Android Fragment RF Brute Force

Djamil Elaidi edited this page Nov 2, 2018 · 9 revisions

PandwaRF has an integrated brute force feature. It can send many RF codes consecutively, and supports multiple types of encoding. Brute force mechanism runs entirely on the PandwaRF board, not on the smartphone, making it faster than a normal data transmission from smartphone (RX/TX page) or a JavaScript.

Note: Have a look also at the Android Brute Force Tutorial

Parameters that need to be set up before use

RF parameters

  • Frequency in Hz: the range is [300000000, 928000000] Hz
  • Data rate: you can go as high as 100000 Bits/s
  • Modulation: 2-FSK, GFSK, MSK, ASK, and OOK modulation formats are supported

Codeword Settings

  • Length: Number of Symbols. This is the key size that PandwaRF will attack. As the code length increases, the amount of time to find the correct code increases exponentially.
  • Frame Repetition: Number of Frames you want to send for each BruteForce attempt (you can adapt this parameter if you want to go faster, but sometimes the receiver needs at least 5 frames for example to recognize the signal).
  • Endianess : The byte-order you want to use, generally Big-Endian.

Function Mask & Value

The general logic is: Transmitted data = (data_to_send AND Function_Mask) OR (Function_Value). Note that these are bitwise AND/bitwise OR.

  • Function Mask : This is like a Mask IP Address. Every symbol noted FF is brute-forced, and every symbol noted 00 is fixed.
  • Function Value : This is the "contrary" of mask. Every symbol noted 00 is not fixed, and every symbol that you want to be fixed needs to be set here.

Symbols Encoding

Symbols : This is how you encode your signal which is {0x88, 0xEE, 0xE8, 0x8E} so : [0: 88] [1: EE] [2: E8] [3: 8E] The corresponding encoding base is automatically displayed based on the number of symbols (from 2 to 4 symbols). Sync Word (in hex): If you have a synchronisation word, blank in this example. Tail Word (in hex) : If you have a tail word, I put 800000 to ensure time between every codeword.

  • Symbols: this defines how a logical bit (0 or 1) shall be converted before transmission into physical bits. The code key space is always scanned based on logical data. The corresponding encoding base is automatically displayed based on the number of symbols (from 2 to 4 symbols). You can choose you own values of symbol mapping, eg. how a logical bit will be converted for transmission.
  • Synchro word (in hex): Data that needs to be sent before each code word.
  • Tail Word (in hex): Data that needs to be sent after each code word.

Delay Between attemps

This is the delay between each frame you send. Minimum value is 100ms for a regular PandwaRF, 0ms for a PandwaRF Rogue Pro. This delays are approximate.

Start & stop values

Specify the range of possible code to try. Can be used if you want to restart a previous brute force to where you stopped previously.

Example

To brute force a device based on a PT2262 encoder/decoder, select a code length of 12 bits. The logical data generated will range from 0 (0b000000000000) to 4095 (0b111111111111). Then the PT2262 encoder option will convert each logical 0b0 into a 0x88 and each logical 0b1 into 0xee. So what will really be transmitted over the air will be:

MSB--------------------------------------------------------------LSB

0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88
0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0xee
0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0xee 0x88
0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0xee 0xee
...
...
0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0x88
0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee

Note: when brute forcing, PandwaRF will send MSB first.

Not clear enough?: Have a look also at the Android Brute Force Tutorial

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.