The Evil Crow Is Ready To Cause Some RF Mayhem

There’s no doubt that the RTL-SDR project has made radio hacking more accessible than ever, but there’s only so far you can go with a repurposed TV tuner. Obviously the biggest shortcoming is the fact that you can only listen to signals, and not transmit them. If you’re ready to reach out and touch someone, but don’t necessarily want to spend the money on something like the HackRF, the Evil Crow RF might be your ideal next step.

This Creative Commons licensed board combines two CC1101 radio transceivers and an ESP32 in one handy package. The radios give you access to frequencies between 300 and 928 MHz (with some gaps), and the fact that there are two of them means you can listen on one frequency while transmitting on another, opening up interesting possibilities for relaying signals. With the standard firmware you connect to a web interface running on the ESP32 to configure basic reception and transmission options, but there’s also a more advanced RFQuack firmware that allows you to control the hardware via Python running on the host computer.

Using the Evil Crow RF without a computer.

One particularly nice feature is the series of buttons located down the side of the Evil Crow RF. Since the device is compatible with the Arduino IDE, you can easily modify the firmware to assign various functions or actions to the buttons.

In a demonstration by lead developer [Joel Serna], the physical buttons are used to trigger a replay attack while the device is plugged into a standard USB power bank. There’s a lot of potential there for covert operation, which makes sense, as the device was designed with pentesters in mind.

As an open source project you’re free to spin up your own build of the Evil Crow RF, but those looking for a more turn-key experience can order an assembled board from AliExpress for $27 USD. This approach to hardware manufacturing seems to be getting popular among the open source crowd, with the Open-SmartWatch offering a similar option.

[Thanks to DJ Biohazard for the tip.]

32 thoughts on “The Evil Crow Is Ready To Cause Some RF Mayhem”

  1. Nice project, but this is not really SDR, since the CC1101 radio transceivers are not for SDR: they implement the PHY layer and output decoded bits (or vice versa), not IQ samples.

      1. Hi!

        Yes, you can use the RAW RX and RAW TX examples to receive and transmit raw data. I added these examples to the repository because some signals are not decoded correctly with the libraries.

        If you have any doubt about how to use this, you can write me via twitter (@JoelSernaMoreno) or open an issue in the repository.

        Thanks!

      2. No, you are right, they are an HDR (Hardware Defined Radio), but with their supported modulations they can totally run circles around an SDR. As long as your needs match what they provide, and lots of applications do, they are fantastic.
        Modulation: ASK modulation, OOK modulation, 2-FSK modulation, GFSK modulation, 4-FSK modulation, MSK modulation
        Data Rate[kBaud]: 0.6 up to 500
        Bandwidth: 812kHz, 650kHz, 541kHz, 464kHz, 406kHz, 325kHz, 270kHz, 232kHz, 203kHz, 162kHz, 135kHz, 116kHz, 102kHz, 81kHz, 68kHz, 58kHz

        1. There are many such radios; even ST has the S2LP (but with a little lower frequency range, and when I’ve tried to use it, it sucked very badly on the API front: lots of configuration problems and general software instability).

    1. Hi!

      You can use the RAW RX and RAW TX examples to receive and transmit raw data. I added these examples to the repository because some signals are not decoded correctly with the libraries.

      If you have any doubt about how to use this, you can write me via twitter (@JoelSernaMoreno) or open an issue in the repository.

      Thanks!

        1. It is a simple raw recording which is recorded by the microcontroller, almost like with the cheap 433 MHz modules. The CC1101 can do both: internally, and also loop the signal through and process it externally.

    1. I always assumed that it was legal on ISM bands, with an external filter to prevent transmissions outside of the band, so long as the frequency, EIRP (Effective Isotropic Radiated Power) and duty cycle were within the legal limits defined for that ISM band in that country.

          1. Are you just being pedantic, or is there a point hidden in there?
            Are you saying that people who have been allocated an amateur radio license can legally use a cell phone (with approved hardware using the telco’s license)? Or is there some other thing that I’m missing?

          2. So type accepted equipment?
            Which that design without any clear type acceptance is not?
            Tbh selling it on ali is the best way to do it. No regulatory hurdles to overcome when you don’t even try to comply :P

    2. Here in the US, licensed amateur radio operators can operate on any radio they want so long as the RF output falls within legal specs for things like signal purity and harmonic suppression. The frequency range is a bit limited, but this could be legally used to transmit on both the 70 cm band (420 – 450 MHz in the US) and 33 cm band (902 – 928 MHz in the US).

      1. I have an amateur radio license (in Canada); this device is only usable by a subcategory, and many may not even qualify then, as it would have to be self-certified by the license holder.

        Broadcasting in the ISM bands without an amateur radio license requires the device itself be certified in both Canada and the United States.

        I recently acquired boards for use in the ISM bands, and went through the hoops necessary to see that they were legal, that their usage will stay legal and that I don’t require an upgrade on my amateur radio license to use them.

        So yes, it bothers me when uncertified devices are presented without at least a minimum level of reminder of qualifications required to import and use them.

        (In Canada it requires Advanced certification for the described use and purpose).

      2. A ham license is only about ham use. It doesn’t mean you can do anything radio related.

        The original question was good. This thing can transmit over a wide spectrum range, but there are lots of limitations on what it might actually be used for.

      1. “The radios give you access to frequencies between 300 and 928 MHz”.

        That covers TV frequencies (or maybe former now), the 420MHz and 902MHz ham bands, the public service band around 450MHz, FRS and GMRS. ISM is just a small portion. And maybe some military allocations.

        And even if a frequency can be used, it doesn’t mean just any equipment is allowed.

  2. Radio devices such as cell phones sold in the USA are licensed by the manufacturer: Apple, Samsung, etc. applied for a license on their product to operate within a spec. Devices such as this are ‘open’ and can be configured to operate in a number of ways. When in doubt, look for stickers on the device. If there is no FCC ID sticker, then you need to be licensed. Challenge the law if you wish, but you’ve been warned.

  3. I wonder if the name EvilCrow-RF has anything to do with the Association of Old Crows [1][2]:

    “The Association of Old Crows is an international nonprofit professional organization specializing in electronic warfare, tactical information operations, and associated disciplines headquartered in Alexandria, Virginia. Its mission is to ‘advocate the need for a strong defense capability emphasizing electronic warfare and information operations to government, industry, academia, and the public.’”

    * References:

    1. https://en.wikipedia.org/wiki/Association_of_Old_Crows

    2. https://www.crows.org/

  4. In the article it says “As an open source project you’re free to spin up your own build of the Evil Crow RF”. Does anyone know where to find drawings for the PCB and a parts list?
