Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
Dealing with a hardware+software platform born under linux can be a real pain for people not used to it so I will try to make things easier for them explaining what I did to make that great HackRF One hardware working under Windows. I am still not too good in those kind of subjects so I will try to explain things the same way I understood them; if you find incongruences please feel free to correct me and I will update this post giving credits to contributors.
WHAT IS HackRF One
It is a platform with open hardware and software created by by Michael Ossmann specific for radio frequencies analysis; this is at the moment the only hardware able to scan the widest range of RF signas starting from 30MHz to 6GHz !! (another hardware that is going to be released this year is Airspy but its range will be from 24MHz to 1.7GHz - there are other very cheap usb dvb dongles able to do that kind of analysis but they are not natively built for that kind of stuff and are really limited compared to HackRF One).
Using an hardware device called Ham-It-Up RF converter (picture below) the HackRF One can also explore the LF and MF frequencies range so the full range is extended from 300kHz to 6GHz !!!
This device is the succesor of the Jawbreaker hardware and its manufacturing was possible thanks to a specific kickstarter campaign.
HARDWARE SPECIFCATIONS
Frequency Range: 10MHz - 6GHz (kickstarter campaign says "from 30MHz" while acutal official site says "from 10MHz") [from 300kHz to 6GHz if you add an Ham It Up RF Converter hardware] - the range practically starts from the upper part of LF (Low Frequency) band to the lower part of SHF (Super High Frequency) band.
- Bandwidth: the maximum bandwidth of HackRF is 20 MHz (about 10 times the bandwidth of TV tuner dongles); that means that HackRF could be used for high speed digital radio applications such as LTE or 802.11g. Bandwidht is the maximum range of frequencies "explorable" at the same time: this means that you can "see" or better "listen" to a range of frequencies 20MHz-wide; here is a practical example: if you set HackRF One to 20 MHz bandwidth and you center the frequency to 97MHz your bandwidht will be approximatively from 87 to 107MHz (that is almost the full radio FM spectrum from 87.5 to 108.0 MHz (with some exceptions such as Japan FM broadcast range that is form 76 to 90MHz) !):
the peaks above represent radio broadcasting stations.
So everything in the range of the bandwidth you are listening to is recordable -> so it can save up to 20 million samples per second !
- Included Antenna Specs: it is called ANT500, it is telescopic, and it is designed for operations from 75 MHz to 1 GHz (this means that that if you want to reach the non-supported frequencies you need to buy/build your own antenna):
- half-duplex transceiver: it means that it can transmit or receive but can't do both at the same time. However, full-duplex operation is possible if you use two HackRF devices.
- SMA female antenna connector
- SMA female clock input and output for synchronization
- compatible with GNU Radio, SDR# (also called SDRSharp), and more: picture above is taken with SDR#
- software-configurable RX and TX gain and baseband filter
- software-controlled antenna port power (50 mA at 3.3 V)
- convenient buttons for programming
- internal pin headers for expansion
- Hi-Speed USB 2.0: (Male Type A <---> Male Micro B cable-connectors)
- Same cable USB-powered: one cable-only to connect and to powering-up
- 8-bit quadrature samples (8-bit I and 8-bit Q): I don't know what it is, if someone can explain it I will be grateful !
WHAT IS SDR
(taken directly from the kickstarter campaing page):
SDR is the application of Digital Signal Processing to radio waveforms. It is similar to the software-based digital audio techniques that became popular a couple of decades ago. Just as a sound card in a computer digitizes audio waveforms, a software radio peripheral digitizes radio waveforms. It's like a very fast sound card with the speaker and microphone replaced by an antenna. A single software radio platform can be used to implement virtually any wireless technology (Bluetooth, ZigBee, cellular technologies, FM radio, etc.).
HOW TO USE HackRF One WITH SDR# SOFTWARE
- Download the following file: sdr-install.zip from SDR# page (it needs an internet connection to download necessay files)
- Once downloaded unzip it, launch "install.bat" and wait for the program to download the necessay files
- now connect HackRF One to an USB port and execute zadig.exe to install Windows Drivers; if the new USB devices is not shown go to "Options" and select "List All Devices" (see picture below);
- now choose "WinUSB (v6.x.xxxx.xxxxx)" and press "Install WCID Driver" button:
Usually under Windows HackRF will work with ONE USB PORT AND THIS ONE ONLY !!! So try all USB ports before saying "hardware not found by SDRSharp!"
