Skip to content

Commit 590f56a

Browse files
authored
Add files via upload
1 parent b7366c9 commit 590f56a

3 files changed

Lines changed: 512 additions & 0 deletions

File tree

2.44 KB
Loading

RF_TOOL_GUIDE.md

Lines changed: 117 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,117 @@
1+
# RF 433MHz Tool - Usage Guide
2+
3+
## Features
4+
- ✅ Replay saved RF signals
5+
- ✅ Brute force attacks
6+
- ✅ Manual signal entry
7+
- ✅ Signal library management
8+
9+
## Brute Force Attack
10+
11+
### What it does:
12+
Iterates through a range of values and transmits each one. Useful for:
13+
- Testing garage door openers (common range: 0x445700 with 8-16 bits)
14+
- Rolling code attacks
15+
- Remote control testing
16+
17+
### Settings Explained:
18+
19+
**Prefix (Hex)**
20+
- The starting value (e.g., 0x445700)
21+
- All values will start with this prefix
22+
23+
**Range Bits**
24+
- How many bits to iterate (1-24)
25+
- Total values = 2^bits
26+
- Examples:
27+
- 8 bits = 256 values
28+
- 12 bits = 4,096 values
29+
- 16 bits = 65,536 values
30+
- 20 bits = 1,048,576 values
31+
32+
**Delay (ms)**
33+
- Wait time between each transmission
34+
- 200ms recommended (default)
35+
- Lower = faster but may miss responses
36+
- Higher = slower but more reliable
37+
38+
**Frequency**
39+
- Target frequency in MHz
40+
- Common: 433.92 MHz (default)
41+
- Others: 315 MHz, 868 MHz, 915 MHz
42+
43+
**TE (Pulse Length)**
44+
- Timing parameter (microseconds)
45+
- Default: 174 μs
46+
- Different protocols use different values
47+
- Common values: 174, 320, 200
48+
49+
**Repeat Count**
50+
- How many times to send each value
51+
- Default: 10
52+
- Higher = more reliable but slower
53+
54+
### Example Attack Scenarios:
55+
56+
**Garage Door (8-bit)**
57+
```
58+
Prefix: 0x445700
59+
Bits: 8
60+
Delay: 200ms
61+
Frequency: 433.92 MHz
62+
TE: 174
63+
Repeat: 10
64+
Time: ~51 seconds (256 values)
65+
```
66+
67+
**Larger Range (12-bit)**
68+
```
69+
Prefix: 0x445700
70+
Bits: 12
71+
Delay: 200ms
72+
Time: ~13.6 minutes (4,096 values)
73+
```
74+
75+
**Gate Opener (16-bit)**
76+
```
77+
Prefix: 0x440000
78+
Bits: 16
79+
Delay: 150ms
80+
Time: ~2.7 hours (65,536 values)
81+
```
82+
83+
### Security Warning:
84+
⚠️ **USE RESPONSIBLY!**
85+
- Only use on your own devices
86+
- Some systems may lock out after multiple attempts
87+
- Excessive transmissions may be illegal in some jurisdictions
88+
- Always check local regulations
89+
90+
### Tips:
91+
1. Start with smaller bit ranges (8-10) to test
92+
2. If you know part of the code, use it as the prefix
93+
3. Monitor the target device for responses
94+
4. Hold any key to stop the attack at any time
95+
5. Consider using lower delays if device is responsive
96+
97+
## Signal Replay
98+
99+
### Add New Signal:
100+
1. Use Bruce's RF menu to capture a signal
101+
2. Note the hex data, frequency, and TE
102+
3. Go to "Add New Signal" in this script
103+
4. Enter the details
104+
105+
### Replay Signal:
106+
1. Navigate to "Saved Signals"
107+
2. Select your signal
108+
3. Choose "Replay"
109+
110+
## Storage:
111+
- Signals saved to: `/rf433_saved.json`
112+
- Persists between reboots
113+
- Can be backed up from SD card
114+
115+
## Bruce Firmware Limitation:
116+
Bruce JS cannot scan/receive RF signals - only transmit.
117+
Use the built-in RF menu for scanning: **RF → SubGHz → Receive**

0 commit comments

Comments
 (0)