0161 513 0960
Jack O'Sullivan
March 22 2021
Secarma are getting more requests from customers for product reviews, radio frequency analysis and hardware hacking in general. This is mostly due to the proliferation of IoT devices which are making these skills more relevant than ever. While we already have several experts in these areas, it is because those individuals were exploring their own curiosity. Here I am starting my own journey.
I am a self-confessed hardware and RF noob as I have spent my career mostly at the application layer. 2017 was the year I set myself the goal of teaching this old dog new tricks. By documenting my baby steps, it is my hope to fill some of what I am going to call the “documentation gap”. While some areas I have dipped my toe in already have had stunning documentation. Others are very much at bleeding edge. PandwaRF is somewhere closer to cutting yourself at the moment.
The first gap I am tackling is getting the PandwaRF working within a Kali Linux VM using VMWare Workstation on a Windows host. We bought ourselves a PandwaRF from here:
You can install an android application but I also wanted to operate this from within a Kali Linux VM. My end goal is creating a VM that I can redistribute among the team which “works” for all of the juicy devices that have been made available to me (not just PandwaRF).
I learn best if I think I am going to be passing on the knowledge someday as it pushes me to make appropriate notes and ensure steps are reproducible. Operating from a Windows Host into a VM is rated as “untested” on all the documentation that I read. So I figured I would briefly document how I got on with this.
Process on Android Device
- Install Android Application from the play store.
- Connect to the PandwaRF via Bluetooth
- Install any and all updates to firmware (important for me because Windows 10 seemed to refuse the device over USB until I did).
- Enable Dev Mode. Goto “Settings” and select “Enable Dev Mode”.
- Then goto “Bus Service” and scroll down to find the new dev mode settings including “Enable USB”.
Relatively painless that one. The device will not work at all until “Enable USB” has been ticked.
Process on Windows Host
To ensure I had a clean VM I downloaded the most recent Kali VM image from here:
- https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/ (Filename Kali-Linux-2017.1-vm-amd64.7z)
I booted that image in VMWare Workstation and updated all packages with the usual commands:
|
1
2
|
apt-get updateapt-get upgrade |
Within the Virtual Machine Settings screen I altered the USB Controller to operate over USB 3.0 as shown below:
Note: before installing all firmware updates to the PandwaRF this did absolutely nothing but complain. After the latest updates were applied I had more success and was able to use the “VM” -> “Removable Devices” menu option to select the PandwaRF Dongle as shown below:
At this point I plugged the PandwaRF into the Windows host via USB.
A run of “lsusb” within the kali VM showed that we had a functional USB device:
At this point unplug the PandwaRF and then reconnect it so you get a prompt asking you about automatically connecting the device into the Kali VM on reconnections. This is important since various parts of debugging rely on disconnecting and reconnecting and we do not want Windows getting any ideas about using our device!
Great so everything was connected and I could now start to play with RfCat!
This article from VMWare covers automatically connecting a device:
Setting up RFCat
The vendor has made a quick start guide located here:
As it says itself: “We didn’t test it on an Ubuntu image on a virtual machine running on Windows.” Hence this article, although we want Kali instead of Ubuntu.
The PandwaRF has a customised version of the RFCat application. To download this you should use the following git command:
|
1
|
git clone https://github.com/ComThings/PandwaRF.git |
The customised version of RFCat is in the “PandwaRF/SW/rfcat” folder. All dependencies for rfcat for me appeared already to be within that new Kali Image (and remember I started with the stock VM here).
The documentation says do not use the “setup.py” installation approach. We need to CD into our rfcat folder and directly execute that. Fans of shortcuts can however add the rfcat folder to their PATH variable as shown:
|
1
2
3
|
cd <path to PandwaRF/SW/rfcat/>echo export PATH=`pwd`/:$PATH >> ~/.bashrcsource ~/.bashrc |
At this point you should have permanently added the PandwaRF modified rfcat to your executable path. To check execute the “which rfcat” command:
Running RfCat for the first time
There you go it is now executable from wherever you need it.
The usage information for RfCat is shown below:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
usage: rfcat [-h] [-r] [-i INDEX] [-s] [-f BASEFREQ] [-c INC] [-n SPECCHANS][--bootloader] [--force]optional arguments:-h, --help show this help message and exit-r, --research Interactive Python and the "d" instance to talk to your dongle. melikey longtime.-i INDEX, --index INDEX-s, --specan start spectrum analyzer-f BASEFREQ, --basefreq BASEFREQ-c INC, --inc INC-n SPECCHANS, --specchans SPECCHANS--bootloader trigger the bootloader (use in order to flash the dongle)--force use this to make sure you want to set bootloader mode (you *must* flash after setting --bootloader) |
The easiest entry seems to be “-r” which drops us into an interactive python shell with which we can play with the API via the “d” instance.
Execute rfcat -r and if the stars are in the right place you will be dropped into an interactive python shell as shown:
Who does not love tab autocomplete? I for one am a big fan. What does “ping” do though:
Note: if you get an error instead of this screen then see the appendix of errors below.
Appendix of Errors
At this point I just blasted the alphabet over whatever frequency the default is. You can see or change the frequency with “d.getFreq()” or “d.setFreq( <number> )” respectively. However for the purposes of this tutorial if you are this far along your Kali VM will be working and you can start to play along.
I got a variety of errors while starting to work with the PandwaRF. The following shows the most common error:
|
1
|
Error in resetup():USBError(110, u'Operation timed out') |
Googling this error will hit standard rfcat posts and rarely hits the PandwaRF specifically. A forum post was found using Google within the PandwaRF community pages. This stated that you should disconnect from the USB Port and then connect it back in at this point. True facts folks that does indeed fix it:
For Google fans here is the top line text:
Next up is one that is definitely because of my carelessness:
|
1
|
Error claiming usb interface:USBError(16, u'Resource busy') |
If you get this you are already running rfcat in some forgotten terminal tab. As I said this one was definitely me being careless!
When using “rfcat -s” to “start spectrum analyzer” I saw a missing dependency error from python as shown:
The following shows the apt-get command to solve that dependency:
|
1
|
apt-get install python-pyside.qtgui |
After satisfying that package the spectrum analyzer launched successfully as shown:Neat now to investigate the spikes…
