ikurniawan/RfCat
Project ID: 17110
Description
Welcome to the rfcat project
The swiss army knife of subGHz. RfCat allows you to control the wireless transceiver from an interactive Python shell or from your own program running on your computer.
GOALS
The goals of the project are to reduce the time for security researchers to create needed tools for analyzing unknown targets, to aid in reverse-engineering of hardware, and to satiate my rf lust.
Using rfcat
If you have configured your system to allow non-root use:
- type "rfcat -r" (if your system is not configured to allow non-root use, prepend "sudo" or you must run as root). You should now have entered an interactive Python shell, where tab-completion and other aids should make for a very powerful experience. I love the raw-byte handling and introspection of it all.
- try things like:
- d.ping()
- d.discover()
- d.debug()
- d.RFxmit('blahblahblah')
- d.RFrecv()
- print(d.reprRadioConfig())
- d.setMdmDRate(19200) # this sets the modem baud rate (or DataRate)
- d.setPktPQT(0) # this sets the preamble quality threshold to 0
- d.setEnableMdmFEC(True) # enables the convolutional Forward Error Correction built into the radio
While the toolset was created to make communicating with <GHz radios much easier, you will find the CC1111 manual from TI of great value. The better you understand the radio, the better your experience will be. Play with the radio settings, but I recommend changing things in small amounts and watching for the effects. Several things in the radio configuration settings are mandatory to get right in order to receive or transmit anything (one of those odd requirements is the TEST2/1/0 registers!).
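As an added illustration of the register arithmetic that d.setMdmDRate() hides from you (example code written for this page, not rfcat's own implementation): the CC1111 manual's data-rate formula solved for the DRATE_E/DRATE_M fields, and inverted to show the rate the radio actually ends up running at. It assumes a 24 MHz radio reference clock (F_XOSC_HZ); adjust it if your hardware differs.

```python
# Assumed radio reference clock of the rfcat dongle (an assumption for this example).
F_XOSC_HZ = 24_000_000


def drate_registers(drate_hz, f_xosc_hz=F_XOSC_HZ):
    """Return (DRATE_E, DRATE_M) that best approximates drate_hz.

    CC1111 manual:  R_DATA = (256 + DRATE_M) * 2**DRATE_E / 2**28 * f_xosc
    DRATE_E is the 4-bit field in MDMCFG4, DRATE_M the 8-bit field in MDMCFG3.
    """
    # Use the smallest exponent for which the mantissa still fits in 8 bits;
    # a smaller exponent keeps more mantissa bits, i.e. a finer rate step.
    for e in range(16):
        m = round(drate_hz * 2**28 / (f_xosc_hz * 2**e)) - 256
        if 0 <= m < 256:
            return e, m
    raise ValueError(f"{drate_hz} baud is outside the radio's programmable range")


def drate_from_registers(drate_e, drate_m, f_xosc_hz=F_XOSC_HZ):
    """Inverse of drate_registers(): the exact rate the radio will actually use."""
    return (256 + drate_m) * 2**drate_e / 2**28 * f_xosc_hz


def mdmcfg_bytes(drate_e, drate_m, chanbw_e=0, chanbw_m=0):
    """Pack the fields into the MDMCFG4 and MDMCFG3 register bytes.

    MDMCFG4: CHANBW_E[7:6] CHANBW_M[5:4] DRATE_E[3:0]; MDMCFG3: DRATE_M[7:0].
    """
    mdmcfg4 = ((chanbw_e & 0x3) << 6) | ((chanbw_m & 0x3) << 4) | (drate_e & 0xF)
    mdmcfg3 = drate_m & 0xFF
    return mdmcfg4, mdmcfg3


if __name__ == "__main__":
    # Constructed example: the 19200 baud setting from the README.
    e, m = drate_registers(19200)
    actual = drate_from_registers(e, m)
    cfg4, cfg3 = mdmcfg_bytes(e, m)
    print(f"19200 baud -> DRATE_E={e} DRATE_M={m} "
          f"(MDMCFG4=0x{cfg4:02X} MDMCFG3=0x{cfg3:02X}), actual {actual:.1f} baud")
```

The residual error (19200 requested vs. roughly 19180 delivered) is why two radios that were configured "to the same rate" by different tools can still disagree by a few tens of baud.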
If you watched any of my talks on rfcat, you will likely remember that you need to put the radio in IDLE state before configuring. (I said it three times, in a row, in different inflections).
However, you will find that I've done that for you in the client for most things. The only times you need to do this yourself are:
* If you are doing the changes in firmware
* If you are using the "d.poke()" functionality
  * if you use "d.setRFRegister()", this is handled for you
  * use d.setRFRegister()
External Projects
ZWave Attack: https://github.com/initbrain/Z-Attack
Epilogue
Other than that, hack fun, and feel free to share any details you can about successes, and questions about failures, as you are able!
@ and the rest of the development team.
Installation Instructions
- dnf copr enable ikurniawan/RfCat
- dnf install rfcat rfcat-udev
Active Releases
The following unofficial repositories are provided as-is by the owner of this project. Contact the owner directly for bugs or issues (i.e. not Bugzilla).
Release | Architectures | Repo Download
---|---|---
Fedora 39 | x86_64 (8)* | Fedora 39 (22 downloads)
Fedora 40 | x86_64 (15)* | Fedora 40 (16 downloads)
* Total number of downloaded packages.