SDR

RfCat on BigSur (Yard Stick One)

Some time ago, I wrote a tutorial about RfCat installation on Kali Linux. Many people asked me for similar tutorial on macOS (Big Sur). So I will use this time now (my first tutorial of year 2021), to show and try to explain (as best I can do). Also I will try to provide some basics for usage, as the community seems not so big and less online documentation is available like for other topics. You can reuse the knowledge for other OS, too.

Precondition

  • latest macOS Commandline Tools installed (xcode-select --install)

Install RfCat incl. everything needed

First you need to download libusb tarball, unzip the downloaded archive and compile/install it (don’t worry sounds harder as it is). If you choose other sources like macports, you may run into location issues (paths to binaries/libraries).

Note: the following examples will just provide the latest version (1.0.24), while I was writing this tutorial. Please look beforehand if there is a newer libusb version already available.

# download via curl
$ curl -L -C - "https://github.com/libusb/libusb/releases/download/v1.0.24/libusb-1.0.24.tar.bz2" -o ~/Downloads/libusb-1.0.24.tar.bz2

# unzip archive
$ tar -xf ~/Downloads/libusb-1.0.24.tar.bz2 -C ~/Downloads/

# change into extraced archive directory
$ cd Downloads/libusb-1.0.24

# verify dependencies for build and install process are available
$ ./configure

# run build
$ make

# run installation
$ sudo make install

# verify installation (optional)
$ ls -la /usr/local/lib/libusb*

# delete archive and directory (optional)
$ rm -fr ~/Downloads/libusb-1.0.24*

Install required Python packages with Python Pip. Without these the RfCat compilation, installation and usage will not correctly work!

Note: As I do have different Python version installed, I specify the excat Python version (2.7.x) in the following examples. If you have only the default MacOS Python version installed – you could use pip directly (without python2.7 -m).

# verify already installed packages (optional)
$ python2.7 -m pip freeze

# install libusb via pip
$ python2.7 -m pip install libusb

# install pyusb via pip
$ python2.7 -m pip install pyusb

# install pyreadline via pip
$ python2.7 -m pip install pyreadline

# install ipython via pip
$ python2.7 -m pip install ipython

# install PySide2 via pip
$ python2.7 -m pip install PySide2

Clone RfCat Git repository from Github (may some older online documentations still link to Bitbucket). In the following example I choose the Downloads directory – of course you can choose any preferred destination.

# clone from GitHub
$ git clone https://github.com/atlas0fd00m/rfcat.git ~/Downloads/rfcat

# change directory
$ cd Downloads/rfcat

# run the installation
$ sudo python2.7 setup.py install

# verify the installation (optional)
$ ls -la /usr/local/bin/rfcat*

# show rfcat help (optional)
$ /usr/local/bin/rfcat -h

# delete cloned directory (optional)
$ rm -fr ~/Downloads/rfcat

If everything went well so far, you should take a look at your installed Python packages.

# verify installed packages (optional)
$ python2.7 -m pip freeze | grep -i 'libusb\|pyusb\|pyreadline\|ipython\|PySide2\|rfcat'

Optional installation of ooktools

Now I recommend to install the ooktools packages via Python Pip. The ooktools will make your life much easier and you will have much faster results.

# install ooktools via pip
$ python2.7 -m pip install ooktools

# verify and show help (optional)
$ python2.7 -m ooktools.console --help

# verify and show specific help topic (optional)
$ python2.7 -m ooktools.console wave --help

I’ll go into the ooktools in a later tutorial, but not today.

Run RfCat

So far so good. Let’s start to connect the Yard Stick One (plug into USB) and run the first example. Always have in mind, the official operating frequencies (for the Yard Stick One):

  • 300 – 348 MHz
  • 391 – 464 MHz
  • 782 – 928 MHz

Note: RfCat expact the values in “Hz”, so 315 MHz are 315000000 Hz.

Hint: don’t put any other transmitter next to the Yard Stick One while you use it (eq. Mobile, Wifi router, etc.). You could destroy it or weaken/disrupt your signals.

