Android Brute Force Session Import Tutorial
Here is an example of a brute force config that you can now add as a .json file in Document/Gollum/BruteForce/Configs.
The JSON file should be formatted like this:
```jsonc
{
  "brandName": "ACME",                 // Brand
  "modelName": "Model_1",              // Model
  "encoderName": "Encoder_x",          // Encoder name (informative)
  "typeAlarmName": "Home Alarm",       // Category
  // RF parameters
  "frequency": 433905000,              // between 300,000,000 and 928,000,000 (in Hz)
  "modulationName": "ASK/OOK",         // one of "ASK/OOK", "2-FSK", "4-FSK", "GFSK", "MSK"
  "dataRate": 2850,                    // data rate: should be between 1000 and 10000 bits/s (in bits/s)
  "deviation": 0,                      // only applicable in 2-FSK/GFSK/MSK (in Hz)
  // BF parameters
  "startValue": 0,                     // start value of the brute force config
  "stopValue": -1,                     // -1 is auto-computation, you can still fill in your own value
  "currentValue": 0,                   // where to start the BF
  "delay_btw_attemps_ms": 50,          // delay between each BF attempt (in ms)
  "codeLength": 12,                    // number of symbols per codeword
  "littleEndian": false,               // Little/Big Endian
  "repeat": 5,                         // number of codeword repetitions before sending the next BF attempt
  "functionMask": "FFFFFFFFFFFFFFFFFFFF0000", // data to be ANDed with the generated codeword before transmission
  "mapEncoderNameToFunctionValue": {   // data to be ORed with the generated codeword before transmission
    "Home": "00000000000000000000888E", // For each function to brute force, a different Function Value
    "Lock": "000000000000000000008E88", // is given. These are the fixed part of the transmitted codeword
    "SOS": "00000000000000000000E888",
    "Unlock": "0000000000000000000088E8"
  },
  "mode": "2",                         // 1: CLASSIC, available on PandwaRF & Rogue
                                       // 2: SYNC_CODE_TAIL, only available on Rogue
                                       // 3: SYNC_CODE_TAIL_LONG_SYMBOL, only available on Rogue
  "symbolLength": 1,                   // number of bytes used to code 1 symbol
  "symbols": [                         // symbols as hex code. Here, the base is 4
    "88",                              // bytes to be used when sending symbol 0
    "EE",                              // bytes to be used when sending symbol 1
    "E8",                              // bytes to be used when sending symbol 2
    "8E"                               // bytes to be used when sending symbol 3
  ],
  "syncWord": "",                      // bytes to add before the codeword
  "syncWordSize": 0,
  "tailWord": "8000",                  // bytes to add after the codeword
  "tailWordSize": 2
}
```
ℹ️ Please refer to the BruteForce Tutorial for further information on how to complete the fields.
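As an added example (not part of the original tutorial or of the Gollum application), a small Python checker that applies the ranges and cross-field rules stated in the comments above to such a config before it is dropped into the Configs folder; the `device` parameter and the wording of the problem strings are assumptions.

```python
import re

MODULATIONS = ("ASK/OOK", "2-FSK", "4-FSK", "GFSK", "MSK")
MODES = {"1": "CLASSIC", "2": "SYNC_CODE_TAIL", "3": "SYNC_CODE_TAIL_LONG_SYMBOL"}
HEX = re.compile(r"^[0-9A-Fa-f]*$")
# The config from the tutorial above with its comments stripped (values unchanged).
SAMPLE_CONFIG = {
    "modelName": "Model_1", "encoderName": "Encoder_x", "typeAlarmName": "Home Alarm",
    "frequency": 433905000, "modulationName": "ASK/OOK", "dataRate": 2850, "deviation": 0,
    "startValue": 0, "stopValue": -1, "currentValue": 0, "delay_btw_attemps_ms": 50,
    "codeLength": 12, "littleEndian": False, "repeat": 5, "mode": "2", "symbolLength": 1,
    "functionMask": "FFFFFFFFFFFFFFFFFFFF0000",
    "mapEncoderNameToFunctionValue": {
        "Home": "00000000000000000000888E", "Lock": "000000000000000000008E88",
        "SOS": "00000000000000000000E888", "Unlock": "0000000000000000000088E8"},
    "symbols": ["88", "EE", "E8", "8E"],
    "syncWord": "", "syncWordSize": 0, "tailWord": "8000", "tailWordSize": 2,
}

def validate_bf_config(cfg, device="Rogue"):
    """Return the list of problems found in a config dict (empty list = consistent)."""
    problems = []
    if not 300_000_000 <= cfg.get("frequency", 0) <= 928_000_000:
        problems.append("frequency must be between 300,000,000 and 928,000,000 Hz")
    if cfg.get("modulationName") not in MODULATIONS:
        problems.append("modulationName must be one of %s" % ", ".join(MODULATIONS))
    if not 1000 <= cfg.get("dataRate", 0) <= 10000:
        problems.append("dataRate must be between 1000 and 10000 bits/s")
    if cfg.get("modulationName") == "ASK/OOK" and cfg.get("deviation", 0):
        problems.append("deviation only applies to 2-FSK/GFSK/MSK")
    mode = str(cfg.get("mode"))
    if mode not in MODES:
        problems.append("mode must be 1, 2 or 3")
    elif mode in ("2", "3") and device != "Rogue":  # modes 2 and 3 are Rogue-only
        problems.append("mode %s (%s) is only available on Rogue" % (mode, MODES[mode]))
    # A codeword is codeLength symbols of symbolLength bytes; the mask and every
    # function value are ANDed/ORed with it, so they must be exactly that long.
    sym_hex = 2 * cfg.get("symbolLength", 0)
    word_hex = cfg.get("codeLength", 0) * sym_hex
    values = [("functionMask", cfg.get("functionMask", ""))]
    values += list(cfg.get("mapEncoderNameToFunctionValue", {}).items())
    for name, value in values:
        if not HEX.match(value) or len(value) != word_hex:
            problems.append("%s must be %d hex digits" % (name, word_hex))
    for sym in cfg.get("symbols", []):
        if not HEX.match(sym) or len(sym) != sym_hex:
            problems.append("symbol %r must be %d hex digits" % (sym, sym_hex))
    for name in ("syncWord", "tailWord"):  # hex length must agree with the *Size field
        if len(cfg.get(name, "")) != 2 * cfg.get(name + "Size", 0):
            problems.append("%s does not match %sSize" % (name, name))
    return problems
```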
First, have a look at Universal Radio Hacker. Read their tutorials, and watch their videos. Do your homework.
It is really important to respect the following points so that the .xml file has the correct form.
Note: the way you "View data as" (Bits, Hex or ASCII) in URH doesn't have any influence.
First of all, you have to select each message in order to name it, as shown in the picture below. Do this for all of your messages. The name(s) you give will be the name(s) of the button(s) displayed in the application.
Then type the name there:
You have to add protocol labels to define the parts of each message:
- If you want Synchronization bits, you have to call the label "Sync Word"
- If you want Tail Word bits, you have to call the label "Tail Word"
- The button bits have to be called "Button Value"
For example, your URH file can look like this:
At the top right of the screen, click on "Save current protocol" and save the XML protocol (protocol.proto.xml).
The XML file should look like this:
```xml
<?xml version="1.0" ?>
<protocol>
  <decodings>
    <decoding>'Non Return To Zero (NRZ)', </decoding>
    <decoding>'Non Return To Zero Inverted (NRZ-I)', 'Invert', </decoding>
    <decoding>'Manchester I', 'Edge Trigger', </decoding>
    <decoding>'Manchester II', 'Edge Trigger', 'Invert', </decoding>
    <decoding>'Differential Manchester', 'Edge Trigger', 'Differential Encoding', </decoding>
  </decodings>
  <participants/>
  <messages>
    <message bits="1000100010001000100010001000100011101110111011101110111011101110111010001000100010001000100011101" decoding_index="0" message_type_id="198b257b-7acd-432d-86b1-84547ca2d6f0" modulator_index="0" pause="90911" timestamp="1532524953.1343777"/>
    <message bits="1000100010001000100010001000100011101110111011101110111011101110111010001000100010001000111010001" decoding_index="0" message_type_id="da125e27-3845-41f1-b081-c6674e8da904" modulator_index="0" pause="73225" timestamp="1532524953.1343777"/>
    <message bits="1000100010001000100010001000100011101110111011101110111011101110111010001000100011101000100010001" decoding_index="0" message_type_id="7b2dde0e-02b4-4255-a052-ffd10c79261a" modulator_index="0" pause="84870" timestamp="1532524953.1343777"/>
    <message bits="1000100010001000100010001000100011101110111011101110111011101110111010001000100010001110100010001" decoding_index="0" message_type_id="5619455c-5528-479c-a728-45f092924fb0" modulator_index="0" pause="33246" timestamp="1532524953.1343777"/>
  </messages>
  <message_types>
    <message_type assigned_by_logic_analyzer="0" assigned_by_ruleset="0" id="969cbe12-073e-4713-ba92-bbb1155c8d35" name="default">
      <ruleset mode="0"/>
    </message_type>
    <message_type assigned_by_logic_analyzer="0" assigned_by_ruleset="0" id="198b257b-7acd-432d-86b1-84547ca2d6f0" name="Lock">
      <label apply_decoding="True" auto_created="False" color_index="2" display_bit_order_index="0" display_endianness="big" display_format_index="0" end="16" fuzz_me="2" fuzz_values="" name="Sync Word" show="2" start="0"/>
      <label apply_decoding="True" auto_created="False" color_index="0" display_bit_order_index="0" display_endianness="big" display_format_index="1" end="100" fuzz_me="2" fuzz_values="" name="source address" show="2" start="16"/>
      <label apply_decoding="True" auto_created="False" color_index="1" display_bit_order_index="0" display_endianness="big" display_format_index="3" end="96" fuzz_me="2" fuzz_values="" name="Button Value" show="2" start="80"/>
      <ruleset mode="0"/>
    </message_type>
    <message_type assigned_by_logic_analyzer="0" assigned_by_ruleset="0" id="da125e27-3845-41f1-b081-c6674e8da904" name="Unlock">
      <label apply_decoding="True" auto_created="False" color_index="2" display_bit_order_index="0" display_endianness="big" display_format_index="0" end="16" fuzz_me="2" fuzz_values="" name="Sync Word" show="2" start="0"/>
      <label apply_decoding="True" auto_created="False" color_index="0" display_bit_order_index="0" display_endianness="big" display_format_index="1" end="100" fuzz_me="2" fuzz_values="" name="source address" show="2" start="16"/>
      <label apply_decoding="True" auto_created="False" color_index="1" display_bit_order_index="0" display_endianness="big" display_format_index="3" end="96" fuzz_me="2" fuzz_values="" name="Button Value" show="2" start="80"/>
      <ruleset mode="0"/>
    </message_type>
    <message_type assigned_by_logic_analyzer="0" assigned_by_ruleset="0" id="7b2dde0e-02b4-4255-a052-ffd10c79261a" name="Home">
      <label apply_decoding="True" auto_created="False" color_index="2" display_bit_order_index="0" display_endianness="big" display_format_index="0" end="16" fuzz_me="2" fuzz_values="" name="Sync Word" show="2" start="0"/>
      <label apply_decoding="True" auto_created="False" color_index="0" display_bit_order_index="0" display_endianness="big" display_format_index="1" end="100" fuzz_me="2" fuzz_values="" name="source address" show="2" start="16"/>
      <label apply_decoding="True" auto_created="False" color_index="1" display_bit_order_index="0" display_endianness="big" display_format_index="3" end="96" fuzz_me="2" fuzz_values="" name="Button Value" show="2" start="80"/>
      <ruleset mode="0"/>
    </message_type>
    <message_type assigned_by_logic_analyzer="0" assigned_by_ruleset="0" id="5619455c-5528-479c-a728-45f092924fb0" name="SOS">
      <label apply_decoding="True" auto_created="False" color_index="2" display_bit_order_index="0" display_endianness="big" display_format_index="0" end="16" fuzz_me="2" fuzz_values="" name="Sync Word" show="2" start="0"/>
      <label apply_decoding="True" auto_created="False" color_index="0" display_bit_order_index="0" display_endianness="big" display_format_index="1" end="100" fuzz_me="2" fuzz_values="" name="source address" show="2" start="16"/>
      <label apply_decoding="True" auto_created="False" color_index="1" display_bit_order_index="0" display_endianness="big" display_format_index="3" end="96" fuzz_me="2" fuzz_values="" name="Button Value" show="2" start="80"/>
      <ruleset mode="0"/>
    </message_type>
  </message_types>
</protocol>
```
You can see just the important fields in the picture below (of the previous code). In red you have the names of your buttons, and in green you can see (in bits) the different parts of all of your messages (the Sync Word starts at bit 0 and ends at bit 16, for example).
You can now put the file (protocol.proto.xml) on your smartphone in Document/Gollum/BruteForce/Configs.
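To show what the importer has to find in such a file, here is an added Python example (not the Gollum application's own import code) that reads a protocol.proto.xml, checks that every named message type carries the "Sync Word" and "Button Value" labels required above, and returns the labelled bit ranges as hex per button; the sample XML is a constructed, trimmed file in the shape shown above, and `hex_to_bits`, `bits_to_hex` and `import_urh_protocol` are names chosen here.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("Sync Word", "Button Value")  # label names the tutorial above requires
FIELDS = REQUIRED + ("Tail Word",)        # "Tail Word" is optional
def hex_to_bits(hexstr, trailer=""):
    # MSB-first bit string for a hex byte string, plus optional trailing bits
    return "".join(format(b, "08b") for b in bytes.fromhex(hexstr)) + trailer
# Constructed sample: a trimmed protocol.proto.xml in the shape shown above; the bits
# reproduce the byte pattern of the page's first two captures (E8 88 88 8E / E8 88 88 E8).
SAMPLE_XML = """<?xml version="1.0" ?>
<protocol>
  <messages>
    <message bits="%s" message_type_id="198b257b-7acd-432d-86b1-84547ca2d6f0"/>
    <message bits="%s" message_type_id="da125e27-3845-41f1-b081-c6674e8da904"/>
  </messages>
  <message_types>
    <message_type id="198b257b-7acd-432d-86b1-84547ca2d6f0" name="Lock">
      <label name="Sync Word" start="0" end="16"/>
      <label name="Button Value" start="80" end="96"/>
    </message_type>
    <message_type id="da125e27-3845-41f1-b081-c6674e8da904" name="Unlock">
      <label name="Sync Word" start="0" end="16"/>
      <label name="Button Value" start="80" end="96"/>
    </message_type>
  </message_types>
</protocol>
""" % (hex_to_bits("88888888EEEEEEEEE888888E", "1"),
       hex_to_bits("88888888EEEEEEEEE88888E8", "1"))

def bits_to_hex(bits):
    # MSB-first bits to hex, right-padded to whole bytes; an empty label gives ""
    padded = bits + "0" * ((-len(bits)) % 8)
    return "%0*X" % (len(padded) // 4, int(padded, 2)) if padded else ""
def import_urh_protocol(xml_text):
    """Map each named message type to the hex of its labelled fields; ValueError if a label is missing."""
    root = ET.fromstring(xml_text)
    types = {mt.get("id"): mt for mt in root.iter("message_type")}
    result = {}
    for msg in root.iter("message"):
        mt = types.get(msg.get("message_type_id"))
        if mt is None or mt.get("name") == "default":
            continue  # unnamed capture: the tutorial says every message must be named
        spans = {lab.get("name"): (int(lab.get("start")), int(lab.get("end"))) for lab in mt.iter("label")}
        missing = [n for n in REQUIRED if n not in spans]
        if missing:
            raise ValueError("%s: missing label(s) %s" % (mt.get("name"), ", ".join(missing)))
        result[mt.get("name")] = {n: bits_to_hex(msg.get("bits")[spans[n][0]:spans[n][1]])
                                  for n in FIELDS if n in spans}
    return result
```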
Questions or need help? Get in touch or open an Issue!