Overview
HackRF is an open-source software-defined radio (SDR) peripheral and toolchain that enables full-duplex TX/RX capabilities across the 1 MHz to 6 GHz frequency range. Unlike receive-only SDRs like RTL-SDR, HackRF can both transmit and receive radio signals, making it a powerful tool for RF analysis, wireless security research, protocol exploration, and signal generation. Built on GNU Radio, HackRF supports multiple operating systems and provides both graphical interfaces and command-line tools.
Key capabilities include signal capture/playback, spectrum analysis, protocol fuzzing, GPS spoofing research, cellular signal analysis, WiFi packet injection, and numerous other RF-based security applications.
Hardware Requirements
HackRF Device Specifications
| Specification | Details |
|---|
| Frequency Range | 1 MHz - 6 GHz |
| Bandwidth | 20 MHz |
| Sample Rate | 20 Msps (Mega-samples per second) |
| TX Power | 0 dBm nominal at 1 GHz |
| RX Sensitivity | -30 dBm @ 1 GHz |
| Duplex | Full duplex (TX/RX simultaneous) |
| Interface | USB 2.0 HS |
| Power Consumption | < 500 mA @ 5V |
| Antenna | SMA connectors (external antenna required) |
Required Infrastructure
# Computer requirements
- OS: Linux, macOS, Windows
- USB 2.0 port (preferably powered)
- CPU: 1+ GHz recommended
- RAM: 1+ GB
# Software dependencies
- libusb >= 1.0
- GNU Radio (optional)
- gr-osmosdr (optional)
Installation
Linux Setup
# Install dependencies
sudo apt-get update
sudo apt-get install build-essential cmake libusb-1.0-0-dev pkg-config
# Install GNU Radio and drivers
sudo apt-get install gnuradio librtlsdr-dev libhackrf-dev
# Build from source
git clone https://github.com/greatscottgadgets/hackrf.git
cd hackrf/host
mkdir build && cd build
cmake ..
make
sudo make install
sudo ldconfig
# Verify installation
hackrf_info
macOS Installation
# Using Homebrew
brew install hackrf
# Or build from source
brew install cmake libusb pkg-config
git clone https://github.com/greatscottgadgets/hackrf.git
cd hackrf/host
mkdir build && cd build
cmake ..
make
sudo make install
Windows Setup
# Install pre-built binaries from:
# https://github.com/greatscottgadgets/hackrf/releases
# Or build with MinGW:
# - Install MSYS2
# - Follow Linux installation steps
# - Add HackRF to Windows PATH
USB Driver Configuration (Linux)
# Set udev rules for non-root access
sudo cp host/libhackrf/udev/50-hackrf.rules /etc/udev/rules.d/
sudo udevadm control --reload
sudo udevadm trigger
# Add user to plugdev group
sudo usermod -a -G plugdev $USER
newgrp plugdev
# Verify device
hackrf_info
Basic Operations
Device Discovery
# List connected HackRF devices
hackrf_info
# Expected output:
# Found HackRF board 0: HackRF One
# Board ID Number: 0 (HackRF One)
# Firmware Version: 2020.12.1
# Part ID Number: 0xa000cb3c 0x00635f4c
# Serial Number: 0000000000000000a6922006b3163521
TX/RX Capabilities
