[{"data":1,"prerenderedAt":1332},["Reactive",2],{"kb-chapters":3,"kb-doc:/knowledge-base/reverse-engineering/wireless-rf/":181},[4,11,17,23,29,35,41,47,53,59,65,71,77,83,89,96,102,108,114,120,126,132,138,144,150,156,163,169,175],{"_path":5,"title":6,"description":7,"part":8,"_file":9,"chapterNumber":10},"/knowledge-base/networks/introduction","Introduction","Overview of the communication networks used in modern vehicles, from LIN to Automotive Ethernet.","Vehicle Networks & Protocols","7.knowledge-base/1.networks/1.introduction.md",1,{"_path":12,"title":13,"description":14,"part":8,"_file":15,"chapterNumber":16},"/knowledge-base/networks/vehicle-documentation","Vehicle Documentation","Where to find manufacturer wiring diagrams, J2534 passthrough devices, and the different types of diagrams that are useful when researching a vehicle.","7.knowledge-base/1.networks/2.vehicle-documentation.md",2,{"_path":18,"title":19,"description":20,"part":8,"_file":21,"chapterNumber":22},"/knowledge-base/networks/lin-bus","Local Interconnect Network (LIN)","Local Interconnect Network — a single-wire low-speed bus used as a low-cost alternative to CAN for non-critical body electronics.","7.knowledge-base/1.networks/3.lin-bus.md",3,{"_path":24,"title":25,"description":26,"part":8,"_file":27,"chapterNumber":28},"/knowledge-base/networks/controller-area-network","Controller Area Network (CAN)","ISO 11898 — the differential bus that became the backbone of automotive networking. 
Frames, bit timing, errors, CAN FD, message contents, and practical attacks.","7.knowledge-base/1.networks/4.controller-area-network.md",4,{"_path":30,"title":31,"description":32,"part":8,"_file":33,"chapterNumber":34},"/knowledge-base/networks/secure-onboard-communication","Secure Onboard Communication (SecOC)","AUTOSAR's standard for cryptographic message authentication on in-vehicle networks — freshness values, MAC computation and key management.","7.knowledge-base/1.networks/5.secure-onboard-communication.md",5,{"_path":36,"title":37,"description":38,"part":8,"_file":39,"chapterNumber":40},"/knowledge-base/networks/flexray","FlexRay","Time-triggered, deterministic automotive bus standardized as ISO 17458, designed for higher speeds and drive-by-wire systems.","7.knowledge-base/1.networks/6.flexray.md",6,{"_path":42,"title":43,"description":44,"part":8,"_file":45,"chapterNumber":46},"/knowledge-base/networks/automotive-ethernet","Automotive Ethernet","Automotive variants of Ethernet — 100BASE-T1, 1000BASE-T1, and 10BASE-T1S — built around single twisted-pair cabling and strict EMC requirements.","7.knowledge-base/1.networks/7.automotive-ethernet.md",7,{"_path":48,"title":6,"description":49,"part":50,"_file":51,"chapterNumber":52},"/knowledge-base/diagnostics/introduction","Overview of automotive diagnostic protocols — ISO-TP, OBD-II, UDS, CCP and XCP — and how they layer on top of CAN.","Diagnostic Protocols","7.knowledge-base/2.diagnostics/1.introduction.md",8,{"_path":54,"title":55,"description":56,"part":50,"_file":57,"chapterNumber":58},"/knowledge-base/diagnostics/iso-tp","ISO 15765-2 (ISO-TP)","ISO 15765-2 transport layer for sending diagnostic payloads larger than 8 bytes over CAN — single, first, consecutive and flow-control frames.","7.knowledge-base/2.diagnostics/2.iso-tp.md",9,{"_path":60,"title":61,"description":62,"part":50,"_file":63,"chapterNumber":64},"/knowledge-base/diagnostics/vw-tp20","VW Transport Protocol 2.0 (TP 2.0)","Volkswagen's 
pre-ISO-TP transport layer for KWP2000 over CAN — channel setup, parameter negotiation, and the data exchange counter scheme.","7.knowledge-base/2.diagnostics/3.vw-tp20.md",10,{"_path":66,"title":67,"description":68,"part":50,"_file":69,"chapterNumber":70},"/knowledge-base/diagnostics/obd-ii","On-board diagnostics (OBD-II)","On-Board Diagnostics II — the J1962 connector, signal protocols, service IDs, parameter IDs, and DTC encoding.","7.knowledge-base/2.diagnostics/4.obd-ii.md",11,{"_path":72,"title":73,"description":74,"part":50,"_file":75,"chapterNumber":76},"/knowledge-base/diagnostics/uds","Unified Diagnostic Services (UDS)","ISO 14229-1 — the modern diagnostic protocol for sessions, Read/Write DID, Security Access, Routine Control and firmware Request Download / Upload.","7.knowledge-base/2.diagnostics/6.uds.md",12,{"_path":78,"title":79,"description":80,"part":50,"_file":81,"chapterNumber":82},"/knowledge-base/diagnostics/ccp","CAN Calibration Protocol (CCP)","A low-level debug/calibration protocol over CAN — Command Receive Object, Data Transfer Object, and the commands used to read and write ECU memory.","7.knowledge-base/2.diagnostics/7.ccp.md",13,{"_path":84,"title":85,"description":86,"part":50,"_file":87,"chapterNumber":88},"/knowledge-base/diagnostics/xcp","Universal Measurement and Calibration Protocol (XCP)","ASAM XCP — successor to CCP supporting CAN, CAN FD, FlexRay, and Ethernet, with synchronous data acquisition, stimulation, and calibration.","7.knowledge-base/2.diagnostics/8.xcp.md",14,{"_path":90,"title":91,"description":92,"part":93,"_file":94,"chapterNumber":95},"/knowledge-base/reverse-engineering/ecu-flashing","ECU Flashing","How a control unit is reprogrammed over the wire with UDS, walked through step by step, why the sequence is staged the way it is, how the SecurityAccess seed/key gate works from weak proprietary LFSR ciphers to the Volkswagen SA2 script, and the levels of image authenticity from no signature validation through 
HSM-backed secure boot.","Reverse Engineering","7.knowledge-base/3.reverse-engineering/1.ecu-flashing.md",15,{"_path":97,"title":98,"description":99,"part":93,"_file":100,"chapterNumber":101},"/knowledge-base/reverse-engineering/oem-update-files","OEM Update Files","Where to find official ECU firmware, why OEMs ship it, and how the major manufacturer update container formats (VW FRF/ODX, Toyota CUW, Ford VBF, BMW psdzdata, Tesla BHX) are structured, decrypted, and unpacked.","7.knowledge-base/3.reverse-engineering/2.oem-update-files.md",16,{"_path":103,"title":104,"description":105,"part":93,"_file":106,"chapterNumber":107},"/knowledge-base/reverse-engineering/ghidra","Ghidra Tutorial","Practical use of Ghidra on automotive ECU images. Project setup, p-code and SLEIGH, auto-analysis configuration, locating code in raw images, configuring the memory map and Small Data Area for PPC VLE, TriCore and RH850, and recognising UDS dispatchers, CAN tables, and AUTOSAR fingerprints.","7.knowledge-base/3.reverse-engineering/3.ghidra.md",17,{"_path":109,"title":110,"description":111,"part":93,"_file":112,"chapterNumber":113},"/knowledge-base/reverse-engineering/wireless-rf","Wireless and RF","Practical reverse engineering of automotive sub-GHz radio links. 
Radio architectures (heterodyne, integrated transceivers, SDR), unlicensed ISM bands, binary modulation schemes (ASK, FSK, BPSK), Manchester line coding, the software ecosystem (GNU Radio, Gqrx, URH, rtl_433), and a walkthrough of decoding a Hitag2 keyfob capture in URH.","7.knowledge-base/3.reverse-engineering/4.wireless-rf.md",18,{"_path":115,"title":6,"description":116,"part":117,"_file":118,"chapterNumber":119},"/knowledge-base/existing-research/introduction","Landmark papers from 2010 to 2016 that defined automotive security research and demonstrated the first complete remote exploit chain against a production vehicle.","Existing Research","7.knowledge-base/4.existing-research/1.introduction.md",19,{"_path":121,"title":122,"description":123,"part":117,"_file":124,"chapterNumber":125},"/knowledge-base/existing-research/engine-control-units","Engine Control Units","Public reverse-engineering work on engine ECUs, focusing on bri3d's documented exploit chains for the Volkswagen Group Simos 18 ECU and its Infineon TriCore TC1791 processor.","7.knowledge-base/4.existing-research/2.engine-control-units.md",20,{"_path":127,"title":128,"description":129,"part":117,"_file":130,"chapterNumber":131},"/knowledge-base/existing-research/ev-charging","EV Charging","Research covering two distinct attack surfaces introduced by electric vehicle charging, the HomePlug Green PHY powerline data layer used by the Combined Charging System, and the AC charger as a peer device with its own firmware and bidirectional communications.","7.knowledge-base/4.existing-research/3.ev-charging.md",21,{"_path":133,"title":134,"description":135,"part":117,"_file":136,"chapterNumber":137},"/knowledge-base/existing-research/fault-injection","Fault Injection","Published fault injection research relevant to automotive microcontrollers, covering voltage glitching, EMFI, debug access, and secure-boot bypasses on Renesas, Infineon, NXP/Freescale, and Tesla compute 
platforms.","7.knowledge-base/4.existing-research/4.fault-injection.md",22,{"_path":139,"title":140,"description":141,"part":117,"_file":142,"chapterNumber":143},"/knowledge-base/existing-research/infotainment-telematics","Infotainment & Telematics","Sixteen published research entries covering remote exploitation of infotainment and telematics systems across Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan vehicles, plus a cross-industry web API survey.","7.knowledge-base/4.existing-research/5.infotainment-telematics.md",23,{"_path":145,"title":146,"description":147,"part":117,"_file":148,"chapterNumber":149},"/knowledge-base/existing-research/sensors-and-radios","Other Wireless Attack Surfaces","Research covering wireless attack surfaces beyond the primary CAN and telematics interfaces, including tire pressure sensors and DAB radio receivers, both of which accept untrusted RF input and have historically performed no authentication or input validation.","7.knowledge-base/4.existing-research/6.sensors-and-radios.md",24,{"_path":151,"title":152,"description":153,"part":117,"_file":154,"chapterNumber":155},"/knowledge-base/existing-research/remote-keyless-entry","Remote Keyless Entry and Immobilisers","Research on cryptographic attacks against passive keyless entry systems, transponder-based immobilisers, rolling-code RKE, and the CAN-injection theft chain.","7.knowledge-base/4.existing-research/7.remote-keyless-entry.md",25,{"_path":157,"title":158,"description":159,"part":160,"_file":161,"chapterNumber":162},"/knowledge-base/tools/can-adapters","CAN Adapters","USB-to-CAN adapters — comma.ai red panda and PEAK-System PCAN — and the standard DB-9 pinout for CAN.","Tools","7.knowledge-base/5.tools/1.can-adapters.md",26,{"_path":164,"title":165,"description":166,"part":160,"_file":167,"chapterNumber":168},"/knowledge-base/tools/can-analysis","CAN Analysis","Tools for analysing and reverse-engineering CAN traffic — comma.ai cabana, SavyCAN, VehicleSpy, and 
Wireshark.","7.knowledge-base/5.tools/2.can-analysis.md",27,{"_path":170,"title":171,"description":172,"part":160,"_file":173,"chapterNumber":174},"/knowledge-base/tools/scripting","Scripting","Python libraries and CLI tools for talking to a CAN bus — comma.ai panda, SocketCAN can-utils, python-can, and Scapy with ISO-TP and UDS examples.","7.knowledge-base/5.tools/3.scripting.md",28,{"_path":176,"title":177,"description":178,"part":160,"_file":179,"chapterNumber":180},"/knowledge-base/tools/dbc-files","DBC Files","The DBC file format used to describe the contents of CAN messages — nodes, messages, signals, comments, and value tables.","7.knowledge-base/5.tools/4.dbc-files.md",29,{"_path":109,"_dir":182,"_draft":183,"_partial":183,"_locale":184,"title":110,"description":111,"part":93,"references":185,"body":258,"_type":1328,"_id":1329,"_source":1330,"_file":112,"_extension":1331},"reverse-engineering",false,"",[186,191,196,201,206,211,218,223,228,233,238,243,248,253],{"id":187,"authors":188,"title":189,"url":190},"rtl-sdr","Osmocom","rtl-sdr: turning the Realtek RTL2832U DVB-T tuner into a software-defined radio","https://osmocom.org/projects/rtl-sdr/wiki/Rtl-sdr",{"id":192,"authors":193,"title":194,"url":195},"bladerf","Nuand","bladeRF 2.0 micro","https://www.nuand.com/bladerf-2-0-micro/",{"id":197,"authors":198,"title":199,"url":200},"yardstick","Great Scott Gadgets","YARD Stick One","https://greatscottgadgets.com/yardstickone/",{"id":202,"authors":203,"title":204,"url":205},"flipper","Flipper Devices","Flipper Zero documentation — sub-GHz radio","https://docs.flipper.net/sub-ghz",{"id":207,"authors":208,"title":209,"url":210},"cc1101","Texas Instruments","CC1101 Low-Power Sub-1 GHz RF Transceiver datasheet","https://www.ti.com/lit/ds/symlink/cc1101.pdf",{"id":212,"authors":213,"title":214,"publisher":215,"year":216,"url":217},"urh","Pohl, Noack","Universal Radio Hacker: A Suite for Analyzing and Attacking Stateful Wireless Protocols","USENIX WOOT 
2018",2018,"https://www.usenix.org/conference/woot18/presentation/pohl",{"id":219,"authors":220,"title":221,"url":222},"gnuradio","GNU Radio Project","GNU Radio","https://www.gnuradio.org/",{"id":224,"authors":225,"title":226,"url":227},"gqrx","Alexandru Csete and contributors","Gqrx SDR","https://gqrx.dk/",{"id":229,"authors":230,"title":231,"url":232},"sdrpp","Alexandre Rouma and contributors","SDR++: cross-platform and open-source SDR software","https://www.sdrpp.org/",{"id":234,"authors":235,"title":236,"url":237},"sdrsharp","Airspy","SDR# (SDRSharp)","https://airspy.com/download/",{"id":239,"authors":240,"title":241,"url":242},"cyberether","Luigi Cruz","CyberEther: GPU-accelerated signal visualization and data processing","https://github.com/luigifcruz/CyberEther",{"id":244,"authors":245,"title":246,"url":247},"rtl433","Merbanan and contributors","rtl_433: program to decode radio transmissions from devices on the ISM bands","https://github.com/merbanan/rtl_433",{"id":249,"authors":250,"title":251,"url":252},"etsi-300-220","ETSI","EN 300 220 — Short Range Devices (SRD) operating in the frequency range 25 MHz to 1 000 MHz","https://www.etsi.org/deliver/etsi_en/300200_300299/30022001/",{"id":254,"authors":255,"title":256,"url":257},"fcc-part15","FCC","47 CFR Part 15 — Radio Frequency 
Devices","https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-15",{"type":259,"children":260,"toc":1303},"root",[261,269,275,297,302,309,314,341,345,421,430,465,502,510,516,545,547,705,711,716,723,735,742,748,753,759,765,770,774,780,785,795,850,854,867,873,878,884,922,930,935,949,957,962,976,984,990,1006,1014,1019,1040,1048,1054,1065,1071,1098,1110,1118,1124,1136,1144,1150,1174,1179,1187,1193,1205,1230,1235,1243,1249,1260,1268,1280,1288,1293,1299],{"type":262,"tag":263,"props":264,"children":266},"element","h1",{"id":265},"wireless-and-rf",[267],{"type":268,"value":110},"text",{"type":262,"tag":270,"props":271,"children":272},"p",{},[273],{"type":268,"value":274},"Modern vehicles expose a surprising amount of attack surface over radio: remote keyless entry, passive keyless entry and start, tire pressure sensors, immobiliser transponders, and more.",{"type":262,"tag":270,"props":276,"children":277},{},[278,280,287,289,295],{"type":268,"value":279},"Most of these links use simple modulations on unlicensed frequencies and predate any meaningful threat model. 
Existing research on cryptographic attacks against keyfobs and immobilisers is collected in the ",{"type":262,"tag":281,"props":282,"children":284},"a",{"href":283},"/knowledge-base/existing-research/remote-keyless-entry/",[285],{"type":268,"value":286},"Remote Keyless Entry chapter",{"type":268,"value":288},"; the existing research on tire pressure sensors and DAB receivers lives in the ",{"type":262,"tag":281,"props":290,"children":292},{"href":291},"/knowledge-base/existing-research/sensors-and-radios/",[293],{"type":268,"value":294},"Other Wireless Attack Surfaces chapter",{"type":268,"value":296},".",{"type":262,"tag":270,"props":298,"children":299},{},[300],{"type":268,"value":301},"This chapter covers the practical side: how the radios that produce these signals are built, which frequencies and modulations to expect, what tooling exists for capture and analysis, and a worked example of decoding a Hitag2 keyfob capture in Universal Radio Hacker.",{"type":262,"tag":303,"props":304,"children":306},"h2",{"id":305},"radio-architectures",[307],{"type":268,"value":308},"Radio Architectures",{"type":262,"tag":270,"props":310,"children":311},{},[312],{"type":268,"value":313},"A receiver has to take an antenna voltage of microvolts, select a narrow slice of spectrum, and produce a baseband signal that a digital block can decode. 
There are three families of receiver worth knowing.",{"type":262,"tag":270,"props":315,"children":316},{},[317,319,325,327,332,334,339],{"type":268,"value":318},"The ",{"type":262,"tag":320,"props":321,"children":322},"strong",{},[323],{"type":268,"value":324},"superheterodyne",{"type":268,"value":326}," architecture mixes the antenna signal with a tunable ",{"type":262,"tag":320,"props":328,"children":329},{},[330],{"type":268,"value":331},"local oscillator (LO)",{"type":268,"value":333}," to produce a fixed ",{"type":262,"tag":320,"props":335,"children":336},{},[337],{"type":268,"value":338},"intermediate frequency (IF)",{"type":268,"value":340},". The IF stage does the selectivity work: a sharp crystal or SAW filter at a fixed frequency is far easier to build than a sharp filter that tunes across a wide band. The demodulator then operates on the IF, not the original carrier. Almost every analogue radio receiver built between 1930 and 2000 used this layout, and it remains the default for narrowband receivers today.",{"type":262,"tag":342,"props":343,"children":344},"rf-receiver-diagram",{},[],{"type":262,"tag":270,"props":346,"children":347},{},[348,350,355,357,362,364,368,370,378,379,382,384,392,393,396,398,405,407,412,414,419],{"type":268,"value":349},"Integrated ",{"type":262,"tag":320,"props":351,"children":352},{},[353],{"type":268,"value":354},"transceiver chips",{"type":268,"value":356}," package this entire chain on one die with a digital interface. The TI ",{"type":262,"tag":320,"props":358,"children":359},{},[360],{"type":268,"value":361},"CC1101",{"type":268,"value":363}," ",{"type":262,"tag":365,"props":366,"children":367},"citation",{"id":207},[],{"type":268,"value":369}," is the canonical example for sub-GHz work: tunable from 300 to 928 MHz, supports OOK, 2-FSK, 4-FSK, GFSK, and MSK with programmable data rates, and exposes a packet engine over SPI. 
It is the radio inside the ",{"type":262,"tag":281,"props":371,"children":375},{"href":372,"rel":373},"https://flipperzero.one/",[374],"nofollow",[376],{"type":268,"value":377},"Flipper Zero",{"type":268,"value":363},{"type":262,"tag":365,"props":380,"children":381},{"id":202},[],{"type":268,"value":383},". The ",{"type":262,"tag":281,"props":385,"children":387},{"href":200,"rel":386},[374],[388],{"type":262,"tag":320,"props":389,"children":390},{},[391],{"type":268,"value":199},{"type":268,"value":363},{"type":262,"tag":365,"props":394,"children":395},{"id":197},[],{"type":268,"value":397}," is built on the CC1111, the same CC1101 radio core with an 8051 microcontroller on the die, packaged as a USB dongle with open firmware and a Python library (",{"type":262,"tag":399,"props":400,"children":402},"code",{"className":401},[],[403],{"type":268,"value":404},"rfcat",{"type":268,"value":406},"), so the same captures and replays a Flipper does can be scripted from a laptop. Other common parts in this class are the ",{"type":262,"tag":320,"props":408,"children":409},{},[410],{"type":268,"value":411},"nRF24L01+",{"type":268,"value":413}," (2.4 GHz, GFSK) and the ",{"type":262,"tag":320,"props":415,"children":416},{},[417],{"type":268,"value":418},"Silicon Labs Si4432",{"type":268,"value":420}," (sub-GHz).",{"type":262,"tag":270,"props":422,"children":423},{},[424],{"type":262,"tag":425,"props":426,"children":429},"img",{"alt":427,"src":428},"YARD Stick One USB dongle. Photo: Great Scott Gadgets.","/images/knowledge-base/reverse-engineering/rf-yardstick-one.jpeg",[],{"type":262,"tag":270,"props":431,"children":432},{},[433,438,440,450,451,454,456,463],{"type":262,"tag":320,"props":434,"children":435},{},[436],{"type":268,"value":437},"Software-defined radios",{"type":268,"value":439}," push the digital boundary as close to the antenna as possible. 
An ",{"type":262,"tag":281,"props":441,"children":444},{"href":442,"rel":443},"https://www.rtl-sdr.com/",[374],[445],{"type":262,"tag":320,"props":446,"children":447},{},[448],{"type":268,"value":449},"RTL-SDR",{"type":268,"value":363},{"type":262,"tag":365,"props":452,"children":453},{"id":187},[],{"type":268,"value":455}," is a repurposed DVB-T USB stick (RTL2832U demodulator plus an R820T2 tuner) that streams 8-bit I/Q samples at up to about 2.4 MS/s and tunes from roughly 24 MHz to 1.7 GHz. It is receive-only and costs around €25, which makes it a very affordable tool for receiving a wide range of signals. If you want to try an SDR before buying one, the ",{"type":262,"tag":281,"props":457,"children":460},{"href":458,"rel":459},"http://websdr.ewi.utwente.nl:8901/",[374],[461],{"type":268,"value":462},"University of Twente WebSDR",{"type":268,"value":464}," exposes a wideband receiver over the browser.",{"type":262,"tag":270,"props":466,"children":467},{},[468,470,478,479,482,484,491,493,500],{"type":268,"value":469},"For transmit, the ",{"type":262,"tag":281,"props":471,"children":473},{"href":195,"rel":472},[374],[474],{"type":262,"tag":320,"props":475,"children":476},{},[477],{"type":268,"value":194},{"type":268,"value":363},{"type":262,"tag":365,"props":480,"children":481},{"id":192},[],{"type":268,"value":483}," covers 47 MHz to 6 GHz, full duplex, with a 12-bit ADC/DAC at up to 61.44 MS/s. It sits in the same price range as the older HackRF One but offers full duplex, a wider dynamic range from the deeper bit depth, and a higher sample rate, which makes it the better default if you need to transmit. 
More capable SDRs (",{"type":262,"tag":281,"props":485,"children":488},{"href":486,"rel":487},"https://limemicro.com/products/boards/limesdr/",[374],[489],{"type":268,"value":490},"LimeSDR",{"type":268,"value":492},", ",{"type":262,"tag":281,"props":494,"children":497},{"href":495,"rel":496},"https://www.ettus.com/",[374],[498],{"type":268,"value":499},"USRP",{"type":268,"value":501},") trade cost for further increases in sample rate, channel count, clock stability, and bit depth.",{"type":262,"tag":270,"props":503,"children":504},{},[505],{"type":262,"tag":425,"props":506,"children":509},{"alt":507,"src":508},"Nuand bladeRF 2.0 micro SDR. Photo: Nuand.","/images/knowledge-base/reverse-engineering/rf-bladerf-micro.png",[],{"type":262,"tag":303,"props":511,"children":513},{"id":512},"frequency-bands",[514],{"type":268,"value":515},"Frequency Bands",{"type":262,"tag":270,"props":517,"children":518},{},[519,521,526,528,533,535,538,540,543],{"type":268,"value":520},"Most automotive RF links sit in unlicensed ",{"type":262,"tag":320,"props":522,"children":523},{},[524],{"type":268,"value":525},"ISM",{"type":268,"value":527}," (Industrial, Scientific, Medical) and ",{"type":262,"tag":320,"props":529,"children":530},{},[531],{"type":268,"value":532},"SRD",{"type":268,"value":534}," (Short Range Device) bands. Each region's regulator (ETSI EN 300 220 in Europe ",{"type":262,"tag":365,"props":536,"children":537},{"id":249},[],{"type":268,"value":539},", FCC Part 15 in the United States ",{"type":262,"tag":365,"props":541,"children":542},{"id":254},[],{"type":268,"value":544},", ARIB in Japan) defines a power limit and, often, a duty-cycle limit per band. 
The bands relevant to automotive work are:",{"type":268,"value":546},"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",{"type":262,"tag":548,"props":549,"children":550},"table",{},[551,575],{"type":262,"tag":552,"props":553,"children":554},"thead",{},[555],{"type":262,"tag":556,"props":557,"children":558},"tr",{},[559,565,570],{"type":262,"tag":560,"props":561,"children":562},"th",{},[563],{"type":268,"value":564},"Band",{"type":262,"tag":560,"props":566,"children":567},{},[568],{"type":268,"value":569},"Region",{"type":262,"tag":560,"props":571,"children":572},{},[573],{"type":268,"value":574},"Typical use",{"type":262,"tag":576,"props":577,"children":578},"tbody",{},[579,598,616,634,652,670,687],{"type":262,"tag":556,"props":580,"children":581},{},[582,588,593],{"type":262,"tag":583,"props":584,"children":585},"td",{},[586],{"type":268,"value":587},"125 kHz / 134 kHz",{"type":262,"tag":583,"props":589,"children":590},{},[591],{"type":268,"value":592},"Worldwide LF",{"type":262,"tag":583,"props":594,"children":595},{},[596],{"type":268,"value":597},"Immobiliser transponders, PKES wakeup, RFID",{"type":262,"tag":556,"props":599,"children":600},{},[601,606,611],{"type":262,"tag":583,"props":602,"children":603},{},[604],{"type":268,"value":605},"13.56 MHz",{"type":262,"tag":583,"props":607,"children":608},{},[609],{"type":268,"value":610},"Worldwide HF",{"type":262,"tag":583,"props":612,"children":613},{},[614],{"type":268,"value":615},"NFC keycards, some immobiliser systems",{"type":262,"tag":556,"props":617,"children":618},{},[619,624,629],{"type":262,"tag":583,"props":620,"children":621},{},[622],{"type":268,"value":623},"315 MHz",{"type":262,"tag":583,"props":625,"children":626},{},[627],{"type":268,"value":628},"North America, Japan",{"type":262,"tag":583,"props":630,"children":631},{},[632],{"type":268,"value":633},"Keyfobs, 
TPMS",{"type":262,"tag":556,"props":635,"children":636},{},[637,642,647],{"type":262,"tag":583,"props":638,"children":639},{},[640],{"type":268,"value":641},"433.05–434.79 MHz",{"type":262,"tag":583,"props":643,"children":644},{},[645],{"type":268,"value":646},"Europe, Asia",{"type":262,"tag":583,"props":648,"children":649},{},[650],{"type":268,"value":651},"Keyfobs, garage doors, TPMS",{"type":262,"tag":556,"props":653,"children":654},{},[655,660,665],{"type":262,"tag":583,"props":656,"children":657},{},[658],{"type":268,"value":659},"868–868.6 MHz",{"type":262,"tag":583,"props":661,"children":662},{},[663],{"type":268,"value":664},"Europe SRD",{"type":262,"tag":583,"props":666,"children":667},{},[668],{"type":268,"value":669},"Keyfobs",{"type":262,"tag":556,"props":671,"children":672},{},[673,678,683],{"type":262,"tag":583,"props":674,"children":675},{},[676],{"type":268,"value":677},"902–928 MHz",{"type":262,"tag":583,"props":679,"children":680},{},[681],{"type":268,"value":682},"North America ISM",{"type":262,"tag":583,"props":684,"children":685},{},[686],{"type":268,"value":669},{"type":262,"tag":556,"props":688,"children":689},{},[690,695,700],{"type":262,"tag":583,"props":691,"children":692},{},[693],{"type":268,"value":694},"2.4 GHz",{"type":262,"tag":583,"props":696,"children":697},{},[698],{"type":268,"value":699},"Worldwide ISM",{"type":262,"tag":583,"props":701,"children":702},{},[703],{"type":268,"value":704},"Bluetooth Low Energy, WiFi",{"type":262,"tag":303,"props":706,"children":708},{"id":707},"modulation",[709],{"type":268,"value":710},"Modulation",{"type":262,"tag":270,"props":712,"children":713},{},[714],{"type":268,"value":715},"Once the receiver has isolated the right slice of spectrum, the modulation determines how bits ride on the carrier. 
The three most common modulations for binary data are described below.",{"type":262,"tag":717,"props":718,"children":720},"h3",{"id":719},"amplitude-shift-keying-ask-ook",[721],{"type":268,"value":722},"Amplitude Shift Keying (ASK / OOK)",{"type":262,"tag":270,"props":724,"children":725},{},[726,728,733],{"type":268,"value":727},"The simplest modulation: a \"1\" is the carrier present, a \"0\" is the carrier absent (or at a lower amplitude). The fully on/off case is called ",{"type":262,"tag":320,"props":729,"children":730},{},[731],{"type":268,"value":732},"OOK",{"type":268,"value":734}," (on-off keying), and for keyfob links the two terms are used interchangeably. ASK is cheap to generate (a single transistor switching the oscillator on and off) and cheap to demodulate (a diode envelope detector). It dominates older keyfobs and TPMS sensors in the 315/433 MHz bands.",{"type":262,"tag":736,"props":737,"children":741},"rf-modulation",{"bits":738,"type":739,":cyclesPerBit":740},"10110010","ask","4",[],{"type":262,"tag":717,"props":743,"children":745},{"id":744},"frequency-shift-keying-fsk",[746],{"type":268,"value":747},"Frequency Shift Keying (FSK)",{"type":262,"tag":270,"props":749,"children":750},{},[751],{"type":268,"value":752},"FSK keeps the amplitude constant and switches the carrier between two frequencies, one for \"0\" and one for \"1\". Because the envelope carries no information, FSK tolerates the amplitude variation that distance, fading and interference impose on the received signal, which an ASK slicer would misread as data. It is the default modulation for modern keyfobs.",{"type":262,"tag":736,"props":754,"children":758},{"bits":738,"type":755,":fskCenter":756,":fskDeviation":757},"fsk","3","1.2",[],{"type":262,"tag":717,"props":760,"children":762},{"id":761},"binary-phase-shift-keying-bpsk",[763],{"type":268,"value":764},"Binary Phase Shift Keying (BPSK)",{"type":262,"tag":270,"props":766,"children":767},{},[768],{"type":268,"value":769},"BPSK keeps both the amplitude and frequency constant, and encodes bits as 180° phase shifts of the carrier. 
It is rare on cheap links because it requires a coherent reference at the receiver, but it appears in higher-end protocols (some PEPS systems, parts of C-V2X). The same chips that do BPSK also extend to QPSK, 8-PSK, and QAM for higher data rates.",{"type":262,"tag":736,"props":771,"children":773},{"bits":738,"type":772},"psk",[],{"type":262,"tag":303,"props":775,"children":777},{"id":776},"manchester-line-coding",[778],{"type":268,"value":779},"Manchester Line Coding",{"type":262,"tag":270,"props":781,"children":782},{},[783],{"type":268,"value":784},"When transmitting RF data, no separate clock signal can be included, and we cannot rely on the transmitter's and receiver's clocks to stay in sync. The clock and data therefore have to be combined into the same signal.",{"type":262,"tag":270,"props":786,"children":787},{},[788,793],{"type":262,"tag":320,"props":789,"children":790},{},[791],{"type":268,"value":792},"Manchester coding",{"type":268,"value":794}," solves this problem by splitting each bit period into two halves and forcing a transition in the middle. The direction of the transition carries the bit. Two conventions are in use, and they are exact inverses of each other:",{"type":262,"tag":796,"props":797,"children":798},"ul",{},[799,826],{"type":262,"tag":800,"props":801,"children":802},"li",{},[803,808,810,816,818,824],{"type":262,"tag":320,"props":804,"children":805},{},[806],{"type":268,"value":807},"Manchester I",{"type":268,"value":809}," (also called G.E. Thomas): ",{"type":262,"tag":399,"props":811,"children":813},{"className":812},[],[814],{"type":268,"value":815},"1",{"type":268,"value":817}," is a falling edge mid-bit (high then low). 
",{"type":262,"tag":399,"props":819,"children":821},{"className":820},[],[822],{"type":268,"value":823},"0",{"type":268,"value":825}," is a rising edge (low then high).",{"type":262,"tag":800,"props":827,"children":828},{},[829,834,836,841,843,848],{"type":262,"tag":320,"props":830,"children":831},{},[832],{"type":268,"value":833},"Manchester II",{"type":268,"value":835}," (also called IEEE 802.3): ",{"type":262,"tag":399,"props":837,"children":839},{"className":838},[],[840],{"type":268,"value":815},{"type":268,"value":842}," is a rising edge mid-bit. ",{"type":262,"tag":399,"props":844,"children":846},{"className":845},[],[847],{"type":268,"value":823},{"type":268,"value":849}," is a falling edge.",{"type":262,"tag":736,"props":851,"children":853},{"bits":738,"type":852},"manchester",[],{"type":262,"tag":270,"props":855,"children":856},{},[857,859,865],{"type":268,"value":858},"Manchester doubles the symbol rate compared to NRZ for the same data rate, in exchange for a guaranteed transition every bit. A decoder locked to the wrong convention produces the bitwise complement of the original stream, which is the first thing to try when a captured frame looks almost-but-not-quite right. 
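The following is an added worked example, not code from the page, from URH, or from any of the projects it references. It ties the OOK envelope detector, the RTL-SDR sample format and the two Manchester conventions together: it builds a constructed OOK burst carrying the page's "10110010" payload in rtl_sdr's native layout (unsigned 8-bit I and Q bytes, interleaved, 127.5 as zero), envelope-detects and slices it back into chips, and decodes the chips under both Manchester I and Manchester II so the complement relationship is visible. The 250 kS/s capture rate, 10 kchip/s chip rate, 20 kHz carrier offset, signal amplitude and noise level are all assumptions chosen for the example; the "Manchester I" and "Manchester II" names follow the page's definitions.

```python
"""Added example: OOK envelope detection + Manchester decode of an rtl_sdr-style
u8 I/Q buffer. The burst is constructed in-script; nothing here is captured data.
Assumed parameters: 250 kS/s, 10 kchip/s (5 kbit/s), burst 20 kHz above centre."""
import numpy as np

SAMPLE_RATE = 250_000                         # assumed capture rate, Hz
CHIP_RATE = 10_000                            # assumed Manchester chip (half-bit) rate
SAMPLES_PER_CHIP = SAMPLE_RATE // CHIP_RATE   # 25
DATA_BITS = [1, 0, 1, 1, 0, 0, 1, 0]          # "10110010", the page's diagram payload


def manchester_encode(bits, convention="thomas"):
    """Manchester I (G.E. Thomas): 1 -> high,low  0 -> low,high.
    Manchester II (IEEE 802.3):   1 -> low,high  0 -> high,low."""
    chips = []
    for b in bits:
        pair = (1, 0) if b else (0, 1)
        chips.extend(pair[::-1] if convention == "ieee" else pair)
    return chips


def manchester_decode(chips, convention="thomas"):
    """Inverse of manchester_encode. A pair with no mid-bit transition means the
    stream is misaligned by one chip or is not Manchester at all."""
    if len(chips) % 2:
        raise ValueError("odd chip count: stream is not bit-aligned")
    bits = []
    for i in range(0, len(chips), 2):
        if chips[i] == chips[i + 1]:
            raise ValueError(f"no transition in chip pair at index {i}")
        bit = 1 if chips[i] == 1 else 0       # Thomas: falling edge is a 1
        bits.append(bit ^ 1 if convention == "ieee" else bit)
    return bits


def ook_to_iq_bytes(chips, offset_hz, noise=0.05, silence=200, seed=0):
    """Constructed test input: an OOK burst as rtl_sdr-style u8 interleaved I/Q."""
    rng = np.random.default_rng(seed)
    env = np.repeat(np.asarray(chips, dtype=float), SAMPLES_PER_CHIP)
    env = np.concatenate([np.zeros(silence), env, np.zeros(silence)])
    t = np.arange(env.size) / SAMPLE_RATE
    iq = 0.8 * env * np.exp(2j * np.pi * offset_hz * t)   # 0.8 leaves ADC headroom
    iq = iq + noise * (rng.standard_normal(env.size) + 1j * rng.standard_normal(env.size))
    u8 = np.empty(2 * env.size, dtype=np.uint8)
    u8[0::2] = np.clip(np.round(127.5 + 127.5 * iq.real), 0, 255).astype(np.uint8)
    u8[1::2] = np.clip(np.round(127.5 + 127.5 * iq.imag), 0, 255).astype(np.uint8)
    return u8.tobytes()


def iq_bytes_to_complex(raw):
    """rtl_sdr u8 interleaved I/Q -> complex baseband samples in [-1, 1]."""
    u8 = np.frombuffer(raw, dtype=np.uint8).astype(np.float32)
    return (u8[0::2] - 127.5) / 127.5 + 1j * (u8[1::2] - 127.5) / 127.5


def ook_demod(iq):
    """Software envelope detector: |I+jQ|, smooth, threshold, sample at chip centres.
    Slicing starts at the first carrier-on sample, so the frame must begin with a
    '1' chip (real frames carry a preamble so the receiver has an edge to lock to)."""
    env = np.abs(iq)
    win = max(1, SAMPLES_PER_CHIP // 2)
    env = np.convolve(env, np.ones(win) / win, mode="same")
    on = env > 0.5 * env.max()
    idx = np.flatnonzero(on)
    if idx.size == 0:
        raise ValueError("no burst above threshold")
    start, end = idx[0], idx[-1] + 1
    n_chips = int(round((end - start) / SAMPLES_PER_CHIP))
    # Manchester puts exactly one '1' chip in every bit, so an odd count means the
    # frame ended on a silent '0' chip that the envelope detector cannot see.
    if n_chips % 2:
        n_chips += 1
    centres = (start + (np.arange(n_chips) + 0.5) * SAMPLES_PER_CHIP).astype(int)
    return [int(on[c]) if c < on.size else 0 for c in centres]


def recover(raw):
    """Chip stream plus both candidate bit interpretations of it."""
    chips = ook_demod(iq_bytes_to_complex(raw))
    return {
        "chips": chips,
        "manchester_I": manchester_decode(chips, "thomas"),
        "manchester_II": manchester_decode(chips, "ieee"),
    }


def demo(bits=DATA_BITS):
    raw = ook_to_iq_bytes(manchester_encode(bits, "thomas"), offset_hz=20_000)
    return recover(raw)


if __name__ == "__main__":
    r = demo()
    print("chips        ", "".join(map(str, r["chips"])))
    print("Manchester I ", r["manchester_I"])     # the transmitted bits
    print("Manchester II", r["manchester_II"])    # their bitwise complement
```

To run this on a real capture, replace the synthesised buffer with the bytes of a file written by `rtl_sdr -f 433920000 -s 250000 capture.bin` (adjust the frequency to the band you found in the waterfall), set `SAMPLES_PER_CHIP` from the chip duration you measured in the waterfall or in URH, and pick whichever of the two decodes yields a sane preamble and checksum; the other is its complement.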
Differential Manchester (used in some token-ring and industrial protocols) is a variant where the bit is encoded by the ",{"type":262,"tag":860,"props":861,"children":862},"em",{},[863],{"type":268,"value":864},"presence or absence",{"type":268,"value":866}," of a transition at the bit boundary, making it polarity-independent.",{"type":262,"tag":303,"props":868,"children":870},{"id":869},"software",[871],{"type":268,"value":872},"Software",{"type":262,"tag":270,"props":874,"children":875},{},[876],{"type":268,"value":877},"A handful of tools cover the majority of practical RF reverse engineering work.",{"type":262,"tag":717,"props":879,"children":881},{"id":880},"gqrx-sdr-and-sdr",[882],{"type":268,"value":883},"Gqrx, SDR++, and SDR#",{"type":262,"tag":270,"props":885,"children":886},{},[887,893,894,897,898,904,905,908,910,916,917,920],{"type":262,"tag":281,"props":888,"children":890},{"href":227,"rel":889},[374],[891],{"type":268,"value":892},"Gqrx",{"type":268,"value":363},{"type":262,"tag":365,"props":895,"children":896},{"id":224},[],{"type":268,"value":492},{"type":262,"tag":281,"props":899,"children":901},{"href":232,"rel":900},[374],[902],{"type":268,"value":903},"SDR++",{"type":268,"value":363},{"type":262,"tag":365,"props":906,"children":907},{"id":229},[],{"type":268,"value":909},", and ",{"type":262,"tag":281,"props":911,"children":913},{"href":237,"rel":912},[374],[914],{"type":268,"value":915},"SDR#",{"type":268,"value":363},{"type":262,"tag":365,"props":918,"children":919},{"id":234},[],{"type":268,"value":921}," are general-purpose receivers with a waterfall display. 
They are the right starting point for any new signal: tune around the expected frequency, press a keyfob button, see whether a burst appears in the waterfall, eyeball the bandwidth and the modulation family.",{"type":262,"tag":270,"props":923,"children":924},{},[925],{"type":262,"tag":425,"props":926,"children":929},{"alt":927,"src":928},"Gqrx waterfall display","/images/knowledge-base/reverse-engineering/rf-gqrx-waterfall.png",[],{"type":262,"tag":717,"props":931,"children":933},{"id":932},"gnu-radio",[934],{"type":268,"value":221},{"type":262,"tag":270,"props":936,"children":937},{},[938,943,944,947],{"type":262,"tag":281,"props":939,"children":941},{"href":222,"rel":940},[374],[942],{"type":268,"value":221},{"type":268,"value":363},{"type":262,"tag":365,"props":945,"children":946},{"id":219},[],{"type":268,"value":948}," is the underlying DSP framework. Its graphical editor (GNU Radio Companion) lets you wire up signal-processing blocks into a flowgraph. Use it when you need a custom demodulator, a non-standard symbol rate, or any kind of bespoke signal processing that the other tools in this list do not handle.",{"type":262,"tag":270,"props":950,"children":951},{},[952],{"type":262,"tag":425,"props":953,"children":956},{"alt":954,"src":955},"GNU Radio Companion flowgraph.","/images/knowledge-base/reverse-engineering/rf-gnuradio.png",[],{"type":262,"tag":717,"props":958,"children":959},{"id":239},[960],{"type":268,"value":961},"CyberEther",{"type":262,"tag":270,"props":963,"children":964},{},[965,970,971,974],{"type":262,"tag":281,"props":966,"children":968},{"href":242,"rel":967},[374],[969],{"type":268,"value":961},{"type":268,"value":363},{"type":262,"tag":365,"props":972,"children":973},{"id":239},[],{"type":268,"value":975}," is a GPU-accelerated DSP and visualization framework. 
The blocks-and-wires editing model is similar to GNU Radio Companion, but the runtime targets the GPU (Metal, Vulkan, CUDA) instead of the CPU, which lets it draw waterfalls and run filters on wider bandwidths than GNU Radio can without dropping samples.",{"type":262,"tag":270,"props":977,"children":978},{},[979],{"type":262,"tag":425,"props":980,"children":983},{"alt":981,"src":982},"CyberEther interface. Image: Luigi Cruz / CyberEther.","/images/knowledge-base/reverse-engineering/rf-cyberether.png",[],{"type":262,"tag":717,"props":985,"children":987},{"id":986},"universal-radio-hacker",[988],{"type":268,"value":989},"Universal Radio Hacker",{"type":262,"tag":270,"props":991,"children":992},{},[993,1000,1001,1004],{"type":262,"tag":281,"props":994,"children":997},{"href":995,"rel":996},"https://github.com/jopohl/urh",[374],[998],{"type":268,"value":999},"Universal Radio Hacker (URH)",{"type":268,"value":363},{"type":262,"tag":365,"props":1002,"children":1003},{"id":212},[],{"type":268,"value":1005}," covers most of what replay-style attacks on simple protocols need. 
It records to file, lets you slice bursts out of a long capture, has built-in demodulators for ASK/FSK/PSK, line decoders including Manchester, an analysis tab that aligns bits across multiple captures and highlights what changed, and a transmit path that drives any supported SDR.",{"type":262,"tag":270,"props":1007,"children":1008},{},[1009],{"type":262,"tag":425,"props":1010,"children":1013},{"alt":1011,"src":1012},"URH decoding the data from a TPMS sensor","/images/knowledge-base/reverse-engineering/rf-urh-overview.png",[],{"type":262,"tag":717,"props":1015,"children":1017},{"id":1016},"rtl_433",[1018],{"type":268,"value":1016},{"type":262,"tag":270,"props":1020,"children":1021},{},[1022,1027,1028,1031,1033,1038],{"type":262,"tag":281,"props":1023,"children":1025},{"href":247,"rel":1024},[374],[1026],{"type":268,"value":1016},{"type":268,"value":363},{"type":262,"tag":365,"props":1029,"children":1030},{"id":244},[],{"type":268,"value":1032}," is a decoder for known ISM-band protocols: weather sensors, TPMS sensors, energy meters, and many consumer doorbells and remotes. Run it before anything else. If ",{"type":262,"tag":399,"props":1034,"children":1036},{"className":1035},[],[1037],{"type":268,"value":1016},{"type":268,"value":1039}," already recognises the signal, you save yourself the work of demodulating from scratch and you get a documented packet layout for free.",{"type":262,"tag":270,"props":1041,"children":1042},{},[1043],{"type":262,"tag":425,"props":1044,"children":1047},{"alt":1045,"src":1046},"rtl_433 decoding several ISM-band sensors. 
Image: merbanan/rtl_433.","/images/knowledge-base/reverse-engineering/rf-rtl433.png",[],{"type":262,"tag":303,"props":1049,"children":1051},{"id":1050},"tutorial-decoding-a-hitag2-keyfob-in-urh",[1052],{"type":268,"value":1053},"Tutorial: Decoding a Hitag2 Keyfob in URH",{"type":262,"tag":270,"props":1055,"children":1056},{},[1057,1059,1063],{"type":268,"value":1058},"Hitag2 is a transponder protocol used in immobilisers and unidirectional RKE. The cryptographic weaknesses are documented in the ",{"type":262,"tag":281,"props":1060,"children":1061},{"href":283},[1062],{"type":268,"value":286},{"type":268,"value":1064},"; this tutorial only covers the layer below: how to capture a button press and locate the rolling counter in the resulting bitstream. The capture is from a 433.92 MHz European keyfob.",{"type":262,"tag":717,"props":1066,"children":1068},{"id":1067},"record-the-signal",[1069],{"type":268,"value":1070},"Record the Signal",{"type":262,"tag":270,"props":1072,"children":1073},{},[1074,1076,1081,1083,1088,1090,1096],{"type":268,"value":1075},"URH has a built-in recorder. Open ",{"type":262,"tag":320,"props":1077,"children":1078},{},[1079],{"type":268,"value":1080},"File, Record signal",{"type":268,"value":1082},", pick the SDR backend, then set the centre frequency to 433.92 MHz and the sample rate to 1 MS/s. Press ",{"type":262,"tag":320,"props":1084,"children":1085},{},[1086],{"type":268,"value":1087},"Start",{"type":268,"value":1089}," and then press the lock button on the keyfob several times — the rolling counter will increment between presses, which is what makes the counter visible later. Stop the recording and save it to a ",{"type":262,"tag":399,"props":1091,"children":1093},{"className":1092},[],[1094],{"type":268,"value":1095},".complex",{"type":268,"value":1097}," file. 
A short burst per press should appear in the waterfall, lasting roughly 20–80 ms depending on the manufacturer.",{"type":262,"tag":270,"props":1099,"children":1100},{},[1101,1103,1108],{"type":268,"value":1102},"Open the recording in URH's ",{"type":262,"tag":320,"props":1104,"children":1105},{},[1106],{"type":268,"value":1107},"Interpretation",{"type":268,"value":1109}," tab. The burst is visible as a packet of amplitude transitions sitting above the noise floor.",{"type":262,"tag":270,"props":1111,"children":1112},{},[1113],{"type":262,"tag":425,"props":1114,"children":1117},{"alt":1115,"src":1116},"URH interpretation view with a recorded Hitag2 burst, amplitude axis.","/images/knowledge-base/reverse-engineering/rf-urh-record.png",[],{"type":262,"tag":717,"props":1119,"children":1121},{"id":1120},"demodulate-and-recover-the-symbol-rate",[1122],{"type":268,"value":1123},"Demodulate and Recover the Symbol Rate",{"type":262,"tag":270,"props":1125,"children":1126},{},[1127,1129,1134],{"type":268,"value":1128},"Hitag2 RKE frames are ASK with Manchester line coding. Set the modulation to ",{"type":262,"tag":320,"props":1130,"children":1131},{},[1132],{"type":268,"value":1133},"ASK",{"type":268,"value":1135}," in the modulation panel. Zoom in and select the shortest pulse in the burst to measure its length in samples. For a Manchester-coded signal that pulse is one half-bit, not a whole data bit, and the half-bit length is what goes in the samples/symbol field; the Manchester decoder applied in the next step combines each pair of half-bits into one data bit. 
Also check the noise threshold: it must sit above the noise floor but below the burst amplitude, otherwise URH either folds noise into the burst or truncates the data.",{"type":262,"tag":270,"props":1137,"children":1138},{},[1139],{"type":262,"tag":425,"props":1140,"children":1143},{"alt":1141,"src":1142},"URH modulation panel with ASK selected and the auto-detected bit length highlighted.","/images/knowledge-base/reverse-engineering/rf-urh-demod.png",[],{"type":262,"tag":717,"props":1145,"children":1147},{"id":1146},"apply-manchester-decoding",[1148],{"type":268,"value":1149},"Apply Manchester Decoding",{"type":262,"tag":270,"props":1151,"children":1152},{},[1153,1155,1160,1162,1166,1168,1172],{"type":268,"value":1154},"Switch to the ",{"type":262,"tag":320,"props":1156,"children":1157},{},[1158],{"type":268,"value":1159},"Analysis",{"type":268,"value":1161}," tab. Create a new decoding chain that applies ",{"type":262,"tag":320,"props":1163,"children":1164},{},[1165],{"type":268,"value":807},{"type":268,"value":1167}," or ",{"type":262,"tag":320,"props":1169,"children":1170},{},[1171],{"type":268,"value":833},{"type":268,"value":1173},". The next stage identifies the rolling counter; because the wrong convention yields the bitwise complement of the stream, a counter that appears to count down between presses means the other convention is the right one, so switch from Manchester I to II or vice versa.",{"type":262,"tag":270,"props":1175,"children":1176},{},[1177],{"type":268,"value":1178},"The decoded frame should be on the order of 64 to 128 bits including preamble and sync.",{"type":262,"tag":270,"props":1180,"children":1181},{},[1182],{"type":262,"tag":425,"props":1183,"children":1186},{"alt":1184,"src":1185},"URH analysis tab showing several aligned frames after Manchester decoding.","/images/knowledge-base/reverse-engineering/rf-urh-manchester.png",[],{"type":262,"tag":717,"props":1188,"children":1190},{"id":1189},"find-the-rolling-counter",[1191],{"type":268,"value":1192},"Find the Rolling Counter",{"type":262,"tag":270,"props":1194,"children":1195},{},[1196,1198,1203],{"type":268,"value":1197},"Line several decoded frames up in the analysis view. 
Most of the bits are identical across captures: the UID, the button code, and fixed framing fields do not change. The bits that ",{"type":262,"tag":860,"props":1199,"children":1200},{},[1201],{"type":268,"value":1202},"do",{"type":268,"value":1204}," change come from two places:",{"type":262,"tag":796,"props":1206,"children":1207},{},[1208,1219],{"type":262,"tag":800,"props":1209,"children":1210},{},[1211,1212,1217],{"type":268,"value":318},{"type":262,"tag":320,"props":1213,"children":1214},{},[1215],{"type":268,"value":1216},"rolling counter",{"type":268,"value":1218},", which increments by one (or a small fixed amount) every button press.",{"type":262,"tag":800,"props":1220,"children":1221},{},[1222,1223,1228],{"type":268,"value":318},{"type":262,"tag":320,"props":1224,"children":1225},{},[1226],{"type":268,"value":1227},"MAC",{"type":268,"value":1229},", which depends on the counter and the secret key, and therefore looks random.",{"type":262,"tag":270,"props":1231,"children":1232},{},[1233],{"type":268,"value":1234},"Sort the captures by press order. The counter shows up as a small contiguous block of bits that increments monotonically, with the low bits flipping most often. URH highlights changing bits per column, which makes this immediately visible.",{"type":262,"tag":270,"props":1236,"children":1237},{},[1238],{"type":262,"tag":425,"props":1239,"children":1242},{"alt":1240,"src":1241},"URH analysis view with bit-level diff colouring across five captured frames; the counter region is the small cluster of changing bits on the left of the MAC.","/images/knowledge-base/reverse-engineering/rf-urh-counter-diff.png",[],{"type":262,"tag":717,"props":1244,"children":1246},{"id":1245},"align-with-the-frame-layout",[1247],{"type":268,"value":1248},"Align with the Frame Layout",{"type":262,"tag":270,"props":1250,"children":1251},{},[1252,1254,1258],{"type":268,"value":1253},"Once the counter is located, the rest of the frame falls into place by alignment. 
The Hitag2 RKE frame layout is published in the existing-research papers referenced from the ",{"type":262,"tag":281,"props":1255,"children":1256},{"href":283},[1257],{"type":268,"value":286},{"type":268,"value":1259},":",{"type":262,"tag":270,"props":1261,"children":1262},{},[1263],{"type":262,"tag":425,"props":1264,"children":1267},{"alt":1265,"src":1266},"Hitag2 RKE frame layout showing the 102-bit packet structure: preamble, UID, button code, low-order counter bits (lctr), keystream (ks), padding, and checksum. Figure from Garcia et al., 2016 (Lock It and Still Lose It).","/images/knowledge-base/existing-research/remote-keyless-entry/garcia-hitag2-frame-1.png",[],{"type":262,"tag":270,"props":1269,"children":1270},{},[1271,1273,1278],{"type":268,"value":1272},"Mark each region in URH's ",{"type":262,"tag":320,"props":1274,"children":1275},{},[1276],{"type":268,"value":1277},"Label",{"type":268,"value":1279}," view to confirm the alignment is consistent across captures. The UID, button, and counter fields should be byte-aligned and stable in the expected way; the MAC region should differ in every frame.",{"type":262,"tag":270,"props":1281,"children":1282},{},[1283],{"type":262,"tag":425,"props":1284,"children":1287},{"alt":1285,"src":1286},"URH labels assigned to the UID, button, counter, and MAC regions of the decoded frame.","/images/knowledge-base/reverse-engineering/rf-urh-labels.png",[],{"type":262,"tag":270,"props":1289,"children":1290},{},[1291],{"type":268,"value":1292},"At this point you have a fully labelled frame: every bit on the air is accounted for, and a replay attack on a captured frame is one click away. The MAC is what stops a straight replay from working in practice, because the receiver tracks the counter and rejects anything that does not advance it. 
Breaking the MAC requires recovering the Hitag2 key, which is what the cryptographic attacks in the existing-research chapter do.",{"type":262,"tag":303,"props":1294,"children":1296},{"id":1295},"references",[1297],{"type":268,"value":1298},"References",{"type":262,"tag":1300,"props":1301,"children":1302},"chapter-references",{},[],{"title":184,"searchDepth":16,"depth":16,"links":1304},[1305,1306,1307,1312,1313,1320,1327],{"id":305,"depth":16,"text":308},{"id":512,"depth":16,"text":515},{"id":707,"depth":16,"text":710,"children":1308},[1309,1310,1311],{"id":719,"depth":22,"text":722},{"id":744,"depth":22,"text":747},{"id":761,"depth":22,"text":764},{"id":776,"depth":16,"text":779},{"id":869,"depth":16,"text":872,"children":1314},[1315,1316,1317,1318,1319],{"id":880,"depth":22,"text":883},{"id":932,"depth":22,"text":221},{"id":239,"depth":22,"text":961},{"id":986,"depth":22,"text":989},{"id":1016,"depth":22,"text":1016},{"id":1050,"depth":16,"text":1053,"children":1321},[1322,1323,1324,1325,1326],{"id":1067,"depth":22,"text":1070},{"id":1120,"depth":22,"text":1123},{"id":1146,"depth":22,"text":1149},{"id":1189,"depth":22,"text":1192},{"id":1245,"depth":22,"text":1248},{"id":1295,"depth":16,"text":1298},"markdown","content:7.knowledge-base:3.reverse-engineering:4.wireless-rf.md","content","md",1779615358733]
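The procedure above, from Manchester line decoding through locating the rolling counter by column diff, as an added Python example. It is not code from the page, from URH or from any Hitag2 implementation: the frame layout, UID, button code and key are constructed test data, SHA-256 stands in for the keyed keystream only so that the MAC field looks random from press to press, and every function name is this example's own. It also shows the two checks the text leans on: decoding with the wrong Manchester convention yields the bitwise complement, and a chip pair without a mid-bit transition is reported as a coding violation instead of being silently decoded.

```python
"""Added worked example for this tutorial, not code from the page, from URH or
from any Hitag2 implementation. The frame layout, UID, button code and key are
constructed test data, and SHA-256 stands in for the keyed keystream so that
the MAC field looks random from one press to the next."""
import hashlib

# Constructed layout in bit offsets; it is NOT the published Hitag2 layout.
#   preamble [0:8] | uid [8:24] | button [24:28] | counter [28:38] | mac [38:54]
PREAMBLE = "10101010"
UID = format(0xBEEF, "016b")            # constructed transponder ID
BUTTON_LOCK = "0001"
SECRET = b"constructed-demo-key"        # hypothetical key, demo only


def mac_bits(counter):
    """Stand-in for the keyed keystream: 16 bits derived from counter and key."""
    digest = hashlib.sha256(SECRET + counter.to_bytes(2, "big")).digest()
    return format(int.from_bytes(digest[:2], "big"), "016b")


def build_frame(counter):
    """One lock-button frame as it would look after line decoding."""
    return PREAMBLE + UID + BUTTON_LOCK + format(counter & 0x3FF, "010b") + mac_bits(counter)


def manchester_encode(bits, convention="ieee"):
    """IEEE 802.3 (Manchester II): 1 -> '01' (rising mid-bit), 0 -> '10'.
    G. E. Thomas (Manchester I) uses the opposite assignment."""
    one, zero = ("01", "10") if convention == "ieee" else ("10", "01")
    return "".join(one if b == "1" else zero for b in bits)


def manchester_decode(chips, convention="ieee"):
    """Turn a string of half-bit chips (what URH produces when samples/symbol
    is the half-bit width) back into data bits. A pair without a mid-bit
    transition ('00' or '11') is a coding violation: either the signal is
    not Manchester or the symbol length is wrong."""
    if len(chips) % 2:
        raise ValueError("odd chip count: symbol length is probably wrong")
    one = "01" if convention == "ieee" else "10"
    out = []
    for i in range(0, len(chips), 2):
        pair = chips[i:i + 2]
        if pair[0] == pair[1]:
            raise ValueError(f"no mid-bit transition at chip {i}")
        out.append("1" if pair == one else "0")
    return "".join(out)


def complement(bits):
    return "".join("1" if b == "0" else "0" for b in bits)


def changing_columns(frames):
    """Bit positions where the aligned frames disagree (what URH colours)."""
    return [i for i in range(len(frames[0])) if len({f[i] for f in frames}) > 1]


def find_counter(frames, max_step=4, min_width=2):
    """Frames must be in press order. Returns [start, end) of the narrowest
    window made only of changing columns whose big-endian integer value rises
    by 1..max_step between consecutive frames, or None. Narrowest first
    matters: the counter's low bits sit right next to the MAC, so a wider
    window that swallows MAC bits on the LSB side can also look monotonic.
    The MAC on its own never qualifies because it is keyed and does not
    increment. max_step > 1 tolerates presses the capture missed."""
    cols = set(changing_columns(frames))
    n = len(frames[0])
    for width in range(min_width, n + 1):
        for start in range(n - width + 1):
            if any(c not in cols for c in range(start, start + width)):
                continue
            vals = [int(f[start:start + width], 2) for f in frames]
            if all(1 <= b - a <= max_step for a, b in zip(vals, vals[1:])):
                return start, start + width
    return None


def demo():
    """Eight lock presses at counter 124..131, so a carry into bit 7 occurs."""
    frames = [build_frame(c) for c in range(124, 132)]
    on_air = [manchester_encode(f) for f in frames]           # chips as captured
    right = [manchester_decode(c, "ieee") for c in on_air]
    wrong = [manchester_decode(c, "thomas") for c in on_air]  # complement of right
    return right, wrong, find_counter(right)


if __name__ == "__main__":
    right, wrong, window = demo()
    print("wrong convention gives the complement:", wrong[0] == complement(right[0]))
    print("counter window:", window, [int(f[slice(*window)], 2) for f in right])
```

With eight presses the only window that passes is the eight low counter bits, offsets 30 to 37 in this constructed layout, reading 124 through 131; the two constant counter MSBs are excluded because a column that never changes cannot belong to a counter that increments, and any window that drops the bit which flips at the 127 to 128 carry wraps and is rejected. With only a handful of captures the same search can be fooled by a short run of MAC bits that happens to rise, so record more presses rather than loosening max_step.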