ASK/L(OOK)/Listen! – Basic Signal Decoding and Replay

Written on:September 1, 2017
Add One


It’s been quite a while since my last post and I figured it was time to start contributing again so I’m kicking it off with a quick-and-dirty method to decode and replay ASK On-off keying (OOK) signals. A couple of notes before I delve in…

First, this is not intended to be an intro to SDR/RF hacking. If you’re new to the subject, I highly recommend you go through Michael Ossmann’s free video tutorial series found here: Beyond that, you can find other tutorials and videos online, including the material at

Second, I did not develop the method I’m about to demonstrate. [I know…take two years off from posting and I can’t even come back with something original 🙂 ] It’s actually something I saw in a 2016 video [] so full credit goes to that individual. It’s a handy method to know and I think it always helps to have multiple examples, so I felt it was worthwhile to share.

Let’s dive in…

The Setup

If you want to replicate exactly what I’m going to demo, you’ll need the following:

  • A Linux distro (I’m using the latest version of Kali) with the following software tools:
    • osmocom_fft
    • RFcat
    • Inspectrum – make sure you grab the latest version. I recommend installing directly from source on Github ( as the version available via my distro package manager was outdated and did not contain the features I’m going to demonstrate.
  • An SDR dongle – any should do. For this demo I just used an inexpensive NooElec R820T2 NESDR Mini 2

YARD Stick One

  • Some device that operates using ASK/OOK modulated sub-1GHz signal. I’m using a cheap remote-controlled power outlet that I grabbed on Amazon.

Capturing the Signal

Looking at the target outlet device, I can see from the sticker on the back that it operates on a frequency of 433.92MHZ so no need to go to for this one.


Plug in your SDR and fire up osmocom to capture the signal.

osmocom_fft - f 43392e4 -s 8e6

This particular outlet has separate buttons for On and Off. I’ll demo the On signal and the same technique will apply to decoding the Off signal.

Pressing (and holding) the On button produces the following signal.

Record it in osmocom (REC button on lower right of screen) and load the corresponding file in inspectrum:

inspectrum /tmp/name-f4.339200e+08-[filename].cfile

You’ll want to ensure your Sample rate is the same (in this case 8e6) and also adjust the FFT size and Zoom to get a better visual of the spectrogram. I typically like to zoom out a bit at first just to see what I’m dealing with, which in this case (as it typically is with basic OOK) is a simple repeating signal.



Now I want to focus on one of these groups, zoom in a bit, and add an amplitude plot to better visualize the signal.



Center the red line on the signal and you should now have a nice representation.


Note that depending on the strength of the signal, you may find the peaks on your amplitude plot looks closer to straight lines and less “squiggly” (a technical term) than the above. Either way, it won’t affect our ability to interpret.

The next step is to plot our symbols. Select a symbol number (I usually start with about 40 depending on the size of the spectrogram) and check “Enable cursors” and you should see a vertical line plot appear somewhere on your screen. Move it to far left and resize those vertical bars to represent a single symbol. I’m not going to explain symbols/symbol rate but essentially in order for us to decode this signal, each horizontal line should align with exactly one smallest unit of measure representing a peak or valley in the amplitude plot. For example the very first peak on the above picture is considered one symbol. The next valley is equivalent to three symbols (three times the width of the first peak), and so on. Here’s a visual to help:


Now you want to increase the number of symbols until the cursor plot overlays exactly with the entire signal (in this case 97) which leaves me with the following:


Now right click and select “Extract symbols (to stdout)…”.


Go back to your terminal and you should see something like this:

Now we just need to decode those numerical symbol representations into bytes and we can transmit. I’ve got a very basic python script that I use for testing that looks as follows:


Now plug in your YARD Stick One, fire up RFCat and follow along. The first thing we need to do is run the above python script and initialize our YS1 device.


Now we want to convert our numeric symbols to a bit string representation.


We could simply send this bit string using the above xmit() function but I usually like to see the hex representation. In this case it’s not really necessary but it may be if you’re faced with more complicated decoding (checksums) or need to extract alphanum data from the transmission for any reason.


Now we can simply send the signal (note the function sends it 10 times…you may need to adjust depending on what you’re testing).


And on comes the lamp I’ve got plugged into that outlet 🙂

Decoding the Off signal in the same manner produces a bit string that varies by only one byte:


Sending that bit string now turns my lamp off.

