Tagged: hackrf

Analyzing a Car Security Active RFID Token with a HackRF

Some car security systems from around 2001 – 2003 use an embedded RFID tag inside the car key as an added security measure against key copying. Using his HackRF, ChiefTinker was able to analyse and decode the data from an active RFID token used in a car key. He notes that the same analysis could also be performed with an RTL-SDR dongle.

Upon powering the RFID tag with a power supply, ChiefTinker noticed that the tag emitted a short transmission every 5 seconds in the ISM band at 433.920 MHz. On closer inspection he determined that the transmitted data was encoded with a simple AM on-off keying (OOK) scheme. After importing the audio into Audacity and cleaning up the signal a little, he was able to clearly see the OOK square wave showing the transmitted binary data.

Next he analysed the data and compared the binary output of two different RFID keys. From the comparison he was able to determine that the tag simply beacons a unique serial number, which makes it susceptible to capture and replay attacks. After further processing he converted the transmitted binary serial number into hexadecimal and then into ASCII, revealing the unique serial number being broadcast as a decimal string.

RFID Car Key Tokens

Michael Ossmann's Software Defined Radio Course

Michael Ossmann, creator of the HackRF, is starting an online video course on the topic of software defined radio (SDR). His course will cover GNU Radio and will help you learn the fundamentals of digital signal processing. The first video has been released; in it Michael shows how to set up a broadcast FM receiver in GNU Radio.

To do the exercises in the course you will need a HackRF or a similar SDR. Most receive-only exercises should be compatible with the RTL-SDR with some small modifications, such as using a different sample rate.

HackRF Initial Review

The HackRF One is a new software defined radio that has recently been shipped out to Kickstarter backers. It is a transmit- and receive-capable SDR with an 8-bit ADC, a 10 MHz to 6 GHz operating range and up to 20 MHz of bandwidth. It can now be preordered for $299 USD. We just received ours from backing the Kickstarter, and here's a brief review of the product. We didn't do any quantitative testing; this is just a first-impressions review. So far we've only tested receive on Windows with SDR#.

Unboxing

Inside the box is the HackRF unit in a quality protective plastic casing, a telescopic antenna and a USB cable. We show an RTL-SDR next to the HackRF for size comparison.

HackRF + Telescopic Antenna + USB Cable + Box (RTL-SDR Dongle Shown for Size Comparison)
Back of the box


Hak5: Exploring With The PortaPack and HDSDR

In this Hak5 episode Darren discusses the HackRF PortaPack, a portable LCD screen device that connects to a HackRF SDR and allows portable frequency spectrum visualization. The PortaPack is currently under development; in the future it will allow demodulation of multiple audio modes and possibly digital demodulation and recording capabilities as well.

Later in the episode Shannon presents a tutorial on HDSDR, an SDR GUI alternative to SDR#. She shows how to install and use the HDSDR program.

Simulating Estimote’s iBeacon using a HackRF

Over on YouTube user Jiao Xianjun has uploaded a video showing a HackRF simulating an Estimote iBeacon that is received by an iPhone. An Estimote iBeacon is a wireless beacon that uses Bluetooth Low Energy (BLE) and can be used to notify nearby mobile devices of the beacon's presence. This can be used for many things, such as indoor positioning, or by retail shops to alert customers to special coupons, for example.

Jiao used this tutorial to help clone an iBeacon on his HackRF.

hackrf tx to simulate Estimote' iBeacon, and detected by iPhone successfully

Hak5: The NSA Playset and SDRSharp Plugins

Hak5, a popular YouTube hacking and electronics enthusiast channel, has uploaded a new video interviewing Michael Ossmann, the creator of the HackRF, about the NSA's 'Playset'. The NSA Playset describes the set of spying tools the NSA has access to, as revealed in the documents leaked by Edward Snowden. Previously we posted about how the HackRF was used to help reverse engineer some NSA spy tools called retro reflectors.

In the second part of the episode presenter Shannon also shows off the SDRSharp frequency manager and scanner plugin, which can be used with the RTL-SDR.

The NSA Playset and SDRSharp Plugins, Hak5 1622

Reverse Engineering NSA Spy ‘Retro Reflector’ Gadgets with the HackRF

In 2013 whistleblower Edward Snowden leaked (along with other documents) some information about the American National Security Agency's (NSA) spy tools. One such group of tools, named 'retro reflectors', has recently been investigated and reverse engineered by Michael Ossmann, the security researcher behind the HackRF software defined radio, which is now available for preorder. The HackRF is an SDR similar to the RTL-SDR, but with better performance and transmit capabilities.

New Scientist magazine has written an article about Ossmann's work here. Their article describes retro reflectors in the following quote.

One reflector, which the NSA called Ragemaster, can be fixed to a computer’s monitor cable to pick up on-screen images. Another, Surlyspawn, sits on the keyboard cable and harvests keystrokes. After a lot of trial and error, Ossmann found these bugs can be remarkably simple devices – little more than a tiny transistor and a 2-centimetre-long wire acting as an antenna.

The HackRF comes into play in the following quote.

Ossmann found that using the radio [HackRF] to emit a high-power radar signal causes a reflector to wirelessly transmit the data from keystrokes, say, to an attacker. The set-up is akin to a large-scale RFID-chip system. Since the signals returned from the reflectors are noisy and often scattered across different bands, SDR's versatility is handy, says Robin Heydon at Cambridge Silicon Radio in the UK.

Ossmann will present his work at this year's DEF CON conference in August.

Images: Surlyspawn retro reflector, retro reflector, Ragemaster retro reflector

Transmitting ADS-B with a HackRF and Receiving it with an RTL-SDR

Over on YouTube user Jiao Xianjun has uploaded a video showing how he was able to transmit an ADS-B signal from his HackRF One and receive it using an RTL-SDR with dump1090. He transmits a low-power signal that shows a fake plane flying over the Senkaku islands.

Important Note: While this warning also appears in the video, we feel we should re-emphasize that you should never transmit anything at 1090 MHz unless you are authorized to do so and are in a controlled RF environment.

ADS-B out by HACKRF and received by rtl-sdr + dump1090