A Wave That Never Dies (ii) HackRF Introduction: Home Wireless Doorbell Signal Replay

Source: Internet
Author: User
Tags: kali linux

0x00 Preface

In the first article, A Wave That Never Dies (i): Radio Introduction, we covered the history of radio and some of its physics. In this second part we use a HackRF to record the wireless signal of a doorbell remote and then replay it.

The doorbell was bought on Taobao.

0x01 Environment Setup

On a Mac you can use Gqrx together with the HackRF (Xcode and MacPorts are required):

sudo port install gnuradio
sudo port install hackrf
sudo port install rtl-sdr
sudo port install gr-osmosdr
sudo port install hackrf

sudo port install gqrx

See also: Install HackRF environment on Mac

0x02 Getting Started

After the installation is complete, plug in the HackRF and run hackrf_info in a terminal:

Board ID Number: 2 (HackRF One)
Firmware Version: git-
Part ID Number: 0xa000cb3c 0x00664f49
Serial Number: 0x00000000 0x00000000 0x583064c0 0x2640ad4b

# start gqrx from the terminal
gqrx

Press the remote control and we can see the signal at a frequency of around 314.100000 MHz, i.e. 314.1 MHz.

1 MHz = 1,000,000 Hz; 1 kHz = 1,000 Hz; so 314.1 MHz = 314,100,000 Hz.

Close Gqrx and work with the HackRF directly.

hackrf_transfer usage:

Usage:
    -r <filename>              # Receive data into file. (save the received signal to a file: signal recording)
    -t <filename>              # Transmit data from file. (read the RF signal from a file and send it: signal replay)
    -w                         # Receive data into file with WAV header and automatic name.
                               # This is for SDR# compatibility and may not work with other software.
    [-f freq_hz]               # Frequency in Hz [0MHz to 7250MHz].
    [-i if_freq_hz]            # Intermediate Frequency (IF) in Hz [2150MHz to 2750MHz].
    [-o lo_freq_hz]            # Front-end Local Oscillator (LO) frequency in Hz [84MHz to 5400MHz].
    [-m image_reject]          # Image rejection filter selection, 0=bypass, 1=low pass, 2=high pass.
    [-a amp_enable]            # RX/TX RF amplifier 1=Enable, 0=Disable.
    [-p antenna_enable]        # Antenna port power, 1=Enable, 0=Disable.
    [-l gain_db]               # RX LNA (IF) gain, 0-40dB, 8dB steps
    [-g gain_db]               # RX VGA (baseband) gain, 0-62dB, 2dB steps
    [-x gain_db]               # TX VGA (IF) gain, 0-47dB, 1dB steps
    [-s sample_rate_hz]        # Sample rate in Hz (8/10/12.5/16/20MHz, default 10MHz).
    [-n num_samples]           # Number of samples to transfer (default is unlimited).
    [-c amplitude]             # CW signal source mode, amplitude 0-127 (DC value to DAC).
    [-b baseband_filter_bw_hz] # Set baseband filter bandwidth in MHz.
                               # Possible values: 1.75/2.5/3.5/5/5.5/6/7/8/9/10/12/14/15/20/24/28MHz, default < sample_rate_hz.
hackrf_transfer -r <output> -f 314100000 -a 1 -l <lna_gain_db> -g <vga_gain_db> -s 8000000

Without pressing the remote:

Pressing the remote control:

Since hackrf_transfer does no decoding of any kind, what we see is a pile of garbled raw sample data.

0x03 Recording the Signal & Signal Analysis

Record the remote's wireless signal:

hackrf_transfer -r door.raw -f 314100000 -g <vga_gain_db> -l <lna_gain_db> -a 1 -s 8000000 -b 4000000

Terminal output (note that the requested 4 MHz baseband filter is rounded down to the nearest supported bandwidth, 3.5 MHz):

hackrf_transfer -r door.raw -f 314100000 -g <vga_gain_db> -l <lna_gain_db> -a 1 -s 8000000 -b 4000000
call hackrf_sample_rate_set(8000000 Hz/8.000 MHz)
call hackrf_baseband_filter_bandwidth_set(3500000 Hz/3.500 MHz)
call hackrf_set_freq(314100000 Hz/314.100 MHz)
call hackrf_set_amp_enable(1)
Stop with Ctrl-C
16.0 MiB / 1.005 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.3 MiB / 1.004 sec = 16.2 MiB/second
16.0 MiB / 1.002 sec = 16.0 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.3 MiB / 1.003 sec = 16.2 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.005 sec = 15.9 MiB/second
^CCaught signal 2
8.1 MiB / 0.510 sec = 15.9 MiB/second
User cancel, exiting...
Total time: 11.54724 s
hackrf_stop_rx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit

Signal waveform analysis:

The tool used here is Audacity; import the recorded file as raw (uncompressed) audio data.

The following dialog appears:

Import directly with the default parameters:

The middle part is the wireless signal recorded while the remote button was pressed; use Audacity's magnifier to zoom in on it:

Zooming in further, we can see:

Continue zooming in:

Zoom in once more:

At this point, more experienced readers can turn the RF waveform into binary data by reading it off the graph: 01010101..., then write those bits into GRC (GNU Radio Companion), build a flow graph, and replay the wireless signal with it. The rough method is as follows:

Launch GNU Radio Companion: Kali Linux -> Wireless Attacks -> Software Defined Radio -> gnuradio-companion

Source: find Vector Source in the Misc column on the right

Add Repeat (old), Moving Average and osmocom Sink via the search box

The four blocks:

Connect them in this order:

I have not used GRC much, so I am leaving this method aside for now and will try it again later :)
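The "read the bits off the waveform" step from the Audacity screenshots can also be done programmatically. The following is an added example, not code from the original post: it assumes the door.raw format that hackrf_transfer -r writes (interleaved signed 8-bit I/Q at 8 MS/s), uses a constructed OOK burst with an assumed 500 µs symbol length in place of a real capture, and adds the check a defender wants when assessing a doorbell: if two separate button presses decode to the identical bit string, the remote is a fixed-code device with no replay protection.

```python
import math
import random
import struct

SAMPLE_RATE = 8_000_000   # matches the -s 8000000 used to record door.raw
SYMBOL_S = 500e-6         # assumed OOK symbol length of the toy remote (500 us)

def synth_ook_capture(bits, seed=0, rate=SAMPLE_RATE, symbol_s=SYMBOL_S):
    """Constructed stand-in for a hackrf_transfer -r file: interleaved signed
    8-bit I,Q samples of an OOK burst on a 100 kHz tone with weak noise, and
    four silent symbols before and after the burst. Not a real recording."""
    rng = random.Random(seed)
    sps = int(rate * symbol_s)                       # samples per symbol
    env = [0] * (4 * sps) + [b for b in bits for _ in range(sps)] + [0] * (4 * sps)
    out = bytearray()
    for n, e in enumerate(env):
        ph = 2 * math.pi * 100e3 * n / rate
        i = round(100 * e * math.cos(ph) + rng.gauss(0, 3))
        q = round(100 * e * math.sin(ph) + rng.gauss(0, 3))
        out += struct.pack("bb", max(-127, min(127, i)), max(-127, min(127, q)))
    return bytes(out)

def demodulate_ook(raw, rate=SAMPLE_RATE, symbol_s=SYMBOL_S):
    """Envelope-detect an int8 I/Q capture and slice it into OOK bits. Bits are
    read between the first and last 'on' symbol, so trailing zeros cannot be
    told apart from silence without knowing the frame length."""
    sps = int(rate * symbol_s)
    s = struct.unpack(f"{len(raw)}b", raw)
    mag = [math.hypot(s[k], s[k + 1]) for k in range(0, len(s), 2)]
    cs = [0.0]                                       # prefix sums for a fast moving average
    for m in mag:
        cs.append(cs[-1] + m)
    half = sps // 2                                  # one-symbol window centred on each sample
    env = [(cs[min(n + half, len(mag))] - cs[max(n - half, 0)]) / sps for n in range(len(mag))]
    thresh = 0.5 * max(env)                          # midway between off and on; assumes a burst is present
    on = [e > thresh for e in env]
    if True not in on:
        return ""
    first = on.index(True)
    last = len(on) - on[::-1].index(True)
    nbits = round((last - first) / sps)
    centres = [min(first + k * sps + half, last - 1) for k in range(nbits)]
    return "".join("1" if on[c] else "0" for c in centres)

def same_code(raw_a, raw_b):
    """True when two presses decode to the same bit string: a fixed code with no
    freshness, which is what makes plain replay work. A rolling-code remote
    would give a different string on every press."""
    a, b = demodulate_ook(raw_a), demodulate_ook(raw_b)
    return bool(a) and a == b
```

On a real door.raw the symbol length must be measured first (the zoomed Audacity view above is exactly that measurement), and the threshold only works when the capture actually contains a burst.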

0x04 Signal Replay

Replay the signal with hackrf_transfer:

hackrf_transfer -t door.raw -f 314100000 -g <vga_gain_db> -l <lna_gain_db> -a 1 -s 8000000 -b 4000000

Terminal output:

hackrf_transfer -t door.raw -f 314100000 -g <vga_gain_db> -l <lna_gain_db> -a 1 -s 8000000 -b 4000000
call hackrf_sample_rate_set(8000000 Hz/8.000 MHz)
call hackrf_baseband_filter_bandwidth_set(3500000 Hz/3.500 MHz)
call hackrf_set_freq(314100000 Hz/314.100 MHz)
call hackrf_set_amp_enable(1)
Stop with Ctrl-C
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.000 sec = 16.0 MiB/second
16.3 MiB / 1.001 sec = 16.2 MiB/second
16.0 MiB / 1.003 sec = 16.0 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.005 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.3 MiB / 1.003 sec = 16.2 MiB/second
8.4 MiB / 1.004 sec = 8.4 MiB/second
Exiting...
hackrf_is_streaming() result: HACKRF_ERROR_STREAMING_EXIT_CALLED (-1004)
Total time: 12.03184 s
hackrf_stop_tx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit

0x05 Demo Video

The way a mischievous kid would use this is:

for i in {1..999}; do hackrf_transfer -t door.raw -f 314100000 -g <vga_gain_db> -l <lna_gain_db> -a 1 -s 8000000 -b 4000000; done

Yes, you read that right: repeat it 999 times :)

0x06 References:

Hacking Fixed Key Remotes

Exploring Bluetooth & iBeacons: from software to radio signals and back

Chinese version: Sniffing Bluetooth and replaying iBeacon signals with HackRF

GNU Radio Getting Started v0.99

