EvilCrowRF_Custom_Firmware_CC1101_FlipperZero

Idea, development and implementation of this firmware: h-RAT (https://github.com/h-RAT/).

Discord: h-RAT#2465

Idea, development and implementation of the original firmware: Joel Serna (@JoelSernaMoreno - https://github.com/joelsernamoreno/).

Main collaborator: Little Satan (https://github.com/LSatan/)

PCB design: Ignacio Díaz Álvarez (@Nacon_96), Forensic Security (@ForensicSec) and April Brother (@aprbrother).

Manufacturer and distributor: April Brother (@aprbrother).

Distributor from United Kingdom: KSEC Worldwide (@KSEC_KC).

For sale with April Brother (shipping from China):

• Evil Crow RF V2 Aliexpress: https://aliexpress.com/item/1005004019072519.html
• Evil Crow RF V2 Lite (without NRF2401L) Aliexpress: https://aliexpress.com/item/1005004032930927.html
• Evil Crow RF V2 Alibaba: https://www.alibaba.com/product-detail/Evil-Crow-RF2-signal-receiver-with_1600467911757.html

For sale with KSEC Worldwide (shipping from United Kingdom):

• Evil Crow RF V2: https://labs.ksec.co.uk/product/evil-crow-rf-v2/
• Evil Crow RF V2 Lite: https://labs.ksec.co.uk/product/evil-crow-rf2-lite/

Discord Group: https://discord.gg/evilcrowrf

Preview

• Kaiju analyze example: https://www.youtube.com/watch?v=-UQZsz2dbqI
• Kaiju rolling code example: https://www.youtube.com/watch?v=AoA9FV-VG6w
• Rollback example: https://www.youtube.com/watch?v=LSzn4hr09bA

Summary

Introduction

Installation

• 1) SD Files
• 2) Firmware
• 3) Webpanel
• 4) Rolljam Firmware

Features

• 1) Record
• 2) Transmit
• 3) Saved
• 4) Jammer
• 5) Scanner
• 6) Bruteforcer
• 7) CC1101 Settings
• 8) Kaiju Analyze
• 9) Kaiju Rolling Codes
• 10) Rolljam Attack
• 11) Rollback Attack
• 12) ECRF Logs
• 13) ECRF Settings
• 14) Firmware Update

Disclaimer

Introduction

This firmware is an alternative to the EvilCrowRF default firmware.

This firmware allows the following attacks:

• Record Signal RAW Data
• Record Signal Binary
• Transmit .SUB File
• Transmit RAW
• Transmit Binary
• Transmit Decimal**
• Kaiju Analyze
• Kaiju Rolling Codes
• Signal Scanner
• Bruteforce**
• Rolljam
• Rollback
• Jammer
• ...

**Supported protocol: Princeton (24bits) , Holtek HT12X (12bits) , CAME (12bits) , CAME (18bits) , CAME (24bits) , CAME (25bits) , SMC5326 (25bits) , Nice FLO (12bits) , Nice FLO (24bits) , GateTX (24bits)

Installation

1) SD Files

• Download and place the 'CONFIG' folder on a MicroSD card.
• Download and place the 'HTML' folder on a MicroSD card.
• Download and pPlace the 'SUBGHZ' folder on a MicroSD card.

.SUB File

• Place your file** (.sub) in the 'SUBGHZ' folder.

**Supported protocol: AlutechAT, Ansonic, BETT, CAME, Clemsa, Doitrand, Dooya, FAAC, GateTX, Holtek, Holtek HT12X, Hormann, IntertechnoV3, KeeLoq, Linear, LinearDelta3, Magellan, Marantec, Nero Radio, Nero Sketch, Nice FLO, PhoenixV2, PowerSmart, Princeton, RAW, SMC5326, Security+ 1.0, Security+ 2.0, Starline, UNILARM

2) Firmware

• Install the .bin from OTA
• or -->
• Download & execute ESPHome-Flasher
• Select COM port
• Select .bin file
• Press Flash ESP (You may need to put your device in download mode)

ESPHome-Flasher

3) Webpanel

• Connect your mobile/laptop/computer to this Wi-Fi:

SSID: ECRF
Password: 123456789

• Open a browser and navigate to the web panel. (Default IP: 192.168.4.1)

• Enjoy

4) Rolljam Firmware

Download and upload Rolljam firmware on your second device.

• Install the .bin from OTA
• or -->
• Download & execute ESPHome-Flasher
• Select COM port
• Select .bin file
• Press Flash ESP (You may need to put your device in download mode)

ESPHome-Flasher

The first device must be powered ON and connected to the default ECRF network. (SSID: ECRF | Password: 123456789)

• Plug your second device into your computer and get the IP address from the serial monitor. (Baudrate: 38400)

• Go to the EvilCrowRF web panel and set the IP address of the second device. (ECRF Settings -> Jammer Device -> Local IP Address)

• Now you can start a rolljam attack.

Features

1) Record

You have the choice to use the existing presets:

• Custom ( Custom CC1101 Settings )
• AM270 ( Modulation: ASK/OOK | Bandwidth: 270.83 kHz )
• AM650 ( Modulation: ASK/OOK | Bandwidth: 650.00 kHz )
• FM238 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 2.38 kHz)
• FM4768 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 47.61 kHz)

You can adjust the minimum RSSI.

