d.RFxmit() throws exception on long bytestrings

[stdNullPtr]

Currently when I try to execute from the interactive shell (or from a script), d.RFxmit(b'') with a long byte sequence for example:

d.RFxmit(b'\xfe\xbd\x5e\xfb\xb7\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\x08\x0f\x1e\x30\x60\xe0\xf9\xf3\x83\xe7\xce\x0f\x9f\x1e\x3e\x70\x78\xf9\xf1\x83\x07\xcf\x8f\x9c\x38\x30\x70\xe0\xc1\xf3\x83\xe7\x07\x8f\x9c\x18\x3e\x70\x7c\xc1\xf1\x83\x07\x07\x80\x00\x00\x00\x00\x00\x1f\xc0\x30\x60\xc1\xf1\x83\x03\xc6\x0c\x1c\x1f\x3e\x7c\x60\xf9\xf1\x83\x07\x07\xcf\x9c\x1f\x3e\x30\x7c\xf8\xf1\xf3\x83\xc7\xcf\x8c\x18\x3e\x7c\x7c\xe1\xc1\x83\x07\x06\x0f\x9c\x1f\x38\x3e\x7c\xe0\xc1\xf3\x83\xe7\x07\xcc\x1c\x18\x3e\x00\x00\x00\x00\x00\x00\xfe\x01\x83\x07\x07\x8c\x18\x3e\x30\x70\xe0\xf9\xf1\xe3\x07\xcf\x8c\x1c\x38\x3e\x7c\x60\xf9\xf1\x83\xe7\xc7\x8f\x9c\x1e\x3e\x7c\x60\xc1\xf3\xe3\xe6\x0e\x0c\x18\x38\x30\x7c\xe0\xf9\xc3\xe3\xc6\x0e\x1f\x18\x3e\x70\x7c\xe0\xc1\x83\xe0\x00\x00\x00\x00\x00\x0f\xe0\x18\x30\x70\x7c\xc1\xc1\xf3\x07\x06\x0f\x9f\x1e\x30\x7c\xf8\xc1\x83\x83\xe7\xce\x0f\x9f\x18\x3e\x7c\x78\xf9\xc1\xf3\xe7\xc6\x0c\x1f\x1e\x3e\x70\x60\xc1\xc1\x83\x07\xce\x0f\x9c\x1f\x3e\x70\x60\xf9\xc1\xf3\x83\xe6\x0e\x0c\x1f\x00\x00\x00\x00\x00\x00\x7f\x00\xc1\x83\x83\xc6\x0c\x1f\x18\x30\x70\x78\xf9\xf1\x83\xe7\xc6\x0c\x1c\x1e\x3e\x70\xf8\xf9\xc3\xe3\xe7\xcf\x8c\x1f\x3e\x3e\x70\xe0\xf9\xf1\xe3\x06\x0e\x0c\x18\x38\x3e\x70\x7c\xe0\xf1\xf3\x83\x07\xce\x0f\x9c\x1e\x30\x60\xe0\xf0\x00\x00\x00\x00\x00\x07\xf8\x0c\x0c\x18\x3e\x70\x60\xf9\xc1\x83\x87\xc7\xcf\x9c\x1f\x3e\x30\x60\xe1\xf1\xf3\x87\xc7\xcc\x1f\x1e\x3e\x7c\x60\xf9\xf1\xf3\x07\x07\x8f\x9f\x18\x30\x70\x60\xc1\xc1\xe3\x07\xce\x0f\x9f\x18\x30\x7c\xe0\xf9\xc1\xf3\x07\x06\x0f\x80\x00\x00\x00\x00\x00\x3f\x80\x60\xc1\x83\xe3\x06\x0f\x8c\x18\x38\x3c\x7c\xf8')

I get the error in the stacktrace, however when I try with a shorter one it transmits fine. This is very important because we cannot replay big transmissions.
When I try to transmit with a short bytestring, it works.

