Closed RobRusso closed 6 years ago
Your listener is going to need to be near the Keyfob... Based on the very nature of the attack it's going to be intermittent, per the notes in the ReadMe, because it's jamming a frequency as it is sniffing a frequency. Which, as you can imagine, is tricky. But there are a few things you can adjust which are switches in RFCrack: Upper and Lower RSSI (-U and -L) and Jamming Variance, which is -a. With these I can usually get a pretty consistent rolling code attack.
You can play around with adjusting the upper and lower RSSI values based on your environment, since it's parsing on signal strength of the Keyfob vs the Jamming. Open the window based on the output you are seeing in the signal strength, which is listed during the attack.
You can also adjust the Jamming variance, which is how far away from the exact signal you want to jam. This may give you a better capture.
Hi, quite new to the exciting world of RF Hacking. I have been playing around with the rolling jam attacks, and I noticed that while the attack is ongoing, it starts receiving apparently "ghost" signals, even though there is nothing transmitting near the two yard sticks. I tried it indoors and in an isolated room. Yet the yard sticks seem to be picking up a signal... Is it possible the Sniffer is picking up the Jammer?
Yes, your yardstick is 100% picking up your jamming. You need to filter based on RSSI values for signal strength; since your jammer is right near your other card it will be a higher signal strength than your target. Play around with those numbers so you're filtering for your target's signal strength vs your yardstick's.
Is there a better way to filter the jammer's signal from the sniffer's? So far I have tried using the RSSI switches -U and -L, and also the -a switch, to try to stop the jammer's signal from being captured by the sniffer. Unfortunately, it seems its signal strength is all over the range from -7 to -245 and anything in between...?
I have seen people fuzz with specific values then filter those out... you can give that a try.. I never had much luck with that technique though.
Thank you so much for the suggestion; please know it is well appreciated. RF is extremely interesting, and there is so much to learn to interface the hardware with the software. Could I kindly ask what you are referring to with the term "fuzzing"? Also, is there a way to display the actual signal RSSI from the received messages when using the python RFCrack.py -k -f command?
Once again, thank you for your time and patience.
Probably would want to do something like on line 56 of the following file: https://github.com/cclabsInc/RFCrack/blob/master/src/RFFunctions.py
Create a new line before the if statement and put something like: print signal_strength
This should print the signal strength every time a check is used to see if the RSSI values are between the specified values during your rolling code attack. I believe that should be correct.
Oh my bad, when I say fuzzing I meant jamming. I have seen people try to jam with specific characters and then filter those out when sniffing for real things. But I have never had that work, so I can't say that it's useful. But it's an option. I just have never seen it work in practice.
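The two comments above (the -7 to -245 readings, and printing signal_strength before the RSSI check) are easier to reason about once the register value is turned into dBm. The following is an added example, not RFCrack's own code; it assumes the raw byte follows the TI CC11xx datasheet RSSI formula (two's-complement, 0.5 dB steps, 74 dB offset), and it is an assumption that a printed value such as -245 is that raw byte with a minus sign in front of it.

```python
# Added example (not RFCrack's code): decode a CC11xx RSSI register byte into
# dBm and apply an upper/lower window, mirroring an -L/-U style check.
# Assumptions: datasheet formula for the CC1101/CC1111 RSSI register, and that
# a reported value like -245 is the negated raw register byte.

RSSI_OFFSET_DB = 74  # datasheet offset for the CC11xx RSSI register


def rssi_raw_to_dbm(raw: int) -> float:
    """Convert the 8-bit RSSI register value (0..255) to dBm."""
    if not 0 <= raw <= 255:
        raise ValueError("raw RSSI must be a single byte")
    signed = raw - 256 if raw >= 128 else raw  # two's-complement byte
    return signed / 2.0 - RSSI_OFFSET_DB


def printed_to_dbm(printed: int) -> float:
    """Treat a printed value such as -245 as the negated raw byte (assumption)."""
    return rssi_raw_to_dbm(abs(printed) & 0xFF)


def in_window(dbm: float, lower_dbm: float, upper_dbm: float) -> bool:
    """True when the reading lies inside the accepted window (inclusive)."""
    return lower_dbm <= dbm <= upper_dbm


def filter_captures(captures, lower_dbm, upper_dbm):
    """Split (data, printed_rssi) pairs into (kept, dropped) by dBm window.

    Each returned entry is (data, dbm) with dbm rounded to 0.1 dB.
    """
    kept, dropped = [], []
    for data, printed in captures:
        dbm = round(printed_to_dbm(printed), 1)
        (kept if in_window(dbm, lower_dbm, upper_dbm) else dropped).append((data, dbm))
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample readings (hex payloads and the "printed" RSSI values)
    sample = [("aaaa5555", -7), ("c3c3c3c3", -245), ("f0f0f0f0", -200)]
    for data, printed in sample:
        print(data, printed, "->", printed_to_dbm(printed), "dBm")
    kept, dropped = filter_captures(sample, lower_dbm=-85, upper_dbm=-60)
    print("kept:", kept)
    print("dropped:", dropped)
```

Seen this way, -7 and -245 are only about 9 dB apart (-70.5 and -79.5 dBm), which is why a window chosen on the raw numbers looks "all over the range" while the dBm values are not.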
Thank you for the reply. If I may ask, I'm trying to test the "fuzzing" technique. However, I tried sending specific characters by modifying the program "jam.py" and un-commenting the lines under "jam.py".
Unfortunately, it did not seem to produce a stream of 111111 as I mistakenly assumed would be the case.
Also I tried adding a line under "RFFunctions.py", adding a def FilterJammingTransmission(capture): if re.search('1111', capture): return True
Just to see if, perhaps, I can filter the jammer by a specific pattern, but it seems to create a random stream of characters...
Am I on the completely wrong track? Thank you for your help.
Hi, sorry for my noob question, but when using the rolling code mode (-r) only one of the signals is repeated; the second fails. Sometimes the first fails and the second works. Any tip on how I could fix this?