Frequently Asked Questions
PandwaRF Rogue Pro can do that, assuming you have captured a RF frame previously, and submitted it to Kaiju for analysis (PandwaRF <-> Kaiju communication is handled by the app).
If analysis is succesful, Kaiju will generate new rolling codes that will open the gate.
Warning: You should only do this on your own gate opener in case you have lost the transmitter for example.
Yes PandwaRF Rogue Pro can do brute force. But brute force is not magic. You need to know the parameters to use for brute forcing: frequency, modulation, data rate, symbol length, interframe duration, repetition, etc…
The goal of the PandwaRF family of product is to make RF as much fun and simple as possible. But some RF knowledge can indeed help understand the mechanics inside: modulation, bit rate, sampling rate, deviation, etc…
If you have no idea what the previous terms mean, don’t worry, PandwaRF comes with a lot of predefined settings.
If you want to practice RF sniffing and transmission without too much technical knowledge, PandwaRF Rogue Pro is probably what you are looking for. It comes with an Android app that tries to make everything as simple as possible.
- On Android version 6, Bluetooth Low Energy (BLE) scanning will only work if Location services are enabled. This is a requirement from Google. If you don’t grant location permission to the app, the scan may not find any BLE device.
- Starting Android 13, the location/GPS doesn’t need to be enabled to use the BLE.
See Android Permissions for more details.
When you purchase a PandwaRF (Rogue Pro, Marauder Standard, …) with a Kaiju license, the PandwaRF is automatically registered into Kaiju. When you first request a Kaiju analysis from your PandwaRF, you will be requested to create or link a Kaiju account. The PandwaRF, the Kaiju license and your email will then be linked together.
Once this first association is done, you can use Kaiju without using your PandwaRF.
See Kaiju Account Creation for more details.
You need a Kaiju account and a valid Kaiju License. You will then have the option to generate a Flipper Zero .sub file for each of your generated rolling codes.
Flipper Zero Sub file generation is the ability to generate binary files (.sub files) from within the Kaiju server.
Sub files are generally used for rolling codes transmissions and can be loaded onto your Flipper Zero.
Kaiju is a rolling code management server made by ComThings.
Flipper Zero is general purpose hacking device made by Flipper Devices Inc.
There is no link between the 2 companies.
The De Bruijn sequence is an algorithm used to efficiently produce every possible code in as few bits as possible.
It is very effective against old gate openers receivers that contain shift registers.
More information here.
De Bruijn Brute Force is possibel with the PandwaRF Rogue Pro.
Kaiju is a Rolling code analyzer & generator.
It is the server that handle rolling codes decryption and generation.
Yes, but only for some fixed codes models like Came and Nice gate openers for the moment.
Is PandwaRF Rogue capable of brute force? If yes, do I need anything to start or it uses in-app database?
I mainly want a tool to capture key fobs, generate rolling codes and replay them, is that possible? If yes, what model of PandwaRF?
You can do all that with a PandwaRF Rogue Pro.
Rolling codes decryption and generation require a Kaiju License.
Once started, PandwaRF Marauder captures all RF data from the specified frequency/modulation and store it internally for future analysis.
PandwaRF Rogue Pro is more for “interactive” data manipulation: capture/replay/rolling code generation…
We try to make it as simple as possible, but some RF knowledge is required: modulation, bit rate, sampling rate, binary vs hexadecimal, bandwidth…
PandwaRF Rogue Pro is the best version to start practicing and learning.
After purchasing a Kaiju License or Token Pack, you will receive a license key by email (email used when purchasing).
This license key needs to be added to your Kaiju profile (https://rolling.pandwarf.com/profile-user) by using the buttons “Add license” or “Add tokens”.
No. New rolling code from Kaiju can only be replayed using a Rogue (Pro/Gov).
Yes! In fact Rogue & Marauder work better together.
Marauder Standard/Ultimate can export captured data to Rogue, and Rogue can also send the data to Kaiju for analysis.
Marauder can only replay the data it has previously captured.
PandwaRF can be powered by several sources:
- internal battery
- USB port with an external power bank
- USB port, powered from smartphone using an USB OTG male-male cable (provided)
Yes, there is a ON/OFF power switch inside the case.
It depends on the usage.
- PandwaRF can last several weeks in idle mode.
- In TX or RX mode, the battery will last for approx. 10 hours.
As explained here, PandwaRF is not a SDR.
