What I Am Doing - RF Survey

One of the things we do here at Red Crow Labs while working on a hardware product analysis / reverse engineering project is conduct an RF Spectrum survey. A lot of different things and types of equipment go into this but I'll show a couple of basics here.

We have a HackRF set up as a spectrum analyzer using hackrf_sweep, looking at the 0-6 GHz range. As an example, here is a screenshot of what the spectrum looks like in the lab:

Lab Spectrum Capture

We can see some cell signals, maybe some military transmissions or other things emanating from the National Lab nearby, my 2.4 and 5 GHz Wi-Fi router, and a few other things. (Maybe some Havana Syndrome inducing signals around the 3 and 4 GHz range ;P)

Let's drill down a little and take a closer look at 2.4 GHz Wi-Fi:

2.4 GHz Wi-Fi

The red line shows the peak signal hold and the yellow is the real-time visualization of signals, along with the waterfall below. There are better devices than the HackRF for this kind of work, but that's what we are using for simple, quick, and small projects that don't need too much sophistication.

When testing a device we place it in a Faraday isolation enclosure with our spectrum analyzer to block out any signals that aren't coming from it (such as radio stations, Bluetooth, Wi-Fi, cell signals, etc.) and see if it transmits or emanates anything unexpected.

Copper Mesh Enclosure

We have a wooden enclosure with the seams sealed with Faraday tape and wrapped in copper mesh; it is heavy and doesn't work as well as we would like (some frequency ranges still manage to leak in).

Light Enclosure

We have a second lightweight enclosure that's simply wrapped in multiple layers of aluminum foil that works a bit better. From time to time we do work in a full screen room or anechoic chamber depending on what is needed and who we are working for.
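The peak hold shown as the red line above and the "does the enclosure leak?" check are easy to script against hackrf_sweep's CSV output. This is an added example, not code from the Red Crow Labs post: it parses the sweep line format (`date, time, hz_low, hz_high, hz_bin_width, num_samples, dB, dB, ...`), builds a max-hold trace per bin, and flags bins where a signal seen outside the enclosure is not attenuated by at least a chosen margin inside it. The sweep rows and the 20 dB threshold are constructed assumptions.

```python
# Added example (not the post's own code): peak-hold and enclosure leak check
# over hackrf_sweep CSV output. Sample rows below are constructed, not captured.
from collections import defaultdict
from statistics import median

# hackrf_sweep line format: date, time, hz_low, hz_high, hz_bin_width, num_samples, dB...
AMBIENT = """\
2024-01-01, 12:00:00, 2400000000, 2420000000, 5000000, 20, -78.0, -45.0, -80.0, -79.0
2024-01-01, 12:00:01, 2400000000, 2420000000, 5000000, 20, -77.0, -30.0, -81.0, -78.0
2024-01-01, 12:00:00, 2420000000, 2440000000, 5000000, 20, -79.0, -76.0, -82.0, -35.0
"""
# Same device inside the enclosure: the 2405 MHz signal is well attenuated,
# the 2435 MHz one is still only a few dB down (a leaking band).
ENCLOSED = """\
2024-01-01, 12:05:00, 2400000000, 2420000000, 5000000, 20, -80.0, -58.0, -81.0, -80.0
2024-01-01, 12:05:00, 2420000000, 2440000000, 5000000, 20, -81.0, -80.0, -82.0, -42.0
"""

def parse_sweep(text):
    """Yield (bin_low_hz, power_db) for every bin of every sweep row."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue  # skip blank or truncated rows
        hz_low, bin_width = int(fields[2]), int(fields[4])
        for i, db in enumerate(fields[6:]):
            yield hz_low + i * bin_width, float(db)

def peak_hold(text):
    """Max-hold per bin across all sweeps: the 'red line' on the analyzer."""
    peaks = defaultdict(lambda: float("-inf"))
    for hz, db in parse_sweep(text):
        peaks[hz] = max(peaks[hz], db)
    return dict(peaks)

def find_leaks(ambient, enclosed, min_attenuation_db=20.0, floor_margin_db=10.0):
    """Bins with a real signal outside that the enclosure fails to attenuate.

    Returns [(bin_hz, attenuation_db), ...]. The noise floor is estimated as
    the median of the enclosed peak-hold trace (assumption: most bins are quiet).
    """
    a, e = peak_hold(ambient), peak_hold(enclosed)
    floor = median(e.values())
    leaks = []
    for hz in sorted(set(a) & set(e)):
        if a[hz] > floor + floor_margin_db and a[hz] - e[hz] < min_attenuation_db:
            leaks.append((hz, round(a[hz] - e[hz], 1)))
    return leaks
```

Run hackrf_sweep once with the enclosure open and once closed, feed both captures to `find_leaks`, and the bins it returns are the ranges where the shielding needs work.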

In some cases we might do some Near Field analysis looking for unintended or other emissions from devices. This is done using an oscilloscope running in FFT / Spectrum Analyzer mode hooked to a HGLN Amplifier and a variety of near field probes as can be seen in the following image:

Near Field Probing of Raspi CPU

So in addition to JTAG/UART hacking, firmware dumping, and software disassembly, we do some RF / signals work as well. We also do network, filesystem, process, and memory instrumentation as part of our reverse engineering and analysis, but I'll leave that for a future post.

Thanks for listening!

A.