Android Fragment RF Brute Force
PandwaRF has an integrated brute force feature. It can send many RF codes consecutively and supports multiple types of encoding. The brute force mechanism runs entirely on the PandwaRF board, not on the smartphone, which makes it faster than a regular data transmission from the smartphone (RX/TX page) or from a JavaScript script.
Note: Have a look also at the Android Brute Force Tutorial
- Frequency in Hz: the range is [300000000, 928000000] Hz
- Data rate: you can go as high as 100000 Bits/s
- Modulation: 2-FSK, GFSK, MSK, ASK, and OOK modulation formats are supported
- Length: Number of Symbols. This is the key size that PandwaRF will attack. As the code length increases, the amount of time to find the correct code increases exponentially.
- Frame Repetition: number of frames to send for each brute force attempt (you can lower this parameter to go faster, but some receivers need at least 5 frames, for example, to recognize the signal).
- Endianness: the byte order to use, generally Big-Endian.
The general logic is: Transmitted data = (data_to_send AND Function_Mask) OR Function_Value, where AND and OR are bitwise operations.
- Function Mask: works like an IP netmask. Every symbol set to FF is brute-forced, and every symbol set to 00 is fixed.
- Function Value: the complement of the mask. Every symbol set to 00 is left to the brute force; every symbol you want fixed must be set here to its fixed value.
- Symbols: this defines how a logical bit (0 or 1) is converted into physical bits before transmission. The code key space is always scanned on logical data. The corresponding encoding base is displayed automatically based on the number of symbols (from 2 to 4 symbols). You can choose your own symbol mapping, i.e. how each logical bit is converted for transmission. For example, with the four symbols {0x88, 0xEE, 0xE8, 0x8E} the mapping is [0: 88] [1: EE] [2: E8] [3: 8E].
- Synchro word (in hex): data sent before each code word, if the protocol has a synchronisation word (blank in the example above).
- Tail Word (in hex): data sent after each code word, if the protocol has a tail word; the example above uses 800000 to ensure a gap between consecutive code words.
- Delay: the delay between each frame you send. The minimum value is 100 ms for a regular PandwaRF and 0 ms for a PandwaRF Rogue Pro. These delays are approximate.
- Range: the range of codes to try. Use it to resume a previous brute force session from where it stopped.
To brute force a device based on a PT2262 encoder/decoder, select a code length of 12 bits. The logical data generated will range from 0 (0b000000000000) to 4095 (0b111111111111). The PT2262 encoder option will then convert each logical 0b0 into 0x88 and each logical 0b1 into 0xee, so what is really transmitted over the air is:
MSB--------------------------------------------------------------LSB
0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88
0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0xee
0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0xee 0x88
0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0x88 0xee 0xee
...
...
0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0x88
0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee 0xee
Note: when brute forcing, PandwaRF will send MSB first.
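The following is an added example, not PandwaRF's own code, that reproduces the logic described on this page: the mask/value step, the symbol mapping, MSB-first ordering, and the optional sync and tail words. It also computes the size of the scanned key space and an upper bound on the time to exhaust it from the page's own parameters (5 frames per attempt, 100 ms delay, tail word 800000), which is the number a defender wants when judging how long a 12-bit fixed-code receiver holds up. All function names are mine, and the mask is interpreted bit by bit as the page's bitwise AND/OR implies.

```python
# Added example (not PandwaRF code): logical code -> bytes on the air,
# following "Transmitted data = (data AND Function_Mask) OR Function_Value".

PT2262_SYMBOLS = {0: 0x88, 1: 0xEE}  # PT2262 encoder option from the page


def apply_mask(code, length, function_mask, function_value):
    """Bitwise mask/value step, truncated to the code length."""
    full = (1 << length) - 1
    return ((code & function_mask) | function_value) & full


def encode_frame(code, length, symbols=PT2262_SYMBOLS, sync_word=b"",
                 tail_word=b"", function_mask=None, function_value=0):
    """Return the bytes sent over the air for one logical code."""
    if function_mask is None:
        function_mask = (1 << length) - 1  # scan every bit
    data = apply_mask(code, length, function_mask, function_value)
    # PandwaRF sends MSB first, one symbol byte per logical bit
    body = bytes(symbols[(data >> (length - 1 - i)) & 1] for i in range(length))
    return sync_word + body + tail_word


def key_space(length, function_mask):
    """Number of distinct codes scanned: one bit per FF position in the mask."""
    return 1 << bin(function_mask & ((1 << length) - 1)).count("1")


def worst_case_seconds(length, function_mask, frame_repetition, delay_ms,
                       data_rate_bps, sync_len=0, tail_len=0):
    """Upper bound on time to try every code.

    Each attempt sends frame_repetition frames; each frame is
    sync + one byte per symbol + tail, followed by the inter-frame delay.
    """
    frame_bits = 8 * (sync_len + length + tail_len)
    per_frame = frame_bits / data_rate_bps + delay_ms / 1000.0
    return key_space(length, function_mask) * frame_repetition * per_frame


if __name__ == "__main__":
    for code in (0, 1, 2, 3, 4094, 4095):          # rows of the table above
        print(f"{code:4d}: {encode_frame(code, 12).hex(' ')}")
    # Fix the top nibble to 5 via mask/value, scan the low 8 bits (constructed)
    frame = encode_frame(0x00A, 12, tail_word=bytes.fromhex("800000"),
                         function_mask=0x0FF, function_value=0x500)
    print("masked frame:", frame.hex(" "))
    print("codes scanned:", key_space(12, 0x0FF))
    print("12-bit worst case at 10 kbit/s (s):",
          round(worst_case_seconds(12, 0xFFF, 5, 100, 10000, tail_len=3), 1))
```

The worst-case figure is a simple bound; the real receiver may also impose its own timing, so treat it as an order of magnitude rather than an exact duration.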
Not clear enough? Have a look at the Android Brute Force Tutorial.
Questions or need help? Get in touch or open an Issue!