Received signal format:

• RAW Data with sample count:
• -1004 370 -424 404 -389 405 -389 403 -421 374 -420 373 -388 406 -421 408 -389 409 -386 409 | Sample: 20
• Binary with symbol count:
• 1001001001001001001101101101101101001101101001001001001001101101001101101101101101101001101101001 | Symbol: 398

Possibility to send the signal in flipper zero .sub file format.

Possibility to analyze the signal with Kaiju.

Possibility to save the signal in flipper zero .sub file format.

2) Transmit

You can send a decimal signal with a known protocol:

• Princeton
• Holtek HT12X
• CAME
• SMC5326
• Nice FLO
• GateTX

You can send a RAW signal.

You can send a binary signal with symbol count.

3) Saved

You can upload a signal (.sub) to the MicroSD card from the webpanel.

You can send a signal (.sub) from the MicroSD card.

• Max. Lenght: 4096

You can download a signal (.sub) from the MicroSD card.

You can delete a signal (.sub) from the MicroSD card.

You can apply a signal to a button to send it later.

• Button 1
• Button 2

4) Jammer

You can jam both frequency at the same time.

You can select many jamming power:

• 12 (Max.)
• 11
• 10
• 7
• 5
• 0 (Min.)

5) Scanner

You can scan with min. RSSI many frequencies:

• 300.00 mHz
• 303.87 mHz
• 304.25 mHz
• 315.00 mHz
• 318.00 mHz
• 390.00 mHz
• 418.00 mHz
• 433.07 mHz
• 433.92 mHz
• 434.42 mHz
• 434.77 mHz
• 438.90 mHz
• 868.30 mHz
• 868.35 mHz
• 868.86 mHz
• 868.95 mHz
• 915.00 mHz
• 925.00 mHz

You can apply the frequency found.

6) Bruteforcer

You can bruteforce a decimal signal with a known protocol:

• Princeton (24bits)
• Holtek HT12X (12bits)
• CAME (12bits)
• CAME (18bits)
• CAME (24bits)
• CAME (25bits)
• SMC5326 (25bits)
• Nice FLO (12bits)
• Nice FLO (24bits)
• GateTX(24bits)


• Max. Decimal: 2147483647

You can bruteforce the jukebox:

• Free Credit
• Pause Song
• Skip Song
• Volume UP
• Volume DOWN
• Power OFF
• Lock Queue


• Default ID (0x00) used. Most jukeboxes use the default ID.

You can bruteforce DIP Switch remote controls:

• Linear Multicode (10DIP)
• Stanley Multicode (10DIP)
• Chamberlain (9DIP)
• Chamberlain (8DIP)
• Chamberlain (7DIP)
• Linear MooreMatic (8DIP)

You can send De Bruijn sequences (Open Sesame):

• Linear Multicode (10bits)
• Stanley Multicode (10bits)
• Chamberlain (9bits)
• Linear MooreMatic (8bits)

7) CC1101 Settings

You have the choice to use the existing presets:

• Custom ( Custom CC1101 Settings )
• AM270 ( Modulation: ASK/OOK | Bandwidth: 270.83 kHz )
• AM650 ( Modulation: ASK/OOK | Bandwidth: 650.00 kHz )
• FM238 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 2.38 kHz)
• FM4768 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 47.61 kHz)

You can assign a module for RX:

• Module 1
• Module 2

You can assign a module for TX:

• Module 1
• Module 2

You can assign a frequency:

• Range: 300.00 mHz to 348.00 mHz
• Range: 387.00 mHz to 464.00 mHz
• Range: 779.00 mHz to 928.00 mHz

You can assign a modulation:

• ASK/OOK
• 2FSK

You can assign a bandwidth:

• Range: 58.03 mHz to 812.50 kHz

You can assign a deviation:

• Range: 1.58 mHz to 385.85.00 kHz

You can assign a datarate:

• Range: 0.02 mHz to 1621.83 kBaud

You can assign a packet format:

• Synchronous
• Radnom
• Asynchronous

8) Kaiju Analyze

You can analyze the signals received with Kaiju.

9) Kaiju Rolling Codes

You can generate rolling codes with Kaiju.

You can send the rolling codes generated.

You can save the rolling codes generated.

10) Rolljam Attack

You can perform a rolljam attack with different parameters:

• Record Frequency
• Record Modulation
• Jammer Frequency (Usually: Record Frequency - 0.10 mHz)
• Jammer Power

You can send the second signal.

You can save the second signal to send it later.

11) Rollback Attack

You can perform a rollback attack with different parameters:

• Record Frquency
• Record Modulation
• Time Frame
• Signal Required

You can send the rollback sequence.

You can save the rollback sequence to send it later.

12) ECRF Logs

You can view the device logs.

You can download the device logs.

You can delete the device logs.

13) ECRF Settings

You can view the device uptime.

You can view the device free ram.

You can assign your kaiju token.

You can assign an action to the button:

• Send Tesla (US) Signal
• Send Tesla (EU) Signal
• Start Record Signal
• Send Last Recorded Signal
• Send SD Selected Signal
• Start Jammer (315.00 mHz)
• Start Jammer (433.92 mHz)
• Start Jammer (868.35 mHz)
• Stop Jammer

You can adjust wifi settings.

14) Firmware Update

You can update the firmware from the web panel.

Disclaimer

Evil Crow RF is a basic device for professionals and cybersecurity enthusiasts.

We are not responsible for the incorrect use of Evil Crow RF.

Be careful with this device and the transmission of signals. Make sure to follow the laws that apply to your country.