HackRF One Sweep Mode - A quick Introduction

by Rocco Gagliardi

Keypoints

  • HackRF is a software defined radio
  • The supported range is 1 MHz to 6 GHz
  • A scan of the entire supported range takes just 1 second

I have owned a HackRF One for a while now, and I have had a lot of fun with it. HackRF is a Software Defined Radio, a hardware platform capable of receiving and transmitting signals in a frequency range between 1 MHz and 6 GHz.

With the latest firmware release (2017.02.1), HackRF gained the ability to scan a wide range of frequencies by rapidly retuning the radio clock (before that upgrade, the retuning had to be done externally). This function, called Sweep Mode, scans the entire supported range (1-6000 MHz) in less than 1 s; more precisely, HackRF can scan at a rate of 8 GHz/s, all for ~$300, thanks to Michael Ossmann.

Preparation

First, make sure you have the newest firmware; the kernel log reports the version when the device is plugged in:

[175468.801248] usb 2-1.5: new high-speed USB device number 5 using ehci-pci
[175468.910224] usb 2-1.5: New USB device found, idVendor=1d50, idProduct=6089
[175468.910228] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=4
[175468.910230] usb 2-1.5: Product: HackRF One
[175468.910232] usb 2-1.5: Manufacturer: Great Scott Gadgets
[175468.910234] usb 2-1.5: SerialNumber: 0000000000000000457863c8256b511f
[175468.912066] hackrf 2-1.5:1.0: Board ID: 02
[175468.912069] hackrf 2-1.5:1.0: Firmware version: 2017.02.1
[175468.912239] hackrf 2-1.5:1.0: Registered as swradio0
[175468.912357] hackrf 2-1.5:1.0: Registered as swradio1
[175468.912360] hackrf 2-1.5:1.0: SDR API is still slightly experimental and functionality changes may follow

Then, install some SDR or signal analysis/manipulation tools, like gnuradio, gqrx, Audacity, rtl_*, and so on.

What can we do

Nearby FM Radio Broadcasters

The yellow lines “vibrating” (frequency modulation) between 92 and 108 MHz:

Radio Broadcasting with a Spectrum Analyzer

Well-known Bands

Here we can see the FDD downlink bands used by Salt (the small line around 925 MHz) and the two 15 MHz wide bands of Sunrise and Swisscom (930-960 MHz):

900 MHz band

Fingerprint on RF Spectrum

Take a look at the whole supported spectrum:

Full Spectrum

Hunting Signals

To find out which frequency is used by a generic device, scan the spectrum until a difference is noted:

Full Spectrum

As a second step, we can restrict the range:

Restricted range

As a last step, we can restrict the analysis and center the device on the identified frequency:

Tuning the Signal

Finally, once the signal is recorded, we can pass it to other tools like Audacity, gnuradio, or (in this case) rtl_433:

rcc@ubunthin:~$ rtl_433 -f 434418000 -a -r gqrx_20170612_165837_434418000.wav
...
Test mode active. Reading samples from file: gqrx_20170612_165837_434418000.wav
Input format: uint8
*** signal_start = -9991, signal_end = 511495
signal_len = 521486,  pulses = 3
Iteration 1. t: 215269    min: 70940 (2)    max: 359599 (1)    delta 656265929
Iteration 2. t: 215269    min: 70940 (2)    max: 359599 (1)    delta 0
Pulse coding: Short pulse length 70940 - Long pulse length 359599

Short distance: 2, long distance: 0, packet distance: 2

p_limit: 215269
bitbuffer:: Number of rows: 3
[00] {1} 00 : 0
[01] {1} 00 : 0
[02] {1} 80 : 1
Test mode file issued 8 packets
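
The first hunting step above (sweep until a difference is noted) can be automated by comparing a sweep taken with the device idle against one taken while it transmits. The following is an added example, not part of the original article; it assumes CSV rows in the layout written by the hackrf_sweep tool (date, time, hz_low, hz_high, hz_bin_width, num_samples, then one dB value per bin), and the sample rows and function names are constructed for illustration.

```python
import csv
from collections import defaultdict

# Constructed sample rows (not real captures), in hackrf_sweep CSV layout:
# date, time, hz_low, hz_high, hz_bin_width, num_samples, dB per bin...
BASELINE = [
    "2017-06-12, 16:58:01, 430000000, 435000000, 1000000.00, 20, -71.2, -70.8, -72.1, -70.5, -71.0",
    "2017-06-12, 16:58:02, 430000000, 435000000, 1000000.00, 20, -70.8, -71.2, -71.9, -71.5, -71.0",
]
ACTIVE = [
    "2017-06-12, 16:58:37, 430000000, 435000000, 1000000.00, 20, -70.9, -71.1, -71.5, -69.8, -42.0",
    "2017-06-12, 16:58:38, 430000000, 435000000, 1000000.00, 20, -71.3, -70.7, -72.3, -70.2, -44.0",
]

def bin_power(rows):
    """Return {bin centre in Hz: mean dB} over all sweeps in rows.
    Averaging dB values directly is adequate for a before/after comparison."""
    acc = defaultdict(list)
    for row in csv.reader(rows, skipinitialspace=True):
        if len(row) < 7:
            continue  # skip blank or truncated rows
        hz_low, width = int(row[2]), float(row[4])
        for i, db in enumerate(row[6:]):
            centre = int(hz_low + (i + 0.5) * width)
            acc[centre].append(float(db))
    return {f: sum(v) / len(v) for f, v in acc.items()}

def new_signals(baseline, active, min_rise_db=10.0):
    """Bins whose mean power rose by at least min_rise_db, strongest first."""
    base, act = bin_power(baseline), bin_power(active)
    rises = [(f, act[f] - base[f]) for f in act if f in base]
    hits = [(f, round(d, 1)) for f, d in rises if d >= min_rise_db]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for freq, rise in new_signals(BASELINE, ACTIVE):
        print(f"{freq / 1e6:.1f} MHz  +{rise} dB")
```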

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.
