Evil Crow RF device.

Overview

EvilCrow-RF

Idea, development and implementation: Joel Serna (@JoelSernaMoreno).

PCB design: Ignacio Díaz Álvarez (@Nacon_96) and Forensic Security (@ForensicSec).

Manufacturer and distributor: April Brother (@aprbrother).

Collaborators: Little Satan, Ernesto Sánchez (@ernesto_xload), Federico Maggi (@phretor), Andrea Guglielmini (@Guglio95) and RFQuack (@rfquack).

The developers and collaborators of this project do not earn money with this. You can invite me for a coffee to further develop Low-Cost hacking devices. If you don't invite me for a coffee, nothing happens, I will continue developing devices.

For Sale at:

Summary:

  1. Disclaimer
  2. Introduction
  3. Basic Firmware
    • Installation
    • First steps with EvilCrow-RF
    • RX Config Example
    • RX Log Example
    • TX Example
    • Brute Force Example
    • Pushbuttons Configuration
    • Public Demo
  4. Advanced Firmware with RFQuack
    • Installation and first steps
    • RX Example
    • TX Example
    • Public Demo
  5. Evil Crow RF Support

Disclaimer

Evil Crow RF is a basic device for professionals and cybersecurity enthusiasts.

We are not responsible for the incorrect use of Evil Crow RF.

We recommend using this device for testing, learning and fun :D

Be careful with this device and the transmission of signals. Make sure to follow the laws that apply to your country.

Introduction

Evil Crow RF is a radiofrequency hacking device for pentest and Red Team operations. It operates in the following radiofrequency bands:

  • 300 MHz-348 MHz
  • 387 MHz-464 MHz
  • 779 MHz-928 MHz

Evil Crow RF has two CC1101 radiofrequency modules, which can be configured to transmit or receive on different frequencies at the same time.

Evil Crow RF allows the following attacks:

  • Signal receiver
  • Signal transmitter
  • Replay attack
  • Brute Force
  • ...

NOTE:

  • All devices have been flashed with basic firmware EvilCrow-RF before shipping.
  • Please do not ask me to implement new functions in this code. You can develop code for Evil Crow RF and send a PR with your new code.

Basic Firmware

The basic firmware lets you receive and transmit basic signals. You can configure the two radio modules through a web panel over Wi-Fi.

  • RX: Configure modules and frequency for reception.
  • TX: Configure modules, frequency, code and bit length to transmit.
  • Bruteforce: Configure frequency, start code and bit length to brute force.

Installation

  1. Install esptool: sudo apt install esptool
  2. Install pyserial: sudo pip install pyserial
  3. Download and Install the Arduino IDE: https://www.arduino.cc/en/main/software
  4. Download EvilCrow-RF repository: git clone https://github.com/joelsernamoreno/EvilCrow-RF.git
  5. Copy the SmartRC-CC1101-Driver-Lib library included in the EvilCrow-RF repository into the Arduino library directory
  6. Copy the rc-switch library included in the EvilCrow-RF repository into the Arduino library directory
  7. Open Arduino IDE
  8. Go to File - Preferences. Locate the field "Additional Board Manager URLs:" Add "https://dl.espressif.com/dl/package_esp32_index.json" without quotes. Click "Ok"
  9. Select Tools - Board - Boards Manager. Search for "esp32". Install "esp32 by Espressif system version 1.0.4". Click "Close".
  10. Open the EvilCrow-RF.ino sketch
  11. Select Tools:
    • Board - "ESP32 Dev Module".
    • Flash Size - "4MB (32Mb)".
    • CPU Frequency - "240MHz (WiFi/BT)".
    • Flash Frequency - "80MHz"
    • Flash Mode - "DIO"
  12. Upload the code to the EvilCrow-RF device.
  13. Press reset button

First steps with EvilCrow-RF

  1. Scan for the Wi-Fi networks around you and connect to the EvilCrow-RF network (default SSID: EvilCrow-RF).
  2. Enter the password for the Wi-Fi network (default password: 123456789).
  3. Open a browser and access the web panel (default IP: 192.168.4.1).
  4. Go!

RX Config Example

  • Module: 1 or 2 (1 for first CC1101 module, 2 for second CC1101 module)
  • Frequency (example 433.92)
  • RxBW bandwidth (Example 58)

[Image: RXConfig]

RX Log Example

[Image: RXLog]

TX Example

  • Module: 1 or 2 (1 for first CC1101 module, 2 for second CC1101 module)
  • Frequency (example 433.92)
  • Code (example 1642498)
  • Bit Length (example 24)

[Image: TXConfig]

Brute Force Example

  • Frequency (example 433.92)
  • Start Code (example 1642490)
  • Bit Length (example 24)

[Image: BruteForce]

Pushbuttons Configuration

[Image: PB]

Configure actions for the pushbuttons. Edit the EvilCrow-RF.ino sketch with your new code:

[Image: Pushbutton]

Public Demo:

Advanced Firmware with RFQuack

RFQuack is the only versatile RF-analysis tool that quacks!

It's a library firmware that allows you to sniff, manipulate, and transmit data over the air. Consider it as the hardware-agnostic and developer-friendly version of the great YardStick One, which is based on the CC1101 radio chip. Similarly to RFCat, RFQuack has a console-based, Python-scriptable client that allows you to set parameters, receive, transmit, and so on.

RFQuack is compatible with Evil Crow RF :D

Installation and first steps

  1. Download the RFQuack repository: git clone https://github.com/rfquack/RFQuack.git

  2. Go to RFQuack directory: cd RFQuack

  3. Edit build.env with this content:

[Image: build.env content]

  4. Execute the following command: make docker-build-nc && make build

  5. Connect Evil Crow RF to your computer and flash RFQuack with the following command: PORT=/dev/ttyUSB0 make flash

  6. Disconnect and connect Evil Crow RF again

  7. Download the RFQuack-cli repository: git clone https://github.com/rfquack/RFQuack-cli.git

  8. Go to RFQuack-cli directory: cd RFQuack-cli

  9. Execute the following command: make docker-build

  10. Execute the following command: docker run --device /dev/ttyUSB0 --rm -it rfquack/cli:latest tty -P /dev/ttyUSB0

[Image: Cli]

RX Example

In the RFQuack console run the following commands:

  1. q.radioA.set_modem_config(modulation="OOK", carrierFreq=433.920, syncWords=b"", useCRC=False, bitRate=1.7*2, rxBandwidth=58)
  2. q.radioA.set_packet_len(isFixedPacketLen=True, packetLen=100)
  3. q.radioA.rx()

This is a simple example. Read the documentation for more information: https://github.com/rfquack/RFQuack

TX Example

This example performs a replay attack with the signal received in the RX example. In the RFQuack console run the following commands:

  1. len(q.data)
  2. q.radioA.tx()
  3. q.radioA.send(data=q.data[0].data)

This is a simple example. Read the documentation for more information: https://github.com/rfquack/RFQuack
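Why the replay in the TX example succeeds against a fixed-code receiver, and what a receiver-side counter check changes. This is an added example, not code from EvilCrow-RF or RFQuack: the receiver and remote classes, the frame layout (4-byte counter plus 8-byte truncated HMAC) and the key are hypothetical models, and only the code 1642498 comes from this page.

```python
import hashlib
import hmac

FIXED_CODE = 1642498                # 24-bit example code from the TX section
DEMO_KEY = b"constructed-demo-key"  # constructed sample key (hypothetical)

def mac(key: bytes, counter: bytes) -> bytes:
    """HMAC-SHA256 over the counter, truncated to 8 bytes to keep frames short."""
    return hmac.new(key, counter, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Hypothetical receiver that accepts any frame equal to its paired code."""
    def __init__(self, code: int):
        self.code = code
    def accept(self, frame: bytes) -> bool:
        return int.from_bytes(frame, "big") == self.code

class RollingRemote:
    """Hypothetical remote: each press sends counter || MAC(key, counter)."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        c = self.counter.to_bytes(4, "big")
        return c + mac(self.key, c)

class RollingReceiver:
    """Accepts a frame only if its MAC verifies and its counter moved forward."""
    WINDOW = 16  # tolerate a few presses made out of radio range
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, frame: bytes) -> bool:
        c, tag = frame[:4], frame[4:]
        if len(frame) != 12 or not hmac.compare_digest(tag, mac(self.key, c)):
            return False  # malformed or forged
        counter = int.from_bytes(c, "big")
        if not self.last < counter <= self.last + self.WINDOW:
            return False  # already used (replay) or implausibly far ahead
        self.last = counter
        return True

def demo() -> dict:
    """Present one recorded frame twice to each receiver model."""
    fixed_rx = FixedCodeReceiver(FIXED_CODE)
    frame = FIXED_CODE.to_bytes(3, "big")  # what a sniffer records
    remote, rolling_rx = RollingRemote(DEMO_KEY), RollingReceiver(DEMO_KEY)
    first = remote.press()
    return {"fixed_original": fixed_rx.accept(frame),
            "fixed_replay": fixed_rx.accept(frame),
            "rolling_original": rolling_rx.accept(first),
            "rolling_replay": rolling_rx.accept(first),
            "rolling_next_press": rolling_rx.accept(remote.press())}
```

The counter check only rejects frames the receiver has already accepted, so it is a floor rather than a complete defence; receivers that need more add a time bound or a challenge-response exchange.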

Public Demo

Evil Crow RF Support

You can open an issue or send me a message via Twitter (@JoelSernaMoreno).

Comments
  • "serial port not selected" issue in Arduino

    I'm reasonably sure I've done everything right but I can't get Arduino to upload the included sketches to the board. I'm running Ubuntu, I've done all the steps in the basic firmware installation and this is the error I'm getting:

    "Arduino: 1.8.16 (Linux), Board: "ESP32 Dev Module, Disabled, Default 4MB with spiffs (1.2MB APP/1.5MB SPIFFS), 240MHz (WiFi/BT), DIO, 80MHz, 4MB (32Mb), 921600, None"

    Sketch uses 782554 bytes (59%) of program storage space. Maximum is 1310720 bytes. Global variables use 51848 bytes (15%) of dynamic memory, leaving 275832 bytes for local variables. Maximum is 327680 bytes. Serial port not selected."

    Pretty sure it's something I've messed up along the way but any tips would be greatly appreciated.

    opened by tompusey 42
  • Receiver granularity

    Hello!

    I am wondering how this device could be used as a standalone tool and will it be sufficient, in particular I am thinking of a spectrum analyzer, is it going to be precise enough or would you still need an RTL-SDR?

    I am thinking of creating an Android app with easy autocompletion of RFQuack commands and some UI for specific tasks like signal analysis or spectrum analyzer.

    Can you think of any limitations in the hardware that would prevent this from working?

    Thank you

    opened by leo-lb 16
  • next production batch ?

    Hi, sorry in advance to reach you here, but, ...

    I see the hardware as unavailable on AliExpress: do you plan to launch a second batch anytime soon? I would be interested. Perhaps using Crowd Supply if you need financing?

    opened by timFaivre 11
  • Failed to connect to ESP32: Timed out waiting for packet header

    Hello, after solving the problem mentioned in the last issue (the COM port one), I've encountered another problem. Now, when I try to flash my unit in Arduino, it compiles good, but when it is time to upload the code, it keeps connecting for a while, and then it just drops an error:

    Arduino:1.8.13 (Windows 10), Tarjeta:"ESP32 Dev Module, Disabled, Default 4MB with spiffs (1.2MB APP/1.5MB SPIFFS), 240MHz (WiFi/BT), DIO, 80MHz, 4MB (32Mb), 921600, Core 1, Core 1, None"

    El Sketch usa 802349 bytes (61%) del espacio de almacenamiento de programa. El máximo es 1310720 bytes.

    Las variables Globales usan 34460 bytes (10%) de la memoria dinámica, dejando 293220 bytes para las variables locales. El máximo es 327680 bytes.

    esptool.py v3.1

    Serial port COM6

    Connecting.......................___...............__

    A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header

    A fatal error occurred: Failed to connect to ESP32: Timed out waiting for packet header

    I've tried reinstalling esptool and pyserial, reinstalling the drivers, and trying to flash it on other computers, with Windows and Linux, but the same error keeps appearing. I'm totally frustrated with this: first my PC couldn't recognise the device on the COM port, and now this. I know it's not your fault, but it looks like I had bad luck with this device. All help will be appreciated.

    opened by Yacal999 10
  • Add new features.

    It's not really an issue, but maybe someone can help me to add new features on the original firmware. I found this repo (link below) and tried adding a "De Bruijn" part, but no luck so far. I will try again, but maybe someone here could find an easier way than me!

    gusgorman/RFmoggy

    And many thanks Joel for this nice tool.

    Jérôme.

    opened by djecom1 10
  • Uploading sketches to the device

    Hi, I seem to have very hit and miss results when uploading firmware to the device.

    I followed the installation instructions and it failed to connect multiple times, but then pressing the reset button when the device was mid connecting seems to work around 1 in 20 times. Is there a trick to this that I have missed?

    Awesome project by the way! I will be submitting a PR with some funky features soon.

    opened by MrTakfly 5
  • Don't see any logs in web view

    Hi - I received my board today - thanks!

    I uploaded the latest code (the EvilCrow-RF.ino sketch) via Arduino, but I don't see any logs in web view after I have set the rx parameters - I have tried periodically refreshing but that doesn't work - and I also don't see anything in the Serial terminal. If I use ASK_RAW_RX.ino instead I do get sensible looking results - so something's working - any clues?

    Cheers, David

    opened by davidchatting 5
  • RollJam attack

    Hi, bought this at AliExpress and still waiting to receive it... can't wait to play with it... wondering why there's no Samy's RollJam attack module available. I saw it's available at https://github.com/rfquack/RFQuack/tree/8a9364766192ae660c95ee0392152190ab1d1176/src/modules/defaults ?

    Is this due to security reasons?

    opened by sumanblack666 5
  • bad USB ?

    Are you familiar with this issue? What are my options to debug this issue and solve it myself? Most likely I need to solder one of the wires to the USB? P.S. I can log in to the web UI.

    opened by oshri-almog 3
  • Problems with TX

    I've got my hands on a second batch unit and I'm playing around with it but I can't seem to get it transmitting. I flashed it with the newer RAWv2.2-NewerInterface and everything seems to work on the RX side of things. My test object is a wireless doorbell at 433.92 MHz, which I believe uses a simple ASK/OOK but I also tried FSK. Sniffing seems to work and I got everything in the logs, but transmitting either raw data or binary data doesn't work and I get no errors. Do you have any idea if I'm doing something stupidly wrong or have missed something very obvious? (Should any of the LEDs indicate something during RX/TX?) I'm a little unsure if I'm using the RxBW, Deviation and Data rate correctly, and I would really appreciate some insight into this. Thank you very much for all your work, Joel!

    opened by skaken 3
  • When new stock is available? (asked 09/2021)

    Can't find an expectation when new devices are available....so how many to expect and when?

    In reference to: I close this issue. If you ever need to know when new stock is available, please open a new issue

    Thanks

    Originally posted by @joelsernamoreno in https://github.com/joelsernamoreno/EvilCrow-RF/issues/8#issuecomment-852558753

    opened by bosb 2
  • Satan v1 new style case tolerances

    Printed out the case in PLA on my Ender3 Pro, and it's just a wee bit too tight.

    I can shove the PCB in, but it's so tight the buttons don't fit without depressing the 3 switches.

    Have you heard any other reports of this? I might try re-printing at ~100.5% in all 3 dimensions.

    opened by gigawatts 2
  • LED programming

    Hi Joel, congratulations for your work. I bought 2 devices. Why not use the 3 LEDs to have a better understanding of the operation of the device?! Also use a led to indicate signal reception as a "tester" Example: LED 1 = Power on signal (As now) :) LED 2 = On when receiving signal / Flashing if signal in log memory. LED 3 = On steady or flashing when transmitting a signal. Thanks for your attention.

    opened by Azanot 2
Releases(RAWv3.0-NewInterface)
  • RAWv3.0-NewInterface(Aug 25, 2022)

Owner
Joel Serna Moreno
Cybersecurity researcher.