Packages and Binaries:


Rfcat is a sub-GHz analysis tool. The goals of the project are to reduce the time security researchers need to create tools for analyzing unknown targets and to aid in reverse-engineering of hardware.

Installed size: 442 KB
How to install: sudo apt install rfcat

Dependencies:

  • ipython3
  • python3
  • python3-ipython
  • python3-numpy
  • python3-pyside2.qtcore
  • python3-pyside2.qtgui
  • python3-pyside2.qtwidgets
  • python3-serial
  • python3-usb


root@kali:~# rfcat -h
usage: rfcat [-h] [-r] [-i INDEX] [-s] [-f CENTFREQ] [-c INC] [-n SPECCHANS]
             [--bootloader] [--force] [-S]

  -h, --help            show this help message and exit
  -r, --research        Interactive Python and the "d" instance to talk to
                        your dongle. melikey longtime.
  -i INDEX, --index INDEX
  -s, --specan          start spectrum analyzer
  -f CENTFREQ, --centfreq CENTFREQ
  -c INC, --inc INC
  -n SPECCHANS, --specchans SPECCHANS
  --bootloader          trigger the bootloader (use in order to flash the
  --force               use this to make sure you want to set bootloader mode
                        (you *must* flash after setting --bootloader)
  -S, --safemode        TROUBLESHOOTING ONLY, used with -r

root@kali:~# rfcat_bootloader -h

CC Bootloader Download Utility

Usage:  /usr/bin/rfcat_bootloader serial_port command


  download <hex_file>

    Download hex_file to the device.

    Run the user code.

    The bootloader will not erase pages that have previously been written to
    before writing new data to that page. This allows for random access writes
    but prevents you from overwriting downloaded code unless the device is
    power cycled. This command will reset the bootloader's record of what
    pages have been written to, allowing you to overwrite without power 

    Erases the entire user flash area.
  erase <n>

    Erases page n of the flash memory (organised into 1024 byte pages). The
    bootloader occupies the first few pages and the rest are reserved for user
    code. Attempting to erase a bootloader page will have no effect. To
    determine which page the user code starts on please check the
    USER_CODE_BASE setting in main.h.
  read <start_addr> <len> [hex_file]

    Reads len bytes from flash memory starting from start_addr and optionally
    write to hex_file. start_addr and len should be specified in hexadecimal 
    (e.g. 0x1234).

  verify <hex_file>

    Verify hex_file matches device flash memory.

root@kali:~# rfcat_msfrelay -h
usage: rfcat_msfrelay [-h] [-i INDEX] [-u USER] [-p PASSWORD] [-P PORT]
                      [--noauth] [--localonly]

  -h, --help            show this help message and exit
  -i INDEX, --index INDEX
  -u USER, --user USER  HTTP Username
  -p PASSWORD, --password PASSWORD
                        HTTP Password
  -P PORT, --Port PORT
  --noauth              Do not require authentication
  --localonly           Listen on localhost only


Updated on: 2024-Feb-16