We have released a powerful feature for PandwaRF that will allow you to create your own RF attack scripts. 

RfCat is a handy Python module that allows RF hackers to create custom RF scripts very simply. For example, an RF replay attack can be developed in less than 10 lines of Python code.

RfCat was initially developed for use with Yard Stick One (YS1), but a script written for YS1 can now work the same way for PandwaRF.

All you need to do is replace:

d = RfCat()

with

d = PandwaRF()

and your script is now compatible with PandwaRF!

RfCat example using PandwaRF

Here is a short example that performs an RF capture:

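import time
from rflib import *  # assumption: the fork exposes PandwaRF and the constants via rflib, as upstream RfCat does

d = PandwaRF()
FREQ = 433920000      # 433.92 MHz, in Hz
DATARATE = 2500       # data rate passed to rxSetup
d.setModeIDLE()       # start from idle before configuring the radio
d.rxSetup(FREQ, MOD_ASK_OOK, DATARATE)          # receive ASK/OOK at FREQ
d.setAmpMode(RF_RX_POWER_AMPLIFIER_ACTION_ON)   # turn on the RX amplifier
d.setModeRX()         # start listening
print("Please send some data...")
time.sleep(5)         # leave 5 seconds for the transmission
print("Data received:")
print(d.RFrecv())
d.setModeIDLE()       # return the radio to idle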

Very simple…
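To inspect the bytes returned by a capture like the one above offline, the following added example (not part of the original post or of the RfCat fork) unpacks them into OOK pulse widths and estimates the transmitter's symbol rate. It assumes the payload is a plain byte string of MSB-first samples taken at DATARATE; the sample capture and all function names are constructed for illustration.

```python
from itertools import groupby

DATARATE = 2500  # samples per second, same value as the capture script

# Constructed sample capture (not real RF data): idle, a short OOK burst, idle.
SAMPLE_CAPTURE = b"\x00\xcf\x30\xf0\x00"


def bytes_to_bits(data):
    """Unpack each byte MSB-first into 0/1 samples (bit order is an assumption)."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def frame_runs(data):
    """Return (level, sample_count) runs with the idle (low) edges trimmed off."""
    runs = [(level, len(list(group))) for level, group in groupby(bytes_to_bits(data))]
    if runs and runs[0][0] == 0:
        runs = runs[1:]
    if runs and runs[-1][0] == 0:
        runs = runs[:-1]
    return runs


def pulse_widths_us(data, datarate=DATARATE):
    """Convert runs to (level, duration in microseconds)."""
    return [(level, count * 1_000_000 // datarate) for level, count in frame_runs(data)]


def estimate_symbol_rate(data, datarate=DATARATE):
    """Estimate the transmitter's symbol rate from the shortest pulse.

    Returns None when the capture holds no carrier at all. A real capture
    has jitter and noise, so treat the result as a starting point.
    """
    runs = frame_runs(data)
    if not runs:
        return None
    shortest = min(count for _, count in runs)
    return datarate // shortest


if __name__ == "__main__":
    for level, width in pulse_widths_us(SAMPLE_CAPTURE):
        print("high" if level else "low ", width, "us")
    print("estimated symbol rate:", estimate_symbol_rate(SAMPLE_CAPTURE))
```

A shortest pulse longer than one sample means the capture was oversampled, and the estimated rate is the value to retry the capture with.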

Additionally, the RfCat fork for PandwaRF contains several examples of scripts:

  • RX, TX
  • Brute Force
  • Data rate measurement
  • Automatic data rate measurement
  • Automatic frequency finder
  • RF Jamming (don’t do that, it is illegal)

PandwaRF+Kaiju+RfCat

But the real interest lies in the ability to send data to and receive data from Kaiju.

Don’t know Kaiju? Kaiju is an online rolling code analyzer & generator.
Its primary purpose is to attack systems that implement rolling codes (sometimes called hopping codes), such as KeeLoq. These systems are commonly found on Remote Keyless Entry (RKE) key fobs for gate & garage openers, cars, alarms, etc.

Here are some examples of how to use RfCat with Kaiju:

kaiju_analysis.py

capture RF data using PandwaRF/YS1 and send it to Kaiju for analysis

kaiju_generate_rolling_code.py

request Kaiju to create some rolling codes for a gate opener using S/N, sync counter, button, … and transmit the generated rolling codes using PandwaRF/YS1

kaiju_generate_rolling_code_2.py

request Kaiju to create some rolling codes for a gate opener using a previously captured RF transmission, and transmit the generated rolling codes using PandwaRF/YS1

 

Notes:

  1. RfCat scripts are compatible with the PandwaRF & PandwaRF Rogue family.
  2. RfCat scripts are not compatible with the PandwaRF Marauder family.
  3. Kaiju analysis requires an API token that can be obtained from your Kaiju profile page for free for any Kaiju account.
  4. Support of Kaiju Free Plans will end on 01/04/2022. More details here.

 

Here is the link to the RfCat fork for PandwaRF.

Happy hacking!