Mehdi, Feb 19, 2023, 15 tweets
I always optimize space on my electronics and hardware security workbench by using small and portable tools.

Here are some that I use that didn't exist a few years ago, and are much smaller and/or cheaper than their traditional alternatives:

#hamradio
#electronics
#hwhacking
🧵
FlipperZero is an open source portable multi-tool: NFC/RFID reader/emulator, IR transceiver, sub-GHz transceiver (CC1101 based), SPI/UART tool, and much more.
It can even function as a U2F token!
More info here: flipperzero.one
@flipper_zero
#flipperzero
TinySA Ultra: small spectrum analyzer with a 4" screen, covering 100 kHz to 6 GHz. Also works as a signal generator.
TinySA.org
NanoVNA family: a portable VNA. Comes in different sizes, brands and prices. Mine covers 50 kHz to 3 GHz.
ERASynth Micro: open source signal generator covering 12 MHz to 6 GHz. Was crowdfunded on @crowd_supply
Pinecil: portable soldering iron. Can be powered by a DC barrel jack or USB-C.
Made by @thepine64
I haven't used my Ersa station since I got this!
MHP-30: small cute portable hot plate preheater made by Miniware.
miniware.com.cn/product/mhp30-…
MEGO: portable power supply with built-in battery. Breadboard compatible. Outputs 4-24V.
Another product from Miniware: programmable & stackable DC power supply. The picture shows 3 products: MDP-P906, a 300W module, at the bottom; MDP-P905, a 90W one, in the middle; and MDP-M01, the control module, on top.
They can also operate independently (without the control module).
Tigard: an open source multi-protocol tool for hardware hacking designed by @securelyfitz
Supports UART, SWD, JTAG, SPI, I2C.
Portapack: add-on board for HackRF One to turn it into a portable SDR. Designed by @sharebrained
There are a few firmware options to choose from (I use Mayhem).
RF Power Meter by ImmersionRC.
Can measure the calibrated frequencies: 35, 72, 433, 868, 915, 1200, 2400, 5600-6000 MHz
Runs on the internal battery and has an internal 30 dB attenuator.
@newaetech's products. Depicted here: PhyWhisperer-USB: USB hacking device (sniffing, fuzzing, fault injection). ChipWhisperer Lite: side-channel power analysis tool. PicoEMP: electromagnetic fault injection tool (ChipShouter's low-cost sibling).
PCBite by @SensePeek
A kit containing magnetic PCB holders and probes with compressible needles to help with hands-free measurements (using a multimeter, logic analyzer or oscilloscope on a device).
It's important to keep in mind that not all of these tools can compete with more professional alternatives (especially the measurement tools); however, considering the price, I've found them very useful and accurate enough for hobbyist/DIY/amateur use cases.
End of the 🧵
More from @MehdiHacks

Dec 21, 2024
🧵 How to maintain and protect your expensive RF equipment?
If you have ever bought RF equipment, even the relatively low-tier ones, you know how expensive they can be, so it's essential to use and maintain them properly to ensure they last long.
Here are 5 tips:
1. Use a torque wrench for your SMA connectors. It protects the connector from over-tightening and ensures consistent force, reducing wear.
Here's mine (from Mini Circuits)
There are also wrenches for other connector types like N.
2. Use a DC block at your SDR/spectrum analyzer's input to protect against DC bias, especially when connecting to unknown devices.
I like Mini Circuits, Huber+Suhner, and Midwest Microwave.
Dec 13, 2024
🧵 How to hack wireless signals?
A short intro to replay attacks for beginners.

In this thread I will show you 2 ways to replay a simple wireless signal (a 433 MHz garage opener key).

Please note that I have intentionally chosen a basic device for educational purposes. Hacking real-world devices with more complex protocols and security features like encryption and rotating keys is not as easy. Here my focus is showing the underlying concept with the easiest attack (replay attack), for absolute beginners.

Disclaimer: this is purely educational content, done on a simple device, in a lab. Always consult your local laws before doing such wireless experiments especially on targets that don't belong to you.

