0x55aa
ā† Back to Blog

HackRF One: The SDR That Can Talk Back (And Why That Changes Everything) šŸ“”

ā€¢14 min read
"rf""sdr""wireless""hobby""hackrf""signal-analysis"

HackRF One: The SDR That Can Talk Back (And Why That Changes Everything) šŸ“”

Hot take: The moment I plugged in a HackRF One and successfully transmitted my first test signal, I felt like a wizard. Then I immediately unplugged it because I realized I should probably read the manual before broadcasting anything near aircraft frequencies. Turns out, transmitting RF requires a LOT more responsibility than receiving.

But man, what a rabbit hole it opened up. šŸ°

I've been the "passive observer" in the radio spectrum for a while ā€” tracking planes with my RTL-SDR, decoding satellite images, listening to air traffic control. It's amazing. But RTL-SDR is read-only. It's like being able to read every book in a library but never being allowed to write. The HackRF One handed me a pen. And some very specific rules about where I'm allowed to write.

What Even Is HackRF One? šŸ¤”

Quick recap for the uninitiated:

RTL-SDR: $25 USB dongle, receive only, 500 kHz ā€“ 1.7 GHz. Amazing for listening.

HackRF One: ~$350 USB device, receive AND transmit, 1 MHz ā€“ 6 GHz. Terrifyingly powerful.

The key difference: HackRF One is half-duplex (either transmit OR receive at a time, not both simultaneously). It samples at up to 20 MHz bandwidth. And it can generate signals, not just capture them.

As a developer exploring radio frequencies, I think of it this way:

  • RTL-SDR = READ access to the spectrum
  • HackRF One = READ + WRITE access to the spectrum

And you know what they say about WRITE access... you'd better know what you're doing. šŸ˜…

My Journey From RTL-SDR to HackRF (The Upgrade Story) ā¬†ļø

After about six months of obsessive RTL-SDR usage, I kept hitting the same wall: I could see signals I wanted to understand, but I couldn't replay or generate them to study how they worked.

The moment that pushed me over the edge:

I was looking at a mystery signal on 433 MHz. Repeating burst. Probably a cheap weather station sensor. I could decode the data with rtl_433. But I thought: "What happens if I replay this signal? Would the receiver think it's getting a fresh reading?"

With RTL-SDR: "I'll never know."

With HackRF One: "Time to find out." šŸŽÆ

(Spoiler: Yes it worked. In my own lab with my own devices. This is exactly why security researchers use this stuff!)

What the HackRF One Actually Does Differently šŸ”¬

The Hardware

RTL-SDR V3:
ā”œā”€ā”€ Chipset: RTL2832U + R820T2
ā”œā”€ā”€ Frequency: 500 kHz - 1.7 GHz
ā”œā”€ā”€ Sample Rate: 2.4 MSPS
ā”œā”€ā”€ Direction: Receive only
ā”œā”€ā”€ Price: ~$25
ā””ā”€ā”€ Use case: Learning, listening, exploring

HackRF One:
ā”œā”€ā”€ Chipset: MAX2839 + MAX5864 + RFFC5072
ā”œā”€ā”€ Frequency: 1 MHz - 6 GHz
ā”œā”€ā”€ Sample Rate: 20 MSPS
ā”œā”€ā”€ Direction: Half-duplex TX/RX
ā”œā”€ā”€ Price: ~$350
ā””ā”€ā”€ Use case: Research, testing, education, security

What fascinated me about HackRF: The 20 MHz bandwidth means you can capture and replay wide chunks of spectrum in one shot. My RTL-SDR struggles with anything over 2.4 MHz without dropping samples. HackRF eats 20 MHz and asks for more.

The Software

The HackRF works with most of the same tools I already loved:

# Install HackRF tools
sudo apt-get install hackrf

# Verify HackRF is detected
hackrf_info
# Output:
# Found HackRF One...
# Firmware Version: 2023.01.1
# Part ID Number: 0x...

# Listen to FM radio (same as RTL-SDR, different syntax)
hackrf_transfer -r fm_capture.bin -f 104500000 -s 2000000 -l 32 -g 20

# Use with GQRX or SDR# for visual spectrum

With GNU Radio: Oh boy. This is where HackRF really shines. You can build signal flowgraphs that generate, modulate, and transmit custom waveforms. It's like having a programmable radio station.