Stacktrace:
Traceback (most recent call last):
File "/home/xaxo/Desktop/rfcat-1.9.2/rf_car_replay.py", line 34, in
d.RFxmit(key_packed) # replay packet to car
File "/home/xaxo/Desktop/rfcat-1.9.2/rflib/chipcon_nic.py", line 1121, in RFxmit
return self.RFxmitLong(data, doencoding=False)
File "/home/xaxo/Desktop/rfcat-1.9.2/rflib/chipcon_nic.py", line 1154, in RFxmitLong
error = struct.unpack("<B", retval[0])[0]
TypeError: a bytes-like object is required, not 'int'
===== RESETUP set from recv thread
Error in resetup():Exception('No Dongle Found. Please insert a RFCAT dongle.')

[Loumiakas]

I've tried transmitting larger messages and the one that you have included in the post, they seem to be working fine for me (as of commit #601):

DEBUG: (1609425935.993) b'total bytes tx:'
DEBUG: (1609425936.001) 0x190 400
0

I recommend that you fast-forward code in rfcat directory, if you haven't done so already, as there were quite a few updates recently. Also you might want to update your device's boot-loader as well.

[stdNullPtr]

I will try updating everything in the following few days and give feedback. I remember trying once but none of the instructions seemed to work with a fresh kali and python3.

[atlas0fd00m]

@Xaxoxuxu are you using kali's version of RfCat? or did you check out from github, or pip install?

[stdNullPtr]

@atlas0fd00m I did pip install

[atlas0fd00m]

just pushed updates to pypi. check out the latest version: https://pypi.org/project/rfcat/1.9.4/
upgrade with

$ pip install -U rfcat

let me know if that solves your problem, @Xaxoxuxu . hopefully this is easier for you than working with the latest git checkout. i needed to cut a incremental update anyway.

[stdNullPtr]

I am happy to say that it works like a charm now. Since I am a bit inexperienced, I couldn't manage to make a script when installing with pip install, it kept giving me an error that it can't find rflib so that it can import. So I downloaded 1.9.4 from the repo and I put the script there. Now I can replay longer bytestrings.

[atlas0fd00m]

glad to hear it's working for you... but i'm confused about the problem.
could you explain in more detail? we can choose an offline method of comms (eg. email) if you are concerned about sounding inexperienced.

@
atlas_at_r4780y.com

[stdNullPtr]

Thanks for the support and assistance, I will contact you if I cannot manage something further.

[stdNullPtr]

It seems that I was mistaken, long strings no longer throw an error, but instead they are ignored and not transmitted.
I am testing simultaneously with rtl-sdr and gqrx.

My config is as follows:
In [14]: d.setMdmModulation(MOD_ASK_OOK)
...: d.setFreq(433920000)
...: d.setMdmDRate(4800)
...: d.setMdmChanBW(60000)
...: d.setMdmChanSpc(24000)
...: d.setChannel(0)
...: d.setMaxPower()
...: d.lowball(1)

And now:
d.RFxmit(b'fffffffffffff7ff1f1e3e707cf8c1f3e307ce0f9f383ee7060e707cf9c1f3e3060f8f1f38707ce0c1f383e7c78c')
Transmits and works, but however:
d.RFxmit(b'fffffffffffff7fffffffffffffff77ffe7dbdef5b9feffffff7ffffeffffff79ffff7fffff7fff7fffff5ffdb7ff8eeffffcbdfffffff7ddfffffff800000000000000c78f1f1e3e707cf8c1f3e307ce0f9f383e707cf9c1f3e3060f9f1f30707cc1c1f307c78f9c1e3e70f8f9f1e3e7078c1c383e000000000000fe01e3e60f8f9f3e3e7c7cf9f183e7c60f9f183e7078f9c1f307c7ce0f9f38307cf8f9c183e7060f9c1f3e3c60f9f183e7c7cf9f183e7060e1f0000000000007f00f9f183e7c78f9f3e3e7cf8c1f3e307cf8c1f383c7ce0f9c1f3e707cf9c183e7c7cc1c1f38307ce0f9f3e307cf8c1f1f3e7c7ce0f1830707c000000000001fc07c7ce1f1e3e7cfcf9f1e3e7078f9c1e3e707ce1f1f307ce0f9f183e7c60c1f1f3e7060f9c183e707cf9f183e7c60f9f1e3e7ce0f9c18307c000000000001fc03e7ce0f9f1f3e7c78f9f1f307c78c1f1f307ce0f9f383e707cf9c1f3e3060f8f1f38707ce0c1f383e7c78c1f3e307cf8f9f3e307ce0c183e000000000000fe01f3e707cf9f1f3e7c7cf9f183e7c60f9f183e707cf9c1f383e7ce0f9f18307c7cf9c183e7060f8c1f3e3e70f9f183e7c7cf9f183e7060c1f0000000000007f00f9f183e7c78f9')

