HackRF One Sweep Mode - A quick Introduction

HackRF One Sweep Mode

A quick Introduction

Rocco Gagliardi
by Rocco Gagliardi
on June 22, 2017
time to read: 5 minutes

Keypoints

  • HackRF is a software defined radio
  • The supported range is 1 MHz to 6 GHz
  • A scan of the entire supported range takes just 1 second

It’s a bit of time I own an HackRF One. And I had a lot of fun with it. HackRF is a Software Defined Radio, a hardware platform capable of receive/transmit signals in a frequency range between 1 MHz and 6 GHz.

With the last firmware review (2017.02.1), HackRF received the capacity to scan a wide range of frequencies, rapidly retuning the radio clock (before that upgrade, the retuning had to be made externally). This function, called Sweep Mode, scans the entire supported range (1-6000 MHz) in less than 1s; more precisely, HackRF is capable to scan at a rate of 8 GHz/s, all for ~300$, thanks to Michael Ossmann.

Preparation

First make sure to have the newest firmware:

[175468.801248] usb 2-1.5: new high-speed USB device number 5 using ehci-pci
[175468.910224] usb 2-1.5: New USB device found, idVendor=1d50, idProduct=6089
[175468.910228] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=4
[175468.910230] usb 2-1.5: Product: HackRF One
[175468.910232] usb 2-1.5: Manufacturer: Great Scott Gadgets
[175468.910234] usb 2-1.5: SerialNumber: 0000000000000000457863c8256b511f
[175468.912066] hackrf 2-1.5:1.0: Board ID: 02
[175468.912069] hackrf 2-1.5:1.0: Firmware version: 2017.02.1
[175468.912239] hackrf 2-1.5:1.0: Registered as swradio0
[175468.912357] hackrf 2-1.5:1.0: Registered as swradio1
[175468.912360] hackrf 2-1.5:1.0: SDR API is still slightly experimental and functionality changes may follow

Then, install some SDR or signal analysis/manipulation tools, like gnuradio, gqrx, Audacity, rtl_*, and so on.

What can we do

FM Radio Broadcaster around

The yellow lines “vibrating” – frequency modulation – between the 92-108 MHz:

Radio Broadcasting with a Spectrum Analyzer

Well-known Bands

Here we can see the FDD downlink bands used by Salt – small line around 925 MHz – and the two 15 MHz wide of Sunrise and Swisscom – 930-960 MHz:

900 MHz band

Fingerprint on RF Spectrum

Take a look at the whole supported spectrum:

Full Spectrum

Hunting Signals

To find out which frequency is used by a generic device, scan the spectrum until a difference is noted:

Full Spectrum

As second step we can restrict the range:

Restricted range

As last step we can restrict analysis center the device on the identified frequency:

Tuning the Signal

At the end, once recorded, we can pass the signal to other tools like Audacity, gnuradio, or – in this case – rtl_433:

rcc@ubunthin:~$ rtl_433 -f 434418000 -a -r gqrx_20170612_165837_434418000.wav
...
Test mode active. Reading samples from file: gqrx_20170612_165837_434418000.wav
Input format: uint8
*** signal_start = -9991, signal_end = 511495
signal_len = 521486,  pulses = 3
Iteration 1. t: 215269    min: 70940 (2)    max: 359599 (1)    delta 656265929
Iteration 2. t: 215269    min: 70940 (2)    max: 359599 (1)    delta 0
Pulse coding: Short pulse length 70940 - Long pulse length 359599

Short distance: 2, long distance: 0, packet distance: 2

p_limit: 215269
bitbuffer:: Number of rows: 3
[00] {1} 00 : 0
[01] {1} 00 : 0
[02] {1} 80 : 1
Test mode file issued 8 packets

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in network routing, firewalling and log management.

Links

You need support in such a project?

Our experts will get in contact with you!

×
Office 365 Teams Security

Office 365 Teams Security

Rocco Gagliardi

Phishing Protection

Phishing Protection

Rocco Gagliardi

Logging

Logging

Rocco Gagliardi

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here