- now you can execute SDRSharp.exe (it is in the same zadig.exe folder) and SDRSharp will open up:
Here are the basics:
1
- 1st of all click on the "gear" icon and set the device as "Jawbraker" (A)
- then set the sampling rate: the more it is the wider the band will be with zoom set to 0 (B)
- then set the LNA gain according to your receiving signal (see further) (C)
2
- now set the kind of radio you want to listen to (WFM is the "normal radio" band)
3
- now set the "step size": this represents the "accuracy" of the vertical red line while you move it through the frequencies; it is the same thing that happens when you press the "forward" button of yoru radio-car-system if the automatic station scan is disabled, it goes "a step further" and the width of this step is represented by this "step size" value: the smaller it is the more precise it will be (smaller values should be used when you are inspecting a narrow band range)
4
- now set the resolution: this is the resolution of the peaks you can see in the upper part of the Spectrum Analyzer: the higher it is the more the processor will work: setting it above 65535 can cause system performance slow down.
NOW YOU CAN PRESS THE "PLAY BUTTON" to make the software analyzing HackRF One sniffed traffic:
Double-click on any peak to tune to that frequency and listen to it !
The Spectrum Analyzer represents a graphic peak-view of the band of the frequencies you are exploring; higher peaks means that something is broadcasting over that frequency. [X = Frequency ; Y = Amplitude]
(peaks can be automatically marked setting the option "Mark Peaks" you can see in the lower-right corner of the previous picture)
The Waterfall represents a graphic "cascade" representation of the signals across the frequency range you are investigating, usually "coded" with a specific color which indicates signal amplitude or strength displayed over time (more recent are at the top of the waterfall, older ones are at the bottom).
If your waterfall doesn't seems to have any broadcast signal try to increment the LNA gain in the settings.
ZOOM: with this slider you can narrow or make wider the graphic band your are seeing
CONTRAST: it changes the color of the waterfall "silent" background and of the waterfall "hot lines" (I prefere the "silent" background to be blue and the "broadcasting frequencies" to be orange/red as you can see in the watefall picture above).
RANGE: it narrows or widen the "Y coordinate" (amplitude) in the "Spectrum Analyzer" graphic
OFFSET: it moves up and down the "Y coordinate" (amplitude) in the "Spectrum Analyzer" graphic
Here is a sum-up of the various available frequencies:
Please note that most of them have many sub-ranges !
Here are some GREAT SDR with HackRF tutorials by Michael Ossmann, the author of HackRF !
Next part will be installing the HackRF environment and compiling it under Windows !
Last edited by asper (2014-10-01 08:44:50)
Offline
INSTALLING THE COMPILING EVIRONMENT
Download and install the following packages:
- MinGW Setup (mine was already installed to compile Proxmark3)
- CMake (I am using v3.0.2-win32-x86 and I installed it in C:\CMake, this path is important in the commands we must send in the MinGW shell)
Download and extract the following packages respectively in the path C:\MinGW\msys\1.0\local\include\libusb-1.0.18\libusb and C:\libusbx-1.0.18-win:
- libusb-1.0 (I am using v1.0.18)
- libusb-win32 (I am using v1.0.18)
Download and extract the following package in the root of your C:\ drive and rename the folder to C:\hackrf:
- Latest HackRF package
Now launch C:\MinGW\msys\1.0\msys.bat to open MinGW shell and type the following:
cd /c
cd hackrf
cd host
mkdir build
cd build
PATH=$PATH:/c/CMake/bin
cmake ../ -G "MSYS Makefiles" -DLIBUSB_INCLUDE_DIR=/usr/local/include/libusb-1.0/
cmake ../ -G "MSYS Makefiles" -DLIBUSB_LIBRARIES=/c/libusbx-1.0.18-win/MinGW32/dll/libusb-1.0.dll
make
make install
You have now compiled HackRF !
