{"id":13584389,"url":"https://github.com/cn0xroot/gr-replay","last_synced_at":"2026-01-24T18:01:56.145Z","repository":{"id":170535759,"uuid":"70254614","full_name":"cn0xroot/gr-replay","owner":"cn0xroot","description":"signal record and replay flow graph for Gnuradio","archived":false,"fork":false,"pushed_at":"2016-10-07T14:45:42.000Z","size":10,"stargazers_count":53,"open_issues_count":0,"forks_count":22,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-02-17T02:41:40.863Z","etag":null,"topics":["bladerf","gnuradio","hackrf","sdr","usrp"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cn0xroot.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-10-07T14:33:01.000Z","updated_at":"2025-02-10T22:14:18.000Z","dependencies_parsed_at":"2024-01-15T02:40:15.655Z","dependency_job_id":null,"html_url":"https://github.com/cn0xroot/gr-replay","commit_stats":null,"previous_names":["cn0xroot/gr-replay"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cn0xroot/gr-replay","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cn0xroot%2Fgr-replay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cn0xroot%2Fgr-replay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cn0xroot%2Fgr-replay/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cn0xroot%2Fgr-replay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cn0xroot","download_url":"https://codeload.github.com
/cn0xroot/gr-replay/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cn0xroot%2Fgr-replay/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28733300,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-24T17:51:25.893Z","status":"ssl_error","status_checked_at":"2026-01-24T17:50:48.377Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bladerf","gnuradio","hackrf","sdr","usrp"],"created_at":"2024-08-01T15:04:12.804Z","updated_at":"2026-01-24T18:01:56.126Z","avatar_url":"https://github.com/cn0xroot.png","language":null,"funding_links":[],"categories":["Others","\u003ca id=\"58b6684347a223e01d4d76d9ca185a88\"\u003e\u003c/a\u003eReplay\u0026\u0026重播"],"sub_categories":[],"readme":"# Wireless Hacking With SDR And GnuRadio\n\n### 0x01 Signal Capture\nCommon wireless remote controls on the market usually operate at 315 MHz or 433 MHz; a few use 868 MHz or 915 MHz.\nSDR hardware such as a TV tuner dongle, HackRF or BladeRF can be used to determine the remote's operating frequency:\nStart the software and press a button on the remote; a clear response shows up in the waterfall plot:\n`osmocom_fft -F -f 433e6 -s 4e6`\n\n![](http://image.3001.net/images/20160906/14731396517189.png)\n\n`gqrx`\n\n![](http://image.3001.net/images/20160906/14731399552822.png)\n\nRemote control center frequency: 433870000\n\n### 0x02 Recording the Signal\nSDR software usually supports recording, so the remote's signal can be saved as a WAV audio file or in .cfile or .raw format.\n\nHere, gnuradio-companion flow graphs are used to record and replay the signal.\n\n\u003cpre\u003e\nwget http://www.0xroot.cn/SDR/signal-record.grc\ngnuradio-companion 
signal-record.grc\n\u003c/pre\u003e\n\n![](http://image.3001.net/images/20160906/14731408275359.png)\n\nThe osmocom Source block on the left drives the SDR hardware; its center frequency is set to 433.874 MHz and its sample rate to 2M:\n\n![](http://image.3001.net/images/20160906/14731410493905.png)\n\nThe QT GUI Sink block at the upper right shows the captured signal in a waterfall plot, and the File Sink at the lower right saves the recorded signal to /tmp/key.raw:\n\n![](http://image.3001.net/images/20160906/14731412508422.png)\n\nRun the flow graph. Before pressing the remote:\n\n![](http://image.3001.net/images/20160906/14731414379973.png)\n\nWhile pressing the remote:\n\n![](http://image.3001.net/images/20160906/14731416435960.png)\n\nGo to the /tmp temporary directory:\n\n![](http://image.3001.net/images/20160906/14731418105787.png)\n\n### 0x03 Signal Replay\nNext, build a signal replay flow graph in gnuradio-companion:\n\n\u003cpre\u003e\nwget http://www.0xroot.cn/SDR/signal-replay.grc\ngnuradio-companion signal-replay.grc\n\u003c/pre\u003e\n\n![](http://image.3001.net/images/20160906/14731422579853.png)\n\nThe File Source on the left reads the captured key.raw signal file, and the osmocom Sink transmits it through the HackRF or BladeRF. Meanwhile, the QT GUI Time Sink and QT GUI Frequency Sink blocks display the time axis (time domain) and the frequency amplitude (frequency domain) on screen. Run the flow graph:\n![](http://image.3001.net/images/20160906/14731427257276.png)\n\nbingo!