The Stuff That Made My Jaw Drop āœØ

1. Replaying Captured Signals (In Your Own Lab!)

This was my first "whoa" moment. The classic demo:

# Step 1: Capture a signal (e.g., from a garage door remote - YOUR OWN!)
hackrf_transfer -r captured_signal.bin -f 315000000 -s 2000000 -l 40 -g 20

# Step 2: Replay it back
hackrf_transfer -t captured_signal.bin -f 315000000 -s 2000000 -x 20

What I tested: My own cheap RF power strip (433 MHz). I captured the ON signal, saved it, and could replay it from software. The switch clicked on. I made my desk lamp blink by code. At that moment I felt like a wizard AND a security researcher simultaneously. šŸ§™ā€ā™‚ļø

What this teaches you: How replay attacks work. Why "security by obscurity" in wireless protocols is a joke. Why rolling codes (used in modern car fobs) actually matter.

2. Transmitting Custom Signals with GNU Radio

In my RF experiments, generating a custom AM-modulated signal is about 20 lines of Python in GNU Radio:

# GNU Radio Python snippet - transmit a 1 kHz test tone on 100 MHz
# (In a shielded lab environment, obviously!)
from gnuradio import gr, blocks, analog
import osmosdr

class test_transmit(gr.top_block):
    def __init__(self):
        gr.top_block.__init__(self)

        # Signal source: 1 kHz sine wave
        self.source = analog.sig_source_f(32000, analog.GR_SIN_WAVE, 1000, 0.5, 0)

        # Convert to complex (needed for RF)
        self.to_complex = blocks.float_to_complex(1)

        # HackRF sink
        self.sink = osmosdr.sink(args="hackrf")
        self.sink.set_sample_rate(2e6)
        self.sink.set_center_freq(100e6)  # 100 MHz
        self.sink.set_gain(14)

        # Connect blocks
        self.connect(self.source, self.to_complex, self.sink)

This works. And that's exactly why the legal section below is not optional reading.

3. Signal Analysis at 20 MHz Bandwidth

Remember when I said RTL-SDR is limited to ~2.4 MHz bandwidth? With HackRF I can see 20 MHz of spectrum at once. For things like:

  • Watching WiFi channel hopping (2.4 GHz)
  • Seeing the full LTE uplink/downlink structure
  • Capturing burst signals that happen faster than RTL-SDR can catch
  • Analyzing spread-spectrum signals properly

As a developer, it's like going from a 640x480 display to 4K. You just see MORE.

Real Projects I've Done With HackRF šŸ“š

Project 1: Weather Station Security Audit (My Own!)

I have one of those cheap indoor/outdoor weather stations. It transmits on 433 MHz. I:

  1. Captured the signal with HackRF
  2. Analyzed the packet structure with Universal Radio Hacker (URH)
  3. Figured out the encoding (Manchester, no checksum... yikes)
  4. Generated fake temperature readings and replayed them
  5. My indoor display happily reported -50Ā°C in July

Lesson: Cheap IoT devices have zero authentication. This is why smart home security matters! And it's fun to find it yourself, in your own devices.

Project 2: Understanding Rolling Codes vs. Fixed Codes

This was a pure education project. I compared:

Fixed code remote (cheap RF outlet, 315 MHz):

  • Captures once ā†’ replay forever ā†’ 0 security
  • This is why you don't use these for anything important

Rolling code remote (modern car fob, 315/433 MHz):

  • Code changes every single press
  • Replay attack fails ā€” old codes are invalid
  • This is why your car is harder to steal than your lamp

What fascinated me: Modern car fobs are genuinely well-designed. The cryptography is solid. You need the private key to generate the next code. RTL-SDR + HackRF lets you SEE this difference in practice, not just read about it in a textbook. šŸ“–

Project 3: Building a Spectrum Monitor

I set up a Python script that uses HackRF to regularly sweep from 100 MHz to 2.4 GHz and log signal activity. Basically a DIY spectrum monitoring station.

import subprocess
import time

def sweep_spectrum(start_mhz, stop_mhz, step_mhz=10):
    """Sweep spectrum and log signal levels"""
    results = {}

    for freq in range(start_mhz, stop_mhz, step_mhz):
        # Use hackrf_sweep for fast scanning
        result = subprocess.run([
            'hackrf_sweep',
            '-f', f'{freq}:{freq + step_mhz}',
            '-l', '32',
            '-g', '32',
            '-n', '8192'
        ], capture_output=True, text=True, timeout=2)

        if result.returncode == 0:
            results[freq] = parse_power_level(result.stdout)

    return results

What I discovered: My apartment at 2 AM is a BUSY place wirelessly. Neighbor's WiFi, Bluetooth from phones, smart home devices chatting away, mystery 868 MHz bursts I still haven't identified. The spectrum never sleeps!