Compiled .exe tools can be found here: C:\hackrf\host\build\hackrf-tools\src
libhackrf.dll here C:\hackrf\host\build\libhackrf\src
Firmware can be found here: C:\hackrf\firmware-bin (this is already present in the hackrf downlodable package)
To see if everything is working fine connect HackRF One to USB port and then launch hackrf_info.exe, it should show HackRF specifications just like this:
Those .dlls are needed:
libhackrf.dll
libusb-1.0.dll
pthreadGC2.dll
Last edited by asper (2014-10-02 10:56:32)
Offline
INSTALLING GNURADIO
Having a working GNURADIO system under Windows can really be hard, at least in my experience, so this is what you need to install BEFORE installing GNURADIO (this is my actual "configuration"):
1 - python-2.7.3.msi (Python interpreter - link)
2 - numpy-1.6.2-win32-superpack-python2.7.exe (link)
3 - PyQt-Py2.7-x86-gpl-4.9.6-1.exe (link)
4 - setuptools-0.6c11.win32-py2.7.exe (used to install other Python dependencies - link)
5 - pygtk-all-in-one-2.24.2.win32-py2.7.msi (link)
6 - wxPython2.8-win32-unicode-2.8.12.1-py27.exe (link)
7 - PyQt4.Qwt5-5.2.1.win32-py27.exe
8 - lxml-3.0.2.win32-py2.7.exe (link)
9 - Python OpenGL (link)
10 - Visual C++ 2010 Runtime
11 - Launch from a DOS shell: C:\Program Files (x86)\Programming\Python 2.7\scripts>easy_install cheetah to install cheetah
(info taken here)
After that install:
- uhd_003.005.003-release_Win32.exe (USRP drivers - link)
- gnuradio_3.7.2.2_Win32.exe (link)
After that start GNURADIO Companion usually located here: C:\Program Files (x86)\gnuradio\bin\gnuradio-companion.py (it can take some couple of seconds before it starts)
If, for some strange reason, the software will not start anymore over time try to reinstall the fist 3 packets of the environment and it should start again... weired but it did the work in my case.
Now a tutorial on how to use gnuradio is really welcome !
Last edited by asper (2014-10-02 12:09:26)
Offline
MY 1st HACK WITH HackRF One
This is the device used to remotely control some electrical plugs, it has 10 buttons divided in 5 ON and 5 OFF buttons:
on the back we got help by a sticker: 433.92MHz !
Opening it up it revelas a HS2262A-R4; some datasheets are available using google.
So here what was needed to reverse this remote RF control.
- Open SDRSharp and get it to 433.92MHz;
- Verify that something is "moving" in that spectrum pressing some remote buttons:
Ok, the WOW Signal is here !
- Record with included HDRSharp plugin (you can find it on the right side of the software) at "16 Bit PCM" Baseband Only (no Audio):
The .WAV file will be located in the same SDRSharp .exe folder (it can get really big if you let it records for lot of seconds!).
- Open in Audacity the .WAV recorded tracks the go to "Tracks" -> "Stereo Track to Mono";
- Cut/Select the interesting part of the recording and amplify it to "new Peak Amplitude = 0.0"
- Optional: change track view to "Spectrum" (drop-down menu in the upper-left part of the opened track, next to the track name)
Do this for each button track recorded:
here you can see 3 recorded "tracks" of 3 different buttons using the spectrum view; notice the short and long pulses; I assumed short = 0 and long = 1 in an OOK modulation.
This is what came out holding the buttons:
32 bits for each frame [25 "active" bits + 7 "pause" bits]
Bits sequence:
1 ON - 0 0 1 1 1 1 1 1 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
1 OFF - 0 0 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
2 ON - 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
2 OFF - 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
3 ON - 0 0 1 1 0 0 1 1 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
3 OFF - 0 0 1 1 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
4 ON - 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
4 OFF - 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
5 ON - 0 0 1 1 1 1 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
5 OFF - 0 0 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 + _ _ _ _ _ _ _
bits from 0 to 7 = Button Number
bits from 9 to 15 = always 0
bits 16&17 = if 11 ON command; if 00 OFF command
Analyzing data I found that:
bitrate (duration of a single bit) = 0,0006 seconds
radio silence length = 7 bits (represented with: _ _ _ _ _ _ _)
interval between emitted frames (always repeating) = 0,007 seconds
If someone is able to explain me how to replicate those signals using HackRF One I will make a guide here !
Last edited by asper (2014-10-01 15:42:33)
Offline
An incredibly useful site is the FCC ID Search Page.