Gives me:
Out[20]: 132
And does not transmit anything

I am using latest version from pip install - 1.9.4.1

Also, I did not quite understand the contact you left - is it an email?

I am once again sorry for anything unclear, doing my best and learning.

[Loumiakas]

That's odd... I've tried sending message with your settings on my system - it seems to be working (did not check if the data is transmitted correctly though). SDR clearly shows peaks when message is sent with rfcat, indicating that the was a transmission is taking place:

DEBUG: (1609605002.220) b'total bytes tx:'
DEBUG: (1609605002.261) 0x384 900
Out[222]: 0

As you mentioned above, 132 is returned (status/error code???). I am not exactly sure where that is returned; my guess would be one of the dependent libraries... Was there any debug/error messages after executing the command?

[stdNullPtr]

@Loumiakas No idea what the return is, I only get a one red line output. It gets shorter by 1 for each symbol I remove from the string...
And I am getting no output in gqrx.
Still getting spikes in gqrx with shorter strings though (and also, no red line output with shorter strings)....

[stdNullPtr]

My YS1:

In [1]: print(d.reprRadioConfig())
== Hardware ==
Dongle: b'YARDSTICKONE'
Firmware rev: b'0348\x00'
Compiler: Not found! Update needed!
Bootloader: CC-Bootloader

== Software ==
rflib rev: 604

== Frequency Configuration ==
Frequency: 901999877.929688 hz (0x259555)
Channel: 0
Intermediate freq: 281250 hz
Frequency Offset: 0 +/-
Est. Freq Offset: 28

== Modem Configuration ==
Modulation: 2FSK
DRate: 38360.595703 hz
ChanBW: 93750.000000 hz
DEVIATION: 20507.812500 hz
Sync Mode: 15 of 16 bits must match
Min TX Preamble: 4 bytes
Chan Spacing: 199951.171875 hz
BSLimit: No data rate offset compensation performed
DC Filter: enabled
Manchester Encoding: disabled
Fwd Err Correct: disabled

== Packet Configuration ==
Sync Word: 0x0C4E
Packet Length: 255
Length Config: Fixed Packet Mode
Configured Address: 0x0
Preamble Quality Threshold: 4 * 2
Append Status: No
Rcvd Packet Check: No address check
Data Whitening: off
Packet Format: Normal mode
CRC: disabled

== AES Crypto Configuration ==
AES Mode: CBC - Cipher Block Chaining
Crypt RF Input: off
Crypt RF Output: off

== Radio Test Signal Configuration ==
TEST2: 0x88
TEST1: 0x31
TEST0: 0x9
VCO_SEL_CAL_EN: 0x0

== Radio State ==
MARCSTATE: MARC_STATE_RX (d)
DONGLE RESPONDING: mode :d, last error# 1

== Client State ==

 client thread cycles:      58/14
 client errored cycles:     0
 recv_queue:                (0 bytes) b''
 trash:                     (3 blobs) "[128, 142, (1609607557.7029576, b'')]"
 recv_mbox                  (2 keys)  "['0xff', '0x42']"
   app 0xff (4 records)
         [0x82]    (0 frames)  "[]"
         [0x88]    (0 frames)  "[]"
         [0x80]    (0 frames)  "[]"
         [0x86]    (0 frames)  "[]"

   app 0x42 (2 records)
         [0x1]    (1 frames)  "[(b'B\x01\xff\x00\x16>\xb3\xe5\x82y\xf4#\xbd\xe4~2\xc6\x1b\xf8\xd6V \xab\xe8\xd9<\xe"
         [0x7]    (0 frames)  "[]"

[Loumiakas]

I've noticed that your firmware version is quite old: Firmware rev: b'0348\x00'. I would recommend that you update that...

