HARDWARE HACKING VILLAGE - Hacking your HackRF

I'm Mike Davis. I'm here to talk about hacking your HackRF. Louder? Can you hear me now? Yeah, okay, I'll just shout a bit. I'm a little bit hungover and I've got a bit of a cold, so my voice is a bit deep. So I'm talking about hacking your HackRF. Basically the idea is to show you guys how to take a HackRF apart a little bit and maybe modify it and make it do some things it's not supposed to, which is kind of cool. I am elasticninja on Twitter, Mike Davis. I'm doing a master's in information security, and I love hacking stuff. I've done a lot of hardware talks and I bought this badge as well, so talk to me about that later if you want.

Okay, so what is a HackRF? I've actually got my HackRF on the table in front of me here, and it's a pretty sketchy setup there, but that's a HackRF, pretty much opened up. It's a software-defined radio and you can get it from Great Scott Gadgets. It's quite a nice, accessible device; it's three hundred and thirty dollars, I think, and it's open-source hardware, which is why I get all excited about it. So, oops.

So one of the fun things about a HackRF, if you want to change it, is actually taking it apart. The first time I did it there were a lot of bad cracking noises and I actually broke the case. I used the tool on the left, and if you go search on the internet there are quite a few talks about how to actually do it the proper way. The best way is to use Jared Boone's ShareBrained little guitar pick. He's got a very specific type, so you can just go buy one at the store and the thing just pops open. There's actually a 10-second video on it, so that's what you can look at.

So here's a map of the world of the internals of the HackRF. The top right hand section is just RF; like that, there's not a lot you can do in there, but you can change it in software, so that's the interesting part. But I'm going to focus on the other side of it, which is basically everything from the RF section onwards. If you go have a look at the baseband header you can get the raw 28 megasample, megahertz rather, at baseband, both the transmit and the receive, in there. The only problem I have with that header is I don't think it's a good RF header, so if you want to do something with that you probably want to replace it or maybe put something with better contacts in it. This is a CPLD; it does a lot of the heavy lifting, decimation and moving the data from the... so I didn't mention the front end, which is the little chip on the bottom left there, and that samples the raw baseband and turns it into digital data, so that's actually the bit that gives you the digital part of the SDR. So the CPLD is kind of like, I like to call it a weak FPGA, but that's not really what it is. It's a logic device you can program to map, I mean in this case I think it's mapping pins between the front end and the actual processor, does decimation and a whole bunch of other RF type activities. And then you've got the actual microcontroller itself with all the headers, and that's the bit that's pretty interesting for me.

And if you take a look at this, this is a GreatFET. So they've actually chopped the HackRF in half and just given you the bits on the left there, in a slightly different format and with a slightly different chip as well. But if you ask them about the GreatFET, it's quite a nice little device. I think they've done a lot of talks on, like, infrared and all that kind of thing, and basically you can also use it as a kind of logic analyzer as well if you want, which is quite a cool thing. So most of the work I've done has been in this little section here.
It involves a lot of this kind of thing: breadboards and little wires sticking all over the place. I've seen someone did a very nice PCB to join two HackRFs together. It was an academic project and I'll try and find that link, but it's really cool what they did. They worked on the CPLD side and multiplied that to synchronize two HackRFs. I focused on the processor side, and I failed, so anyway, I had a good time doing it.

So like I said before, one of the great things about the HackRF is that it's open source hardware. They publish all the schematics and you can go have a look through it. Really, you can go to Michael Ossmann's GitHub and just have a look at it in KiCad. When you're opening KiCad that's the kind of view you get; you can see all the traces between the different components, and if you do a little bit of work you can just get rid of all the layers that you don't care about and instead focus on the processor and the headers. For this particular thing the datasheet for the processor that they use is really hard; if you look for the pinouts it's somewhere in the middle of the document and I could never find it. I wanted to put it on the page here, but basically most of the pins that you would be interested in actually map to the headers.

Yeah, so the question is, is it just open source hardware, and are multiple manufacturers manufacturing it? Great Scott Gadgets designed it and make it, and I believe there's a thing called a Blue RF or something like that which is cheaper and uses cheaper components and breaks more often, and occasionally, if you ask them very nicely, they'll fix it for you. But I wouldn't recommend using it, especially because it's literally a clone that's using cheaper parts, so I'd rather support Great Scott Gadgets. But, I mean, you could make it yourself. I'll talk a little bit later about what I want to do and how I want to change it, so I'll be making a few myself and then making them open-source as well.

