Jump to content

Noob - rfcat - Hacked my Ceiling Fan - NOW WHAT?!


Recommended Posts

I'm very green to this style of programming, but I could use some help please.

I picked up an RTL-SDR dongle and a YardstickOne this week.  I've figured out the control codes for my 20+ year-old ceiling fan and its lights and can manually transmit them via the YS1.vs Fan 

My problem now is that while I can paste commands into rfcat running on a centrally located RPI3, I would like to be able to run those at will. Fan Hi, vs Fan Off, vs Up Light On, etc.

Those sets of rfcat commands work just fine when *I* put them in.

Can anyone please point me to a way to a) lump my rfcat commands into something I can call collectively, and b) trigger them from outside.

My ultimate goal is to have Amazon Alexa call these scripts, but I need to learn more first.

Thanks for any help you can provide or point me to!


Link to comment
Share on other sites


Do you know how to script in Python2.7? If not no worries, it's easy :D

Yes! You can write a dedicated script that pulls from the RfCat liberies (The software used to control CC1111 chips) and have them run independently from the RfCat interactive environment.


So here's what you'll need to do.

1.) You either need to have your script run the same directory where 'rfcat' is located or...

2.) Make a copy of the folders  'rflib' and 'vstruct' and and all their contents and put them in the same working directory of your script.

3.) Import the rflib libraries into your python script with 'from rflib import *'

4.) assign the function 'RfCat()' to 'd'

5.) set variables and make calls to each function as you would in RfCat


Here's a quick and dirty example on how to use RfCat in a python script. I didn't call any of the functions in the example below but you can use this as an example on how to format your script.

You can always read up on any RfCat function by typing in 'help(d)' while your in the rfcat interactive environment. 

#Lets make a python script for RfCat!
#Example below deminstrates TX with ASK/OOK

#Imports all the liberys from rflib into your script
from rflib import *
import datetime

#assign the function RfCat() to 'd'
d = RfCat()

#Just like in the interactive environment, you can set veriables by typing in 'd.FUNCTION(VALUE)'
def SetRadio():

#How to RX
def RX():
	while True: #or 'while not keystop()' if you want to kill the loop by hitting the enter key
		packet, timestamp = d.RFrecv()
			if VerifyPacket(packet): #sanity check, makes sure the packet is valid
				time = datetime.datetime.fromtimestamp(ts).strftime('%H:%M:%S')
				data = str(pkt.encode('hex'))
				print "<*> %s: RX: %s" % (time,data) 

#Example sanity check, if your packet dosen't start with 0x00a2888a after what you have the preamble set to
#this function will return False and 'if VerifyPacket(packet):' will not execute the commands below. 
#It will loop back to 'while True:' and try again.
def VerifyPkt(pkt): 
        if ord(pkt[0]) != 0x00:
                return False
        if ord(pkt[1]) != 0xa2:
                return False
        if ord(pkt[2]) != 0x88:
                return False
        if ord(pkt[3]) != 0x8a:
                return False
return True
#Any data being TXed can be ASCII, decoded HEX, at least as far as I know :D
#d.RFxmit(data, repeat=0, offset=0)
#repeat of 65535 means 'forever'

#How to TX ASCII
def TxASCII():

#How to TX decoded HEX
def TxHEX():
	#Hex hardcoded in, 0xff00ff is 111111110000000011111111 in binary and your ASK/OOK will look like that too!
	#1 is on, 0 is off

	#Hex in a veriable
	HexMessage = '1234ffff0000' #starts as a string
	d.RFxmit(HexMessage.decode('hex')) #decoded so RfCat is happy :D

If you want to learn more about RfCat I would recommend watching this.


Also I just finished a project using RfCat to reverse a Juke Box remote and made a small script that dose sends remote commands, passive PIN discovery, and brute forcing!



Here's a video series I recommend if you are brand new to Python. The video series teaches Python3 and even thou RfCat works with Python2.7, both versions of python are not that different. If you google the differences between Python2.7 and Python3 you'll see what I mean.  



Let me know if you have any questions and happy hacking! :D

Edited by NotPike
Link to comment
Share on other sites

3 hours ago, dazer said:

Thank you!  You've made my head spin with all this information.  I'm sure I'll come up with some questions soon.

No worries! Yah I would take the time and learn Python and use the code above as an example. Best of luck!

Link to comment
Share on other sites

  • 2 weeks later...

So, building off what you wrote, I've got:

d****@***pi:~ $ cat top2.py
from rflib import *

d = RfCat()

d.RFxmit("\xb2\xd9\x24\xb2\x58\x00\x00\x00\x00\x00" *10)

However, when I try to run it, I get:

d****@***pi:~ $ python top2.py
Error in resetup():USBError('error sending control message: Operation not permitted',)
Error in resetup():USBError('error sending control message: Operation not permitted',)
Error in resetup():USBError('error sending control message: Operation not permitted',)
Error in resetup():USBError('error sending control message: Operation not permitted',)


If, however, I go into RfCat and paste those same commands, my light turns on.

HALP, please!


Link to comment
Share on other sites

Try running it as root or use sudo.

Name@Computer:~$ sudo python top2.py

Also that's an interesting way to repeat the command 10 times. It's not wrong don't get me wrong but it's a way to keep the 10101010... preamble from being transmitted 10 times instead of using the repeat feature of the RFxmit() function.

Link to comment
Share on other sites

sudo python top2.py works!

Next hurdle, I'd like to be able to run that when a particular web page gets a hit, so that I can have Alexa hit the page when I give a voice command.  The problem now is that the Apache server needs to be able to do "python top2.py" which only works with a sudo....

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...