This firmware is an alternative to the EvilCrowRF default firmware. Module: CC1101 - Compatible Flipper Zero file.

h-RAT/EvilCrowRF_Custom_Firmware_CC1101_FlipperZero

EvilCrowRF_Custom_Firmware_CC1101_FlipperZero

Idea, development and implementation of this firmware: h-RAT (https://github.com/h-RAT/).

Discord: h_rat

Idea, development and implementation of the original firmware: Joel Serna (@JoelSernaMoreno - https://github.com/joelsernamoreno/).

Main collaborator: Little Satan (https://github.com/LSatan/)

PCB design: Ignacio Díaz Álvarez (@Nacon_96), Forensic Security (@ForensicSec) and April Brother (@aprbrother).

Manufacturer and distributor: April Brother (@aprbrother).

Distributor from United Kingdom: KSEC Worldwide (@KSEC_KC).

For sale with April Brother (shipping from China):

For sale with KSEC Worldwide (shipping from United Kingdom):


Discord Group: https://discord.gg/Rb2j3jA5Ym

Summary

  • Introduction
  • Installation
  • Features
  • Disclaimer

    Introduction

    This firmware is an alternative to the EvilCrowRF default firmware.

    This firmware allows the following attacks:

    • Record Signal RAW Data
    • Record Signal Binary
    • Transmit .SUB File
    • Transmit RAW
    • Transmit Binary
    • Transmit Decimal**
    • Kaiju Analyze
    • Kaiju Rolling Codes
    • Signal Scanner
    • Bruteforce**
    • Rolljam
    • Rollback
    • Jammer
    • ...

    **Supported protocol: Princeton (24bits), Holtek HT12X (12bits), CAME (12bits), CAME (18bits), CAME (24bits), CAME (25bits), SMC5326 (25bits), Nice FLO (12bits), Nice FLO (24bits), GateTX (24bits)

    Installation

    1) SD Files

    • Download and place the 'CONFIG' folder on a MicroSD card.
    • Download and place the 'HTML' folder on a MicroSD card.
    • Download and place the 'SUBGHZ' folder on a MicroSD card.

    .SUB File

    • Place your file** (.sub) in the 'SUBGHZ' folder.

    **Supported protocol: AlutechAT, Ansonic, BETT, CAME, Clemsa, Doitrand, Dooya, FAAC, GateTX, Holtek, Holtek HT12X, Hormann, IntertechnoV3, KeeLoq, Linear, LinearDelta3, Magellan, Marantec, Nero Radio, Nero Sketch, Nice FLO, PhoenixV2, PowerSmart, Princeton, RAW, SMC5326, Security+ 1.0, Security+ 2.0, Starline, UNILARM

    2) Firmware

    • Install the .bin from OTA
    • or -->
    • Download & execute ESPHome-Flasher
    • Select COM port
    • Select .bin file
    • Press Flash ESP (You may need to put your device in download mode)

    ESPHome-Flasher

    3) Webpanel

    • Connect your mobile/laptop/computer to this Wi-Fi:

    SSID: ECRF
    Password: 123456789

    • Open a browser and navigate to the web panel. (Default IP: 192.168.4.1)

    • Enjoy

    4) Rolljam Firmware

    Download and upload Rolljam firmware on your second device.

    • Install the .bin from OTA
    • or -->
    • Download & execute ESPHome-Flasher
    • Select COM port
    • Select .bin file
    • Press Flash ESP (You may need to put your device in download mode)

    ESPHome-Flasher


    The first device must be powered ON and connected to the default ECRF network. (SSID: ECRF | Password: 123456789)

    • Plug your second device into your computer and get the IP address from the serial monitor. (Baudrate: 38400)

    • Go to the EvilCrowRF web panel and set the IP address of the second device. (ECRF Settings -> Jammer Device -> Local IP Address)

    • Now you can start a rolljam attack.

    Features

    1) Record

  • You have the choice to use the existing presets:
    • Custom ( Custom CC1101 Settings )
    • AM270 ( Modulation: ASK/OOK | Bandwidth: 270.83 kHz )
    • AM650 ( Modulation: ASK/OOK | Bandwidth: 650.00 kHz )
    • FM238 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 2.38 kHz)
    • FM4768 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 47.61 kHz)
  • You can adjust the minimum RSSI.

  • Received signal format:
    • RAW Data with sample count:
    • -1004 370 -424 404 -389 405 -389 403 -421 374 -420 373 -388 406 -421 408 -389 409 -386 409 | Sample: 20
    • Binary with symbol count:
    • 1001001001001001001101101101101101001101101001001001001001101101001101101101101101101001101101001 | Symbol: 398

  • Possibility to send the signal in Flipper Zero .sub file format.
  • Possibility to analyze the signal with Kaiju.
  • Possibility to save the signal in Flipper Zero .sub file format.
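
The RAW line format shown above, parsed and sanity-checked in Python as an added example (not part of this firmware or its repository). It assumes, as in Flipper Zero RAW data, that values are durations in microseconds with positive meaning carrier on and negative meaning carrier off; the function names are hypothetical.

```python
import re
from statistics import median

# Constructed sample: the RAW line quoted in the README above.
SAMPLE = ("-1004 370 -424 404 -389 405 -389 403 -421 374 -420 373 "
          "-388 406 -421 408 -389 409 -386 409 | Sample: 20")

LINE_RE = re.compile(
    r"^\s*(?P<timings>[-\d\s]+?)\s*\|\s*Sample:\s*(?P<count>\d+)\s*$")


def parse_raw_line(line):
    """Return the list of signed durations, or raise ValueError if malformed."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a 'timings | Sample: N' line")
    try:
        timings = [int(tok) for tok in m.group("timings").split()]
    except ValueError as exc:
        raise ValueError(f"bad timing token: {exc}") from None
    declared = int(m.group("count"))
    if len(timings) != declared:
        raise ValueError(f"declared {declared} samples, found {len(timings)}")
    if any(t == 0 for t in timings):
        raise ValueError("zero-length duration")
    # Assumption: on/off durations must alternate, so signs must alternate.
    for a, b in zip(timings, timings[1:]):
        if (a > 0) == (b > 0):
            raise ValueError("consecutive durations with the same sign")
    return timings


def summarize(timings):
    """Basic timing statistics (unit assumed to be microseconds)."""
    highs = [t for t in timings if t > 0]
    lows = [-t for t in timings if t < 0]
    return {
        "samples": len(timings),
        "total_us": sum(abs(t) for t in timings),
        "median_high_us": median(highs) if highs else None,
        "median_low_us": median(lows) if lows else None,
        "longest_low_us": max(lows) if lows else None,
    }


if __name__ == "__main__":
    print(summarize(parse_raw_line(SAMPLE)))
```
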


    2) Transmit

  • You can send a decimal signal with a known protocol:
    • Princeton
    • Holtek HT12X
    • CAME
    • SMC5326
    • Nice FLO
    • GateTX

  • You can send a RAW signal.

  • You can send a binary signal with symbol count.

    3) Saved

  • You can upload a signal (.sub) to the MicroSD card from the webpanel.

  • You can send a signal (.sub) from the MicroSD card.
    • Max. Length: 4096
  • You can download a signal (.sub) from the MicroSD card.

  • You can delete a signal (.sub) from the MicroSD card.

  • You can apply a signal to a button to send it later.
    • Button 1
    • Button 2

    4) Jammer

  • You can jam both frequencies at the same time.
  • You can select from several jamming power levels:
    • 12 (Max.)
    • 11
    • 10
    • 7
    • 5
    • 0 (Min.)

    5) Scanner

  • You can scan many frequencies with a minimum RSSI threshold:
    • 300.00 MHz
    • 303.87 MHz
    • 304.25 MHz
    • 315.00 MHz
    • 318.00 MHz
    • 390.00 MHz
    • 418.00 MHz
    • 433.07 MHz
    • 433.92 MHz
    • 434.42 MHz
    • 434.77 MHz
    • 438.90 MHz
    • 868.30 MHz
    • 868.35 MHz
    • 868.86 MHz
    • 868.95 MHz
    • 915.00 MHz
    • 925.00 MHz

  • You can apply the frequency found.

    6) Bruteforcer

  • You can bruteforce a decimal signal with a known protocol:
    • Princeton (24bits)
    • Holtek HT12X (12bits)
    • CAME (12bits)
    • CAME (18bits)
    • CAME (24bits)
    • CAME (25bits)
    • SMC5326 (25bits)
    • Nice FLO (12bits)
    • Nice FLO (24bits)
    • GateTX (24bits)

    • Max. Decimal: 2147483647

  • You can bruteforce the jukebox:
    • Free Credit
    • Pause Song
    • Skip Song
    • Volume UP
    • Volume DOWN
    • Power OFF
    • Lock Queue

    • Default ID (0x00) used. Most jukeboxes use the default ID.

  • You can bruteforce DIP Switch remote controls:
    • Linear Multicode (10DIP)
    • Stanley Multicode (10DIP)
    • Chamberlain (9DIP)
    • Chamberlain (8DIP)
    • Chamberlain (7DIP)
    • Linear MooreMatic (8DIP)

  • You can send De Bruijn sequences (Open Sesame):
    • Linear Multicode (10bits)
    • Stanley Multicode (10bits)
    • Chamberlain (9bits)
    • Linear MooreMatic (8bits)

    7) CC1101 Settings

  • You have the choice to use the existing presets:
    • Custom ( Custom CC1101 Settings )
    • AM270 ( Modulation: ASK/OOK | Bandwidth: 270.83 kHz )
    • AM650 ( Modulation: ASK/OOK | Bandwidth: 650.00 kHz )
    • FM238 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 2.38 kHz)
    • FM4768 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 47.61 kHz)

  • You can assign a module for RX:
    • Module 1
    • Module 2

  • You can assign a module for TX:
    • Module 1
    • Module 2

  • You can assign a frequency:
    • Range: 300.00 MHz to 348.00 MHz
    • Range: 387.00 MHz to 464.00 MHz
    • Range: 779.00 MHz to 928.00 MHz
  • You can assign a modulation:
    • ASK/OOK
    • 2FSK
  • You can assign a bandwidth:
    • Range: 58.03 kHz to 812.50 kHz
  • You can assign a deviation:
    • Range: 1.58 kHz to 385.85 kHz
  • You can assign a datarate:
    • Range: 0.02 kBaud to 1621.83 kBaud
  • You can assign a packet format:
    • Synchronous
    • Random
    • Asynchronous

    8) Kaiju Analyze

  • You can analyze the signals received with Kaiju.

    9) Kaiju Rolling Codes

  • You can generate rolling codes with Kaiju.
  • You can send the rolling codes generated.
  • You can save the rolling codes generated.

    10) Rolljam Attack

  • You can perform a rolljam attack with different parameters:
    • Record Frequency
    • Record Modulation
    • Jammer Frequency (Usually: Record Frequency - 0.10 MHz)
    • Jammer Power
  • You can send the second signal.
  • You can save the second signal to send it later.

    11) Rollback Attack

  • You can perform a rollback attack with different parameters:
    • Record Frequency
    • Record Modulation
    • Time Frame
    • Signal Required
  • You can send the rollback sequence.
  • You can save the rollback sequence to send it later.

    12) ECRF Logs

  • You can view the device logs.
  • You can download the device logs.
  • You can delete the device logs.

    13) ECRF Settings

  • You can view the device uptime.
  • You can view the device free RAM.

  • You can assign your Kaiju token.

  • You can assign an action to the button:
    • Send Tesla (US) Signal
    • Send Tesla (EU) Signal
    • Start Record Signal
    • Send Last Recorded Signal
    • Send SD Selected Signal
    • Start Jammer (315.00 MHz)
    • Start Jammer (433.92 MHz)
    • Start Jammer (868.35 MHz)
    • Stop Jammer

  • You can adjust Wi-Fi settings.

    14) Firmware Update

  • You can update the firmware from the web panel.

    Disclaimer

    Evil Crow RF is a basic device for professionals and cybersecurity enthusiasts.

    We are not responsible for the incorrect use of Evil Crow RF.

    Be careful with this device and the transmission of signals. Make sure to follow the laws that apply to your country.