Here is the steps that I usually perform to do firmware update:

1. Clone this repository (I will use /opt for this example)
2. Download sdcc 3.5.0, if your OS is x86 Linux: https://sourceforge.net/projects/sdcc/files/sdcc-linux-x86/3.5.0.
3. Extract said archive to some location (I will use /opt for this example)
4. Copy contents of sdcc directory over to usr/local: cp -r /opt/sdcc-3.5.0 /usr/local
5. Navigate to rfcat cloned directory: cd /opt/rfcat/firmware
6. rfcat_bootloader should be available in path, if not present, add it: export PATH=$PATH:/opt/rfcat/CC-Bootloader
7. Invoke make file to update firmware/bootloader: make installRfCatYS1CCBootloader; You might need to run this as sudo, if your device is not accessible by logged in user.
8. Process will take about 10 minutes; Once done, try running your commands again..

[stdNullPtr]

@Loumiakas I am getting a ton of python errors due to the version mismatch.. Is there a clean way to perform this with python 3? Do I have to somehow switch to python2?

`sudo make installRfCatYS1CCBootloader

==RfCatYS1CCBootloader.hex building==
sdcc -Iinclude -DBUILD_VERSION=../revision.sh --xram-loc 0xF000 --code-loc 0x1400 appFHSSNIC.c chipcon_usb.rel chipcon_usbdebug.rel chipcon_dma.rel bootloader.rel cc1111rf.rel global.rel cc1111_aes.rel -DYARDSTICKONE -DCC1111 -DUSBDEVICE
packihx <appFHSSNIC.ihx >bins/RfCatYS1CCBootloader.hex
packihx: read 622 lines, wrote 1199: OK.
if [ ! -c /dev/RFCAT_BL_YS1 ] ; then ../rfcat --bootloader --force -S && sleep 1 ; fi ;
Entering RfCat Bootloader mode, ready for new image...
===== RESETUP set from recv thread
rfcat_bootloader /dev/RFCAT_BL_YS1 erase_all
File "/usr/local/bin/rfcat_bootloader", line 22
print "Writing", line[:-1],
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("Writing", line[:-1], end=" ")?
make: *** [Makefile:379: installRfCatYS1CCBootloader] Error 1
`

[Loumiakas]

@Loumiakas I am getting a ton of python errors due to the version mismatch.. Is there a clean way to perform this with python 3? Do I have to somehow switch to python2?

`sudo make installRfCatYS1CCBootloader

==RfCatYS1CCBootloader.hex building==
sdcc -Iinclude -DBUILD_VERSION=../revision.sh --xram-loc 0xF000 --code-loc 0x1400 appFHSSNIC.c chipcon_usb.rel chipcon_usbdebug.rel chipcon_dma.rel bootloader.rel cc1111rf.rel global.rel cc1111_aes.rel -DYARDSTICKONE -DCC1111 -DUSBDEVICE
packihx <appFHSSNIC.ihx >bins/RfCatYS1CCBootloader.hex
packihx: read 622 lines, wrote 1199: OK.
if [ ! -c /dev/RFCAT_BL_YS1 ] ; then ../rfcat --bootloader --force -S && sleep 1 ; fi ;
Entering RfCat Bootloader mode, ready for new image...
===== RESETUP set from recv thread
rfcat_bootloader /dev/RFCAT_BL_YS1 erase_all
File "/usr/local/bin/rfcat_bootloader", line 22
print "Writing", line[:-1],
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("Writing", line[:-1], end=" ")?
make: *** [Makefile:379: installRfCatYS1CCBootloader] Error 1
`

Are you invoking this update from cloned repository? If so, you might want to update it git pull. Code for rfcat_bootloader is outdated...

