Ham Hacks: Breaking Into Software-defined Radio

So you want to expand your hacking repertoire and to play around with different radio protocols aside from the more ubiquitous Wi-Fi and Bluetooth? Software-defined radio (SDR) can open an entirely new world to you; different radio frequency (RF) bands serve different purposes ranging from submarine communications to satellites in deep space.

Even as recently as a decade ago, becoming an SDR enthusiast was difficult due to the exorbitant costs associated with SDR devices (which could easily stretch into tens of thousands of dollars). However, in the last several years some smart people figured out that a Realtek chipset used in TV tuner dongles could be repurposed as a cheap, multifrequency receiver. With the widespread introduction of RTL-SDR devices, the barrier to entry for SDR has lowered substantially – quality low-cost equipment is now more affordable and accessible. In this article, we’ll review the hardware and software components you need for a functional SDR setup without spending a fortune. Then, we’ll go into demoing the software so you’re set up for success. And finally, we’ll show you how you can begin reverse engineering radio signals once you have the right foundation in place. But first, let’s dive into radio basics.

NOTE: We will not be covering HAM radio specifically. You do not need a license to receive; only to transmit – and RTL-SDRs are receive only. However, getting your HAM radio technician license will help you to learn and use the important concepts needed for radio hacking. We encourage you to do some research; HAM Study by Signal Stuff is a solid resource for practicing HAM radio test questions and eventually earning your license.

An Overview of Radio: RF Is Magic!

In the 1880s, the scientist (and legendary sourpuss) Heinrich Rudolph Hertz proved the existence of radio waves (hence why the unit of frequency, the Hertz, was named for him). Comically, Hertz did not foresee the possible applications of radio and asserted that it would never serve any useful purpose. Hertz would be in for a shock if he saw how much wireless technology quietly powers our world today – from cell phones to satellites constantly orbiting the earth.

There are some basic terms to understand before we go any deeper into radio, though. Frequency is the rate of radio waves that pass per second. Wavelength is the distance between two radio waves. The below image illustrates these two concepts.

Modulation is the process of modifying a radio wave so it can transmit data. This is how information is added to a radio wave. The three main types of modulation are:

• Amplitude modulation (AM), which transmits information by making the amplitude or wave height of a carrier wave stronger or weaker
• Frequency modulation (FM), which transmits information by making the wavelength (aka wave speed) faster or slower
• Phase modulation (PM), which transmits information by changing the phase or where a wave stops/starts

More modern computer-based systems work from digital data – the ones and zeros of binary code (digital modulation). The traditional analog modulation techniques have been adapted to communicate digital data.

Signals can cover just a short span of frequencies or a larger span. This is known as a signal’s bandwidth. For example in the United States, FM radio channels are 200kHz wide while Wi-Fi signals are around 20MHz wide. To keep signals from overlapping with each other and causing interference, certain frequency ranges are dedicated for specific uses. These blocks of the RF spectrum are known as bands. RF bands – in a nutshell – are groups of radio frequencies. Different RF bands are used for different technological purposes. Below is a quick run-through of each radio band and what technology most prevalently uses it.

Very or Extremely Low Frequency (VLF, ELF). These bands sit at 3-30KHz, and are used by maritime radio communications and submarines.

Medium Frequency (MF). This band is located at 300KHz-3MHz, and is most commonly used for AM and aviation radio.

High Frequency (HF). At around 3-30MHz, this band is used for amateur radio, “short wave,” NFC/RFID, and weather broadcasts.

Very High Frequency (VHF). VHF is 30-300MHz, and is often relied upon for FM radio and VHF television.

Ultra-High Frequency (UHF). UHF is located at 300MHz-3GHz, and it’s where you’ll find lots of different wireless technology. This is where you find 2.4GHz Wi-Fi, UHF TV, microwaves, GPS, LTE/4G, car keys, and RC toys. It was also the inspiration for the title of that Weird Al film, which was named for it.

Super High Frequency (SHF). This band is at 3GHz-30GHz, and it is used for 5GHz Wi-Fi and satellite communications.

Extremely High Frequency (EHF). The last RF band you need to know is located at 30GHz-300GHz, and is used for radio astronomy and deep space satellites.

Now that we’ve briefly reviewed some common terms related to radio, let’s get into the hardware and software components of SDR.

