After having successfully created PandwaRF, we used this expertise to develop a more powerful device for pentesting professionals and Law Enforcement Agencies.
PandwaRF Rogue is an improved variant of the PandwaRF, dedicated to brute forcing wireless devices available on the market.
The product comes in two versions: Rogue Pro and Rogue Gov.
PandwaRF Rogue Pro
The PandwaRF Rogue Pro is ideal for physical pentesters and cybersecurity professionals. It provides several additional features over the PandwaRF, making it the perfect tool for advanced brute forcing.
It brings significant improvements in automated brute forcing, making it easy to perform highly targeted, rapid auditing and owning.
The embedded Brute Force engine has been reworked to reduce the brute force duration: each code is sent only once, so you don’t have to worry about codes being transmitted multiple times. This allows a brute force session to be up to 30x faster than on the PandwaRF.
Predefined coding patterns
PandwaRF Rogue Pro also includes several predefined coding patterns (aka Function masks) corresponding to common wireless devices available on the market. Once you have a RF capture of the target device, you just need to set up the Function Mask. PandwaRF Rogue Pro will optimize the brute force duration for you.
32-bit codeword support
While the PandwaRF can brute force a codeword length of up to 16 bits (65K different codes), the Rogue Pro supports 32-bit brute force (4 billion different codewords).
PandwaRF Rogue Pro also allows Brute Force task splitting. You can resume a Brute Force operation from where you stopped it. This allows splitting a long Brute Force session into several shorter sessions.
De Bruijn Brute Force (aka OpenSesame attack)
A De Bruijn sequence is a bit string in which every possible code of a given length appears exactly once as a sliding window, so all codes can be produced in as few bits as possible. It is very effective against old receivers that compare the incoming bits through a shift register, because every single bit shifted in completes a new candidate code rather than requiring a full codeword per attempt. Using the De Bruijn mathematical algorithm, PandwaRF Rogue Pro is able to brute force a 12 bit code in 1.2 s instead of a normal brute force duration of 8 min.
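To make the coverage claim concrete, here is an added example (not PandwaRF code, and not the vendor's implementation) that builds a binary De Bruijn sequence with the standard Lyndon-word (FKM) construction, models a receiver that compares a sliding n-bit shift register against its fixed code, and counts how many bits each strategy needs. The receiver model, the 12-bit width and the sample code 0xABC are assumptions chosen for illustration; it shows why a receiver without framing or a per-code gap collapses its effective search space from n·2^n bits to 2^n + n − 1 bits.

```python
# Added example (not PandwaRF code): why a De Bruijn stream defeats a
# shift-register receiver, and how to verify the coverage property.

def de_bruijn_cycle(n: int) -> list[int]:
    """Cyclic binary De Bruijn sequence B(2, n), length 2**n, via the
    Lyndon-word (FKM) construction. Every n-bit value appears exactly
    once as a window when the sequence is read cyclically."""
    k = 2
    a = [0] * (k * n)
    seq: list[int] = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def de_bruijn_stream(n: int) -> list[int]:
    """Linear bit stream for an over-the-air send: the cycle plus its
    first n-1 bits, so the windows that wrap around the cycle are also
    covered. Length is 2**n + n - 1 bits."""
    cyc = de_bruijn_cycle(n)
    return cyc + cyc[:n - 1]


def naive_stream(n: int) -> list[int]:
    """Plain brute force: every n-bit code sent back to back, MSB first.
    Length is n * 2**n bits (real transmitters add a gap per code too)."""
    return [(code >> shift) & 1
            for code in range(1 << n)
            for shift in range(n - 1, -1, -1)]


def covers_all_codes(stream: list[int], n: int) -> bool:
    """True if every n-bit value occurs somewhere as a contiguous window."""
    mask = (1 << n) - 1
    reg, seen = 0, set()
    for i, bit in enumerate(stream):
        reg = ((reg << 1) | bit) & mask
        if i + 1 >= n:
            seen.add(reg)
    return len(seen) == 1 << n


def bits_until_match(stream: list[int], secret: int, n: int):
    """Model of a shift-register receiver (assumed, for illustration):
    each incoming bit is shifted into an n-bit register and the register
    is compared with the fixed code after every bit. Returns how many
    bits had to be sent before the first match, or None if none."""
    mask = (1 << n) - 1
    reg = 0
    for i, bit in enumerate(stream):
        reg = ((reg << 1) | bit) & mask
        if i + 1 >= n and reg == secret:
            return i + 1
    return None


if __name__ == "__main__":
    n = 12
    db, naive = de_bruijn_stream(n), naive_stream(n)
    print(f"{n}-bit codes: De Bruijn stream {len(db)} bits, "
          f"naive stream {len(naive)} bits")
    print("De Bruijn covers every code:", covers_all_codes(db, n))
    secret = 0xABC  # constructed sample code, not from any real device
    print("bits until match, De Bruijn:", bits_until_match(db, secret, n))
    print("bits until match, naive:", bits_until_match(naive, secret, n))
```

For 12-bit codes the De Bruijn stream is 4107 bits against 49152 for the naive stream, a 12x reduction in bits alone; the larger speed-up quoted above also reflects the per-code gaps and repeats that a plain brute force has to transmit. The same model shows the mitigation: a receiver that only accepts properly framed codewords (preamble, fixed length, inter-frame gap) does not let a single sliding stream test a new code on every bit.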
Logic symbols on multiple bytes
Many wireless devices on the market use complex symbol encoding, and their symbols are generally mapped onto multiple bits or even bytes. While the PandwaRF can only map one symbol to one byte, the PandwaRF Rogue Pro can map one symbol to up to 5 bytes, allowing much more complex devices to be brute forced.
Synchro & tail bits support
PandwaRF Rogue Pro can automatically prepend fixed synchronization bits before the codeword and append fixed tail bits after it. This allows complex codes to be sent when brute forcing without adding any latency, as this feature is integrated directly in the hardware. Up to 40 bits can be configured for the synchronization and tail parts.
Autonomous Brute Force
Once started from the smartphone, the brute force continues even if the phone is disconnected. The user can reconnect later, even from another phone, and see the brute force progress. If the PandwaRF Rogue Pro runs out of battery while brute forcing, it resumes as soon as it is powered again from a USB source.
Many generic encoder chipsets and protocols are natively supported and allow the user to emulate a remote control.
Supported chipsets: EV1527, HT12E, PT2260, PT2262, PT2270, PT2272, UM3578. Supported protocols: Somfy, Evology, Chacon, Dio, KaKu, HomeEasy, Extel, IDK, SimpliSafe, Meiantech, Atlantic, Adebaio, DX Linear etc.
With Rogue Pro, the user can resume a previously interrupted brute force session. The session includes the full Brute Force configuration and the current progress. Brute Force sessions can be saved on the phone in JSON format.
Bigger RX/TX memory
While the regular PandwaRF cannot capture or transmit more than 512 bytes of data, the Rogue Pro has more memory and can capture/transmit up to 2048 bytes. As the amount of collected data grows significantly with the sampling rate, increasing the maximum number of captured/transmitted bytes allows better RF data analysis.
Higher sampling rate
Rogue Pro can sample at up to 100 kbit/s, instead of the 10 kbit/s of the regular PandwaRF. The captured data is consequently much more precise. Coupled with post-processing error correction, this improves the quality of the data when identifying the type of chipset encoder used by the target device.
When sampling at high data rates, the amount of data to be transferred from the PandwaRF to the smartphone can be significant. The Rogue family includes real-time frame compression: all data sent from the Rogue is compressed before BLE transmission, reducing the risk of saturating the BLE connection. The PandwaRF Android application decompresses the data transparently for the user.
Data rate computation
In addition to measuring the data rate during a live capture, captured data can be post-processed afterwards to recover the data rate that was used.
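As an added example of such post-processing (not PandwaRF code, and not a description of how the Rogue does it), the snippet below recovers the symbol rate of an OOK capture from its pulse widths. It assumes a PWM-style code whose shortest pulse is one symbol unit, as is common for the fixed-code encoder chipsets listed on this page; the pulse widths are a constructed sample with a 350 µs base unit and some jitter, not a real capture.

```python
# Added example (not PandwaRF code): recovering the symbol rate of an
# OOK capture from its pulse widths after the fact.
from statistics import mean

# Constructed sample: pulse/gap widths in microseconds of a PWM-style
# OOK frame whose base unit is 350 us, with long pulses at 3 units and
# a 31-unit sync gap, plus some timing jitter. Not a real capture.
SAMPLE_WIDTHS_US = [340, 1060, 360, 1040, 350, 1050, 345, 355, 10850]


def estimate_base_unit(widths, tolerance=0.25):
    """Heuristic (an assumption of this example): the shortest pulse is
    one symbol unit. Average every width within `tolerance` of the
    minimum so a single jittery pulse does not skew the estimate."""
    if not widths:
        raise ValueError("no pulses in capture")
    shortest = min(widths)
    cluster = [w for w in widths if w <= shortest * (1 + tolerance)]
    return mean(cluster)


def data_rate_bps(widths):
    """Symbol rate in symbols per second, derived from the base unit."""
    return 1_000_000 / estimate_base_unit(widths)


def unit_multiples(widths, base):
    """Express each width as an integer multiple of the base unit so the
    frame structure (short / long / sync) becomes visible."""
    return [round(w / base) for w in widths]


def fits_base_unit(widths, base, tolerance=0.1):
    """Sanity check: every width must sit within `tolerance` of an
    integer multiple of the base unit. A failure means the shortest
    pulse was noise, or the capture rate was too low to resolve it."""
    for w in widths:
        k = max(1, round(w / base))
        if abs(w - k * base) > tolerance * base:
            return False
    return True


if __name__ == "__main__":
    base = estimate_base_unit(SAMPLE_WIDTHS_US)
    print(f"base unit: {base:.1f} us -> {data_rate_bps(SAMPLE_WIDTHS_US):.0f} symbols/s")
    print("multiples:", unit_multiples(SAMPLE_WIDTHS_US, base))
    print("consistent:", fits_base_unit(SAMPLE_WIDTHS_US, base))
```

The consistency check matters in practice: if the capture's own sampling rate is too low to resolve the shortest pulse, the recovered data rate is wrong and every later step (symbol decoding, chipset identification) inherits the error, which is why a higher sampling rate and larger capture buffer pay off in analysis quality.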
Automatic frequency detection can be used when you don’t know which frequency the target device is using. The PandwaRF Rogue Pro scans all the commonly used bands worldwide (315/433/868/915 MHz) and reports the exact frequency in use.
Data analysis (Chipset database)
After capturing any data from the target’s remote control, Rogue Pro can automatically analyze the data and find which chipset is used to encode it. This allows the attacker to clone and impersonate the target’s remote control faster than by brute force. This feature relies on the Rogue Pro integrated chipset database.
Function inversion (Chipset database)
The function inversion feature allows an attacker to capture a single RF message from a keyfob (using a known chipset) when the target presses the keyfob button. The attacker then applies an inversion function to transform the captured message into another message. The attacker can then impersonate the target’s device by sending the transformed message to the receiver. This feature relies on the Rogue Pro integrated chipset database.
The PandwaRF Rogue Pro contains the chipset database (only available in the Rogue variants).
The PandwaRF Rogue Pro does NOT contain the home alarm database (only available in the Rogue Gov variant).
Basic RF knowledge (symbols, data rate, etc.) is required in order to use Rogue Pro’s Android application. To get started with the Brute Force feature in the application, please check the RF Brute Force section of our wiki. Please make sure that you are familiar with the terms used in this section before considering ordering the Rogue Pro.
For PandwaRF Rogue orders we also accept payments by bank transfer. Please contact us if you prefer this payment method.