HackRF One

HackRF One — MAX2839 + LPC4320 development board

The HackRF One from Great Scott Gadgets is the canonical open-source half-duplex SDR covering 1 MHz to 6 GHz with up to 20 MSPS bandwidth. TX output varies by frequency — roughly +15 dBm (~30 mW) below 1 GHz, dropping to about -5 dBm (~0.3 mW) near the 6 GHz top end. Hardware, gateware, and firmware are all open source under permissive licenses.

★★★★★ 4.5/5.0

The go-to SDR for protocol reverse engineering and any project that needs TX — overkill if you only want to receive.

Best for: Protocol reverse engineering, GSM/LTE air-interface analysis, wireless CTF challenges, RF replay attacks for car key fobs and garage doors
Not for: Weak-signal HF DXing, full-duplex applications, high-power transmit applications

Pros

  • Transmits AND receives 1 MHz to 6 GHz — covers HF, VHF, UHF, ISM (433/868/915 MHz), and Wi-Fi 2.4/5 GHz bands
  • 20 MSPS sample rate enables 20 MHz-wide spectrum captures for GSM, LTE, and wide protocol analysis
  • Fully open-source hardware, gateware, firmware, and software — modifiable and free of vendor lock-in
  • Software-switchable bias tee (3.3V) powers LNAs and active antennas without external supplies
  • Multi-radio sync via CLKIN/CLKOUT enables MIMO or DF arrays with multiple HackRFs

Cons

  • 8-bit ADC limits dynamic range — strong signals desensitize the receiver vs. 16-bit Airspy or USRP
  • Half-duplex only — cannot RX and TX simultaneously like the PlutoSDR or LimeSDR
  • TX power tapers from ~+15 dBm at HF/VHF to under 0 dBm above 4 GHz — practical range above 1 GHz requires an external amplifier
  • USB-A plug + 100g weight strains laptop USB ports — use a powered hub for sustained TX

Why open-source hardware matters here

Most commercial SDRs are closed black boxes — you get a driver, an SDK, and a 'do not modify' sticker. The HackRF is the opposite. Schematics, PCB layout, FPGA gateware, MCU firmware, and host software are all open and published on GitHub under MIT and GPL licenses. The PCB exposes a 0.1-inch expansion header that breaks out the FPGA pins, baseband IQ lines, and clock signals — every published HackRF mod (PortaPack adapter, external clock disciplining, custom RF front ends) plugs into this header.

For wireless security research, this matters because exploits get published as GNU Radio Companion (.grc) flowgraphs that reference the HackRF source/sink blocks specifically. The HackRF + GNU Radio is the de facto reference platform — papers, conference talks, and CTF challenges all assume it. A USRP or LimeSDR may be technically superior in some axes, but reproducing published research is faster on HackRF because the flowgraphs are already wired up for it.

Half-duplex TX/RX and the bandwidth tradeoff

The HackRF is half-duplex: the MAX2839 transceiver IC has a single shared RX/TX signal path that switches modes in software. You can RX, switch to TX, switch back to RX — but never both at the same instant. For passive sniffing or active probing this is fine. For applications that need simultaneous TX and RX (cellular basestation impersonation, full-duplex mesh nodes), you need a PlutoSDR (full duplex, 56 MSPS) or a USRP B210 (full duplex, 56 MSPS).

The 20 MSPS sample rate is the headline spec. In practice, 8-10 MSPS is the largest sustained capture that USB 2.0 + a typical laptop can handle without sample drops. For a wider capture (GSM with multiple ARFCNs, LTE sub-bands) you need to drop the bit depth from 8 to 4 in software or buy a USB 3.0 SDR. The HackRF is bandwidth-limited by USB 2.0; the LimeSDR Mini moves to USB 3.0 and sustains the full 30+ MSPS. Practically, every published paper that uses HackRF works within these limits — the constraint matters more if you're inventing something new.

Software stack and getting going

Install hackrf-tools (apt-get on Debian/Ubuntu, brew on macOS, official installer on Windows). The hackrf_info command verifies that the board enumerates and reports its firmware version. Then install GNU Radio (3.10 or 4.x), open GNU Radio Companion, drop in an osmocom Source block, set the frequency, and you're capturing IQ samples. For ready-made applications: gqrx for browsing, SDR++ for waterfall and demod, Universal Radio Hacker (URH) for protocol reversing without GNU Radio knowledge.
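A capture health check, as an added example that is not code from the original page or from Great Scott Gadgets: it reports how far a recording fell short of the requested length, how many samples hit the 8-bit ADC rails, and the mean level in dBFS. It assumes the file holds interleaved signed 8-bit I/Q bytes as written by hackrf_transfer -r, and that the capture was time-bounded so a sample shortfall indicates drops; the function names and the synthetic tone are constructed for illustration.

```python
import array
import math

FULL_SCALE = 127  # peak magnitude of a signed 8-bit sample

def parse_iq(raw: bytes):
    """Split interleaved signed 8-bit I,Q bytes into (I, Q) arrays."""
    usable = len(raw) - (len(raw) % 2)  # ignore a trailing I with no Q
    vals = array.array("b")
    vals.frombytes(raw[:usable])
    return vals[0::2], vals[1::2]

def capture_report(raw: bytes, sample_rate_hz: float, requested_seconds: float):
    """Summarise capture health: shortfall, clipping and signal level."""
    i, q = parse_iq(raw)
    n = len(i)
    if n == 0:
        raise ValueError("capture contains no complete I/Q pair")
    rails = (-128, 127)  # ADC codes that indicate saturation
    clipped = sum(1 for a, b in zip(i, q) if a in rails or b in rails)
    mean_power = sum(a * a + b * b for a, b in zip(i, q)) / n
    dbfs = 10 * math.log10(mean_power / FULL_SCALE**2) if mean_power else -math.inf
    expected = round(sample_rate_hz * requested_seconds)
    return {
        "samples": n,
        "host_bytes_per_s": 2 * sample_rate_hz,  # 1 byte I + 1 byte Q
        "missing_fraction": max(0.0, 1 - n / expected),
        "clipped_fraction": clipped / n,
        "power_dbfs": dbfs,
    }

def constructed_tone(n: int, amplitude: float, period: int = 8) -> bytes:
    """Constructed test input: complex tone quantised like an 8-bit ADC."""
    out = array.array("b")
    for k in range(n):
        phase = 2 * math.pi * k / period
        for v in (amplitude * math.cos(phase), amplitude * math.sin(phase)):
            out.append(max(-128, min(127, round(v))))
    return out.tobytes()

if __name__ == "__main__":
    rate = 8_000_000                    # sustained rate the page recommends
    good = constructed_tone(8000, 60)   # comfortable input level
    hot = constructed_tone(8000, 300)   # overdriven front end, samples clip
    short = good[: 6000 * 2]            # simulated dropped samples
    for name, raw in (("good", good), ("hot", hot), ("short", short)):
        print(name, capture_report(raw, rate, 0.001))
```

A clipped fraction well above zero means the gain is too high for the 8-bit converter; a non-zero missing fraction means the host did not keep up with the chosen sample rate.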

The PortaPack H2/H4 is the most popular hardware add-on — it stacks onto the HackRF's expansion header and turns it into a standalone handheld unit with display, buttons, and SD card storage. Loaded with Mayhem firmware, the PortaPack runs analyzers, jammers, replay attacks, and BLE / WiFi reconnaissance without a host computer. It is also the way most CTF teams carry HackRF gear into a competition — small, battery-powered, deniable.

Full Specifications

Connectivity

| Specification | Value |
| --- | --- |
| RX frequency range | 1 MHz – 6 GHz [1] |
| TX frequency range | 1 MHz – 6 GHz [1] |
| Max sample rate | 20 MSPS (8 MSPS recommended) [1] |
| TX capability | Half-duplex TX (output varies by frequency: ~+15 dBm below 1 GHz, ~-5 dBm at 6 GHz) [1] |
| ADC bits | 8-bit [1] |
| Reference clock | 25 MHz internal (external in/out supported) [1] |
| Open source | Hardware + firmware fully open-source [1] |

I/O & Interfaces

| Specification | Value |
| --- | --- |
| Antenna connector | SMA female (RX/TX shared) [1] |
| USB | USB-A (Hi-Speed USB 2.0) [1] |
| Bias tee | Yes (3.3V via TX, switchable) [1] |
| Clock I/O | CLKIN + CLKOUT for multi-radio sync [1] |
| Expansion | 0.1" header for daughterboards [1] |

Physical

| Specification | Value |
| --- | --- |
| Dimensions | 120 x 75 x 20 mm [1] |
| Weight | 100 g [1] |
| Form factor | PCB with optional plastic case [1] |

Who Should Buy This

Buy: Protocol reverse engineering and TX-capable experimentation

The canonical choice. Replay attacks on legacy garage door openers, ISM-band sensors, RFID at 13.56 MHz (via downconversion), and 433 MHz IoT devices all work out of the box with GNU Radio Companion flowgraphs. The open-source nature means every published wireless-security paper at DEF CON / CCC includes HackRF-compatible flowgraphs.

Skip: First-time SDR buyer who only wants to receive

Overkill at 10x the price of the basic RTL-SDR Blog V4. RTL-SDR covers 500 kHz to 1.766 GHz RX (including HF via the built-in upconverter), runs in every SDR application, and is the dongle every internet tutorial assumes. Buy the HackRF later if and when TX or 6 GHz coverage becomes a real need.

Better alternative: RTL-SDR Blog V4

Consider: Serious GSM, LTE, or LoRa analysis

HackRF's 20 MSPS is enough for a full GSM ARFCN or single LoRa channel. For multi-channel LTE or simultaneous TX/RX (impersonating a basestation), step up to a USRP B210 or LimeSDR — those are full-duplex with 56 MSPS and 16-bit ADCs. HackRF is the right starting point but you may outgrow it.

Frequently Asked Questions

HackRF One vs PlutoSDR vs LimeSDR — which should I pick?

HackRF: 1 MHz to 6 GHz, half-duplex, 20 MSPS, 8-bit, open-source, $337. PlutoSDR: 70 MHz to 6 GHz, full-duplex, 56 MSPS, 12-bit, $250. LimeSDR Mini: 10 MHz to 3.5 GHz, full-duplex, 30 MSPS, 12-bit, $200. Pick HackRF if you need below 70 MHz (HF/MW) or want the open-source reference platform. Pick PlutoSDR for full-duplex with the best price-per-capability.

How much can the HackRF One transmit?

TX output is frequency-dependent — roughly +15 dBm (~30 mW) below 1 GHz, falling to around 0 dBm (~1 mW) at 2.4 GHz and as low as -5 dBm (~0.3 mW) near 6 GHz. Adequate for short-range (<10m) experimentation indoors below 1 GHz. For practical range above 1 GHz you need an external amplifier via the SMA connector. Transmitting on licensed frequencies without a license is illegal in most jurisdictions — confine TX to ISM bands (433, 868, 915 MHz) and shielded enclosures.

Is it legal to own and use a HackRF?

Owning a HackRF is legal everywhere it ships. Receiving on most frequencies is legal in most countries. Transmitting is regulated — only ISM bands (433, 868, 915 MHz, 2.4 GHz, 5 GHz) allow unlicensed TX at low power, and even there with restrictions. Transmitting on ham bands requires a license; transmitting on cellular bands is illegal and traceable. Confine TX experimentation to ISM bands and shielded conditions.

Does the HackRF work with SDR# / SDR++?

Yes. SDR# has an osmocom plugin; SDR++ has native HackRF support. Both work on Windows. On Linux and macOS, GQRX is the most popular GUI, and CubicSDR works as well. For protocol reversing, Universal Radio Hacker (URH) is the easiest GUI; for serious flowgraph work, GNU Radio Companion.

Do I need the PortaPack accessory?

Not to start. The PortaPack is a stack-on display + battery + SD card that turns HackRF into a standalone handheld with Mayhem firmware. Useful for CTF, field operations, and standalone replay attacks. For desktop GNU Radio work it adds nothing — buy it later if you find yourself wanting to take the HackRF out of the lab.

What's the difference between HackRF One Rev2024 and earlier revisions?

Rev2024 (current) uses a redesigned RF front end that improves sensitivity above 3 GHz and reduces in-band spurs. Earlier Rev1.0-1.7.x boards are functionally identical for most users — the same MAX2839 + LPC4320 chips, same software, same expansion header. Rev2024 ships from Great Scott Gadgets and authorized resellers; Amazon stock is usually older revs and works fine.