Yeah, okay, so it's got a... I didn't put the name on it; the LPC4320 is on the HackRF. Like I said, that datasheet is terrible in terms of just trying to find the pinout. Usually it's in the first ten pages, but in this case, I checked last night, I couldn't actually find it. But it has everything you need in there to do what you want to do. It's got two cores: it's got an M4, which is a reasonably powerful kind of processor, and then it's got a little M0 sitting on the side. It's kind of difficult to get them to communicate, but you can actually pass data between them, so that's useful for things like driving displays and doing all that kind of thing while the main processor does a lot of the hard work. As I'll show you later, there's DMA in there, as you'd expect from a modern processor, and in a lot of the HackRF code the main loop doesn't actually do anything; most of the work is done in DMA. So if you want to fiddle in there it's a little bit of assembly and that kind of thing, but it's not a lot of code. It can drive an SD card, can drive Ethernet, it's got ADCs and DACs so you can do things like sample microphones and output to speakers and that kind of thing. It's pretty cool, and there's all the rest of the kind of things you'd expect.

Just a quick overview of all the different headers. There's four headers. This P22 has got stuff like the clocks and SPI; you can see it in the bottom left there. I didn't use this very often. P28 header, these are all the ones that are surrounding the actual processor; again this is SD card stuff. There's your baseband header and, like I said, I haven't tried it, but I'm not sure that you'd actually be able to get the quality of signal you want out of it, but I haven't really tried it. And this is the one that I'd normally play with. It's got a whole bunch of things: you can get voltage into it, you can get voltage out of it, a lot of ground pins, and a whole bunch of GPIO pins that are kind of useful.
Okay, so the firmware is also open source, so you can just go to Michael Ossmann's git repo and you can play with the firmware. As I said before, the typical main loop is just setting up USB, mainly, and then just sitting in a while(true), so it doesn't really do a lot. Normally I take this out and replace it with something else, and in this case I want to show off a little bit the typical kind of hello world, which is a blinky LED.

I believe so, but I'll tweet them out, elasticninja, to make it easy. Have you got it? Yeah, okay.

So I mean, if you want to blink a light, typically you have to interact with GPIO pins, general purpose I/O pins. In this case it's neatly wrapped up. They've got three LEDs in the front of the HackRF, so this is neatly wrapped up in led_on, led_off and led_toggle, and so you can literally, for hello world, replace the whole main loop with just led_on, delay for half a second, led_off and delay again. And I'm going to try my best not to break this, so you can see the green light, I hope, and that is currently blinking. So that's basically that code there, just blinking every half second or so.

Okay, so when you program the device normally there's hackrf_spiflash, and that just interacts with the USB and then pushes your binary into the flash chip, and as soon as you reboot it loads off that and it's fine. But I tend to remove the USB handling, because most of what I'm doing doesn't actually have USB attached to it, so after breaking the USB you have to use dfu-util. It's super easy: just push the DFU button on the front, reset it, and then it's in DFU mode, and that'll get your code onto the device. Getting it back is an interesting exercise in git resets and that kind of thing.

Okay, so that's the typical loop, I mean that's the base of the loop. So the question is, how do you break USB, or why does it break, where was the code? So this is the actual main loop in the normal code, and as you can see there's two sets of USB kind of transfer code, and it runs continuously. As soon as you take that out, I think within a couple of seconds the device times out and it stops responding to USB; in terms of the host, actually, I forgot my word, but it disconnects it. So it's very quickly not useful as a USB device. I mean you can leave this stuff in here, but if there's no USB device connected while your stuff is running, weird things happen, so I just take it off. Yeah, okay.
So I did the blinky demo, all right.

Right, so obviously you want to do something useful with a HackRF if you don't want to just blink an LED, or you may want to do that. But there's quite a few interesting other open-source projects. There's the PortaPack, which I'll describe later. I've got a badge that I wrote, so I used some of that code. And if you dig around in the HackRF code itself there's a lot of bits of code that actually access the hardware in interesting ways; like, there's a blinky demo in the actual HackRF source code, so you can go dig around there and have a look. But PortaPack is actually a thing to look at if you want to build something that's not a host-based SDR, or a host-connected SDR, and I'll show you that just now.

