Wireless Hacking With SDR And GnuRadio

0x01 信号捕获

市面上常见的无线遥控工作的频段,通常工作在315Mhz、433Mhz,也有少数的会采用868Mhz.915Mhz这几个频点。 我们可以用电视棒、HackRF、BladeRF等SDR硬件来确定遥控的工作频率: 打开软件按下遥控器后,能在瀑布图上看到明显的反应:

osmocom_fft -F -f 443e6 -s 4e6

gqrx

无线遥控中心频率:433870000

0x02 录制信号

SDR软件通常支持录制信号,可将遥控的信号保存为wav音频文件或者以.cfile、.raw格式保存。

这里用gnuradio-companion流图来实现信号录制以及信号重放。

左侧osmocom Source模块调用SDR硬件,我们设置其中心频率为433.874MHz,采样率为2M:

右侧上边 QT GUI Sink模块将捕获到的信号在瀑布图上展示出来,右侧下边的File Sink将录制到的信号保存为/tmp/key.raw文件:

执行流图,按下遥控前:

按下遥控:

转到/tmp 缓存目录:

0x03 信号重放

接下来再用gnuradio-companion写个信号重放的流图:

左侧File Source调用捕获到的key.raw信号文件,osmocom Sink调用HackRF、BladeRF将信号发射出去,与此同时QT GUI Time Sink、QT GUI Frequency Sink模块分别在屏幕上显示时间轴(时间域)、频率幅度(频率域),执行流图:

bingo!

0×04 演示视频 demo

https://v.qq.com/x/page/m0332e0zdo7.html

0x05 信号分析

inspectrum key.raw

信号分析&转码细节参考: 如何使用SDR+inspectrum逆向分析无线遥控信号 一文。

s = ''
a = [0.333033, 0.326189, 0.0332124, 0.388094, 0.326704, 0.0154539, 0.322883, 0.0270275, 0.0150091, 0.443235, 0.362946, 0.027745, 0.430879, 0.443824, 0.0277048, 0.330736, 0.0290668, 0.0133217, 0.376686, 0.0123277, 0.00931546, 0.446231, 0.397617, 0.0162406, 0.447861, 0.0050071, 0.0109479, 0.389289, 0.0271959, 0.0138626, 0.32109, 0.0268736, 0.0129828, 0.401142, 0.326009, 0.0303488, 0.379368, 0.0229494, 0.0134011, 0.318115, 0.346288, 0.017666, 0.333818, 0.326769, 0.0141554, 0.341832, 0.0291055, 0.0153984, 0.446665, 0.399975, 0.024566, 0.316297, 0.0159851, 0.010876, 0.428384, 0.444201, 0.0214323, 0.376211, 0.00628675, 0.0105036, 0.44565, 0.0195615, 0.012549, 0.445242, 0.366523, 0.0225733, 0.324775, 0.0192127, 0.0134437, 0.318991, 0.381386, 0.0149852, 0.00882163, 0.447015]
for i in a:
    if i > 0.1:
        s +='1'
    else:
        s +='0'
print s
python test.py 
 11011010011011010010011010010010011010011011010011010011010010011010011001
pip install bitstring`
python
import bitstring

bitstring.BitArray(bin='11011010011011010010011010010010011010011011010011010011010010011010011001').tobytes()

Image

Automated RF/SDR Signal Analysis [Reverse Engineering]

Payload: \x36\x9b\x49\xa4\x9a\x6d\x34\xd2\x69\x9

thanks for tresacton‘s help (GitHub)

0x06 Hacking The world with watch

德州仪器生产的EZ430 Chronos手表由于采用了MSP430芯片,该芯片支持发射1GHz以下频率的无线信号,覆盖市面上各种常见的无线遥控频率(315MHz、433MHz、868MHz、915MHz):

 6.1 开发环境搭建

到 TI德州仪器官网下载:(需注册账号) CCS studio (Code Composer Studio ):http://processors.wiki.ti.com/index.php/Download_CCS

