Tagged: hackrf

Hak5 at Shmoocon 2017: Shock Collar Radio Roulette, GNU Radio, Sniffing IR (Terahertz) Signals and More!

Over on YouTube the popular Hak5 channel has uploaded a video covering several SDR-related topics from the Shmoocon 2017 conference.

One fun event talked about in the video was the Shmoocon wireless village SDR contest by Russell Handorf which involved wireless dog shock collars. These are collars usually placed on dogs, that emit a mild electric shock when a button on a wireless remote is pressed. This can help train the dog into better behaviors. Contestants were able to first make recordings of the wireless signals made by the shock collars. Then each contestant strapped a wireless shock collar to their leg and the goal was then to reverse engineer and understand the protocol as quickly as possible, then use that knowledge and a HackRF to shock the other contestants.

Another part of the video discusses GNU Radio reverse engineering with representatives from bastille.net, who are wireless IoT security researchers. The video then goes on to interview Michael Ossmann (creator of the HackRF), who talks a bit about his work in building an infrared (IR) software defined radio. Michael explains how infrared is essentially just radio at terahertz frequencies and that many SDR concepts can be applied by using a photodiode as the sensor. He mentions that there are several IR systems in use these days, such as the common remote control, toys, and high bandwidth wireless IR headphones used in car entertainment systems and conferences. The hardware Michael has created is called “Gladiolus” and is still in development.

Shmoocon 2017: Sniffing IR Signals and More! - Hak5 2120

Running a 1G Mobile Phone Network with a HackRF

First generation (1G) mobile phone technology was brought out in the 80’s and was an unsecured analogue system. These days 1G technology is completely phased out in favor of digital standards like 2G (GSM), 3G and 4G LTE and so those old 1G handsets are now useless. However, at Shmoocon 2017 presenter Brandon Creighton delivered a talk where he showed how to use a TX capable SDR like a USRP or HackRF to create your own home 1G system that allows those old brick phones to be useful once again.

The actual video of the conference talk won’t be available online until about half way through the year but the blurb read:

AMPS, the first widely deployed cellular network in the US, was old enough that it had been designed by pre-breakup Bell, yet robust enough to survive for decades in service. Unlike LTE or even GSM, it was also a protocol simple enough to be described in a fairly short specification; if you wanted to you could listen to calls with a TV tuner (or modified phone).

This is a talk on the design and implementation of gr-amps, a set of GNU Radio blocks that can turn a TX-capable software-defined radio into a base station for AMPS devices–including that brick phone in your basement. No background in SDR is necessary to follow along (but it doesn’t hurt).

Expect detours into near-forgotten phreaker history: the weaknesses that enabled phone cloning, the efforts of wireless carriers and the US government to fight exploitation, and more.

The GNU Radio code to run your own AMPS (1G) system is available on GitHub. It has been tested on a USRP and HackRF.


[Also seen on Hackaday]

Combining the Bandwidth of two HackRFs

RTL-SDR.com reader Syed Ghazanfar Ali Shah Bukhari from the Frequency Allocation Board in Pakistan recently emailed us to let us know a trick he's found which lets you combine the bandwidths of two HackRF software defined radios in GNU Radio. Syed's program is based on Oliver's flowgraph that we posted previously, which was used to combine the bandwidth of two RTL-SDR dongles.

Syed also sent us the GRC file to share which we've uploaded here.

He writes:

I have used the grc flow graph of Oliver as mentioned in the link:
https://www.rtl-sdr.com/combining-the-bandwidth-of-two-rtl-sdr-dongles-in-gnu-radio and modified it to be used with 2 HackRF Ones. I also shifted the two bandwidths inward by 1 MHz instead of 0.2 MHz to make a smooth continuation for a 38 MHz spectrum. Unfortunately one of my HackRF Ones has its RF Amp burnt up, so I adjusted its IF and BB gain to have the same noise floor as that of the other HackRF One. It's really awesome. I am sending you the diagram and grc file. The attached image is showing the complete GSM900 downlink spectrum (38 MHz) in my area with active 2G and 3G signals.

September 2018 Update:

An rtl-sdr user with the nick JAAP had some query pertaining to the calculation of the center frequency of each HackRF. The values I used were a bit erroneous. If you look at the previous flow graph I sent you, the center frequencies for both HackRFs are the same in the SDR source box. They should be different for both, with a 20 MHz difference between the two. Some spectrums started repeating themselves on those values. I have improved the flowgraph using variables and equations to remove the logical bug. I have added a slider for bandwidth cropping that can be used for test purposes only, to understand the concept behind the frequency shifting and cropping of the spectrum of both HackRFs. I have attached the new grc file and the image. Gain values can be adjusted as per user requirement and the sensitivity of your own SDRs. I am working on a grc which will show a spectrum using 5 rtl-sdrs and two hackRFs, thus combining BWs to give a span of 50 plus MHz.

Update GRC File available here.

Multi HackRF Spectrum
Multi HackRF GRC flowgraph

GNURadio Conference 2016 Talks

Back in September the GNU Radio 2016 conference (GRCon16) was held. GRCon16 is an annual conference centered around the GNU Radio project and community, and is one of the premier software defined radio industry events. GNU Radio is an open source digital signal processing (DSP) toolkit which is often used with SDR radios.

A few days ago videos of all the presentations were released on their YouTube channels, and all the slides can be found on their webpage.

One of our favorite talks from the conference is Michael Ossmann's talk on his idea to create a low cost $150 RX/TX radio. Michael Ossmann is the creator of the HackRF, which is a $299 USD RX/TX capable SDR. It was one of the first affordable general purpose wide frequency TX capable SDRs. Michael also mentions his other projects, including Neapolitan, which will be an add-on for the HackRF that enables full-duplex communications, and Marzipan, which will essentially be a single board Linux SDR using the HackRF circuit.

GRCon16 - Low-Cost SDR Hardware, Mike Ossmann

Another is Balint's talk on “Hacking the Wireless World”, where he gives an overview of various signals that can be received and analyzed or decoded with an SDR. Some applications he discusses include aviation, the RDS Traffic Message Channel, radio direction finding, OP25, IoT, SATCOM and his work on rebooting the ISEE-3 space probe.

GRCon16 - Hacking the Wireless World, Balint Seeber

Using a Yardstick One, HackRF and Inspectrum to Decode and Duplicate an OOK Signal

Over on his YouTube channel user Gareth has uploaded a video that shows a full tutorial on quickly decoding an On Off Keyed (OOK) signal with a HackRF (or RTL-SDR) and the Inspectrum software. Once decoded he then shows how to use a Yardstick One to duplicate the signal.

Inspectrum is a Linux based program that allows you to easily determine various parameters of a digitally modulated signal by positioning an overlay over the waveform of a signal recorded with an SDR. Basically Gareth’s process is to first extract signal level values using Inspectrum, then use a simple Python program to turn these values into binary bits, which gives him the data packet. He is then finally able to write another quick Python program to interface with the Yardstick One and retransmit the string.

The Yardstick One is a multipurpose radio (not an SDR) for transmitting modulated signals like OOK.
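The "signal levels to bits" step described above, written out as an added example that is not Gareth's script: it assumes you already have the amplitude values exported from a recording (here a constructed burst stands in for them) and that the symbol rate has been read off the Inspectrum overlay. It slices the burst into symbol periods and majority-votes each one; note that OOK carries no clock, so leading and trailing zero symbols are indistinguishable from silence and are dropped.

```python
import random


def ook_to_bits(samples, sample_rate, symbol_rate, threshold=None):
    """Turn amplitude samples of an OOK burst into a '0'/'1' string.

    The burst is taken to run from the first to the last sample above
    threshold, so zeros before the first '1' or after the last '1' are lost.
    """
    if not samples:
        return ""
    if threshold is None:
        # Midpoint between the 'on' and 'off' levels of the recording.
        threshold = (max(samples) + min(samples)) / 2.0
    on = [s > threshold for s in samples]
    if not any(on):
        return ""
    start = on.index(True)
    end = len(on) - on[::-1].index(True)  # one past the last 'on' sample
    sps = sample_rate / symbol_rate  # samples per symbol, from the overlay
    nsym = int(round((end - start) / sps))
    bits = []
    for k in range(nsym):
        a = start + int(round(k * sps))
        b = start + int(round((k + 1) * sps))
        window = on[a:b]
        # Majority vote over the symbol period tolerates noisy samples.
        bits.append("1" if sum(window) > len(window) / 2 else "0")
    return "".join(bits)


def bits_to_hex(bitstr):
    """Pack a bit string MSB-first into bytes (right-padded with zeros)."""
    padded = bitstr + "0" * (-len(bitstr) % 8)
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8)).hex()


def build_burst(bits, sample_rate, symbol_rate, pad=50, noise=0.05, seed=0):
    """Constructed test input: an OOK burst with silence on both sides and
    a little deterministic noise, standing in for exported signal levels."""
    rng = random.Random(seed)
    sps = int(sample_rate // symbol_rate)
    levels = [0.0] * pad
    for b in bits:
        levels.extend([1.0 if b == "1" else 0.0] * sps)
    levels.extend([0.0] * pad)
    return [v + rng.uniform(-noise, noise) for v in levels]


if __name__ == "__main__":
    burst = build_burst("1011001", 1_000_000, 10_000)
    decoded = ook_to_bits(burst, 1_000_000, 10_000)
    print(decoded, bits_to_hex(decoded))
```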

My quickest and easiest method for OOK signal decoding & replication in 2016

Building an S-Band Antenna for the HackRF

Mario Filippi, a regular contributor to our blog and to the SDR community recently wrote in with an article showing how he built an S-Band (2 – 4 GHz) antenna for use with the HackRF. Of course the antenna can be used with any other SDR that can receive in this range, or with an RTL-SDR and downconverter. We post his article below.

S -Band Antenna for use with the HackRF One
Author: Mario Filippi, N2HUN

Ever since purchasing a HackRF One, which receives from 1 MHz – 6.0 GHz I’ve always wanted to explore the world above 1 Gig, specifically the 2.0 – 2.7 GHz portion of the S-band. This portion of the band is populated with satellite communications, ISM, amateur radio, and wireless networks. A good, homebrew antenna for S-band was needed, so with parts mostly from the junk box, a 2250 MHz S-band right hand circularly polarized omni-directional antenna was built. Below is a step by step tutorial on building this antenna. Plans were from UHF-Satcom’s site.

The final S-band antenna

rx_tools: RTL-SDR Command Line Tools (rtl_power, rtl_fm, rtl_sdr) Now Compatible With Almost Any SDR

Developer R. X. Seger has recently released rx_tools which provides SDR independent ports for the popular command line RTL-SDR tools rtl_power, rtl_fm and rtl_sdr. This means that these tools can now be used on almost any SDR, such as the bladeRF, HackRF, SDRplay, Airspy and LimeSDR. If you don’t know what the tools do, then here is a quick break down:

rtl_fm / rx_fm: Allows you to decode and listen to FM/AM/SSB radio.
rtl_sdr / rx_sdr: Allows you to record raw samples for future processing.
rtl_power / rx_power: Allows you to do wideband scans over arbitrarily wide swaths of bandwidth by hopping over and recording signal power levels over multiple chunks of spectrum.

rx_tools is based on SoapySDR, which is an SDR abstraction layer. If software is developed against SoapySDR, then the software can be used with any SDR for which a Soapy plugin exists. This removes the need for software to be rewritten many times for different SDRs, as the plugin only needs to be written once per device.

rx_power scan with the HackRF at 5 GHz over 9 hours.

Cheating at Pokémon Go with a HackRF and GPS Spoofing

"Pokémon Go" is the latest in smartphone augmented reality gaming crazes. You may have already heard about the game on the news, or seen kids playing it in your neighborhood. To play, players must walk around in the real world with their GPS enabled smartphone, collecting different virtual Pokémon which appear at random spots in the real world, replenishing the virtual items needed to collect Pokémon at "Pokéstops" and putting Pokémon to battle at "Gyms". Pokéstops and gyms are often city landmarks such as popular shops, fountains, statues, signs etc. For those who have no idea what "Pokémon" are: Pokémon are fictional animals from a popular children's cartoon and comic.

Since the game is GPS based, Stefan Kiese decided to see if he could cheat at the game by spoofing his GPS location using a HackRF software defined radio. The HackRF is a relatively low cost multipurpose TX and RX capable software defined radio. When playing the game, players often walk from Pokéstop to Pokéstop, collecting Pokémon along the way, and replenishing their items. By spoofing the GPS signal he is able to simulate walking around in the physical world, potentially automating the collection of Pokémon and replenishment of items at Pokéstops.

To do this he used the off the shelf "GPS-SDR-Sim" software by Takuji Ebinuma, which is a GPS spoofing tool for transmit capable SDRs like the HackRF, bladeRF and USRP radios. At first, when using the software, Stefan noticed that the HackRF was simply jamming his GPS signals and not simulating the satellites. He discovered the problem was with the HackRF's clock not being accurate enough. To solve this he used a function generator to feed a stable 10 MHz square wave into the HackRF's clock input port. He also found that he needed to disable "Assisted GPS (A-GPS)" on his phone, which uses local cell phone towers to help improve GPS location tracking.

Next he was able to use the GPS-SDR-Sim tools to plot a simulated walking route and see his virtual character walking around on the real world map. A warning if you intend on doing this: Remember that 1) spoofing or jamming GPS is highly illegal in most countries outside of a shielded test lab setting, so you must ensure that your spoofed GPS signal does not interfere with anything, and 2) the game likely has cheating detection and will probably ban you if you don't simulate a regular walking speed.

GPS spoofing is not new. One attempt in 2013 allowed university researchers to send an 80 million dollar 213-foot yacht off course, and it is suspected that hackers from the Iranian government used GPS spoofing to divert and land an American stealth drone back in 2011. In past posts we also showed how security researcher Lin Huang was able to spoof GPS and bypass drone no-fly restrictions.

[Also seen on Hackaday.com] / [Russian Readers: There is a translation of this article by softdroid now available]

The "Pokemon Go" GPS spoofing set up.