One of the more interesting things about what I've been doing is trying to power a HackRF without blowing it up. So what I like to do is push it into the USB bus, which means that I run the risk of blowing up my computer when I program it, but if you're careful enough you can basically power it off that. You put 5 volts into the VBUS and then it manages the rest itself, so you can even, fun really, plug a battery in there. There is actually a VBAT pin, but I haven't tried that; I'm not actually sure what that does, but it says battery. Sorry, okay, yeah, that makes more sense. But if you want it, you really need to give it five volts and then everything's happy. So, okay.

So I built up a shaky demo. Basically, I'll show you the code now, but it sits in the loop and it pulls the 2.4 gig spectrum into little bins and then tries to display it on my little badge here. I did it in my hotel room, so it's a little bit sketchy, but it kind of works. Also the contrast is a bit rubbish, I don't know if you can see that, but in theory that's the 2.4 spectrum just doing a waterfall down here. Again, the PortaPack does a much better job of this and it's a really nice sort of device, but if you wanted to put a display on, there's also display drivers on that. Well, there's a display driver on the actual HackRF as well, so you could plug that in. So this is just bit-banged SPI talking to my badge, anyway.

So the reason I started all of this was I wanted to have multiple HackRFs synchronized so I could do TX and RX, or I could do, like, multiple to the whole band of Wi-Fi, or in the one case it was direction-finding. So that was my actual intent and the reason I started taking my devices apart. I also have far too many HackRFs because I was trying to do that kind of thing, so if you want to buy one... anyway. But so it was relatively simple; it's just basically plugging a few GPIOs together and synchronizing the clocks. So you'll see on the HackRF there's two ports on the back and they're for accepting or transmitting a clock. And the clock in the HackRF is not that great, so it drifts a bit. I think it's just a standard, or relatively standard, crystal and it's got 20 to 100 ppm kind of accuracy, so there are changes you can make to it to get much better. So doing things like GPS and that kind of thing you can actually do with a HackRF, but you need to do a lot of work. Anyway, so the problem with this approach is you've got multiple USB ports that you have to synchronize, and it turns out that synchronized USB is actually a terrible idea, so it doesn't actually work. But for very low bandwidth signals you can actually get away with it, so the difference between the time of arrival of packets and that kind of thing, you can get away with it. But I gave up on that project and I started thinking about cutting a HackRF in half.

So the idea is that what I want to do is take the RF section on one side, not physically cutting it, sorry, but I don't know what would happen, but take an RF section on one side and put the processing section on another, and then hopefully make little boards that I could plug multiple RF sections into. And then the discussion becomes what kind of processor do you use and how do you get all that data across, so then all of a sudden I'm working with USB 3, FPGAs and that kind of thing. So I've kind of put it on a shelf for now, but I've still got a dream about it; it's something I'd really like to do. And there is actually a board out there that does multiple... it adds another radio section to the HackRF. I've forgotten the name of it, but it's a work in progress, and I think that might be the easier part, I'm not sure. But if you have a look around Michael Ossmann's GitHub repo you'll actually find it there, like all of the boards, the GreatFET and everything, are there. So if you wanted to go make one and give me one that'd be great. But anyway, so that's a project I'm working on.

I also fly drones, and that's a picture of my drone hanging off a wire that took me ages to get off of there. But one of my projects is actually to put HackRFs, or one HackRF that I'm willing to risk, onto a drone and use it in place of the FPV gear that you can buy commercially. So FPV gear that you can buy commercially is pretty shockingly bad stuff: it's an FM modulated video signal and it doesn't do well with interference, it doesn't do well with bad antennas. So I thought maybe I could do better, so I've been strapping a HackRF onto it and trying to receive a signal, and I'm getting somewhere, you know, but I'm always worried about, you know, landing up on something and then my HackRF is gone. So anyway.

So all the things I've been talking about are kind of encapsulated in the PortaPack. You can buy it at the vendor area. It's got a little screen, it's got buttons, it's got a battery, it's got all the things in there. I haven't bought one because I like to break stuff myself, but this thing is pretty cool if that's all you're looking for. Okay, yeah, and that is pretty much my talk.