Tooling

Side-Channel & TEMPEST

TempestSDR, Universal Radio Hacker, Portapack, gr-iridium — RF security research and protocol hacking.

The dark-arts SDR cabinet: receiving emissions you weren't meant to receive, replaying or analyzing protocols, and reconstructing screens from electromagnetic leakage. Almost everything here is dual-use — legal for research on your own equipment, illegal in most jurisdictions when applied to others. This page is for security researchers, capture-the-flag participants, and curious hardware hackers. Cross-link with SDR Transceivers (HackRF, Portapack), Sub-GHz, 433 MHz & RTL_433 (low-frequency capture), and BLE & Bluetooth IoT (BLE-side hacks).

Protocol analysis & replay

  • Universal Radio Hacker (URH) — Python / Qt; the standard "wireless protocol reverse-engineering" tool. Records IQ from any SDR, demodulates, clusters bursts, builds protocol field models, replays via TX. Brilliant for analyzing 433 MHz remotes, garage doors, weather stations, doorbells. GPLv3.
  • GNU Radio replay flowgraphs — the canonical "record IQ, hit play, retransmit" pattern for HackRF / LimeSDR / Pluto. Examples in the GR sample / community repos.
  • inspectrum — IQ inspector / waterfall analyzer; helps you visually identify symbols / chip rates before writing a decoder. GPLv3.
  • rfcat / Yardstick One — Python framework for the YARD Stick One USB stick (sub-GHz hacking). ~$100. Great for OOK / FSK protocol replay below 1 GHz.
  • Hak5 / GreatScott "RFID research" — physical-layer cloning kits; LF (125 kHz) and HF (13.56 MHz) overlap.

Portable hacking platforms

  • HackRF One + Portapack H4M + Mayhem firmware — see SDR Transceivers; the standalone DEFCON-favorite portable. Mayhem firmware unlocks: replay, sub-GHz attacks, BLE jamming/sniffing, ADS-B beaconing, POCSAG TX, jamming (felony in most countries — don't), Bluetooth, NFC, AIS spoof, RDS modify. Use only on hardware you own.
  • Flipper Zero — see broader scope below; sub-GHz + RFID + NFC + IR + BLE; not an SDR but the spiritual cousin. ~$170. Open-source firmware (Unleashed / Xtreme / Roguemaster) extends the locked-from-the-factory regions.
  • HydraNFC / Proxmark3 RDV4 — NFC / RFID specialists; Proxmark is the canonical card-cloning platform. Open source. Cross-buy with HackRF for full-spectrum coverage.
  • WHID Cactus / WiFi HID injectors — out-of-scope for SDR but adjacent.

TEMPEST / van-Eck-phreaking

  • TempestSDR — receives compromising EM emanations from monitor cables / display drivers and reconstructs the screen image. Java + JNI; works with HackRF, RTL-SDR, USRP, Airspy. Tunes a few hundred MHz looking for VGA/HDMI line-rate harmonics; surprising what modern HDMI cables still leak. Research / educational. GPLv3.
  • gr-tempest — GNU Radio module for the same. Active research code.
  • Painful reality: modern shielded HDMI cables and IPS panels leak much less than VGA / DVI; TempestSDR is more "demo / PoC" than "operational threat" in 2026 — but DVI-D bridges, KVM cables, and old monitors leak enough to be readable from another room.

Iridium / Inmarsat / satellite paging

  • gr-iridium — GNU Radio Iridium pager / data decoder. Iridium broadcasts pager-style messages on 1626 MHz; gr-iridium captures and demodulates them. Some Iridium voice was previously crackable (research from Lübeck, 2015–2017); modern Iridium NEXT improved encryption but the legacy pager channel remains readable. GPL.
  • gr-inmarsat / aero-decoder — Inmarsat AERO airborne data decoder; cockpit message reception. SatDump (see Weather Satellites) also decodes Inmarsat-AERO.
  • gr-iridium-toolkit — companion analysis on top of gr-iridium output.

Pager / POCSAG / FLEX / DECT

  • multimon-ng — POCSAG / FLEX / DTMF / EAS / ZVEI / morse / X10. Reads audio from any SDR app via stdin; minimum-friction pager decoder. GPLv2.
  • PDW (Paging Decoder for Windows) — Windows; freeware; classic pager decoder.
  • rtl_pager / rtl_433 also handle some pager protocols.
  • AlPager / TPAGE — older Windows pager decoders; sunset.
  • dect-rx (osmocom-dect) — DECT (cordless phone) reception; old gr-dect; mostly research-grade.

RF spectrum survey & "wide-area" hacks

  • rtl_power / soapy_power / heatmap.py — wide-band power scans → image / heatmap. Find idle channels, identify pulsed transmitters.
  • kismet — wireless network sniffer (Wi-Fi / Bluetooth / RTL-SDR plugins); the spectrum-survey workhorse.
  • CRfind / RFspot — newer 2025 commercial RF surveyors with SDR backends; closed.

License / pricing / ethics

  • TempestSDR / URH / gr-iridium / multimon-ng / Mayhem / inspectrum — all FOSS (GPL).
  • HackRF / Portapack / Flipper / Proxmark — open hardware + open firmware ecosystems.
  • Mayhem firmware ships features (BLE replay, sub-GHz jam, AIS spoof) that violate FCC Part 15 / Part 97 / equivalent rules in most countries when used on a real antenna. Use a dummy load or a Faraday cage.
  • No FCC license is required to listen in the US (with a tiny set of exceptions: cellular voice, encrypted comms, satellite phone interception). Listening ≠ recording ≠ rebroadcasting — recording laws differ by state, rebroadcasting basically always illegal without authorization.
  • EU / UK / Canada / Australia — receive-only is much more restricted; check before you build.
  • Replay attacks on car keys, garage doors, RFID hotel keys — illegal essentially everywhere if not your own. CTFs / labs / research-with-permission only.

Practical guidance

  • Start with URH on a known target — your own 433 MHz garage remote, your own weather station. The workflow makes sense quickly: record, demodulate, decode, modify, retransmit.
  • Faraday cage / dummy load. Build / buy a small RF screen for testing TX without lighting up your neighborhood.
  • Document your work. RF hacking depends on traceability — sample rate, gain, frequency, antenna, GPS time. Save IQ files; you'll go back to them.
  • Update Mayhem regularly. The Portapack ecosystem moves fast — features added monthly.
  • Don't believe the marketing. Lots of "Wi-Fi hacking" tools and "SIGINT receivers" on AliExpress are repackaged HackRFs / RTL-SDRs with a logo. Buy the underlying hardware directly.

Pick this if…

  • Default protocol RE tool: Universal Radio Hacker.
  • Portable RF playground: HackRF + Portapack H4M + Mayhem.
  • Sub-GHz / 433 / NFC / IR / BLE pocket tool: Flipper Zero (Unleashed/Xtreme firmware).
  • NFC / RFID specialist: Proxmark3 RDV4.
  • TEMPEST research: TempestSDR + an old monitor.
  • Pager decoding: multimon-ng + any SDR.
  • Iridium pager research: gr-iridium with any L-band-capable SDR (HackRF, USRP).
  • Wide-band spectrum survey: rtl_power / soapy_power + heatmap.py.

On this page