[stdNullPtr]

I had python-is-python3, so I installed python-is-python2 and now when I run the above cmd I get:
....
===== RESETUP set from recv thread
rfcat_bootloader /dev/RFCAT_BL_YS1 erase_all
Traceback (most recent call last):
File "/usr/local/bin/rfcat_bootloader", line 5, in
import serial
ImportError: No module named serial
make: *** [Makefile:379: installRfCatYS1CCBootloader] Error 1

And also, I am invoking inside 1.9.4.1 source. Isn't that the latest?

Edit: Just cloned again, getting same error :ImportError: No module named serial
Although I have it:
sudo pip install serial
Requirement already satisfied: serial in /usr/local/lib/python3.9/dist-packages (0.0.97)
Requirement already satisfied: pyyaml>=3.13 in /usr/lib/python3/dist-packages (from serial) (5.3.1)
Requirement already satisfied: iso8601>=0.1.12 in /usr/local/lib/python3.9/dist-packages (from serial) (0.1.13)
Requirement already satisfied: future>=0.17.1 in /usr/lib/python3/dist-packages (from serial) (0.18.2)

[Loumiakas]

I had python-is-python3, so I installed python-is-python2 and now when I run the above cmd I get:
....
===== RESETUP set from recv thread
rfcat_bootloader /dev/RFCAT_BL_YS1 erase_all
Traceback (most recent call last):
File "/usr/local/bin/rfcat_bootloader", line 5, in
import serial
ImportError: No module named serial
make: *** [Makefile:379: installRfCatYS1CCBootloader] Error 1

And also, I am invoking inside 1.9.4.1 source. Isn't that the latest?

It is the latest, and it has no syntax errors for Python3. Your rfcat_bootloader looks outdated; my guess is that it's picking up older version of the script. You might want to make sure that rfcat_bootloader is not coming from older installation that you might have performed earlier...

Since you have both Python2 and Python3 installed on your system, pip will be referencing Python2. In order to reference pip for Python3, you must invoke pip3 instead, i.e. pip3 install pyserial

[stdNullPtr]

Ok it seems that I had old rfcat files, I did sudo pip3 install -U rfcat and now I got everything updated.

The issue i get now is:
rfcat_bootloader /dev/RFCAT_BL_YS1 erase_all
Traceback (most recent call last):
File "/usr/local/bin/rfcat_bootloader", line 7, in
from serial.serialutil import SerialException
ModuleNotFoundError: No module named 'serial.serialutil'

But I have it installed:
pip3 install pyserial Requirement already satisfied: pyserial in /usr/lib/python3/dist-packages (3.5b0)

[stdNullPtr]

What I did now is sudo pip uninstall serial and it seems to get past the previous error
I ran sudo make installRfCatYS1CCBootloader
And I am stuck in a loop:

===== RESETUP set from recv thread
rfcat_bootloader /dev/RFCAT_BL_YS1 erase_all

Something is talking to the RfCat dongle (Modem Manager, most likely). Retrying again after 5 seconds. This can take a minute, please be patient. (error: SerialException(2, "could not open port /dev/RFCAT_BL_YS1: [Errno 2] No such file or directory: '/dev/RFCAT_BL_YS1'"))

Something is talking to the RfCat dongle (Modem Manager, most likely). Retrying again after 5 seconds. This can take a minute, please be patient. (error: SerialException(2, "could not open port /dev/RFCAT_BL_YS1: [Errno 2] No such file or directory: '/dev/RFCAT_BL_YS1'"))

Something is talking to the RfCat dongle (Modem Manager, most likely). Retrying again after 5 seconds. This can take a minute, please be patient. (error: SerialException(2, "could not open port /dev/RFCAT_BL_YS1: [Errno 2] No such file or directory: '/dev/RFCAT_BL_YS1'"))

