Posted on 11th September 2017 by Paul Ritchie
Secarma are getting more requests from customers for product reviews, radio frequency analysis and hardware hacking in general. This is mostly due to the proliferation of IoT devices, which are making these skills more relevant than ever. While we already have several experts in these areas, that is because those individuals explored their own curiosity. Here I am starting my own journey.
I am a self-confessed hardware and RF noob, as I have spent my career mostly at the application layer. 2017 was the year I set myself the goal of teaching this old dog new tricks. By documenting my baby steps, it is my hope to fill some of what I am going to call the "documentation gap". While some areas I have dipped my toe in already have stunning documentation, others are very much at the bleeding edge. PandwaRF is somewhere closer to cutting yourself at the moment.
The first gap I am tackling is getting the PandwaRF working within a Kali Linux VM using VMWare Workstation on a Windows host. We bought ourselves a PandwaRF from here:
You can install an Android application, but I also wanted to operate this from within a Kali Linux VM. My end goal is creating a VM that I can redistribute among the team which "works" for all of the juicy devices that have been made available to me (not just PandwaRF).
I learn best if I think I am going to be passing on the knowledge someday as it pushes me to make appropriate notes and ensure steps are reproducible. Operating from a Windows Host into a VM is rated as "untested" on all the documentation that I read. So I figured I would briefly document how I got on with this.
Enabling USB for the VM was relatively painless, but the device will not work at all until "Enable USB" has been ticked.
To ensure I had a clean VM I downloaded the most recent Kali VM image from here:
I booted that image in VMWare Workstation and updated all packages with the usual commands:
apt-get update
apt-get upgrade
Within the Virtual Machine Settings screen I altered the USB Controller to operate over USB 3.0 as shown below:
|Enable USB 3.0 Compatibility|
At this point I plugged the PandwaRF into the Windows host via USB.
Note: before I installed all firmware updates on the PandwaRF, this did absolutely nothing but complain. After the latest updates were applied I had more success and was able to use the "VM" -> "Removable Devices" menu option to select the PandwaRF Dongle as shown below:
|Connect removable media to Kali VM|
|OpenMoko in "lsusb" output means PandwaRF is connected|
Great so everything was connected and I could now start to play with RfCat!
At this point, unplug the PandwaRF and reconnect it so that you get a prompt asking whether to automatically connect the device to the Kali VM on future reconnections. This is important, since various parts of debugging rely on disconnecting and reconnecting, and we do not want Windows getting any ideas about using our device!
This article from VMWare covers automatically connecting a device:
The vendor has made a quick start guide located here:
As it says itself: "We didn't test it on an Ubuntu image on a virtual machine running on Windows." Hence this article, although we want Kali instead of Ubuntu.
The PandwaRF has a customised version of the RFCat application. To download this you should use the following git command:
git clone https://github.com/ComThings/PandwaRF.git
The customised version of RFCat is in the "PandwaRF/SW/rfcat" folder. For me, all of rfcat's dependencies already appeared to be present in that new Kali image (and remember I started with the stock VM here).
The documentation says not to use the "setup.py" installation approach; instead we cd into the rfcat folder and execute rfcat directly from there. Fans of shortcuts can, however, add the rfcat folder to their PATH variable as shown:
cd <path to PandwaRF/SW/rfcat/>
# \$PATH is escaped so .bashrc extends PATH at each login instead of baking in today's value
echo "export PATH=$(pwd):\$PATH" >> ~/.bashrc
source ~/.bashrc
At this point you should have permanently added the PandwaRF-modified rfcat to your executable path. To check, execute the "which rfcat" command:
|Putting rfcat into your path|
The usage information for RfCat is shown below:
usage: rfcat [-h] [-r] [-i INDEX] [-s] [-f BASEFREQ] [-c INC] [-n SPECCHANS] [--bootloader] [--force]

optional arguments:
  -h, --help            show this help message and exit
  -r, --research        Interactive Python and the "d" instance to talk to your dongle. melikey longtime.
  -i INDEX, --index INDEX
  -s, --specan          start spectrum analyzer
  -f BASEFREQ, --basefreq BASEFREQ
  -c INC, --inc INC
  -n SPECCHANS, --specchans SPECCHANS
  --bootloader          trigger the bootloader (use in order to flash the dongle)
  --force               use this to make sure you want to set bootloader mode (you *must* flash after setting --bootloader)
The easiest entry seems to be "-r" which drops us into an interactive python shell with which we can play with the API via the "d" instance.
Execute rfcat -r and if the stars are in the right place you will be dropped into an interactive python shell as shown:
|Rfcat -r interactive python shell|
Who does not love tab autocomplete? I for one am a big fan. What does "ping" do though:
|Pinging the alphabet|
I got a variety of errors while starting to work with the PandwaRF. The following shows the most common error:
|Operation timed out|
Error in resetup():USBError(110, u'Operation timed out')
Googling this error will hit standard rfcat posts and rarely hits the PandwaRF specifically. Google did, however, turn up a forum post on the PandwaRF community pages stating that you should disconnect the device from the USB port and then connect it back in at this point. True facts, folks: that does indeed fix it:
|Fixed Operation Timed out error|
Next up is one that is definitely because of my carelessness:
|Resource Busy Error|
Error claiming usb interface:USBError(16, u'Resource busy')
If you get this, you are already running rfcat in some forgotten terminal tab. As I said, this one was definitely me being careless!
When using "rfcat -s" to "start spectrum analyzer" I saw a missing-dependency error from Python, as shown:
|No module named PySide|
apt-get install python-pyside.qtgui
After satisfying that package the spectrum analyzer launched successfully as shown:
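A post-install sanity check written for this walkthrough (an added example, not code from the PandwaRF repository or from the original post): it confirms the dongle is visible in lsusb as "OpenMoko", that the rfcat folder is the first PATH entry the .bashrc line created, lists any system commands that folder now shadows (the cost of putting a writable git checkout at the front of PATH), and maps the three errors met above to the fix that worked for each. The script name and the RFCAT_DIR default are assumptions.

```shell
#!/bin/sh
# pandwarf_check.sh: sanity checks for the PandwaRF-in-Kali-VM setup described in
# this post. Added example; the script name and RFCAT_DIR default are assumptions.
RFCAT_DIR="${RFCAT_DIR:-$HOME/PandwaRF/SW/rfcat}"
# Once VMware hands the dongle to the VM it appears as "OpenMoko" in lsusb.
# Takes the lsusb text as $1 so captured output can be checked the same way.
usb_has_pandwarf() {
    printf '%s\n' "$1" | grep -qi 'openmoko'
}
# The .bashrc line prepends the rfcat folder, so it must be the FIRST PATH entry
# or "which rfcat" may find some other copy. $1 = PATH value, $2 = rfcat folder.
rfcat_dir_first() {
    first=$(printf '%s\n' "$1" | cut -d: -f1 | sed 's,/*$,,')
    want=$(printf '%s\n' "$2" | sed 's,/*$,,')
    [ "$first" = "$want" ]
}
# A writable git checkout at the front of PATH shadows every system command whose name
# matches an executable inside it. One line per collision. $1 = rfcat folder, $2 = PATH.
path_shadowing() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        printf '%s\n' "$2" | tr ':' '\n' | while read -r dir; do
            if [ -n "$dir" ] && [ "$dir" != "$1" ] && [ -x "$dir/$name" ]; then
                echo "$name shadows $dir/$name"
            fi
        done
    done
}
# Map the rfcat errors met in this post to the fix that worked. Returns 1 if unknown.
rfcat_error_hint() {
    case "$1" in
        *'USBError(110,'*)          echo "replug: disconnect the dongle and reconnect it to the VM" ;;
        *'USBError(16,'*)           echo "busy: rfcat is already running in another terminal" ;;
        *'No module named PySide'*) echo "install: apt-get install python-pyside.qtgui" ;;
        *)                          echo "unknown: $1"; return 1 ;;
    esac
}
main() {
    usb_has_pandwarf "$(lsusb 2>/dev/null)" && echo "ok: PandwaRF (OpenMoko) visible in lsusb" ||
        echo "fail: dongle not attached to the VM (VM -> Removable Devices)"
    rfcat_dir_first "$PATH" "$RFCAT_DIR" && echo "ok: rfcat resolves to $RFCAT_DIR" ||
        echo "fail: $RFCAT_DIR is not the first PATH entry"
    path_shadowing "$RFCAT_DIR" "$PATH"
    # a forgotten rfcat session still holds the USB interface (Resource busy)
    pgrep -f rfcat >/dev/null 2>&1 && echo "warn: rfcat already running, expect USBError(16)"
}
if [ "${1-}" = check ]; then main; fi   # run as: sh pandwarf_check.sh check
```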