RF hacking with SDR, PandwaRF and Kaiju

ComThings, the company behind PandwaRF & Kaiju, offers training course for Law Enforcement Agencies and Police.

In this 2 to 5 days training session, you will learn the basics of RF hacking, with a particular focus on hacking gate openers & rolling codes.

The content is highly customizable per your needs and the course is interactive, so you will practice on real systems.

What you will learn

You will learn:

  • the basics of these devices, how they operate, their weaknesses, how to circumvent them
  • how to use Software Defined Radio (SDR) to capture and analyze RF transmissions
  • how to use PandwaRF Rogue, PandwaRF Marauder & Kaiju to:
  • capture, modify, retransmit RF data
  • identify the security protocol used by a device
  • perform various types of RF attacks
  • bypass rolling codes security
PandwaRF Brute Force
PandwaRF Rogue data rate measurement

Agenda

  • Introduction to RF & SDR
    • RF basics,
    • Modulation and Demodulation: ASK/OOK, 2-FSK/4-FSK
    • Antennas
    • Regulation
    • Electromagnetic Spectrum (sub-1 GHz)
  • Types of Keyfobs
    • Important information for a keyfob
    • 1-way & 2-ways RKE, PKES, …
  • RF capture & analysis
    • RF capture using SDR (RTL-SDR, HackRF, LimeSDR, …)
    • RF Waterfall and spectrum analyzers
    • RF analysis using URH
    • Observation of target device (OSINT)
    • Data analysis with various RF tools
    • Extracting information: Frequency, Modulation, Data rate, Fixed bits, Variable bits, Symbol encoding
    • Encoding vs encryption, Manchester, PWM
    • Fixed codes, rolling codes, Keeloq, …
    • Types of Rolling codes, levels of security: Keeloq, Keeloq Secure, …
    • Jam and Replay attack (RollJam)
  • Introduction to PandwaRF products
    • PandwaRF Rogue Gov
    • PandwaRF Marauder Ultimate
    • Kaiju, rolling code generator
  • Use cases, demo & practice
    • RF attack on a low cost Home Alarm
      • Sniff and replay (with/without PandwaRF)
      • Sniff, modify and replay (with/without PandwaRF)
    • RF attack on a gate opener (fixed code)
      • Sniff and replay (with/without PandwaRF)
      • Sniff, modify and replay (with/without PandwaRF)
    • Wireless brute forcing (with/without PandwaRF)
    • Rolling code: cloning a high end gate opener
    • Rolling code: Sensitive content redacted
    • Rolling code hacking: Sensitive content redacted
    • Sensitive content redacted
    • Very Sensitive content redacted
  • Next features currently under development
  • Agenda can be adapted to your particular needs.

Our training course is intended for Law Enforcement Agencies, Police, and companies providing services to LEA.

If you are a private company requiring deeper understanding of RF & rolling code security, please contact us.

  • All attendees will need to bring a laptop (Windows or Linux)
  • Basic knowledge of radio is not mandatory but is a plus
  • Students can bring their own remote controls (and/or receivers) for live hacking
  • Students can bring their own SDRs

In this training we do not cover Wi-Fi/Bluetooth, Cellular (2G/3G/4G/5G) technologies. Please contact us to add these topics to the training.

We also do not cover detailed RF theory, but only the RF basis necessary to perform a practical attack on existing systems.

All training classes can be held at our training facility in Nice, French Riviera, or at a location of your choosing.

The training is typically delivered as a 3 days training, and can be extended to 4 or 5 days in case some topics need to be given deeper consideration, or to allow students to perform more exercises. Depending on French or English level of students, it might be recommended to extend to 4 or 5 days.

Contact us to request a quotation.

About the trainer

All trainings are per given by Djamil Elaidi, founder of ComThings and creator of PandwaRF & Kaiju.

Djamil Elaidi
Djamil ElaidiFounder
22 years of SW dev in Wireless and Embedded products, RF hacker, FW reverser,
founder of ComThings and creator of PandwaRF & Kaiju.