Demos using hackrf sdr

1. Getting started with
SDR and GNURadio
Prashanth Varma
23-06-2018

2. About me
• Security analyst at Defmax
• Full Stack(MERN) & iOS developer
• Part time bug bounty participant
• Beginner in IOT security
• Twitter - @cymtrick

3. What is Frequency?
What is Radio Frequencies?
What is SDR?

4. Frequency
Frequency : Frequency is the number of occurrences of a repeating event
per unit of time.
The relation between the frequency and the period of a repeating event or
oscillation is given by f=1/T
Frequency is measured in Hz
High Frequencies
Low Frequencies

5. Radio Frequencies
Radio frequency (RF) refers to the rate of oscillation of electromagnetic
radio waves in the range of 3 kHz to 300 GHz, as well as the alternating
currents carrying the radio signals.

6. Radio Frequencies - Bands

7. Radio Frequencies - Bands
Common RF Protocols
• Bluetooth/BLE (2.4GHz)
• Zigbee(2.4GHz)
• Z-wave (900MHz)
• Wifi(2.4GHz)
• Cellular (900/1800/1900/2100MHz)

8. Radio Frequencies - Bands
Common ISM bands used in IoT systems
• 315 MHz
• 433 MHz
• 902-928 MHz
• 863 –870 MHz
• 2.4 GHz
• 5.8 GHz

9. Communication System

10. General RF Communication Basics
• Channel BandWidth
• Modulation
• Bit rate
• Preamble
• Sync word
• CRC?

11. Communication Basics
• Channel BandWidth - Channel is a medium through which information
is transmitted between transmitter and receiver. Channel bandwidth is
the frequency range that constitutes the channel.
• Modulation - Modulation is the process of superimposing the
information of a modulating signal on a carrier signal (which is of high
frequency) by varying the characteristic of carrier signal according to
the modulating signal.

12. Communication Basics
• Bit rate : bit rate (bitrate or as a variable R) is the number of bits
that are conveyed or processed per unit of time. Ex 1M-bps
• Preamble : A preamble is a signal used in network
communications to synchronize transmission timing between two
or more systems.
• Sync word: a syncword, sync character, sync sequence or
preamble is used to synchronize a data transmission by
indicating the end of header.
• CRC : A cyclic redundancy check (CRC) is an error-detecting
code commonly used in digital networks and storage devices to
detect accidental changes to raw data.

13. Communication Basics
General RF Packet Structure

14. Warning
• The spectrum is a limited public resource. Playing with illegal radio
might get you arrested.
• It can interfere with critical systems, Marine, Army, etc.
• It is advised to use a Faraday cage (“RF cage”)

15. SDR
• a radio communication system where components that have been
typically implemented in hardware ( mixers, filters, amplifiers,
modulators, etc.) are instead implemented by means of software
• Drag and drop components and create a flow graph!

16. SDR

17. HackRF
• A Software Defined Radio peripheral capable of transmission or
reception of radio signals from 1 MHz to 6 GHz.
• One of the best peripherals that are out there
• Can receive or transmit (half duplex)
• Cost: RS 30000/-

18. RTL-SDR
• RTL-SDR is a very cheap software defined radio that uses a DVB-T
TV tuner dongle based on the RTL2832U chipset.
• Drawback –receive only. But still great for analysis!

20. Demo GSM Sniffer
Tools required : SDR(Hackrf), GNURadio, WireShark, GQRX
Modules : gr-gsm
sudo apt-get install gnuradio gnuradio-dev gr-
osmosdr gr-osmosdr gqrx-sdr wireshark
ubuntu
sudo port install gnuradio gnuradio-dev gr-
osmosdr gr-osmosdr gqrx wireshark
Mac Ports

21. Listening to Radio Signals
Using GQRX

22. GSM Sniffer
Tools required : SDR(Hackrf), GNURadio, WireShark, GQRX
Modules : gr-gsm
Using Kalibrate to find Channels
git clone https://github.com/scateu/kalibrate-hackrf.git

23. GSM Sniffer
Tools required : SDR(Hackrf), GNURadio, WireShark, GQRX
Modules : gr-gsm
GRC Block : https://github.com/wi-fi-analyzer/gr-gsm/blob/master/apps/
airprobe_rtlsdr.grc

24. GSM Sniffer
Setting Frequency according to channel results from kalibrate

25. GSM Sniffer
Using WireShark to decode the Captured Packets
sudo wireshark -k -Y 'gsmtap && !icmp' -i lo

26. Bluetooth Sniffer (NRF24)
$ git clone https://github.com/omriiluz/NRF24-BTLE-Decoder
https://wiki.bitcraze.io/misc:hacks:hackrf

27. Bluetooth Sniffer (NRF24)
$ cat /tmp/fifo | ./nrf24-btle-decoder -d 1

28. Planning (Demo Car Jacking Using Replay Attack)
• Information gathering
• Frequency
• Modulation
• Preamble and Syncword
• Transmission!

29. https://www.fcc.gov/general/fcc-id-search-page
http://fcc.io/
Information Gathering
Every Device has it’s own FCC id or you can it by opening your hardware

30. Finding Frequency
Using GQRX to find my car remote radio frequency.
Swift Dzire remote uses 433.900 MHz

31. Modulation
Most of the car remotes use OOK(On off shift keying) part of ASK
ASK(Amplitude shift keying)
FSK(Frequency shift keying)
PSK(Phase shift keying)

32. Capturing the raw data
$ hackrf_transfer -r data.iq -f 433900000 -g 50 -l 24

33. Analysing the raw data in audacity
Preamble and SyncWord
1 0 1 10 10 01 1 1 0 0 00 1 1 0 0 0 1 0 01 1
Payload

34. Transmission
$ hackrf_transfer -t data.iq -f 433900000

35. Transmission

36. Transmission

37. Dealing with Rolling Codes
• Jamming the key while transmission
• Capture the signal with another receiver
$ git clone https://github.com/furrtek/portapack-havoc.git

38. Dealing with Rolling Codes
• Capture the first signal and replay it
• Keep the second signal for future replay attack
Yard Stick One (<1GHz)
Half duplex mode
TC1111-chipset
rfcat pre built
d = RfCat(idx=0)
d.setMdmModulation(MOD_ASK_OOK) #on of key
d.setFreq(433920000) # frequency
d.setMdmDRate(4800)# how long each bit is transmited for
d.setMdmChanBW(60000)# how wide channel is
d.setMdmChanSpc(24000)
d.setChannel(0)
d.setMaxPower() # max power
d.lowball(1) # need inorder to read data

39. Thank you