Choosing an SDR - Hardware

When choosing an SDR, there are several features you’ll want to pay attention to before deciding on one to purchase. Depending on your use case, some features may be more important to you (e.g., the ability to transmit or what frequencies your radio can manipulate). It ultimately will come down to what you most want from your SDR – what RF bands you are planning to tap into, whether you have any preference toward transmitting and/or receiving, and of course how much money you’d like to spend.

Tuner range

This feature controls the range of frequencies an SDR can see, which will directly impact your ability to jump between frequencies. So if you’re planning to use your radio for a specific project or purpose, you’ll want an SDR that will allow you to see the frequencies that you’re most interested in. For example, if you wanted to work with a technology like Zigbee or LoRa in the 2.4GHz range, then an RTL-SDR that only can receive up to 1.7GHz is not going to cut it.

Transmit capability

 Some platforms (usually the cheaper ones like RTL-SDRs) are receive-only. That means that you can listen to RF signals, but not send out any of your own. There are half-duplex SDRs, which means you can either transmit or receive at one time, but not both at once. This can be a roadblock if you wanted to simultaneously intercept a signal and transmit a modified version of your signal. Full duplex SDRs allow you to do both at once, which is ideal, but translates into a higher cost. Another thing to remember is that there are strict rules about what signals, at what frequencies, and at what transmission power you can send. Getting your amateur radio license will help you learn the rules of what you can transmit as well as how to legally do it.

Sample rate

Sample rate means how many samples per second. The more samples you have, the wider the range of frequencies you can view at one time. So for example, if you wanted to capture a signal with a 20MHz bandwidth (20MHz wide), then you would need an SDR that could capture at least 20 million samples per second (MSPS). If your RTL-SDR has a 2MSPS, then you’ll only be able to tune to a 2MHz bandwidth at one time.

Dynamic range/ADC resolution

This refers to bits per sample value, and it determines how accurate/detailed the samples are. You have more accuracy the more bits you have per sample value. SDRs typically have a dynamic range between 8 and 16 bits per sample.

Popular SDR Platforms

So now that you are more familiar with some of the terminology around SDR features, let’s compare some popular SDR platforms to see what features are offered at each price point. Here’s a sample of some of the most popular SDR platforms – from the cheapest to most expensive and highlighting what features they offer.

The gateway drug of software-defined radios is the RTL-SDR. At just $20 for a radio and antenna, this is the perfect device to get you started exploring the radio world. The downsides of the RTL-SDR is that it can’t transmit and that the tuner range usually stops before the commonly used 2.4GHz band.

Once you get into the higher-end radios, you not only get transmit capabilities, but also a wider tuner range and sample rate. My personal favorite is the HackRF One, since it’s easy to use and there’s a large online community writing blog posts and tutorials involving it. I frequently use a HackRF with the Portapack add-on running Havoc firmware when pen testing wireless devices or competing in wireless CTFs. If you need to both transmit and receive at the same time, the BladeRF is an awesome platform with full duplex capabilities. I also use a BladeRF at work when I need to both send and receive at the same time. It’s a great platform that offers lots of power and features, but can be somewhat harder to use for a beginner. Not too much software support or documentation exists for LimeSDR, but if you’re more experienced or willing to troubleshoot, then the budget-friendly LimeSDR might be right for you.

When deciding upon an SDR, it’ll really come down to what you are most looking to get from it – and your budget.

What About the Antenna?

All radios require antennas. Usually SDRs will come with some kind of multipurpose indoor antenna, like the ones shown inside the house of the above image. The two most important features of antennas to keep in mind are the radiation pattern and polarization. Radiation pattern describes what directions antennas send out signals. The outdoor antenna that looks like a horizontal pole with many vertical elements sticking out of it is a directional antenna called a Yagi. Directional antennas work best pointed in one direction. The antenna that looks like a lightsaber is an example of an omnidirectional antenna. They send/receive signals in a donut pattern (basically every direction but up/down).

Next, we need to consider polarization. Most terrestrial signals are horizontally polarized, meaning you will align your antenna perpendicular to the ground to receive them. So if you were using a dipole antenna (commonly referred to as bunny ears) to pick up a vertically polarized signal, you would want the two arms, also called elements, to be pointed up and down. If you wanted to receive a low Earth orbit VHF satellite signal (like old analog TV signals) then you would want your dipole in a V orientation.

