Posted on 11th September 2017 by Paul Ritchie

Secarma are getting more requests from customers for product reviews, radio frequency analysis and hardware hacking in general. This is mostly due to the proliferation of IoT devices, which is making these skills more relevant than ever. While we already have several experts in these areas, that expertise came from those individuals exploring their own curiosity. Here I am starting my own journey.

I am a self-confessed hardware and RF noob as I have spent my career mostly at the application layer. 2017 was the year I set myself the goal of teaching this old dog new tricks. By documenting my baby steps, it is my hope to fill some of what I am going to call the "documentation gap". Some areas I have already dipped my toe in have stunning documentation; others are very much at the bleeding edge. PandwaRF is somewhere closer to cutting yourself at the moment.

The first gap I am tackling is getting the PandwaRF working within a Kali Linux VM using VMWare Workstation on a Windows host. We bought ourselves a PandwaRF from here:

You can install an Android application, but I also wanted to operate this from within a Kali Linux VM. My end goal is creating a VM that I can redistribute among the team which "works" for all of the juicy devices that have been made available to me (not just PandwaRF).

I learn best if I think I am going to be passing on the knowledge someday as it pushes me to make appropriate notes and ensure steps are reproducible. Operating from a Windows Host into a VM is rated as "untested" on all the documentation that I read. So I figured I would briefly document how I got on with this.

Process on Android Device

  • Install the Android application from the Play Store.
  • Connect to the PandwaRF via Bluetooth.
  • Install any and all updates to the firmware (important for me because Windows 10 seemed to refuse the device over USB until I did).
  • Enable Dev Mode. Go to "Settings" and select "Enable Dev Mode".

 

Enabling Dev Mode on Android

  • Then go to "Bus Service" and scroll down to find the new dev mode settings, including "Enable USB".

Relatively painless that one. The device will not work at all until "Enable USB" has been ticked.

Process on Windows Host

To ensure I had a clean VM I downloaded the most recent Kali VM image from here:

I booted that image in VMWare Workstation and updated all packages with the usual commands:

apt-get update
apt-get upgrade

Within the Virtual Machine Settings screen I altered the USB Controller to operate over USB 3.0 as shown below:

Enable USB 3.0 Compatibility

At this point I plugged the PandwaRF into the Windows host via USB.

Note: before installing all firmware updates to the PandwaRF this did absolutely nothing but complain. After the latest updates were applied I had more success and was able to use the "VM" -> "Removable Devices" menu option to select the PandwaRF Dongle as shown below:

Connect removable media to Kali VM

A run of "lsusb" within the Kali VM showed that we had a functional USB device:

OpenMoko in "lsusb" output means PandwaRF is connected

Great, so everything was connected and I could now start to play with RfCat!

At this point unplug the PandwaRF and then reconnect it, so that you get a prompt asking whether to automatically connect the device to the Kali VM on future reconnections. This is important since various parts of debugging rely on disconnecting and reconnecting, and we do not want Windows getting any ideas about using our device!

This article from VMWare covers automatically connecting a device:

Setting up RFCat

The vendor has made a quick start guide located here:

As it says itself: "We didn't test it on an Ubuntu image on a virtual machine running on Windows." Hence this article, although we want Kali instead of Ubuntu.

The PandwaRF has a customised version of the RFCat application. To download this you should use the following git command:

git clone https://github.com/ComThings/PandwaRF.git

The customised version of RFCat is in the "PandwaRF/SW/rfcat" folder. For me, all of rfcat's dependencies already appeared to be present in that new Kali image (and remember I started with the stock VM here).

The documentation says not to use the "setup.py" installation approach. We need to cd into our rfcat folder and execute rfcat directly from there. Fans of shortcuts can however add the rfcat folder to their PATH variable as shown (the $PATH inside the quotes is escaped so that .bashrc expands it at login rather than baking in today's value):

cd <path to PandwaRF/SW/rfcat/>
echo "export PATH=$(pwd)/:\$PATH" >> ~/.bashrc
source ~/.bashrc

At this point you should have permanently added the PandwaRF modified rfcat to your executable path. To check, execute the "which rfcat" command:

Putting rfcat into your path

There you go, it is now executable from wherever you need it.

Running RfCat for the first time

The usage information for RfCat is shown below:

usage: rfcat [-h] [-r] [-i INDEX] [-s] [-f BASEFREQ] [-c INC] [-n SPECCHANS]
[--bootloader] [--force]

optional arguments:
-h, --help            show this help message and exit
-r, --research        Interactive Python and the "d" instance to talk to
                      your dongle. melikey longtime.
-i INDEX, --index INDEX
-s, --specan          start spectrum analyzer
-f BASEFREQ, --basefreq BASEFREQ
-c INC, --inc INC
-n SPECCHANS, --specchans SPECCHANS
--bootloader          trigger the bootloader (use in order to flash the
                      dongle)
--force               use this to make sure you want to set bootloader mode
                      (you *must* flash after setting --bootloader)

The easiest entry point seems to be "-r", which drops us into an interactive Python shell where we can play with the API via the "d" instance.

Execute rfcat -r and, if the stars are in the right place, you will be dropped into an interactive Python shell as shown:

rfcat -r interactive Python shell
Note: if you get an error instead of this screen then see the appendix of errors below.

Who does not love tab autocomplete? I for one am a big fan. What does "ping" do though:

Pinging the alphabet
At this point I just blasted the alphabet over whatever frequency the default is. You can see or change the frequency with "d.getFreq()" or "d.setFreq( <number> )" respectively. However, for the purposes of this tutorial, if you are this far along your Kali VM is working and you can start to play along.
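Once rfcat -r works, the same "d" object can be driven from a script instead of the interactive shell. The following is an added example, not code from this post or from the PandwaRF project. It assumes the PandwaRF/SW/rfcat folder is importable (run it from that folder or put it on PYTHONPATH) so that rflib's RfCat class resolves, and it goes one step beyond the post by checking the requested frequency against the bands the CC1111 radio in the PandwaRF can tune to (300-348, 391-464 and 782-928 MHz, taken from the CC1111 datasheet rather than from this post) before calling setFreq(). The OfflineDongle class is a constructed stand-in so the script can be dry-run with --offline when no dongle is passed through; what getFreq() and ping() return from the real rflib is my assumption from its source and is marked as such.

```python
"""Scripting the PandwaRF through the same "d" object that rfcat -r hands you,
with a band check in front of setFreq(). Added example, not code from the
original post or the PandwaRF project. Assumes PandwaRF/SW/rfcat is importable
(run from that folder or put it on PYTHONPATH) so that rflib resolves."""
import sys

# Bands the CC1111 radio in the PandwaRF can tune to, in Hz. Taken from the
# CC1111 datasheet, not from the post (assumption about the hardware).
SUPPORTED_BANDS_HZ = (
    (300000000, 348000000),
    (391000000, 464000000),
    (782000000, 928000000),
)


def mhz_to_hz(mhz):
    """setFreq() takes an integer in Hz; humans write MHz."""
    return int(round(float(mhz) * 1000000))


def frequency_in_supported_band(freq_hz):
    """True if freq_hz lies inside one of the radio's bands."""
    return any(lo <= freq_hz <= hi for lo, hi in SUPPORTED_BANDS_HZ)


def check_frequency(freq_hz):
    """Refuse out-of-band values instead of letting the radio silently misbehave."""
    if not frequency_in_supported_band(freq_hz):
        bands = ", ".join("%d-%d MHz" % (lo // 1000000, hi // 1000000)
                          for lo, hi in SUPPORTED_BANDS_HZ)
        raise ValueError("%.3f MHz is outside the supported bands (%s)"
                         % (freq_hz / 1000000.0, bands))
    return freq_hz


class OfflineDongle(object):
    """Constructed stand-in with the two calls used below, so the script can be
    dry-run without a PandwaRF passed through to the VM."""
    def __init__(self):
        self.freq_hz = 0

    def setFreq(self, freq_hz):
        self.freq_hz = int(freq_hz)

    def getFreq(self):
        # rflib's getFreq() returns (frequency, hex register value) (assumption).
        return (self.freq_hz, hex(self.freq_hz))

    def ping(self, count=10):
        # rflib's ping() returns a tuple starting with the good and bad counts
        # (assumption); every offline ping "succeeds".
        return (count, 0)


def open_dongle():
    """Lazy import so the module loads without rflib; RfCat() raises when no
    dongle is attached (see the appendix of errors for the USB ones)."""
    from rflib import RfCat  # shipped in PandwaRF/SW/rfcat
    return RfCat()


def tune_and_ping(d, freq_hz, count=5):
    """Validate, tune, read the frequency back, then ping the firmware over USB.
    Returns (reported_hz, ping_result)."""
    check_frequency(freq_hz)
    d.setFreq(freq_hz)
    reported = d.getFreq()
    reported_hz = reported[0] if isinstance(reported, tuple) else reported
    return int(round(reported_hz)), d.ping(count=count)


if __name__ == "__main__":
    # usage: python pandwarf_session.py [MHz] [--offline]
    args = [a for a in sys.argv[1:] if a != "--offline"]
    target_hz = mhz_to_hz(args[0] if args else "433.92")
    d = OfflineDongle() if "--offline" in sys.argv else open_dongle()
    hz, ping = tune_and_ping(d, target_hz)
    print("tuned to %.3f MHz, ping result %r" % (hz / 1000000.0, ping))
```

Run it as python pandwarf_session.py 433.92 with the dongle connected to the VM, or add --offline to exercise the flow without hardware. The band check is the part worth keeping in your own scripts: an out-of-band value is accepted by the radio registers but gives confusing results, and a ValueError up front is much easier to diagnose than silence on the air.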

Appendix of Errors

I got a variety of errors while starting to work with the PandwaRF. The following shows the most common error:

Operation timed out

To aid Google hunters, the following is the text from that error:

Error in resetup():USBError(110, u'Operation timed out')

Googling this error hits standard rfcat posts and rarely anything PandwaRF-specific. A forum post within the PandwaRF community pages stated that you should disconnect the device from the USB port and then connect it back in at this point. True facts folks, that does indeed fix it:

Fixed Operation Timed out error
The green text is the interactive python shell and we can now execute commands.

Next up is one that is definitely because of my carelessness:

Resource Busy Error

For Google fans, here is the top line text:

Error claiming usb interface:USBError(16, u'Resource busy')

If you get this, you are already running rfcat in some forgotten terminal tab. As I said, this one was definitely me being careless!

When using "rfcat -s" to "start spectrum analyzer" I saw a missing dependency error from Python, as shown:

No module named PySide

The following shows the apt-get command to solve that dependency:

apt-get install python-pyside.qtgui

After satisfying that package the spectrum analyzer launched successfully as shown:

Spectrum Analyzer
Neat now to investigate the spikes...
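As an added example (not code from this post or from the PandwaRF project), the following script turns the three appendix errors into a preflight check you can run in the Kali VM before launching rfcat: it parses lsusb for the OpenMoko entry, looks for an rfcat already running in another terminal, and tests whether PySide imports. The sample lsusb and ps output embedded in it is constructed, with a placeholder product ID; only the vendor name is matched, as in the lsusb screenshot earlier in the post.

```python
"""Preflight check before running rfcat in the Kali VM, covering the three
failures in the appendix: no PandwaRF passed through, "Resource busy" because
rfcat is already running in a forgotten tab, and the missing PySide module.
Added example, not code from the original post or the PandwaRF project."""
import os
import re
import subprocess

# Constructed sample output, roughly what lsusb prints in the VM; the
# product ID 0000 is a placeholder, only the "OpenMoko" vendor name matters here.
SAMPLE_LSUSB_OK = """\
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 003 Device 004: ID 1d50:0000 OpenMoko, Inc. RfCat
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
SAMPLE_LSUSB_MISSING = """\
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
# Constructed sample of "ps -eo pid,args": an rfcat session left open elsewhere.
SAMPLE_PS_BUSY = """\
  PID COMMAND
    1 /sbin/init
 4242 /usr/bin/python /root/PandwaRF/SW/rfcat/rfcat -r
 4300 ps -eo pid,args
"""

LSUSB_RE = re.compile(r"Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4}) ?(.*)")
# The rfcat command token itself, not a path component such as PandwaRF/SW/rfcat/.
RFCAT_CMD_RE = re.compile(r"\brfcat\b(?=\s|$)")


def parse_lsusb(text):
    """Turn lsusb output into a list of dicts with bus, dev, vid, pid, name."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.append({"bus": m.group(1), "dev": m.group(2),
                            "vid": m.group(3), "pid": m.group(4),
                            "name": m.group(5).strip()})
    return devices


def find_pandwarf(lsusb_text):
    """The PandwaRF shows up as an OpenMoko device (see the lsusb screenshot)."""
    for dev in parse_lsusb(lsusb_text):
        if "openmoko" in dev["name"].lower():
            return dev
    return None


def find_rfcat_processes(ps_text, skip_pid=None):
    """PIDs of running rfcat instances from "ps -eo pid,args" output."""
    pids = []
    for line in ps_text.splitlines()[1:]:  # skip the PID COMMAND header
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and RFCAT_CMD_RE.search(parts[1]):
            pid = int(parts[0])
            if pid != skip_pid:
                pids.append(pid)
    return pids


def pyside_available():
    """rfcat -s imports PySide; it was missing on the stock Kali image."""
    try:
        import PySide  # noqa: F401
        return True
    except ImportError:
        return False


def preflight(lsusb_text, ps_text, pyside):
    """Map each condition to the fix the appendix gives. Empty list means go."""
    problems = []
    if find_pandwarf(lsusb_text) is None:
        problems.append("no OpenMoko device in lsusb: connect the dongle via "
                        "VM > Removable Devices and make sure Enable USB is "
                        "ticked in the Android app")
    busy = find_rfcat_processes(ps_text, skip_pid=os.getpid())
    if busy:
        problems.append("rfcat already running (pid %s): close it or expect "
                        "USBError(16, 'Resource busy')" % ", ".join(map(str, busy)))
    if not pyside:
        problems.append("PySide missing: apt-get install python-pyside.qtgui "
                        "before using rfcat -s")
    return problems


def main():
    lsusb = subprocess.check_output(["lsusb"]).decode("utf-8", "replace")
    ps = subprocess.check_output(["ps", "-eo", "pid,args"]).decode("utf-8", "replace")
    problems = preflight(lsusb, ps, pyside_available())
    for p in problems or ["all checks passed, try rfcat -r"]:
        print(p)
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it in the VM as python rfcat_preflight.py; a non-zero exit with the list of problems tells you which of the three fixes above to apply. The "Operation timed out" error is not covered because nothing in the guest distinguishes it ahead of time; the unplug-and-replug remedy remains the answer for that one.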