Pocket-sized, portable RF analysis tool operating the sub-1 GHz range.
It allows the capture, analysis and re-transmission of RF via an Android device or a Linux PC.
- Captured Data processing offload
- RF Packet sniffer
- Spectrum analyzer
- Fixed codes
- Brute Force Attack
- Android API & SDK
- Capture/ replay attack
- USB on Android
- De Bruijn attack (OpenSesame)
Brute Force improvements
Function mask bit skipping (time optimization)
PandwaRF Rogue Pro will optimize the brute force duration for you. You don’t have to worry about codes being sent multiple times. This allows a brute force session to be 2x to 30x faster than the public version of PandwaRF. The brute force speed increase depends on the device being attacked.
Zero Delay between attempts
While performing a brute force, regular PandwaRF cannot send a new code faster than 100ms after the last attempt was done, limiting the number of attempts per second. The PandwaRF Rogue Pro doesn’t have this limitation because of its different Brute Force engine, allowing virtually a 0ms delay between each code attempt. This contributes to make PandwaRF Rogue Pro much faster than a regular PandwaRF.
Including predefined coding patterns
PandwaRF Rogue Pro also includes several predefined coding patterns (aka Function masks) corresponding to common wireless devices available on the market. Once you have a RF capture of the target device, you just need to set up the Function Mask.
Included custom encodings are:
- Synchro + Code
- Synchro + Code + Tail
- Synchro + Code + Tail + Symbols on multiple bytes
Please note that Rogue Pro doesn’t include a device database, which is reserved for public agencies (Rogue Gov).
De Bruijn Brute Force (aka OpenSesame attack)
The De Bruijn sequence is an algorithm used to efficiently produce every possible code in as few bits as possible. It is very effective against old receivers that contain shift registers. Using the De Bruijn mathematical algorithm, PandwaRF Rogue Pro is able to brute force a 12 bits code in 1.2 s instead of a normal brute forced duration of 8mn.
For more information about the De Bruijn attack and vulnerable devices, refer to http://samy.pl/opensesame/
Logic symbols on multiple bytes
Many wireless devices on the market have complex symbol encoding, and their symbols are generally mapped onto multiple bits or even bytes. While the PandwaRF can only map one symbol to one byte, the PandwaRF Rogue Pro can map one symbol to up to 5 bytes, allowing much complex devices to be brute forced.
Codeword length up to 32 bits
While the PandwaRF (Public) can brute force a codeword length of up to 16 bits (65K different codes), the Rogue Pro supports 32-bit brute force (4 billion different codewords). Note that brute forcing a 32-bit code is extremely long and not efficient.
PandwaRF Rogue Pro also allows BF task splitting. You can resume a BF operation from where you stopped it. This allows splitting a long Brute Force session into several shorter sessions.
Synchro & tail bits support
PandwaRF Rogue Pro can automatically:
- prepend fixed synchronization bits before the codeword to be sent
- append fixed tail bits after the codeword to be sent
This allows complex codes to be sent when brute forcing, without any latency, as this feature is directly integrated inside the HW. Up to 40 bits for synchronization and tail part can be set up.
Autonomous Brute Force
Once started by the smartphone, the brute force will continue even if the phone is disconnected. The user can reconnect later, even from another phone, and see the brute force progress.
If PandwaRF Rogue Pro ran out of battery while brute forcing, it will resume as soon as powered again from a USB source.
With Rogue Pro, the user can resume a previously interrupted brute force session. The session includes the full Brute force configuration, and the current progress.
Brute Force sessions can be saved in the phone in JSON format.
Many generic encoder chipsets and protocols are natively supported and allow the user to emulate a remote control.
- Supported chipsets are: EV1527, HT12E, PT2260, PT2262, PT2270, PT2272, UM3578, …
- Supported protocols are: Somfy, Evology, Chacon, Dio, KaKu, HomeEasy, Extel, IDK, SimpliSafe, Meiantech, Atlantic, Adebaio, DX Linear, …
Bigger RX/TX memory
While regular PandwaRF cannot capture or transmit more than 512 bytes of data, the Rogue Pro has a greater amount of memory and can capture/transmit up to 2048 bytes. As the amount of collected data can grow significantly with the increase of the sampling rate, increasing the max number of captured/transmitted bytes allows better RF data analysis.
Higher sampling rate
Rogue Pro can sample up to 100kbits/s, instead of the 10kbits/s of regular PandwaRF. The captured data’s precision is consequently much better. Coupled with the post process error correction, this increases the quality of data when analyzing the type of chipset encoder used by the target device.
When sampling at high data rates, the amount of data to be transferred from PandwaRF to the smartphone can be significant. The Rogue family includes a real time frame compression, where all data sent from the Rogue is compressed before BLE transmission, reducing the risk of saturating the BLE connection. The PandwaRF Android application automatically unzips the data seamlessly for the user.
Data rate computation
Additionally to data rate measurement from a live data capture, captured data can be post-processed to find the used data rate after data has been captured.
Note: This feature is subject to RF capture condition.
Automatic frequency detection can be used when you don’t know the frequency the target device is using. The PandwaRF Rogue Pro will scan for all commonly worldwide used bands (315/433/868/915 MHz) and report the exact frequency used.
Data analysis (chipset database)
After capturing any data from the target’s remote control, Rogue Pro can automatically analyze the data and find what chipset is used to encode the data. This allows the attacker to clone and impersonate the target’s remote control faster than using the brute force. This feature relies on the Rogue Pro integrated chipset database.
Function inversion (chipset database)
The function inversion feature allows an attacker to capture a single RF message from a keyfob (using a known chipset) when the target presses the keyfob button. The attacker then applies an inversion function to transform the captured message into an another message. The attacker can then impersonate the target’s device by sending the transformed message to the receiver. This feature relies on the Rogue Pro integrated chipset database.
- The PandwaRF Rogue Pro contains the chipset database (only available in the Rogue variants).
- The PandwaRF Rogue Pro does NOT contain the home alarm database (only available in the Rogue Gov variant).