|
| 1 | +# RF 433MHz Tool - Usage Guide |
| 2 | + |
| 3 | +## Features |
| 4 | +- ✅ Replay saved RF signals |
| 5 | +- ✅ Brute force attacks |
| 6 | +- ✅ Manual signal entry |
| 7 | +- ✅ Signal library management |
| 8 | + |
| 9 | +## Brute Force Attack |
| 10 | + |
| 11 | +### What it does: |
| 12 | +Iterates through a range of values and transmits each one. Useful for: |
| 13 | +- Testing garage door openers (common range: 0x445700 with 8-16 bits) |
| 14 | +- Rolling code attacks |
| 15 | +- Remote control testing |
| 16 | + |
| 17 | +### Settings Explained: |
| 18 | + |
| 19 | +**Prefix (Hex)** |
| 20 | +- The starting value (e.g., 0x445700) |
| 21 | +- All values will start with this prefix |
| 22 | + |
| 23 | +**Range Bits** |
| 24 | +- How many bits to iterate (1-24) |
| 25 | +- Total values = 2^bits |
| 26 | +- Examples: |
| 27 | + - 8 bits = 256 values |
| 28 | + - 12 bits = 4,096 values |
| 29 | + - 16 bits = 65,536 values |
| 30 | + - 20 bits = 1,048,576 values |
| 31 | + |
| 32 | +**Delay (ms)** |
| 33 | +- Wait time between each transmission |
| 34 | +- 200ms recommended (default) |
| 35 | +- Lower = faster but may miss responses |
| 36 | +- Higher = slower but more reliable |
| 37 | + |
| 38 | +**Frequency** |
| 39 | +- Target frequency in MHz |
| 40 | +- Common: 433.92 MHz (default) |
| 41 | +- Others: 315 MHz, 868 MHz, 915 MHz |
| 42 | + |
| 43 | +**TE (Pulse Length)** |
| 44 | +- Timing parameter (microseconds) |
| 45 | +- Default: 174 μs |
| 46 | +- Different protocols use different values |
| 47 | +- Common values: 174, 320, 200 |
| 48 | + |
| 49 | +**Repeat Count** |
| 50 | +- How many times to send each value |
| 51 | +- Default: 10 |
| 52 | +- Higher = more reliable but slower |
| 53 | + |
| 54 | +### Example Attack Scenarios: |
| 55 | + |
| 56 | +**Garage Door (8-bit)** |
| 57 | +``` |
| 58 | +Prefix: 0x445700 |
| 59 | +Bits: 8 |
| 60 | +Delay: 200ms |
| 61 | +Frequency: 433.92 MHz |
| 62 | +TE: 174 |
| 63 | +Repeat: 10 |
| 64 | +Time: ~51 seconds (256 values) |
| 65 | +``` |
| 66 | + |
| 67 | +**Larger Range (12-bit)** |
| 68 | +``` |
| 69 | +Prefix: 0x445700 |
| 70 | +Bits: 12 |
| 71 | +Delay: 200ms |
| 72 | +Time: ~13.6 minutes (4,096 values) |
| 73 | +``` |
| 74 | + |
| 75 | +**Gate Opener (16-bit)** |
| 76 | +``` |
| 77 | +Prefix: 0x440000 |
| 78 | +Bits: 16 |
| 79 | +Delay: 150ms |
| 80 | +Time: ~2.7 hours (65,536 values) |
| 81 | +``` |
| 82 | + |
| 83 | +### Security Warning: |
| 84 | +⚠️ **USE RESPONSIBLY!** |
| 85 | +- Only use on your own devices |
| 86 | +- Some systems may lock out after multiple attempts |
| 87 | +- Excessive transmissions may be illegal in some jurisdictions |
| 88 | +- Always check local regulations |
| 89 | + |
| 90 | +### Tips: |
| 91 | +1. Start with smaller bit ranges (8-10) to test |
| 92 | +2. If you know part of the code, use it as the prefix |
| 93 | +3. Monitor the target device for responses |
| 94 | +4. Hold any key to stop the attack at any time |
| 95 | +5. Consider using lower delays if device is responsive |
| 96 | + |
| 97 | +## Signal Replay |
| 98 | + |
| 99 | +### Add New Signal: |
| 100 | +1. Use Bruce's RF menu to capture a signal |
| 101 | +2. Note the hex data, frequency, and TE |
| 102 | +3. Go to "Add New Signal" in this script |
| 103 | +4. Enter the details |
| 104 | + |
| 105 | +### Replay Signal: |
| 106 | +1. Navigate to "Saved Signals" |
| 107 | +2. Select your signal |
| 108 | +3. Choose "Replay" |
| 109 | + |
| 110 | +## Storage: |
| 111 | +- Signals saved to: `/rf433_saved.json` |
| 112 | +- Persists between reboots |
| 113 | +- Can be backed up from SD card |
| 114 | + |
| 115 | +## Bruce Firmware Limitation: |
| 116 | +Bruce JS cannot scan/receive RF signals - only transmit. |
| 117 | +Use the built-in RF menu for scanning: **RF → SubGHz → Receive** |
0 commit comments