
In security operations, physical-layer security work includes analysing wireless devices, in particular those operating at Sub-GHz frequencies. This study covers capturing wireless signals, converting them into digital data, and decoding the protocol structures they carry.
What are Sub-GHz Protocols?
Sub-GHz refers to wireless communication operating below 1 GHz. Unlike complex protocols such as Wi-Fi, devices in this band generally transmit simple digital signals.
Modulation and Encoding
Some of the common modulation schemes are as follows:

- OOK (On-Off Keying): The most basic method. The presence of the carrier is read as "1" and its absence as "0". It is very common in inexpensive remote controls.
- ASK (Amplitude Shift Keying): A method where data is transmitted through changes in the amplitude (height) of the carrier signal.
- FSK (Frequency Shift Keying): A method of slightly shifting the carrier frequency to transmit data.
- GFSK (Gaussian FSK): A version of FSK in which the data is passed through a Gaussian filter first, giving smoother frequency transitions, a narrower occupied bandwidth and less interference with neighbouring channels.
Some of the common encoding methods are:
- Manchester Encoding: The bit value is determined by the direction of the signal level transition in the middle of each bit period (high to low or low to high).
- PWM (Pulse Width Modulation): The bit value is determined by the "high" duration of the pulse; generally, a long pulse is "1" and a short pulse is "0".
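The two encodings above, decoded in code. This is an added example, not code from the original study or from URH; it assumes the input is a string of '1'/'0' characters with one character per symbol unit, i.e. the level stream obtained after thresholding the captured amplitude, and the function names, pulse widths and sample strings are constructed for illustration.

```python
# Added example (not from the original article): decoding Manchester- and
# PWM-encoded level sequences into data bits.
# Input convention (an assumption of this example): a string of '1'/'0'
# characters with one character per symbol unit, i.e. the level stream you get
# after thresholding the captured amplitude.

def manchester_decode(levels: str, ieee: bool = True) -> str:
    """Each data bit is two half-units with a transition in the middle.
    IEEE 802.3 convention: low-to-high ('01') is 1, high-to-low ('10') is 0.
    ieee=False selects the inverse (G. E. Thomas) convention."""
    if len(levels) % 2:
        raise ValueError("Manchester stream must contain an even number of half-units")
    bits = []
    for i in range(0, len(levels), 2):
        pair = levels[i:i + 2]
        if pair == "01":
            bits.append("1" if ieee else "0")
        elif pair == "10":
            bits.append("0" if ieee else "1")
        else:
            # '00' or '11' has no mid-bit transition: a clock slip or a noise hit
            raise ValueError(f"no mid-bit transition at half-unit offset {i}")
    return "".join(bits)

def run_lengths(levels: str) -> list:
    """Collapse the level string into (level, length) runs: '11100' -> [('1', 3), ('0', 2)]."""
    runs = []
    for ch in levels:
        if runs and runs[-1][0] == ch:
            runs[-1][1] += 1
        else:
            runs.append([ch, 1])
    return [(level, n) for level, n in runs]

def pwm_decode(levels: str, short_high: int, long_high: int, tolerance: int = 0) -> str:
    """Bit value comes from the duration of each high pulse: long high -> '1',
    short high -> '0' (the usual convention). Low runs between pulses carry no
    data. A pulse may deviate from its nominal width by up to `tolerance` units."""
    bits = []
    for level, n in run_lengths(levels):
        if level != "1":
            continue
        if abs(n - long_high) <= tolerance:
            bits.append("1")
        elif abs(n - short_high) <= tolerance:
            bits.append("0")
        else:
            raise ValueError(f"high pulse of {n} units matches neither width")
    return "".join(bits)

if __name__ == "__main__":
    # Constructed inputs: Manchester '01 01 10 10' and PWM with 1-unit/3-unit high pulses
    print(manchester_decode("01011010"))                               # 1100
    print(pwm_decode("1000111010001110", short_high=1, long_high=3))   # 0101
```

A stream that yields a `ValueError` from either decoder is the practical signal that the samples-per-symbol setting or the threshold is off, since a clean capture never produces a missing mid-bit transition or an out-of-range pulse width.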

RF Packet Structure (The Skeleton of Data)
A standard radio frequency packet consists of the following components to ensure coordination between the receiver and transmitter:
- Preamble: The initial sequence that synchronizes the receiver.
- Sync Word: A fixed bit pattern that marks where the data begins.
- Payload and CRC: The actual command data to be transmitted and the error control mechanism.
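The packet skeleton put to work: locating a frame in a decoded bitstream by its preamble and sync word, then checking the payload against its CRC. This is an added example, not code from the original study; the preamble, the sync word 0x2DD4, the 24-bit payload length and the CRC-8 polynomial 0x07 are constructed for illustration and belong to no real protocol, and the sample stream is built inline.

```python
# Added example (not from the original article): finding a frame in a decoded
# bitstream by its preamble and sync word, then checking the payload CRC.
# All constants are constructed for illustration and belong to no real
# protocol: a 16-bit alternating preamble, sync word 0x2DD4, a 24-bit payload
# and CRC-8 (polynomial 0x07, init 0).

PREAMBLE = "10" * 8                 # lets the receiver settle its clock and gain
SYNC_WORD = format(0x2DD4, "016b")  # marks where the payload starts
PAYLOAD_BITS = 24
CRC_BITS = 8
CRC_POLY = 0x07

def crc8(data: bytes, poly: int = CRC_POLY) -> int:
    """CRC-8, MSB first, init 0, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def build_frame(payload: bytes) -> str:
    """Assemble preamble + sync + payload + CRC as a bit string (the transmit side)."""
    body = "".join(format(b, "08b") for b in payload)
    return PREAMBLE + SYNC_WORD + body + format(crc8(payload), f"0{CRC_BITS}b")

def parse_frames(bitstream: str) -> list:
    """Return (offset, payload, crc_ok) for every preamble+sync hit in the stream."""
    marker = PREAMBLE + SYNC_WORD
    frame_len = PAYLOAD_BITS + CRC_BITS
    results = []
    start = 0
    while True:
        pos = bitstream.find(marker, start)
        if pos < 0:
            break
        body_start = pos + len(marker)
        body = bitstream[body_start:body_start + frame_len]
        if len(body) < frame_len:
            break  # frame cut off at the end of the capture
        payload_bits, crc_bits = body[:PAYLOAD_BITS], body[PAYLOAD_BITS:]
        payload = int(payload_bits, 2).to_bytes(PAYLOAD_BITS // 8, "big")
        results.append((pos, payload, crc8(payload) == int(crc_bits, 2)))
        start = body_start + frame_len
    return results

# Constructed capture: some noise, a good frame, a gap, then the same frame
# with one payload bit flipped in transit.
GOOD_FRAME = build_frame(b"\x1a\xd5\xa1")
_flip = len(PREAMBLE) + len(SYNC_WORD) + 5
BAD_FRAME = GOOD_FRAME[:_flip] + ("1" if GOOD_FRAME[_flip] == "0" else "0") + GOOD_FRAME[_flip + 1:]
SAMPLE_STREAM = "0011100101" + GOOD_FRAME + "0000000" + BAD_FRAME + "110"

if __name__ == "__main__":
    for offset, payload, ok in parse_frames(SAMPLE_STREAM):
        print(f"frame at bit {offset}: payload={payload.hex()} crc_ok={ok}")
```

The second frame fails its CRC because a single flipped bit is always caught by a CRC whose polynomial has a non-zero constant term; in practice a frame that fails the check is discarded rather than acted on, which is the error-control role the CRC field plays.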

Operational Methodology and Findings
The analysis focused on the 433.92 MHz band:
Hardware: HackRF One and PortaPack (Mayhem Firmware) were used for the signal capture process, while Flipper Zero was used for signal generation.
Digital Analysis: Raw capture data was decoded using the Universal Radio Hacker (URH) software.


Technical Note: During the analysis, the Princeton-24 and Nice Flo-12 protocols were tested one after the other within the same capture file. The capture was demodulated in URH with ASK modulation and 1400 samples per symbol, which preserved signal integrity.
Digitalization and Thresholding Process
The following steps were applied in URH to obtain meaningful data from the signal:
Packet Anatomy: The Preamble, Sync Word, and Payload blocks were manually marked to reveal the protocol skeleton.
Noise Threshold: A noise threshold was applied so that carrier peaks (high) are read as 1 and the stretches where the carrier remains silent (low) are read as 0.
Raw bitstream of the recording (excerpt):
11111000010001000111011101000111010000111011101110100011101000011101000111010011101110100011101000100010
1001000100011101110100011101000111011101110100011101000111010001110100011101110100011101000100010
10001000100011101110100011101000111011101110100011101000111010001110100011101110100011101000100010
100001000100111011101000111010001110111011101000111010001110100011101001110111010001110100100010
100001001000111011101000111010001110111011101000111010001110100011101001110111010001110100010010...
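The thresholding step, reproduced on synthetic data. This is an added example, not code from the original study or from URH: it builds an OOK amplitude envelope itself (constructed data, no capture file is read), picks a noise threshold, and collapses 1400 samples per symbol, the value used in the analysis above, into one character per symbol unit by majority vote. The function names and the unit pattern are assumptions made for the example.

```python
# Added example (not from the original article): turning an OOK/ASK amplitude
# envelope into the raw symbol-unit bitstream that URH shows after
# thresholding. The envelope is synthesised here (constructed data, no
# capture file involved); 1400 samples per symbol matches the value used in
# the article's analysis.
import random

SAMPLES_PER_SYMBOL = 1400

def synth_envelope(units: str, sps: int = SAMPLES_PER_SYMBOL, seed: int = 7) -> list:
    """Constructed envelope: each symbol unit becomes `sps` samples, around 0.8
    for a carrier-on unit and 0.05 for silence, with +/-0.1 uniform noise."""
    rng = random.Random(seed)
    env = []
    for u in units:
        base = 0.8 if u == "1" else 0.05
        env.extend(base + rng.uniform(-0.1, 0.1) for _ in range(sps))
    return env

def add_glitch(env: list, start: int, length: int, level: float = 0.9) -> list:
    """Overwrite a stretch of samples with a spike (models an impulse-noise burst)."""
    out = list(env)
    for i in range(start, min(start + length, len(out))):
        out[i] = level
    return out

def estimate_threshold(env: list) -> float:
    """Simple noise threshold: midpoint between the quietest and loudest sample."""
    return (min(env) + max(env)) / 2

def threshold(env: list, thr: float) -> str:
    """One '1'/'0' per sample: above the threshold means carrier present (high)."""
    return "".join("1" if a > thr else "0" for a in env)

def symbols_from_samples(sample_bits: str, sps: int) -> str:
    """Majority vote over each symbol-length window gives one unit per symbol;
    this is what makes a noise burst shorter than half a symbol harmless.
    A trailing partial window is dropped."""
    out = []
    for i in range(0, len(sample_bits) - sps + 1, sps):
        window = sample_bits[i:i + sps]
        out.append("1" if window.count("1") * 2 > sps else "0")
    return "".join(out)

def demodulate_ook(env: list, sps: int = SAMPLES_PER_SYMBOL) -> str:
    return symbols_from_samples(threshold(env, estimate_threshold(env)), sps)

if __name__ == "__main__":
    # Constructed PWM-style unit pattern: short pulses '1000' and long pulses '1110'
    units = "1000111010001110100011101000"
    env = add_glitch(synth_envelope(units), start=3 * SAMPLES_PER_SYMBOL + 100, length=200)
    print(demodulate_ook(env))   # recovers the units string despite the glitch
```

The midpoint threshold is deliberately simple; on a real capture the same idea is applied to the demodulated magnitude, and the samples-per-symbol value must match the transmitter's symbol rate, otherwise the majority-vote windows drift off the symbol boundaries and the pulse widths come out wrong.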
A. Princeton 24-Bit Protocol: The first 20 bits of the 24-bit packet carry the fixed device ID (1AD5A), while the remaining 4 bits carry the command data.
B. Nice Flo 12-Bit Protocol: The entire 12-bit packet directly forms the device ID (407); in this structure there is no separation between address and data, so the whole packet acts as the key.
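Field splitting for the two protocols, using the widths stated above (20-bit ID plus 4-bit command for Princeton-24; all 12 bits as the ID for Nice Flo-12), applied to frames that have already been PWM-decoded to data bits. This is an added example, not code from the original study; the sample frames are constructed, with IDs matching the values above and made-up command nibbles, and the function names are assumptions.

```python
# Added example (not from the original article): splitting already-decoded
# Princeton-24 and Nice Flo-12 frames into their fields and summarising a
# capture that contains both. Field widths come from the article (20-bit ID +
# 4-bit command; 12 bits used whole). The sample frames are constructed: the
# IDs match the article's values, the command nibbles are made up.

PROTOCOLS = {
    "Princeton-24": {"bits": 24, "id_bits": 20},  # fixed device ID, then 4 command bits
    "Nice Flo-12": {"bits": 12, "id_bits": 12},   # whole packet is the ID (the key)
}

def identify_protocol(frame_bits: str):
    """Frame length is the only discriminator the article's two protocols need."""
    for name, spec in PROTOCOLS.items():
        if len(frame_bits) == spec["bits"]:
            return name
    return None

def split_fields(frame_bits: str) -> dict:
    if set(frame_bits) - {"0", "1"}:
        raise ValueError("frame must be a string of 0/1 characters")
    name = identify_protocol(frame_bits)
    if name is None:
        raise ValueError(f"no known protocol with {len(frame_bits)}-bit frames")
    id_bits = PROTOCOLS[name]["id_bits"]
    id_field, cmd_field = frame_bits[:id_bits], frame_bits[id_bits:]
    return {
        "protocol": name,
        "device_id": format(int(id_field, 2), f"0{(id_bits + 3) // 4}X"),
        "command": cmd_field or None,      # None when the whole frame is the key
        "id_space": 2 ** id_bits,          # number of distinct fixed codes possible
    }

def summarize_capture(frames: list) -> dict:
    """Group a capture into {protocol: {device_id: {command: repeat_count}}}.
    Remote controls usually repeat the same frame several times per button
    press, so the repeat count reflects presses, not distinct devices."""
    summary = {}
    for f in frames:
        p = split_fields(f)
        per_id = summary.setdefault(p["protocol"], {}).setdefault(p["device_id"], {})
        per_id[p["command"]] = per_id.get(p["command"], 0) + 1
    return summary

# Constructed frames: Princeton ID 1AD5A with two command nibbles, Nice Flo ID 407
SAMPLE_FRAMES = [
    format(0x1AD5A, "020b") + "0001",
    format(0x1AD5A, "020b") + "0001",
    format(0x1AD5A, "020b") + "0010",
    format(0x407, "012b"),
    format(0x407, "012b"),
]

if __name__ == "__main__":
    print(summarize_capture(SAMPLE_FRAMES))
```

The `id_space` value makes the difference between the two structures concrete for a risk assessment: a fixed 12-bit code has 4096 possible values and a fixed 20-bit ID has 1048576, and in neither protocol does the code change between transmissions, which is the property a defender weighs when deciding whether a given remote is acceptable for a sensitive door or gate.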
References:
- Great Scott Gadgets (HackRF One), greatscottgadgets.com
- Flipper Zero Documentation, docs.flipperzero.one
- Universal Radio Hacker (URH) Wiki, URH GitHub Repository
- Visual Sources, https://notebooklm.google.com/, https://www.technologyuk.net/telecommunications/telecom-principles/digital-modulation-part-one.shtml
Arife Ebrar Üstüner