1/6
Let's first talk about some basic concepts and keywords
Modulation: the process of changing a signal's properties (like amplitude or frequency) to carry information. Probably you have heard the name of some basic modulations like AM and FM.
ISM band: a set of frequencies reserved for industrial, scientific and medical purposes, in which many public non-licensed devices like parking remotes or even your WiFi modem operate. Example: 2.4 GHz, 433 MHz (Europe, Africa and Middle East), 915 MHz (Americas)

2/6
Now let's talk about the tools:
I will show 2 methods:
For the first one, we'll use FlipperZero.
For the second one we use an SDR (any SDR will do for receiving, but we need one with a transmitter to be able to emulate our parking remote. In this case I use HackRF, but LimeSDR/PlutoSDR/USRP/bladeRF would've worked too).

The first method is very limited (it only works on certain frequencies, like the 433 MHz we'll use here).

Here's a picture of the tools I will use, plus the target device.
The goal is to replicate the device functionality (successfully copying the garage opener button, which should blink the LED connected to its receiver).
The garage opener is a simple 433 MHz device with 2 fixed codes for opening and closing the door (or whatever you use it for: turning a light on and off).
The device consists of 2 parts: the remote transmitter, and the receiver unit.

3/6
Dec 8, 2024
🧵 What is amateur radio (also called ham radio), and why might it be worthwhile for a hacker to get into it?

I am a licensed ham radio operator. I have 2 call signs: an American one (NM9A) and a German one (DF2HF).
Many people don't know what ham radio is, and what we (ham radio operators or licensees) do.
In short, ham radio is DIY wireless experimentation: it lets you perform a series of operations and experiments on specified radio frequencies.
Let me be more specific, with more examples. Here's what you can do with a ham radio license:
- Send messages over the air (via antennas) to other licensed operators. Messages can be Morse code or digital data, or you could talk to each other over the radio spectrum!
- Perform experimentation: build antennas, receivers, transmitters, etc, and test them.
- Participate in contests against other licensed operators

1/7
There are 2 things to consider:
1. Ham radio does not use the Internet, and usually it doesn't use satellites (although it could use some amateur satellites as well). You send signals over the air. It's like, if there were no electricity or telecom/Internet infrastructure, all you need to communicate with other operators is a battery, a transceiver, and an antenna!
2. It's a hobby. It's non-commercial. For example you can't run a music broadcast service on radio, with an amateur license.

Sometimes people ask me why I don't use Skype/WhatsApp/etc. to contact others.
I have 2 answers:
1. Contacting others over air is just a small example of many things you could do in ham radio.
2. Contacting a person thousands of kilometers away using a piece of wire (e.g. a simple antenna) and 100W of power, without the Internet, is like magic! You have to try it for yourself.

Every country has a government organization to regulate the use of radio spectrum (e.g. FCC in the US, and BNetzA in Germany), both for amateurs and also commercial usage.
There are also big national organizations for ham radio that offer membership (ARRL in the US, DARC in Germany)

2/7
There are endless ways of contacting other amateurs over radio: you can use HF (0-30 MHz) frequencies that under ideal conditions can travel thousands of kilometers and allow you to have inter-continental contacts. Higher frequencies like VHF (30-300 MHz), UHF and microwave frequencies (e.g. the GHz range) are more limited in propagation, and sometimes need a direct path between the transmitter and receiver. For example, law enforcement uses VHF/UHF frequencies on their 2-way radios, which work in limited areas (e.g. in a city).
The very big antennas you have probably seen in amateurs' backyards are for HF (the lower the frequency, the bigger the antenna).

3/7
Dec 7, 2024
🧵 How to build an RF lab on a budget?
A hacker's guide to the most important tools for signal hacking/analysis.

Let's first introduce a few concepts and tools before actually jumping into the specific brands and models.
Depending on what you want to do, there are a few tools you need in your lab for frequency analysis, antenna testing, and RF measurements:
1. Spectrum analyzer: one of the most important tools in an RF lab. A device that lets you "see" signals. They mostly come in 2 shapes: either standalone (benchtop or portable, with its own display, working independently of a computer), or USB-based, which needs a computer.
It's like a receiver, receiving signals from its input port (e.g. from an antenna) and showing them to you.
2. Signal generator: as the name says, a device to generate signals. Like a transmitter. Important for many use cases (testing antennas, receivers, and many other RF accessories).

