HackRF PortaPack Firmware Spoofs All The Things

The HackRF is an exceptionally capable software defined radio (SDR) transceiver, but naturally you need to connect it to a computer to actually do anything with it. So the PortaPack was developed to turn it into a stand-alone device with the addition of a touchscreen LCD, a few buttons, and a headphone jack. With all the hardware in place, it’s just a matter of installing a firmware capable enough to do some proper RF hacking on the go.

Enter MAYHEM, an evolved fork of the original PortaPack firmware that the developers claim is the most up-to-date and feature packed version available. Without ever plugging into a computer, this firmware allows you to receive, decode, and re-transmit a dizzying number of wireless protocols. From firing off the seating pagers at a local restaurant to creating a fleet of phantom aircraft with spoofed ADS-B transponders, MAYHEM certainly seems like it lives up to the name.

[A. Petazzoni] recently put together a detailed blog post about installing and using MAYHEM on the HackRF/PortaPack, complete with a number of real-world examples that show off just a handful of possible applications for the project. Jamming cell phones, sending fake pager messages, and cloning RF remotes is just scratching the surface of what’s possible.

It’s not hard to see why some have already expressed concern about the project, but in reality, none of these capabilities are actually new. This firmware simply brings them all together in one easy-to-use package, and while there might be an argument to be made about proliferation, we all know that the responsibility to behave ethically rests on the user and not the tools.

35 thoughts on “HackRF PortaPack Firmware Spoofs All The Things”

    1. Is promoting mayhem in a horrifically oppressive regime somehow not “responsible use”?

      It’s like somewhere you were told that “the people who create laws and rules are incapable of being malevolent”, and you never bothered to question it.

      1. There are many ways that promoting mayhem in a horrifically oppressive regime is not responsible use. For example, where it would have a disproportionate negative impact on people who are not part of the regime.

        So far the only reported legitimate uses in these comments are consistent with behaviour that the relevant regime would likely approve of (see comment on testing fire service pagers). So not really a good match for the name MAYHEM.

    2. I use this product to help find exploits against vehicle security systems and then I inform the manufacturers. Less than 10% of what I find do I share because I find so many rolling code vulnerabilities with this tool. We do try to inform manufacturers though. I also teach people how to use this tool to understand RF and how to make safer products. What do you do to make the world a better place other than judge people? This is a great tool they share for free.

      1. Thanks for highlighting your responsible use of this tool. Again, it doesn’t seem like your constructive actions are a very good match for the name MAYHEM. In fact, your work is probably preventing mayhem. Perhaps CALM would have been a better name.

        I make things to try and make the world better – many of the ideas I have I do share – see hackaday.io for example. I also design electronics for a range of industries. I think you may have read more judgement into my question than I intended.

        I’m genuinely perplexed about the hacker community constantly having to campaign against legislation that would limit our ability to legitimately use things like SDRs, remote control aircraft etc but on the other hand we go around giving our tools names which clearly do not signal that we can be trusted to benevolently use the technology we have created.

  1. It’s… getting real close to a real life tricorder! I hope more legitimate uses get developed for this stuff, there’s a lot of possibility.

    I’d like to see real FHSS protocols that don’t rely on randomly spamming everywhere to try to sync up, that would be a big win for IoT.

      1. I’d love to write some code for these someday! Most of the really top notch awesome stuff like EPC tags requires full duplex, but there’s still so much you can do here!

        I wonder how much additional hardware would be needed to send data optically?

        My Epic Lockdown Project™️ was an IoT protocol to replace LoRaWan, with Golay code error correction, encryption and replay attack prevention, bluetooth-style secure pairing, power save beacons, and TX power control, plus RX diversity through multiple gateways linked by MQTT.

        I’d love to make a handheld device for receiving and logging sensor data, and acting as a multichannel gateway, so it could be like a real tricorder that you could use to view whatever sensor Arduino lets you use, or act like a remote control for them.

        I think getting lower power consumption than Bluetooth is totally possible, if you have a huge RX bandwidth and don’t need a sync to use FHSS.

        But it also took me 3 months to get it working the first time and I know like, nothing about DSP or FPGA….

  2. Re: ” …we all know that the responsibility to behave ethically rests on the user and not the tools.”

    Doesn’t this assume that there exists an ethical use for the tool? Does a grenade or molotov cocktail have an ethical use? Does this? Serious question, what are the ethical uses for this?

    Given human nature there is a statistical probability of 1 that this will be used unethically.

      1. The firmware definitely still has legitimate uses, for one thing running your own pager service (especially if you have lots of pagers from a now shut down system and it’s in the legal spectrum for you).
        There are too many legitimate potential uses to list, just because there are plenty of uses you shouldn’t use it for doesn’t change that – same as most tools.

        Now whether the software and firmware could be limited to stop some of the worse abuses without breaking functionality is a good question – though I don’t think it would take long to catch somebody using one of these for stupid things. Used sensibly nobody would ever know it was there, and some misbehaving would be possible, but serious abuse is screaming out ‘here I am, smart enough to wreck stuff, with no regard for others, using a tool I didn’t make…’ It doesn’t take long to track down a signal like that unless it’s very very transient – and being that short lived limits the harm that can be done…

      2. Molotov cocktails were the only weapons the Hungarians had to defend themselves against Soviet armour during the invasion.

        As for [MikeB]’s ‘serious question’, that’s simply a failure of imagination on both your parts.

      3. Skippy, you’re just a shiny metal beer can, don’t beat yourself up…..

        I’ve been able to pass outputs directly from the HackRF One through an attenuator into an RTL-SDR+GNURadio to simulate RF Incidents for security research in the Zigbee Secure Energy Profile, Itron ETR and others.

        Another use comes to my mind although you would want to pack it behind a faraday cage to be safe.

        You could use my same setup in a NORAD themed escape room scenario where the players have to defeat simulated wings of Attack Aircraft/Strategic Bombers. Never Squawk 7000!

        Is it ethical to do so? Y’all tell me, but it would be a cool use of the hardware. Also my example is pretty extreme, one in which any bleed through RF could find you chilling in a Blacksite or Federal Prison.

        TBH, any scenario with less extreme storylines involving RF attacks could be used. i.e. Bank Heist in which you have to perform or defend against attacks on your get away vehicle to defeat the scenario.

        -unklStewy

    1. No, it doesn’t assume that. You seem to be projecting your own ethical opinions onto inanimate objects. “Things” don’t have any inherent ethical properties.

      In any case, White Hat hacking, experimentation, and general receiving/monitoring are some obvious ethical uses for this tool.

      In an alternate, simplified reality with Boolean ethics, the other things you mentioned may not have ethical uses, but in this reality they do. Fighting back against an oppressive and murderous regime is one obvious use.

      1. That’s certainly the most obvious use. Another might be penetrating ‘hostile’ networks for ‘intelligence gathering’.

        Local law enforcement probably as national forces and real intelligence services have much better toys and methods.

    2. Lots of legitimate uses. A field engineer needs to transmit a specific signal on command. Load up that signal, go to the site, press the send, tada you have a test signal 100 miles away from an outlet.

      Key fobs and garage door openers fail. Maybe you can get a signal 1 out of 50 times, and the retail key fob learning ones need things more reliably, well this will record the one time the old fob worked, and this will transmit reliably.

      If you ever worked on rf equipment you will find something like this invaluable.

      Sure some people will use it mischievously, but it is hardly worth getting on for that.

    3. Doesn’t this assume that there exists an ethical use for the tool? Does a grenade or molotov cocktail have an ethical use? Does this? Serious

      Obviously you don’t see “repelling an invading force” as ethical since that is an obvious intended purpose of both grenades and molotovs.

      Given that you openly support wars of aggression and oppression, your morals are absolutely worthless to me. You’re clearly hateful and violent, and not worth listening to.

    4. I am seriously tempted to get it and mostly use it as a garage door remote. Since it is an SDR, I could also use it in the car to just listen to various frequencies. Depending on my mood, I could listen to AM, FM, Ham Radio, Air traffic when by the airport, etc.

  3. Read the original linked article, it includes a list of ethical uses: capturing RF autonomously to study it later, check the resistance of your wireless home appliances to replay attacks or conducting security testing on devices where you have permission to transmit.
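The “resistance to replay attacks” mentioned in that list of uses is worth making concrete. The following is an added example, not code from the article, the linked post, or the MAYHEM project: a toy model of a receiver with a rolling counter and a keyed MAC, beside a fixed-code receiver that accepts any previously valid frame. The key, frame layout, and window size are all constructed for the demo and do not correspond to any real key fob or pager protocol.

```python
import hmac
import hashlib
import struct

# Constructed shared secret for the demo; a real device would provision its own key.
KEY = b"constructed-demo-key"
FRAME_LEN = 4 + 8  # 32-bit counter followed by a truncated 64-bit HMAC tag


def make_frame(counter, key=KEY):
    """Build one transmitter frame: big-endian counter plus HMAC-SHA256 tag (first 8 bytes)."""
    body = struct.pack(">I", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


def _tag_ok(body, tag, key):
    expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(tag, expected)


class FixedCodeReceiver:
    """Accepts any authentic frame, regardless of how often it has been seen.
    This is the behaviour a recorded-and-retransmitted signal exploits."""

    def __init__(self, key=KEY):
        self.key = key

    def accept(self, frame):
        if len(frame) != FRAME_LEN:
            return False
        return _tag_ok(frame[:4], frame[4:], self.key)


class RollingCodeReceiver:
    """Accepts an authentic frame only if its counter is ahead of the last accepted one,
    within a resync window so a few missed button presses do not brick the pairing."""

    def __init__(self, key=KEY, window=16):
        self.key = key
        self.window = window
        self.last = -1  # no frame accepted yet

    def accept(self, frame):
        if len(frame) != FRAME_LEN:
            return False
        body, tag = frame[:4], frame[4:]
        # Check the tag first so a forged counter cannot advance state.
        if not _tag_ok(body, tag, self.key):
            return False
        (counter,) = struct.unpack(">I", body)
        # Reject anything at or below the last accepted counter (a replay) and anything
        # too far ahead (outside the resync window).
        if counter <= self.last or counter > self.last + self.window:
            return False
        self.last = counter
        return True


def run_replay_test(receiver):
    """Send frames 1, 1 (replayed), 2, 1 (replayed again) and report which were accepted."""
    f1, f2 = make_frame(1), make_frame(2)
    return [receiver.accept(f1), receiver.accept(f1), receiver.accept(f2), receiver.accept(f1)]


if __name__ == "__main__":
    print("fixed code  :", run_replay_test(FixedCodeReceiver()))
    print("rolling code:", run_replay_test(RollingCodeReceiver()))
```

A recorded frame passes the fixed-code receiver every time, while the rolling-code receiver accepts each counter value once and refuses anything at or below the last accepted value. The window check is what keeps a lost transmission from desynchronising the pair, and the MAC is verified before the counter is read so that an unauthenticated frame can never move the receiver’s state.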

  4. Much as I’d love to trigger all the restaurant pagers at once (once restaurants aren’t lethal pots of virus-laden air), the “responsible use” thing is a dodge used by purveyors of everything from nuclear weapons to hot pepper and is irrelevant. Jammers are simply illegal in the U.S. and for good reason.

    https://www.fcc.gov/general/jammer-enforcement

    You may also want to look at the fracas that Limor Fried created when she proposed a “personal space bubble” as her thesis in 2005. MIT’s administration was not amused. [PDF]

    https://www.ladyada.net/media/pub/thesis.pdf

  5. Great to know. Reminds me to some day finish the project to better document modifying a GPS receiver module with a converted front end input to be used as a weak signals detector or more feasibly a receiver. Spoofing of the Digital block will be required and I haven’t gotten as far as to see what the capabilities are for communications. Sure would be nice to be able to use just the RF block.

  6. I work at an airport and I am a volunteer firefighter. I have used the portapack with mayhem to test adsb in and out on one of our aircraft at work after a near miss, and I’ve used it to test some old pagers with my fire brigade. There are many legitimate uses for a tool like this, but like most things, it can be used in a not so legitimate manner.

      1. If you work at that airport, and the security people of that airport are informed of why the device is needed, and others at the airport whose RF devices may detect/interfere with its use are aware of its presence and how/why it is being used…

    1. Noise floor isn’t the best and that gets me wondering about the latest and greatest hacks of the HackRF to improve performance. I recall, reballing a better grade chip (I forget though something like the installed factory are seconds of a better chip renamed) can increase the sampling rate and seems there are some others as well. A blog or reference site noting all the signal path hacks to improve performance can be handy.

  7. I use this to break in to my own cars. I love the idea that by a codes and scripts you can get into things by using the back door. I love my HackRF One PortaPack, I want to thank Great Scott and the maker of Mayhem, yous are awesome

  8. I got a PortaPack for my HackRF One simply because it lets me see the invisible spectrum that surrounds us all. I have no specific use and certainly no malicious one. My PortaPack came with Mayhem pre-installed.

    I do think actively trying to sound harmful and playing up the worst possible uses is a stupid move. Who would do that? A thirteen-year old trying to impress his peers?

    Do they want laws prohibiting user control of Software Defined Radio? There is no better way to stop SDR than to make it obviously dangerous with a simple name that even a legislator can understand.