Practical Application

If you haven’t played much in the SDR/RF space you might be asking yourself “So what?”. Turning on and off someone’s lamp might be annoying but doesn’t have many security applications. However, there are quite a number of other types of devices that operate at sub 1GHz frequencies including locks and alarms. There are also devices that use those frequencies to transmit data. Whether you’re assessing new technologies or performing physical penetration testing, you may find it useful to have the ability to interpret and replay radio signals.

Keep in mind that we only dealt with a very basic implementation of the simplest kind of modulation…there’s plenty more to delve into in the world of RF security!

Until next post…

– MC

Phishing with Macros and Powershell

Written on:May 22, 2015
are closed

Over the past 6 months, it seems we’ve been experiencing a resurgence of macro-based malware, possibly because it’s such a simple and proven means of delivering a phishing payload to large organizations. If you’re performing a penetration test against an organization and you have reason to believe untrusted macro execution is enabled, they can also be a good means to test user awareness and gain a foothold via social engineering. Regardless of their popularity,…


Offensive Security’s CTP and OSCE – My Experience

Written on:May 13, 2015
are closed

Overview I had been wanting to take the Cracking The Perimeter (CTP) course for some time but my schedule was pretty hectic. I finally forced myself to start it at the beginning of the new year and I’m really glad I did. As promised, here is my review… Prerequisites Offsec states the following: Many pre-requisites are required, such as good familiarity with a Ollydbg, and a general mastery of offensive network security techniques. Definitely sound advice….


An Analysis Of MS15-034

Written on:April 18, 2015
are closed

Introduction By now you’ve undoubtedly heard about MS15-034. The following is a collection of my cursory research and thoughts on this vulnerability. In addition, here is a small list of related resources, some of which I also reference in the sections that follow: Microsoft Security Bulletin MS15-034 (Microsoft) The Delicate Art of Remote Checks – A Glance Into MS15-034 (Beyond Trust) MS15-034: HTTP.sys (IIS) DoS And Possible Remote Code Execution. PATCH…

Read more... – An Experiment in AV Evasion

Written on:March 9, 2015
are closed

Introduction I just wrapped up the Offensive Security Cracking The Perimeter (CTP) course and one of the topics was AV evasion. Although I write a lot of custom scripts and tools, when it comes to AV evasion, I typically rely on the tools and methods of others (Veil, powershell, python, custom shellcode). That said, the great thing about courses like CTP is they give me an excuse to investigate a topic that I haven’t…


EggSandwich – An Egghunter with Integrity

Written on:February 12, 2015
are closed

Introduction A while back I introduced the EggSandwich in my tutorial on Egghunting as a means to implement some basic integrity checks into the traditional Egghunter and overcome the problem of fragmented / corrupted shellcode. I recently took the opportunity to update my implementation so it could accomodate shellcode of any size. The code and a brief explanation follows. What is the EggSandwich? I ran into a situation when developing an exploit for an…


Developing a Security Assessment Program

Written on:December 19, 2014
are closed

Introduction Most organizations and are deploying new applications and technologies at a high rate and without a means to adequately assess them prior to implementation, it’s difficult to accurately gauge your organization’s risk. No matter what the size or industry, it’s imperative that an organization has a standardized and repeatable process for assessing the security of the IT solutions it implements.  My goal with today’s post is to provide some recommendations on…


Exploiting MS14-066 / CVE-2014-6321 (aka “Winshock”)

Written on:November 29, 2014
are closed

Introduction I think enough time has passed now to provide a little more detail on how to exploit MS14-066 schannel vulnerability (aka “Winshock”). In this post I won’t be providing a complete PoC exploit, but I will delve into the details on exactly how to trigger the heap overflow along with some example modifications to OpenSSL so you can replicate the issue yourself. This vulnerability was announced while I was on…


Windows OLE RCE Exploit MS14-060 (CVE-2014-4114) – Sandworm

Written on:October 22, 2014
are closed

This recent exploit (dubbed “Sandworm”) took advantage of a vulnerability in which a specially crafted OLE object could allow remote code execution. In the case of the live sample exploit PPSX file I examined, it automatically downloaded the payload from a remote SMB share. I won’t rehash much of the details that others have covered but if you want to read more, here are some resources: Microsoft Security Bulletin: Original Discovery by…


Drupal 7 SQL Injection (CVE-2014-3704)

Written on:October 17, 2014
are closed

Introduction This vuln has been getting a lot of attention, and rightfully so. The good news is an update is available (and a supplemental patch has been released as well). The bad news is that it’s pre-auth SQLi. The basic problem is the way Drupal core 7.x versions prior to 7.32 construct a SQL query. Contrary to some claims, this is not a flaw in the use of prepared statements/parameterized queries, which…