The Gear You Need to Get Started šŸ’°

Hardware

HackRF One ($350):

  • The original, by Great Scott Gadgets
  • Open source hardware design
  • Buy from official sources or trusted resellers
  • Avoid counterfeits ā€” they exist and they're terrible

PortaPack H2 (Optional, $150-200):

  • Screen + controls that attach to HackRF
  • Makes it standalone (no laptop required!)
  • Great for field use
  • Huge community firmware (Mayhem firmware is excellent)

SMA Antennas (Free - $100):

  • HackRF comes with a flexible antenna (it's okay)
  • Directional antennas massively improve range
  • Dipoles for specific frequencies are easy to DIY

Software

# Essential toolkit
sudo apt-get install hackrf gnuradio gqrx-sdr

# Universal Radio Hacker - BEST tool for unknown signal analysis
pip install urh

# Inspectrum - beautiful signal visualization
sudo apt-get install inspectrum

# GNU Radio Companion (GUI) - drag-and-drop signal flowgraphs
gnuradio-companion

Universal Radio Hacker is criminally underrated. It lets you:

  • Load any captured signal
  • Automatically detect modulation (ASK, FSK, PSK)
  • Decode bit patterns
  • Compare captures to find what changes
  • Replay signals

If you're a developer and you want to reverse-engineer a wireless protocol, URH is your IDE. šŸ› ļø

THE LEGAL STUFF (Not Optional Reading!) šŸšØ

I'm going to say this very clearly because HackRF lets you TRANSMIT, which is fundamentally different from RTL-SDR:

What You Absolutely Cannot Do

āŒ Transmit without a license (US: FCC Part 97 or other authorization)

  • This is a federal crime in most countries
  • Fines in the US start at $10,000
  • Intentional interference can mean prison time
  • "I was just testing" is not a legal defense

āŒ Jam signals of any kind

  • GPS jamming: federal felony
  • Cell phone jamming: illegal everywhere
  • WiFi jamming: illegal
  • Emergency service interference: very, very bad

āŒ Transmit on aircraft, maritime, emergency frequencies

  • Even a brief "oops" transmission can endanger lives
  • No experiment is worth this

āŒ Replay attack someone else's systems

  • Testing your own devices: fine
  • Testing neighbor's garage: crime
  • The line is clear: YOUR devices, YOUR property

What You CAN Do Legally

āœ… Receive anything (same as RTL-SDR, still legal)

āœ… Transmit in a shielded enclosure (Faraday cage ā€” RF stays inside, nobody's harmed)

āœ… Transmit with an amateur radio license (ham license)

  • US: Amateur Radio license (FCC Part 97)
  • Takes a 35-question multiple choice exam
  • Very achievable for developers ā€” it's mostly memorization
  • Opens up massive frequencies for experimentation

āœ… Transmit on ISM bands within power limits (433 MHz, 915 MHz, 2.4 GHz, 5.8 GHz in US)

  • Limited power, limited use cases
  • But totally legal for personal experimentation

āœ… Transmit in a lab/shielded environment for testing

  • Keep the signal inside a Faraday cage
  • Proper RF shielding = no interference = legal

My Personal Rules

After a lot of reading (and some paranoid googling), here's how I operate:

  1. Receive freely ā€” it's generally legal everywhere
  2. Transmit only in my shielded setup until I get my ham license
  3. Never transmit on cellular, GPS, aviation, or emergency bands
  4. Only replay MY OWN devices ā€” never someone else's
  5. Power down the HackRF TX before leaving the bench (no accidental transmissions)

Getting your ham license is genuinely the cleanest path here. The Technician exam is ~35 questions, there are free practice sites, and once you pass you have legal access to transmit on tons of frequencies. Highly recommend it.

Why This Matters for Developers Specifically šŸ’»

As a developer exploring radio frequencies, HackRF bridges a gap I didn't know existed between "software" and "hardware security."

For IoT security: Understanding that your $15 smart plug broadcasts in plaintext, with no authentication, at a fixed code ā€” that's something you can only truly grasp when you can capture AND replay it yourself.

