Testing report: MAYHEM, the RF pentesting firmware for the HackRF/PortaPack.

This article, the first in a series, will walk you through the basics of the PortaPack MAYHEM firmware, its installation, and some hands-on testing of RF spoofing, denial-of-service and replay attacks.

The PortaPack is a roughly $200 add-on board for the HackRF One that bolts a screen and keypad onto the radio, so that with a battery pack you can take the HackRF into the field. It features a small touchscreen LCD and an iPod-like control wheel, which drive custom HackRF firmware that includes an audio receiver, several built-in digital decoders and transmitters. With the PortaPack no PC is required to receive or transmit with the HackRF.

What your PortaPack can do depends on the firmware you run on it. There are several options, but the MAYHEM firmware gives you by far the largest set of features. Listening to ships, planes or emergency services is hardly news to police-scanner owners, but with the PortaPack it is as easy as entering the right frequency.

Channel information for almost any police or fire department radio system can be found on the RadioReference wiki; as an example, it lists the scanner frequencies used for the annual Times Square New Year's celebration.

Where the MAYHEM firmware stands out is in its ability to receive and transmit data for digital messaging systems, remote controls, car sensors and more. It can even spoof critical beacon signals such as those from aircraft transponders or GPS satellites.

The decoders and transmit options available at the time of writing are shown in the screenshots below. Note that several of the transmitters could land you in serious trouble with the law, so exercise caution and only transmit what you are legally allowed to.

The PortaPack add-on for the HackRF was released several years ago, but its stock firmware never went much beyond audio reception and a few transmitters, and for a time the device was largely forgotten next to its sibling, the bare HackRF. Some years later the third-party 'Havoc' firmware by 'furrtek' greatly expanded the list of decoders and transmitters. Havoc is no longer maintained, so this article looks at the open-source MAYHEM firmware by 'eried', an actively developed fork of Havoc with even more features.

Another reason the PortaPack is becoming more popular is its falling price. Both the PortaPack and the HackRF are open-source hardware, so anyone can build their own from the published designs, and a "clone" built to those designs is as good as an original; with open hardware there is no such thing as a "genuine" unit. As a result, complete HackRF plus PortaPack kits can now be found from China for under $250, roughly half the $500 the combination cost when it was first released.

Installation

There are two versions of the PortaPack: the H1 and the H2. The H2 has a bigger screen, better controls and a built-in battery; radio capabilities are identical, since both rely on the same HackRF underneath. Both are fully supported by MAYHEM. I chose the cheaper H1 to save some money.

Installing the firmware is really easy. One of the nice characteristics of the HackRF is that it is practically impossible to brick: holding the DFU button while powering it on boots the LPC4320 into USB DFU mode regardless of what is in the SPI flash, so a bad flash can always be recovered from a PC. It is always recommended to update to the latest release of the project, since although some vendors ship units with the old Havoc or even with MAYHEM preinstalled, it is rarely the latest version of a project that adds improvements constantly.

Download the latest release from https://github.com/eried/portapack-mayhem/releases

Windows

  1. Connect the device via USB
  2. Switch to HackRF mode via the on-screen option (in the PortaPack)
  3. Double click flash_portapack_mayhem.bat and follow the instructions
  4. Reboot the device

Linux

  1. Connect the device via USB
  2. Switch to HackRF mode via the on-screen option (in the PortaPack)
  3. Upload the firmware with hackrf_spiflash -w new_firmware_file.bin
  4. Reboot the device

Hands-on Testing

The list of supported radio protocols in MAYHEM is impressive: Police Scanner, IQ file replay, microphone FM transmit with CTCSS, CTCSS decoder, frequency manager (save and load from SD card, with categories and notes), "Soundboard" WAV file player from files on the SD card, ADS-B receiver with map view, ADS-B transmitter (aircraft spoof), SSTV transmitter, fully configurable jammer, POCSAG transmitter, POCSAG receiver/decoder, Morse transmitter (FM tone and CW), OOK transmitter for common remote encoders (PT2262, doorbells, remote outlets, some garage doors, ...), RDS (Radio Data System) PSN, RadioText and Time groups transmitter, meteorological balloon radiosonde receiver (M10, M2K2, ...), AFSK receiver, AFSK transmitter (Bell202, ...), Nuoptix DTMF sync transmitter, French LCR (Langage de Commande Routier) message generator, street lighting control transmitter (CCIR tones), fully configurable RF signal generator, car TPMS decoder, car key fob spoofer (Subaru), Nordic nRF decoder, APRS decoder and transmitter, RSSI audio output as pitch (for direction finding), BurgerPager spoofer, and more.

For audio RX/TX you need a 4-conductor TRRS jack plug with the Left-Right-Mic-Ground arrangement. I believe that's the most common arrangement for Android headsets.

There are so many functions that I did not have the time or means to test them all, but I can attest that all the ones I tried work perfectly. Here are some examples.

RF REPLAY ATTACKS

The PortaPack can capture transmissions as IQ samples and later re-broadcast them over the air. Quadrature signals, also called IQ signals, IQ data or IQ samples, are used throughout RF engineering: they form the basis of signal modulation and demodulation, in hardware and in software, as well as of most signal analysis.

For simplicity, you can think of an IQ capture as a raw recording of the received spectrum with no demodulation applied, one that holds enough information to analyze and decode its content later. Conversely, a signal stored as IQ samples can be handed straight to the transmitter and sent back over the air.

Black Hills Infosec has a great introduction to RF Replay attacks over their blog. https://www.blackhillsinfosec.com/how-to-replay-rf-signals-using-sdr/

The best thing about the PortaPack is that you need practically no RF knowledge or experience to launch this attack, so it is very easy to check whether a system is vulnerable before investing time in analyzing the protocol in depth. A successful replay tells you the receiver accepts fixed, unauthenticated messages; a receiver that uses rolling codes or challenge-response will simply ignore the recording, and you will have to dig into the protocol.
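As an added example (not code from the original post or from the MAYHEM project), the Python below does the first thing you usually want to do with a field capture before replaying it: find where in the recording the transmission actually is, and cut the file down to that burst. It assumes the capture is in the C16 format MAYHEM writes, interleaved little-endian signed 16-bit I and Q samples with a sidecar .TXT holding sample_rate= and center_frequency= lines; that format assumption, the synthetic test capture and the threshold values are mine.

```python
# Added example: locate and trim the burst in a PortaPack IQ capture.
# Assumption: MAYHEM "C16" captures are interleaved little-endian int16 I,Q
# samples, with a sidecar .TXT such as "sample_rate=250000\ncenter_frequency=433920000".
import math
import random
import struct
from typing import List, Tuple


def parse_sidecar(text: str) -> dict:
    """Parse the key=value metadata file written next to a capture."""
    meta = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            meta[key.strip()] = int(value.strip())
    return meta


def load_c16(data: bytes) -> List[complex]:
    """Interleaved int16 I,Q bytes -> list of complex samples."""
    n = len(data) // 4
    ints = struct.unpack("<%dh" % (2 * n), data[: 4 * n])
    return [complex(ints[2 * i], ints[2 * i + 1]) for i in range(n)]


def find_bursts(samples: List[complex], sample_rate: int, threshold_db: float = 10.0,
                min_gap_s: float = 0.002, window: int = 16) -> List[Tuple[int, int]]:
    """Return (start, end) sample indices of every transmission above the noise floor.

    The envelope is a moving average of |s|^2 over `window` samples, so a single
    noisy sample cannot trigger; the noise floor is the 20th percentile of that
    envelope, which stays robust even when the burst is a large share of the file.
    Gaps shorter than min_gap_s (e.g. OOK zero bits) are kept inside one burst.
    """
    if len(samples) < window:
        return []
    power = [s.real * s.real + s.imag * s.imag for s in samples]
    prefix = [0.0]
    for p in power:
        prefix.append(prefix[-1] + p)
    env = [(prefix[i + window] - prefix[i]) / window for i in range(len(power) - window + 1)]
    floor = max(sorted(env)[len(env) // 5], 1.0)
    threshold = floor * 10 ** (threshold_db / 10)
    min_gap = int(min_gap_s * sample_rate)
    bursts, start, last = [], None, 0
    for i, level in enumerate(env):
        if level > threshold:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > min_gap:
            bursts.append((start, last + window))
            start = None
    if start is not None:
        bursts.append((start, last + window))
    return bursts


def trim_capture(data: bytes, burst: Tuple[int, int], sample_rate: int, pad_s: float = 0.001) -> bytes:
    """Cut the raw C16 bytes down to one burst plus a little padding for replay."""
    pad = int(pad_s * sample_rate)
    total = len(data) // 4
    start, end = max(0, burst[0] - pad), min(total, burst[1] + pad)
    return data[4 * start:4 * end]


def make_test_capture(sample_rate: int = 250_000, burst: Tuple[float, float] = (0.030, 0.045)) -> bytes:
    """Constructed input: 100 ms of weak noise with a 15 ms tone burst, as a remote might send."""
    rng = random.Random(1)
    out = []
    for i in range(int(0.1 * sample_rate)):
        t = i / sample_rate
        if burst[0] <= t < burst[1]:
            i_val = int(8000 * math.cos(2 * math.pi * 20e3 * t))
            q_val = int(8000 * math.sin(2 * math.pi * 20e3 * t))
        else:
            i_val, q_val = rng.randint(-60, 60), rng.randint(-60, 60)
        out.append(struct.pack("<hh", i_val, q_val))
    return b"".join(out)


if __name__ == "__main__":
    meta = parse_sidecar("sample_rate=250000\ncenter_frequency=433920000\n")
    raw = make_test_capture(meta["sample_rate"])
    for s, e in find_bursts(load_c16(raw), meta["sample_rate"]):
        print("burst %.4f s to %.4f s" % (s / meta["sample_rate"], e / meta["sample_rate"]))
```

On a real capture you would read the .C16 and .TXT from the SD card instead of calling make_test_capture, and write the trimmed bytes back (with a copy of the sidecar) so the replay app only keys the transmitter for the burst itself.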

REMOTE CONTROLS

Many of the remote-control systems in use today still rely on insecure protocols without any encryption or spread spectrum, and fixed-code systems remain widespread. That makes basic wireless remote control cheap to implement, but also utterly insecure. Such systems are commonly found in inexpensive wireless devices that control garage doors, fans, toys and even some alarm systems.

The PortaPack can send commands using several remote-control encodings, among them the PT2262/PT2272 family. These ICs use fixed address codes and have no encryption of any kind, so they are not high-security devices.

In the most common configuration the PT2262 encoder (and the PT2272 decoder paired with it) uses 8 address bits and 4 data bits. Keep in mind that these are tri-state bits, so each can be low (0), floating (F) or high (1), which gives only 3^8 = 6561 possible addresses. Capturing these codes from the air is incredibly easy with an SDR and software like rtl_433. Addressing is often set with solder pads, occasionally with jumpers and rarely with tri-state DIP switches. Note that the floating value (no solder bridge at all) is a perfectly valid state and works fine. It is therefore likely that thousands, perhaps tens of thousands, of installed PT2272 receivers were never given an address at all and simply answer to FFFFFFFF.
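Here is an added example (mine, not from the post or the MAYHEM code base) of what the OOK transmitter actually has to key for a PT2262 code word, and of how the same code is recovered from a list of pulse widths such as rtl_433 or a captured IQ file yields. The symbol timings follow the PT2262 datasheet; the alpha period of 100 microseconds, the jittered test capture and the 35 % timing tolerance are assumptions for the demonstration.

```python
# Added example: PT2262 tri-state code <-> OOK pulse train.
# Per the PT2262 datasheet each symbol is two pulses spanning 8 "alpha" slots
# (alpha = 4 oscillator periods); the sync symbol is 1 alpha high + 31 alpha low.
# A code word is 8 address + 4 data symbols + sync = 12*8 + 32 = 128 alpha.
from typing import List, Tuple

SYMBOLS = {"0": "10001000", "1": "11101110", "F": "10001110"}
SYNC_SLOTS = "1" + "0" * 31
SYMBOL_OF = {("S", "L", "S", "L"): "0",   # short high, long low, twice
             ("L", "S", "L", "S"): "1",   # long high, short low, twice
             ("S", "L", "L", "S"): "F"}   # short then long


def encode_pt2262(address: str, data: str) -> str:
    """8 address + 4 data tri-state symbols -> 128-character slot string (1 = carrier on)."""
    code = (address + data).upper()
    if len(address) != 8 or len(data) != 4 or any(c not in SYMBOLS for c in code):
        raise ValueError("need 8 address and 4 data symbols drawn from 0/1/F")
    return "".join(SYMBOLS[c] for c in code) + SYNC_SLOTS


def slots_to_pulses(slots: str, alpha_us: float) -> List[Tuple[bool, float]]:
    """Run-length encode slots into (carrier_on, duration_us) pulses: what the transmitter keys."""
    pulses: List[Tuple[bool, float]] = []
    for ch in slots:
        on = ch == "1"
        if pulses and pulses[-1][0] == on:
            pulses[-1] = (on, pulses[-1][1] + alpha_us)
        else:
            pulses.append((on, alpha_us))
    return pulses


def decode_pt2262(pulses: List[Tuple[bool, float]], tolerance: float = 0.35) -> List[str]:
    """Recover every complete 12-symbol code word from a (possibly truncated) pulse list.

    alpha is estimated from the shortest carrier-on pulse, so the decoder does not
    need to know the transmitter's oscillator resistor; each pulse is then classed as
    short (1 alpha) or long (3 alpha) within the given tolerance.
    """
    if pulses and not pulses[0][0]:          # capture started inside a low: drop it
        pulses = pulses[1:]
    pairs = [(pulses[i][1], pulses[i + 1][1]) for i in range(0, len(pulses) - 1, 2)]
    if not pairs:
        return []
    alpha = min(high for high, _ in pairs)

    def kind(duration: float) -> str:
        for n, name in ((1, "S"), (3, "L")):
            if abs(duration - n * alpha) <= tolerance * n * alpha:
                return name
        return "?"

    codes = []
    for k, (high, low) in enumerate(pairs):
        # A sync pair (short high, ~31 alpha low) closes the 24 pulse pairs before it.
        if kind(high) == "S" and low >= 20 * alpha and k >= 24:
            word = pairs[k - 24:k]
            symbols = [SYMBOL_OF.get((kind(word[j][0]), kind(word[j][1]),
                                      kind(word[j + 1][0]), kind(word[j + 1][1])), "?")
                       for j in range(0, 24, 2)]
            code = "".join(symbols)
            if "?" not in code:
                codes.append(code)
    return codes


def jittered_capture(address: str, data: str, repeats: int = 3, alpha_us: float = 100.0,
                     drop: int = 3) -> List[Tuple[bool, float]]:
    """Constructed input: `repeats` code words with +-5 % timing error and the first
    `drop` pulses missing, as a real capture that starts mid-word would look."""
    pulses = slots_to_pulses(encode_pt2262(address, data) * repeats, alpha_us)
    return [(on, d * (0.95 if on else 1.05)) for on, d in pulses][drop:]


if __name__ == "__main__":
    # The never-configured receiver: all eight address pads left floating.
    print(decode_pt2262(jittered_capture("FFFFFFFF", "0001")))
```

Because the whole key space is 3^8 addresses times 3^4 data words, the same encoder can enumerate every code a PT2272 receiver could accept in a few minutes of air time, which is why fixed-code remotes should never guard anything that matters.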

POCSAG

A pager (also known as a beeper) is a wireless telecommunications device that receives and displays alphanumeric or voice messages. Pagers became widely used by the 1980s. In the 21st century the widespread availability of cellphones and smartphones has greatly diminished the pager industry. Nevertheless, pagers continue to be used by some emergency services and public-safety personnel because of the reliability of paging systems, including during natural and man-made disasters. That resilience is why public-safety agencies still favour pagers over cellular and other commercial services for critical messaging.

There are several paging protocols, but the most common is POCSAG. It dates from the 1980s and, although more modern alternatives exist, it has become the de facto standard in the industry. Pagers have been under the scrutiny of security researchers for some time, as hospital pagers commonly spew unencrypted patient data into the air for anyone with a radio and a computer to decode. POCSAG is also used to remotely control industrial systems via text messages.

Using the PortaPack it is really easy to spoof POCSAG messages. All you need is the frequency, the RIC (the pager's address) and the bit rate the destination pager expects (512, 1200 or 2400 bps). All of this can easily be sniffed with the PortaPack's own POCSAG receiver or with a HackRF feeding software like multimon-ng. It is easy to imagine the harm this capability could do in the wrong hands.
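To make concrete how little a spoofer has to know, here is an added example (not from the post or the MAYHEM project) that builds a complete POCSAG transmission, preamble, sync and batches, for a given RIC, function and alphanumeric text, and a matching decoder that checks each 32-bit codeword's BCH(31,21) check bits and parity before pulling the RIC and message back out. The bit rate (512, 1200 or 2400 bps) and the FSK deviation are physical-layer settings outside this bitstream; the RIC 1234567 and the message text are constructed values, and zero-padding the final message codeword is my choice.

```python
# Added example: POCSAG codeword construction and decoding.
# Every codeword is 32 bits: 21 data bits, 10 BCH(31,21) check bits, 1 even-parity bit.
# Address codeword: bit31=0, 18 address bits (RIC >> 3), 2 function bits.
# Message codeword: bit31=1, 20 message bits. The low 3 bits of the RIC pick the
# frame (pair of codewords) within a batch of 8 frames that follows each sync word.
from typing import List, Tuple

BCH_POLY = 0x769            # x^10+x^9+x^8+x^6+x^5+x^3+1
SYNC = 0x7CD215D8           # frame synchronisation codeword
IDLE = 0x7A89C197           # fills unused slots in a batch
PREAMBLE = "10" * 288       # 576 alternating bits let the pager lock on


def bch_checkbits(data21: int) -> int:
    """Remainder of data(x)*x^10 modulo the generator: the 10 check bits."""
    reg = data21 << 10
    for i in range(30, 9, -1):
        if (reg >> i) & 1:
            reg ^= BCH_POLY << (i - 10)
    return reg & 0x3FF


def make_codeword(data21: int) -> int:
    cw = (data21 << 11) | (bch_checkbits(data21) << 1)
    return cw | (bin(cw).count("1") & 1)        # even parity over all 32 bits


def is_valid(cw: int) -> bool:
    return bin(cw).count("1") % 2 == 0 and bch_checkbits(cw >> 11) == ((cw >> 1) & 0x3FF)


def message_codewords(text: str) -> List[int]:
    """Alphanumeric payload: 7-bit ASCII, each character sent LSB first, 20 bits per codeword."""
    bits = "".join(format(ord(c) & 0x7F, "07b")[::-1] for c in text)
    bits += "0" * (-len(bits) % 20)             # assumption: pad the last codeword with zeros
    return [make_codeword((1 << 20) | int(bits[i:i + 20], 2)) for i in range(0, len(bits), 20)]


def encode_transmission(ric: int, function: int, text: str) -> List[int]:
    """Sync + batches holding the address codeword in frame (ric & 7) and the message after it."""
    words = [make_codeword(((ric >> 3) << 2) | (function & 3))] + message_codewords(text)
    stream: List[int] = []
    batch, pos = [IDLE] * 16, (ric & 7) * 2
    for w in words:
        if pos == 16:                           # message spills into the next batch
            stream += [SYNC] + batch
            batch, pos = [IDLE] * 16, 0
        batch[pos] = w
        pos += 1
    return stream + [SYNC] + batch


def to_bits(stream: List[int]) -> str:
    return PREAMBLE + "".join(format(w, "032b") for w in stream)


def decode_bits(bits: str) -> List[Tuple[int, int, str]]:
    """Return (ric, function, text) for each message found after the first sync word."""
    start = bits.find(format(SYNC, "032b"))
    if start < 0:
        return []
    words = [int(bits[i:i + 32], 2) for i in range(start, len(bits) - 31, 32)]
    messages, current, idx = [], None, 0

    def flush():
        if current is not None:
            ric, func, payload = current
            chars = "".join(chr(int(payload[i:i + 7][::-1], 2)) for i in range(0, len(payload) - 6, 7))
            messages.append((ric, func, chars.rstrip("\x00")))

    for w in words:
        if w == SYNC:
            idx = 0
            continue
        if is_valid(w):                         # a real pager would also try 2-bit error correction
            if not (w >> 31):                   # address (or idle) codeword ends any open message
                flush()
                current = None if w == IDLE else [((w >> 13) << 3) | (idx // 2), (w >> 11) & 3, ""]
            elif current is not None:
                current[2] += format((w >> 11) & 0xFFFFF, "020b")
        idx += 1
    flush()
    return messages


if __name__ == "__main__":
    print(decode_bits(to_bits(encode_transmission(1234567, 3, "HELLO WORLD"))))
```

Nothing in the codeword stream depends on a secret: the BCH bits are an error-detecting code, not an authenticator, so any receiver that has seen one page to a RIC has everything it needs to forge the next one.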

ADS-B

Automatic dependent surveillance–broadcast (ADS–B) is a surveillance technology in which an aircraft determines its position via satellite navigation and periodically broadcasts it, enabling it to be tracked. The information can be received by air traffic control ground stations as a replacement for older surveillance radar data, as no interrogation signal is needed from the ground.

The ADS-B standard provides no encryption and no authentication. Flightradar24, a Swedish internet-based service, shows real-time aircraft positions on a map built mostly from crowdsourced data gathered by volunteers with ADS-B receivers, plus satellite-based ADS-B receivers.

The confidentiality issues are well known: this data has been used to track government surveillance aircraft over protests in the US and to follow the private jets of dictators around the world. But there is also the danger of broadcasting false information about aircraft that do not exist.

In 2012 a security researcher claimed that ADS-B has no defence against spoofed messages, because they are neither encrypted nor authenticated. The FAA responded that it was aware of the issues and risks but could not disclose how they are mitigated, as that is classified.

TCAS (Traffic Collision Avoidance System) is another key component of flight safety. Designed to prevent mid-air collisions, it relies on the same transponders, and newer implementations also use ADS-B data, so it too is exposed to spoofing and jamming.

Since this is such a critical system, all my tests were carried out in a closed RF circuit, using a PortaPack as the transmitter and an RTL-SDR dongle running open-source ADS-B software as the receiver.

The tests showed that it is perfectly possible to emit false beacons by emulating aircraft transponders, but no signal was emitted over the air.
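The point made above, that the only integrity check in an ADS-B message is a CRC anyone can compute, is easiest to see in code. The Python below is an added example (not from the original post or the MAYHEM project): it assembles a DF17 aircraft-identification message (type code 4, the callsign broadcast) for a given ICAO address and callsign, appends the 24-bit parity field, and then parses frames back, rejecting anything whose CRC fails. The ICAO address 4840D6 and the callsign KLM1023 are taken from a sample message that circulates in ADS-B decoding tutorials; nothing here touches a radio, and, as the post says, any over-the-air test belongs in a closed RF loop.

```python
# Added example: build and verify ADS-B (Mode S DF17) identification frames.
# Frame layout (112 bits): DF(5) CA(3) | ICAO(24) | ME(56) | PI(24).
# For DF17 the PI field is just the CRC-24 of the first 88 bits: integrity only, no secret.
CRC_POLY = 0x1FFF409            # Mode S generator, degree 24
CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ##### ###############0123456789######"


def modes_crc(frame: bytes) -> int:
    """Polynomial remainder of the frame; 0 for an intact frame with PI appended."""
    crc = 0
    for byte in frame:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC_POLY
    return crc


def build_identification(icao: int, callsign: str, capability: int = 5, category: int = 0) -> bytes:
    """DF17, type code 4 (aircraft identification). Returns the 14-byte frame."""
    me = (4 << 3) | (category & 7)                  # TC=4 in the top 5 bits, emitter category
    for ch in callsign.upper().ljust(8)[:8]:
        me = (me << 6) | CHARSET.index(ch)          # ValueError for characters outside the 6-bit set
    body = (((17 << 3) | (capability & 7)) << 80) | ((icao & 0xFFFFFF) << 56) | me
    raw = body.to_bytes(11, "big")
    return raw + modes_crc(raw).to_bytes(3, "big")


def decode_callsign(me: bytes) -> str:
    """The eight 6-bit characters in the ME field of a type-code 1..4 message."""
    chars = int.from_bytes(me, "big") & ((1 << 48) - 1)
    return "".join(CHARSET[(chars >> (42 - 6 * i)) & 0x3F] for i in range(8))


def parse_frame(frame: bytes):
    """Fields of a DF17 frame, or None when the CRC does not check out."""
    if len(frame) != 14 or modes_crc(frame) != 0:
        return None
    me = frame[4:11]
    fields = {"df": frame[0] >> 3, "ca": frame[0] & 7,
              "icao": int.from_bytes(frame[1:4], "big"), "tc": me[0] >> 3}
    if fields["df"] == 17 and 1 <= fields["tc"] <= 4:
        fields["callsign"] = decode_callsign(me)
    return fields


if __name__ == "__main__":
    frame = build_identification(0x4840D6, "KLM1023")
    print(frame.hex().upper(), parse_frame(frame))
    damaged = bytearray(frame)
    damaged[5] ^= 0x01                              # one flipped bit anywhere is caught by the CRC
    print(parse_frame(bytes(damaged)))              # None
```

A receiver that accepts any frame passing parse_frame has done everything the standard asks of it; the CRC guards against bit errors, not against a transmitter that simply computes it. Position messages (type codes 9 to 18) are assembled the same way, with CPR-encoded latitude and longitude in place of the callsign.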

Jammer

MAYHEM includes a wide-bandwidth portable RF jammer. In this mode the device transmits various forms of noise to cause a denial of service against radio devices, including cell phones, cordless phones, Wi-Fi, remote controls and others. Several noise waveforms are supported, and you can transmit on up to 3 different bands chosen from the predefined lists or entered manually.

Testing it as a cell-phone jammer was fully successful at blocking the major mobile operators, as shown in the figure, although the average jamming range was approximately 10 feet. This limitation can be attributed to the use of rubber-duck antennas and low power, chosen to avoid jamming other users. Better antennas would increase the strength of the jamming signal.

Conclusion

The PortaPack is a very handy partner to the HackRF. It allows you to experiment with, record, listen to, decode and transmit RF signals without the need for a computer.

The biggest use we see for the PortaPack in information-security work is testing capture-and-replay attacks, and capturing IQ data in the field for later analysis back in the lab on a computer.

Many of the receivers and transmitters are fun to play with too, but you need to be responsible and careful with the MAYHEM firmware: there is huge potential for getting into trouble if you start transmitting where you should not. Limit your transmit tests to the 315 MHz band used by short-range devices in the US (433.92 MHz in Europe), FRS/GMRS channels, or the amateur radio bands if you hold a licence.

The PortaPack can also be switched into HackRF mode, in which it behaves as a standalone HackRF attached to your PC, giving access to the full range of PC-based capture and attack tools.