RFCat

RFCat is a Python-based RF (radio frequency) analysis and attack tool that leverages Texas Instruments CC1111 and CC2531 USB dongles for wireless testing. It enables frequency analysis, packet capture, signal injection, and protocol testing across various RF bands. Critical for IoT security research, wireless protocol analysis, and authorized penetration testing.

Installation

Hardware Requirements

Texas Instruments CC1111 USB Dongle - Primary RF transceiver
CC2531 USB Stick - ZigBee protocol analysis (alternative)
External antenna (optional) - Improved range and signal quality

Kali Linux Setup

# Install Python dependencies
sudo apt-get install python3 python3-pip python-dev

# Clone RFCat repository
git clone https://github.com/atlas0fd00m/rfcat.git
cd rfcat

# Install via setup
sudo python3 setup.py install

# Or install via pip
sudo pip3 install rfcat

# Verify installation
rfcat -h

Install Firmware on Device

# Connect CC1111 dongle via USB

# Flash firmware
cd rfcat/firmware/cc1111
sudo rfcat -i

# For CC2531
cd rfcat/firmware/cc2531
# Use programmer or bootloader

# Test connection
rfcat -c 'd.ping()'

Basic Syntax

Command	Purpose
`rfcat -h`	Display help information
`rfcat -c '<python_code>'`	Execute single Python command
`rfcat -l`	List available RF frequencies
`rfcat -r`	Interactive Python shell
`rfcat -i`	Flash firmware to device

Interactive Shell

Start RFCat Shell

# Open interactive console
rfcat -r

# Python interactive session opens
rfcat> d = getRfCat()
rfcat> d.setFreq(2400000000)  # 2.4 GHz (2400 MHz)
rfcat> d.setMdmModulation(MOD_FSK)  # Set modulation

# Basic commands
rfcat> d.ping()              # Test device connection
rfcat> d.getFWstr()          # Get firmware version
rfcat> d.getFreq()           # Current frequency
rfcat> exit()                # Exit shell

Frequency Configuration

Set Frequency

# Load RFCat in Python
from rfcat import *

d = getRfCat()

# ISM bands (common frequencies)
d.setFreq(868000000)    # 868 MHz (EU)
d.setFreq(915000000)    # 915 MHz (US, AU)
d.setFreq(2400000000)   # 2.4 GHz (WiFi, ZigBee)
d.setFreq(2450000000)   # 2.45 GHz (Bluetooth)

# Get current frequency
current_freq = d.getFreq()
print(f"Current frequency: {current_freq} Hz")

# Scan frequency range
for freq in range(2400000000, 2500000000, 1000000):
    d.setFreq(freq)
    print(f"Monitoring: {freq/1000000} MHz")

Modulation Types

Modulation	Constant	Use Case
FSK	MOD_FSK	Frequency Shift Keying (common)
GFSK	MOD_GFSK	Gaussian FSK (Bluetooth, ZigBee)
ASK/OOK	MOD_ASK_OOK	Amplitude Shift Keying
MSK	MOD_MSK	Minimum Shift Keying
GMSK	MOD_GMSK	Gaussian MSK
PSK	MOD_PSK	Phase Shift Keying

# Set modulation types
d.setMdmModulation(MOD_FSK)     # FSK modulation
d.setMdmModulation(MOD_GFSK)    # Gaussian FSK (Bluetooth)
d.setMdmModulation(MOD_ASK_OOK) # ASK/OOK

# Get current modulation
current_mod = d.getMdmModulation()

Packet Capture and Analysis

Monitor RF Signals

from rfcat import *

d = getRfCat()
d.setFreq(915000000)    # Set to 915 MHz
d.setMdmModulation(MOD_FSK)

# Capture packets
print("[*] Listening for packets...")
while True:
    try:
        pkt, timestamp = d.recvPacket()
        print(f"[+] Packet received: {pkt.hex()}")
        print(f"    Timestamp: {timestamp}")
        print(f"    RSSI: {pkt.rssi}")
    except Exception as e:
        print(f"[-] Error: {e}")

Packet Transmission

from rfcat import *

d = getRfCat()
d.setFreq(915000000)
d.setMdmModulation(MOD_FSK)

# Create and send packet
payload = b'\x41\x42\x43\x44'  # "ABCD"
d.sendPacket(payload)

print("[+] Packet sent")

