Software-defined radios (SDRs) are indispensable for signal reconnaissance
and physical-layer dissection, but even with advanced tools such as
Universal Radio Hacker, SDR-based approaches require substantial effort.
By contrast, RF dongles such as the popular Yard Stick One are easy to use and
guarantee a deterministic physical-layer implementation. However, they’re not
very flexible, as each dongle is a static hardware system with a monolithic
We present RFquack, an open-source tool and library firmware that combines
the flexibility of a software-based approach with the determinism and
performance of embedded RF frontends. RFquack is based on a multi-radio
hardware system with swappable RF frontends, and a firmware that exposes a
uniform, hardware-agnostic API. RFquack focuses on a structured firmware
architecture that allows high- and low-level interaction with the RF frontends.
It facilitates the development of host-side scripts and firmware plug-ins
that implement efficient data-processing pipelines or interactive protocols,
thanks to the multi-radio support. RFquack has an IPython shell and 9 firmware modules
for: spectrum scanning, automatic carrier detection and bitrate estimation,
headless operation with remote management, in-flight packet filtering and
manipulation, MouseJack, and RollJam (as examples).
We used RFquack to set up RF hacking contests and to analyze industrial-grade
devices and key fobs, in whose RF protocols we found and reported 11
vulnerabilities.