# Transmit test (generates test signal)
hackrf_transfer -t test.iq -f 2400000000 -s 20000000 -a 1 -x 40
# Receive signal
hackrf_transfer -r capture.iq -f 2400000000 -s 20000000 -a 1 -x 40
# Continuous monitoring
hackrf_transfer -r - -f 2400000000 -s 20000000 -a 1 | xxd | head
| Option | Description | Example |
|---|
| -t FILE | Transmit IQ data | hackrf_transfer -t data.iq |
| -r FILE | Receive to file | hackrf_transfer -r capture.iq |
| -f FREQ | Center frequency (Hz) | hackrf_transfer -f 2400000000 |
| -s RATE | Sample rate (Hz) | hackrf_transfer -s 20000000 |
| -a AMP | Antenna amplifier (0-1) | hackrf_transfer -a 1 |
| -x GAIN | TX gain (0-47 dB) | hackrf_transfer -x 40 |
| -l GAIN | RX LNA gain (0-40 dB) | hackrf_transfer -l 32 |
| -g GAIN | RX VGA gain (0-62 dB) | hackrf_transfer -g 40 |
| -n SAMPLES | Number of samples | hackrf_transfer -n 1000000 |
| -c REPEAT | TX repeat count | hackrf_transfer -c 0 (infinite) |
Usage Examples
# Basic receive (20 MHz bandwidth, 2.4 GHz center)
hackrf_transfer -r output.iq -f 2400000000 -s 20000000
# Basic transmit
hackrf_transfer -t input.iq -f 2400000000 -s 20000000
# Continuous transmit (repeat forever)
hackrf_transfer -t signal.iq -f 1000000000 -s 20000000 -c 0
# Specify gain values
hackrf_transfer -r signal.iq -f 2400000000 -l 32 -g 30 -s 20000000
# Output to stdout (pipe to other tools)
hackrf_transfer -r - -f 2400000000 -s 20000000 | sox - output.wav
Frequency Bands and Applications
Common Frequency Bands
| Band | Frequency | Applications |
|---|
| WiFi 2.4GHz | 2.4 - 2.5 GHz | Wireless networks, Bluetooth |
| WiFi 5GHz | 5.0 - 6.0 GHz | High-speed wireless |
| GSM | 850/900/1800/1900 MHz | Cellular networks |
| Bluetooth | 2.4 - 2.48 GHz | Wireless peripherals |
| ISM Band | 2.4 - 2.5 GHz | Industrial/scientific |
| License-free | 433/868/915 MHz | IoT devices, remote controls |
| Satellite | 1-2 GHz | Downlink signals |
| Weather Radar | 5.6 GHz | Precipitation monitoring |
Frequency Management
# WiFi analysis (2.4 GHz)
hackrf_transfer -r wifi_2400.iq -f 2400000000 -s 20000000
# 5 GHz WiFi
hackrf_transfer -r wifi_5000.iq -f 5000000000 -s 20000000
# ISM band (433 MHz)
hackrf_transfer -r ism_433.iq -f 433000000 -s 2000000
# Bluetooth (2.4 GHz)
hackrf_transfer -r bluetooth.iq -f 2402000000 -s 2000000
# Cellular (GSM 900 MHz uplink)
hackrf_transfer -r gsm_900.iq -f 890000000 -s 20000000
Signal Capture and Analysis
# HackRF uses complex IQ (in-phase/quadrature) format
# 8-bit signed integers, interleaved I/Q samples
# File format:
# [I1] [Q1] [I2] [Q2] [I3] [Q3] ...
# Each sample: 1 byte I + 1 byte Q = 2 bytes
# Calculate file size
# File size = Sample rate × Duration (seconds) × 2 bytes
# Example: 20 Msps × 1 second × 2 = 40 MB file
Recording Signals