1/7
3. Network/antenna analyzer: used for testing RF components and accessories like attenuators, filters, antennas, etc.
4. RF power meter: to measure the output power of a transmitter or signal generator. Very useful for troubleshooting.
5. SDR (software-defined radio): it's like a receiver (or also a transmitter, for some models) which does the analog RF part in hardware, while the signal processing (e.g. modulation/demodulation) is done in software. You have probably heard of RTL-SDR or HackRF before.
6. Accessories: depending on your project/goal, you need cables, antennas, connectors, adapters, amplifiers, DC blocks, filters, attenuators, antenna switches, power splitters/combiners, etc.
7. Optionally, some books to get started with.

2/7
OK, now let's jump into introducing the tools.
Disclaimer: these tools can't replace high-grade lab tools that cost tens of thousands, but they are great for hobbyists, personal labs, and people who don't do RF for a living (e.g. people interested in signal hacking, amateur radio, etc.).
Also: these are my favorites. That doesn't mean there are no other great tools out there.

GenComm GC747A: a Swiss army knife of RF tools. It's a spectrum analyzer, signal generator, network/antenna analyzer, and RF power meter, all in one device!
It was used as a field LTE analyzer in South Korea by some telecom operators, and since 2018 you can find them sold 2nd hand on eBay (there are a few different models sold under GenComm and JDSU, with prices ranging from 1 to 3k).
It has an internal battery and can be used as a portable unit.
I don't use it much these days as I have more professional tools, but it's still a great value for the price.

3/7
Dec 1, 2024
🧵 9 Lesser-known features of Flipper Zero:

Flipper Zero is normally known for RFID/NFC hacking, sub-GHz signal hacking, and things like infrared. But it can do much more thanks to its open source nature, third-party firmwares, and extensibility (using add-on modules).
Here are 9 things you can do with it:

1/11
2FA: short for 2-factor authentication. It can act as a hardware 2FA token, similar to a YubiKey.

Disclaimer: I'm not saying you should use it as 2FA (I use a YubiKey personally and also at work); however, it can act as hardware 2FA (U2F over USB).

2/11
You could choose from unofficial firmwares that give your device additional capabilities.
I use "unleashed". It removes some of the Flipper Zero's restrictions, adds new apps, has a bigger database of IR remotes, more Mifare keys, protocol fuzzers, ... (Full list available on flipperunleashed.com)
3/11
Dec 1, 2024
🧵 How does an off-the-shelf car GPS jammer work?
A short thread.

There are many ways to perform radio signal jamming (and also to detect or protect against it); however, the most basic concept is this: a jammer saturates the input of the target's receiver system with noise, so that it can't receive/detect/decode the desired radio signal anymore. It reduces the signal-to-noise ratio.
It's like if you want to listen to someone, but I shout at you in close proximity, so you can't hear that person. (I hope experts don't shout at me for this simplistic example.)
There are many legal and illegal use cases for a jammer: military, law enforcement, car theft, protection against tracking etc.

1/4
The GPS jammer in this thread is sold on Amazon and AliExpress under different titles, but it's mainly meant to be used in cars (there are also more powerful handheld models covering multiple frequencies with higher power, to jam mobile signals).
Please note that running a jammer is illegal in many countries. This thread serves only an educational purpose.
For this thread, I was lucky to get some pictures and measurements done by @RFAmirhosein in his lab.
Here's how it looks inside.
It has 4 main components we're interested in. I have marked them:
1. 7805: a voltage regulator IC to convert the car's lighter socket voltage (12V) to 5V.
2. 555: timer IC generating the modulation signal (this is probably the most famous IC of all time).
3. Murata MQK301-1528: a VCO (oscillator) for the frequencies 1466-1590 MHz (the GPS L1 frequency is 1575 MHz).
4. The RF amplifier IC, amplifying the generated signal before sending it to the antenna.

2/4
Let's look at the frequency spectrum using a spectrum analyzer:
Left: spectrum before turning on the jammer.

Middle: wideband frequency spectrum after turning on the jammer (running a jammer with an antenna is not legal, so here the output of the jammer is directly connected to the input of the spectrum analyzer, using a cable, in a lab).
There are 3 peaks: one at 1.575 GHz (the GPS frequency, the main output of the jammer) and its 2nd and 3rd harmonics (basically 2x and 3x the output frequency).

Right: closer look at the 1.575 GHz frequency and the frequencies close to it. The output is about 13 dBm.

13 dBm (20 mW) might not be much power, but the GPS signal is millions of times weaker, so it doesn't take much power to jam it.

3/4