The final thing to consider when setting up your antenna is length. Many introductory antenna kits come with telescoping antenna that you can make longer or shorter depending on what you’re trying to receive. For lower frequencies, you will want a longer antenna, and for higher frequencies a shorter one. Every antenna should be adjusted in length to get as close as possible to the resonant frequency. To calculate the resonant frequency antenna length, shoot for either ½ or ¼ of the signal’s wavelength. (This calculator is a good starting point.)

Usually the antennas that come with your SDR will let you receive most common frequencies and protocols, but there’s always the option of building your own antenna. Many antennas are as simple as a long length of wire. You’ll need a connector called an antenna balun to attach your DIY antenna to your SDR.

PRO TIP: Be careful to always have an antenna attached to your SDR when transmitting, since using an SDR without an antenna attached can break your device.

Antennas are a complex subject that could be a blog post in and of themselves, but this talk by Justin McAllister is a solid resource for understanding antenna concepts and building your own.

Choosing an SDR - Software

Now that you know what options exist for your SDR in terms of hardware, the next step is selecting the right software. The software listed below might have some overlap in function, but having each will provide you with a well-rounded SDR toolkit.

GNU-radio Companion

This is your custom radio software-building tool. It supports a wide variety of SDRs, and is particularly useful for rapid prototyping transmitters and receivers. It can hear, see, modulate, demodulate, filter, and amplify your data. It also lets you see RF data in a variety of graphs and plots. GRC flowgraphs (which are customizable building blocks linked together to form some kind of radio program) can appear intimidating, but if you want to start with the basics and build up an understanding of this tool, I recommend the Field Expedient SDR book series (linked to in the “Next Steps” section).

GQRX

This provides a visual representation of the frequency and time domains of radio signals. It basically lets you visualize what is happening in the radio world. And not only can GQRX help you listen, it can record signals, too. Unfortunately, it only works on Linux and MacOS. If you are using Windows, you’ll need a GQRX alternative, SDR#, or baudline.

Inspectru

Inspectrum is for when you are ready to analyze your signals. This tool will help you start analyzing your captures, find the symbol rate, and go from a signal to bits.

Universal Radio Hacker (URH)

This all-in-one radio hacking tool is incredibly powerful and multi-faceted. It locates and records signals, and it can also go from signals to bits. But it adds another layer of analysis; you can start reverse engineering at a protocol level. You can identify fields and their lengths; you can compare different transmissions you received. And you can use this tool to modify the signals you reverse engineered, and then transmit them out again.

Now that you know what tools you need to be successful, it’s time to learn how to hack with an SDR.

Signal Capture Workflow: Reverse Engineering Car Keys

In this example, we’ll be using an SDR to reverse engineer car key fobs. The goals of this exercise are to identify the signal frequency, bandwidth, modulation, symbol rate, and packet structure elements (preamble, sync word, CRC, fields, field size).

Step 1: Find the signal

The easiest way to do this is to use the device’s FCC ID. Every device that uses radio needs to have an FCC ID, which is publicly available online (at this website). You can use the FCC ID to quickly identify the frequency/bandwidth of the fobs. If you don’t have the FCC ID, you can use GQRX to find the signal. Here’s an example of GQRX in action locating a key fob at 315MHz:

Step 2: Record the signal

You can use GQRX to record the signal, or you can use the command-line tool that comes packaged with the radio. For this example, we’ll use RTLSDR, which is relatively easy for following along. To record the signal, we need to specify the frequency, the sample rate, and the number of samples to read. Gain is another common command argument, but most radio platforms have an auto-gain feature – so you don’t need to mess with this option very often. When you’ve finished recording, save your output file with the default extension of your SDR: .cfile, .cu8, .cs8, or .cs16.

$ rtl_sdr -f 314,500,000 -s 2,000,000 -n 20,000,000 outfile.cu8

So in the example code block above I’m using the rtl-sdr command to capture a signal at the frequency 314.5MHz. I’m recording at 2 million samples per second, meaning I’ll capture 2MHz of bandwidth around the center frequency 314.5MHz. Now you might be thinking, Kelly – I thought we just identified that the transmission frequency was 315MHz. Why are you recording 500kHz off? Well, you may have noticed in GQRX a big spike at your center frequency no matter what frequency you tuned to. This is called a DC spike and occurs with many SDRs. To get a clean capture, I offset my frequency a little bit from the target to avoid the DC spike. Next, we tell the rtl-sdr command how many samples we want to collect, which is 20 million. If we’re recording at a 2 million samples per second rate, then 20 million samples will record for ten seconds. Finally, we save the capture to a file. I’m using the .cu8 file extension since the RTL-SDR that I’m using records samples as an unsigned 8-bit integer. If you’re not sure what kind of samples your radio uses, use the generic .cfile extension.

