SDR and non-SDR tools for reverse engineering wireless systems

Hey there!
The God of frequencies Michael Ossmann visited us again this year at the TROOPERS16 and showed us how to break another device using a specific setup.

Last time he introduced the HackRF One to us (Read here:, but this post is a short summary of his talk about “Rapid Radio Reversing”, he is a wireless security researcher, who makes hardware for hackers. Best known for the HackRF, Ubertooth, and Daisho projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

In his talk he demonstrates how helpful it can be to use a combination of both SDR and non-SDR tools for reverse engineering wireless systems. He uses both HackRF One and YARD Stick One to reverse engineer a wireless cabinet lock called StealthLock. He is also showing the advantages and disadvantages of both SDR and non-SDR. SDR (HackRF One):

The strengths of SDR’s are:
– Every waveform over the air can be analyzed in software
– Wide-range of frequency

Weaknesses of SDR’s are:
– Hard learning curve
– requires much and complex code for more difficult things
=> Good for:
– detecting a signal
– detecting frequencies device is working on
– detecting unknown modulations
– Replay attacks (Record & Play)

Non-SDR (YARD Stick One):
=> Good for:
– Getting Started (less to learn)
– Speed advantage

His conclusion and way to success is to use both, otherwise it wouldn’t be possible to reverse devices that “rapid”.

First he was getting some general information`s about the device for example which frequency it was sending and receiving. He uses to speed up the process of finding frequencies, by the way there is also a Chinese one called ““.

He used the HackRF One to get the traffic between the remote and the lock and started reversing the always repeating signals sent by the remote-control.

1. He started using the tool “inspectrum” to look at the transmissions being made by the remote

1.1 It looked like the remote spams the passcode being typed by the user and hopes for being recognized by the door-lock

2. RFcat in combination with YARD Stick One to capture the packets being sent, after some different passcodes it was obvious which bytes of data always change and then he could identify, which of the bytes were the numbers of the sent data.

3.He uses scripts to get started reversing more, after some different passcodes it was obvious which bytes of data always change and then he could identify, which of the bytes were the numbers of the sent data

In the end of his talk he was able to brute force any give password and even able to set any password you couldn’t set in the remote, because it only had the numbers ( Characters abcd f. ex.)

If you are interested in any technical details or demonstrations please take a look at the slides or the video recording.

Kind regards,

Tom Wellinger