FET-Pro430-Lite程序:http://www.elprotronic.com/download.html

SmartRF Studio : http://www.ti.com.cn/tool/cn/smartrftm-studio

以及GitHub上面的 miChronos项目代码:http://github.com/jackokring/miChronos

百度网盘:https://pan.baidu.com/s/1hsse2Ni

windows 7如果不是Service Pack 1 则需下载安装Windows 7 和 Windows Server 2008 R2 Service Pack 1 (KB976932)补丁,否则无法安装 Code Composer Studio 下载地址:https://www.microsoft.com/zh-cn/download/confirmation.aspx?id=5842

0x07 refer

Michael Ossmann: Software Defined Radio with HackRF, Lesson 11: Replay YouTuBe https://www.youtube.com/watch?v=CyYteFiIozM

TI eZ430-Chronos Hacking quickstart http://timgray.blogspot.jp/2012/12/ti-ez430-chronos-hacking-quickstart.html

The hackable watch: a wearable MSP430 MCU http://www.itopen.it/the-hackable-watch-a-wearable-msp430-mcu/

You can ring my bell! Adventures in sub-GHz RF land… http://adamsblog.aperturelabs.com/2013/03/you-can-ring-my-bell-adventures-in-sub.html?m=1

TI EZ430 Chronos watch, quick guide / tutorial to hacking the firmware https://www.youtube.com/watch?v=20dVNyJ8fYw&feature=youtu.be

Author:雪碧0xroot Blog

GSM Hacking Part ① :使用SDR扫描嗅探GSM网络

http://www.freebuf.com/articles/wireless/110773.html

作者:雪碧0xroot@漏洞盒子安全团队

GSM Hacking

0x00 前言

近期,发现Crazy Danish Hacker在YouTuBe发布了一个挺不错的教程视频:使用SDR嗅探监听GSM网络的通信流量(GSM Sniffing Teaser – Software Defined Radio Series)。该教程从电视棒的安装到扫描、嗅探工具的使用、GSM流量包的捕获解密都有详细说明演示:

http://v.qq.com/iframe/player.html?vid=u0317s0mw3n

作为搬运工,在这里将分两三部分参考&总结一下该教程的主要内容,输出一篇中文教程,希望能够给对这方面感兴趣的童鞋带来一定帮助。

0x01 环境搭建

OS:GNU Radio LiveCD

HardWare:电视棒(rtl-sdr)、HackRF、Bladerf 均可

1.安装编译依赖包

sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy

2.编译gr-gsm

git clone https://github.com/ptrkrysik/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig 

3.编译kalibrate

kalibrate-hackrf (HackRF用户)

git clone https://github.com/scateu/kalibrate-hackrf.git
cd kalibrate-hackrf
./bootstrap
./configure
make
sudo make install

kalibrate-rtl(电视棒用户)

git clone https://github.com/steve-m/kalibrate-rtl.git
cd kalibrate-hackrf
./bootstrap
./configure
make
sudo make install

0x01 扫描基站

1.1 kal

kal 
error: must enter channel or frequency
kalibrate v0.4.1-hackrf, Copyright (c) 2010, Joshua Lackey
modified for use with hackrf devices, Copyright (c) 2014, scateu@gmail.com
Usage:
    GSM Base Station Scan:
        kal <-s band indicator> [options]

    Clock Offset Calculation:
        kal <-f frequency | -c channel> [options]

Where options are:
    -s    band to scan (GSM850, GSM-R, GSM900, EGSM, DCS, PCS) //指定扫描的网络类型&频段
    -f    frequency of nearby GSM base station
    -c    channel of nearby GSM base station
    -b    band indicator (GSM850, GSM-R, GSM900, EGSM, DCS, PCS)
    -a    rf amplifier enable
    -g    vga (bb) gain in dB, 0-40dB, 8dB step
    -l    lna (if) gain in dB, 0-62dB, 2dB step
    -d    rtl-sdr device index
    -e    initial frequency error in ppm
    -E    manual frequency offset in hz
    -v    verbose
    -D    enable debug messages
    -h    help

kal -s GSM900 -g 40 -l 40 //扫描GSM900频段

Clipboard Image.png

1.2 gr-gsm (HackRF、BladeRF)

