18 SDR Tricks with the hackrf

Captions
A little late, technical difficulties and all that. HackRF: you guys hopefully have seen a little bit of it, and if you haven't seen the fancy new enclosure, here's one. So, you know, there it is, and there are a few people around here who have some, and if you backed HackRF on Kickstarter it's in the mail to you already. And there's one that people can win in the Wireless CTF, right? What's that? Wireless CTF, HackRF, somebody can win one, right? Yeah. So, yeah, do that, as soon as I take it out of my bag. Yeah, so go out, go forth and win a HackRF.

So this is SDR Tricks with HackRF. I've given this talk once before at REcon; it's just a short talk, and the second half of the hour is going to be Jared Boone talking about the HackRF PortaPack, which is super cool. So it was Tau Day at the time that I gave this talk at REcon, you know, June 28. Everybody should know the number tau, 6.2831853, etc., right? Woo! Yeah, old school people call it two pi, but tau is the new hotness; pi is old and busted. So I actually received, for the first time in my life, a Happy Tau Day card from Dominic here. See, it says... other. So that was pretty awesome.

So this is HackRF One without the swank case. It's an SDR peripheral that operates from 10 MHz to 6 GHz officially; unofficially is part of what I'm going to talk about today. 20 MHz bandwidth, and that's a function of the 20 megasample per second ADC, and it's a half-duplex software defined radio transceiver: it can transmit and receive, but it can't do both at the same time. And so I'm talking about kind of the top-level capabilities, like the high-level overview of what the capabilities are, and in this talk I'm going to talk primarily about getting around these capabilities in various ways, or, sorry, getting around the limitations of these capabilities in various ways.

So just a little bit of an overview of the hardware design so you can understand what I'm talking about, the architecture of HackRF. At the antenna on the left we have signals that are in the range of, like, 10 MHz to 6 GHz. Actually, this slide is really old, back when we thought we would only go down to 100 MHz, but we keep lowering that lower spec. And there's a wideband front end that has a mixer in it that converts the frequency, so it shifts the frequency from anywhere in that wide range into the intermediate frequency range, which is 2.3 to 2.7 GHz. Actually, now it's about 2.15 to 2.75 GHz, but it's right in that 2 GHz band, right around 2.5 GHz, that we have an intermediate frequency. And then there's an intermediate frequency transceiver that converts between the intermediate frequency and baseband, where baseband is the vicinity of zero hertz. So we have dual conversion: we convert the frequency once between RF and IF, and then we convert the frequency a second time between IF and baseband, and then we have an analog-to-digital converter and everything's digital from there on out. On the transmit side it's the exact reverse, same thing: we go digital to analog, baseband around zero hertz, then it gets converted to the intermediate frequency, and then it gets converted to the RF, which is at whatever you configure it to, between 10 MHz and 6 GHz.

So now that you're a little bit familiar with the architecture, the first thing I want to show you is tapping into the baseband directly, tapping into the analog baseband signals. So going back here, what we're doing is bypassing all this radio stuff and just talking to the ADC or DAC on this analog baseband connection directly. So we put a header there. HackRF Jawbreaker, if you have one of the beta units, didn't have this little baseband header, but on HackRF One we thought, well, it'd be nice to add some more expansion capabilities, and this is one cool way to do that. So in this example I'm just plugging two wires into the analog-to-digital converter so that I can use the HackRF to directly sample some external electrical signal, and for example I might use something like a Hot Wheels Radar Gun, which is one of my favorite toys. The Hot Wheels Radar Gun has multiple components in it, and if you buy one from eBay it might be broken, but most likely the part that's broken is that board you see there with the two red controls on it. It's the control board and LCD, and that's completely separate from the actual radio part, the actual radar that's within the Hot Wheels Radar Gun. So if you want to just use this thing for your own project you just rip that part off and connect directly to the radar with these three leads. All you have to do is give it a power supply and you get an analog baseband radar return signal that you can plug into your oscilloscope, or you could plug it into your HackRF. And what we get is two channels: we have two ADCs, and each one is differential signaling with one volt peak to peak, and the common mode voltage needs to be around the middle of the supply voltage, so it's around 1.5 volts, and there's no anti-aliasing filter on there, so you have to kind of provide that on your own if you want. So it's a little bit tricky to interface with if you don't have much experience with electronics; it's not as easy to use as, say, an oscilloscope. But in this particular example I was able to directly plug in the Hot Wheels Radar Gun with nothing other than just some wire going from the radar gun to the HackRF baseband header, and I was able to just wave my hand around in front of the Hot Wheels Radar Gun and I could see, like in GNU Radio, exactly what I expected to see, and I could measure distances, or I could measure speed, very easily. In addition there's a direct digital-to-analog converter, so you could use the HackRF kind of as a general purpose function generator, similar to how you could use it as a general purpose oscilloscope. It's again a little bit tricky to interface with because it's differential signaling and it puts out a maximum of about 800 millivolts peak to peak, and again there's no anti-aliasing filter, so you would need to provide that yourself if you were going to design a circuit to connect to this.

In the future it would be really cool to have, and I've kind of started working on this but it's a ways off probably, it would be really cool to have a little add-on board for HackRF that kind of takes care of some of these details for you: adds the filtering, adds a differential amplifier, so that you could just, for example, plug in an off-the-shelf oscilloscope probe, or use this thing just like you would use a bench oscilloscope or function generator, kind of all in one. It wouldn't take very much circuitry; all the complicated stuff is already on HackRF, on the main board, which is what this slide is about. It would just make it a little bit easier to use. And one thing, the reason I put this slide here is to remind me that you could interface with an external RF front end this way, and this is one of the most exciting possibilities for this kind of expansion, whether you use this baseband expansion board that may exist in the future or whether you design your own circuit yourself to plug into the analog baseband header. One of the best uses for that maybe would be to experiment with a separate RF section, a separate radio other than the RF section of HackRF. If you just want to use HackRF to be the computer interface to your radio, this would be an excellent solution.

Full duplex. Now, HackRF is half duplex, but everything actually from the USB connector through the microcontroller into the analog-to-digital converters and digital-to-analog converters is actually full duplex. So from that analog baseband header to the host computer, all of that, bidirectionally, you could operate in full duplex mode, in theory, at reduced sample rates, and so this is an interesting option: if you were to connect your own radio front end to it, you can actually use it in full duplex mode. Or, you know, maybe we'd just add a second RF section, like a transmit-only RF section, that we'd plug into the baseband header, and then you could use the onboard RF section for receive, or vice versa.

The operating frequency of HackRF. In the design, at first we decided that we wanted something to work from 100 MHz to 6 GHz, and we weren't sure if we would really meet that goal, but once we kind of got the design on the drawing board we thought, hey, we should probably be able to do 30 MHz to 6 GHz. And then when we actually started testing things, it was clear that it was working pretty well down to about 10 MHz, and at that point I started experimenting with different components to see if I could enhance that low frequency behavior without affecting the high frequency performance adversely, and I've had quite a bit of success. I haven't talked about this much yet, and I haven't figured out what I can guarantee, but, a little bit of a review before I show you the results: remember that we have two different mixers that are shifting the frequency, and so the local oscillator that goes to each mixer is the amount that the frequency gets shifted. So if we wanted to tune to 6 GHz in the RF, and our intermediate frequency is 2.5 GHz, well, 6 GHz minus 2.5 GHz, what is that, that's 3.5 GHz, so we have a 3.5 GHz local oscillator right there, and then we'll have a 2.5 GHz local oscillator right here because that's shifting between 2.5 and zero. So the primary limitation on what frequencies we can tune to is the range of frequencies that we can tune these two local oscillators. The range that we can tune this one to is only in that 2 GHz band, but the range that we can tune that front end oscillator to is a range from like 85 MHz up to, I think the data sheet, or the advertisement for the part, is something like 4-something GHz, but it turns out you can actually configure it up to 5.4 GHz. So theoretically we can tune this up to 2.7 and we can tune that up to 5.4; add those two together and, you know, what's that, 8.1 GHz. So we can configure it to tune anywhere from 0 Hz to 8.1 GHz. It's a really wide range. It doesn't perform well over that whole range, of course, but that's the range that it can be configured to.

Now I went ahead and tried this, and this is a plot showing the absolute maximum transmit power on the antenna port from 0 to 10 MHz. So at 10 MHz it's putting out about 15 dBm, and that's our advertised minimum frequency, but as you can see it works quite well way below 10 MHz; more like 1 MHz is kind of where it starts taking a dive. And I've used this, for example, to tune to AM radio stations, shortwave radio stations. I literally put a long piece of wire and just stuffed the end of it into the SMA connector on a HackRF and listened to Radio Havana Cuba, you know, a shortwave radio station at 5 MHz, at my house in Colorado. I do live on a mountain, that's true, although my lab is in a valley.

So here's an extreme example. I wanted to see what the lowest frequency thing was that I could pick up with HackRF through the RF port, and so I got a spool of wire and I just clipped to the leads and plugged that into the RF port, and, oh shoot, I don't have a good screenshot of this, and what I did was I held it up to a low frequency RFID reader and I was able to sniff low frequency RFID packets. So I know a lot of people were excited when I first announced that HackRF could go down to 10 MHz, because they said, oh, now 13.5 MHz is in our range, we can do high frequency RFID. Well, two orders of magnitude lower in frequency is low frequency RFID tags operating at 125 kHz, and that is way down by the bottom of the valley on the left, right? And I was actually able to pick up those RFID tags very easily. I can't show you the little demo of it because I'm short on time and my laptop isn't working, so you'll just have to take my word for it. What's that? Oh, I won't worry too much about time, but still my laptop isn't working. So if anybody wants to see later, one-on-one, I do have on my laptop a saved waveform that can show you a little replay of this; I just can't put it up on screen. But I was totally able to do this just by clipping a loop of wire to my RF port, holding the loop of wire up to an RFID reader, and then holding an RFID tag next to it. I got a very clean signal that I could decode in software with no problem. Now, this is a receive-only solution. I can't spoof a tag, I can't transmit to the reader, because the way low frequency RFID works is that I would have to be able to modulate the power of the 125 kHz signal going through the coil of wire that's within the reader, and I don't have enough output power to do anything like that. If I were going to do that I would need some kind of small external active circuit, like a one-transistor circuit, for example, to actually be able to modulate and spoof a tag. It could literally be as simple as a one-transistor circuit or a one-diode circuit, but I would need some kind of external circuit to actually spoof a tag. Sniffing tags, though, no problem with just a loop of wire. And even though it's way down at the edge, well below the good operating range, the amount of power that I get coming in on that direct coupling with this big loop of wire held right against the reader is so much power that it overcomes the losses that are in the HackRF receive chain, in the analog section, at those very low frequencies. So I thought that was pretty exciting, that I could actually do something way below 1 MHz.

Now I want to show you something about operating way above 6 GHz. So the highest frequency test equipment I have in my lab is this spectrum analyzer that goes up to 7 GHz. I don't have anything that goes up to 8.1 GHz, which is the highest frequency that I could tune a HackRF to, or I could configure it to, but I can at least show you things up to 7 GHz. So the yellow line, just look at the yellow trace for a little bit: that's showing the maximum output power that I'm getting directly out of the RF port from HackRF tuned to 4 GHz to 7 GHz, so four at the left side to seven on the right, and this is the maximum output power in dBm. Now this little marker here, right there, that's 6 GHz, so that's the edge of the advertised operating frequency range. As you can see, as you go up in frequency, overall the performance declines. There's a little bit of a hump around 5 and a half GHz, like it gets a little better in the 5 GHz band and then a little worse, and then just a little bit above 6 GHz it starts dropping precipitously, and our output power up at like 7 GHz is barely measurable with the way I have this spectrum analyzer configured. So it's not really useful up here, but it certainly could be useful in the low 6 GHz band, above 6 GHz.

Then I did this again, configuring the HackRF in a completely different way, and that's how I got this blue trace. What I did was I basically bypassed the entire front end mixer and I sent the intermediate frequency right out, directly through the front end amplifier, to the antenna. And this is a normal configuration; this is how we tune to things like around 2.4 GHz, 2.5 GHz. That's how we normally tune to things in that 2 GHz band, the intermediate frequency band, is by bypassing the front-end mixer. So I bypass the front end mixer and then I look at the maximum output power, I'm really maxing it out as much as I can, but I'm looking at the output power as I sweep the intermediate frequency from 2.15 to 2.75 GHz. I sweep that frequency and then I got this blue line in the 4 to 7 GHz band. So why do we have these big peaks in this region from here to here, and then this region from here off beyond my measured frequency range? It's because they're harmonics of the intermediate frequency, and so this range right here is twice the intermediate frequency: 2.15 times 2 is 4 and a quarter GHz, and that's where this blue region starts here, and then three times that starts here. So this is the second harmonic and the third harmonic. Now notice that, especially way up here around 6.5 to 7 GHz, this actually allows us to get much more output power than we're able to by properly using the wideband front end and configuring it to operate the way you would expect up here. Mike? Yep, the question is, am I still dumping tons of power out at 2.4 GHz? Absolutely, I certainly am. But by exploiting the harmonics, and if you were going to do this in real life you would use a filter, you can take an off-the-shelf external filter that you can plug in between the HackRF and antenna, you could actually operate at 7 GHz by filtering out everything below; that would include all that power you're putting out in the 2 GHz band. It's a pretty dirty trick, but it's something that can be done, and it's actually not too uncommon a trick for people who typically build equipment or use equipment in the many-gigahertz range.

One thing to note is that the frequency response of this blue curve is extremely non-flat. Especially note that gigantic peak around 4.9 GHz. The reason that it is so non-flat is because I'm actually overdriving the front end amplifier, and so it's just like overdriving a guitar amplifier and getting that distortion. That distortion increases the harmonics that you get, so that when we look at the harmonics, if we're overdriving that front end amplifier we're able to get some extra oomph, some extra peaks in those harmonics at certain frequencies where things just kind of overdrive the amplifier a little bit more. So that's why we get a really good peak around 4.9 or 5 GHz, and that's probably why this is increasing and not decreasing in this region below 7 GHz. So what this does from 7 to 8.1, I don't know, but what I would expect is that the yellow curve drops off and becomes totally unusable, if it's not already, and that the blue curve probably goes up and down a little bit and eventually, you know, maybe traces something similar to this curve, but less so. So that's kind of a dirty trick you can use to do some fun things at very high frequencies.

One other thing I wanted to note. I talked a little bit about overcoming the limitations of the operating frequency range. I talked about overcoming the limitations of half duplex if you use that baseband header. But another thing I want to note is that theoretically you could overcome limitations of the sample rate. We have a sampler that is spec'd to run up to 22 megasamples per second, but we always figured it was wishful thinking that we'd just barely get up to 20 megasamples per second on our USB interface. So as it turns out, at least on some USB host controllers, we can actually exceed that, and like on my laptop I can reliably run at a maximum sample rate of 21.2 megasamples per second, so just a little bit higher than 20 million samples per second, which is 43 megabytes per second going over USB. That's a lot to go over high-speed USB. I've actually never seen any other USB device go that fast, except for SuperSpeed USB devices, of course. And additionally, if you were to do processing on the ARM instead of on the host computer and not worry about the limitation of USB, you might even be able to go a little bit faster, and if you want to learn about running code on the ARM, stick around for the next half hour to listen to Jared. And there is an extra header that you can install on HackRF One that gives you direct access to pins on the CPLD, which is just some little logic glue between the ARM and the ADC/DAC, so you could completely bypass the ARM and stream your samples in and out of those CPLD pins, like if you had an external FPGA board or something like that, and you might even be able to get a little bit more sample rate out that way. The ADC/DAC chip is spec'd to run at 22 million samples per second, but I believe it can be overclocked in many cases, and it can also be replaced with a pin-compatible replacement chip that runs up to, I think, 40 megasamples or 60 megasamples. I'm pretty sure it's just the same chip that they just bin, and so the ones that they sell as 22 megasamples maybe didn't test as well at 40, but they probably operate somewhat faster than 22 in most cases, or can. And additionally there's an analog baseband filter in the intermediate frequency transceiver that can be configured to a maximum of about 30 MHz, so that's kind of the limiting factor at that point. If you kind of use those tricks to bypass USB and bypass the ARM, and at the extreme actually replace that ADC/DAC chip with a faster one, your limiting factor would be that baseband filter that gets you up to about 30 MHz instead of 20 MHz.

And that's SDR Tricks with HackRF. Thanks for listening, and I hope you'll stick around to hear Jared talk about the HackRF PortaPack.
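The dual-conversion arithmetic the talk walks through (RF = front-end LO + IF, IF = second LO, the 0 to 8.1 GHz configurable span, the 2x and 3x IF harmonic bands, and the USB byte rate at 21.2 megasamples per second) is easy to check with a few lines of code. The following is an added worked example; it is not code from the talk or from the HackRF project. It uses only the figures quoted in the talk (IF band 2.15 to 2.75 GHz, front-end LO 85 MHz to 5.4 GHz, 8-bit I plus 8-bit Q per sample over USB). The choice of IF = 2.5 GHz as the default and the "IF above RF below the IF band, IF below RF above it" arrangement are assumptions made here for illustration, not a description of the real firmware. The harmonic planner also lists every frequency that leaves the port along with the wanted harmonic, which is the information you need to pick the external filter the talk says you would use.

```python
# Added example (not from the talk or the HackRF project): a small model of the
# HackRF dual-conversion frequency plan using the numbers quoted in the talk.
# The low-band/high-band split and the nominal IF are assumptions for illustration.

IF_MIN = 2.15e9          # intermediate frequency band edges quoted in the talk
IF_MAX = 2.75e9
IF_NOMINAL = 2.5e9       # "right around 2.5 GHz" (assumed default here)
LO1_MIN = 85e6           # front-end LO tuning range quoted in the talk
LO1_MAX = 5.4e9
BYTES_PER_SAMPLE = 2     # 8-bit I plus 8-bit Q per complex sample over USB


def plan(rf_hz):
    """Return the LO settings that reach rf_hz through the two mixers.

    Above the IF band RF = LO1 + IF; below it RF = IF - LO1 (assumed);
    inside it the front-end mixer is bypassed. LO2 is always the IF,
    because the second mixer shifts the IF down to baseband around 0 Hz.
    """
    if rf_hz < 0:
        raise ValueError("negative frequency")
    if IF_MIN <= rf_hz <= IF_MAX:
        # Bypass mode: the IF transceiver is tuned to the RF directly.
        return {"mode": "bypass", "if_hz": rf_hz, "lo1_hz": 0.0, "lo2_hz": rf_hz}
    if_hz = IF_NOMINAL
    if rf_hz < IF_MIN:
        lo1 = if_hz - rf_hz
        mode = "low"
    else:
        lo1 = rf_hz - if_hz
        if lo1 > LO1_MAX:
            # Push the IF up so that LO1 stays inside its tuning range.
            if_hz = rf_hz - LO1_MAX
            lo1 = LO1_MAX
        mode = "high"
    if not (IF_MIN <= if_hz <= IF_MAX) or not (LO1_MIN <= lo1 <= LO1_MAX):
        raise ValueError(f"{rf_hz / 1e9:.3f} GHz is outside the configurable range")
    return {"mode": mode, "if_hz": if_hz, "lo1_hz": lo1, "lo2_hz": if_hz}


def configurable_range_hz():
    """Widest RF span the two LOs can be set to, performance aside.

    With IF_MAX = 2.75 GHz this is 8.15 GHz; the talk rounds it to 8.1 GHz."""
    return (0.0, IF_MAX + LO1_MAX)


def harmonic_band_hz(n):
    """RF span covered by the n-th harmonic when the IF is sent out directly."""
    return (n * IF_MIN, n * IF_MAX)


def harmonic_tx_plan(target_hz):
    """Lowest IF harmonic that lands on target_hz, plus everything else that
    leaves the port with it (the fundamental and lower harmonics), so the
    external filter's stop band can be chosen."""
    for n in range(2, 6):
        if_hz = target_hz / n
        if IF_MIN <= if_hz <= IF_MAX:
            emitted = [k * if_hz for k in range(1, n + 1)]
            return {"harmonic": n, "if_hz": if_hz, "emitted_hz": emitted,
                    "highest_unwanted_hz": emitted[-2]}
    raise ValueError("no IF harmonic reaches that frequency")


def usb_bytes_per_second(sample_rate):
    """Host-side byte rate for a given complex sample rate."""
    return sample_rate * BYTES_PER_SAMPLE


if __name__ == "__main__":
    for f in (1e8, 2.4e9, 6e9, 8.1e9):
        p = plan(f)
        print(f"{f / 1e9:5.2f} GHz: {p['mode']:6s} IF={p['if_hz'] / 1e9:.3f} GHz "
              f"LO1={p['lo1_hz'] / 1e9:.3f} GHz LO2={p['lo2_hz'] / 1e9:.3f} GHz")
    print("configurable span (GHz):", [x / 1e9 for x in configurable_range_hz()])
    print("2nd harmonic band (GHz):", [x / 1e9 for x in harmonic_band_hz(2)])
    print("3rd harmonic band (GHz):", [x / 1e9 for x in harmonic_band_hz(3)])
    h = harmonic_tx_plan(7e9)
    print("7 GHz via harmonic", h["harmonic"], "also emits (GHz):",
          [round(x / 1e9, 3) for x in h["emitted_hz"][:-1]])
    print("USB at 21.2 MS/s:", usb_bytes_per_second(21.2e6) / 1e6, "MB/s")
```

Running it reproduces the talk's numbers: 6 GHz needs a 3.5 GHz front-end LO with the IF at 2.5 GHz, 8.1 GHz needs the front-end LO at its 5.4 GHz limit with the IF pushed to 2.7 GHz, the second harmonic band starts at 4.3 GHz ("4 and a quarter" in the talk), and 7 GHz via the third harmonic means the port also carries 2.33 GHz and 4.67 GHz, so the filter must reject everything below about 4.7 GHz, not just the 2 GHz band.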
Info
Channel: Adrian Crenshaw
Views: 310,219
Keywords: hacking, security, irongeek, infosec, bsides, lasvegas
Id: 4Lgdtr7ylNY
Length: 28min 5sec (1685 seconds)
Published: Tue Aug 12 2014