Flipper Zero Chat App - RF Signal Analysis via SDR
ฝัง
- เผยแพร่เมื่อ 14 ก.ค. 2024
- Learning some RF reverse engineering. Trying things out on the Flipper Zero subghz chat application.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity - วิทยาศาสตร์และเทคโนโลยี
Glad you enjoyed the training and you are continuing hacking around RF! ❤😊
You should get Jeff Geerling's dad on here to explain all this crazy RF stuff
Hope you'll make some more videos on SDR as you explore further, this was excellent as always!
Nice video! I wish there were more videos where people have problems (and asked for viewers' help).
I'm not 100% sure what chip is used in flipper zero (CC1101 I think?), but it's very possible that it has built-in hardware CRC check and it maybe that URH doesn't send that checksum. I did have similar problem back in 2018 when I started playing with CC1101 and URH but I ended giving up on it back then.
Sub-1 GHz module
Transceiver: CC1101
TX power: -20 dBm max
Frequency bands (depends on your region):
315 MHz
433 MHz
868 MHz
Yes, the cc1101 uses checksum. URH has a built in calculator for the cc1101 crc function.
Excellent video!! Hadn't heard of URH prior to this video and now i have a new tool to pair with the HackRF. Thanks and looking forward to more SDR experiments+lessons!
Love the videos, Matt!
I played around with esp32 microcontrollers and 433 mhz rx and TX modules and was able to detect and replay the doorbell at the office. Good for some pranks. I'm going to have to look up those tools you are using.
Thanks for your channel. There's really no one else doing hardware hacking tutorials at this level that I can find. I'm always learning from you. Keep it up and if you ever do a patreon or something, let me know. BTW I can't seem to get into your discord server. W
Thanks!! I'll look into the discord link
Thanks for the video, love the range of content!
The Generated Signal looks very overpowerd maybe reduce the Gain and then it works ?
Agreed. Reduce that gain. It's a garbled distortion mess if it's too close and too "loud".
awesome video man!
Interesting stuff.
I've personally never actually seen the Flipper chat actually work. I've picked up transmissions from it for other things, at least as far as verifying frequency.
If I know you by watching all your videos so far you will resolve the myth by extracting the flipper zeros firmware and modify in the way that URH can transmit as is and there we go :)
Joke a side, I always verify my regenenrated signal with another very cheap receive only SDR such as good old RTL-SDR dongle.
It feels like when you de-noise the signal clicking the button couple of times you may be loosing some part of the preamble of the signal.
Keep up the good work!
This was really interesting!
Awesome video 👏🏻😊
i dont know about rf modulation, but can there be any crc in the data being transmitted? incorrect crc will lead to false data but there should be something received on the other side. weird
awesome video!
Keep up the good work. Thanks for another interesting video. I used Arduino w/ an ESP8266 to be able to remotely control a projector w/ IR as well as a remote controlled (315MHz) outlet. It would be interesting to dissect some remotes and get the actual data.
For the problem at the end of the video, first thing comes up in my mind is check the datalink layer integrity protections, like polarity, CRC, there might be some of these checks that make the flipperzero abandoned your message. Just my guess.
In the generator set your carrier to 433Mhz, the information is encoded in shifting frequency an amount from the carrier. The shift amount is visible in your spectrum analyzer graph. Hope that helps.
great video. i love sdr hacking and reverse engineering. maybe combine them to reverse a car key or something? would be cool
The FCC won't let him be.
I doubt it since car keys use rolling codes
Another shot in the dark about your problem, if the carrier frequency is too similar to the signal you are trying to copy, then maybe you could mess with carrier frequency settings or dynamic range. Also, if the preamble is off by 1 bit, it won't work. Just throwing a couple ideas out, don't really know what I'm talking about very well.😂😂
got it. I'll definitely try all this out.
@@mattbrwn I believe that the la character is a sort of checksum, there are tool online that give you various checksum with an inputted string so you cold match the result from the string which starts with “FL” and usually ends with “\0”, “
” or
”…
Make sure that you didnt throw anything away like the "1" at the start of the synchronization, 101010..., it could represent a start bit or stop bit.
