Before you begin, make sure that radios are enabled in the options.

## Recording Signals

- Find the TX frequencies of the devices that you want to investigate
- Using the SPECTRUM ANALYZER function:
  - tune the SPEC A to the peaks that you see on the graph by clicking
- Recording an identified frequency:
  - open the RECORD SIGNAL window (settings from SPEC A will carry over)
  - modify the sample rate as needed
  - modify the gain (e.g. 20 -> 22)
  - hit the red RECORD button and analyze the graph for the capture

<iframe width="560" height="315" src="https://www.youtube.com/embed/kuubkTDAxwA?si=33jIfKGldRyU7zVV" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

## Interpreting Signals - Extracting Bits

- Open the captured signal in the INTERPRETATION tab
- Zoom into the signal until you can see modulated data on the sine wave
- Select the segment of the signal that you want to manipulate and crop/delete/create as needed. This is done by highlighting the portion of the signal in the graph and using the right-click menu to navigate the options
- use the SHOW SIGNAL AS BITS check box to analyze the modulation
- adjust NOISE as needed (marked by the red bar in the signal graph)
- use SIGNAL VIEW to see the demodulated data
- adjust the CENTER to separate the bit data (peak/valley)
- use Y-SCALE to scale the data
- Highlight the bits that you want to use
- adjust the ERROR tolerance as needed
- Verify the modulation (e.g. amplitude modulation) in the modulation tab
- You can highlight data in the bit window and it will reflect the selection on the graph, and vice versa

<iframe width="560" height="315" src="https://www.youtube.com/embed/QqVvEOzKPCs?si=SdftHEIfDIgwAhVe" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

## Analysis

- Bits from the interpretation phase get loaded into the ANALYSIS tab
- messages are displayed in the window; use the SEARCH BAR to find specific data sequences
- HIDE/RESET rows as needed
- messages can be sent back to INTERPRETATION
- in the ANALYSIS tab, use MARK DIFFS IN PROTOCOL to see the data
- identify and mark participants as needed (can be done in INTERPRETATION as well)
- the ANALYZE button can automate participant identification
- the DECODING drop-down gives different data views with the native decoders
- use ... to craft a custom decoder; native primitives are included
- The purpose of decoding is to eliminate the reported errors, confirming that the data is in the correct format
- The loop for DECODING is:
  - Analyze the data
  - Adjust parameters in INTERPRETATION (noise, center, etc.)
  - Analyze the data
  - note the decoded error count
  - repeat until errors are at an acceptable level, preferably zero
- You can write custom decoders in Python/C++ and point the application at their path
- once the data is decoded, start LABELING the message type data:
  - preambles (like aa in hex view)
  - sync bits (like 9 in hex view)
  - RORG data
  - CRC data
  - TX ID
  - EOF
  - DATA
- Message types can be assigned automatically using the ACK tab drop-down menu buttons

<iframe width="560" height="315" src="https://www.youtube.com/embed/IF-tO1wMDUg?si=TDGWhpqlvcOFty78" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

## Generation Phase

- After CAPTURE and INTERPRETATION, go to the ANALYSIS tab and mark differences:
  - look for patterns in the data / repeating data
  - Label the data using the best-guess method to identify the protocol logic
- Go to the GENERATION tab
- Drag and drop protocol data into the generation view
- manually manipulate/edit/delete the data in the generation window
- more complex protocols will require FUZZING:
  - the native fuzzer will work all labels that have been assigned
  - right-click the generated data to access the fuzzing window
  - use the options at the bottom of the window to generate fuzzing data
  - hit the FUZZ button to generate messages
- before sending fuzzed messages, edit the carrier frequency of the modulation:
  - Generate window -> edit button
  - use AUTO DETECT FROM ORIGINAL SIGNAL
- Generate the data file (for debug) or send the data
- When sending data:
  - select the correct SDR and verify the antenna
  - verify that all options are correct
  - send the data and monitor for effects
  - add pauses between messages as needed

<iframe width="560" height="315" src="https://www.youtube.com/embed/ODJRpDTxFvs?si=043cEQudG32CJKCD" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
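The Interpretation step above asks you to tune NOISE, CENTER and the bit length until the bit view is clean, but it does not show what those three parameters do to the samples. The following is an added example, not code from URH or from this page's author: it builds a constructed amplitude-modulated (ASK) capture from a known bit string, then demodulates it with exactly those three knobs. The sample rate, carrier, bit length, ASK levels and noise amplitude are all assumed values chosen for the example.

```python
"""Added example (not URH's own code): how noise threshold, center and
bit length turn an amplitude-modulated capture into bits.
All signal parameters below are constructed for the example."""
import math
import random

SAMPLE_RATE = 1_000_000      # assumed capture sample rate in Hz
CARRIER_HZ = 50_000          # constructed on-air tone: 20 samples per period
PERIOD = SAMPLE_RATE // CARRIER_HZ
SAMPLES_PER_BIT = 100        # the "bit length" the Interpretation step must recover
HIGH, LOW = 1.0, 0.3         # ASK levels: bit 1 is a loud carrier, bit 0 a quiet one


def modulate_ask(bits, pause=300, noise_amp=0.05, seed=7):
    """Constructed transmitter: silence, one ASK symbol per bit, silence again.
    Uniform noise is added so the noise threshold has something to reject."""
    rng = random.Random(seed)
    samples = [0.0] * pause
    for i, b in enumerate(bits):
        amp = HIGH if b == "1" else LOW
        for k in range(SAMPLES_PER_BIT):
            n = i * SAMPLES_PER_BIT + k
            samples.append(amp * math.sin(2 * math.pi * n / PERIOD))
    samples += [0.0] * pause
    return [s + rng.uniform(-noise_amp, noise_amp) for s in samples]


def envelope(samples, period=PERIOD):
    """Peak magnitude per carrier period: the amplitude trace the signal view shows."""
    return [max(abs(x) for x in samples[i:i + period])
            for i in range(0, len(samples) - period + 1, period)]


def demodulate_ask(samples, noise, center):
    """Apply the three Interpretation parameters:
      noise  - envelope below this is a pause (the red bar in URH's graph)
      center - envelope at or above this is a 1, otherwise a 0 (peak vs valley)
    Bit length is inferred from the shortest run of identical symbols, which is
    exactly what goes wrong when noise or center are set badly.
    Returns (bit string, bit length in samples)."""
    symbols = []
    for level in envelope(samples):
        if level < noise:
            symbols.append("P")                       # pause, not data
        else:
            symbols.append("1" if level >= center else "0")

    runs = []                                         # [symbol, run length in periods]
    for s in symbols:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])

    data_runs = [r for r in runs if r[0] != "P"]
    if not data_runs:
        return "", 0
    periods_per_bit = min(length for _, length in data_runs)
    bits = "".join(sym * round(length / periods_per_bit) for sym, length in data_runs)
    return bits, periods_per_bit * PERIOD


if __name__ == "__main__":
    capture = modulate_ask("10110010")
    print(demodulate_ask(capture, noise=0.15, center=0.6))  # good settings
    print(demodulate_ask(capture, noise=0.15, center=0.2))  # center too low: valleys read as peaks
    print(demodulate_ask(capture, noise=0.5, center=0.6))   # noise too high: zeros become pauses
```

The three calls at the bottom reproduce the symptoms you see in the bit view: with good settings the original bits come back with a bit length of 100 samples; with CENTER below the valley level every symbol reads as 1 and the runs merge into one long bit; with NOISE above the valley level the 0 bits are swallowed as pauses and only the 1s survive. That is why the page's decoding loop is "adjust noise/center, re-analyze, check the error count" rather than a one-shot setting.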
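The Analysis section above says the point of decoding is to drive the reported error count to zero, and that custom decoders can be written in Python and pointed to from the application. The following is an added example, not URH's own code and not the page author's: a stand-alone decoder for the labelled fields the page lists (preamble, sync, RORG, DATA, TX ID, CRC, EOF). The frame layout, the fixed 4-byte DATA width, the EOF marker value and the CRC-8 parameters (polynomial 0x07, init 0) are assumptions made for the example; the protocol in your own capture will differ. The `main` guard assumes the bits arrive as the first command-line argument and that decoded bits go to stdout, which is how an external decoder is typically wired up; check your URH version's decoder dialog for the exact convention.

```python
"""Added example (not URH's own code): a decoder for the labelled fields
preamble / sync / RORG / DATA / TX ID / CRC / EOF, reporting an error
count the same way the decoding loop on this page expects.
Frame layout, EOF value and CRC parameters are assumptions for the example."""
import sys

PREAMBLE = "10101010" * 2   # 0xAAAA: the "aa" bytes visible in hex view
SYNC = "1001"               # the "9" nibble
EOF = "11111111"            # hypothetical end-of-frame marker
DATA_LEN = 4                # assumed fixed DATA width in bytes
TXID_LEN = 4                # assumed TX ID width in bytes


def crc8(data: bytes, poly: int = 0x07, init: int = 0x00) -> int:
    """Plain (non-reflected) CRC-8; check value for b"123456789" is 0xF4."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def bits_to_bytes(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def bytes_to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def build_frame(rorg: int, data: bytes, tx_id: bytes) -> str:
    """Constructed transmitter side, used only to produce test input."""
    assert len(data) == DATA_LEN and len(tx_id) == TXID_LEN
    payload = bytes([rorg]) + data + tx_id
    return PREAMBLE + SYNC + bytes_to_bits(payload + bytes([crc8(payload)])) + EOF


def decode(bits: str):
    """Locate preamble+sync, split the labelled fields, verify CRC and EOF.
    Returns (fields, errors); an empty error list is the 'zero errors' goal."""
    fields, errors = {}, []
    start = bits.find(PREAMBLE + SYNC)
    if start < 0:
        errors.append("preamble/sync not found")
        return fields, errors
    body = bits[start + len(PREAMBLE) + len(SYNC):]
    payload_bits = (1 + DATA_LEN + TXID_LEN + 1) * 8       # RORG, DATA, TX ID, CRC
    if len(body) < payload_bits + len(EOF):
        errors.append("frame truncated")
        return fields, errors
    raw = bits_to_bytes(body[:payload_bits])
    fields["rorg"] = raw[0]
    fields["data"] = raw[1:1 + DATA_LEN].hex()
    fields["tx_id"] = raw[1 + DATA_LEN:1 + DATA_LEN + TXID_LEN].hex()
    fields["crc"] = raw[-1]
    expected = crc8(raw[:-1])
    if expected != raw[-1]:
        errors.append(f"crc mismatch: got {raw[-1]:02x}, expected {expected:02x}")
    if body[payload_bits:payload_bits + len(EOF)] != EOF:
        errors.append("eof marker missing")
    return fields, errors


def flip_bit(bits: str, index: int) -> str:
    """Simulate one demodulation error, as a wrong CENTER setting would produce."""
    return bits[:index] + ("0" if bits[index] == "1" else "1") + bits[index + 1:]


def main(argv):
    # Assumed external-decoder convention: bits in argv[1], decoded bits on stdout,
    # non-zero exit when the frame has errors.
    fields, errors = decode(argv[1])
    for err in errors:
        print(err, file=sys.stderr)
    if fields:
        print(bytes_to_bits(bytes([fields["rorg"]]) + bytes.fromhex(fields["data"]) + bytes.fromhex(fields["tx_id"])))
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the decoder over a clean frame and it returns the labelled fields with no errors; flip a single bit inside DATA and the CRC error appears, which is the signal the decoding loop on this page uses to decide that NOISE or CENTER still need adjusting. The `crc8` polynomial and the EOF value are the two things you will most likely have to change to match a real capture.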