For protocol reverse engineering: URH + HackRF is basically Wireshark for the physical layer. You're doing exactly what you do with network packets, but for wireless protocols nobody documented.

For system design: When you've seen how rolling codes work vs. fixed codes at the signal level, you make better choices in your own systems. Understanding a weakness viscerally is different from reading about it.

For general curiosity: The radio spectrum is a physical layer of our world. Every device around you ā€” your phone, your car, your smart TV, your neighbour's baby monitor ā€” is shouting into the air constantly. Knowing you can hear (and study) all of it changes how you think about wireless technology forever.

Getting Started Without Blowing $350 Immediately šŸŽÆ

Step 1: Already have RTL-SDR? Start there. RTL-SDR gets you 90% of the learning. Receive, analyze, understand. HackRF is an upgrade, not a prerequisite.

Step 2: Learn URH with RTL-SDR captures first. You can practice signal analysis on captured files without ever needing to transmit. URH is free, your RTL-SDR can capture the signals.

Step 3: Get your ham license. Seriously. It's not hard, it gives you legal TX authority, and the community is incredible. HamStudy.org has free practice tests.

Step 4: If you're sure, buy HackRF One. Get it from Great Scott Gadgets directly or a trusted reseller. Not eBay. Not aliexpress. The counterfeits are everywhere and they're garbage.

Step 5: Start in receive mode. Even with HackRF, start by receiving. Make sure your setup works. Understand the tool. THEN carefully experiment with transmission in legal ways.

Resources That Actually Helped Me šŸ”§

Learning HackRF:

  • HackRF One documentation ā€” start here, read everything
  • r/hackrf ā€” active community, helpful for beginners
  • Michael Ossmann's presentations ā€” he designed HackRF, his talks are gold
  • Software Defined Radio With HackRF (YouTube series by Michael Ossmann)

Signal Analysis:

  • Universal Radio Hacker (URH) ā€” GitHub, completely free
  • Inspectrum ā€” beautiful signal visualization
  • sigidwiki.com ā€” signal identification database

Legal stuff:

  • FCC Part 97 (ham radio rules) ā€” fcc.gov
  • HamStudy.org ā€” free practice tests for license
  • ARRL.org ā€” American Radio Relay League, the ham radio bible

Community:

  • r/hackrf ā€” HackRF-specific questions
  • r/amateurradio ā€” huge community, very welcoming to SDR folks
  • HackRF Mailing List ā€” technical deep dives

TL;DR šŸ’”

HackRF One is what happens when SDR grows up and gets transmit capability. For a developer who's been passively listening to the spectrum, it's the tool that lets you INTERACT with it ā€” study how protocols work, understand wireless security hands-on, and build things that talk to physical radio hardware.

The catch: With transmit capability comes real legal responsibility. Unlike RTL-SDR which is purely passive, HackRF can interfere with real-world systems if misused. Study the rules, get your ham license, work in shielded environments, and only ever mess with your own devices.

Is it worth $350? For a developer who's serious about RF, wireless security, or just deeply curious about how radio protocols work? Absolutely yes.

Should it be your first SDR purchase? No ā€” start with RTL-SDR, learn to crawl before you run, then graduate to HackRF when you actually need transmit capability.

The radio spectrum is an invisible layer of our physical world, and tools like HackRF One let you interact with it like a programmer ā€” reading packets, analyzing protocols, building custom signal generators, and understanding security from the ground up.

My apartment now has a Faraday cage on the corner of my desk. My neighbors think I'm doing something suspicious. I'm actually just learning physics one signal at a time. šŸ“»

Curious about RF/SDR? Connect with me on LinkedIn and tell me what signals you're exploring!

Want to see my signal analysis scripts? Check out GitHub ā€” I'm building tools for IoT wireless protocol analysis.

Explore responsibly. Get licensed. And never, ever jam a GPS signal. Just... don't. šŸ›°ļø

P.S. The first time you replay a signal at your own device and it responds, the mix of "this is incredibly cool" and "this is slightly terrifying" is a unique feeling. Like the first time you wrote a SQL injection payload against your own test database. Power comes with responsibility. šŸ¦ø

P.P.S. Get the ham license. I keep saying it because I keep being right about it. The Technician exam took me two weekends of studying and one Saturday morning. Now I have legal authority to transmit on frequencies that would've cost me thousands in FCC fines otherwise. Best $15 exam fee I ever spent.

ā† Back to all posts