# Send multiple packets
for i in range(5):
    d.sendPacket(bytes([i] * 10))
    print(f"[+] Sent packet {i}")

Signal Analysis

Frequency Hopping Detection

from rfcat import *
import time

d = getRfCat()
frequencies = [915000000, 916000000, 917000000]

print("[*] Detecting frequency hopping...")

for freq in frequencies:
    d.setFreq(freq)
    print(f"[*] Monitoring {freq/1000000} MHz")
    
    # Listen for 1 second
    start_time = time.time()
    packet_count = 0
    
    while time.time() - start_time < 1:
        try:
            pkt, ts = d.recvPacket(timeout=100)
            packet_count += 1
            print(f"[+] Packet detected on {freq/1000000} MHz")
        except:
            pass
    
    print(f"[+] Packets on {freq/1000000} MHz: {packet_count}")

RSSI (Signal Strength) Scanning

from rfcat import *

d = getRfCat()

print("[*] Scanning RSSI across frequency range...")

freq_range = range(2400000000, 2500000000, 5000000)

for freq in freq_range:
    d.setFreq(freq)
    
    rssi_values = []
    for _ in range(10):
        try:
            pkt, ts = d.recvPacket(timeout=50)
            if pkt:
                rssi_values.append(pkt.rssi)
        except:
            pass
    
    avg_rssi = sum(rssi_values) / len(rssi_values) if rssi_values else 0
    print(f"{freq/1000000:.1f} MHz: {avg_rssi:.1f} dBm")

Protocol Analysis

ZigBee Packet Capture

from rfcat import *

d = getRfCat()
d.setFreq(2405000000)           # ZigBee channel 11
d.setMdmModulation(MOD_GFSK)

print("[*] Capturing ZigBee packets...")

while True:
    try:
        pkt, ts = d.recvPacket()
        
        # Parse ZigBee frame format
        frame_type = pkt[0] & 0x03
        security = (pkt[0] >> 3) & 0x01
        ack_request = (pkt[0] >> 6) & 0x01
        
        print(f"[+] Frame Type: {frame_type}, Security: {security}, ACK: {ack_request}")
        print(f"    Payload: {pkt.hex()}")
    except Exception as e:
        print(f"[-] Error: {e}")

Bluetooth Advertising Capture

from rfcat import *

d = getRfCat()

# Bluetooth advertising channels
bt_channels = [2402000000, 2426000000, 2480000000]

print("[*] Scanning Bluetooth advertising...")

for channel in bt_channels:
    d.setFreq(channel)
    d.setMdmModulation(MOD_GFSK)
    
    print(f"[*] Channel: {channel/1000000} MHz")
    
    for _ in range(5):
        try:
            pkt, ts = d.recvPacket(timeout=200)
            print(f"[+] BT packet: {pkt.hex()}")
        except:
            pass

Attack and Fuzzing

Simple Jamming (Authorized Testing Only)

from rfcat import *
import time

d = getRfCat()
d.setFreq(915000000)
d.setMdmModulation(MOD_FSK)

print("[!] Starting RF transmission (authorized testing only)")

# Transmit continuous pattern
pattern = b'\xAA\xBB\xCC\xDD'

try:
    for i in range(100):
        d.sendPacket(pattern)
        time.sleep(0.1)
        print(f"[+] Transmission {i}")
except KeyboardInterrupt:
    print("\n[+] Transmission stopped")

d.close()

Packet Fuzzing

from rfcat import *
import random

d = getRfCat()
d.setFreq(915000000)

print("[*] Starting packet fuzzing...")

for i in range(50):
    # Generate random payload
    payload_length = random.randint(5, 50)
    payload = bytes([random.randint(0, 255) for _ in range(payload_length)])
    
    try:
        d.sendPacket(payload)
        print(f"[+] Fuzz packet {i}: {len(payload)} bytes")
    except Exception as e:
        print(f"[-] Error: {e}")

d.close()

Replay Attacks (Authorized Testing)

Capture and Replay

from rfcat import *
import time

d = getRfCat()
d.setFreq(915000000)

# Step 1: Capture packets
print("[*] Capturing packets...")
captured_packets = []

for _ in range(10):
    try:
        pkt, ts = d.recvPacket(timeout=500)
        captured_packets.append(pkt)
        print(f"[+] Captured: {pkt.hex()}")
    except:
        pass

# Step 2: Replay captured packets
print(f"\n[*] Replaying {len(captured_packets)} packets...")

for i, pkt in enumerate(captured_packets):
    d.sendPacket(pkt)
    print(f"[+] Replayed packet {i}")
    time.sleep(0.5)

d.close()