\n\n### 0x04 Signal Analysis\n\n`inspectrum key.raw`\n\n![](http://image.3001.net/images/20160907/14732280661074.png)\n\nFor details on signal analysis \u0026 transcoding, see the article:\n[How to Reverse-Engineer Wireless Remote Control Signals with SDR + inspectrum](https://github.com/cn0xroot/cn0xroot.github.io/tree/master/SDR/signal-analysis)\n\n![](http://image.3001.net/images/20160907/1473228141351.png)\n\n\u003cpre\u003e\ns = ''\na = [0.333033, 0.326189, 0.0332124, 0.388094, 0.326704, 0.0154539, 0.322883, 0.0270275, 0.0150091, 0.443235, 0.362946, 0.027745, 0.430879, 0.443824, 0.0277048, 0.330736, 0.0290668, 0.0133217, 0.376686, 0.0123277, 0.00931546, 0.446231, 0.397617, 0.0162406, 0.447861, 0.0050071, 0.0109479, 0.389289, 0.0271959, 0.0138626, 0.32109, 0.0268736, 0.0129828, 0.401142, 0.326009, 0.0303488, 0.379368, 0.0229494, 0.0134011, 0.318115, 0.346288, 0.017666, 0.333818, 0.326769, 0.0141554, 0.341832, 0.0291055, 0.0153984, 0.446665, 0.399975, 0.024566, 0.316297, 0.0159851, 0.010876, 0.428384, 0.444201, 0.0214323, 
0.376211, 0.00628675, 0.0105036, 0.44565, 0.0195615, 0.012549, 0.445242, 0.366523, 0.0225733, 0.324775, 0.0192127, 0.0134437, 0.318991, 0.381386, 0.0149852, 0.00882163, 0.447015]\n# Threshold each amplitude sample at 0.1: above it is a 1 bit, otherwise a 0 bit\nfor i in a:\n\tif i \u003e 0.1:\n\t\ts += '1'\n\telse:\n\t\ts += '0'\nprint(s)\n\u003c/pre\u003e\n\u003cpre\u003e\npython test.py \n 11011010011011010010011010010010011010011011010011010011010010011010011001\n\u003c/pre\u003e\n\n![](http://image.3001.net/images/20160907/14732283689846.png)\n\n\u003cpre\u003e\npip install bitstring\n\u003c/pre\u003e\n\n\u003cpre\u003e\npython\nimport bitstring\n\nbitstring.BitArray(bin='11011010011011010010011010010010011010011011010011010011010010011010011001').tobytes()\n\u003c/pre\u003e\n\n![](http://image.3001.net/images/20160928/14750512374959.png)\n[Automated RF/SDR Signal Analysis [Reverse Engineering]](https://github.com/tresacton/dspectrum)\n\u003cpre\u003e\nPayload : formatted hexcode\n\\x36\\x9b\\x49\\xa4\\x9a\\x6d\\x34\\xd2\\x69\\x9\n\u003c/pre\u003e\nThanks to tresacton for the help: [GitHub](https://github.com/tresacton/dspectrum/issues/1)\n### 0x05 Hacking the World with a Watch\nThe EZ430 Chronos watch made by Texas Instruments uses an MSP430 chip, which can transmit radio signals at frequencies below 1 GHz, covering the common wireless remote control frequencies on the market (315 MHz, 433 MHz, 868 MHz, 915 MHz):\n![](http://image.3001.net/images/20160907/14732312105191.png)\n#### 5.1 Setting Up the Development Environment\nDownload from the Texas Instruments (TI) website (account registration required):\nCCS Studio (Code Composer Studio): [http://processors.wiki.ti.com/index.php/Download_CCS](http://processors.wiki.ti.com/index.php/Download_CCS)\n\nFET-Pro430-Lite program: [http://www.elprotronic.com/download.html](http://www.elprotronic.com/download.html)\n\nSmartRF Studio: [http://www.ti.com.cn/tool/cn/smartrftm-studio](http://www.ti.com.cn/tool/cn/smartrftm-studio)\n\nThe miChronos project code on GitHub: [http://github.com/jackokring/miChronos](http://github.com/jackokring/miChronos)\n\nBaidu Netdisk: [https://pan.baidu.com/s/1hsse2Ni](https://pan.baidu.com/s/1hsse2Ni)\n\nOn Windows 7 without Service Pack 1, you need to download and install the Windows 7 and Windows Server 2008 R2 Service Pack 1 (KB976932) update; without it you cannot install Code 
Composer Studio\nDownload link: [https://www.microsoft.com/zh-cn/download/confirmation.aspx?id=5842](https://www.microsoft.com/zh-cn/download/confirmation.aspx?id=5842)\n\n![](http://image.3001.net/images/20160907/14732297441519.png)\n\n![](http://image.3001.net/images/20160907/14732320781614.png)\n\n### 0x06 References\n\n[Michael Ossmann: Software Defined Radio with HackRF, Lesson 11: Replay (YouTube)](https://www.youtube.com/watch?v=CyYteFiIozM)\n\n[TI eZ430-Chronos Hacking quickstart](http://timgray.blogspot.jp/2012/12/ti-ez430-chronos-hacking-quickstart.html)\n\n[The hackable watch: a wearable MSP430 MCU](http://www.itopen.it/the-hackable-watch-a-wearable-msp430-mcu/)\n\n[You can ring my bell! Adventures in sub-GHz RF land...](http://adamsblog.aperturelabs.com/2013/03/you-can-ring-my-bell-adventures-in-sub.html?m=1)\n\n[TI EZ430 Chronos watch, quick guide / tutorial to hacking the firmware](https://www.youtube.com/watch?v=20dVNyJ8fYw\u0026feature=youtu.be)\n\n### Author: [雪碧0xroot](http://www.0xroot.cn) @[漏洞盒子安全团队 VULBOX Security Team](https://www.vulbox.com/)  \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcn0xroot%2Fgr-replay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcn0xroot%2Fgr-replay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcn0xroot%2Fgr-replay/lists"}