EvilCrowRF_Custom_Firmware_CC1101_FlipperZero
Idea, development and implementation of this firmware: h-RAT (https://github.com/h-RAT/).
Discord: h-RAT#2465
Idea, development and implementation of the original firmware: Joel Serna (@JoelSernaMoreno - https://github.com/joelsernamoreno/).
Main collaborator: Little Satan (https://github.com/LSatan/)
PCB design: Ignacio Díaz Álvarez (@Nacon_96), Forensic Security (@ForensicSec) and April Brother (@aprbrother).
Manufacturer and distributor: April Brother (@aprbrother).
Distributor from United Kingdom: KSEC Worldwide (@KSEC_KC).
For sale with April Brother (shipping from China):
- Evil Crow RF V2 Aliexpress: https://aliexpress.com/item/1005004019072519.html
- Evil Crow RF V2 Lite (without NRF2401L) Aliexpress: https://aliexpress.com/item/1005004032930927.html
- Evil Crow RF V2 Alibaba: https://www.alibaba.com/product-detail/Evil-Crow-RF2-signal-receiver-with_1600467911757.html
For sale with KSEC Worldwide (shipping from United Kingdom):
- Evil Crow RF V2: https://labs.ksec.co.uk/product/evil-crow-rf-v2/
- Evil Crow RF V2 Lite: https://labs.ksec.co.uk/product/evil-crow-rf2-lite/
Discord Group: https://discord.gg/evilcrowrf
Preview
Summary
Introduction
Installation
Features
Disclaimer
Introduction
This firmware is an alternative to the EvilCrowRF default firmware.
This firmware allows the following attacks:
- Record Signal RAW Data
- Record Signal Binary
- Transmit .SUB File
- Transmit RAW
- Transmit Binary
- Transmit Decimal**
- Kaiju Analyze
- Kaiju Rolling Codes
- Signal Scanner
- Bruteforce**
- Rolljam
- Rollback
- Jammer
- ...
**Supported protocols: Princeton (24bits), Holtek HT12X (12bits), CAME (12bits), CAME (18bits), CAME (24bits), CAME (25bits), SMC5326 (25bits), Nice FLO (12bits), Nice FLO (24bits), GateTX (24bits)
Installation
1) SD Files
- Download and place the 'CONFIG' folder on a MicroSD card.
- Download and place the 'HTML' folder on a MicroSD card.
- Download and place the 'SUBGHZ' folder on a MicroSD card.
.SUB File
- Place your file** (.sub) in the 'SUBGHZ' folder.
**Supported protocols: AlutechAT, Ansonic, BETT, CAME, Clemsa, Doitrand, Dooya, FAAC, GateTX, Holtek, Holtek HT12X, Hormann, IntertechnoV3, KeeLoq, Linear, LinearDelta3, Magellan, Marantec, Nero Radio, Nero Sketch, Nice FLO, PhoenixV2, PowerSmart, Princeton, RAW, SMC5326, Security+ 1.0, Security+ 2.0, Starline, UNILARM
2) Firmware
- Install the .bin from OTA
- or -->
- Download & execute ESPHome-Flasher
- Select COM port
- Select .bin file
- Press Flash ESP (You may need to put your device in download mode)
ESPHome-Flasher
3) Webpanel
- Connect your mobile/laptop/computer to this Wi-Fi:
SSID: ECRF
Password: 123456789
4) Rolljam Firmware
Download and upload Rolljam firmware on your second device.
- Install the .bin from OTA
- or -->
- Download & execute ESPHome-Flasher
- Select COM port
- Select .bin file
- Press Flash ESP (You may need to put your device in download mode)
ESPHome-Flasher
- The first device must be powered ON and connected to the default ECRF network. (SSID: ECRF | Password: 123456789)
- Plug your second device into your computer and get the IP address from the serial monitor. (Baudrate: 38400)
- Go to the EvilCrowRF web panel and set the IP address of the second device. (ECRF Settings -> Jammer Device -> Local IP Address)
- Now you can start a rolljam attack.
Features
1) Record
You have the choice to use the existing presets:
- Custom ( Custom CC1101 Settings )
- AM270 ( Modulation: ASK/OOK | Bandwidth: 270.83 kHz )
- AM650 ( Modulation: ASK/OOK | Bandwidth: 650.00 kHz )
- FM238 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 2.38 kHz)
- FM4768 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 47.61 kHz)
You can adjust the minimum RSSI.
Received signal format:
- RAW Data with sample count:
- -1004 370 -424 404 -389 405 -389 403 -421 374 -420 373 -388 406 -421 408 -389 409 -386 409 | Sample: 20
- Binary with symbol count:
- 1001001001001001001101101101101101001101101001001001001001101101001101101101101101101001101101001 | Symbol: 398
Possibility to send the signal in Flipper Zero .sub file format.
Possibility to analyze the signal with Kaiju.
Possibility to save the signal in Flipper Zero .sub file format.
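Added example (not part of the original firmware or README): a Python check for the "RAW Data with sample count" line format shown above, useful when reviewing a capture offline. It assumes the Flipper Zero RAW_Data convention (positive values are carrier-on durations, negative values carrier-off durations, in microseconds); parse_raw_line and summarize are hypothetical helper names.

```python
import re
from statistics import median

# Constructed input: the RAW capture line shown in the "Record" section above.
SAMPLE = ("-1004 370 -424 404 -389 405 -389 403 -421 374 -420 373 "
          "-388 406 -421 408 -389 409 -386 409 | Sample: 20")


def parse_raw_line(line):
    """Return the signed durations of a 'd1 d2 ... | Sample: N' line.

    Raises ValueError if a token is not a non-zero integer or if the
    declared sample count does not match the number of durations.
    """
    body, sep, tail = line.partition("|")
    durations = [int(tok) for tok in body.split()]  # int() raises ValueError
    if 0 in durations:
        raise ValueError("zero-length sample")
    if sep:
        m = re.fullmatch(r"\s*Sample:\s*(\d+)\s*", tail)
        if m is None:
            raise ValueError("malformed sample count")
        if int(m.group(1)) != len(durations):
            raise ValueError("declared count %s != %d parsed"
                             % (m.group(1), len(durations)))
    return durations


def summarize(durations):
    """Basic sanity figures for a capture (sign convention is assumed)."""
    mags = [abs(d) for d in durations]
    base = median(mags)  # typical element length in the capture
    return {
        "samples": len(durations),
        "total": sum(mags),
        "base": base,
        # Consecutive samples with the same sign mean a dropped edge.
        "sign_errors": [i for i in range(1, len(durations))
                        if (durations[i] > 0) == (durations[i - 1] > 0)],
        # Elements far longer than the base are gaps between frames.
        "long_gaps": [i for i, m in enumerate(mags) if m > 2 * base],
    }


if __name__ == "__main__":
    print(summarize(parse_raw_line(SAMPLE)))
```

For the sample line, the only long gap is the leading -1004 element, and the remaining elements cluster around 400, which is what a single-timing OOK capture looks like.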
2) Transmit
You can send a decimal signal with a known protocol:
- Princeton
- Holtek HT12X
- CAME
- SMC5326
- Nice FLO
- GateTX
You can send a RAW signal.
You can send a binary signal with symbol count.
3) Saved
You can upload a signal (.sub) to the MicroSD card from the webpanel.
You can send a signal (.sub) from the MicroSD card.
You can download a signal (.sub) from the MicroSD card.
You can delete a signal (.sub) from the MicroSD card.
You can apply a signal to a button to send it later.
4) Jammer
You can jam both frequencies at the same time.
You can select from several jamming power levels:
- 12 (Max.)
- 11
- 10
- 7
- 5
- 0 (Min.)
5) Scanner
You can scan many frequencies with a minimum RSSI:
- 300.00 MHz
- 303.87 MHz
- 304.25 MHz
- 315.00 MHz
- 318.00 MHz
- 390.00 MHz
- 418.00 MHz
- 433.07 MHz
- 433.92 MHz
- 434.42 MHz
- 434.77 MHz
- 438.90 MHz
- 868.30 MHz
- 868.35 MHz
- 868.86 MHz
- 868.95 MHz
- 915.00 MHz
- 925.00 MHz
You can apply the frequency found.
6) Bruteforcer
You can bruteforce a decimal signal with a known protocol:
- Princeton (24bits)
- Holtek HT12X (12bits)
- CAME (12bits)
- CAME (18bits)
- CAME (24bits)
- CAME (25bits)
- SMC5326 (25bits)
- Nice FLO (12bits)
- Nice FLO (24bits)
- GateTX (24bits)
- Max. Decimal: 2147483647
You can bruteforce the jukebox:
- Free Credit
- Pause Song
- Skip Song
- Volume UP
- Volume DOWN
- Power OFF
- Lock Queue
- Default ID (0x00) used. Most jukeboxes use the default ID.
You can bruteforce DIP Switch remote controls:
- Linear Multicode (10DIP)
- Stanley Multicode (10DIP)
- Chamberlain (9DIP)
- Chamberlain (8DIP)
- Chamberlain (7DIP)
- Linear MooreMatic (8DIP)
You can send De Bruijn sequences (Open Sesame):
- Linear Multicode (10bits)
- Stanley Multicode (10bits)
- Chamberlain (9bits)
- Linear MooreMatic (8bits)
7) CC1101 Settings
You have the choice to use the existing presets:
- Custom ( Custom CC1101 Settings )
- AM270 ( Modulation: ASK/OOK | Bandwidth: 270.83 kHz )
- AM650 ( Modulation: ASK/OOK | Bandwidth: 650.00 kHz )
- FM238 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 2.38 kHz)
- FM4768 ( Modulation: 2FSK | Bandwidth: 270.83 kHz | Deviation: 47.61 kHz)
You can assign a module for RX:
You can assign a module for TX:
You can assign a frequency:
- Range: 300.00 MHz to 348.00 MHz
- Range: 387.00 MHz to 464.00 MHz
- Range: 779.00 MHz to 928.00 MHz
You can assign a modulation:
You can assign a bandwidth:
- Range: 58.03 mHz to 812.50 kHz
You can assign a deviation:
- Range: 1.58 mHz to 385.85.00 kHz
You can assign a datarate:
- Range: 0.02 mHz to 1621.83 kBaud
You can assign a packet format:
- Synchronous
- Random
- Asynchronous
8) Kaiju Analyze
You can analyze the signals received with Kaiju.
9) Kaiju Rolling Codes
You can generate rolling codes with Kaiju.
You can send the rolling codes generated.
You can save the rolling codes generated.
10) Rolljam Attack
You can perform a rolljam attack with different parameters:
- Record Frequency
- Record Modulation
- Jammer Frequency (Usually: Record Frequency - 0.10 MHz)
- Jammer Power
You can send the second signal.
You can save the second signal to send it later.
11) Rollback Attack
You can perform a rollback attack with different parameters:
- Record Frequency
- Record Modulation
- Time Frame
- Signal Required
You can send the rollback sequence.
You can save the rollback sequence to send it later.
12) ECRF Logs
You can view the device logs.
You can download the device logs.
You can delete the device logs.
13) ECRF Settings
You can view the device uptime.
You can view the device free RAM.
You can assign your Kaiju token.
You can assign an action to the button:
- Send Tesla (US) Signal
- Send Tesla (EU) Signal
- Start Record Signal
- Send Last Recorded Signal
- Send SD Selected Signal
- Start Jammer (315.00 MHz)
- Start Jammer (433.92 MHz)
- Start Jammer (868.35 MHz)
- Stop Jammer
You can adjust Wi-Fi settings.
14) Firmware Update
You can update the firmware from the web panel.
Disclaimer
Evil Crow RF is a basic device for professionals and cybersecurity enthusiasts.
We are not responsible for the incorrect use of Evil Crow RF.
Be careful with this device and the transmission of signals. Make sure to follow the laws that apply to your country.