EvilCrow-RF
Idea, development and implementation: Joel Serna (@JoelSernaMoreno).
PCB design: Ignacio Díaz Álvarez (@Nacon_96) and Forensic Security (@ForensicSec).
Manufacturer and distributor: April Brother (@aprbrother).
Distributor from United Kingdom: KSEC Worldwide (@KSEC_KC).
Collaborators: Little Satan, Ernesto Sánchez (@ernesto_xload), Federico Maggi (@phretor), Andrea Guglielmini (@Guglio95) and RFQuack (@rfquack).
The developers and collaborators of this project do not earn money with this. You can invite me for a coffee to further develop low-cost hacking devices. If you don't invite me for a coffee, nothing happens; I will continue developing devices.
For sale with April Brother (shipping from China):
For sale with KSEC Worldwide (shipping from United Kingdom):
- Evil Crow RF: https://labs.ksec.co.uk/product/evil-crow-rf/
Discord Group: https://discord.gg/jECPUtdrnW
Summary:
- Disclaimer
- Introduction
- Firmware
- Installation
- First steps with Evil Crow RF
- RX Config Example
- RX Log Example
- RAW TX Config Example
- Binary TX Config Example
- Pushbuttons Configuration
- Tesla Charge Door Opener
- OTA Update
- Wi-Fi Config
- Power management
- Other Sketches
- Public Demo
- Advanced Firmware with RFQuack
- Installation and first steps
- RX Example
- TX Example
- Public Demo
- Evil Crow RF Support
Disclaimer
Evil Crow RF is a basic device for professionals and cybersecurity enthusiasts.
We are not responsible for the incorrect use of Evil Crow RF.
We recommend using this device for testing, learning and fun :D
Be careful with this device and the transmission of signals. Make sure to follow the laws that apply to your country.
Introduction
Evil Crow RF is a radiofrequency hacking device for pentest and Red Team operations. The device operates in the following radiofrequency bands:
- 300 MHz-348 MHz
- 387 MHz-464 MHz
- 779 MHz-928 MHz
Evil Crow RF has two CC1101 radiofrequency modules. The modules can be configured independently, so the device can transmit or receive on two different frequencies at the same time.
Evil Crow RF allows the following attacks:
- Signal receiver
- Signal transmitter
- Replay attack
- Brute Force
- ...
NOTE:
- All devices have been flashed with basic firmware EvilCrow-RF before shipping.
- Please do not ask me to implement new functions in this code. You can develop code for Evil Crow RF and send PR with your new code.
Firmware
The basic firmware allows you to receive and transmit signals. You can configure the two radio modules through a web panel via Wi-Fi.
Installation
- Install esptool: sudo apt install esptool
- Install pyserial: sudo pip install pyserial
- Download and Install the Arduino IDE: https://www.arduino.cc/en/main/software
- Download EvilCrow-RF repository: git clone https://github.com/joelsernamoreno/EvilCrow-RF.git
- Download the ESPAsyncWebServer library in the Arduino library directory: git clone https://github.com/me-no-dev/ESPAsyncWebServer.git
- Download the AsyncElegantOTA library in the Arduino library directory: git clone https://github.com/ayushsharma82/AsyncElegantOTA.git
- Download the AsyncTCP library in the Arduino library directory: git clone https://github.com/me-no-dev/AsyncTCP.git
- Edit AsyncTCP/src/AsyncTCP.h and change the following:
  - #define CONFIG_ASYNC_TCP_USE_WDT 1 to #define CONFIG_ASYNC_TCP_USE_WDT 0
- Open Arduino IDE
- Go to File - Preferences. Locate the field "Additional Board Manager URLs:" Add "https://dl.espressif.com/dl/package_esp32_index.json" without quotes. Click "Ok"
- Select Tools - Board - Boards Manager. Search for "esp32". Install "esp32 by Espressif system version 1.0.4". Click "Close".
- Open the EvilCrow-RF/EvilCrowRF-RAWv2/RAWv3.0-NewInterface/RAWv3.0-NewInterface.ino sketch
- Select Tools:
  - Board - "ESP32 Dev Module".
  - Flash Size - "4MB (32Mb)".
  - CPU Frequency - "240MHz (WiFi/BT)".
  - Flash Frequency - "80MHz"
  - Flash Mode - "DIO"
- Upload the code to the EvilCrow-RF device.
- Press reset button
First steps with EvilCrow-RF
- Look at the Wi-Fi networks around you and connect to the EvilCrow-RF (default SSID: RAW Replay v3).
- Enter the password for the Wi-Fi network (default password: 123456789).
- Open a browser and access the web panel (default IP: 192.168.4.1).
- Go!
RX Config Example
- Module: (1 for first CC1101 module, 2 for second CC1101 module)
- Modulation: (example ASK/OOK)
- Frequency: (example 433.92)
- RxBW bandwidth: (example 58)
- Deviation: (example 0)
- Data rate: (example 5)
2-FSK NOTES:
- Evil Crow RF allows 2-FSK (RX/TX) modulation. 2-FSK RX is configured for use with CC1101 module 2; do not use CC1101 module 1 for 2-FSK RX.
- You can use 2-FSK TX with module 1 or with module 2.
- Evil Crow RF allows you to receive signals at the same time on two different frequencies, but this does not work correctly with 2-FSK. Use module 2 for 2-FSK RX and, while doing so, do not use module 1 for anything, or you will not receive the 2-FSK signals correctly.
- You can receive two signals on different frequencies with ASK/OOK.
RX Log Example
RAW TX Config Example
- Module: (1 for first CC1101 module, 2 for second CC1101 module)
- Modulation: (example ASK/OOK)
- Transmissions: (number transmissions)
- Frequency: (example 433.92)
- RAW Data: (raw data or raw data corrected displayed in RX Log)
- Deviation: (example 0)
Binary TX Config Example
- Module: (1 for first CC1101 module, 2 for second CC1101 module)
- Modulation: (example ASK/OOK)
- Transmissions: (number transmissions)
- Frequency: (example 433.92)
- Binary Data: (binary data displayed in RX Log)
- Sample Pulse: (samples/symbol displayed in RX Log)
- Deviation: (example 0)
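The RAW data and the Binary data plus Sample Pulse shown in the RX Log are two views of the same capture. The following Python is an added example, not code from the EvilCrow-RF firmware: it derives the "corrected" RAW list and the binary string from a RAW pulse list, and converts back. It assumes the RAW log is a comma-separated list of pulse durations in microseconds, positive for a high pulse and negative for a low gap (a constructed sample is embedded).

```python
"""Convert between RAW pulse timings and the binary + samples/symbol form.

Added example (not part of the EvilCrow-RF firmware). ASSUMPTION: the RAW
log is a comma-separated list of microsecond durations, positive = high,
negative = low. 'Sample Pulse' is taken to be the symbol length in the
same units as the RAW list.
"""


def parse_raw(raw):
    """Parse 'a,b,c' (spaces tolerated) into a list of signed ints."""
    return [int(x) for x in raw.replace(" ", "").split(",") if x]


def estimate_symbol_us(pulses, tolerance=0.3):
    """Estimate the symbol length as the median of the pulses that lie
    within `tolerance` of the shortest pulse (the one-symbol pulses)."""
    mags = sorted(abs(p) for p in pulses)
    group = [m for m in mags if m <= mags[0] * (1 + tolerance)]
    return group[len(group) // 2]


def correct_raw(pulses, symbol_us):
    """Snap each duration to the nearest whole multiple of symbol_us
    (at least one symbol), keeping the sign. This is the jitter-free
    'corrected' form of the RAW list."""
    out = []
    for p in pulses:
        n = max(1, round(abs(p) / symbol_us))
        out.append(n * symbol_us if p > 0 else -n * symbol_us)
    return out


def raw_to_binary(pulses, symbol_us):
    """Expand each corrected pulse into n symbols: '1' high, '0' low."""
    return "".join(
        ("1" if p > 0 else "0") * (abs(p) // symbol_us)
        for p in correct_raw(pulses, symbol_us)
    )


def binary_to_raw(bits, symbol_us):
    """Inverse: run-length encode the bit string into signed durations."""
    out, i = [], 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        out.append((j - i) * symbol_us * (1 if bits[i] == "1" else -1))
        i = j
    return out


# Constructed sample: a jittery OOK capture with a symbol of about 400 us.
SAMPLE_RAW = "412,-1188,395,-1210,1205,-390,404,-1195,1198,-405"
```

Round-tripping a corrected RAW list through raw_to_binary and binary_to_raw should give the list back unchanged; if it does not, the chosen Sample Pulse does not divide the pulses cleanly.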
Pushbuttons Configuration
- Button: (1 for first pushbutton, 2 for second pushbutton)
- Modulation: (example ASK/OOK)
- Transmissions: (number transmissions)
- Frequency: (example 433.92)
- RAW Data: (raw data or raw data corrected displayed in RX Log)
- Deviation: (example 0)
Tesla Charge Door Opener
Demo: https://www.youtube.com/watch?v=feNokjfEGgs
OTA Update
Demo: https://www.youtube.com/watch?v=YQFNLyHu42A
WiFi Config
Evil Crow RF is configured in AP mode with a default SSID and password. From the web panel you can remotely change the mode to STATION or AP and change the SSID, password and Wi-Fi channel.
The changes are stored in the device, and every time you restart Evil Crow RF the new Wi-Fi settings are applied. If you want to return to the default settings, you can delete the stored Wi-Fi configuration from the web panel.
NOTE: When changing the Wi-Fi configuration you have to fill in all the fields correctly. If you do not, you will brick the device.
Power Management
- In normal mode, press push2 + reset, then release reset: Evil Crow RF blinks several times and goes to sleep.
- In sleep mode, press push2 + reset, then release reset to wake him up.
Demo: https://www.youtube.com/shorts/K_Qkss6-pEY
NOTE: If Evil Crow RF is sleeping and you accidentally press reset, he'll go straight back to sleep. If he isn't asleep and you press reset then he will stay awake too.
Other Sketches
You can program Evil Crow RF with other configurations without using the basic firmware. In the OtherSketches folder you can find two examples:
- ASK_RAW_RX.ino: Receive raw data (Only ASK)
- ASK_RAW_TX.ino: Transmit raw data (Only ASK)
- EvilCrowRF-RAWv2_Pushbutton: Two new sketches for using Evil Crow RF with push buttons: RawPushButton_Basic and RawPushButton_Web. Read the document EvilCrowRF-RAWv2 Pushbutton.pdf for more information.
Read the code to know how to configure this for your environment.
Additionally, you can develop other sketches for Evil Crow RF and send a PR to this repository :)
Public Demo:
- Replay attack with pushbuttons: https://twitter.com/JoelSernaMoreno/status/1343573202967126022
- Simple Brute Force: https://twitter.com/JoelSernaMoreno/status/1344798890516770817
- Hacking a X-RAY Machine with WHIDelite & EvilCrowRF: https://lucabongiorni.medium.com/hacking-a-x-ray-machine-with-whidelite-evilcrowrf-74b871f8e23b
Advanced Firmware with RFQuack
RFQuack is the only versatile RF-analysis tool that quacks!
It's a library firmware that allows you to sniff, manipulate, and transmit data over the air. Consider it as the hardware-agnostic and developer-friendly version of the great YardStick One, which is based on the CC1101 radio chip. Similarly to RFCat, RFQuack has a console-based, Python-scriptable client that allows you to set parameters, receive, transmit, and so on.
RFQuack is compatible with Evil Crow RF :D
Installation and first steps
- Download the RFQuack repository: git clone https://github.com/rfquack/RFQuack.git
- Go to RFQuack directory: cd RFQuack
- Edit build.env with this content:
- Execute the following command: make docker-build-nc && make build
- Connect Evil Crow RF to your computer and flash RFQuack with the following command: PORT=/dev/ttyUSB0 make flash
- Disconnect and connect Evil Crow RF again
- Download the RFQuack-cli repository: git clone https://github.com/rfquack/RFQuack-cli.git
- Go to RFQuack-cli directory: cd RFQuack-cli
- Execute the following command: make docker-build
- Execute the following command: docker run --device /dev/ttyUSB0 --rm -it rfquack/cli:latest tty -P /dev/ttyUSB0
RX Example
In the RFQuack console run the following commands:
- q.radioA.set_modem_config(modulation="OOK", carrierFreq=433.920, syncWords=b"", useCRC=False, bitRate=1.7*2, rxBandwidth=58)
- q.radioA.set_packet_len(isFixedPacketLen=True, packetLen=100)
- q.radioA.rx()
This is a simple example; read the documentation for more information: https://github.com/rfquack/RFQuack
TX Example
This example performs a replay attack with the signal received in the RX example. In the RFQuack console run the following commands:
- len(q.data)
- q.radioA.tx()
- q.radioA.send(data=q.data[0].data)
This is a simple example; read the documentation for more information: https://github.com/rfquack/RFQuack
Public Demo
Evil Crow RF Support
- You can ask in the Discord group: https://discord.gg/jECPUtdrnW
- You can open an issue or send me a message via Twitter (@JoelSernaMoreno).