Software-defined radio (SDR) technology can be used for many interesting technical experiments. A receive-only SDR already lets you do many interesting things, but an SDR that can also transmit opens many new doors. Here are some interesting videos related to SDR and cyber security:
Universal Radio Hacker – Replay Attack With HackRF
Download here: https://github.com/jopohl/urh
Radio Hacking: Cars, Hardware, and more! – Samy Kamkar – AppSec California 2016
Hacking Car Key Fobs with SDR
Getting Started With The HackRF, Hak5 1707
Hacking Ford Key Fobs Pt. 1 – SDR Attacks with @TB69RR – Hak5 2523
Hacking Ford Key Fobs Pt. 2 – SDR Attacks with @TB69RR – Hak5 2524
Hacking Ford Key Fobs Pt. 3 – SDR Attacks with @TB69RR – Hak5 2525
Hacking Restaurant Pagers with HackRF
Software Defined Spectrum Analyser – Hack RF
Locating Cellular Signal with HackRF Spectrum Analyzer SDR Software
GSM Sniffing: Voice Decryption 101 – Software Defined Radio Series #11
How To Listen To Trunked Police Radio And Why Im Done
Transmitting NTSC/ATSC Video With the HackRF One and Gnuradio
Also check out the article Using a HackRF SDR to Sniff RF Emissions from a Cryptocurrency Hardware Wallet and Obtain the PIN.
414 Comments
Tomi Engdahl says:
This guy created an analog 1G AMPS cell network and it works with his vintage Motorola!
https://www.reddit.com/r/vintagecomputing/comments/zlqqh1/this_guy_created_an_analog_1g_amps_cell_network/
Tomi Engdahl says:
https://hackaday.com/2021/06/02/how-to-run-a-first-generation-cell-phone-network/
Tomi Engdahl says:
https://philtel.org/2023/05/11/reviving-amps-phones.html
Tomi Engdahl says:
https://www.rtl-sdr.com/running-a-1g-mobile-phone-network-with-a-hackrf/
Tomi Engdahl says:
https://www.oreateai.com/blog/unpacking-the-1g-cellular-system-the-analog-dawn-of-mobile-communication/5f9f7b590d1f53b07b377d2ccf6f3f6a
Tomi Engdahl says:
Lime Microsystems Unveils the LimeSDR Micro, an M.2 Expandable SDR with Vector Accelerator
First FPGA-free LimeSDR is now crowdfunding, with an NXP baseband processor offering the ability to accelerate vector DSP work on-device.
https://www.hackster.io/news/lime-microsystems-unveils-the-limesdr-micro-an-m-2-expandable-sdr-with-vector-accelerator-9c1ef3823d9f
Tomi Engdahl says:
Open-source hardware DAB+ receiver combines ESP32 SoC with Skyworks SI4684 digital radio chip
https://www.cnx-software.com/2026/04/09/open-source-hardware-dab-receiver-combines-esp32-soc-with-skyworks-si4684-chip/
Tomi Engdahl says:
https://oh2ti.fi/2017/06/tetra-lahetteen-tarkastelua/
Tomi Engdahl says:
Running Your Own 3G Network
https://hackaday.com/2026/05/09/running-your-own-3g-network/
CDMA2000 was one of the protocols defined for 3G networks and is now years out of date and being phased out worldwide. Nevertheless, there are still vast numbers of phones that will happily connect to it, creating an opportunity for hackers seeking to run their own cellular networks. [Chrismoos] recently made this endeavour significantly easier by releasing 1xBTS, a Rust implementation of the lower three layers of a CDMA2000 network.
The lowest layer of the stack is an SDR for the actual radio communications. It's been tested with the USRP B200 and B210, the LimeSDR Mini 2, and the BladeRF Micro 2.0. The code might work with certain other SDRs using the SoapySDR abstraction layer. The SDR is controlled by the base station (BTS) software, which, in turn, is controlled by the base station controller (BSC) over an Abis link. The BSC manages channels and mobile device associations, and exchanges frames with the mobile switching center (MSC), which handles message switching.
The stack includes standard 3G verification; before a handset can authenticate to the network, its details must be added to the home location register (HLR). Once authenticated, the handset can access all standard services: inbound and outbound voice calls via a SIP gateway, inbound and outbound SMS, and data packet transfers. A web dashboard provides a convenient management platform that includes packet tracing.
Tomi Engdahl says:
CDMA2000 1x from RF to core.
A full cellular stack in Rust - SDR air interface, BTS/BSC split, MSC, SMSC, HLR, packet data, and a dashboard.
Get Started
https://1xbts.org/
The air interface is built on CDMA2000 Spread Rate 1, driven by a software-defined radio. Phones connect over a real 1.25 MHz channel - pilot, sync, paging, and traffic channels - using Walsh code spreading and Viterbi decoding. Closed-loop power control runs at 800 Hz to keep signal quality stable as the phone moves.
Tomi Engdahl says:
GSM Phone Network At EMF Camp Built On Raspberry Pi And LimeSDR
https://hackaday.com/2018/08/30/gsm-phone-network-at-emf-camp-built-on-raspberry-pi-and-limesdr/
Tomi Engdahl says:
How To Run A First-Generation Cell Phone Network
https://hackaday.com/2021/06/02/how-to-run-a-first-generation-cell-phone-network/
Tomi Engdahl says:
Building Your Own 4G LTE Base Station
https://hackaday.com/2024/03/03/building-your-own-4g-lte-base-station/