing's idea was to use an FM transmitter connected to a computer to transmit known magnetic stripe card data via FM to the Portapack. The Portapack then receives and outputs this as FM audio to an electromagnet connected to the audio out jack, allowing it to activate the magnetic card reader.
Using this method it could be possible to make a payment by transmitting card data remotely over an FM signal. We're not sure on why you'd want to do this, but it is an interesting experiment regardless.
Over on the Wireless LAN Professional Podcast Keith and Blake Krone discuss the HackRF, PortaPack and the Havoc firmware in episode 138. The HackRF is a US$299 transmit capable SDR which has been very popular in the past as it was one of the first affordable TX capable SDRs to hit the market. The PortaPack is a US$220 add on which allows you to go portable with the HackRF. And finally Havoc is a third party firmware for the HackRF+PortaPack which enables multiple RX and TX capable features.
The PortaPack is a US$220 add-on for the HackRF software defined radio (HackRF + PortaPack + Accessory Amazon bundle) which allows you to go portable with the HackRF and a battery pack. It features a small touchscreen LCD and an iPod like control wheel that is used to control custom HackRF firmware which includes an audio receiver, several built in digital decoders and transmitters too. With the PortaPack no PC is required to receive or transmit with the HackRF.
Of course as you are fixed to custom firmware, it's not possible to run any software that has already been developed for Windows or Linux systems in the past. The official firmware created by the PortaPack developer Jared Boone has several decoders and transmitters built into it, but the third party 'Havoc' firmware by 'furrtek' is really what you'll want to use with it since it contains many more decoders and transmit options.
As of the time of this post the currently available decoders and transmit options can be seen in the screenshots below. The ones in green are almost fully implemented, the ones in yellow are working with some features missing, and the ones in grey are planned to be implemented in the future. Note that for the transmitter options, there are some there that could really land you in trouble with the law so be very careful to exercise caution and only transmit what you are legally allowed to.
Although the PortaPack was released several years ago we never did a review on it as the firmware was not developed very far beyond listening to audio and implementing a few transmitters. But over time the Havok firmware, as well as the official firmware has been developed further, opening up many new interesting applications for the PortaPack.
Testing the PortaPack with the Havoc Firmware
Capture and Replay
One of the best things about the PortaPack is that it makes capture and replay of wireless signals like those from ISM band remote controls extremely easy. To create a capture we just need to enter the "Capture" menu, set the frequency of the remote key, press the red 'R' Record button and then press the key on the remote. Then stop the recording to save it to the SD Card.
Now you can go into the Replay menu, select the file that you just recorded and hit play. The exact same signal will be transmitted over the air, effectively replacing your remote key.
We tested this using a simple remote alarm system and it worked flawlessly first time. The video below shows how easy the whole process is.
Last week we made a post about the HackRF Portapack, and gave some examples of it in action. Recently the furtek Havoc firmware for the portapack was updated, and it now supports SSTV transmission. Over on Twitter, Giorgio Campiotti @giorgiofox has uploaded a video showing an example transmission in action.
In the video the HackRF with Portapack transmits a test SSTV image to an Elecraft K3 ham radio, which is linked to a PC. SSTV decoding software on the PC turns the data back into an image.
SSTV stands for ‘Slow Scan TV’, and is a method used by hams to send images over radio. Typically this activity occurs on HF frequencies. Sometimes the ISS transmits SSTV images down to earth as well to commemorate special events.
The PortaPack is an addon created by Jared Boone for the HackRF software defined radio. It costs $200 USD at the sharebrained store and together with a USB battery pack it allows you to go completely portable with your HackRF. The HackRF is a multi-purpose SDR which can both receive and transmit anything (as long as you program it in) from 1 MHz to 6 GHz.
Since we last posted about the PortaPack many new features have been added, and the firmware has matured significantly. Now the official PortaPack firmware allows you to receive and demodulate SSB, AM, NFM, WFM and display up to an 18 MHz wide waterfall. You can also decode marine AIS, the automobile tyre pressure monitoring system (TPMS) and utility ITRON ERT meters.
There is also a popular fork of the official PortaPack firmware called portapack-havoc, which is created by a dev who goes by the handle ‘furrtek’. This firmware is a bit more risky in terms of the trouble it can get you into as it enables several new features including:
Close call – See if anyone is transmitting near to you
A CW generator
a GPS and various other jammers
an LCR transmitter – the wireless protocol used in France for programming traffic related signage
a microphone transmitter
a pocsag receiver and transmitter – receive and send to pagers
a PWM RSSI output – useful for crude automatic direction finding
an RDS transmitter – transmit radio station text data to compatible broadcast FM radios
a soundboard – play a stored bank of wav sounds on a frequency
an SSTV tranmitter – transmit slow scan TV signals
an OOK transmitter – control on-off-keying devices such as doorbells.
Below we’ve created a YouTube playlist showing several videos that show the portapack in action.
HackRF + PortaPack OOK transmit (PT2262, HK526E, HT12E encoders…)
And below we show a tweet from @furrtek showing off the recently added SSTV transmit feature, and a tweet from @giorgiofox showing off the microphone transmit feature.