SDR & RF Hacking

Radio Frequency

Introduction to Software Defined Radio (SDR), signal analysis, and replay attacks. Learn how to capture, analyze, and replay radio signals using hardware like HackRF and RTL-SDR, and software tools like URH and GQRX.

Warning

Legal Warning: Transmitting on certain frequencies without a license is illegal in many jurisdictions. Always ensure you are authorized to transmit on the frequency you are using, or use a Faraday cage/shielded environment to prevent signal leakage.

Signal Analysis

Signal analysis involves visualizing and interpreting radio signals to understand their properties. The most common visualization tool is the waterfall display, which shows frequency over time, with color intensity representing signal strength.

Key Concepts

  • Frequency: The specific radio frequency the signal is operating on (e.g., 433.92 MHz).
  • Bandwidth: The range of frequencies the signal occupies.
  • Modulation: How data is encoded onto the carrier wave. Common types include:
    • ASK (Amplitude Shift Keying): Data is represented by varying the amplitude.
    • OOK (On-Off Keying): A simple form of ASK where the carrier is present for '1' and absent for '0'.
    • FSK (Frequency Shift Keying): Data is represented by varying the frequency.

Replay Attacks

A replay attack involves capturing a valid signal (e.g., from a car key fob or garage door remote) and retransmitting it later to trigger the same action. This is effective against simple systems that use fixed codes.

Information

Defense: Rolling Codes
Modern systems use "Rolling Codes" (or Hopping Codes), where the code changes with every button press. If you capture a code and replay it, the receiver will reject it because it expects a new, unique code.
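The rejection described above, as an added example that is not part of the original page: a small Python model of a rolling-code receiver next to a fixed-code one. The scheme (a shared key, a counter that advances on every press, an HMAC tag over the counter, and a resynchronisation window) is a simplified illustration of the idea, not the encoding used by any particular product; the key, window size and frame format are assumptions made for the demo.

```python
"""
Added example (not part of the original page): a minimal rolling-code
receiver model showing why a replayed capture is rejected.

Assumptions (hypothetical, for illustration): remote and receiver share a
secret key and a monotonically increasing counter; each press transmits
(counter, tag) with tag = HMAC-SHA256(key, counter)[:8]. The receiver accepts
a press only if the tag verifies AND the counter is ahead of the last
accepted value, within a small resynchronisation window. Real products use
different primitives and encodings; this is only a model of the logic.
"""
import hashlib
import hmac

WINDOW = 16  # how many missed presses the receiver tolerates (assumed value)


def make_tag(key: bytes, counter: int) -> bytes:
    """Authentication tag over the counter (model of the 'hopping' code)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Remote:
    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self) -> tuple[int, bytes]:
        """Each press advances the counter, so no two frames are identical."""
        self.counter += 1
        return self.counter, make_tag(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, frame: tuple[int, bytes]) -> bool:
        counter, tag = frame
        # 1) Authenticate: the tag must match this counter value under our key.
        if not hmac.compare_digest(tag, make_tag(self.key, counter)):
            return False
        # 2) Freshness: the counter must move forward, but not beyond the window.
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False
        self.last_counter = counter
        return True


def fixed_code_accept(stored: bytes, received: bytes) -> bool:
    """Fixed-code receiver: any exact copy of the code is accepted, forever."""
    return hmac.compare_digest(stored, received)


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample key, not a real one
    remote, receiver = Remote(key), Receiver(key)

    frame = remote.press()                 # legitimate press, seen by an observer
    first = receiver.accept(frame)         # True: fresh counter, valid tag
    replay = receiver.accept(frame)        # False: counter is not ahead any more
    nxt = receiver.accept(remote.press())  # True: the next genuine press still works
    forged = receiver.accept((receiver.last_counter + 1, b"\x00" * 8))  # False: bad tag

    fixed = b"\xa5\x5a\xa5\x5a"            # constructed fixed code
    fixed_replay = fixed_code_accept(fixed, fixed)  # True: a copy is indistinguishable

    return {"first": first, "replay": replay, "next": nxt,
            "forged": forged, "fixed_replay": fixed_replay}


if __name__ == "__main__":
    print(demo())
```

The window is what keeps a remote usable after presses out of the receiver's range: the counter may jump ahead by up to WINDOW, but never backwards, so a captured frame is dead as soon as the receiver has seen it once.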

Recording a Signal

Use hackrf_transfer to capture a signal to a file.

capture.sh (bash):

    # -r: record to file, -f: centre frequency in Hz (433.92 MHz), -s: sample rate in Hz (2 MS/s)
    hackrf_transfer -r capture.bin -f 433920000 -s 2000000
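What a capture like this contains, and how the OOK/ASK concepts from Key Concepts apply to it, as an added example that is not part of the original page: hackrf_transfer -r writes raw interleaved signed 8-bit I and Q samples, and for on-off keying the data lives in the envelope |IQ|, so slicing the envelope and measuring pulse widths recovers the bits. The capture below is constructed in memory rather than read from a real capture.bin, and the pulse timings and bit encoding (long high pulse = 1, short high pulse = 0) are assumptions for the demo.

```python
"""
Added example (not part of the original page): load a capture in the raw
format that hackrf_transfer -r writes (interleaved signed 8-bit I and Q
samples) and decode an OOK/ASK burst into bits from its envelope.

The capture used here is constructed in memory, not a real recording. The
pulse timings and the bit encoding (long high pulse = 1, short high pulse =
0) are assumptions for the demo; a real remote's timings must be measured
first (e.g. in URH) and plugged in.
"""
import numpy as np

SAMPLE_RATE = 2_000_000      # matches -s 2000000 in the page's capture command
SHORT_N = 800                # 400 us short pulse at 2 MS/s (assumed timing)
LONG_N = 3 * SHORT_N         # 1.2 ms long pulse (assumed timing)
PERIOD_N = SHORT_N + LONG_N  # one symbol = high pulse + low gap, constant length


def load_hackrf_iq(raw: bytes) -> np.ndarray:
    """hackrf_transfer -r output is int8 I, int8 Q, int8 I, ... -> complex64."""
    samples = np.frombuffer(raw, dtype=np.int8).astype(np.float32) / 128.0
    return (samples[0::2] + 1j * samples[1::2]).astype(np.complex64)


def run_lengths(binary) -> list:
    """Collapse a 0/1 sample stream into (level, length_in_samples) runs."""
    edges = np.flatnonzero(np.diff(binary)) + 1
    starts = np.concatenate(([0], edges))
    ends = np.concatenate((edges, [len(binary)]))
    return [(int(binary[s]), int(e - s)) for s, e in zip(starts, ends)]


def decode_ook(iq: np.ndarray) -> str:
    """OOK carries data in amplitude, so |IQ| is the demodulated baseband."""
    env = np.abs(iq)
    threshold = (env.max() + env.min()) / 2           # midpoint slicer
    binary = (env > threshold).astype(np.int8)
    bits = []
    for level, length in run_lengths(binary):
        if level != 1:
            continue                                   # only high pulses carry data
        # classify each high pulse by the nominal width it is closest to
        bits.append("1" if abs(length - LONG_N) < abs(length - SHORT_N) else "0")
    return "".join(bits)


def make_capture(bits: str) -> bytes:
    """Construct a synthetic capture in hackrf_transfer's int8 IQ format."""
    silence = np.zeros(PERIOD_N // 2)                  # leading/trailing gap
    pieces = [silence]
    for b in bits:
        high_n = LONG_N if b == "1" else SHORT_N
        pieces += [np.ones(high_n), np.zeros(PERIOD_N - high_n)]
    pieces.append(silence)
    amp = np.concatenate(pieces)
    # Baseband carrier with a small frequency offset (so both I and Q vary),
    # plus a little deterministic noise so the slicer is doing real work.
    t = np.arange(len(amp)) / SAMPLE_RATE
    tone = np.exp(2j * np.pi * 10_000 * t)
    rng = np.random.default_rng(1)
    noise = 0.02 * (rng.standard_normal(len(amp)) + 1j * rng.standard_normal(len(amp)))
    iq = 0.8 * amp * tone + noise
    out = np.empty(2 * len(iq), dtype=np.int8)
    out[0::2] = np.clip(np.round(iq.real * 127), -128, 127).astype(np.int8)
    out[1::2] = np.clip(np.round(iq.imag * 127), -128, 127).astype(np.int8)
    return out.tobytes()


if __name__ == "__main__":
    code = "101100111000"                              # constructed remote code
    raw = make_capture(code)                           # what capture.bin would hold
    print("samples:", len(raw) // 2, "decoded:", decode_ook(load_hackrf_iq(raw)))
```

On a real recording, replace make_capture with load_hackrf_iq(open("capture.bin", "rb").read()) and set SHORT_N and LONG_N from the pulse widths you measured. The midpoint slicer assumes the window contains a burst; an all-silence capture has no usable maximum, so a fixed threshold derived from the noise floor is the safer choice there.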

Replaying a Signal

Transmit the captured signal back on the same frequency.

replay.sh (bash):

    # -t: transmit from file, with the same -f and -s as the capture; -x: TX VGA gain in dB (0-47)
    hackrf_transfer -t capture.bin -f 433920000 -s 2000000 -x 47

Flipper Zero

The Flipper Zero is a portable multi-tool for pentesters and geeks in a toy-like body. It supports Sub-GHz, NFC, RFID, Infrared, and more. It significantly simplifies the process of capturing and replaying signals compared to using a laptop with an SDR dongle.

For Sub-GHz attacks, the Flipper Zero can:

  • Read and save signals from remotes.
  • Emulate saved signals (Replay Attack).
  • Analyze frequency usage.