rfcat
Rfcat is a Swiss army knife for sub-GHz radio analysis. It aids security researchers in reverse-engineering hardware by reducing the time needed to create custom tools for unknown targets.
Description
Rfcat is a versatile sub-GHz analysis tool designed to streamline security research and hardware reverse-engineering. By providing an interactive Python interface and specialized utilities, it enables rapid prototyping and analysis of sub-GHz radio communications commonly found in IoT devices, remote controls, and wireless sensors.
The toolset includes rfcat for direct radio interaction, rfcat_bootloader for firmware management on compatible devices, rfcat_msfrelay for integration with Metasploit, and rfcat_server for remote operations. These components support spectrum analysis, signal transmission/reception, and device firmware manipulation, making rfcat essential for analyzing proprietary wireless protocols.
Primary use cases include identifying unknown signal frequencies, decoding custom modulation schemes, replaying captured signals, and flashing custom firmware to sub-GHz transceivers for deeper protocol analysis.
How It Works
Rfcat interfaces with sub-GHz radio dongles (typically Yard Stick One) via USB, providing Pythonic control over transmission, reception, and spectrum analysis. The core rfcat command spawns an interactive IPython shell with a 'd' instance that exposes low-level radio functions like frequency setting, modulation control, and bitstream manipulation. The bootloader utility communicates with the CC bootloader protocol on Texas Instruments chips to manage firmware pages, enabling custom firmware deployment without hardware modifications. MSF relay mode bridges rfcat's capabilities to Metasploit Framework, exposing radio functions as RPC endpoints for exploit integration.
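An added example, not code from the rfcat project: the post-capture half of the workflow the paragraph above describes. It assumes the capture is a packed-bit buffer of the kind rflib's d.RFrecv() returns as (data, timestamp) after d.setMdmModulation(MOD_ASK_OOK), sampled at one sample per symbol slot, and assumes a PWM-style OOK encoding (a '1' symbol is 3 high slots then 1 low, a '0' symbol is 1 high then 3 low); rflib is not imported, so it runs offline on a constructed buffer.

```python
# Added example, not rfcat's own code. Assumed: the buffer is a packed-bit OOK
# capture from rflib's d.RFrecv(), one sample per symbol slot, and the target
# uses PWM-style OOK as defined by the three constants below.

HIGH_ONE = 3   # high slots for a logical 1 (assumed encoding)
HIGH_ZERO = 1  # high slots for a logical 0 (assumed encoding)
SLOTS = 4      # slots per symbol

def unpack_bits(raw: bytes) -> list:
    """Expand packed capture bytes into one sample per element, MSB first."""
    return [(b >> (7 - i)) & 1 for b in raw for i in range(8)]

def run_lengths(samples: list) -> list:
    """Collapse consecutive equal samples into (level, length) pulses."""
    pulses = []
    for s in samples:
        if pulses and pulses[-1][0] == s:
            pulses[-1][1] += 1
        else:
            pulses.append([s, 1])
    return [tuple(p) for p in pulses]

def decode_pwm(pulses: list) -> list:
    """Map each high pulse to a bit by its width; low pulses are gaps/silence."""
    bits = []
    midpoint = (HIGH_ONE + HIGH_ZERO) / 2
    for level, length in pulses:
        if level == 0:
            continue  # inter-symbol gap or trailing silence
        if length > 2 * HIGH_ONE:
            raise ValueError(f"high pulse of {length} slots does not fit the assumed encoding")
        bits.append(1 if length > midpoint else 0)
    return bits

def encode_pwm(bits: list) -> bytes:
    """Build a packed buffer (the shape d.RFxmit() takes) from logical bits."""
    samples = []
    for bit in bits:
        high = HIGH_ONE if bit else HIGH_ZERO
        samples += [1] * high + [0] * (SLOTS - high)
    samples += [0] * (-len(samples) % 8)  # pad to a byte boundary with silence
    out = bytearray()
    for i in range(0, len(samples), 8):
        byte = 0
        for s in samples[i:i + 8]:
            byte = (byte << 1) | s
        out.append(byte)
    return bytes(out)

def decode_capture(raw: bytes) -> list:
    """Full pipeline: packed capture bytes -> pulses -> logical bits."""
    return decode_pwm(run_lengths(unpack_bits(raw)))

if __name__ == "__main__":
    captured = bytes([0xE8, 0xEE, 0x88, 0xE8])  # constructed sample, not a real capture
    print(decode_capture(captured))             # [1, 0, 1, 1, 0, 0, 1, 0]
    print(encode_pwm([1, 0, 1, 1, 0, 0, 1, 0]).hex())  # e8ee88e8
```

In a real session the buffer comes from `data, ts = d.RFrecv()` and the constants must be measured from the target's pulse widths, which is the reverse-engineering step rfcat's interactive shell is meant to shorten.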
Installation
sudo apt install rfcat
Flags
Examples
rfcat -h
rfcat -r
rfcat -s
rfcat -s -f 433.92M -n 256
rfcat_bootloader /dev/ttyUSB0 download firmware.hex
rfcat_bootloader /dev/ttyUSB0 erase_all
rfcat_bootloader /dev/ttyUSB0 reset
rfcat_msfrelay -i 0 --noauth