SDR & RF Hacking

Radio Frequency
Advanced
T1040

Introduction to Software Defined Radio (SDR), signal analysis, and replay attacks. Learn how to capture, analyze, and replay radio signals using hardware like HackRF and RTL-SDR, and software tools like URH and GQRX.

Warning

Legal Warning: Transmitting on certain frequencies without a license is illegal in many jurisdictions. Always ensure you are authorized to transmit on the frequency you are using, or use a Faraday cage/shielded environment to prevent signal leakage.

SDR Hardware Overview

Choosing the right SDR hardware depends on whether you need receive-only or full transmit capability.

| Device         | Freq Range        | TX/RX       | Bandwidth    | Price |
|----------------|-------------------|-------------|--------------|-------|
| RTL-SDR v3     | 500 kHz – 1.7 GHz | RX only     | 3.2 MHz      | ~$30  |
| HackRF One     | 1 MHz – 6 GHz     | TX + RX     | 20 MHz       | ~$300 |
| YARD Stick One | 300–928 MHz       | TX + RX     | N/A (packet) | ~$100 |
| Flipper Zero   | 300–928 MHz       | TX + RX     | N/A (packet) | ~$170 |
| BladeRF 2.0    | 47 MHz – 6 GHz    | Full duplex | 56 MHz       | ~$480 |

Start With RTL-SDR

The RTL-SDR v3 is the best entry point: it's cheap, widely supported, and covers most of the interesting sub-GHz frequencies. Graduate to HackRF when you need transmit capability.

GQRX Setup & Visualization

GQRX is a GUI SDR receiver that provides real-time FFT spectrum and waterfall display. It's the go-to tool for initial signal discovery and characterization.

gqrx-setup.sh
bash
# Install GQRX on Kali/Debian
sudo apt install gqrx-sdr

# Start GQRX
gqrx

# CLI alternative: rtl_power for spectrum scanning
# Scan 400–440 MHz in 100 kHz bins, integrate 10 s per row, stop after 1 h, CSV output
rtl_power -f 400M:440M:100k -g 50 -i 10 -e 1h scan.csv

# Convert to heatmap image (heatmap.py comes from keenerd's rtl-sdr-misc repo, not from rtl-sdr itself)
python3 heatmap.py scan.csv scan.png

# Quick signal check: rtl_fm for FM demodulation, audio piped to aplay
rtl_fm -f 433.92M -s 250k -r 48k - | aplay -r 48000 -f S16_LE

# Record raw I/Q samples (unsigned 8-bit, interleaved I then Q) for offline analysis
rtl_sdr -f 433920000 -s 2048000 -g 40 capture.bin

Signal Analysis Fundamentals

Signal analysis involves visualizing and interpreting radio signals to understand their properties. The most common visualization tool is the waterfall display, which shows frequency over time, with color intensity representing signal strength.

Key Concepts

  • Frequency: The specific radio frequency the signal is operating on (e.g., 433.92 MHz).
  • Bandwidth: The range of frequencies the signal occupies.
  • Modulation: How data is encoded onto the carrier wave. Common types include:
    • ASK (Amplitude Shift Keying): Data is represented by varying the amplitude.
    • OOK (On-Off Keying): A simple form of ASK where the carrier is present for '1' and absent for '0'.
    • FSK (Frequency Shift Keying): Data is represented by varying the frequency.

Common Frequency Reference

Quick reference for common frequencies encountered during wireless assessments.

| Frequency  | Use                                          | Modulation  | Notes                           |
|------------|----------------------------------------------|-------------|---------------------------------|
| 315 MHz    | Car key fobs (US), garage doors              | OOK/ASK     | Fixed or rolling code           |
| 433.92 MHz | Key fobs (EU), weather stations, doorbells   | OOK/ASK/FSK | ISM band, most common sub-GHz   |
| 868 MHz    | LoRa, alarm systems (EU), smart meters       | FSK/CSS     | EU ISM band                     |
| 915 MHz    | LoRa, RFID (US), Zigbee (US)                 | FSK/CSS     | US ISM band                     |
| 1.575 GHz  | GPS L1 (civilian)                            | BPSK        | GPS spoofing target             |

Replay Attacks

A replay attack involves capturing a valid signal (e.g., from a car key fob or garage door remote) and retransmitting it later to trigger the same action. This is effective against simple systems that use fixed codes.

Information

Defense: Rolling Codes
Modern systems use "Rolling Codes" (or Hopping Codes), where the code changes with every button press. If you capture a code and replay it, the receiver will reject it because it expects a new, unique code.

Recording a Signal

Use hackrf_transfer to capture a signal to a file.

capture.sh
bash
hackrf_transfer -r capture.bin -f 433920000 -s 2000000

Replaying a Signal

Transmit the captured signal back on the same frequency. The -x flag sets the TX VGA gain (0–47 dB).

replay.sh
bash
hackrf_transfer -t capture.bin -f 433920000 -s 2000000 -x 47

Universal Radio Hacker (URH)

URH is a complete suite for investigating wireless protocols. It handles signal recording, demodulation, protocol analysis, and fuzzing in a single GUI. Far more capable than raw I/Q inspection for structured protocols.

urh-workflow.sh
bash
# Install URH
sudo apt install universal-radio-hacker
# or: pip3 install urh

# Launch GUI
urh

# URH Workflow:
# 1. Record -> capture signal from SDR device
# 2. Interpretation -> auto-detect modulation (ASK/FSK/PSK)
# 3. Analysis -> identify protocol structure, preamble, sync word
# 4. Generator -> craft custom packets for fuzzing/replay
# 5. Simulator -> emulate protocol exchanges

# CLI recording (alternative to GUI). The executable is urh_cli: -rx receives,
# -r writes raw samples, -rt is the capture length in seconds (confirm flags with urh_cli --help)
urh_cli -d HackRF -f 433.92e6 -s 2e6 -rx -r -rt 5 -file capture.complex

URH Protocol Analysis

URH can automatically detect common protocols like Princeton PT2262 (garage doors), EV1527 (alarm remotes), and Honeywell 5800 (security sensors). Use the "Auto Interpret" feature to quickly identify encoding and bit patterns.
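The envelope-detection and pulse-width step that URH's Interpretation tab performs for PWM-coded OOK remotes such as EV1527/PT2262 (the OOK/ASK modulation described under Key Concepts) can be reproduced in a few lines. This is an added example, not code from the original page or from URH: it reads the unsigned 8-bit interleaved I/Q layout that `rtl_sdr` writes, and the sample rate, pulse timing and payload are constructed assumptions.

```python
import math

SAMPLE_RATE = 250_000   # Hz; assumed rate of the constructed capture (rtl_sdr -s 250000)
IQ_OFFSET = 127.5       # rtl_sdr writes unsigned 8-bit I/Q; use 0.0 for hackrf_transfer's signed 8-bit

def envelope(iq: bytes, offset: float = IQ_OFFSET) -> list:
    """Magnitude of each interleaved (I, Q) pair; for OOK/ASK the data lives in this envelope."""
    return [math.hypot(iq[k] - offset, iq[k + 1] - offset) for k in range(0, len(iq) - 1, 2)]

def runs(env: list) -> list:
    """Run-length encode the envelope as (carrier_on, n_samples) using a midpoint threshold."""
    if not env:
        return []
    thr = (min(env) + max(env)) / 2   # fine for a clean burst; use a percentile on noisy captures
    out = []
    for v in env:
        on = v > thr
        if out and out[-1][0] == on:
            out[-1][1] += 1
        else:
            out.append([on, 1])
    return [tuple(r) for r in out]

def pwm_bits(iq: bytes) -> str:
    """Decode EV1527/PT2262-style PWM OOK: each carrier-on pulse is one bit,
    short pulse = 0, long pulse = 1. Gap lengths are ignored, so the silence
    around the burst does not matter. (A burst of all-equal pulses decodes as 0s.)"""
    on_lengths = [n for on, n in runs(envelope(iq)) if on]
    if len(on_lengths) < 2:
        return ""
    cut = (min(on_lengths) + max(on_lengths)) / 2
    return "".join("1" if n > cut else "0" for n in on_lengths)

def make_pwm_iq(bits: str, t_us: int = 400, amp: int = 60, silence_t: int = 10) -> bytes:
    """Constructed sample, not a real capture: a baseband PWM burst in rtl_sdr's
    unsigned 8-bit I/Q layout. 0 = 1T on / 3T off, 1 = 3T on / 1T off, silence either side."""
    t = int(SAMPLE_RATE * t_us / 1_000_000)   # samples per time unit T
    out = bytearray()

    def emit(on: bool, units: int):
        i = round(IQ_OFFSET + (amp if on else 0))   # carrier at DC: all energy on I, Q idle
        out.extend(bytes([i, round(IQ_OFFSET)]) * (units * t))

    emit(False, silence_t)
    for b in bits:
        emit(True, 3 if b == "1" else 1)
        emit(False, 1 if b == "1" else 3)
    emit(False, silence_t)
    return bytes(out)
```

`pwm_bits(make_pwm_iq("101100111000110010101100"))` returns the same 24-bit string; on a real `capture.bin` from `rtl_sdr`, pass the file's bytes to `pwm_bits` after tuning `SAMPLE_RATE` to the rate you recorded with.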

Flipper Zero

The Flipper Zero is a portable multi-tool for pentesters and geeks in a toy-like body. It supports Sub-GHz, NFC, RFID, Infrared, and more. It significantly simplifies the process of capturing and replaying signals compared to using a laptop with an SDR dongle.

For Sub-GHz attacks, the Flipper Zero can:

  • Read and save signals from remotes.
  • Emulate saved signals (Replay Attack).
  • Analyze frequency usage.

Jamming & Detection

Understanding RF jamming is critical for both attack simulation and defensive assessment. During a physical security audit, testing whether alarm systems fail-open under jamming can reveal serious vulnerabilities.

| Jamming Type | Method                                              | Detection                                                      |
|--------------|-----------------------------------------------------|----------------------------------------------------------------|
| Broadband    | Continuous noise across wide spectrum               | Easy: elevated noise floor visible on spectrum analyzer        |
| Narrowband   | Targeted CW or modulated signal on specific frequency | Moderate: requires monitoring the specific channel           |
| Reactive     | Transmits only when target signal detected          | Hard: looks like interference, not continuous                  |
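The Detection column above maps directly onto the `rtl_power` CSV output shown earlier: a raised median across the whole band is the broadband signature, and one bin sitting far above the floor for sweep after sweep is the narrowband one. This added example (not from the original page) implements that monitor in pure Python; the sweep rows, the 10 dB and 20 dB thresholds and the three-sweep persistence rule are constructed assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict

BASELINE_RISE_DB = 10.0   # assumed: band-wide floor up this much => broadband jamming
SPIKE_DB = 20.0           # assumed: one bin this far above the sweep's floor => narrowband carrier

# Constructed rtl_power output (not a real capture), five 200 kHz bins across 433-434 MHz:
# two quiet sweeps, a carrier parked on 433.5 MHz for three sweeps, then a raised floor.
SAMPLE_CSV = """\
2024-01-01, 12:00:00, 433000000, 434000000, 200000, 20, -30.2, -31.0, -29.8, -30.5, -30.1
2024-01-01, 12:00:10, 433000000, 434000000, 200000, 20, -30.0, -30.7, -29.9, -30.4, -30.3
2024-01-01, 12:00:30, 433000000, 434000000, 200000, 20, -29.9, -30.8,  -5.1, -30.3, -30.0
2024-01-01, 12:00:40, 433000000, 434000000, 200000, 20, -30.3, -30.9,  -4.8, -30.5, -30.1
2024-01-01, 12:00:50, 433000000, 434000000, 200000, 20, -30.0, -31.1,  -5.0, -30.4, -30.2
2024-01-01, 12:01:00, 433000000, 434000000, 200000, 20, -12.2, -11.9, -12.5, -12.0, -12.4
"""

def parse_rtl_power(text: str) -> dict:
    """rtl_power rows (date, time, hz_low, hz_high, hz_step, samples, dB...) -> {timestamp: [(bin_hz, dB)]}."""
    sweeps = defaultdict(list)   # a real sweep spans several rows (tuner hops) with one timestamp
    for line in text.strip().splitlines():
        f = [x.strip() for x in line.split(",")]
        lo, step = float(f[2]), float(f[4])
        sweeps[f[0] + " " + f[1]] += [(lo + step * (i + 0.5), float(db)) for i, db in enumerate(f[6:])]
    return dict(sweeps)

def noise_floor(bins: list) -> float:
    """Median power across the band: a few strong legitimate signals do not move it."""
    return statistics.median(db for _, db in bins)

def detect(text: str, persist: int = 3) -> list:
    """Classify each sweep after the first (the quiet baseline) as ('broadband', floor rise dB),
    ('narrowband', bin Hz) or ('clean', 0). A narrowband alert needs the same bin hot for
    `persist` consecutive sweeps: a key-fob burst spans one sweep, a jammer stays on."""
    sweeps = parse_rtl_power(text)
    ts = sorted(sweeps)
    baseline = noise_floor(sweeps[ts[0]])
    streak, results = defaultdict(int), []
    for t in ts[1:]:
        bins = sweeps[t]
        floor = noise_floor(bins)
        if floor - baseline >= BASELINE_RISE_DB:
            results.append((t, "broadband", round(floor - baseline, 1)))
            continue
        hot = {f for f, db in bins if db - floor >= SPIKE_DB}
        for f, _ in bins:
            streak[f] = streak[f] + 1 if f in hot else 0
        jammed = sorted(f for f in hot if streak[f] >= persist)
        results.append((t, "narrowband", jammed[0]) if jammed else (t, "clean", 0))
    return results
```

Feed `detect` the contents of the `scan.csv` produced by the `rtl_power` command in the GQRX section to run it over a real sweep log.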

Legal Notice

Intentional jamming of licensed spectrum (including cellular, GPS, and emergency frequencies) is a federal crime in the US (47 USC § 333) and most other jurisdictions. Only test jamming resilience in shielded environments with explicit written authorization.

Practice Labs

Hands-on SDR and RF practice with common tooling.

RTL-SDR Signal Analysis Lab (Custom Lab, easy)
  Topics: GQRX waterfall display, FM broadcast capture, frequency identification

URH Replay Attack Lab (Custom Lab, medium)
  Topics: Universal Radio Hacker, OOK/ASK decoding, sub-GHz replay