Advanced Configuration

Power and Gain Settings

from rfcat import *

d = getRfCat()
d.setFreq(915000000)

# Set transmission power
d.setTxPower(0)     # Maximum power

# Get current settings
freq = d.getFreq()
power = d.getTxPower()
mod = d.getMdmModulation()

print(f"Frequency: {freq/1000000} MHz")
print(f"TX Power: {power}")
print(f"Modulation: {mod}")

Continuous Monitoring

from rfcat import *
import time

d = getRfCat()
d.setFreq(2400000000)

print("[*] Continuous monitoring started")
packet_count = 0
start_time = time.time()

try:
    while True:
        try:
            pkt, ts = d.recvPacket(timeout=100)
            packet_count += 1
            elapsed = time.time() - start_time
            rate = packet_count / elapsed
            print(f"[+] Packets: {packet_count} ({rate:.1f} pkt/s)")
        except:
            pass
except KeyboardInterrupt:
    print(f"\n[+] Monitoring stopped. Total packets: {packet_count}")
    d.close()

Common RF Bands and Frequencies

Band	Frequency	Use Case	Region
ISM 169 MHz	169000000 Hz	Industrial, Scientific	Varies
ISM 433 MHz	433000000 Hz	RF modules, IoT	EU, Asia
ISM 868 MHz	868000000 Hz	LoRa, SigFox	EU
ISM 915 MHz	915000000 Hz	Zigbee, LoRa	US, Canada, AU
2.4 GHz WiFi	2400-2500 MHz	WiFi, Bluetooth, ZigBee	Worldwide
Cellular	700-2600 MHz	Mobile networks	Region-specific

Python Script Templates

Frequency Scanner

#!/usr/bin/env python3
from rfcat import *

def scan_frequency_range(start_freq, end_freq, step, duration=1):
    d = getRfCat()
    
    print(f"[*] Scanning {start_freq/1000000} to {end_freq/1000000} MHz")
    
    for freq in range(start_freq, end_freq, step):
        d.setFreq(freq)
        
        packets = 0
        start = time.time()
        
        while time.time() - start < duration:
            try:
                pkt, ts = d.recvPacket(timeout=100)
                packets += 1
            except:
                pass
        
        if packets > 0:
            print(f"[+] {freq/1000000:.2f} MHz: {packets} packets detected")
    
    d.close()

# Scan 2.4 GHz band
scan_frequency_range(2400000000, 2500000000, 5000000)

Packet Logger

#!/usr/bin/env python3
from rfcat import *
import time

def log_packets(frequency, duration, output_file):
    d = getRfCat()
    d.setFreq(frequency)
    
    print(f"[*] Logging to {output_file} for {duration} seconds")
    
    with open(output_file, 'w') as f:
        f.write(f"Frequency: {frequency} Hz\n")
        f.write(f"Start: {time.time()}\n")
        f.write("Timestamp,Payload,RSSI\n")
        
        start = time.time()
        while time.time() - start < duration:
            try:
                pkt, ts = d.recvPacket(timeout=100)
                f.write(f"{ts},{pkt.hex()},{pkt.rssi}\n")
                print(f"[+] Packet logged: {pkt.hex()}")
            except:
                pass
    
    d.close()
    print(f"[+] Logging complete")

log_packets(2400000000, 30, "packets.csv")

Troubleshooting

Issue	Solution
Device not detected	Check USB connection, verify lsusb shows device
Permission denied	Add user to dialout group: `sudo usermod -a -G dialout $USER`
Firmware mismatch	Reflash firmware: `rfcat -i`
No packets received	Verify frequency, check antenna connection
Import errors	Install dependencies: `pip3 install rfcat pyusb`

Safety and Legal Considerations

Authorized testing only - Ensure proper authorization before any RF testing
Frequency regulations - Respect local frequency regulations and power limits
Interference - Be aware of potential impact on existing wireless systems
FCC regulations - Comply with FCC Part 15 for unlicensed bands
Documentation - Maintain detailed logs of testing activities
Professional standards - Follow responsible disclosure practices

Resources

Official RFCat GitHub - Latest documentation and examples
RF Safety Guidelines - FCC frequency regulations
Texas Instruments Documentation - CC1111/CC2531 datasheets
Wireless Security Research - Academic resources and case studies