The Practical Guide to Radio Waves Hacking

. 8 min read

In this blog post, we are going to discuss how to generate some of the modulation types to send data from Arduino Nano and then receive it using GNUradio and GQRX to decode it to the original data sent.

Some of the things that we are going to cover in this post:

  • Create various sorts of modulation using Arduino Nano (not Uno or others)
  • Send data over 433MHz transmitter
  • Capture the traffic using RTL-SDR
  • Process it using GNURadio and Audacity to decode the modulation and recover the original data being transmitted.

In order to get started, we will need the following items:

Hardware

  • Arduino nano
  • 433MHz transmitter
  • RTL-SDR
  • Connecting Wires

Software

hardware-hacking

Step1 : Create various sorts of modulation using Arduino Nano.

What is Modulation?
Modulation is nothing but a carrier signal that varies in accordance with the message signal .To know more what modulation is, let us understand the two major categories of modulation:-

  • Analog Modulation
  • Digital Modulation

Analog Modulation

In analog modulation, analog signal (Sinusoidal signal) is used as a carrier wave that modulates the message signal or data signal.

radio-wave-hacking-software-defined-radio-SDR-analyze-radio-signals

How analog modulation works?

A carrier wave has three defining properties,which are amplitude, frequency, and phase. These three defining properties are used to create three types of modulation:

  • Amplitude Modulation
  • Frequency Modulation
  • Phase Modulation

Amplitude Modulation : In this type of modulation ,the amplitude of the carrier signal varies in accordance with the message signal, while other factors like phase and frequency remain constant.

Frequency Modulation : In this type of modulation,the frequency of the carrier signal varies in accordance with the message signal, while other factors like phase and amplitude remain constant.

Phase Modulation : In this type of modulation, the phase of the carrier signal varies in accordance with the message signal, while other factors like amplitude and frequency remain constant.

IoT-Training

Digital Modulation

Digital modulation is somewhat similar to analog modulation except the carrier wave is of discrete amplitude signal. For binary signal, it has only two levels, either high, logic 1, low, or logic 0.

The modulation scheme is mainly of three types-

  • ASK or Amplitude Shift Key
  • FSK or Frequency Shift Key
  • PSK or Phase Shift Key

Amplitude Shift Keying (ASK) : In this type of modulation, the amplitude of the carrier wave varies in accordance with the data signal. And if information is present, then it will be represented as 1 (high) else it will be always represented as 0 (low). This is also known as on and off keying.

Frequency Shift Keying (FSK): In this type of modulation, the frequency of the carrier waves varies in accordance with the data signal.

Phase Shift Keying (PSK) : In this type of modulation, the phase of the carrier signal varies in accordance with the message signal.

On and off Keying

Amplitude shift-keying (ASK) is a popular modulation technique used in digital data communication for a large number of low-frequency RF applications. The source transmits a large amplitude carrier when it wants to send a '1' and small amplitude carrier when it wants to send a '0' in its simplest form. On-off keying (OOK) modulation is a further simplification of this method, where the source sends NO carrier when it wants to send a '0'. In the simplest form, the presence of a carrier for a specific duration represents a binary one, while its absence for the same duration represents a binary zero.

We are going to transmit on and off keying modulated signal.

Step 2 : For sending this data, we have download the Arduino library for the RC_Switch, which contains the program for transmitting data on 433MHz from the URL – https://github.com/sui77/rc-switch

The source code can be downloaded here .

#include<RCSwitch.h>
RCSwitch mySwitch = RCSwitch();
void setup() {
    Serial.begin(9600);
 	mySwitch.enableTransmit(10); //Transmitter is connected to Arduino Pin 10
 }
 
void loop(){
	mySwitch.send("01100010000011000100000");
	delay(3000);
}

Step 3 : For sending the data over 433MHz, connect the 433MHZ transmitter with your Arduino.

This is how the Arduino connections would be overall –
Arduino 5V ⇐> VCC of transmitter
Arduino GND ⇐> GND of transmitter
Arduino D10 ⇐> Data of transmitter

Radio Signal Analysis : In the above we have already discussed about the modulation techniques, now we are going to analyze some radio signal. But, for signal analysis we need some hardware device to capture the radio signal and some software to display that signal.

HARDWARE

Device Function Range
HackRF RX/TX 1MHz – 6Ghz
RTLSDR RX 24MHz-1766MHz
DX Patrol RX 100KHz-2GHz
USRP N-series RX/TX 1MHz-6MHz
BladeRF RX/TX 300MHz-3.8GHz
FUNcube RX/TX 150KHz-240MHz & 420MHz-1.9GHz
SDRPlay RX/TX 10KHz-2GHz
LimeSDR RX/TX 100KHz-3.8GHz
AirSpy Mini RX 24-1800Mhz

In this blog we are going to use RTLSDR device.

SOFTWARE

  1. Gnu Radio Companion (GRC)
  2. GQRX
  3. SDR#,
  4. Inspectrum HDSDR,
  5. Linrad,
  6. Cubic SDR etc.

In this blog we are going to discuss Gnu Radio Companion (GRC),GQRX and Inspectrum HDSDR,

Step 4 : For capturing the traffic using RTL-SDR, we need to install the Gqrx.