# start rfcat (interactive Python)
$ sudo rfcat -r

If no error message appears, you’re good to go.

# start scan on specific frequency (315 MHz)
In [1]: d.specan(315000000)

You should see now the spectrum analyser.

RfCat specan on 315 MHz

Okay, stop the scanning process by closing the spectrum analyzer window. Now let’s start a simple record (also if you don’t have a signal nearby).

Note: there are many more settings and I cannot describe all here! It always depends to the problem you like/need to solve.

# enter the IDLE state (important after any action)
In [2]: d.setModeIDLE()

# specific frequency (315 MHz)
In [3]: d.setFreq(315000000)

# specific modulation (ASK/OOK/Manchester encoding)
In [4]: d.setMdmModulation(MOD_ASK_OOK)

# specific baudrate (4800 Hz)
In [5]: d.setMdmDRate(4800)

# turn on the amplifier
In [6]: d.setMaxPower()

# drops most blocks to pkts (CARRIER)
In [7]: d.lowball()

# start and dump data to screen
In [8]: d.RFlisten()

# stop listen (press Enter to stop)

# enter the IDLE state (or you need to unplug from USB)
In [9]: d.setModeIDLE()

# exit
In [10]: exit()

Your result should look like:

RfCat listen example

Hint: use the Tabulator key for command-line completion (also tab completion) and take use of the internal help of RfCat (eq. help(d.setMdmModulation))

The popular frequencies are mostly near by:

  • 315 MHz (car fobs)
  • 433 MHz (door openers, medical devices)
  • 868 MHz (door openers in EU/swiss)
  • 915 MHz (industrial equipment, medical devices)

Send via Python script

It would be not enough to show you only Command line and nothing about transmit. Therefore now a small Python script, which send out some example data. I think the following script is self explanatory.

from rflib import *

d = RfCat()
d.setFreq(315000000)
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(4800)

print("Transmission starting")
d.RFxmit("\x2e\x2e\x2d\x2e\x2e\x2d\x2e\x00\x00\x00\x00\x00\x00"*10)
print("Transmission complete")

Hint: \x escape sequence means the next two characters are interpreted as hex digits for the character code (\x is used inside strings to represent a character), 0x is used for literal numbers in Python.

Install HackRF One on macOS (Big Sur)

This time it’s about installing HackRF One binaries on the macOS Big Sur. In another later tutorial I will dive deeper into macOS, HackRF ONE and GnuRadio (gnuradio-companion), but not yet. The installation takes place via latest MacPorts.

Preparation

  • macPorts installed
  • Commandline Tools installed (SDK higher 11)
  • HackRF One connected and started (via USB cable)

CommandLineTools SDK

My first installation failed with a error (even as MacPorts where completely new installed and Command Line Tools where installed, too). I looked into log file and saw a issue with clang version.

# read log file (optional)
$ cat /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_science_hackrf/hackrf/main.log
 …
 clang: error: invalid version number in 'MACOSX_DEPLOYMENT_TARGET=11.0'
 …
 

# show clang version (optional)
$ clang --version

So looked it up on the Internet and saw that the clang version in the new SDK is higher and will solve this issue. To confirm I had a look installed SDK’s.

# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk
CommandLine Tools 12.3

To be really sure. Yes new SDK is installed.

# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk MacOSX11.1.sdk

# show xcrun configs (optional)
$ xcrun --sdk macosx11.1 --show-sdk-path
$ xcrun --sdk macosx11.1 --show-sdk-version

Installation

After the installation and verification (yes the new sdk was getting installed), I tried the macPorts installation again.

# install hackrf via mac ports
$ sudo port install hackrf

Test installation

This time all went fine and I could start testing the device.

# show USB device info (optional)
$ ioreg -p IOUSB -l -w 0 -b

# show hackrf info
$ hackrf_info

# start debug (optional)
$ hackrf_debug --si5351c -n 0 -r

# start record
$ hackrf_transfer -r myRecord.raw -f 433780000

# start transmit record
$ hackrf_transfer -t myRecord.raw -f 433780000 -x 20

Install RfCat on Kali Linux (2020.4)

I finally received my Yard Stick One (Yet Another Radio Dongle) and can get started with it. It is available from Hak5 (incl. ANT500 antenna) and various other resellers. In this tutorial I would like to show you, how to install RfCat on Kali Linux (version 2020.4) and point out the necessary steps, so that you can start pentesting immediately with this awesome device.