- A SDR sends I/Q samples directly (over USB) to the host. This allows the I/Q demodulation to be made by the SW running on the host.
- PandwaRF doesn’t send the I/Q samples to the host over USB. These I/Q samples are directly demodulated by the chipset and the demodulated data is then sent to the host.
The battery lasts about 10 hours and depending on the Marauder version, it can perform a maximum of 256 or 512 captures of 1-second duration each.
We don’t provide free samples.
Long time ago we provided one free to an Elf, but he was famous. If you are famous or an Elf, contact us. You will not get a free sample, but we will discuss about Orcs.
You can find the user guide here or have a look at our wiki.
If you are a company in Europe and have a VAT number, please contact us to provide your billing information (including VAT number) and the VAT will not be charged.
Orders from unauthorized resellers are poor quality clones and do not benefit from technical support and bug fixes, and are not compatible with the PandwaRF Android application.
The connection from smartphone to PandwaRF uses Bluetooth 4.0 (LE), and theoretical range is up to 100m, but depends on radio conditions.
The range from remote control to PandwaRF is approx. 30m, but also depends on radio conditions.
No, our office is not open to the public. You can only buy online.
Yes, use a coin or similar tool as shown here.
PandwaRF Rogue Pro has many auto-detection features:
- Auto frequency detection
- auto data rate measurement
- data rate computation from over-sampled data
- model searcher…
Well, we would love to say yes, but the truth is that you need to understand the basis, like modulation, data rate, sampling rate, deviation, RSSI, etc…
Hopefully, we have made the app as easy as possible.
The PandwaRF family is composed of several product versions:
- PandwaRF Bare: the cheapest version, no battery, no case. To experiment without big investment. €.
- PandwaRF: Fits in your pocket, battery, nice black case. For basic RF tasks. €€.
- PandwaRF Rogue Pro: Better at pentesting and brute forcing. Faster and more powerful. €€€.
- PandwaRF Rogue Gov: Faster. Home Alarm hacking feature. Not for the Dark Side. €€€€.
- PandwaRF Marauder: drop and forget. Capture and replay. Works without a Smartphone. €€€ to €€€€.
Before choosing a product version, you should think about what you are planning to use your PandwaRF for.
- If you are not sure or you just want to try it out, the PandwaRF is probably right for you.
- If you have a more specific purpose you should take a look at the Rogue Pro or the Marauder.
- If you are part of/working with LEA and you don’t have a vast RF knowledge, the Rogue Gov is probably the best choice.
More details here: https://pandwarf.com/news/which-pandwarf-variant-should-you-choose/
It can happen that your battery become weak, or dead. Don’t worry you can replace your battery easily with instructions.
PandwaRF is a tool. Like any tool, it can be used to do good or bad. We are not responsible for what you do with it. PandwaRF is made to assess the security of your own devices only.
Please raise a ticket for any technical issue. Contact us directly if you have a malfunctioning board.
Any technical issue can be handled through our GitHub issue tracking. You can also reach us by chat/email/forum.
PandwaRF application can only work on Android KitKat (API level 19 and higher). However, some phones have better Bluetooth than others. Please check the list of Android Tested Devices.
PandwaRF prefers working on OOK modulation, because it is the most common. However, supported modulation are ASK/OOK/MSK/2-FSK/GFSK.
PandwaRF can capture data from devices like:
- car keyfobs
- garage door opener keyfobs
- wireless plugs
- wireless chimes etc.
We only use express carriers like UPS or DHL.
If you prefer another shipping option like the postal service, please request it in the Notes for seller section when checking out and we will see what we can do 🙂
Occasionally we may request documents or more information in order to confirm your identity or address before shipping your order.
This is necessary for us to be covered in case of credit card fraud.
If you do not wish to provide the requested documents or information, you can also pay by bank transfer or purchase PandwaRF from one of our resellers (listed on our website) and soon on Amazon.
Please check the Product return information page in our wiki.
Please check the Requirements page in our wiki to see if your Android version is compatible with PandwaRF.
We did our best to make sure that PandwaRF can be used by anybody, but basic RF knowledge (being familiar with terms like data rate, modulation etc) is recommended in order to fully enjoy all the features.
Yes, FW updates are completely free.
You can only replace items in your order with other items that have the same price. Please contact us at email@example.com and we’ll update your order.
You can’t, so please contact us and we will do it for you.
For PandwaRF and Rogue Family: no, this is not possible. Each product version is independent.