Step 3: Analyze the signal

For this step, use Inspectrum to identify the modulation type and symbol rate (which is the equivalent of baud rate, the rate that information is transferred in a communication channel). Then, the signal can be converted into binary for further analysis. You can also use URH to determine the symbol rate. URH allows you to cut through the noise and focus on the data that you will need for signal analysis. Using URH, take the recovered bits and decode them to view their data structures. Breaking down the bits will reveal more information about the signal. In this case, it showed that each unlock signal was identical – indicating that this signal was replayable. Watch this unfold:

Next Steps: Where To Go From Here

Once you become more comfortable with SDRs, there are a lot of directions you can pursue as far as research goes. These channels that you can tap into have not been previously accessible by hobbyist hackers; there’s plenty of opportunity to branch into new territory and explore signals stemming from deep space satellites, various aircraft, and even submarines at the bottom of the ocean.

While many researchers are focused on breaking Wi-Fi and Bluetooth technology, there’s a lot of room to make a meaningful impact in radio hacking. Perhaps you’d be interested in learning how to hack a crane or other large-scale construction equipment via radio frequencies. One researcher manipulated radio signals to hop between air-gapped computers, meaning isolated machines with no external network connections. Maybe you’d prefer to start by testing equipment around your home or office; you can manipulate radio frequencies to get your Alexa to control your wireless blinds. You can even look to the stars for some possibilities.

If you’re curious to see what others in this realm are up to or are seeking inspiration for your own pet projects, below are some notable DEF CON presentations that might help stoke your imagination.

Samy Kamkar – “Drive It Like You Hacked It.” (DEF CON 23) Inspired by “Gone in 60 Seconds,” Samy Kamkar demonstrates how he hacked garage door openers using a relatively inexpensive Mattel IM-ME toy.

Jason Hernandez, Sam Richards, Jerod MacDonald-Evoy – “Tracking Spies in the Sky.” (DEF CON 25) With a $20 radio and a Raspberry Pi – all relatively simple components – these researchers identified surveillance planes by monitoring ADS-B signals.

Kristin Paget – “Practical Cellphone Spying.” (DEF CON 18) Paget described how to use the Global System for Mobile Communications (GSM) to observe people’s mobile activity – and created her own stingray to intercept the cellphones of everyone in that DEF CON room.

Balint Seeber – “All Your RFz Are Belong to Me.” (DEF CON 21) Seeber explained in this talk how he manipulated radio signals in order to rickroll San Francisco’s emergency broadcast towers.

Once you understand the science behind how radio works and have the right equipment at your disposal, you can start hacking. Wireless technology defines much of the world we live in, and learning how to work with it can open up a world of opportunity as far as expanding your hacking skillset. The sky is really your limit – or, more appropriately, deep space.

Check out these related resources:

• Wireless Village: This site offers some great CTFs and other learning resources. It also has a weekly radio net (free online internet radio) and an active Discord channel.
• RTL-SDR blog: Another good one-stop shop for all things SDR.
• Check out this post they did on my 2020 DerpCon talk (thank you!).
• RTLSDR Subreddit: A subreddit where you can connect with other RTL-SDR enthusiasts and share information.
• Field Expedient SDR: Introduction to Software-Defined Radio, Volumes 1 - 3: A series to dive in to if you want to immerse yourself fully in SDR.
• Software-Defined Radio with HackRF: An introductory video series from Mike Ossman of Great Scott Gadgets on how to start learning digital signal processing. It provides some useful GQRX homework exercises, but some examples are outdated since newer systems with GQRX no longer support WX GUI plots.
• GQRX - Practical Tricks and TipsThis is the ultimate getting started guide for GQRX.
• Cyberspectrum #8: Reverse Engineering a Simple Wireless Device: As the title suggests, this Cyberspectrum episode includes a simple reverse engineering demo.

Follow on Twitter:

• @samykamkar
• @JerodMacEvoy
• @KristinPaget
• @spenchdotnet