在编译完成的gr-gsm项目中,App目录里有用于扫描、解码gsm流量的脚本:

Clipboard Image.png

Clipboard Image.png

1.3 Bladerf 配合 SDR-sharp

通过上述方式,我们获取到了基站的一些参数信息,如:中心频率、信道、ARFCN值、LAC、MCC、MNC值等。这为我们接下来的工作提供了便利。那么windows用户有其它方式来确定基站的中心频率么?
Windows用户可通过SDR-sharp的瀑布图来确认基站的工作频率,由于HackRF性能问题,查看GSM频率时瀑布图效果不明显,所以我这里用BladeRF来实现这需求。由于SDR-sharp默认不支持BladeRF硬件,首先我们需为其安装硬件驱动,详情可参考:https://github.com/jmichelp/sdrsharp-bladerf

复制Release目录中的SDRSharp.BladeRF.dll到SDR主目录;

复制GitHub项目中的LibBladeRF目录下所有dll文件到SDR主目录;
在FrontEnds.xml文件增加

<add key="BladeRF" value="SDRSharp.BladeRF.BladeRFIO,SDRSharp.BladeRF" />

Clipboard Image.png

Clipboard Image.png

在SDR-sharp中加载BladeRF的FPGA固件:

Clipboard Image.png

最终效果:

CnSzzAMUAAAttef.jpg

0x02 Sniffer 嗅探

通过扫描我们获取到了基站的中心频率、信道、ARFCN值、LAC、MCC、MNC值等参数信息:

Clipboard Image.png

上图表明在937.4MHz、940.4MHz这两个中心频率发现GSM基站信号。

ubuntu@ubuntu:~/gr-gsm/apps$ ls
CMakeLists.txt  grgsm_livemon      grgsm_livemon.py  helpers
grgsm_decode    grgsm_livemon.grc  grgsm_scanner     README

ubuntu@ubuntu:~/gr-gsm/apps$ grgsm_livemon -h
linux; GNU C++ version 4.8.4; Boost_105400; UHD_003.010.git-197-g053111dc

Usage: grgsm_livemon: [options]

Options:
  -h, --help            show this help message and exit
  --args=ARGS           Set Device Arguments [default=]
  -f FC, --fc=FC        Set fc [default=939.4M]
  -g GAIN, --gain=GAIN  Set gain [default=30]
  -p PPM, --ppm=PPM     Set ppm [default=0]
  -s SAMP_RATE, --samp-rate=SAMP_RATE
                        Set samp_rate [default=2M]
  -o SHIFTOFF, --shiftoff=SHIFTOFF
                        Set shiftoff [default=400k]
  --osr=OSR             Set OSR [default=4]

我们来嗅探一下937.4MHz的基站:

grgsm_livemon -f 937.4

Clipboard Image.png

右侧终端显示成功捕获到了基站通信数据包。

0x03 Decode解密

3.1 安装WireShark

apt-get install wireshark

3.2 嗅探&解密

ubuntu@ubuntu:~/gr-gsm/apps$ ls
CMakeLists.txt  grgsm_livemon      grgsm_livemon.py  helpers
grgsm_decode    grgsm_livemon.grc  grgsm_scanner     README

ubuntu@ubuntu:~/gr-gsm/apps$ gnuradio-companion grgsm_livemon.grc

Clipboard Image.png

执行GRC流图:

Clipboard Image.png

sudo wireshark -k -Y 'gsmtap && !icmp' -i lo

捕获到的数据包如下:

Clipboard Image.png

解密方式可先参考GitHub:

Usage: Decoding How To · ptrkrysik/gr-gsm Wiki
Decoding-hopping-channels
在文章第二部分内容中,我们将使用鉴权后分配临时识别码 TMSI、KC对捕获到的GSM通信数据包进行解密。

第三部分,我们将根据gr-lte开源项目来讨论分析4G LTE基站的安全问题。(the gr-lte project is an Open Source Software Package which aims to provide a GNU Radio LTE Receiver to receive, synchronize and decode LTE signals.)

