HackRF One Volume 11 — Operations, RF Safety, Legal, and Lab Discipline
Capture / decode / replay end-to-end, the never-TX list, and the bench-discipline rules
1. About this Volume
A HackRF One in receive-only mode is a peaceful instrument. A HackRF in transmit mode is an unlicensed transmitter in regulated spectrum unless you’re careful. This volume is the operational and legal reference: what you can and cannot transmit, where the legal lines are, what the lab discipline looks like, and the end-to-end workflow from “I notice a signal” to “I have a working decode”.
The legal content here is FCC-centric (United States Federal Communications Commission) because that is tjscientist’s regulatory environment. International equivalents (Ofcom in the UK, ARCEP in France, BNetzA in Germany, ISED in Canada) follow similar shapes, but specific frequencies and rules differ. Always cross-check against your local regulator before transmitting.
2. The End-to-End Workflow
Putting Vols 5–7 together as one workflow:
```text
1. Spot a signal (hackrf_sweep, or hackrf_transfer + visual inspection)
   ↓
2. Capture IQ (hackrf_transfer -r capture.cfile)
   ↓
3. Identify modulation (Inspectrum cursor → bit duration; URH heuristic)
   ↓
4. Demodulate to bits (URH, GNU Radio, or rtl_433)
   ↓
5. Recognise structure (preamble, sync, length, address, payload, CRC)
   ↓
6. Validate decode (capture at least 5 instances; confirm the decoder produces consistent output)
   ↓
7. Decide outcome:
   ├── on tjscientist's own hardware / under license → write Flipper FAP, custom decoder, replay test
   ├── exploratory only → archive notes; HackRF moves to the next signal
   └── regulated band you're not licensed for → STOP at receive; never transmit
```
Each step has been covered in detail in earlier volumes. This volume is the operational glue.
3. The FCC Frequency-Allocation Map (US)
The FCC publishes a master frequency-allocation chart at fcc.gov/oet/spectrum/table/fcctable.pdf. Highlights for HackRF-relevant bands:
| Band | Allocation | TX-allowed? (without license) |
|---|---|---|
| 9 kHz – 30 MHz | Various: aviation HF, ham, broadcast HF, CB, etc. | Generally NO without license. CB (26.965–27.405 MHz) is licensed-by-rule under Part 95 |
| 30 MHz – 88 MHz | Government (military, public-safety, ham 6-m) | NO except ham 50–54 MHz with license |
| 88 MHz – 108 MHz | FM broadcast | NO (Part 73) |
| 108 MHz – 137 MHz | Aviation (AM voice) | NO (Part 87) |
| 144 MHz – 148 MHz | Amateur radio 2-m | YES with license |
| 162 MHz – 174 MHz | Government, some public safety | NO |
| 220 MHz – 225 MHz | Amateur 1.25-m | YES with license |
| 420 MHz – 450 MHz | Government, amateur 70-cm | YES (430-450) with license |
| 433.05 MHz – 434.79 MHz | ISM band | YES under Part 15 (low power, intermittent) |
| 460 MHz – 470 MHz | Public safety, GMRS, FRS | FRS (462.55–467.7125) channel set without license; GMRS requires license |
| 902 MHz – 928 MHz | ISM band | YES under Part 15 |
| 1090 MHz | Aviation transponder (Mode S) | RECEIVE ONLY |
| 1.5–1.6 GHz | GPS, satellite | NEVER TX |
| 1900 MHz – 1995 MHz | Cellular PCS | NEVER TX |
| 2.4 GHz – 2.4835 GHz | ISM band (WiFi, BLE, ZigBee, etc.) | YES under Part 15 (channel-specific rules) |
| 5.15 GHz – 5.825 GHz | UNII bands (WiFi) | YES under Part 15 with channel-specific rules |
The HackRF One’s tuning range covers all of these. Receiving in any of them is fine (FCC Part 15 §15.119 explicitly permits passive reception). Transmit is where the rules apply.
4. The Never-TX List
Bands where transmission is forbidden to the unlicensed amateur, with significant fines for violation:
| Band | Why never TX | Penalty |
|---|---|---|
| GPS L1 (1.5754 GHz) and L2 (1.2276 GHz) | Critical aviation infrastructure; jamming endangers lives | $10K–10M FCC fine + criminal charges |
| 1090 MHz aircraft transponder | Aviation safety | Same |
| Cellular bands (multiple) | Active commercial services | $10K+ FCC fine + cellular carrier action |
| Public-safety (police/fire/EMS) | Critical infrastructure | Felony charges in most jurisdictions |
| Aviation voice (108–137 MHz) | Aviation safety | $10K+ FCC fine + FAA action |
| Marine VHF (156–162 MHz, 162.4–162.55 MHz) | Marine safety | USCG action; $10K+ |
| 121.5 MHz aviation distress | Search-and-rescue | Felony |
| 406 MHz EPIRB / ELT | Emergency beacons | Felony |
| Government bands (varies) | Federal use | NIST / federal action |
Mayhem’s Jammer app, GPS sim app, and Tetra TX app can all generate signals in restricted bands. The apps exist; the only legal use is into a dummy load on a bench, for testing purposes. §6 of this volume covers the dummy-load discipline. Never transmit any of these over the air.
5. License-Conditional Bands
Where transmission is legal with the right license:
5.1 Amateur radio (US — Part 97)
The FCC issues three classes of amateur license: Technician, General, Extra. The Technician license costs $35 and allows transmission on:
- 6-m (50–54 MHz)
- 2-m (144–148 MHz)
- 1.25-m (222–225 MHz)
- 70-cm (420–450 MHz)
- 33-cm (902–928 MHz)
- 23-cm (1240–1300 MHz)
- 13-cm (2300–2310 MHz, 2390–2450 MHz)
This is more than enough range for HackRF-driven experiments — APRS, CW, digital modes (FT8, JS8Call, WSPR), simplex voice, RTTY, etc. The Technician license is the right floor for serious HackRF TX work.
General and Extra add HF privileges (below 30 MHz), which on a HackRF One requires the Ham-It-Up upconverter for receive (Vol 8 §5.4) and a different transmit chain (the HackRF’s TX power isn’t HF-friendly).
The American Radio Relay League (ARRL) publishes the standard Technician study guide (http://www.arrl.org/); the passing rate with one weekend of study is high.
5.2 GMRS (Part 95E)
The General Mobile Radio Service license (Part 95) is $35 for 10 years and covers a household. GMRS allows:
- 462.5500–462.7250 MHz (8 channels)
- 467.5500–467.7250 MHz (8 channels, repeater inputs)
- Up to 5 W on most channels; 50 W on some
GMRS is the right license for short-range family communication work the HackRF can drive.
5.3 Self-licensing (Part 15 ISM)
Some bands are licensed-by-rule — you don’t need an individual license, but you must follow the rules:
- 433.05–434.79 MHz: low-power data only, ~10 mW maximum, intermittent
- 902–928 MHz: a few watts allowed depending on channel
- 2.4–2.4835 GHz: WiFi power limits, frequency-hopping requirements
For HackRF replay-attack research on garage-door remotes (typically 433 or 315 MHz), you’re operating under Part 15. The HackRF’s stock TX power (~+10 dBm = 10 mW) is in-bounds; an external amplifier would push you out.
6. Bench Discipline — The Dummy Load and the Faraday Tent
For bench TX testing without radiating outdoors:
6.1 The dummy load
A 50 Ω SMA dummy load absorbs the HackRF’s TX power as heat. With a +10 dBm output (10 mW) the dummy load barely warms; with an external amp, size the load to the amplifier’s output power. Mini-Circuits HAT-30+ (30 dB attenuator + dummy) is a good choice for ~$25. The bench setup:
```text
[HackRF SMA] ─► [50 Ω dummy load]
```
Now you can run any TX experiment knowing nothing radiates. Mayhem’s Jammer and GPS-sim apps are safe in this configuration; they’re a felony if connected to an antenna.
6.2 The Faraday tent
A Faraday tent is a fabric-mesh enclosure that attenuates RF leakage by 50–80 dB. Mission Darkness, Stronghold Cyber, and Slick Bag sell ready-made tents for $100–500. With the HackRF + antenna inside the tent and the laptop driving it from outside (USB cable through a port), you can run full-power TX tests without leaking enough signal to be detected outside the tent.
This is the right discipline for:
- Testing your own RC equipment / sensors / IoT devices.
- Capturing and replaying the same signal in a closed loop.
- Validating a decoder by transmitting a synthesised packet and confirming it round-trips through your decoder.
A Faraday tent is overkill for casual work. It is the right tool when you want to run a full-power TX experiment that would otherwise require a license or risk a fine.
6.3 The 60 dB attenuator chain
For active-receiver work where you want to test against a strong signal in a controlled environment:
```text
[HackRF TX] ─► [60 dB attenuator] ─► [some antenna or device under test]
```
60 dB attenuation drops +10 dBm to -50 dBm — strong but no longer “outdoor radiating” in any meaningful sense. Pair with the Faraday tent for absolute isolation.
7. The “What Can I Actually Do?” Quick Reference
| I want to… | Legal status | Vol reference |
|---|---|---|
| Receive any signal in HackRF’s range | Always legal under FCC Part 15.119 | All RX volumes |
| Capture an unknown 433 MHz remote | Legal (RX in ISM band) | Vol 7 §6 |
| Replay your own captured 433 MHz remote at home | Legal (Part 15 ISM) | Vol 7 §6.4 |
| Decode FCC-licensed cellular channel for research | Legal RX only; no replay | Vol 7 |
| Transmit voice on 144 MHz with Technician license | Legal | Mayhem Audio TX, Vol 10 |
| Transmit voice on 154 MHz public-safety band | NEVER | — |
| Run Mayhem Jammer app over the air | NEVER | — |
| Run Mayhem Jammer app into a dummy load | Legal (no radiation) | Bench discipline, Vol 11 §6 |
| Test my own home alarm sensor with HackRF replay | Legal under Part 15 | Vol 7 |
| Test someone else’s car key fob (you don’t own the car) | NEVER (both technical and ethical) | — |
| Receive 1090 MHz ADS-B aircraft positions | Legal RX | Vol 6 (gr-air-modes), Vol 10 (ADSB app) |
| Transmit on 1090 MHz | NEVER (felony) | — |
| Spoof GPS into a Faraday tent for in-house GPS receiver test | Legal (no leak) | Vol 11 §6.2 |
| Spoof GPS over the air | NEVER (felony) | — |
| Build a digital ham radio mode (FT8, JS8Call) workflow | Legal with General class license | Vol 6 (GRC) + Vol 11 §5.1 |
8. RF Safety
This section is about operator safety, not the legal exposure covered above:
- Don’t put the antenna against your face. At HackRF’s stock +10 dBm there’s no SAR risk, but with an external amplifier a few watts at 2.4 GHz against the eye is a heating risk.
- Connectorize cleanly. SMA finger-tight is fine for benchwork; over-tightening damages the connector. Loose SMAs in a chain create intermittent failures and reflections.
- Don’t transmit into an open SMA. The reflection back to the HackRF can damage the TX path. Always have either an antenna, a dummy load, or a known good attenuator chain in line during TX.
- Avoid running TX continuously for long periods at high duty cycle. The MAX2837 and the SKY13453 generate heat; the HackRF’s case and shielding aren’t designed for industrial-grade thermal management.
9. Lab Hygiene — Captures and Audit Trail
For research workflows where you might need to defend “what did I do and when”:
- Capture filename convention: `YYYYMMDD_HHMMSS_<freq>_<rate>_<gain>_<description>.cfile`
- Maintain a bench log (paper or text) with date, target signal, capture parameters, and any TX testing performed (with attenuator/dummy-load setup).
- Keep firmware versions pinned: record the HackRF firmware version (`hackrf_info`) and Mayhem version (Mayhem About app) in the bench log when conditions change.
For pen-test contracts, the chain-of-custody requirement is the same as for any digital forensic work: timestamps, hashes of capture files, who-was-present log.
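The naming convention and the hash-bearing bench log above, worked through as an added example (not part of this volume’s own tooling): it builds and parses capture names, streams a SHA-256 over the `.cfile`, and emits one tab-separated audit line. The field units (frequency in Hz, sample rate in samples/s, gain as the LNA value in dB) and the `demo()` sample file are this example’s assumptions.

```python
# Added example, not from the original volume: build/parse capture names under the
# §9 convention and emit a bench-log line carrying the capture's SHA-256.
import hashlib, re, tempfile
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path

# YYYYMMDD_HHMMSS_<freq>_<rate>_<gain>_<description>.cfile; description is lowercase
# words/digits joined by '-', so the underscores split the name unambiguously.
_NAME_RE = re.compile(r"^(?P<ts>\d{8}_\d{6})_(?P<freq>\d+)_(?P<rate>\d+)_(?P<gain>\d+)_"
                      r"(?P<desc>[a-z0-9]+(?:-[a-z0-9]+)*)\.cfile$")

@dataclass(frozen=True)
class Capture:
    when: datetime          # wall-clock start of the capture
    freq_hz: int            # centre frequency (hackrf_transfer -f); unit is an assumption
    rate_sps: int           # sample rate (hackrf_transfer -s)
    gain_db: int            # LNA gain (hackrf_transfer -l); choice of gain is an assumption
    description: str        # free text, normalised when the name is built

    def filename(self) -> str:
        desc = re.sub(r"[^a-z0-9]+", "-", self.description.lower()).strip("-")
        if not desc:
            raise ValueError("description needs at least one letter or digit")
        return f"{self.when:%Y%m%d_%H%M%S}_{self.freq_hz}_{self.rate_sps}_{self.gain_db}_{desc}.cfile"

def parse_filename(name: str) -> Capture:
    """Inverse of Capture.filename(); rejects names outside the convention."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a conventional capture name: {name!r}")
    return Capture(datetime.strptime(m["ts"], "%Y%m%d_%H%M%S"),
                   int(m["freq"]), int(m["rate"]), int(m["gain"]), m["desc"])

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:                    # stream: IQ captures run to gigabytes
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def bench_log_line(path: Path, tx_setup: str = "RX only") -> str:
    """Tab-separated audit line: time, parameters, TX termination, SHA-256."""
    c = parse_filename(path.name)
    return "\t".join([c.when.isoformat(), f"{c.freq_hz} Hz", f"{c.rate_sps} sps",
                      f"{c.gain_db} dB", c.description, tx_setup, sha256_file(path)])

def demo() -> dict:
    # Constructed sample: 16 bytes = 8 interleaved int8 I/Q samples, not a real capture.
    cap = Capture(datetime(2024, 5, 17, 14, 3, 9), 433_920_000, 2_000_000, 32, "Garage remote A")
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, cap.filename())
        path.write_bytes(bytes(range(16)))
        return {"name": path.name, "parsed": parse_filename(path.name),
                "log": bench_log_line(path, "RX only, antenna")}
```

Append the returned `log` line to the bench log alongside the `hackrf_info` output, and re-run `sha256_file` on the archived capture whenever its integrity is questioned.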
10. Cheatsheet Updates from this Volume
For Vol 12:
- Receive: always legal under FCC Part 15.119
- Transmit: license-or-legal-rule required
- Bench TX into a 50 Ω dummy load is always legal (no radiation)
- Faraday tent for full-power TX testing without leaking
- HackRF stock TX: +10 dBm = 10 mW (Part 15 ISM-compatible)
- Never-TX list: cellular, GPS, aviation, public-safety, marine VHF
- US ham license entry point: Technician class, $35
- Capture filename: `YYYYMMDD_HHMMSS_<freq>_<rate>_<gain>_<description>.cfile`
11. Resources
| Resource | URL |
|---|---|
| FCC frequency allocation chart | https://transition.fcc.gov/oet/spectrum/table/fcctable.pdf |
| FCC Part 15 (low-power devices) | https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-15 |
| FCC Part 95 (personal radio services) | https://www.ecfr.gov/current/title-47/chapter-I/subchapter-D/part-95 |
| FCC Part 97 (amateur radio) | https://www.ecfr.gov/current/title-47/chapter-I/subchapter-D/part-97 |
| ARRL Technician license study | http://www.arrl.org/ |
| ARRL band plans | http://www.arrl.org/band-plan |
| Mission Darkness Faraday products | https://mosequipment.com/ |
| Mini-Circuits attenuators / dummy loads | https://www.minicircuits.com/ |
| Samy Kamkar, RollJam (legal/ethical analysis) | https://samy.pl/defcon2015/2015-defcon.pdf |