However, I believe there's a checksum to be placed somewhere at the tailend of the data. Need to figure out how the checksum is calculated and where it should be placed. I believe URH can help with that.
Please do More video on radio stuff ......................
Hi Matt, thank you for your videos. Have you thought about making videos about firmware repacking? Thank you for your motivations!
have one in the "Root Shell via Firmware Modification" vid. will try to do some more
Something like adding files / executables to the firmware and repacking it with firmware-mod-kit - for example.
@13:39, Y axis for amplitude, X axis for Frequency, since you are checking the FFT plot.
Ah my linked comment made my original comment disappear.
Looking online, Matt is correct about the axis' for the spectrogram.
"A spectrogram is usually drawn in two dimensions, with time along the horizontal axis and frequency on the vertical axis. Amplitude is also included, using color or grayscale. If you think of FFTs as snapshots, a spectrogram is a movie- a series of FFTs displayed in the order they occurred."
it looks like you really need a second sdr device, probably a cheap one, just to check what your main one is sending out
We Ham Radio Operaters use these Software Defined Radios, I have Both SDR play RSP Duo and Dx Models, and a Aldam Pluto, for DATV Reception,
Great Video. You have tried to send some message like aaaaaa,bbbbb,cccc and look if you can find a checksum/CRC.
Or maybe the message is prefixed with a length oder something like that. just Throwing out some ideas that have right know. But sadly i cannot test them because i dont have a sdr
What I would do is write out the generated signal to a file and do the same process as your original capture and see if you get the same thing out (or you can even look at the waveform and see if they seem to match).
Have you tried to change the name of the spoofed flipper? Could your flipper be ignoring the transmission because it thinks it is from itself. Just throwing that out there. I use meshtastic devices for some private communications and it is a mesh network that retransmits messages as a broadcast but the sending device doesn't see the message it originally sent out. Just a hunch but you might enjoy ham radio.
In the original replay that he did, the Flipper did display the messages even though they had the same device identifier.
The first bit should probably be deleted and not modulated along with the proper message. When you simply played back the transmission originally and the flipper received it ok, the bad noise bit wasn't modulated. Just a guess.
it looks like it does just transmit and receive plain ascii just modulated. definitely don't repeat it infinitely, the demodulator will think it is junk. The first bit could be a missinterpretation, you never know.
I have studied modulations, but only from electrical stand point, so I have no idea
Yes I believe he needs to delete first bit as it's not part of proper modulated transmission. Its a bit of noise I think
Is your problem possibly because you're repeating the signal infinitely with no buffer at the beginning and end of the message? How does the device distinguish the trailing bits from the beginning of the next signal without any delay or padding? Have you tried re-capturing the radio you're transmitting and analysing how that may be getting interpreted? Might need a second SDR to test that.
Have you got your udev rules setup? Linux does not know what to do with SDR hardware by default.
Also the 1/4 at the end is probably actually a checksum
Not trying to be a smarty pants but what is this exercise good for aside from a thought experiment? Is there any practical application?
Learning how to reverse engineer RF signals.
That looks more like PSK than pure FM and as others said, look for the CRC.
WHAT BUTTON DID U CLICK AT 15:42 A COUPLE OF TIMES TO CLEAR SOME NOISE?
CAPS LOCK
Verify your baud rate on both ends.
If you manage to fix it, you could even chat with gps data lolol
Intentional or coincidence that your volume is set to 69% 🤔...
Creepy device, that Flipper zero...no wonder that it get banned more and more...
Stay on it, seems that it will bring out some interesting things, even to me, where my raw knowledge of RF ends on 27Mhz CB radio things some 25yrs ago, that was quite interesting!
😮👍👍
Your waffling all over the place!
The brain thinks what the brain thinks 😁.
First
lots of good stuff, but I frankly have to cringe a lot watching your videos. You need someone to ping these things realtime against. The playback is slow, you can see progress of it - hence why the it replays every so often. Nothing to do with the antennae polarity !
I feel like that adds to the authenticity of the video. Has more of the bro showing you something cool instead of a college class feel. What do you think?
For sure I appreciate seeing the mistakes in real time, as well.