Intended workflow #36
Replies: 1 comment
-
Thanks for asking. I'm glad someone is using this space. The videos in the README/YouTube channel give a general flow for what was there last fall. The "Help>Tab Help" menu item is a shorter outline. The slides and videos describe some of the concepts. However, I understand there needs to be more information and examples. I plan on releasing a Read the Docs/PDF user manual that will provide more details and adding some automated demo menu items for each tab that can walk through the features. I also have some existing presentation material that I might be able to release or use to build new lessons. There is a lot missing in FISSURE that would make it an end-to-end operational capability. I am planning to correct that by fulfilling the Phase I Roadmap items starting next week and going hard until the end of summer. Many of these are already developed but need to be integrated. As far as Wi-Fi goes, it may not be the easiest starting point to analyze a signal with an SDR. Take a look at what gr-ieee-802.11 is doing to get a sense for it. It offers 802.11a/g/p receive and transmit capabilities for some USRPs, but the HackRF will need adjustments. Things like multiple modulation types in one message, OFDM, DSSS, and high-bandwidth signals will make it difficult for the lower ADC resolution and sampling rates of the HackRF. But this is why FISSURE exists. If there is a solution, there is a place for it. I have made MATLAB scripts for getting bits from 1 Mbps beacon signals captured by a digitizer. Such scripts could be converted to Python/Octave and added to FISSURE to do things like find the chips in the DSSS signals and descramble the bits. It could be done as part of a semi-automated protocol discovery process, with the binary data viewer, as an attack script against live/recorded data, or with the click of a button in the IQ viewer.
If you are just getting started, I would recommend an RF protocol that you can physically control, does not have too much complexity, and can be verified with something like rtl_433, GNU Radio, or URH. Practice detecting the signals (QSpectrumAnalyzer and hackrf_sweep are great), use the inspection flow graphs in FISSURE, record the signal, analyze it, replay it, look at examples of similar protocols and the code used to demodulate them, try to get a bitstream, see if it is encoded with anything, understand the message structure, build your own receive and transmit blocks with GNU Radio, build out a fuzzer block by looking at FISSURE examples, determine which messages are important, and so on. After trying all that you will be in a good position to suggest/contribute new features for FISSURE and have a better idea of where they should go. Hopefully by then I will have added capabilities/documentation and have more people contributing to the project.
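As an added illustration of the "find the chips in the DSSS signals and descramble the bits" step mentioned above (example code written for this discussion, not code from FISSURE or from the MATLAB scripts the maintainer refers to), the following Python simulates a shortened 802.11b 1 Mbps DBPSK frame end to end: it scrambles the bits with the 802.11 self-synchronising scrambler (x^7 + x^4 + 1), differentially encodes them, spreads each symbol with the 11-chip Barker code, passes the chips through a constructed channel with unknown timing and Gaussian noise, and then recovers the chip alignment by sliding correlation before despreading, differentially decoding and descrambling. The scrambler seed, the 32-bit stand-in for the all-ones SYNC field (128 bits in a real long preamble), the LSB-first byte order and the noise parameters are assumptions made for the demo.

```python
# Toy 802.11b 1 Mbps DSSS/DBPSK link: scramble, spread, then recover the bits.
# Added example for this discussion, not FISSURE code. Seed, SYNC length and
# channel parameters are constructed values.
import random

# 11-chip Barker sequence used by 802.11b for the 1 and 2 Mbps rates.
BARKER11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]
# Stand-in for the all-ones PLCP SYNC field (128 bits in a real long preamble).
SYNC_BITS = [1] * 32
# Constructed scrambler seed (assumed; shown as the long-preamble init value).
SEED = 0b1101100


def scramble(bits, seed=SEED):
    """802.11 self-synchronising scrambler: s[n] = d[n] ^ s[n-4] ^ s[n-7]."""
    reg = [(seed >> i) & 1 for i in range(7)]   # reg[0]=s[n-1] ... reg[6]=s[n-7]
    out = []
    for d in bits:
        s = d ^ reg[3] ^ reg[6]
        out.append(s)
        reg = [s] + reg[:-1]
    return out


def descramble(scrambled):
    """Inverse: d[n] = s[n] ^ s[n-4] ^ s[n-7], fed from received bits only.
    The register starts at zero, so the first 7 outputs are unreliable; the
    all-ones SYNC field at the front of the frame absorbs that."""
    reg = [0] * 7
    out = []
    for s in scrambled:
        out.append(s ^ reg[3] ^ reg[6])
        reg = [s] + reg[:-1]
    return out


def dbpsk_encode(bits):
    """DBPSK: a 1 flips the phase, a 0 keeps it (reference phase 0)."""
    sym, out = 0, []
    for b in bits:
        sym ^= b
        out.append(sym)
    return out


def dbpsk_decode(syms):
    """Bit = change between consecutive symbols, so a global phase inversion
    from the channel only corrupts the very first (SYNC) bit."""
    prev, out = 0, []
    for s in syms:
        out.append(s ^ prev)
        prev = s
    return out


def spread(syms):
    """Each symbol becomes +Barker (0) or -Barker (1): 11 chips per bit."""
    chips = []
    for s in syms:
        sign = -1 if s else 1
        chips.extend(sign * c for c in BARKER11)
    return chips


def channel(chips, lead_chips=5, noise=0.3, seed=1):
    """Constructed channel: unknown chip timing plus Gaussian noise."""
    rng = random.Random(seed)
    lead = [rng.gauss(0, noise) for _ in range(lead_chips)]
    return lead + [c + rng.gauss(0, noise) for c in chips]


def correlate(samples, i):
    """Dot product of 11 samples starting at i with the Barker code."""
    return sum(samples[i + k] * BARKER11[k] for k in range(11))


def find_chip_offset(samples):
    """Slide the Barker code over the stream; the alignment whose symbol
    correlations have the largest total magnitude is the chip boundary
    (aligned: |corr| = 11; misaligned: |corr| <= 2 from Barker sidelobes)."""
    best_total, best_off = -1.0, 0
    for off in range(len(BARKER11)):
        total = sum(abs(correlate(samples, i))
                    for i in range(off, len(samples) - 10, 11))
        if total > best_total:
            best_total, best_off = total, off
    return best_off


def despread(samples, offset):
    """Hard-decide one symbol per 11-chip window from the correlation sign."""
    return [0 if correlate(samples, i) > 0 else 1
            for i in range(offset, len(samples) - 10, 11)]


def bits_from_bytes(data):
    """LSB-first bit order (assumed, as 802.11 transmits octets)."""
    return [(byte >> k) & 1 for byte in data for k in range(8)]


def bytes_from_bits(bits):
    return bytes(sum(bits[i + k] << k for k in range(8))
                 for i in range(0, len(bits) - 7, 8))


def transmit(payload):
    bits = SYNC_BITS + bits_from_bytes(payload)
    return channel(spread(dbpsk_encode(scramble(bits))))


def receive(samples):
    """Returns (chip offset found, SYNC field intact?, recovered payload)."""
    off = find_chip_offset(samples)
    bits = descramble(dbpsk_decode(despread(samples, off)))
    sync_ok = all(bits[7:len(SYNC_BITS)])
    return off, sync_ok, bytes_from_bits(bits[len(SYNC_BITS):])


if __name__ == "__main__":
    print(receive(transmit(b"beacon")))
```

The receiver never needs the transmitter's scrambler seed: because the descrambler is driven by the received scrambled bits themselves, it is correct from the eighth bit onward, which is why checking that the rest of the SYNC field comes out as all ones is a cheap sanity test before trusting the payload. In a real capture the same sliding-correlation search has to run over oversampled IQ data after carrier recovery rather than over clean chips, but the chip-alignment and descrambling logic is the same.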
-
I've been using SDRs for a while, but I'm new to analyzing signals. I'm not clear how to take a signal from identification to decomposition to attack using FISSURE in its current state. Is there a lesson or video that pulls this all together?
I am interested in using the identification and deconstruction of PHY layer 802.11 with FISSURE as a starting point, since it's something that URH does not support and they are ubiquitous. Ignoring the 802.11-specific utilities included with FISSURE, what is the workflow to take a complex signal like this from receipt by an SDR like a HackRF to the end?