This time I am not writing a tutorial on software. I would like to introduce you to my DIY project here. At a later point in time, however, I will focus on the newly used and partly self-developed software deeper.
Why this little project?
Over the years I have accumulated various electronic devices, cables and lots of other electrical scrap. Always storing it neatly is hell (I hate cardboard or plastic boxes). In addition, I do not live alone and should actually take all other people in the household into account. So I was looking for a better solution for my beloved girlfriend, my dog (who also likes to eat things) and of course my self. In addition, everything should be tidy, ready to hand and mobile. When I then remembered my training as an electrician (especially on my toolbox), it quickly became clear to me which solution would be suitable for me. Different Suitcases made of aluminum (light and stable), where each of them have slightly different scope.
What’s in there?
Actually there are several suitcases with different contents (depending on what I have planned). I would like to show you now, two of my personal favorites here.
In addition, all cases are filled with brackets and foam so that the connecting cables are not visible (this is not shown in the pictures) and each device has a specific place.
Do you want such suitcases, too?
If you also want one (or more) suitcases and don’t have the time or inclination to build them yourself – just contact me! We can talk about it.
Note: It is important to know that each case and its contents are freely configurable (but it should fit).
In my last tutorial, I showed you how to install RfCat and the ooktools on your macOS, as I promised to go into more detail on the ooktools later – I want to keep this promise now.
Requirements
RfCat installed
ooktools installed
jq installed (optional)
you own a Yard Stick One (or any rfcat compatible device)
you own a Garage Door opener (or similar device)
Objective
Learn and understand the ooktools sub command ‘signal’.
ooktools signal
The ooktools offers many great features (look at the command line help)! In this tutorial I will focus on signal search, signal record, signal plot and signal play.
# show sub command signal help
$ python2.7 -m ooktools.console signal --help
...
Usage: console.py signal [OPTIONS] COMMAND [ARGS]…
Signal Commands.
Options:
--help Show this message and exit.
Commands:
brute Bruteforce a binary range.
jam Jam a frequency by just sending noise.
play Play frames from a source file.
plot Plot frames from a recorded signal.
record Record frames to a file.
search Search for signals.
send Send signals using a RFCat dongle.
Search a signal
My garage door opener has information about the frequency (868.3 MHz) on the back, which makes my search a little easier! If this is not the case for you, search for the FCC identifier.
If you have a rough idea about the frequency (and other values), look in the signal search help and compare all standard values with your needs! You only have to overwrite the values which do not match (as arguments).
# show help for signal search
$ python2.7 -m ooktools.console signal search --help
# search signal in specific range
$ python2.7 -m ooktools.console signal search -S 868200000 -E 868400000
Note: Only signal search throws sometimes an Python/USB exception on my OS (after finish the search), all other commands work perfectly. If you have the same problem, reconnect the USB device (Yard Stick One)!
Record a signal
Now run the signal record. Go the same way like you did for the signal search! First look at the sub command help, overwrite the default values and run the command.
# show help for signal record
$ python2.7 -m ooktools.console signal record --help
# start a signal record
$ python2.7 -m ooktools.console signal record -F 868300000 -f 60 -D ~/Desktop/test.json
After the signal record is finished, you can have a look on the JSON file.
# view file content and pipe output to jq (optional)
$ cat ~/Desktop/test.json | jq .
Plot the recorded signal
With signal plot you can easily create and watch frames from a recorded signal (json file). The help shows you the possible fine adjustments for the plot output. I have recorded 9 Frames, maybe that differs for you!
# show help for signal plot
$ python2.7 -m ooktools.console signal plot --help
# plot a signal record (number of frames)
$ python2.7 -m ooktools.console signal plot -c 6 -S ~/Desktop/test.json
To specify the plot you can use sub command agrument --series.
# plot a signal record (series of fields)
$ python2.7 -m ooktools.console signal plot -s 1:4 -S ~/Desktop/test.json
Play a signal
It’s time to try. For that I have to walk a long way to the parking garage gate (I usually drive this route). For signal play sub command only two arguments are needed (source & repeats).