0x04 refer

https://github.com/ptrkrysik/gr-gsm/wiki/Usage

https://z4ziggy.wordpress.com/2015/05/17/sniffing-gsm-traffic-with-hackrf/

GSM Sniffing: Kalibrate-RTL Usage – Software Defined Radio Series #5

GSM Sniffing: Installing GR-GSM – Software Defined Radio Series #7

GSM Sniffing: Using GR-GSM – Software Defined Radio Series #8

*本文作者:雪碧0xroot@漏洞盒子安全团队,转载须注明来自FreeBuf黑客与极客(FreeBuf.COM)

永不消逝的电波(二)| HackRF入门:家用无线门铃信号重放

作者:雪碧 0xroot

0x00 前言

在第一篇文章:永不消逝的电波(一):无线电入门篇 我们了解了一下无线电的发展史以及无线电的一些物理知识,在第二篇里我们将用HackRF录制家用门铃的无线信号,然后重放门铃信号。

门铃从某宝买的,如图:

看到红色部分的时候,雪碧同学的表情是这样的:

好像买完什么,用不了多久就降价了,233…. 我可以退货再买吗?

0x01 环境搭建:

MAC下可以用gqrx和hackrf (需要有Xcode、Mac Port的支持)

sudo port install gnuradio
sudo port install hackrf
sudo port install rtl-sdr
sudo port install gr-osmosdr
sudo port install hackrf

 

sudo port install gqrx

 

也可以参考:在Mac上安装HackRF环境

0x02 步入正题:

安装完成以后,插入HackRF,终端执行 hackrf_info:

hackrf_info 
Found HackRF board.
Board ID Number: 2 (HackRF One)
Firmware Version: git-815d1f6
Part ID Number: 0xa000cb3c 0x00664f49
Serial Number: 0x00000000 0x00000000 0x583064c0 0x2640ad4b
#通过终端启动gqrx
gqrx

按下遥控器,我们可以看到信号的频率在314.100000Mhz(读作:314.1兆赫兹)左右

1Mhz=1000000hz;
1Khz=1000hz

314.1Mhz=314100000hz;

关掉gqrx启动hackrf

hackrf_transfer Usage:

Usage:
    -r  # Receive data into file. 把接收到的信号、数据保存到文件中;(信号录制)
    -t  # Transmit data from file. 从文件中提取、发送射频信号;(信号播放)
    -w # Receive data into file with WAV header and automatic name.
       # This is for SDR# compatibility and may not work with other software.
    [-f freq_hz] # Frequency in Hz [0MHz to 7250MHz].
    [-i if_freq_hz] # Intermediate Frequency (IF) in Hz [2150MHz to 2750MHz].
    [-o lo_freq_hz] # Front-end Local Oscillator (LO) frequency in Hz [84MHz to 5400MHz].
    [-m image_reject] # Image rejection filter selection, 0=bypass, 1=low pass, 2=high pass.
    [-a amp_enable] # RX/TX RF amplifier 1=Enable, 0=Disable.
    [-p antenna_enable] # Antenna port power, 1=Enable, 0=Disable.
    [-l gain_db] # RX LNA (IF) gain, 0-40dB, 8dB steps
    [-g gain_db] # RX VGA (baseband) gain, 0-62dB, 2dB steps
    [-x gain_db] # TX VGA (IF) gain, 0-47dB, 1dB steps
    [-s sample_rate_hz] # Sample rate in Hz (8/10/12.5/16/20MHz, default 10MHz).
    [-n num_samples] # Number of samples to transfer (default is unlimited).
    [-c amplitude] # CW signal source mode, amplitude 0-127 (DC value to DAC).
    [-b baseband_filter_bw_hz] # Set baseband filter bandwidth in MHz.
    Possible values: 1.75/2.5/3.5/5/5.5/6/7/8/9/10/12/14/15/20/24/28MHz, default < sample_rate_hz.
hackrf_transfer -r /dev/stdout -f 314100000 -a 1 -g 16 -l 32 -s 8000000

没按遥控器

按下遥控器:

由于hackrf_transfer后面没带解码参数,so我们看到一堆乱码数据;