Install needed packages

The installation is actually very simple. Python3 is not a problem, even if many sources claim different. The following steps show the installation of the necessary packages (before RfCat can be installed and used). You may have already installed some of them on your system (depends on Kali Metapackages installed).

On my system following packages are installed already: curl, git, make, libusb-1.0-0, python3-numpy, python3-serial, python3-future and ipython3.

# update packages
$ sudo apt update -y

# install packages via apt
$ sudo apt install -y python3-pip python3-usb 

# show python3 packages (optional)
$ pip3 freeze

# install needed python3 packages
$ sudo pip3 install PySide2 pyreadline

The RfCat website explicitly indicates the version of SDCC (max. 3.5.0), so you can decide now to follow this request or take latest by apt.

# show package info
$ apt info sdcc

# install via apt
$ sudo apt install -y sdcc

# verify version (optional)
$ sdcc --version

If you will not use the Kali apt repository. You can find all needed packages for “Debian stretch” here (SDCC & SDCC-Libraries).

# download sdcc-libraries package (version 3.5.0)
$ curl -l -C- http://ftp.de.debian.org/debian/pool/main/s/sdcc/sdcc-libraries_3.5.0+dfsg-2_all.deb -o sdcc-libraries_3.5.0+dfsg-2_all.deb

# download sdcc package (version 3.5.0)
$ curl -l -C- http://ftp.de.debian.org/debian/pool/main/s/sdcc/sdcc_3.5.0+dfsg-2+b1_amd64.deb -o sdcc_3.5.0+dfsg-2+b1_amd64.deb

# install sdcc-libraries
$ sudo dpkg -i sdcc-libraries_3.5.0+dfsg-2_all.deb

# install sdcc package
$ sudo dpkg -i sdcc_3.5.0+dfsg-2+b1_amd64.deb

# show version (optional)
$ sdcc --version

Also for RfCat we don’t use the Kali apt repository but clone the GitHub repository from https://github.com/atlas0fd00m/rfcat (and install it from there).

# clone repository
$ git clone https://github.com/atlas0fd00m/rfcat.git

# change into cloned directory
$ cd rfcat/

# install rfcat
$ sudo python3 setup.py install

Note: Because of security settings (of my provider), I need to show the next command as picture.

copy Yard Stick One rules
# refresh rules
$ sudo udevadm control --reload-rules

Test the installation

That was actually super easy and also happened very quickly. A little test (show help) and then you can start using Yard Stick One.

# change back to home directory
$ cd ~

# show rfcat help (optional)
$ rfcat -h

If you do not get help or an error message, please verify that all dependencies are installed or that you did not mix up different Python versions.

You may need to install the following packages: python3-pyside2.qtcore, python3-pyside2.qtgui and python3-pyside2.qtwidgets.

Run RfCat

I do run Kali Linux as VirtualBox (6.1) VM, so it’s time to plugin and passthrough the USB device.

Yard Stick One - VirtualBox

Note: I don’t like Passwordless Sudo, but you’re welcome to customize it, to suit your needs.

# verify USB device (optional)
$ lsusb
...
Bus 002 Device 003: ID 1d50:605b OpenMoko, Inc. RfCat YARD Stick One
...

# start rfcat (interactive + d.* objects)
$ sudo rfcat -r

The following commands should help you to get familiar with the Yard Stick One device, as I want just to show the setup in this tutorial and will end here with these examples.

# show help (optional)
In [1]: help(d.setRFRegister)

# show current settings (optional)
In [2]: print(d.reprRadioConfig())

# start listen (ENTER stops)
In [3]: d.RFlisten()

# reset after scan/transmit (important)
In [4]: d.setModeIDLE()

# exit rfcat
In [5]: exit