SpectralDNA

8 Protocols. One Fingerprint.

Each protocol module captures raw IQ samples and extracts both identity markers and hardware-intrinsic RF signatures.

WI-FI 802.11

2.412 – 5.785 GHz · 20 Msps

OFDM preamble detection, CFO estimation from Short Training Field autocorrelation, transmitter clustering by crystal offset.

MAC SSID OUI CFO RSSI

BLE ADVERTISING

2.402 / 2.426 / 2.480 GHz · 4 Msps

GFSK demodulation, access address correlation, PDU parsing with data dewhitening, Apple Continuity decoding.

MAC Name Mfr ID Clock Drift Interval

LTE (4G)

617 MHz – 2.69 GHz · B2/4/12/41/71

PSS correlation via Zadoff-Chu sequences, cell search across 5 bands, IQ imbalance and PA IMD3 measurement.

PCI EARFCN Carrier IQ Imbalance IMD3

5G NR

3.3 – 4.2 GHz · n77/n78 C-Band

NR PSS m-sequence detection, SSB timing drift measurement, per-beam RSRP across multiple gNodeB beams.

Cell ID Carrier Beams SSB Drift RSRP

TPMS

315 MHz · OOK / Manchester

Envelope detection with adaptive thresholding, Manchester decoding, Schrader/Continental/Sensata frame parsing.

Sensor ID Pressure Temp Bit Rate

RKE

315 MHz · ASK

ASK burst detection, PA ramp profile analysis (rise/fall/overshoot), KeeLoq-style rolling code extraction.

Fixed Code Rolling Code Rise Time PA Profile

ANT / ANT+

2.457 / 2.466 GHz · 1 Mbps GFSK

Sync byte (0xA4) correlation, checksum validation, ANT+ device profile parsing (HR, power, speed).

Device # Type Clock Drift Interval

GPS / GNSS

1.57542 / 1.17645 GHz · L1/L5

Passive band power measurement, satellite PRN detection via C/A code correlation, interference characterization.

Satellite PRNs Band Power Interference

Beyond Capture

Enrichment, persistence, and presence detection built on top of the raw fingerprinting engine.

Offline Data Enrichment

170+ OUI manufacturer lookups, 47 BLE company IDs, 31 GATT service UUIDs, LTE carrier identification from EARFCN, 5G NR carrier mapping, ANT+ device type resolution. MAC randomization detection flags privacy-rotated addresses. All offline, no network calls.

Environment Snapshots

Save a baseline scan as JSON. Compare future scans against it to see which devices are still PRESENT, which are ABSENT, and which are NEW. Each match includes an RF similarity score computed from CFO, clock drift, and RSSI deltas.

Subject Profiles

Associate scans with people. Enroll a subject, repeat scans to strengthen their profile (devices seen in >50% of scans become "stable"), then check if their personal devices are present in any future scan. Stored locally at ~/.spectral_dna/subjects/.

RF Environment Summary

2.4 GHz congestion scoring (Wi-Fi + BLE + ANT device density), MAC randomization ratio across all detected devices, active LTE/5G carrier diversity, and per-protocol device counts.

Physical-Layer Fingerprints

CFO from oscillator crystal offset, IQ imbalance from mixer/DAC manufacturing variance, clock drift from BLE/ANT timer crystals, PA rise/fall profile from analog circuitry. These signatures are hardware-intrinsic and cannot be spoofed without replacing components.

Multi-Format Output

Rich dark-themed terminal display, machine-readable JSON export, styled self-contained HTML reports, and a SHA-256 composite hash over all collected values that changes if any transmitter in the environment changes.

How It Works

From antenna to composite hash in four stages.

IQ Capture

HackRF One Pro captures raw 8-bit IQ samples via hackrf_transfer across each protocol's frequency bands.

Demodulation

Protocol-specific DSP: OFDM FFT for Wi-Fi, GFSK FM discriminator for BLE/ANT, Zadoff-Chu correlation for LTE/5G, OOK/ASK envelope detection for TPMS/RKE.

Extraction

Protocol-layer identifiers (MACs, cell IDs, sensor IDs) and physical-layer signatures (CFO, clock drift, IQ imbalance, PA characteristics) are extracted from each transmitter.

Fingerprint

All values are aggregated, enriched with offline lookups, and hashed (SHA-256) to produce the composite SpectralDNA identifier.

CLI

Single command. All protocols. Full fingerprint.

spectral_dna

# Full scan with JSON + HTML export
$ python -m spectral_dna -t "Office Baseline" -o scan.json --html scan.html

# Save environment snapshot
$ python -m spectral_dna -t "Office" --snapshot baseline.json

# Compare against baseline (PRESENT / ABSENT / NEW)
$ python -m spectral_dna -t "Office Later" --compare baseline.json

# Enroll a subject's device profile
$ python -m spectral_dna -t "Alice" --enroll Alice

# Check if subject is present
$ python -m spectral_dna --check Alice

# Scan only Wi-Fi + BLE, fast durations
$ python -m spectral_dna -p wifi -p ble --wifi-duration 1 --ble-duration 2

Architecture

Modular design. Each protocol is an independent module with a shared capture engine.

Module	Purpose
capture.py	HackRF capture engine — dual backend (hackrf_transfer CLI + SoapySDR fallback), IQ to complex64 conversion, CFO/IQ utilities
wifi_print.py	802.11 OFDM preamble detection, CFO clustering, scapy passive capture for protocol fields
ble_print.py	GFSK demodulation, BLE access address correlation, PDU parsing, advertising interval analysis
lte_print.py	PSS/SSS Zadoff-Chu correlation, cell search across 5 bands, IQ imbalance + PA IMD3
fiveg_print.py	NR PSS m-sequence detection, SSB timing drift, per-beam RSRP measurement
tpms_print.py	OOK envelope detection, Manchester decoding, multi-vendor TPMS frame parsing
rke_print.py	ASK burst detection, PA ramp profile analysis, KeeLoq-style code extraction
ant_print.py	ANT sync byte correlation, checksum validation, ANT+ profile parsing
gnss_print.py	Passive L1/L5 band power measurement, C/A code PRN detection
lookups.py	Offline lookup tables — OUI, BLE company IDs, GATT services, LTE/5G carriers, ANT types
environment.py	Snapshot save/load, device extraction, scan comparison, RF environment summary
subjects.py	Subject profiles — enroll, update, presence check, stored at ~/.spectral_dna/
renderer.py	Rich terminal output, JSON export, styled HTML reports, comparison rendering