Something is talking to the RfCat dongle (Modem Manager, most likely). Retrying again after 5 seconds. This can take a minute, please be patient. (error: SerialException(2, "could not open port /dev/RFCAT_BL_YS1: [Errno 2] No such file or directory: '/dev/RFCAT_BL_YS1'"))

[Loumiakas]

What I did now is sudo pip uninstall serial and it seems to get past the previous error
I ran sudo make installRfCatYS1CCBootloader
And I am stuck in a loop:

===== RESETUP set from recv thread
rfcat_bootloader /dev/RFCAT_BL_YS1 erase_all

Something is talking to the RfCat dongle (Modem Manager, most likely). Retrying again after 5 seconds. This can take a minute, please be patient. (error: SerialException(2, "could not open port /dev/RFCAT_BL_YS1: [Errno 2] No such file or directory: '/dev/RFCAT_BL_YS1'"))

Something is talking to the RfCat dongle (Modem Manager, most likely). Retrying again after 5 seconds. This can take a minute, please be patient. (error: SerialException(2, "could not open port /dev/RFCAT_BL_YS1: [Errno 2] No such file or directory: '/dev/RFCAT_BL_YS1'"))

Something is talking to the RfCat dongle (Modem Manager, most likely). Retrying again after 5 seconds. This can take a minute, please be patient. (error: SerialException(2, "could not open port /dev/RFCAT_BL_YS1: [Errno 2] No such file or directory: '/dev/RFCAT_BL_YS1'"))

Something is talking to the RfCat dongle (Modem Manager, most likely). Retrying again after 5 seconds. This can take a minute, please be patient. (error: SerialException(2, "could not open port /dev/RFCAT_BL_YS1: [Errno 2] No such file or directory: '/dev/RFCAT_BL_YS1'"))

It could be that case where the referenced device might have a different name. I recommend that you try following workaround:

1. Put yardstick into bootloader mode: rfcat --bootloader --force
2. Run ls -lart /dev/ and see if the device has a different name. For me it was named 'ttyACM0'
3. Edit Makefile in rfcat/firmware directory from /dev/RFCAT_BL_YS1 to /dev/ttyACM0

[stdNullPtr]

Thanks a lot.. it just finished updating.
Everything is working normally and transmitting, I even get debug output now.
Thanks a lot for your help and time and btw, how do I know that the device was ttyACM0? I had lots of devices, how did you know that was YS1?

[Loumiakas]

You are welcome, glad it worked out for you! In regards to identifying appropriate device, there was a bit of guesswork involved. When you put device into boot loader mode, timestamp of the device will change in /dev directory. When performing ls -lart command, device with most recent timestamp will be listed at the bottom.

I noticed that /dev/ttyACM0 was one of the most recent entries, so I cross checked with udev management tool: udevadm info -a /dev/ttyACM0.

Command output indicated that it was indeed YardStick One Bootloader, which was exactly what I needed:

  looking at device '/devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0/tty/ttyACM0':
    KERNEL=="ttyACM0"
    SUBSYSTEM=="tty"
    DRIVER==""

  looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0':
    KERNELS=="2-1:1.0"
    SUBSYSTEMS=="usb"
    DRIVERS=="cdc_acm"
    ATTRS{authorized}=="1"
    ATTRS{bInterfaceClass}=="02"
    ATTRS{bInterfaceNumber}=="00"
    ATTRS{bmCapabilities}=="2"
    ATTRS{bInterfaceProtocol}=="01"
    ATTRS{bNumEndpoints}=="01"
    ATTRS{supports_autosuspend}=="1"
    ATTRS{bInterfaceSubClass}=="02"
    ATTRS{bAlternateSetting}==" 0"

  looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-1':
    KERNELS=="2-1"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{product}=="YARD Stick One Bootloader"
    ATTRS{bmAttributes}=="c0"

There are probably myriad of easier ways to do this, but this process was the most convenient to me at the time :)

[stdNullPtr]

Thanks again for the info and assistance. Resolved. Closing.

[atlas0fd00m]

great job, @Loumiakas .
let me know if there are things i can do to make your life with RfCat easier.

@