# show help for signal play
$ python2.7 -m ooktools.console signal play --help
# play a signal record
$ python2.7 -m ooktools.console signal play -r 2 -S ~/Desktop/test.json
I did not modify the record file, just run all recorded frames for 2 times. If you are wondering if this worked for me? No – the signal is sent too quickly this way. The gate doesn’t open like this. With tools like GQRX / URH & HackRF One I was able to compare the signals. So some fine-tuning is needed (baud rate/modulation/etc.). Nevertheless, you should have got a good overview of the ooktools.
Some time ago, I wrote a tutorial about RfCat installation on Kali Linux. Many people asked me for similar tutorial on macOS (Big Sur). So I will use this time now (my first tutorial of year 2021), to show and try to explain (as best I can do). Also I will try to provide some basics for usage, as the community seems not so big and less online documentation is available like for other topics. You can reuse the knowledge for other OS, too.
First you need to download libusb tarball, unzip the downloaded archive and compile/install it (don’t worry sounds harder as it is). If you choose other sources like macports, you may run into location issues (paths to binaries/libraries).
Note: the following examples will just provide the latest version (1.0.24), while I was writing this tutorial. Please look beforehand if there is a newer libusb version already available.
# download via curl
$ curl -L -C - "https://github.com/libusb/libusb/releases/download/v1.0.24/libusb-1.0.24.tar.bz2" -o ~/Downloads/libusb-1.0.24.tar.bz2
# unzip archive
$ tar -xf ~/Downloads/libusb-1.0.24.tar.bz2 -C ~/Downloads/
# change into extraced archive directory
$ cd Downloads/libusb-1.0.24
# verify dependencies for build and install process are available
$ ./configure
# run build
$ make
# run installation
$ sudo make install
# verify installation (optional)
$ ls -la /usr/local/lib/libusb*
# delete archive and directory (optional)
$ rm -fr ~/Downloads/libusb-1.0.24*
Install required Python packages with Python Pip. Without these the RfCat compilation, installation and usage will not correctly work!
Note: As I do have different Python version installed, I specify the excat Python version (2.7.x) in the following examples. If you have only the default MacOS Python version installed – you could use pip directly (without python2.7 -m).
Clone RfCat Git repository from Github (may some older online documentations still link to Bitbucket). In the following example I choose the Downloads directory – of course you can choose any preferred destination.
# clone from GitHub
$ git clone https://github.com/atlas0fd00m/rfcat.git ~/Downloads/rfcat
# change directory
$ cd Downloads/rfcat
# run the installation
$ sudo python2.7 setup.py install
# verify the installation (optional)
$ ls -la /usr/local/bin/rfcat*
# show rfcat help (optional)
$ /usr/local/bin/rfcat -h
# delete cloned directory (optional)
$ rm -fr ~/Downloads/rfcat
If everything went well so far, you should take a look at your installed Python packages.
Now I recommend to install the ooktools packages via Python Pip. The ooktools will make your life much easier and you will have much faster results.
# install ooktools via pip
$ python2.7 -m pip install ooktools
# verify and show help (optional)
$ python2.7 -m ooktools.console --help
# verify and show specific help topic (optional)
$ python2.7 -m ooktools.console wave --help
I’ll go into the ooktools in a later tutorial, but not today.
Run RfCat
So far so good. Let’s start to connect the Yard Stick One (plug into USB) and run the first example. Always have in mind, the official operating frequencies (for the Yard Stick One):
300 – 348 MHz
391 – 464 MHz
782 – 928 MHz
Note: RfCat expact the values in “Hz”, so 315 MHz are 315000000 Hz.
Hint: don’t put any other transmitter next to the Yard Stick One while you use it (eq. Mobile, Wifi router, etc.). You could destroy it or weaken/disrupt your signals.
# start scan on specific frequency (315 MHz)
In [1]: d.specan(315000000)
You should see now the spectrum analyser.
Okay, stop the scanning process by closing the spectrum analyzer window. Now let’s start a simple record (also if you don’t have a signal nearby).