FCC information includes RF info and the occasional schematic.
http://transition.fcc.gov/oet/ea/fccid/
Offline
Yeah you are right ! Lot of free info there!
EDIT: it seems not to be possible to use GNURADIO with HackRF under Windows due to a missing gr-osmosdr compiled package... I will investigate GNURADIO in the future when it will natively support HackRF.
Last edited by asper (2014-10-02 12:59:58)
Offline
THis is a recorded session of a mifare reading with my mobile phone:
I don't think it is readable...
Last edited by asper (2014-10-03 11:57:36)
Offline
I've been diving into sdr, as a pet project I am writing gnuradio-modules to interpret DCS (digitally coded squelch) from a handheld radio (they use DCS / CTCSS to have 'private' channels, by transmitting a sub-audible signal which signals that the squelch should be opened). It's nice to extract that, because then you can jump on any such transmission with the same dcs-key and join the party (I can use my computer to tell the kids it's dinner time).
Anyway, @asper wrote
- 8-bit quadrature samples (8-bit I and 8-bit Q): I don't know what it is, if someone can explain it I will be grateful !
Michael Ossman has been talking about that in videos 6 and 7. Particularly 7: http://greatscottgadgets.com/sdr/7/. I'm now starting to understand the benefits of using quadrature sampling, and can't help thinking about if that's something we could do in proxmark. We wouldn't have to start anew from scratch, I think, but maybe have a separate mode for quadrature sampling. It seems a lot simpler to accurately determine PSK / ASK / whatever modulation scheme using that method instead of our current implementations which are not very robust.
Is there anyone else interested in exploring this?
@asper, on another note, how did you do the mifare reading? I would roughly go through these things...
* set the baseband frequency to 12.56 MHZ
* Shift the signal 1 MHz so 13.56 in centered
* Low-pass filter the signal. Check the waterfall graph to see how much bandwitdh is needed.
* Decimate heavily, you definitely don't need 20MHz channel width.
* Have the antenna *really* close to the signal source. Or, try to use an inductive antenna (coil) - e.g. a proper pm3 antenna. I used a pm3-antenna on my oscilloscope when doing the iclass-debugging.
* Do a recording to a file-sink. Then do the experimentation on the recorded file using a file sink.
Offline
I've been diving into sdr, as a pet project I am writing gnuradio-modules to interpret DCS (digitally coded squelch) from a handheld radio (they use DCS / CTCSS to have 'private' channels, by transmitting a sub-audible signal which signals that the squelch should be opened). It's nice to extract that, because then you can jump on any such transmission with the same dcs-key and join the party (I can use my computer to tell the kids it's dinner time).
Anyway, @asper wrote
- 8-bit quadrature samples (8-bit I and 8-bit Q): I don't know what it is, if someone can explain it I will be grateful !
Michael Ossman has been talking about that in videos 6 and 7. Particularly 7: http://greatscottgadgets.com/sdr/7/. I'm now starting to understand the benefits of using quadrature sampling, and can't help thinking about if that's something we could do in proxmark. We wouldn't have to start anew from scratch, I think, but maybe have a separate mode for quadrature sampling. It seems a lot simpler to accurately determine PSK / ASK / whatever modulation scheme using that method instead of our current implementations which are not very robust.
Is there anyone else interested in exploring this?
@asper, on another note, how did you do the mifare reading? I would roughly go through these things...
* set the baseband frequency to 12.56 MHZ
* Shift the signal 1 MHz so 13.56 in centered
* Low-pass filter the signal. Check the waterfall graph to see how much bandwitdh is needed.
* Decimate heavily, you definitely don't need 20MHz channel width.
* Have the antenna *really* close to the signal source. Or, try to use an inductive antenna (coil) - e.g. a proper pm3 antenna. I used a pm3-antenna on my oscilloscope when doing the iclass-debugging.
* Do a recording to a file-sink. Then do the experimentation on the recorded file using a file sink.
Thank you man for your answer. Unfortunately Gnuradio is still not working with HackRF under Windows so I cannot use it to manipulate the signal. I tested the ham it up converter but the signal is really worse (almost not visible) than without the ham it up converter so I think something is wrong with my ham it up or my antenna... also recordings done with SdrSharp are not so good so I am not able to "read" the waveform...
I will do more tests with your suggestions !
Last edited by asper (2014-10-14 21:10:02)
Offline