# 1-second capture at 2.4 GHz
hackrf_transfer -r wifi.iq -f 2400000000 -s 20000000 -n 20000000
# 10-second capture
hackrf_transfer -r capture.iq -f 2400000000 -s 20000000 -n 200000000
# Capture and monitor size
hackrf_transfer -r large_capture.iq -f 2400000000 -s 20000000 -n 1000000000 &
watch -n 1 'ls -lh large_capture.iq'
Analyzing Captured Data
# Using GNU Radio Companion (GUI)
gnuradio-companion
# Using Python/NumPy
python3 << 'EOF'
import numpy as np
# Read IQ data
data = np.fromfile('capture.iq', dtype=np.int8)
iq = data[::2] + 1j * data[1::2]
# Calculate power spectrum
spectrum = np.abs(np.fft.fft(iq))**2
print(f"Max power: {np.max(spectrum)}")
print(f"RMS level: {np.sqrt(np.mean(np.abs(iq)**2))}")
EOF
Signal Generation and Transmission
Creating Test Signals
# Generate QPSK test signal (Python)
python3 << 'EOF'
import numpy as np
import struct
# Parameters
sample_rate = 20e6
duration = 1.0 # 1 second
frequency = 1e6 # 1 MHz offset
samples = int(sample_rate * duration)
# Generate QPSK constellation
qpsk_symbols = np.array([1+1j, -1+1j, -1-1j, 1-1j]) / np.sqrt(2)
bits = np.random.randint(0, 4, samples)
symbols = qpsk_symbols[bits]
# Modulate
t = np.arange(samples) / sample_rate
modulated = symbols * np.exp(2j * np.pi * frequency * t)
# Normalize and convert to int8
iq = modulated / np.max(np.abs(modulated))
iq_int8 = (iq * 127).astype(np.int8)
# Write to file (interleaved I/Q)
with open('qpsk_signal.iq', 'wb') as f:
f.write(iq_int8.tobytes())
EOF
# Transmit the signal
hackrf_transfer -t qpsk_signal.iq -f 2400000000 -s 20000000 -x 40
Replaying Captured Signals
# Retransmit previously captured signal
hackrf_transfer -t wifi.iq -f 2400000000 -s 20000000 -x 35
# Repeat transmission indefinitely
hackrf_transfer -t wifi.iq -f 2400000000 -s 20000000 -c 0 -x 35
# Transmit with maximum power
hackrf_transfer -t signal.iq -f 1000000000 -s 20000000 -x 47
Spectrum Analysis
Real-time Spectrum Analysis
# Using GQRX for real-time visualization
gqrx
# Or using gr-osmosdr with GNU Radio
gnuradio-companion
# Load osmocom Source block configured for HackRF
Waterfall Display
# Capture and analyze spectrum
hackrf_transfer -r spectrum.iq -f 2400000000 -s 20000000 -n 200000000
# Create waterfall with GNU Radio or Python visualization
python3 << 'EOF'
import numpy as np
import matplotlib.pyplot as plt
data = np.fromfile('spectrum.iq', dtype=np.int8)
iq = data[::2] + 1j * data[1::2]
# Reshape for waterfall
chunk_size = 1024
chunks = len(iq) // chunk_size
iq_reshaped = iq[:chunk_size*chunks].reshape(-1, chunk_size)
# Compute spectrogram
spectrogram = np.abs(np.fft.fft(iq_reshaped))**2
plt.figure(figsize=(12, 6))
plt.imshow(10*np.log10(spectrogram), aspect='auto', cmap='viridis')
plt.colorbar(label='Power (dB)')
plt.ylabel('Time')
plt.xlabel('Frequency Bin')
plt.title('Waterfall Display')
plt.savefig('waterfall.png', dpi=150)