Note: there are many more settings and I cannot describe all here! It always depends to the problem you like/need to solve.
# enter the IDLE state (important after any action)
In [2]: d.setModeIDLE()
# specific frequency (315 MHz)
In [3]: d.setFreq(315000000)
# specific modulation (ASK/OOK/Manchester encoding)
In [4]: d.setMdmModulation(MOD_ASK_OOK)
# specific baudrate (4800 Hz)
In [5]: d.setMdmDRate(4800)
# turn on the amplifier
In [6]: d.setMaxPower()
# drops most blocks to pkts (CARRIER)
In [7]: d.lowball()
# start and dump data to screen
In [8]: d.RFlisten()
# stop listen (press Enter to stop)
# enter the IDLE state (or you need to unplug from USB)
In [9]: d.setModeIDLE()
# exit
In [10]: exit()
Your result should look like:
Hint: use the Tabulator key for command-line completion (also tab completion) and take use of the internal help of RfCat (eq. help(d.setMdmModulation))
The popular frequencies are mostly near by:
315 MHz (car fobs)
433 MHz (door openers, medical devices)
868 MHz (door openers in EU/swiss)
915 MHz (industrial equipment, medical devices)
Send via Python script
It would be not enough to show you only Command line and nothing about transmit. Therefore now a small Python script, which send out some example data. I think the following script is self explanatory.
from rflib import *
d = RfCat()
d.setFreq(315000000)
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(4800)
print("Transmission starting")
d.RFxmit("\x2e\x2e\x2d\x2e\x2e\x2d\x2e\x00\x00\x00\x00\x00\x00"*10)
print("Transmission complete")
Hint: \x escape sequence means the next two characters are interpreted as hex digits for the character code (\x is used inside strings to represent a character), 0x is used for literal numbers in Python.
I finally received my Yard Stick One (Yet Another Radio Dongle) and can get started with it. It is available from Hak5 (incl. ANT500 antenna) and various other resellers. In this tutorial I would like to show you, how to install RfCat on Kali Linux (version 2020.4) and point out the necessary steps, so that you can start pentesting immediately with this awesome device.
Install needed packages
The installation is actually very simple. Python3 is not a problem, even if many sources claim different. The following steps show the installation of the necessary packages (before RfCat can be installed and used). You may have already installed some of them on your system (depends on Kali Metapackages installed).
On my system following packages are installed already: curl, git, make, libusb-1.0-0, python3-numpy, python3-serial, python3-future and ipython3.
Also for RfCat we don’t use the Kali apt repository but clone the GitHub repository from https://github.com/atlas0fd00m/rfcat (and install it from there).
Note: Because of security settings (of my provider), I need to show the next command as picture.
# refresh rules
$ sudo udevadm control --reload-rules
Test the installation
That was actually super easy and also happened very quickly. A little test (show help) and then you can start using Yard Stick One.
# change back to home directory
$ cd ~
# show rfcat help (optional)
$ rfcat -h
If you do not get help or an error message, please verify that all dependencies are installed or that you did not mix up different Python versions.
You may need to install the following packages: python3-pyside2.qtcore, python3-pyside2.qtgui and python3-pyside2.qtwidgets.
Run RfCat
I do run Kali Linux as VirtualBox (6.1) VM, so it’s time to plugin and passthrough the USB device.
Note: I don’t like Passwordless Sudo, but you’re welcome to customize it, to suit your needs.
# verify USB device (optional)
$ lsusb
...
Bus 002 Device 003: ID 1d50:605b OpenMoko, Inc. RfCat YARD Stick One
...
# start rfcat (interactive + d.* objects)
$ sudo rfcat -r
The following commands should help you to get familiar with the Yard Stick One device, as I want just to show the setup in this tutorial and will end here with these examples.
# show help (optional)
In [1]: help(d.setRFRegister)
# show current settings (optional)
In [2]: print(d.reprRadioConfig())
# start listen (ENTER stops)
In [3]: d.RFlisten()
# reset after scan/transmit (important)
In [4]: d.setModeIDLE()
# exit rfcat
In [5]: exit