Open the terminal and type

sudo apt-get install gqrx-sdr

Once done, plug the SDR device and type

lsusb

RTL-SDR is a very cheap dongle that can be used as a computer based radio scanner for receiving live radio signals in your area. Depending on the particular model it could receive frequencies from 24 MHz up to 1766 MHz.

Quoting Wikipedia GQRX is an open source software defined radio (SDR) receiver implemented using GNU Radio and the Qt GUI toolkit. Currently it works on Linux and Mac with hardware supported by gr-osmosdr, including Funcube Dongle, RTL-SDR, Airspy, HackRF, BladeRF, RFSpace, USRP and SoapySDR.

Step 5 : Now open the Gqrx software by typing gqrx in terminal and configure the I/o. In the device menu, select the device and then click ok.

Step 6 : Set the frequency at 433mHz (transmitter frequency).

Step 7 : Click on the start button for capturing the traffic.

By using gqrx, you will get to know the actual frequency of your transmitter which will always be with in the range of 432-433 MHz .

Step 8 : For processing the signal, we now need to install the Gnuradio companion.
Open the terminal and type

sudo apt-get install gnuradio

Quoting wikipedia GNU Radio Companion (GRC) is a graphical tool for creating signal flow graphs and generating flow-graph source code.

Step 9 : Once done, open the grc software by typing gnuradio-companion in terminal.
Draw the block diagram and change the sampling frequency.Now, click on Run for recording the signal and further change the frequency and sample rate.

The grc file can be downloaded here.

Waterfall plot and FFT sink

Step 10 : Download the Audacity for demodulating the signal. Once it’s done, open the wav file and start decoding. You will now get the actual signal which was transmitted.

Download the wav file sink here.

We have finally recovered the original on and off keying signal. We have transmitted 0 for a short duration of time and 1 for a longer duration of time.

Step 11 : Install the inspectrum for demodulating the signal. Once it’s done, open the file sink file and start decoding.
Download hex file from here.

Quoting wikipedia Inspectrum is a tool that can be used for analysing captured signals, primarily from software-defined radio receivers.that's basically used for measure the time period, symbol rate, symbol period, etc.

Sampling Plot : In the sampling plot, we can measure the number of samples/message bits that are transmitted by the source.

Frequency Plot : In the frequency plot, we can measure the time period and frequency of the signal.

Amplitude Plot: In the amplitude plot,we can measure the amplitude of the signal.

That’s all, folks! In case of queries, reach out to us at https://www.attify.com/contact-us/



Vaibhav Bedi

Interested in Reverse Engineering ,penetration Testing

Get IoT Security Training

IoT Pentesting Exploitation Training

Tags

analog modulation Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch arduino nano arm ARM binaries ARM course ARM exploitation book ARM exploitation video training ARM gadgets ARM Training attify attify badge attify training best security practices biggest iot attacks of all time binwalk blackberry pentesting blackhat ble BLE attacks BLE dangers BLE hacking and exploitation BLE security issues BLE sniffing BLE vulnerabilities bleah bluetooth technology box brut Exception BtleJuice capture radio traffic career in cybersecurity CCTV cameras challenges in iot retail chroot cloud based mobile application security scanner consulting CTF cyber attacks cybersecurity Damn Vulnerable iOS App dangers of iot DDoS attacks devops digital modulation dumping memory embedded hacking expert Exploit ARM devices exploitation exploiting ble exploiting smart devices firmadyne firmware analysis toolkit firmware emulation Firmware hacking firmware reverse engineering Flare-on frida getting started with firmware hacking GSMA guide to ARM exploitation hacked security IP cameras hacked smart devices hackers hackfest hacking smart devices healthcare business protection against iot threats healthcare cyber security how can healthcare fight iot threats How Mirai botnet infects your device How Mirai works how retail can prevent cyber attacks how to exploit ble how to hack radio waves how to protect iot devices how to secure iot device IDA internet of things Internet of Things Security internet security ios application security ios security iot iot attacks iot bots, malwares iot device IoT Devices IoT Exploitation iot hacking iot hacks IoT hacks on ARM devices iot penetration testing iot pentest iot pentesting iot security IoT security guidelines iot security training iot threats iot threats to healthcare industry iotsecurity IP cameras jtag jtag debugging latest iot attacks learn ARM exploitation measures to prevent cyber attacks on healthcare organisations Mirai Botnet mirai history mobile app mobile application security mobile application security testing mobile security monitor iot devices Mozilla network security in retail ninja recon technique NIST offensive iot exploitation ola cabs owasp owasp appsec penetration testers penetration testing pentesting pentesting mobile apps phishing attacks powerofcommunity PrinterSecurity privacy protection profession professional qemu quizup radio communication protocol radio coomunication radio waves hacking recent ARM attacks recent cyber attacks recent iot attacks recent security camera attacks retail iot Reversing safety measures to protect privacy sdr secure coding guidelines security security cameras security challenges in retail IoT security in healthcare iot security issue security issues faced by e-retailers security services security training security vulnerability setup smart devices smart user security social networking spi steps to prevent iot attacks on healthcare surveillance cameras hijacked threat modeling tools to exploit ble training uart Understanding Mirai Botnet virus vulnerabilities discovered in popular IoT IP cameras vulnerabilities in internet connected cameras vulnerability vulnerable ARM devices What is mirai botnet? why choose career in cybersecurity writeups xposed hooking zigbee zigbee exploitation zigbee security zwave

Instagram