For Marauder, yes you can upgrade from one version to the other. Please check the Marauder version table for more information.
No. We developed one iOS app 2 years ago, but it was a bad move as the Android App evolves constantly and we cannot maintain 2 apps at the same time. But one day we will… Also we can’t afford spending more than 1000€ on a single phone 🙂
Nordic or CC1111 are not planned to be open source. But we are working on “starter” code, like some basic BSP code to use the UART, GPIO, SPI, USB etc.
Yes, if the length is < 16bits. But it is not plug and play. You will have to configure PandwaRF with the correct settings (frequency, modulation, data rate, symbols etc).
We kindly remind you that brute forcing something that doesn’t belong to you is very very bad. Don’t do it. Seriously.
The PandwaRF uses a cloud connection to check for FW updates, provide anonymous statistic data about crashes, ANR etc. This is default Android/Google behaviour.
But you can still use your PandwaRF without being connected, it will work. However you won’t receive any FW update and will not be able to use the “Post data to API” feature (cf. github.com/ComThings/PandwaRF/wiki/Android-RX-Data-Post-Rest-API).
And we will not be able to spy on you and make money by selling your personal data to evil third parties. No, we are kidding.
No, it cannot be used with GNU radio, as PandwaRF is not a SDR and doesn’t send/receive IQ samples.
Bluetooth Smart (aka Bluetooth Low Energy – BLE) is not the same as Bluetooth.
Unfortunately PandwaRF cannot use normal Bluetooth.
We have added this message “The device does not have a Bluetooth feature” to indicate the lack of Bluetooth Smart HW support from your phone.
In doubt, please install System Info for Android or equivalent and check in System/Functionalities if you see android.hardware.bluetooth.le.
If you don’t, your phone doesn’t support Bluetooth Smart. Keep it preciously, it is a collector.
Possible applications include:
- Receive keyfobs transmission (car, alarm, gate opener, …)
- Replay captured transmission from keyfobs
- Replay a modified captured transmission
- Transmit your own custom payload
- Capture RF data and transmit it on another frequency
- Brute force wireless devices (alarms, gate openers, ..)
- Spectrum Analyzer
- Find the frequency used by a RF device
- Reverse engineer unknown protocols
- Measure the data rate of a transmission
- Check the RF jam-resistance of your own devices
- Send captured data to a server for post-processing
- Develop your own Android application
We normally ship once a week, so your order may be shipped between 1 day and 1 week after you made the payment.
But it can sometimes take 2 or 3 weeks because, well, we may be on holidays, or are busy working on a new feature. So if you are in a hurry, we recommend you order from one of our reseller.
We’ll mark your order as:
- completed: when it is ready and shipping has been scheduled with the delivery service
- fulfilled: when the order has been shipped
You’ll also receive an email with the tracking number once it has been shipped.
If you’re interested in becoming a reseller, please contact us.
You can link with PandwaRF using an Android/iOS smartphone with a Bluetooth Smart feature.
In some cases, you will need a higher throughput than what BLE can offer, so you will have to use PandwaRF using its USB port.
You can connect PandwaRF to an Android Smartphone with an USB Host mode (the USB host mode is supported in Android 3.1 and higher) using a USB micro Male/Male cable.
You can also connect PandwaRF to a computer (Linux) and use #rfcat Python scripts or our native C stack to send/receive data.
Some pieces are definitely open source (e.g. the #rfcat fork that we have made), and others will also be open source as they are important for developers in order to use PandwaRF
Other pieces are custom parts of our CTbee product, and cannot be disclosed without altering our relationship with existing CTbee customers.
But we will release everything needed for developers in order to use PandwaRF.
PandwaRF can be paired with a smartphone & used immediately after unboxing.
- Nordic Semiconductor nRF51822 Multiprotocol Bluetooth® low energy/2.4 GHz RF System on Chip with ARM® Cortex™-M0
- Texas Instruments CC1111 Low-Power SoC (System-on-Chip) with MCU, Memory, Sub-1 GHz RF Transceiver, and USB Controller
- Micro USB type B connection with full-speed USB 2.0 interface
- SPI memory
- Fuel Gauge
- 350mAh LiPo battery
- 4 buttons
- 3 LEDs
- preflashed with bootloaders
- Firmware: we provide binary firmware for both MCUs: Nordic nRF51822 & TI CC1111
- Software libraries: we provide Gollum Java Android libraries
- Reference application: we provide Android reference test application