Overview of the tool
RFQuack is a versatile RF-hacking tool that allows you to sniff, analyze, and transmit data over the air. Consider it as the modular version of the great YardStick One, which is based on the CC1111 radio chip. Similarly to RFCat for the YardStick One, RFQuack has a console-based and Python-scriptable client that allows you to set parameters on the radio, receive, transmit, and so on.
Another RF-hacking dongle? RFQuack is midway between software-defined radios (SDRs), which offer great flexibility at the price of a fatter code base, and RF dongles, which offer great speed and a plug-and-play experience at the price of less flexibility (you can’t change the radio chip). So, if you need to analyze a weird RF protocol with that special packet format or that very special modulation scheme, with mixed symbol encodings, with RFQuack you just swap the radio shield and you can just start working right away. And if we don’t support that special radio chip yet, you can just craft your shield and add support to the software!
RFQuack is unique in some ways. First, it supports multiple embedded radio chips (e.g., RF69, RF95, CC1120), basically all the chips supported by RadioHead (which we forked to create RadioHAL, a more hackable radio hardware abstraction layer), and we’re adding more. Secondly, it does not require a wired connection to the host computer: the serial port is used only to display debugging messages, but the interaction between the client and the node is over TCP using WiFi (via Arduino WiFi) or via GPRS (via TinyGSM library) as networking layers. Third, the Python client allows both high-level operations (e.g., change frequency, change modulation) as well as to interact with the radio chip at a very low level (read or write registers). So, you have the power of an embedded radio chip driven by native code running on the MCU, but you can program in it Python via a simple API! Last, the firmware and the API implement the concept of in-flight packet-filtering and packet-modification rules (it’s like a tiny firewall), which means that you can instruct the firmware to listen for a packet matching a given signature (in addition to the usual sync-word- and address-based filtering, which you can disable for full promiscuous mode), optionally modify it right away, and re-transmit it with under a few milliseconds delay, because all the processing happens on the MCU.
RFQuack has a modular software and hardware architecture comprising a radio chip, a micro-controller unit (MCU, a network adapter (e.g., WiFi or cellular). The communication layers are organized as follows. The Python client encodes the message for the RFQuack dongle with Protobuf: this ensures data-type consistency across firmware (written in C) and client (written in Python), a bit of data validation, and low development effort. The serialized messages are transported over MQTT (which allows multi-node and multi-client scenarios) or just serial (when you need minimal latency). The connectivity layer is just a thin abstraction over various cellular modems and the Arduino/ESP WiFi.