Flipper Zero Chat App - RF Signal Analysis via SDR
Vložit
- čas přidán 1. 07. 2024
- Learning some RF reverse engineering. Trying things out on the Flipper Zero subghz chat application.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity - Věda a technologie
Glad you enjoyed the training and you are continuing hacking around RF! ❤😊
Nice video! I wish there were more videos where people have problems (and asked for viewers' help).
You should get Jeff Geerling's dad on here to explain all this crazy RF stuff
Hope you'll make some more videos on SDR as you explore further, this was excellent as always!
I'm not 100% sure what chip is used in flipper zero (CC1101 I think?), but it's very possible that it has built-in hardware CRC check and it maybe that URH doesn't send that checksum. I did have similar problem back in 2018 when I started playing with CC1101 and URH but I ended giving up on it back then.
Sub-1 GHz module
Transceiver: CC1101
TX power: -20 dBm max
Frequency bands (depends on your region):
315 MHz
433 MHz
868 MHz
Yes, the cc1101 uses checksum. URH has a built in calculator for the cc1101 crc function.
Love the videos, Matt!
i dont know about rf modulation, but can there be any crc in the data being transmitted? incorrect crc will lead to false data but there should be something received on the other side. weird
Excellent video!! Hadn't heard of URH prior to this video and now i have a new tool to pair with the HackRF. Thanks and looking forward to more SDR experiments+lessons!
Thanks for the video, love the range of content!
I played around with esp32 microcontrollers and 433 mhz rx and TX modules and was able to detect and replay the doorbell at the office. Good for some pranks. I'm going to have to look up those tools you are using.
Thanks for your channel. There's really no one else doing hardware hacking tutorials at this level that I can find. I'm always learning from you. Keep it up and if you ever do a patreon or something, let me know. BTW I can't seem to get into your discord server. W
Thanks!! I'll look into the discord link
The Generated Signal looks very overpowerd maybe reduce the Gain and then it works ?
Agreed. Reduce that gain. It's a garbled distortion mess if it's too close and too "loud".
@13:39, Y axis for amplitude, X axis for Frequency, since you are checking the FFT plot.
Ah my linked comment made my original comment disappear.
Looking online, Matt is correct about the axis' for the spectrogram.
"A spectrogram is usually drawn in two dimensions, with time along the horizontal axis and frequency on the vertical axis. Amplitude is also included, using color or grayscale. If you think of FFTs as snapshots, a spectrogram is a movie- a series of FFTs displayed in the order they occurred."
awesome video man!
Interesting stuff.
I've personally never actually seen the Flipper chat actually work. I've picked up transmissions from it for other things, at least as far as verifying frequency.
This was really interesting!
Awesome video 👏🏻😊
awesome video!
Please do More video on radio stuff ......................
Keep up the good work. Thanks for another interesting video. I used Arduino w/ an ESP8266 to be able to remotely control a projector w/ IR as well as a remote controlled (315MHz) outlet. It would be interesting to dissect some remotes and get the actual data.
In the generator set your carrier to 433Mhz, the information is encoded in shifting frequency an amount from the carrier. The shift amount is visible in your spectrum analyzer graph. Hope that helps.
great video. i love sdr hacking and reverse engineering. maybe combine them to reverse a car key or something? would be cool
The FCC won't let him be.
For the problem at the end of the video, first thing comes up in my mind is check the datalink layer integrity protections, like polarity, CRC, there might be some of these checks that make the flipperzero abandoned your message. Just my guess.
Make sure that you didnt throw anything away like the "1" at the start of the synchronization, 101010..., it could represent a start bit or stop bit.
However, I believe there's a checksum to be placed somewhere at the tailend of the data. Need to figure out how the checksum is calculated and where it should be placed. I believe URH can help with that.
Another shot in the dark about your problem, if the carrier frequency is too similar to the signal you are trying to copy, then maybe you could mess with carrier frequency settings or dynamic range. Also, if the preamble is off by 1 bit, it won't work. Just throwing a couple ideas out, don't really know what I'm talking about very well.😂😂
got it. I'll definitely try all this out.
@@mattbrwn I believe that the la character is a sort of checksum, there are tool online that give you various checksum with an inputted string so you cold match the result from the string which starts with “FL” and usually ends with “\0”, “
” or
”…
What I would do is write out the generated signal to a file and do the same process as your original capture and see if you get the same thing out (or you can even look at the waveform and see if they seem to match).
Hi Matt, thank you for your videos. Have you thought about making videos about firmware repacking? Thank you for your motivations!
have one in the "Root Shell via Firmware Modification" vid. will try to do some more
Something like adding files / executables to the firmware and repacking it with firmware-mod-kit - for example.
it looks like you really need a second sdr device, probably a cheap one, just to check what your main one is sending out
Have you tried to change the name of the spoofed flipper? Could your flipper be ignoring the transmission because it thinks it is from itself. Just throwing that out there. I use meshtastic devices for some private communications and it is a mesh network that retransmits messages as a broadcast but the sending device doesn't see the message it originally sent out. Just a hunch but you might enjoy ham radio.
In the original replay that he did, the Flipper did display the messages even though they had the same device identifier.
WHAT BUTTON DID U CLICK AT 15:42 A COUPLE OF TIMES TO CLEAR SOME NOISE?
Is your problem possibly because you're repeating the signal infinitely with no buffer at the beginning and end of the message? How does the device distinguish the trailing bits from the beginning of the next signal without any delay or padding? Have you tried re-capturing the radio you're transmitting and analysing how that may be getting interpreted? Might need a second SDR to test that.
Great Video. You have tried to send some message like aaaaaa,bbbbb,cccc and look if you can find a checksum/CRC.
Or maybe the message is prefixed with a length oder something like that. just Throwing out some ideas that have right know. But sadly i cannot test them because i dont have a sdr
Have you got your udev rules setup? Linux does not know what to do with SDR hardware by default.
Also the 1/4 at the end is probably actually a checksum
it looks like it does just transmit and receive plain ascii just modulated. definitely don't repeat it infinitely, the demodulator will think it is junk. The first bit could be a missinterpretation, you never know.
I have studied modulations, but only from electrical stand point, so I have no idea
Not trying to be a smarty pants but what is this exercise good for aside from a thought experiment? Is there any practical application?
Learning how to reverse engineer RF signals.
That looks more like PSK than pure FM and as others said, look for the CRC.
Verify your baud rate on both ends.
If you manage to fix it, you could even chat with gps data lolol
Intentional or coincidence that your volume is set to 69% 🤔...
Creepy device, that Flipper zero...no wonder that it get banned more and more...
Stay on it, seems that it will bring out some interesting things, even to me, where my raw knowledge of RF ends on 27Mhz CB radio things some 25yrs ago, that was quite interesting!
😮👍👍
Your waffling all over the place!
The brain thinks what the brain thinks 😁.
First
lots of good stuff, but I frankly have to cringe a lot watching your videos. You need someone to ping these things realtime against. The playback is slow, you can see progress of it - hence why the it replays every so often. Nothing to do with the antennae polarity !
I feel like that adds to the authenticity of the video. Has more of the bro showing you something cool instead of a college class feel. What do you think?
For sure I appreciate seeing the mistakes in real time, as well.