Hacker Tradecraft Volume 13 — RF Tradecraft I: SDR and Sub-GHz
SDR fundamentals at schematic depth, the security-relevant spectrum map, the sub-GHz protocol zoo, the capture-analyze-replay workflow with concrete commands, and the gear from RTL-SDR through HackRF and PortaRF to the Flipper Zero
1. About this volume
This volume opens the reference cluster (Vols 13–17). It is the first of three RF-tradecraft volumes — sub-GHz here, Wi-Fi and BLE in Vol 14, RFID/NFC/access-control in Vol 15 — followed by computer-hacking tradecraft in Vol 16 and social engineering in Vol 17. The reference cluster’s job is different from the seven hat volumes that precede it. Those volumes (Vols 6–12) treated the people and the posture: who wears which hat, what authorization envelope they operate inside, what the engagement lifecycle looks like, what the criminal-economy parallel looks like. This volume treats the physics and the protocols — the engineering-grade reference that the hat volumes have been linking into when they hand-waved “see Vol 13 for SDR depth”.
The reader of this series — tjscientist, a 45+-year EE and software engineer — already understands radio. Quadrature mixing, sample-rate-vs-bandwidth, ADC dynamic range, antenna theory: these are not topics that need to be re-derived. What this volume does instead is wrap RF fundamentals in the security-research framing that the hat volumes presume. An EE who has spent decades designing receivers knows how an I/Q demodulator works; the same EE may not know what Universal Radio Hacker does, why rtl_433 exists, what makes a Flipper Zero’s sub-GHz subsystem distinct from a HackRF transmitting on the same frequency, or what the working capture-analyze-replay loop actually looks like at command-line depth. The volume’s value is in the framing, not in the fundamentals.
Reference-cluster role. Vols 13–17 are engineered to be linked into rather than read sequentially. Every H2 heading in this volume — the nine that follow this section — has a stable auto-generated anchor of the form vol13-<heading-slug> (the build pipeline lowercases the heading text, hyphenates, and strips leading section numbers; see the project’s CLAUDE.md for the convention). Those anchors are frozen append-only from the day this volume is committed. Other Hack Tools deep dives — the HackRF One series, the Flipper Zero series, the OpenSourceSDRLab PortaRF series, and the RTL-SDR series when it is authored — cross-link into these anchors as HackerTradecraft_Complete.html#vol13-<slug> for the broader tradecraft context that those device deep dives deliberately don’t re-derive. Inside this series, the hat volumes already linked here: Vol 9 §3.3 sketched the RTL-SDR → Flipper → HackRF → Proxmark3 progression as the green-hat RF starter kit; Vol 11 §3.6 treated those same tools as the red-team operator’s physical-entry RF/HID staging layer. This volume deepens both lines and supplies the reference anchors that future deep dives lean on.
What this volume does not duplicate. The hardware-level depth on individual devices lives in the device deep dives, not here. Each sibling deep dive is referenced by relative path:
- HackRF One — chip-level theory of operation, revision history (r1 through r10), the Clifford Heath modifications, the bias-T, the SDR receive chain at MAX2839 / RFFC5072 / MAX5864 silicon depth — lives in ../../HackRF One/03-outputs/HackRF_One_Complete.html.
- OpenSourceSDRLab PortaRF — the handheld HackRF descendant; how the integrated PortaPack-class display + keyboard + battery + chassis differ from the H2R4 + PortaPack pairing — lives in ../../OpenSourceSDRLab PortaRF/03-outputs/PortaRF_Complete.html.
- Flipper Zero — the CC1101-based sub-GHz subsystem, the firmware’s subghz app and protocol library, the keeloq / faac / nice / star-line decoder ecosystem — lives in ../../Flipper Zero/03-outputs/Flipper_Zero_Complete.html.
- RTL-SDR — deep dive not yet authored (the project status as of early 2026 is a stub at ../../RTL-SDR/CLAUDE.md); when authored, it will cover the RTL2832U + R820T2/R828D silicon, the V3 direct-sampling HF mode, the V4 changes, and the rtl_* command-line ecosystem.
This volume treats SDR and sub-GHz at the tradecraft level — what to do with the spectrum, how to choose between the tools, what the workflow actually looks like, and where the legal lines fall. Wi-Fi and BLE (the 2.4 / 5 / 6 GHz cluster) belong in Vol 14; the LF/HF RFID + NFC + access-control material belongs in Vol 15; and the computer-hacking implants — Hak5’s Ducky Script / Bash Bunny / Key Croc / O.MG family — belong in Vol 16, where the keystroke-injection vs RF-injection distinction can be drawn cleanly. Volume 13 is sub-GHz only.
2. SDR fundamentals
The shortest definition of software-defined radio: a radio whose signal-processing chain is implemented in software running on a general-purpose processor, with the hardware reduced to the minimum analog stages required to translate RF energy at the antenna into baseband I/Q samples for the software to consume (receive) and to translate I/Q samples back into modulated RF at the antenna (transmit). The cut-line between hardware and software has moved relentlessly toward the antenna over five decades — first digital filters, then digital demodulators, then direct-conversion architectures, then the anything-goes baseband programmability that defines the modern SDR. The result is a class of hardware that is, in principle, any radio: tune to any frequency the analog front-end supports, apply any demodulator the host CPU can run in real time, and the same physical box that was an ADS-B receiver this morning becomes a 433 MHz garage-door capture rig at lunch and a 2.4 GHz spectrum analyzer in the afternoon. That generality is what makes SDR the universal instrument of RF security research.
2.1 Quadrature and the I/Q representation
Every modern SDR — HackRF, RTL-SDR, LimeSDR, BladeRF, USRP, PortaRF, every one — uses a quadrature or complex baseband representation of the signal. Two real-valued sample streams, conventionally labeled I (in-phase) and Q (quadrature), together encode the instantaneous complex envelope of the RF signal at baseband. The two streams are taken from a pair of mixers driven by local-oscillator signals 90° apart in phase: the I channel mixes the RF input against cos(2πf_LO·t), the Q channel mixes against sin(2πf_LO·t), both products pass through identical low-pass filters, and the resulting I[n] and Q[n] sample streams together form the complex signal z[n] = I[n] + j·Q[n].
The EE reader knows why this matters; the security-tradecraft reader needs to know what it enables. Three properties of the complex-baseband representation are load-bearing for the workflow that follows:
Negative frequencies become distinguishable. A real-valued ADC sample sequence is symmetric in the frequency domain — energy at +Δf and energy at −Δf relative to the local oscillator are indistinguishable. The complex-baseband representation breaks that symmetry: positive and negative offsets are independent. An SDR tuned to 433.92 MHz can simultaneously observe a signal at 433.80 MHz (negative offset of 120 kHz) and 434.04 MHz (positive offset of 120 kHz) and keep them straight. Sub-GHz protocols often use frequency-hopped or offset transmitters in close adjacency; without I/Q the analysis chain would alias them onto each other.
The signal bandwidth equals the sample rate. With a real-valued ADC at sample rate Fs, the captured bandwidth per Nyquist is Fs/2. With an I/Q ADC pair at sample rate Fs per channel, the captured bandwidth is the full Fs — the negative-frequency half is no longer redundant. A HackRF One sampling at 20 MS/s captures a full 20 MHz of spectrum centered on the tuned frequency, not 10 MHz. This is why SDR “sample rate” is also often called “bandwidth” colloquially; in the I/Q regime the two are the same number.
Arbitrary demodulation in software. With the complex envelope in hand, every demodulator — AM, FM, SSB, OOK, ASK, FSK, GFSK, MSK, QAM, PSK of any order — is a few lines of Python or C, not a chain of analog stages. The same captured I/Q file can be demodulated as FM voice, decoded as Manchester-encoded TPMS data, or fed to a PSK decoder as the analyst chooses; the recording is agnostic to the demodulator. This is what makes the capture-once-analyze-many-times workflow of §5 possible.
2.2 Sample rate, bandwidth, and Nyquist
The relationship between sample rate, captured bandwidth, and signal bandwidth is the load-bearing setup decision for every capture. Three rules cover most situations:
Capture bandwidth = sample rate (I/Q). Per §2.1: with an I/Q-sampling SDR at Fs samples per second per channel, the analyzable bandwidth around the tuned center frequency is Fs. The HackRF’s 20 MS/s ceiling means 20 MHz of capture bandwidth — the entire 902–922 MHz LoRa / 915 MHz ISM region in a single capture, for example. The RTL-SDR Blog V4’s 2.4 MS/s stable sample rate means 2.4 MHz of capture bandwidth — wide enough for any single sub-GHz device but not wide enough for cross-channel survey work.
Signal bandwidth ≤ ~80% of sample rate. The analog anti-alias filters at the ADC have finite roll-off. Working practice across the SDR ecosystem is to size the sample rate to roughly 1.25× the signal bandwidth of interest, leaving margin for the filter skirts. A 200 kHz narrow-band FM signal needs roughly 250 kHz of sample rate to capture cleanly; a 1 MHz LoRa chirp needs roughly 1.25 MS/s. Pushing closer to Nyquist works in clean spectrum but invites aliasing artifacts from adjacent transmitters.
Aliasing is silent and ambiguous. If a strong out-of-band emitter falls inside the SDR’s analog front-end passband but outside the digital filter’s passband, it folds back into the captured spectrum at an aliased frequency — typically with no warning beyond a mystery signal appearing where no real transmitter exists. The defensive moves are (a) tune carefully to put strong adjacent emitters outside the captured band, (b) use the SDR’s IF gain stage to back off when wideband signals are present, and (c) when in doubt, capture at a higher sample rate and decimate in post.
The TPMS analyst trying to capture a 315 MHz tire-pressure transmission while a nearby 433 MHz garage opener fires will see this in practice — both signals fall inside an RTL-SDR’s tuner passband around either center, and gain that’s set comfortably for the weak TPMS signal saturates on the garage transmission. The mature workflow tunes the SDR for the target band’s specific characteristics and accepts that one capture session typically yields data on one protocol family at a time.
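To make the three §2.1 properties and the §2.2 aliasing rule concrete, here is an added example (not code from this volume or from any SDR tool) that simulates tones at chosen offsets from the LO after quadrature downconversion and runs a brute-force DFT over the result, reporting bins the way a waterfall centered on the LO would. The sample rate (2.4 MS/s, the RTL-SDR Blog V4 figure quoted in §2.2), the record length, and the tone offsets are assumptions chosen for the demonstration; the small helper at the end encodes the 1.25× sizing rule from §2.2.

```python
import cmath
import math

# Constructed demonstration, not code from any SDR tool: tones at chosen offsets
# from the local oscillator are simulated after quadrature downconversion, then
# a brute-force DFT shows where an SDR waterfall centered on the LO would put them.

FS = 2_400_000   # assumed sample rate: the RTL-SDR Blog V4 stable rate from section 2.2
N = 240          # 240 samples at 2.4 MS/s -> 10 kHz bins; small enough for an O(N^2) DFT


def baseband_samples(offsets_hz, fs=FS, n=N, real_only=False):
    """Simulate n complex-baseband samples of tones at the given offsets from the LO.

    After mixing against cos and sin, a tone f_off Hz from the LO becomes
    exp(j*2*pi*f_off*t).  real_only=True keeps only the I (cosine) channel,
    which is what a single real-valued ADC would deliver.
    """
    samples = []
    for k in range(n):
        t = k / fs
        z = sum(cmath.exp(2j * math.pi * f * t) for f in offsets_hz)
        samples.append(complex(z.real, 0.0) if real_only else z)
    return samples


def dft_peaks(samples, fs=FS, threshold=0.5):
    """Brute-force DFT; return the sorted offsets (Hz, rounded) of every bin whose
    magnitude is at least `threshold` times the strongest bin.  Bins at or above
    fs/2 are reported as negative offsets, as a waterfall centered on the LO does.
    """
    n = len(samples)
    mags = []
    for k in range(n):
        acc = sum(samples[m] * cmath.exp(-2j * math.pi * k * m / n) for m in range(n))
        mags.append(abs(acc))
    strongest = max(mags)
    peaks = []
    for k, mag in enumerate(mags):
        if mag >= threshold * strongest:
            f = k * fs / n
            if f >= fs / 2:
                f -= fs
            peaks.append(round(f))
    return sorted(peaks)


def iq_two_tones():
    """Property 1: I/Q keeps +120 kHz and -120 kHz apart."""
    return dft_peaks(baseband_samples([120_000, -120_000]))


def real_only_tone(sign):
    """A real-valued stream cannot tell +120 kHz from -120 kHz: either input
    produces energy in both the +120 kHz and -120 kHz bins."""
    return dft_peaks(baseband_samples([sign * 120_000], real_only=True))


def aliased_emitter():
    """Section 2.2 rule 3: an emitter 1.3 MHz above the LO lies outside the
    +/-1.2 MHz captured band and folds to a bin where no transmitter exists."""
    return dft_peaks(baseband_samples([1_300_000]))


def min_sample_rate(signal_bw_hz):
    """Section 2.2 rule 2: size the sample rate to about 1.25x the signal bandwidth."""
    return math.ceil(1.25 * signal_bw_hz)


if __name__ == "__main__":
    print("I/Q, two tones at +/-120 kHz :", iq_two_tones())
    print("I only, tone at +120 kHz     :", real_only_tone(+1))
    print("I only, tone at -120 kHz     :", real_only_tone(-1))
    print("I/Q, emitter at +1.3 MHz     :", aliased_emitter(), "(aliased)")
    print("sample rate for 200 kHz NBFM :", min_sample_rate(200_000))
```

The aliased case is the one worth staring at: the emitter at +1.3 MHz shows up at −1.1 MHz with full magnitude and no other symptom, which is exactly the "mystery signal where no real transmitter exists" the text warns about.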
2.3 The SDR receive chain at schematic depth
The receive chain in every modern SDR — RTL-SDR through HackRF through USRP — has the same canonical structure. The differences between products are in which stages are present, how configurable each stage is, and what silicon implements each stage. The block diagram:
ANTENNA → PRESELECTOR → LNA → MIXER → IF FILTER → ADC → DSP
  (1)        (2)        (3)    (4)       (5)      (6)   (7)
                                ↑
                              LO (8)
┌─────────────────────────────────────────────────────────────────────┐
│ (1) Antenna — captures RF energy; characterized by gain pattern, │
│ polarization, bandwidth. SMA / RP-SMA / U.FL connector. │
│ │
│ (2) Preselector — optional band-pass filter rejecting out-of-band │
│ emitters before the LNA saturates. RTL-SDR has none; HackRF has │
│ switched filter banks; high-end SDRs (Airspy HF+, SDRplay) have │
│ extensive multi-stage filtering. │
│ │
│ (3) LNA — low-noise amplifier. First active stage; sets the chain's │
│ noise figure. Gain is configurable on most SDRs (HackRF: 0/8/16 │
│ /24/32/40 dB front-end VGA; RTL-SDR: 0-49.6 dB R820T2 LNA gain).│
│ Excess gain at LNA causes mixer saturation; too little gain │
│ buries weak signals in the ADC quantization noise. Goldilocks. │
│ │
│ (4) Mixer — multiplies RF input by the local oscillator (8) to │
│ translate the signal to baseband (I/Q direct conversion) or to │
│ a non-zero IF (superheterodyne). Modern SDRs are mostly direct- │
│ conversion; the mixer output is already the complex baseband. │
│ HackRF uses an RFFC5072 wideband fractional-N synthesizer + │
│ MAX2839 baseband transceiver pair; RTL-SDR V4 uses R828D tuner. │
│ │
│ (5) IF / baseband filter — low-pass anti-alias filter limiting the │
│ baseband signal bandwidth to less than Fs/2 of the ADC. Often │
│ programmable (HackRF MAX2839 baseband filter is 1.75–28 MHz). │
│ │
│ (6) ADC — analog-to-digital converter. The bottleneck for dynamic │
│ range. RTL-SDR is 8-bit (~48 dB ideal SNR); HackRF is 8-bit │
│ (MAX5864); BladeRF 2.0 is 12-bit (~72 dB); USRP B2x0 is 12-bit; │
│ high-end USRP and AD9361-based SDRs are 12-bit; lab-grade SDR │
│ vector signal analyzers run 14- or 16-bit at lower sample rates.│
│ │
│ (7) DSP — digital signal processing in software (or FPGA, host CPU, │
│ or both). Demodulation, decimation, filtering, decoding. │
│ │
│ (8) Local oscillator — the tunable synthesizer that sets the mixer's│
│ translation frequency. Phase noise and tuning resolution here │
│ set the SDR's frequency precision. HackRF's RFFC5072 + a 25 MHz │
│ reference; RTL-SDR Blog V4's R828D tuner and built-in │
│ HF direct-sampling input are the major hardware upgrades │
│ from V3; both V3 and V4 carry a 1 PPM TCXO. │
└─────────────────────────────────────────────────────────────────────┘
Figure 13.1 — The canonical SDR receive chain. The differences between a $30 RTL-SDR Blog V4 and a $1,500 USRP B205mini-i are in which stages exist, how they’re implemented (silicon vs FPGA), and how configurable each is — not in the topology. The HackRF One sits in the middle: better front-end and synthesizer than the RTL-SDR, narrower dynamic range than the USRP, transmit capability that the RTL-SDR lacks.
2.4 The SDR transmit chain
Transmit is conceptually the receive chain in reverse, with one additional stage — the power amplifier — and one regulatory issue that does not apply to receive: transmit is regulated, and the same hardware that legally observes a signal may or may not be permitted to retransmit it on the same frequency. §7 treats the legal frame in full; the engineering block diagram:
DSP → DAC → RECONSTRUCTION FILTER → UPCONVERT → PA → ANTENNA
(1)   (2)           (3)               (4)      (5)     (6)
                                       ↑
                                     LO (7)
┌─────────────────────────────────────────────────────────────────────┐
│ (1) DSP generates I/Q baseband samples to be transmitted. │
│ (2) DAC converts I/Q samples to analog baseband voltages. │
│ (3) Reconstruction filter smooths the DAC steps into a continuous │
│ baseband waveform. │
│ (4) Upconvert mixer (mirror of RX mixer) translates baseband to RF. │
│ (5) Power amplifier brings the signal up to transmit power. HackRF │
│ PA is modest (~10 dBm typical, frequency-dependent); for higher │
│ power, the operator adds an external PA — the same stage that │
│ turns capability into a regulatory question. │
│ (6) Antenna radiates. Same antenna as RX in a half-duplex SDR. │
│ (7) LO can be the same one as RX (some SDRs share); HackRF, being │
│ half-duplex, uses the same synthesizer in RX and TX modes. │
└─────────────────────────────────────────────────────────────────────┘
Figure 13.2 — The SDR transmit chain. Half-duplex SDRs (HackRF, the RTL-SDR variants that gained TX, the Flipper Zero’s CC1101 in TX mode) use one mixer and synthesizer switched between RX and TX. Full-duplex SDRs (USRP B210, BladeRF 2.0 with separate TX/RX chains, LimeSDR Mini with the AD9361’s dual chains) carry both directions simultaneously — the cost is duplicated silicon. The PA stage (5) is the regulatory pinch point: the same baseband synthesis that legally drove a 50 mV/m field strength becomes an unlawful transmission if the operator adds a +30 dBm external amplifier and a high-gain antenna.
2.5 The four numbers that bound SDR capability
Four parameters bound what any given SDR can do for security research. They appear in the §6 comparison table as the columns the choice usually turns on:
| Parameter | What it bounds | Typical range across §6 gear |
|---|---|---|
| Frequency range | What protocols the SDR can tune to | 500 kHz (RTL-SDR Blog V4) → 6 GHz (HackRF, USRP B205) — but also 100 kHz–1.7 GHz (RTL-SDR original), 70 MHz–6 GHz (USRP B205 — no HF), 300–928 MHz with gaps (Flipper Zero CC1101) |
| Instantaneous bandwidth | How much spectrum the SDR can capture in one I/Q stream | 2.4 MHz (RTL-SDR Blog V4 stable) → 56 MHz (USRP B210, BladeRF 2.0 micro xA9) — most security work fits in 20 MHz (HackRF ceiling) |
| ADC resolution | Dynamic range; smallest signal observable against a strong neighbor | 8 bits / ~48 dB ideal (RTL-SDR, HackRF) → 12 bits / ~72 dB (BladeRF, USRP, ADALM-Pluto) → 14–16 bits (vector signal analyzers) |
| Transmit capability | Whether the SDR can transmit, half/full-duplex, output power | None (RTL-SDR) / half-duplex ~10 dBm (HackRF, Flipper CC1101) / full-duplex with adjustable power (USRP B205, BladeRF 2.0, LimeSDR Mini) |
Table 13.1 — The four numbers that bound SDR capability. Frequency range and bandwidth determine what you can observe; ADC resolution determines how cleanly you observe it; transmit capability determines what you can do with the captured signal. The §6 comparison table layers cost, form factor, and software ecosystem on top of these four physical-layer parameters.
The frequency-range column hides nuance — the headline number is the synthesizer’s coverage, but real-world usability also depends on the preselector / IF filter coverage, the LNA noise figure across band, and whether the antenna port is single-ended SMA (most common) or differential (some specialized boards). A HackRF tuned to 30 MHz technically supports the frequency but has noticeably worse noise figure than at 433 MHz where the chain is optimized. The §6 table column reports the headline; the device deep dives carry the band-by-band performance detail.
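As an added example (not from this volume or from any vendor's datasheet), the following model of stage (6) of Figure 13.1, the ADC, quantizes a sine to N bits and measures the resulting SNR, so the 8-bit versus 12-bit dynamic-range figures in Table 13.1 and the stage-(3) LNA-gain "Goldilocks" point can be seen as numbers. Full scale is normalized to ±1; the test amplitudes, bit depths, record length, and the textbook 6.02N + 1.76 dB ideal-SNR formula are the assumptions. The quantizer is a generic uniform rounding quantizer with hard clipping, not any specific chip's behaviour.

```python
import math

# Constructed model of stage (6) of Figure 13.1, an N-bit ADC with full scale
# normalized to +/-1.  Generic uniform rounding quantizer with hard clipping,
# not any vendor's silicon.  Used to put numbers on Table 13.1's ADC-resolution
# column and on the stage-(3) LNA-gain trade-off.


def quantize(x, bits):
    """Round x to one of 2**bits uniformly spaced codes spanning [-1, 1); inputs
    beyond full scale clip to the top or bottom code, as a real ADC does."""
    levels = 2 ** bits
    step = 2.0 / levels
    code = int(round(x / step))
    code = max(-levels // 2, min(levels // 2 - 1, code))
    return code * step


def probe_sine(amplitude, n=4096, cycles=37):
    """n samples of a sine with `cycles` periods per record; 37 is coprime with
    4096 so the quantization error is spread rather than locked to a pattern."""
    return [amplitude * math.sin(2 * math.pi * cycles * k / n) for k in range(n)]


def snr_db(clean, degraded):
    """Signal power over error power, the error being whatever the ADC model
    changed: quantization noise, clipping distortion, or both."""
    sig = sum(s * s for s in clean) / len(clean)
    err = sum((s - d) ** 2 for s, d in zip(clean, degraded)) / len(clean)
    return 10 * math.log10(sig / err)


def adc_snr_db(bits, amplitude):
    """SNR after an N-bit ADC digitizes a sine of the given amplitude
    (1.0 = full scale, 0.0316 = -30 dBFS, 2.0 = 6 dB of overdrive)."""
    clean = probe_sine(amplitude)
    return snr_db(clean, [quantize(v, bits) for v in clean])


def ideal_snr_db(bits):
    """Textbook full-scale quantization SNR, 6.02*N + 1.76 dB (about 6 dB per bit,
    the rule of thumb behind the ~48 dB / ~72 dB figures in Table 13.1)."""
    return 6.02 * bits + 1.76


def dbfs(amplitude):
    """Amplitude relative to full scale, in dB."""
    return 20 * math.log10(amplitude)


if __name__ == "__main__":
    weak = 10 ** (-30 / 20)   # -30 dBFS: LNA gain set too low for this signal
    for bits in (8, 12):
        print(f"{bits:2d}-bit ADC  ideal {ideal_snr_db(bits):5.1f} dB  "
              f"full-scale {adc_snr_db(bits, 0.99):5.1f} dB  "
              f"-30 dBFS {adc_snr_db(bits, weak):5.1f} dB  "
              f"6 dB overdrive {adc_snr_db(bits, 2.0):5.1f} dB")
```

Read the output as the two failure modes of stage (3): at −30 dBFS the 8-bit chain has roughly 20 dB of SNR left where the 12-bit chain keeps about 44 dB (too little gain), and 6 dB of overdrive collapses either chain to single-digit SNR through clipping distortion (too much gain).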
3. The RF spectrum map
The reference spectrum table for security tradecraft. Bands are ordered roughly by frequency; the typical capture difficulty column is a working estimate at the consumer-SDR level (RTL-SDR or HackRF with whip antenna), not at a lab-grade level.
| Band | Frequency | Use | Regulatory class | Typical capture difficulty |
|---|---|---|---|---|
| LF RFID | 125–134 kHz | EM4100 / HID Prox / Indala access cards; pet implants; livestock tags | Unlicensed inductive coupling; very short range (cm) | Easy — Proxmark3 or Flipper RFID antenna; not capturable by RTL-SDR / HackRF (below RTL-SDR V4 HF mode floor for usable SNR; cross-link Vol 15) |
| AM broadcast | 530–1700 kHz | Commercial AM radio | Licensed broadcast; receive unrestricted | Easy — RTL-SDR V3/V4 with direct-sampling or HF upconverter |
| HF amateur + shortwave | 1.8–30 MHz | Amateur radio (160 m through 10 m), shortwave broadcast, marine, aviation HF | FCC Part 97 (amateur — TX requires license); receive unrestricted | Easy receive (RTL-SDR V4 native HF) / moderate analysis (band-specific modulation knowledge) |
| HF NFC | 13.56 MHz | MIFARE / DESFire / FeliCa / ISO 14443 / ISO 15693 access cards; tap-to-pay; passport chips; smart-card readers | Unlicensed inductive coupling; very short range (cm) | Easy with Proxmark3 / Flipper NFC / ACR122U; cross-link Vol 15 |
| 6 m + 2 m amateur | 50 / 144 MHz | Amateur VHF | FCC Part 97 | Easy receive (RTL-SDR) |
| FM broadcast | 88–108 MHz | Commercial FM radio | Licensed broadcast | Easy — every SDR; canonical first-capture target |
| VHF aviation | 108–137 MHz | ATC voice (AM); VOR / ILS navigation; ACARS data; VOLMET weather; some military VHF | FAA/FCC licensed | Easy receive — RTL-SDR is the canonical aircraft-monitoring tool |
| VHF marine | 156–162 MHz | VHF marine voice; AIS at 161.975 / 162.025 MHz (vessel position data) | FCC Part 80 | Easy — rtl_ais decodes AIS into vessel position records |
| VHF land-mobile | 136–174 MHz | Public-safety, business, amateur 2 m | FCC Part 90 / Part 97 | Easy receive |
| 70 cm amateur | 420–450 MHz | Amateur UHF | FCC Part 97 | Easy receive |
| ISM 315 MHz (US) | 315 MHz (narrow) | TPMS (tire-pressure), garage doors, car-key fobs, weather stations, low-end remotes | FCC Part 15 (US) — low-power unlicensed | Easy capture, easy decode |
| ISM 433 MHz (EU/intl) | 433.05–434.79 MHz | Garage doors, key fobs (EU), remote sensors, RC, weather stations, the bulk of consumer wireless | ETSI EN 300 220 (EU); FCC Part 15 also allows | Easy capture, easy decode — the most populated single sub-GHz band |
| UHF land-mobile | 450–470 MHz | Public-safety, business, paging | FCC Part 90 | Easy receive; trunked systems require trunk-following SDR setup |
| ISM 868 MHz (EU) | 863–870 MHz | LoRa EU, Z-Wave EU, smart-meter EU, alarm systems | ETSI EN 300 220 | Moderate — many concurrent transmitters in dense areas |
| ISM 915 MHz (US) | 902–928 MHz | LoRa US, Z-Wave US, smart-meter US, 802.15.4 sub-GHz, industrial telemetry | FCC Part 15.247 (frequency-hopping spread spectrum), §15.249, §15.255 | Moderate — wider band, FHSS scattering signals; HackRF needed for full-band capture |
| GPS L1 | 1575.42 MHz | GPS civil signal; the satellite-navigation reference | International — receive unrestricted, retransmission via spoofing illegal | Hard — −130 dBm signal, broadband CDMA spread; requires active antenna or LNA + careful capture |
| GPS L2 / L5 | 1227.60 / 1176.45 MHz | Modernized GPS (L2C / L5) | Same as L1 | Hard |
| GSM 850 / DCS 1800 / PCS 1900 | 824–894 / 1710–1880 / 1850–1990 MHz | Legacy cellular voice and SMS — largely shut down in US (T-Mobile / AT&T 2G sunsets) but still operational in some markets | Licensed cellular carrier spectrum; ECPA bars interception of voice | Moderate — gr-gsm and others; legality is the harder problem than the capture |
| LTE bands | 700–900 / 1700–2100 / 2300–2700 / 3500 MHz | 4G LTE (US bands 2, 4, 5, 7, 12, 13, 17, 25, 26, 41, 66, 71, etc.) | Licensed cellular | Hard — wide-bandwidth OFDM; cellular protocol stack is a specialty |
| 5G NR | 600 MHz – 3.5 GHz (sub-6) / 24–40 GHz (mmWave) | 5G cellular | Licensed cellular | Hard sub-6, very hard mmWave |
| IMSI catcher detection | Across cellular bands | Defensive — passive observation of cellular base-station footprints to flag rogue cells | Receive only | See ../../Rayhunter/ — Rayhunter on Verizon Orbic RC400L is the canonical low-cost detection platform |
| ADS-B | 1090 MHz | Aircraft position broadcast (1090ES Mode-S extended squitter) | Licensed transponder; receive unrestricted | Easy — dump1090, rtl_sdr, FlightAware, ADSBexchange — the canonical RTL-SDR demo |
| Iridium pagers / data | 1616–1626 MHz | Iridium satellite-phone TDMA bursts, paging | Licensed satellite | Moderate — gr-iridium |
| Inmarsat-C | 1525–1559 MHz (down) | Inmarsat satellite messaging | Licensed satellite; receive unrestricted | Moderate — JAERO, scytale-c |
| ISM 2.4 GHz | 2400–2483.5 MHz | Wi-Fi 2.4 GHz; Bluetooth Classic + BLE; Zigbee 802.15.4; many RC drones; cordless devices; ANT+ | FCC Part 15 / ETSI | Moderate (Wi-Fi) — see Vol 14; HackRF is at the edge of usefulness for 802.11 |
| ISM 5 GHz / U-NII | 5150–5895 MHz | Wi-Fi 5/6/6E; some 5 GHz Wi-Fi-Direct | FCC Part 15.247 / §15.407 (U-NII) | Moderate — same as 2.4 GHz framing; cross-link Vol 14 |
| Wi-Fi 6E / 6 GHz | 5925–7125 MHz | Wi-Fi 6E and 7 in the new 6 GHz unlicensed band | FCC Part 15 (2020 expansion) | HackRF cuts off at 6 GHz; needs specialized 6 GHz-capable SDR |
Table 13.2 — The RF spectrum from 100 kHz to ~7 GHz, ordered by frequency, with the security-relevant uses, the regulatory class, and a working estimate of capture difficulty at the consumer-SDR level. The table is reference-only — bands beyond the consumer-SDR ceiling (satellite Ku-band downlinks, microwave point-to-point, mmWave 5G, radar bands) are not included because the consumer SDR catalog can’t capture them usefully. ISM bands are the population center for sub-GHz security work: 315 MHz (US), 433.92 MHz (EU and international), 868 MHz (EU), 915 MHz (US) carry the bulk of the consumer-device wireless surface. The Wi-Fi / BLE band coverage is sketched here for orientation but treated at depth in Vol 14; the LF/HF RFID/NFC bands are sketched but treated at depth in Vol 15.
A few observations from the table that drive operator behavior in the field. The most populated single sub-GHz band is 433.92 MHz — the EU-and-international consumer-wireless population center, also widely used in US devices because Part 15 §15.231 permits the band. Any sub-GHz survey of an unknown environment starts there. The 315 MHz US TPMS population is uniformly Manchester-encoded ASK/OOK — once decoded for one vehicle, the same demodulator works for most. The 868 / 915 MHz LoRa population is asymmetric: LoRa modulation is chirp spread spectrum (CSS), not OOK/FSK, so the canonical rtl_433 won’t decode it; LoRa needs gr-lora or rpitx-LoRa or dedicated LoRa gateway hardware. GPS L1 is hard for the right reasons: the signal arrives at roughly −130 dBm, below the thermal noise floor, and is recovered only by CDMA correlation; passive observation of raw GPS at the antenna shows nothing usable on a waterfall, because the GPS receiver does the heavy lifting in the correlation engine, not in the analog chain.
4. Sub-GHz in practice
The sub-GHz attack and research surface — 300 MHz to 1 GHz, the population center of consumer wireless that isn’t Wi-Fi/BLE/cellular — is the historical heart of RF security research and remains the most accessible. The hardware barrier to entry is low (RTL-SDR + Flipper Zero covers most of the field); the protocols are usually simpler than the cellular/Wi-Fi stack; and the device population is enormous — every garage door, every TPMS sensor, every weather station, every cheap remote, every car key fob, much industrial telemetry, much of the IoT smart-meter footprint, all live here.
4.1 The 315 / 433 / 868 / 915 MHz band assignments
Four narrow ISM bands carry essentially all consumer sub-GHz wireless:
- 315 MHz (US) — narrow allocation around 315.0 MHz; the US-market consumer-remote band. TPMS sensors, garage-door openers (older), some car-key fobs, some weather-station transmitters. FCC Part 15 §15.231 limits field strength.
- 433.92 MHz (EU and international, also widely used in US) — the global consumer-device band. ETSI EN 300 220 in Europe; FCC Part 15 §15.231 in the US. Garage doors, weather stations, the bulk of cheap-Aliexpress-remote traffic, low-power-keyfob, RC, alarm sensors, doorbells. Most populous single band globally.
- 868 MHz (EU) — the European LoRa band, Z-Wave EU, smart-meter EU, some alarm systems. ETSI EN 300 220.
- 915 MHz (US) — the US ISM equivalent — LoRa US, Z-Wave US, smart-meter US, 802.15.4 sub-GHz, industrial telemetry. FCC Part 15.247 (frequency-hopping spread spectrum at up to 1 W) and §15.249 (low-power). Wider than its EU sibling at 902–928 MHz.
The Flipper Zero’s CC1101 covers 300–348 MHz, 387–464 MHz, and 779–928 MHz with gaps in between — by design, the gaps fall outside the populated ISM-band islands. The HackRF covers 1 MHz – 6 GHz contiguously, so the band gaps are absent; this is the main capability difference at the sub-GHz layer (the Flipper trades coverage flexibility for a polished UI and protocol-decoder library). RTL-SDR V4 covers up to 1.766 GHz contiguously: it can tune anywhere across the sub-GHz spectrum on receive; the only thing it can’t do is transmit.
4.2 The protocol-family taxonomy
The sub-GHz device population is dominated by a small set of recurring protocol families. The taxonomy:
SUB-GHZ PROTOCOL TAXONOMY
─────────────────────────
┌─────────────────────┐
│ CONSUMER REMOTES │
└──────────┬──────────┘
│
┌──────────────────────────┼──────────────────────────┐
│ │ │
┌──────────▼──────────┐ ┌──────────▼──────────┐ ┌──────────▼──────────┐
│ FIXED-CODE │ │ ROLLING-CODE │ │ PROTOCOL-LIBRARY │
│ (replay defeats) │ │ (capture+replay │ │ (proprietary; │
│ │ │ defeats vary) │ │ documented) │
│ OOK/ASK Manchester│ │ │ │ │
│ typical; raw │ │ KeeLoq (Microchip │ │ FAAC, Nice, │
│ binary at 1-10 │ │ HCS200/HCS301): │ │ Star Line, BFT, │
│ kbps. Garage │ │ 28-bit serial + │ │ Hörmann, Holtek, │
│ doors pre-2000, │ │ 16-bit counter + │ │ etc. Flipper │
│ older keyfobs, │ │ discriminator; │ │ subghz protocol │
│ doorbells, │ │ AES-encrypted │ │ library carries │
│ cheap remotes, │ │ counter. Hitag2. │ │ ~80 decoders. │
│ weather stations │ │ AES-128 modern │ │ │
│ (often unsigned), │ │ automotive (most │ │ │
│ pet collars. │ │ 2015+). │ │ │
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
┌─────────────────────┐
│ INDUSTRIAL / IoT │
└──────────┬──────────┘
│
┌──────────────────────────┼──────────────────────────┐
│ │ │
┌──────────▼──────────┐ ┌──────────▼──────────┐ ┌──────────▼──────────┐
│ LoRa / LoRaWAN │ │ Z-Wave (700 / 800)│ │ 802.15.4 sub-GHz │
│ │ │ │ │ │
│ Chirp Spread │ │ GFSK, mesh │ │ Industrial mesh │
│ Spectrum (CSS), │ │ networking, │ │ (Wi-SUN, JupiterX,│
│ long range (km), │ │ AES-128 in modern │ │ smart-meter), AES │
│ sub-bps to │ │ stack. EU 868 │ │ in spec, often │
│ ~30 kbps. EU 868, │ │ MHz, US 908.4 MHz.│ │ poorly deployed. │
│ US 902-928 MHz. │ │ │ │ │
│ gr-lora decoder. │ │ │ │ │
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
┌─────────────────────┐
│ SENSORS / TELEMETRY│
└──────────┬──────────┘
│
┌──────────────────────────┼──────────────────────────┐
│ │ │
┌──────────▼──────────┐ ┌──────────▼──────────┐ ┌──────────▼──────────┐
│ TPMS │ │ Weather stations │ │ Pagers / POCSAG / │
│ │ │ │ │ FLEX │
│ 315 MHz (US) / │ │ 433/915 MHz, OOK/ │ │ │
│ 433 MHz (EU) │ │ FSK Manchester, │ │ 138-174 MHz / │
│ FSK Manchester │ │ typically no auth.│ │ 929-932 MHz; FSK; │
│ most ID + pres- │ │ Acurite, Oregon │ │ plaintext │
│ sure + temp + V. │ │ Scientific, Davis,│ │ transmission of │
│ No auth; ~280 │ │ LaCrosse, etc. │ │ numeric/alpha │
│ decoders in │ │ rtl_433 decodes │ │ pages. multimon-ng│
│ rtl_433. │ │ most. │ │ decodes. │
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
Figure 13.3 — The sub-GHz protocol-family taxonomy. Three branches: consumer remotes (replay tradecraft applies — see §4.3 below), industrial / IoT mesh protocols (the modern crypto-protected stack — replay is largely defeated for compliant deployments), and sensors / telemetry (the largest population, mostly unencrypted broadcasts that anyone can capture and decode but few can actually attack at a meaningful level). The taxonomy is not exhaustive — proprietary corner cases exist — but the working operator knows which branch a given signal belongs to within minutes of capture, and the branch determines what the next move is.
4.3 Replay-attack defeats — what works against what
The sub-GHz security-research workflow is dominated by replay: capture a transmission, replay it later, see what happens. The replay-attack landscape, summarized:
| Protocol family | Replay defeat | Typical example | Capture-and-replay outcome |
|---|---|---|---|
| Fixed-code OOK/ASK | None | Pre-2000 garage doors; cheap doorbells; weather stations; pet collars | Successful — the same captured signal opens the door on replay every time |
| Rolling-code (KeeLoq HCS-series, no key) | Counter rotation | Older car-key fobs; mid-1990s through 2010s garage doors; many gate openers | Single replay defeated; but rolling-code can be defeated by jam-and-replay (Kamkar’s RollJam 2015 DEF CON) or by counter resync tricks |
| Rolling-code (modern AES-128) | AES-encrypted counter | Modern (2015+) automotive keyfobs from most major manufacturers; modern smart locks | Replay defeated; capture-and-replay attack class largely closed for compliant implementations |
| Hitag2 | Proprietary stream cipher | Some older European automotive (VW Group 2009-2015 had Hitag2-related research findings) | Cipher has known cryptographic weaknesses (publicly disclosed); not a simple capture-and-replay defeat but not full security either |
| LoRaWAN | AES-128 frame + network keys | Industrial telemetry, smart agriculture, low-power WAN | Captured frame is encrypted at application + network layers; replay defeated unless join keys are compromised |
| Z-Wave (700/800) | S2 security (AES-128 + ECDH key exchange) | Smart-home devices on Z-Wave 700+ | Replay defeated for S2-secured devices; legacy S0 has known issues |
| TPMS | None | Tire-pressure sensors on every modern car | Captured signal can be replayed; the attack class is “spoof a false tire-pressure reading,” which is interesting for academic research but rarely an operational attack |
| Industrial 802.15.4 sub-GHz | Wi-SUN security profile | Smart-meter, distribution-automation, industrial mesh | Wi-SUN is AES-128-secured; replay defeated. Older / non-compliant deployments are vulnerable. |
| Wireless doorbell / chime | None | $20 Aliexpress doorbells; intercom-grade chimes | Successful — fixed-code, no authentication. Documented for years; still ships. |
| Garage door (modern, since ~2010) | Rolling-code (KeeLoq or proprietary) | Modern Genie, LiftMaster, and Chamberlain openers | Single capture-and-replay defeated; RollJam-class attacks possible against specific implementations |
Table 13.3 — Sub-GHz protocol families and the replay-attack defeats. The pattern is clear: pre-2000 consumer wireless is generally fixed-code (capture-and-replay works); the 2000s introduced rolling-code KeeLoq (single replay defeated but jam-and-replay possible); the 2015+ generation uses AES-encrypted counters (replay closed for compliant implementations); industrial/IoT protocols that use AES-128 frame encryption (LoRaWAN, modern Z-Wave, Wi-SUN) are replay-defeated when correctly deployed. The exception that proves the rule is the sensor population — TPMS, weather stations, doorbells — which is uniformly unauthenticated because the threat model doesn’t justify the per-device cost of crypto; an attacker can spoof readings, but the practical exploit value is limited.
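A receiver-side model of the first two rows of Table 13.3, added here as an illustration and not any vendor’s implementation: a fixed-code receiver accepts the same frame forever, while a counter-synchronized rolling-code receiver rejects a replayed frame because its counter is not ahead of the last one accepted, and also rejects a fob that has run too far ahead (the desync case that real receivers handle with a resync procedure). HMAC-SHA256 stands in for the KeeLoq/AES keyed transform; the frame layout, window size, serial and key are constructed assumptions.

```python
import hashlib
import hmac
import struct

WINDOW = 16   # assumed: how many presses the fob may be ahead of the receiver (presses out of range)


class FixedCodeReceiver:
    """Table 13.3 row 1: the frame itself is the credential, so any replay of it is accepted."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


def rolling_tag(key: bytes, serial: int, counter: int) -> bytes:
    """Stand-in for the KeeLoq/AES encryption of the counter: a truncated keyed MAC over
    serial || counter. Constructed frame layout: 4-byte serial, 2-byte counter, 4-byte tag."""
    return hmac.new(key, struct.pack(">IH", serial, counter), hashlib.sha256).digest()[:4]


class RollingCodeFob:
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self) -> bytes:
        self.counter += 1   # the counter advances on every press; that is the whole defence
        return struct.pack(">IH", self.serial, self.counter) + rolling_tag(self.key, self.serial, self.counter)


class RollingCodeReceiver:
    """Table 13.3 row 2 in simplified form: the keyed counter must be authentic and strictly ahead."""

    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.last_counter = key, serial, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 10:
            return False
        serial, counter = struct.unpack(">IH", frame[:6])
        if serial != self.serial or not hmac.compare_digest(frame[6:], rolling_tag(self.key, serial, counter)):
            return False
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False   # replayed (counter not ahead) or desynchronized (too far ahead)
        self.last_counter = counter
        return True


def replay_outcomes() -> dict:
    """A live press, then a replay of the very same captured frame, against each receiver type."""
    fixed_code = b"\xa5\x5a\x3c"                      # constructed 24-bit fixed code
    fixed_rx = FixedCodeReceiver(fixed_code)
    key, serial = b"constructed-per-device-key", 0x12345678
    fob, rolling_rx = RollingCodeFob(key, serial), RollingCodeReceiver(key, serial)
    captured = fob.press()                            # the frame an observer could have recorded
    live = rolling_rx.accept(captured)
    replay = rolling_rx.accept(captured)
    for _ in range(WINDOW + 1):                       # fob pressed out of range: counter runs ahead
        far_ahead = fob.press()
    return {
        "fixed_live": fixed_rx.accept(fixed_code),
        "fixed_replay": fixed_rx.accept(fixed_code),
        "rolling_live": live,
        "rolling_replay": replay,
        "rolling_out_of_window": rolling_rx.accept(far_ahead),
    }


if __name__ == "__main__":
    for name, ok in replay_outcomes().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```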
4.4 The two tools for sub-GHz tradecraft
For sub-GHz work specifically, two tools dominate practitioner workflows: the Flipper Zero for operational handheld use, and the HackRF One for research and arbitrary signal generation. They are complementary, not substitutes.
The Flipper Zero is a CC1101-based sub-GHz handheld with a polished UI, a built-in protocol-decoder library covering ~80 documented sub-GHz protocols (KeeLoq, Faac, Nice, Star Line, Hörmann, Holtek, Princeton, and many more), and the canonical capture-and-replay workflow built into the firmware as a five-tap operation: Sub-GHz → Read → wait for signal → Save → Send. The Flipper’s strengths are the integrated protocol decoders, the handheld form factor (it goes in a pocket where a HackRF doesn’t), and the absolute beginner-accessibility of the workflow. Its limitations are the CC1101 chip’s coverage (300–348, 387–464, 779–928 MHz only, with gaps), the modest TX power (~12 dBm), and the lack of wideband capture (single-channel, narrow-band only — the Flipper isn’t doing 20 MHz waterfall analysis).
The HackRF One is the workhorse SDR. 1 MHz – 6 GHz contiguous tuning, 20 MS/s sample rate, half-duplex transmit-and-receive, an open-source firmware stack (Mike Walters / Michael Ossmann), broad host-software support (hackrf_transfer, GNU Radio, SDR#, GQRX, SDRangel, URH). For sub-GHz security research specifically, the HackRF advantages over the Flipper are: wideband capture (record 20 MHz at once and analyze any signal in post), arbitrary signal generation (transmit a Python-generated I/Q file at any frequency), no built-in protocol restrictions (the firmware doesn’t decide what’s a “legitimate” decoder), and the full GNU Radio + URH toolchain available downstream. The HackRF’s limitations are the form factor (bench instrument, not field), the 8-bit ADC (limited dynamic range — strong adjacent signals can saturate the chain), and the modest TX power (~10 dBm; serious work needs an external PA, which raises regulatory questions per §7).
Both tools have full deep dives in the Hack Tools hub. For the Flipper’s sub-GHz subsystem at chip-and-firmware depth — CC1101 register sequences, the firmware’s subghz protocol library architecture, the read-RAW / frequency-analyzer / static-rolling distinction in the firmware UI — see Flipper_Zero_Complete.html. For the HackRF at silicon depth — MAX2839 / RFFC5072 / MAX5864 silicon, the r1-r10 revision history, the Clifford Heath modifications on tjscientist’s specific unit, the bias-T, the firmware ecosystem — see HackRF_One_Complete.html. For the integrated handheld HackRF descendant from OpenSourceSDRLab, see PortaRF_Complete.html.

Figure 13.4 — Flipper Zero running its sub-GHz scanning mode on 433 MHz AM. Photo: File:Flipper Zero.jpg by Turbospok. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AFlipper%20Zero.jpg).
5. The capture-analyze-replay workflow
The canonical sub-GHz security-research workflow has three phases — capture, analyze, replay — that map cleanly onto three distinct toolchains. The capture phase produces an I/Q file; the analyze phase reverse-engineers the protocol from the I/Q file; the replay phase regenerates the modulated signal and transmits it (in the operator’s own RF space, against the operator’s own devices — see §7).
5.1 Capture — getting an I/Q file from the antenna
The capture step has the simplest tool surface. Three command lines cover the vast majority of practical use:
# RTL-SDR Blog V4 — capture 2 MS/s I/Q stream at 433.92 MHz for 5 seconds
rtl_sdr -f 433920000 -s 2048000 -g 40 -n 10240000 capture_433.iq
# HackRF One — capture 8 MS/s I/Q stream at 315 MHz for 10 seconds
hackrf_transfer -r capture_315.iq -f 315000000 -s 8000000 -l 16 -g 40 -n 80000000
# Flipper Zero — capture is built into the firmware (Sub-GHz menu → Read);
# saves to /any/subghz/<name>.sub on the SD card in a text key-value format
# that the Flipper's protocol library decodes natively. No host shell needed.
Figure 13.5 — Three canonical capture commands. The -f flag sets the center frequency in Hz; the -s flag sets the sample rate in S/s; the -g flag sets gain; the -n flag sets the number of complex samples to capture (sample rate × seconds, as in the commands above; each sample is an I/Q byte pair, so the file on disk is twice that many bytes). The RTL-SDR’s rtl_sdr and the HackRF’s hackrf_transfer both write interleaved I/Q files — by convention the RTL-SDR writes unsigned 8-bit I/Q pairs (uint8), and the HackRF writes signed 8-bit I/Q pairs (int8); downstream tools need to know which.
A few practical details that bite people on the first capture:
- File format mismatch. RTL-SDR’s `rtl_sdr` writes uint8 interleaved I/Q. HackRF’s `hackrf_transfer` writes int8 interleaved I/Q. URH and Inspectrum both ask which is which on import; getting it wrong produces a “looks like noise” capture. GNU Radio’s File Source block likewise needs the byte format set correctly.
- Gain set too high. With the LNA + IF + baseband gain all maxed, a strong nearby transmitter saturates the chain and produces signal-shaped clipping artifacts that look like real signals on a waterfall. Working practice: start with moderate gain (LNA 16-24 dB, IF/baseband around half-scale), increase only if the target signal is buried in noise.
- Center frequency offset. Manufacturing tolerance on the SDR’s reference crystal puts the actual center frequency a few PPM off the nominal. At 433 MHz, a 30 PPM offset is 13 kHz — easily enough to push a 10 kHz-wide signal partially off the analyzed bandwidth. RTL-SDR Blog V4’s 1 PPM TCXO largely eliminates this; older RTL-SDR V1/V2 dongles need manual PPM correction (`rtl_test -p` then `rtl_sdr -p <ppm>`).
- Capture duration vs disk space. I/Q at 2 MS/s with 2 bytes per sample (one for I, one for Q) is 4 MB/s. 8 MS/s is 16 MB/s. A one-minute capture at HackRF’s full 20 MS/s is 2.4 GB. SSDs handle this without trouble; spinning disks may not. Practical sub-GHz captures are typically 1-30 seconds long — enough for a few protocol transmissions.
5.2 Analyze — from I/Q file to decoded symbols
The analysis phase is where the workflow’s center of gravity sits. Three tools cover the bulk of practitioner workflows; each has its own strength.
Universal Radio Hacker (URH) by Johannes Pohl is the most-used single tool for sub-GHz protocol reverse engineering. URH was published academically at USENIX WOOT 2018 (“Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols”) and is open-source on GitHub (jopohl/urh). The workflow URH supports is: load an I/Q file → visualize the captured signal on a waterfall and as I/Q traces → identify the modulation by eye (OOK vs FSK is visually obvious; bit rate is visually estimable) → set demodulator parameters → URH extracts a bitstream → URH attempts protocol-field assignment (preamble, sync, payload, CRC) — automatically rule-based or manually by the operator → URH generates the regenerated bitstream → URH transmits via HackRF (the RTL-SDR’s chip is receive-only, so TX needs a HackRF) or exports an I/Q file for hackrf_transfer -t. URH’s killer feature for sub-GHz tradecraft is the protocol field assignment + fuzzing combination — the operator can twiddle individual fields and see the resulting bitstream, which makes it the natural tool for “what changes when I press button 2 versus button 1” reverse engineering.
Inspectrum is the lightweight visual-analysis tool. Inspectrum is a waterfall viewer with cursor-driven measurement — drop two cursors on a signal, get the time delta and frequency span; mark a region, measure symbol rate and bandwidth. It doesn’t decode anything; it tells you what’s there so you know what to decode. For “I have an unknown signal and I don’t know what frequency it sits at or how wide it is,” Inspectrum answers the question faster than URH. URH for protocol work, Inspectrum for first-look analysis.
GNU Radio Companion (GRC) is the heavyweight option — a graphical flowgraph editor for the GNU Radio framework, where the operator wires up blocks (File Source → Throttle → FFT → Frequency Sink, or RTL-SDR Source → Low Pass Filter → Quadrature Demod → File Sink) to build custom signal-processing chains. For the protocol families where URH’s automated assignment fails — LoRa CSS modulation, exotic phase modulations, anything multi-carrier — GRC is the workshop. The downside is the learning curve: GRC is a competent DSP framework, not a one-page tutorial. Michael Ossmann’s “Software Defined Radio with HackRF” video series (Great Scott Gadgets, free) remains the canonical introduction; it’s the single best resource for someone who wants to use GNU Radio for security research specifically.

Figure 13.6 — GNU Radio Companion (GRC) showing a flowgraph. Photo: File:GNU Radio Companion (3.8.1.0) Screenshot.png by Marcusmueller ettus. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AGNU%20Radio%20Companion%20(3.8.1.0)%20Screenshot.png).
rtl_433 is the protocol-decoder-of-last-resort for the sensor/telemetry population: weather stations, TPMS, doorbells, energy monitors, ~500+ documented sub-GHz device formats. It runs as a daemon that monitors an RTL-SDR live and decodes everything it recognizes onto stdout as JSON. For “what’s transmitting in my neighborhood at 433 MHz,” rtl_433 -F json answers the question in real time. For “what’s the protocol family of this specific device,” running rtl_433 -A -G against a capture (rtl_433 -r <file>; -A turns on the pulse analyzer for unrecognized signals, -G also enables the decoders that are off by default) often identifies it without manual reverse-engineering work.
5.3 Replay — back through the antenna
The replay phase is conceptually the inverse of capture: load an I/Q file or regenerated bitstream into the SDR’s TX chain, retransmit on the same frequency. Three tools dominate:
# HackRF — replay a captured I/Q file directly via hackrf_transfer -t
# (signed 8-bit interleaved; same format hackrf_transfer wrote on capture).
# -f and -s must match the capture settings, or the burst comes back on the
# wrong frequency at the wrong speed; an rtl_sdr uint8 capture has to be
# converted to int8 before hackrf_transfer can play it.
hackrf_transfer -t capture_315.iq -f 315000000 -s 8000000 -x 30
# GNU Radio — File Source (byte/i8) → IChar To Complex → osmocom Sink → transmit.
# Same flowgraph topology as RX in reverse, with the file as the source
# instead of the antenna.
# Flipper Zero — Sub-GHz menu → saved captures → Send. The Flipper handles
# the captured-signal + protocol-library + TX path internally; for fixed-code
# OOK/ASK signals against the operator's own devices, this is the lowest-
# friction replay workflow in the lineup.
Figure 13.7 — Three canonical replay commands. The HackRF’s -x 30 flag sets the TX VGA gain (0-47 dB); start low and increase. The Flipper’s UI-driven replay is functionally equivalent for fixed-code OOK protocols but doesn’t carry the same operational flexibility (the Flipper won’t replay an arbitrary I/Q file; it only replays signals in formats its protocol library understands).
A worked example at the methodology level — a fixed-code garage-door capture-decode-replay round trip on the operator’s own equipment. The walk-through is intentionally methodological rather than operational; it summarizes the published URH documentation:
- Hypothesize the frequency and modulation. Pre-2000 garage-door openers in the US use 315 MHz; in EU/intl markets 433.92 MHz. Modulation is universally OOK/ASK with Manchester encoding at 1-10 kbps. Open URH; tune RTL-SDR to 433.92 MHz at 1 MS/s sample rate; trigger the garage opener while recording.
- Identify the burst on the waterfall. URH’s waterfall shows the 433 MHz OOK burst as a series of ON/OFF intervals around a 100 ms total transmission. Cursor-measure the symbol period; for a typical garage opener it’s around 500 μs (2 kbps).
- Demodulate to a bitstream. URH’s automated demodulator detects OOK and Manchester encoding, extracts the bitstream — a typical garage-opener message is ~24-66 bits long including preamble.
- Identify protocol structure. Repeat the capture two or three times. If the bitstream is identical each time, it’s fixed-code — the same code opens the door every time. If the bitstream differs in a predictable counter-rotating way, it’s rolling-code — the captured code won’t replay (and the operator should switch to studying KeeLoq weaknesses rather than naive replay).
- Regenerate and replay. For fixed-code: URH generates the modulated I/Q file from the demodulated bitstream; `hackrf_transfer -t` (or URH’s built-in HackRF TX) retransmits at 433.92 MHz; the door opens. Working confirmation of capture → analyze → replay.
The point of the walk-through is the methodology: the operator isn’t bypassing security in the cryptographic sense (a fixed-code garage-door opener has none); the operator is exercising the workflow for understanding. The specific consumer-device population that’s still vulnerable to this attack has been documented at length in URH’s papers and in the rtl_433 protocol database; nothing in the walk-through above is novel disclosure. The legal and ethical framing — operate on hardware you own, in RF space you control — is the load-bearing constraint, treated in §7 below and in the project-wide baseline at ../../_shared/legal_ethics.md.
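The analyze step of the walk-through, written out as runnable Python (an added example, not URH’s code or anything from the page): it loads an 8-bit I/Q file in either the rtl_sdr (uint8) or hackrf_transfer (int8) byte layout from §5.1, envelope-detects the OOK burst, slices it into Manchester chips at the 2 kbps rate the walk-through assumes, and compares repeated presses to classify fixed-code versus rolling-code. The 100 kS/s sample rate, 25-sample chip length, leading sync bit and the constructed bursts are assumptions; the same block covers the §5.1 file-format pitfall, since reading a uint8 capture as int8 turns the pre-burst silence into full-scale noise.

```python
import math
import random
import struct

SAMPLE_RATE = 100_000   # S/s; constructed, deliberately low so pure Python stays quick
CHIP_LEN = 25           # samples per Manchester half-bit: 250 us, so 500 us bits, so 2 kbps
SYNC_BIT = "1"          # assumed leading sync bit so the burst always opens with an ON chip


def manchester_encode(bits: str) -> str:
    """1 -> '10', 0 -> '01' (G.E. Thomas convention; assumed, check it against the target)."""
    return "".join("10" if b == "1" else "01" for b in bits)


def manchester_decode(chips: str) -> str:
    out = []
    for i in range(0, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair not in ("10", "01"):
            raise ValueError(f"invalid Manchester pair {pair!r} at chip {i}")
        out.append("1" if pair == "10" else "0")
    return "".join(out)


def synth_capture(code: str, fmt: str, freq_offset_hz: float = 1_000.0, seed: int = 1) -> bytes:
    """Constructed stand-in for a real capture: one OOK burst with 100 silent samples either side,
    written in rtl_sdr (fmt='rtl', uint8) or hackrf_transfer (fmt='hackrf', int8) byte layout."""
    rng = random.Random(seed)
    chips = manchester_encode(SYNC_BIT + code)
    amps = [0.0] * 100 + [0.8 if c == "1" else 0.0 for c in chips for _ in range(CHIP_LEN)] + [0.0] * 100
    out, phase = bytearray(), 0.0
    for a in amps:
        i = a * math.cos(phase) + rng.gauss(0, 0.02)
        q = a * math.sin(phase) + rng.gauss(0, 0.02)
        phase += 2 * math.pi * freq_offset_hz / SAMPLE_RATE   # a crystal PPM error looks like this
        for v in (i, q):
            if fmt == "rtl":                                  # unsigned, 127.5 is zero
                out.append(max(0, min(255, round(127.5 + 127.5 * v))))
            else:                                             # signed two's complement
                out += struct.pack("b", max(-128, min(127, round(127 * v))))
    return bytes(out)


def load_iq(raw: bytes, fmt: str) -> list:
    """Interleaved 8-bit I/Q bytes -> complex floats in [-1, 1]. fmt must match the capturing tool."""
    if fmt == "rtl":
        vals = [(b - 127.5) / 127.5 for b in raw]
    elif fmt == "hackrf":
        vals = [b / 128.0 for b in struct.unpack(f"{len(raw)}b", raw)]
    else:
        raise ValueError("fmt must be 'rtl' (uint8) or 'hackrf' (int8)")
    return [complex(vals[k], vals[k + 1]) for k in range(0, len(vals) - 1, 2)]


def leading_noise_floor(samples, n: int = 50) -> float:
    """Mean envelope of the first n samples. Near zero when the recording started in silence;
    importing with the wrong byte format turns that silence into full-scale 'noise'."""
    return sum(abs(z) for z in samples[:n]) / n


def ook_chips(samples, chip_len: int = CHIP_LEN) -> str:
    """Envelope-detect the OOK burst and sample the middle of each chip. The frequency offset
    rotates the I/Q phasor but leaves |z| alone, which is why OOK tolerates a few PPM of error."""
    env = [abs(z) for z in samples]
    thr = 0.5 * max(env)
    on = [k for k, e in enumerate(env) if e > thr]
    start, last_on = on[0], on[-1]
    n_chips = round((last_on + 1 - start) / chip_len)
    chips = "".join("1" if env[start + k * chip_len + chip_len // 2] > thr else "0" for k in range(n_chips))
    if len(chips) % 2:   # a trailing OFF chip is invisible to burst-end detection; Manchester needs pairs
        chips += "0"
    return chips


def decode_capture(raw: bytes, fmt: str) -> str:
    """Bytes on disk -> code bits, with the sync bit stripped."""
    return manchester_decode(ook_chips(load_iq(raw, fmt)))[len(SYNC_BIT):]


def classify(captures: list, fmt: str) -> str:
    """Step 4 of the walk-through: identical bitstreams across presses mean fixed-code."""
    codes = {decode_capture(c, fmt) for c in captures}
    return "fixed-code" if len(codes) == 1 else "rolling-code"


if __name__ == "__main__":
    code = "101100111000010111101001"   # constructed 24-bit fixed code
    presses = [synth_capture(code, "rtl", seed=s) for s in (1, 2, 3)]
    print(decode_capture(presses[0], "rtl"), classify(presses, "rtl"))
    print("right format:", round(leading_noise_floor(load_iq(presses[0], "rtl")), 3),
          "wrong format:", round(leading_noise_floor(load_iq(presses[0], "hackrf")), 3))
```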
5.4 Where the workflow extends — fuzzing and protocol simulation
Beyond capture-analyze-replay, URH supports two more advanced workflows that round out the operator’s toolkit:
- Fuzzing — twiddle individual protocol fields and observe the effect. URH’s Generator tab lets the operator define a message template with named fields (preamble, address, command, checksum) and iterate over field values, transmitting each variant in sequence. For a non-trivially-secured protocol with known fields but unknown semantics, fuzzing identifies field meanings by behavior.
- Stateful simulation — URH’s Simulator tab supports two-party protocol exchanges (operator’s SDR plays one role; the target device plays the other). For challenge-response protocols where a single captured transmission isn’t enough (the device expects a counter-response from the controller), the simulator can stand in. This is the WOOT 2018 paper’s contribution — most prior tools handled stateless protocols only.
These workflows are documented at length in URH’s GitHub and in the WOOT 2018 paper; they’re listed here so the reader knows where the next layer of depth lives when capture-analyze-replay isn’t enough.
6. The gear — SDR hardware comparison
The comparison table for the SDR hardware that Hack Tools covers, organized for the “which one do I reach for?” decision. Cost figures are early-2026 reference points; verify against vendor sites before quoting.

Figure 13.8 — HackRF One PCB. Photo: File:HackRF One (15131430332).jpg by SparkFun Electronics from Boulder, USA. License: CC BY 2.0 (https://creativecommons.org/licenses/by/2.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AHackRF%20One%20(15131430332).jpg).
| Tool | Cost (early 2026) | Frequency range | Sample rate / BW | TX? | ADC | Best at | Deep dive cross-ref |
|---|---|---|---|---|---|---|---|
| RTL-SDR Blog V3 | $30 (dongle) / $40 (kit) | 500 kHz – 1.766 GHz (TCXO + HF direct-sampling via SMA bias-T / antenna-port switching; pre-V4 implementation) | 2.4 MHz stable / 3.2 MHz peak | No | 8-bit | First-tool entry; ADS-B / FM / AM / 433 ISM / ham receive; always-on monitoring. As of May 2026 the V3 is the in-production current model (see V4 status note below). | ../../RTL-SDR/CLAUDE.md (deep dive aspirational) |
| RTL-SDR Blog V4 (end of line, May 14, 2026) | $30 / $40 from remaining reseller stock | 500 kHz – 1.766 GHz (TCXO + built-in HF direct-sampling input — the V4 innovation over V3) | 2.4 MHz stable / 3.2 MHz peak | No | 8-bit | Same role as V3; the R828D tuner + built-in HF input is the V4’s design improvement. No new production going forward — the upstream announcement (RTL-SDR Blog, May 14 2026) declared end-of-line; the V4L “lite” with the R828S tuner is positioned as the eventual successor and a Blog V5 is in early concept. The doc keeps the V4 row because owned units remain field-current; new purchases should default to V3 until V4L ships. | ../../RTL-SDR/CLAUDE.md |
| HackRF One | $300-340 | 1 MHz – 6 GHz | 20 MS/s | Half-duplex (~10 dBm) | 8-bit | The workhorse — wideband capture + arbitrary TX 1 MHz – 6 GHz; the universal “what is this and can I retransmit it” instrument | ../../HackRF One/03-outputs/HackRF_One_Complete.html |
| HackRF Pro (new, shipping since Oct 2025) | $400-500 | 100 kHz – 6 GHz (wider HF coverage than HackRF One’s 1 MHz floor) | 20 MS/s standard; 16-bit extended-precision mode at lower sample rates; 4-bit half-precision mode up to 40 MS/s | Half-duplex | 8-bit standard; 16-bit / 4-bit modes | The HackRF One’s forward-replacement: built-in TCXO, USB-C, flatter frequency response, the problematic HackRF-One DC spike eliminated, additional shielding, injection-molded enclosure. Backward-compatible with the HackRF One software stack — hackrf_transfer, GNU Radio osmocom blocks, URH all work unchanged. The new-purchase default unless 8-bit is sufficient and budget rules. | ../../HackRF One/03-outputs/HackRF_One_Complete.html |
| HackRF One + PortaPack H2+ | ~$340 (HackRF) + ~$200-300 (PortaPack H2+) | Same as HackRF | Same as HackRF | Same as HackRF | 8-bit | Field-portable HackRF with on-device display + battery; the bench HackRF becomes a handheld. The current new-purchase PortaPack from ShareBrained Technology has stepped through the H2 / H2+ / H4M generations — H4M is the current model in production; H2+ remains supported by community firmware and is what tjscientist’s owned unit is. | ../../HackRF One/03-outputs/HackRF_One_Complete.html Vol 6 (PortaPack) |
| OpenSourceSDRLab PortaRF | ~$700 | 1 MHz – 6 GHz | 20 MS/s | Half-duplex | 8-bit | Integrated handheld HackRF descendant — single chassis, integrated battery, single SKU vs the H2R4+PortaPack assembly | ../../OpenSourceSDRLab PortaRF/03-outputs/PortaRF_Complete.html |
| Flipper Zero (sub-GHz) | $170 (full device) | 300-348 / 387-464 / 779-928 MHz (CC1101) | ~600 kHz channel BW | Yes (~12 dBm) | (CC1101 internal) | Pocketable sub-GHz capture-and-replay with built-in protocol library (~80 decoders); the field tool for sub-GHz | ../../Flipper Zero/03-outputs/Flipper_Zero_Complete.html |
| ADALM-PLUTO (PlutoSDR) | $230-280 | 325 MHz – 3.8 GHz (hackable to ~70 MHz – 6 GHz via firmware mod) | 61.44 MS/s (limited by USB 2) | Full-duplex | 12-bit | Educational + research SDR with full-duplex + better ADC than HackRF; lab-grade but quirky firmware | (No Hack Tools deep dive) |
| BladeRF 2.0 micro xA9 | $720-1,100 | 70 MHz – 6 GHz | 61.44 MS/s (USB 3) | Full-duplex | 12-bit | Pro-grade full-duplex SDR with FPGA; cellular and 802.11 work; better dynamic range than HackRF | (No Hack Tools deep dive) |
| LimeSDR Mini 2.0 | $470-600 | 10 MHz – 3.5 GHz | 30.72 MS/s | Full-duplex | 12-bit | Open-source mid-tier full-duplex SDR; LimeSuite + GNU Radio | (No Hack Tools deep dive) |
| USRP B205mini-i | $900-1,300 | 70 MHz – 6 GHz | 56 MHz instantaneous BW | Full-duplex | 12-bit | Lab-grade, Ettus/National Instruments support, full-duplex, the academic and research reference | (No Hack Tools deep dive) |
Table 13.4 — SDR hardware comparison, ordered roughly by cost. The price-vs-capability progression is monotonic: the cheaper the device, the narrower the bandwidth + the lower the ADC resolution + the fewer the channels. The cliff between $300 (HackRF) and $900+ (BladeRF / LimeSDR / USRP) is where ADC resolution jumps from 8 to 12 bits and where TX goes from half-duplex to full-duplex. For sub-GHz security research specifically, the HackRF One sits at the practical sweet spot — wide enough coverage, good enough dynamic range, transmit-capable. The RTL-SDR V4 covers the receive-only first-tool niche; the Flipper Zero covers the field-handheld sub-GHz niche; the lab-grade tier (BladeRF / USRP / LimeSDR) is for work where the HackRF’s 8-bit ADC, 20 MHz ceiling, or half-duplex constraint becomes the limiting factor.
The decision graph for which SDR to reach for, in working order:
- “What’s this sub-GHz signal in my neighborhood?” → RTL-SDR V4 + `rtl_433 -F json` will identify most consumer-device transmissions automatically. For unknown protocols, RTL-SDR + URH for analysis. No TX needed for observation.
- “Can I replay this fixed-code garage-door opener?” → Flipper Zero (the protocol library + capture-and-replay UI is purpose-built for this). HackRF One if the Flipper’s protocol library doesn’t recognize the signal.
- “I need to capture 20 MHz of spectrum across the 902-928 MHz LoRa band.” → HackRF One, or HackRF Pro for a flatter response and the option of 16-bit extended-precision mode at lower sample rates. The RTL-SDR’s 2.4 MHz ceiling can’t span the band; the Flipper’s narrow CC1101 channel can’t either.
- “I need to transmit a custom-modulated signal at 5.8 GHz.” → HackRF One or HackRF Pro (with awareness of the §7 constraints). Or BladeRF 2.0 / USRP B205 if 8-bit standard mode and half-duplex are limiting and full-duplex is needed.
- “I’m buying my first HackRF in 2026.” → HackRF Pro is the default — USB-C, built-in TCXO, the eliminated DC spike, software-backward-compatible with the entire HackRF One ecosystem. The HackRF One remains a sound used-market choice and the unit tjscientist’s HackRF One deep dive covers; the silicon-depth content in `HackRF_One_Complete.html` still applies (Pro uses the same RFFC5072 + MAX2839 + MAX5864 silicon family).
- “I need to do 802.11 capture in monitor mode.” → Not an SDR job at the consumer scale — use a dedicated 802.11 NIC in monitor mode, or a Wi-Fi Pineapple, or the ESP32 Marauder. SDRs can do 802.11 capture (USRP + gr-ieee802-11) but it’s an academic-research workflow, not the working operator’s choice. See Vol 14.
- “I need to do cellular (LTE) work.” → BladeRF / USRP territory, possibly srsRAN or OpenAirInterface as the protocol stack. HackRF is too narrow-bandwidth for LTE. Out of scope for this volume; cross-link Vol 14 for the cellular-band coverage notes.

Figure 13.9 — RTL-SDR V3 dongle. Photo: File:Rtl-sdr.jpg by Joeceads. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ARtl-sdr.jpg). (Reused from Vol 9 §3.3.)
Why §6.1 was revised after this volume’s initial commit — RTL-SDR V4 EOL + HackRF Pro release. The initial Vol 13 §6.1 (committed 2026-05-16) ran the RTL-SDR Blog V4 as the canonical entry-tier dongle and didn’t list a HackRF Pro row at all. Two things moved between the volume’s commit and its first audit pass: (1) the upstream RTL-SDR Blog announced V4 end-of-line on May 14, 2026, two days before this volume shipped, and the doc’s “RTL-SDR Blog V4 (current as of 2026)” framing was already stale by the time it was written; the audit added the V3 row back as the in-production current model, kept the V4 row for owned units, and noted the upcoming V4L Lite with R828S tuner. (2) Great Scott Gadgets announced HackRF Pro on June 26, 2025 with initial shipments late October 2025 (wider HF coverage 100 kHz–6 GHz, built-in TCXO, USB-C, 16-bit extended-precision and 4-bit / 40 MS/s modes, software-backward-compatible with HackRF One) — the volume was authored without the Pro row, and the audit added it as the natural new-purchase HackRF default. The takeaway: both fast-moving facts (vendor product status, new releases) need an audit pass between shipping and “current” for any RF-tradecraft volume.
7. Legal and regulatory
The legal framing for RF security research splits cleanly along the receive-vs-transmit axis. Receive is generally permitted; transmit is structurally regulated; replay against systems the operator doesn’t own is potentially criminal regardless of frequency. This section summarizes the rule structure that the project-wide baseline at ../../_shared/legal_ethics.md covers in full.
The line — load-bearing callout. Receive any frequency you want, transmit only on frequencies and at power levels you’re licensed for or that fall within Part 15 unlicensed allowances. Replay an authorized capture against your own equipment in your own RF space. Replay against systems you don’t own and don’t have authorization to test is a federal offense — the CFAA’s “without authorization” prong applies to wireless intrusions just as it does to wired ones. The technical capability to retransmit doesn’t grant the legal permission to do so. See Vol 19 (when authored) for the statutory walkthrough; see Vol 11 §3.6 for the engagement-paperwork stack that an authorized red-team operator carries when they retransmit captured signals as part of a sanctioned engagement.
7.1 Receive — what’s generally legal
Passive observation of RF signals in the United States is broadly permitted, with three significant exceptions:
- Cellular voice and radio common carrier traffic — the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510 et seq., added cellular telephone communications to the Wiretap Act’s prohibited-interception list and prohibits interception of cellular telephone calls and radio common carrier traffic. The statute applies regardless of whether the communications are encrypted. The exception that proves the rule: aeronautical, marine, government, and amateur radio voice is not covered; cellular voice and commercial paging are.
- Encrypted communications — interception of encrypted communications you’re not authorized to decrypt can implicate ECPA and the broader Wiretap Act framework. The hardware-capability-vs-legal-permission distinction is sharp here: an SDR can decrypt many things; the operator can’t.
- Protected emergency / military / federal communications — specific statutes (the Communications Act of 1934, Section 705) restrict the disclosure and use of intercepted communications even when interception itself was passive. Receiving is usually not the crime; acting on what was received is.
For the bulk of RF security research — ISM-band consumer devices, ADS-B, AIS, weather stations, amateur radio, unencrypted public-safety traffic, ham radio — passive receive is unrestricted. The RTL-SDR’s existence as a $30 consumer product reflects this: nothing about owning, using, or sharing captures of the public RF spectrum is illegal at the consumer-device level.
7.2 Transmit — what’s structurally regulated
Transmit requires authorization. Three authorization paths cover the practical surface:
- FCC Part 15 unlicensed operation — 47 CFR Part 15 governs unlicensed transmitters. Specific sub-parts cover specific applications: §15.231 for periodic operation of consumer remotes (the regime that governs garage-door openers, weather-station transmitters, basic remotes), §15.247 for spread-spectrum operation in the 902-928 MHz, 2400-2483.5 MHz, and 5725-5850 MHz ISM bands, §15.249 for low-power operation in those bands, §15.255 for higher-frequency operation. Part 15 sets field-strength limits (50 mV/m at 3 meters in the 902-928 MHz band) and operational restrictions (must accept interference, must not cause interference to licensed users). A HackRF transmitting a captured weather-station signal at modest gain on 433 MHz is plausibly within Part 15; the same HackRF transmitting at +30 dBm into a high-gain antenna is not.
- FCC Part 97 amateur radio — licensed amateur radio operators can transmit in amateur bands (160m through 70cm and beyond, plus microwave allocations) at power levels and modes governed by their license class. Transmitting on amateur frequencies without a license is a Communications Act violation; the FCC’s enforcement appetite for unlicensed amateur transmission is real and has produced fines.
- Licensed services — Part 90 (private land mobile), Part 95 (Personal Radio Service — including GMRS, FRS, MURS), Part 80 (marine), Part 22/24/27 (commercial mobile), Part 73 (broadcast), and so on. Each covers a specific service with its own licensing regime. Transmitting on a licensed service’s frequency without the appropriate license is structurally prohibited.
The retransmit-vs-original-license distinction. An SDR is capable of generating any RF signal in its TX range; capability and legality are different categories. Transmitting on 1090 MHz (ADS-B) without an ADS-B-compliant transponder license is a federal aviation-safety violation. Transmitting on commercial cellular bands without carrier authorization is a Communications Act violation that has produced criminal prosecutions (Stingray-related cases on the law-enforcement side; “rogue base station” prosecutions on the criminal side). Transmitting on emergency-services frequencies (police, fire, EMS) without authorization is similarly criminal. The structural rule: the SDR’s capability to transmit on a frequency doesn’t grant the legal permission to do so.
7.3 Replay attacks — the CFAA layer
Beyond the FCC’s spectrum-management framework, a second body of law applies to the use of the captured signal — the federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) and state-law equivalents. Replaying a captured garage-door signal to open someone else’s garage door is a CFAA “without authorization” event regardless of whether the FCC Part 15 transmit rules were respected. The replay against your own equipment in your own RF space is fine; the replay against a third party’s equipment is the felony — and the same SDR with the same capture is the same instrument. The discriminator is authorization, not gear.
The full CFAA framing applied to wireless intrusions belongs in Vol 19 (not yet authored); the engagement-paperwork stack that an authorized red-team operator carries — SOW, scope document, ROE, get-out-of-jail letter — is treated at full depth in Vol 6 §1 and Vol 11 §3.6.
7.4 International variations
Outside the US the regulatory framework varies by jurisdiction. A few headline notes:
- ETSI / CEPT (Europe) — ETSI EN 300 220 governs short-range devices (SRDs) in the 25-1000 MHz range, including the 433 MHz and 868 MHz consumer-device bands. ETSI EN 300 328 governs 2.4 GHz ISM. The framework is broadly analogous to FCC Part 15 with band-specific differences (Europe has 868 MHz where the US has 915 MHz; the EU’s 433 MHz allocation differs in field-strength rules from the US Part 15).
- UK — Ofcom administers the UK spectrum; the Wireless Telegraphy Act 2006 is the statutory anchor (it replaced the Wireless Telegraphy Act 1949 and its subsequent amendments). Receive is broadly unrestricted; transmit requires authorization; unauthorized transmission is a criminal offense.
- Japan — MIC (Ministry of Internal Affairs and Communications) administers spectrum; the Radio Act prohibits unauthorized transmission. Sub-GHz consumer band allocations differ from US/EU (Japan uses 920 MHz, not 868 or 915).
- Operator awareness — when transmitting in a jurisdiction other than the one where the SDR was bought, the operator is responsible for understanding the local rules. “I didn’t know” is not a defense.
7.5 The lab-discipline rule that covers all of the above
The lab-discipline rule that the project-wide legal_ethics.md baseline applies — own the hardware you’re testing or have written authorization to test it; operate inside an RF environment you control or have authorization to occupy; record what you’re doing so the engagement is auditable — covers nearly every operationally-relevant case. The remaining edge cases (transmitting outside Part 15 limits even on your own equipment; capturing licensed-service traffic and acting on it; cellular-band work without carrier authorization) are bounded enough that they should always be checked against current statute and the operator’s specific authorization before the first photon leaves the antenna. When the legal posture isn’t clean, the right answer is to not transmit.
8. Cross-reference index
The anchor map: which hat volumes link into Vol 13, and which Vol 13 sections are the link targets. This section is the Vol 13 contribution to the canonical anchor index that Vol 21 will consolidate across the series. The H2 headings below are frozen append-only as of the date of this volume’s first commit — renaming any of them changes its auto-generated vol13-<slug> anchor and silently breaks inbound links.
| From | Anchor target in Vol 13 | Context |
|---|---|---|
| Vol 9 §3.3 | #vol13-the-gear-sdr-hardware-comparison | Green-hat RF starter-kit progression (RTL-SDR → Flipper → HackRF → Proxmark3) — Vol 13 §6 is the engineering-grade reference behind the starter-kit table. |
| Vol 9 §3.3 | #vol13-sub-ghz-in-practice | The 433 MHz ISM environment the green-hat learner first decodes. |
| Vol 11 §3.6 | #vol13-the-gear-sdr-hardware-comparison | Red-hat physical-entry RF/HID staging layer — the Pineapple / Flipper / Proxmark / HackRF working set; the SDR rows of Vol 13 §6 carry the engineering depth. |
| Vol 11 §3.6 | #vol13-sub-ghz-in-practice | Sub-GHz keyfob and remote-capture work in an authorized red-team engagement. |
| Future deep dives — HackRF One Vol 1, PortaRF Vol 1, Flipper Zero Vol 4 | #vol13-sdr-fundamentals | When a tool deep dive needs to gesture at SDR theory without re-deriving it, this is the target. |
| Future deep dives — RTL-SDR (when authored) | #vol13-the-rf-spectrum-map | The receive-only entry tool’s positioning in the broader spectrum landscape. |
| Future deep dives — Rayhunter | #vol13-the-rf-spectrum-map | IMSI-catcher detection sits in the cellular bands of the spectrum table. |
| Future deep dives — WiFi Pineapple, ESP32 Marauder Firmware | #vol13-legal-and-regulatory | The lab-discipline rule that applies to every RF tool, gathered in one place. |
| Vol 14 (RF Tradecraft II — Wi-Fi & BLE) | #vol13-sdr-fundamentals | Vol 14 builds on the I/Q + Nyquist + receive-chain foundation laid here. |
| Vol 14 | #vol13-the-rf-spectrum-map | Vol 14 picks up at the 2.4 / 5 / 6 GHz rows of the spectrum table. |
| Vol 15 (RF Tradecraft III — RFID/NFC) | #vol13-the-rf-spectrum-map | Vol 15 picks up at the 125 kHz LF / 13.56 MHz HF rows. |
| Vol 20 (Cheatsheet) | All §6 rows | The SDR-comparison table is field-card material in cheatsheet form. |
| Vol 21 (Glossary + canonical anchor index) | Every Vol 13 H2 anchor | Vol 21 consolidates the full anchor catalog for the series. |
Table 13.5 — The Vol 13 cross-reference index. The pattern across the entries: hat volumes (6-12) link out for technical depth, future deep dives link in to ground their tool in the broader tradecraft, and the reference cluster siblings (Vol 14, 15) build on Vol 13’s foundation. The append-only discipline on the H2 headings is what makes this index stable; the table will grow as more cross-links are authored, but the existing anchors don’t move.
The frozen H2 anchors as committed in this volume:
- #vol13-about-this-volume
- #vol13-sdr-fundamentals
- #vol13-the-rf-spectrum-map
- #vol13-sub-ghz-in-practice
- #vol13-the-capture-analyze-replay-workflow
- #vol13-the-gear-sdr-hardware-comparison
- #vol13-legal-and-regulatory
- #vol13-cross-reference-index
- #vol13-resources
9. Resources
Primary references for Vol 13, organized by topic, with footnoted citations to the specific papers / tools / statutes / books.
SDR fundamentals and theory. Michael Ossmann’s “Software Defined Radio with HackRF” video series [1] is the canonical free introduction to SDR for security research specifically — fifteen lessons spanning sampling theory, modulation, GNU Radio, and HackRF-specific workflows. The ARRL Handbook [2] is the canonical amateur-radio reference and remains a comprehensive practical-radio reference even for the non-amateur SDR operator. Richard Lyons’ Understanding Digital Signal Processing [3] is the standard reference for the DSP theory behind everything in §2.
SDR hardware and projects. The HackRF One documentation site [4] is the authoritative reference for HackRF specifically, including the hackrf_transfer command reference, the firmware build process, and the revision history. The rtl-sdr project (Osmocom) [5] hosts the canonical rtl_* command-line tools (rtl_sdr, rtl_test, rtl_fm, rtl_tcp, rtl_433 ecosystem). GNU Radio [6] is the foundational DSP framework that GRC sits on top of. Universal Radio Hacker [7] by Johannes Pohl is the canonical sub-GHz protocol-analysis tool; the WOOT 2018 paper [8] documents the stateful-simulator architecture. Inspectrum [9] is the canonical waterfall viewer for quick analysis. rtl_433 by Benjamin Larsson and the rtl_433 contributors [10] is the canonical decoder for the 500+ documented sub-GHz device protocols.
Sub-GHz protocol research. Samy Kamkar’s RollJam 2015 DEF CON disclosure [11] remains the load-bearing public reference for the jam-and-replay attack against rolling-code keyfobs. The Hitag2 cryptanalysis work — Verdult, Garcia, et al. [12] — documented the cipher weaknesses that affected mid-2000s and early-2010s European automotive immobilizers. TPMS security research has been catalogued at length in the academic literature [13]; the rtl_433 project’s protocol database is the working catalog. KeeLoq cryptanalysis — Bogdanov [14] and the broader 2007-2008 work — documented the side-channel and cryptographic attacks on the Microchip HCS-series rolling-code chips.
FCC and regulatory references. FCC Part 15 (47 CFR Part 15) [15] is the unlicensed transmitter rules — the regulation that governs ISM-band consumer wireless. FCC Part 97 (47 CFR Part 97) [16] is the amateur radio service rules. The ECPA / Wireless Communications Act framework [17] is the statutory basis for the cellular-voice reception restriction. The ARRL Part 15 reference [18] is the practitioner-readable summary.
Sibling Hack Tools deep dives — the device-level depth that this volume deliberately doesn’t duplicate:
- HackRF One deep dive: ../../HackRF One/03-outputs/HackRF_One_Complete.html
- OpenSourceSDRLab PortaRF deep dive: ../../OpenSourceSDRLab PortaRF/03-outputs/PortaRF_Complete.html
- Flipper Zero deep dive: ../../Flipper Zero/03-outputs/Flipper_Zero_Complete.html
- RTL-SDR (CLAUDE.md placeholder, deep dive aspirational): ../../RTL-SDR/CLAUDE.md
- WiFi Pineapple (RF tradecraft II preview): ../../WiFi Pineapple/03-outputs/WiFiPineapple_Complete.html
Series cross-references in this volume. Vol 5 §6 for the seven-hat taxonomy and the two-axis framework that grounds the receive-vs-transmit, authorization-vs-not framing of §7. Vol 9 §3.3 for the green-hat RF starter-kit narrative. Vol 11 §3.6 for the red-hat physical-entry RF/HID context. Vol 14, Vol 15, Vol 16, Vol 17 for the rest of the reference cluster. Vol 19 (when authored) for the CFAA + ECPA + Wireless Telegraphy Act statutory walkthrough.
Footnotes
1. Michael Ossmann, Software Defined Radio with HackRF — Great Scott Gadgets, free video series, 15 lessons. https://greatscottgadgets.com/sdr/. The single best introduction to SDR for security research specifically; remains canonical years after first publication.
2. ARRL, The ARRL Handbook for Radio Communications — the American Radio Relay League’s annual practical-radio reference. Coverage spans antenna theory, propagation, modulation, RF design, and amateur-radio operating practice. The canonical practitioner reference for amateur RF since 1926.
3. Richard G. Lyons, Understanding Digital Signal Processing, Pearson/Prentice Hall, multiple editions (current 3rd edition, 2010). The standard introductory DSP textbook; covers the I/Q theory of §2.1 and the sampling theory of §2.2 at the level the EE reader expects.
4. HackRF documentation, Great Scott Gadgets / Michael Ossmann. https://hackrf.readthedocs.io/. Authoritative reference for HackRF One — hackrf_transfer reference, firmware build, revision history, programmer documentation.
5. Osmocom rtl-sdr project — the open-source RTL2832U driver and command-line tool suite. https://osmocom.org/projects/rtl-sdr/. The rtl_sdr / rtl_test / rtl_fm / rtl_tcp / rtl_eeprom / rtl_adsb family of command-line tools is the canonical RTL-SDR Linux software stack.
6. GNU Radio project. https://www.gnuradio.org/. The foundational signal-processing framework that GNU Radio Companion (GRC) sits on top of. Open-source, GPL-licensed, the canonical SDR processing environment.
7. Universal Radio Hacker (URH) — Johannes Pohl, open-source, GPL-3. https://github.com/jopohl/urh. The canonical sub-GHz protocol-analysis tool; capture, demodulation, protocol-field assignment, fuzzing, and stateful simulation in a single GUI.
8. Johannes Pohl and Andreas Noack, “Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols”, 12th USENIX Workshop on Offensive Technologies (WOOT 2018). https://www.usenix.org/conference/woot18/presentation/pohl. Documents URH’s architecture, the stateful-simulator contribution, and the rule-based protocol-field inference engine.
9. Inspectrum — Mike Walters et al., open-source. https://github.com/miek/inspectrum. Lightweight waterfall viewer for I/Q captures; cursor-driven measurement of time delta, frequency span, and symbol rate.
10. rtl_433 — Benjamin Larsson and contributors, open-source. https://github.com/merbanan/rtl_433. The canonical decoder for documented sub-GHz device protocols; ~280 device decoders in src/devices/ as of release 25.12 (December 2025), each typically handling multiple individual device-model variants, so the working “supported device” count is meaningfully higher than the decoder count. Real-time decoder with JSON output for monitoring; offline decoder for capture-file analysis.
11. Samy Kamkar, “Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars”, DEF CON 23 (August 2015). https://samy.pl/defcon2015/. The public disclosure of the RollJam jam-and-replay attack against rolling-code keyfobs.
12. Roel Verdult, Flavio Garcia, Josep Balasch, “Gone in 360 Seconds: Hijacking with Hitag2”, USENIX Security 2012. https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/verdult. The canonical Hitag2 cryptanalysis paper; documents the weaknesses that affected mid-2000s European automotive immobilizers.
13. Ishtiaq Rouf, Rob Miller, Hossen Mustafa, Travis Taylor, Sangho Oh, Wenyuan Xu, Marco Gruteser, Wade Trappe, and Ivan Seskar, “Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study”, USENIX Security 2010. The foundational academic reference for TPMS reverse-engineering and the privacy implications of unauthenticated TPMS transmissions.
14. Andrey Bogdanov, “Cryptanalysis of the KeeLoq block cipher”, IACR ePrint 2007/055. https://eprint.iacr.org/2007/055. The foundational cryptanalysis paper that exposed KeeLoq’s structural weaknesses, leading to the broader 2007-2008 work on side-channel attacks against HCS-series chips.
15. 47 CFR Part 15 — Radio Frequency Devices. Federal Communications Commission unlicensed transmitter rules. https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-15. The regulation that governs ISM-band consumer wireless: §15.231 (periodic operation of consumer remotes), §15.247 (spread-spectrum in 902-928 MHz / 2400-2483.5 MHz / 5725-5850 MHz), §15.249 (low-power), §15.255 (high-frequency).
16. 47 CFR Part 97 — Amateur Radio Service. https://www.ecfr.gov/current/title-47/chapter-I/subchapter-D/part-97. The FCC rules for amateur radio: license classes, allocated bands, power limits, operating practices.
17. Electronic Communications Privacy Act of 1986 — 18 U.S.C. § 2510 et seq. (Title I), as amended. The federal wiretap statute; § 2511 prohibits interception of cellular telephone communications regardless of encryption status. Disclosure of intercepted radio communications is separately restricted under 47 U.S.C. § 605 (Communications Act of 1934, Section 705).
18. ARRL, Part 15: Radio Frequency Devices — practitioner-readable summary of FCC Part 15 for the amateur radio operator and the homebrew RF designer. http://www.arrl.org/part-15-radio-frequency-devices. Useful as a quick reference for the field-strength limits and operational restrictions that apply to unlicensed transmitters.