EOF
WiFi and Wireless Security
WiFi Beacon Analysis
# Capture WiFi beacons (2.4 GHz)
hackrf_transfer -r wifi_beacon.iq -f 2412000000 -s 20000000 -n 100000000
# Analyze with Wireshark (after IQ to PCAP conversion)
# Use gr-osmosdr and GNU Radio for IQ to PCAP conversion
Bluetooth Traffic Capture
# Capture Bluetooth advertising (2.4 GHz)
# Bluetooth uses frequency hopping: 2402-2480 MHz
hackrf_transfer -r bluetooth.iq -f 2402000000 -s 2000000 -n 20000000
# Single-frequency capture for initial analysis
hackrf_transfer -r bluetooth_single.iq -f 2402000000 -s 2000000
802.11 Packet Injection
# Requires packet generation tools (scapy, wlan_pi, etc.)
# Using GNU Radio + USRP/HackRF:
# 1. Create 802.11 frame in GNU Radio
# 2. Modulate to OFDM
# 3. Transmit via HackRF
# Command-line example (conceptual)
hackrf_transfer -t wifi_frame.iq -f 2412000000 -s 20000000 -x 40
Protocol Analysis and Fuzzing
ISM Band Signal Capture
# Capture 433 MHz for IoT/remote control analysis
hackrf_transfer -r iot_433.iq -f 433000000 -s 2000000 -n 10000000
# 868 MHz (Europe)
hackrf_transfer -r iot_868.iq -f 868000000 -s 2000000
# Analyze captured signals
python3 << 'EOF'
import numpy as np
from scipy import signal
data = np.fromfile('iot_433.iq', dtype=np.int8)
iq = data[::2] + 1j * data[1::2]
# Detect signal boundaries
amplitude = np.abs(iq)
threshold = np.mean(amplitude) * 2
detected = amplitude > threshold
print(f"Signal detected: {np.sum(detected)} samples")
EOF
Protocol Fuzzing
# Generate variant signals for fuzzing
python3 << 'EOF'
import numpy as np
import struct
# Create multiple signal variants
for variance in [0.8, 0.9, 1.0, 1.1, 1.2]:
original = np.fromfile('base_signal.iq', dtype=np.int8)
iq = original[::2] + 1j * original[1::2]
# Introduce variation
mutated = iq * variance
mutated_int8 = (mutated * 127).astype(np.int8)
# Save variant
with open(f'variant_{variance}.iq', 'wb') as f:
f.write(mutated_int8.tobytes())
EOF
# Transmit each variant and monitor response
for file in variant_*.iq; do
echo "Transmitting: $file"
hackrf_transfer -t "$file" -f 2400000000 -x 30
sleep 1
done
Gain Configuration
Receiver Gain Optimization
# HackRF receiver has two gain stages
# LNA Gain (Low Noise Amplifier): 0-40 dB
hackrf_transfer -r signal.iq -l 0 # Minimum noise figure, lower sensitivity
hackrf_transfer -r signal.iq -l 40 # Maximum gain
# VGA Gain (Variable Gain Amplifier): 0-62 dB
hackrf_transfer -r signal.iq -g 0 # Minimum VGA gain
hackrf_transfer -r signal.iq -g 62 # Maximum VGA gain
# Recommended configurations
# Weak signals: -l 40 -g 40
# Strong signals: -l 0 -g 0
# Mixed: -l 32 -g 30
Transmitter Power Control
# TX Gain: 0-47 dB (0 dBm nominal at 1 GHz)
# Minimum power (caution: may not transmit)
hackrf_transfer -t signal.iq -x 0
# Medium power
hackrf_transfer -t signal.iq -x 20
# High power
hackrf_transfer -t signal.iq -x 47
# Calibration for target power
hackrf_transfer -t calibration.iq -f 1000000000 -x 20
Troubleshooting
Connection Issues
| Problem | Solution |
|---|
| Device not detected | Check USB connection, verify udev rules |
| Permission denied | Add user to plugdev group, reload udev |
| USB timeout | Use powered USB hub, shorter cable |
| Frequency out of range | HackRF: 1 MHz - 6 GHz, verify input |
# Check CPU usage during capture
top -p $(pgrep hackrf_transfer)
# Reduce load on large captures
# Reduce sample rate from 20 MHz to 2 MHz
hackrf_transfer -r signal.iq -f 2400000000 -s 2000000
# Use external storage
hackrf_transfer -r /mnt/external/capture.iq -f 2400000000 -s 20000000
Signal Quality
# Weak signal reception troubleshooting
1. Use external antenna tuned to frequency
2. Position antenna away from obstacles
3. Increase RX gain: -l 40 -g 40
4. Move closer to signal source
5. Reduce sample rate for cleaner capture
# Strong signal causing issues
1. Reduce RX gain
2. Add attenuator (10-20 dB)
3. Move antenna away from source
4. Use directional antenna
Security and Legal Considerations
# IMPORTANT: HackRF transmission can be illegal
Legal uses:
- Amateur radio bands (licensed)
- ISM bands for permitted applications
- Research in controlled environments
- Testing of your own devices
Illegal uses:
- Jamming licensed communications
- Spoofing emergency systems
- Intercepting private communications
- Unauthorized device testing
COMPLIANCE CHECKLIST:
1. Verify local spectrum regulations
2. Obtain required licenses (amateur radio, etc.)
3. Only use permitted frequency bands
4. Test in shielded facilities when appropriate
5. Keep documentation of authorized testing
6. Obtain written permission for any testing
Resources and References