0x03 录制信号&信号分析

录制遥控的无线信号:

hackrf_transfer -r door.raw -f 314100000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000

终端输出:

hackrf_transfer -r door.raw -f 314100000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000
call hackrf_sample_rate_set(8000000 Hz/8.000 MHz)
call hackrf_baseband_filter_bandwidth_set(3500000 Hz/3.500 MHz)
call hackrf_set_freq(314100000 Hz/314.100 MHz)
call hackrf_set_amp_enable(1)
Stop with Ctrl-C
16.0 MiB / 1.005 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.3 MiB / 1.004 sec = 16.2 MiB/second
16.0 MiB / 1.002 sec = 16.0 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.3 MiB / 1.003 sec = 16.2 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.005 sec = 15.9 MiB/second
^CCaught signal 2
 8.1 MiB / 0.510 sec = 15.9 MiB/second

User cancel, exiting...
Total time: 11.54724 s
hackrf_stop_rx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit

—————————————萌萌的分割线—————————————题外话—————————————

信号波形分析:

这里用到的软件是Audacity,导入录制的音频信号(未压缩原始数据)

然后出现如下界面:

使用默认参数,直接导入:

中间的那部分就是按下遥控时录制到的无线信号,我们使用Audacity的放大镜放大来看:

继续放大我们可以看到:

继续放大:

再放大:

这时经验比较丰富的童鞋可以通过图形,把无线射频信号转换成二进制数据:01010101**** ,接着可以把二进制写到GRC(Gnu Radio Cpmpainon),制作一个框图,使用GNC项目重放无线信号,大致方法如下:

启动Gnu Radio Cpmpainon :Kali Linux—->无线攻击—>Software defined Radio—>GnuRadio-Companion

源:在右侧Misc一栏找到Vector Source

通过搜索添加Repeat(old)、Moving Average、osmocom Sink

四个组件:

按照流程连线:

GNC用得不多,暂时还不上手,这种方法以后再试 :)

—————————————萌萌的分割线—————————————题外话结束—————————————

0x04 信号重放

使用hackrf_transfer重放信号:

hackrf_transfer -t door.raw -f 314100000 -x 47 -a 1 -s 8000000 -b 4000000

 

终端输出:

hackrf_transfer -t door.raw -f 314100000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000
call hackrf_sample_rate_set(8000000 Hz/8.000 MHz)
call hackrf_baseband_filter_bandwidth_set(3500000 Hz/3.500 MHz)
call hackrf_set_freq(314100000 Hz/314.100 MHz)
call hackrf_set_amp_enable(1)
Stop with Ctrl-C
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.004 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.000 sec = 16.0 MiB/second
16.3 MiB / 1.001 sec = 16.2 MiB/second
16.0 MiB / 1.003 sec = 16.0 MiB/second
16.0 MiB / 1.001 sec = 16.0 MiB/second
16.0 MiB / 1.005 sec = 15.9 MiB/second
16.0 MiB / 1.003 sec = 15.9 MiB/second
16.3 MiB / 1.003 sec = 16.2 MiB/second
 8.4 MiB / 1.004 sec =  8.4 MiB/second

Exiting... hackrf_is_streaming() result: HACKRF_ERROR_STREAMING_EXIT_CALLED (-1004)
Total time: 12.03184 s
hackrf_stop_tx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit

 

0x05 演示视频

http://v.qq.com/iframe/player.html?vid=d0173868gnw&tiny=0&auto=0
binggo

熊孩子的正确使用姿势是这样的:

for i in {1..999}; do hackrf_transfer -t door.raw -f 314100000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000; done

 

嗯,你没看错,重复播放九百九十九次 :)

0x06 参考:

Hacking fixed key remotes

Exploring Bluetooth & iBeacons – from software to radio signals and back.

中文版:HackRF嗅探蓝牙重放iBeacons信号

GNU_Radio入门_V0.99

*本文原创作者:雪碧(0xroot),转载请注明来自FreeBuf黑客与极客(FreeBuf.COM)

文章首发于FreeBuf

原文:http://www.freebuf.com/news/special/83650.html