This thing is a bit of a beast. People don't give it NEARLY the credit, or the documentation it deserves.
Two ways of using this thing: rfcat directly, or write a python script for it.
Basically, writing a python script is easier. Using rfcat directly is great but often, there are just too many silly settings to configure
Make sure you're transmitting in a band you're allowed to. No, this thing ain't that powerful at 20dBm (100mW) output but it's worth knowing that can literally kill people if you end up fucking with the wrong band...
Get a HAM license, look up the band plans the frequency coordinator in your area puts out, find the experimental allocation range, and stick to the middle of that range.
... Unless you're super clear on what you're doing.
Basically, don't transmit into a null load. Throw a 50Ohm antenna on there. If you didn't get one yet, go get one.
I found this note somewhere. It's as accurate as I've found:
>> What is the maximum transmitting power of the yardstick in mW?
>
> Roughly it is 100 mW (20 dBm). The transmit power is reduced a bit as
> the frequency increases, and it may vary from unit to unit. It is
> approximately 20 dBm at 300 MHz, 19 dBm at 450 MHz, and 18 dBm at 900
> MHz. (Those numbers are with the TX amplifier enabled.)
I don't know what the maximum input power this thing can handle is but basically don't fire up your Baofeng right next to the YARD Stick One or connect a transmitter directly to it without a good sized attenuator in the signal path.
There are a few good examples out there... but some of them are incomplete. The following script should cover the basics of transmitting data. Receiving "is left as an exercise for the reader" (lol. seriously, just haven't bothered yet. single ys1 here...)
There are a lot of example scripts that miss a really important piece of code: Setting the YS1 back to Idle mode. If you don't do this, rfcat seems to hang its responses to libusb and your host machine's OS will yell that the USB device has timed out.
Long and short of it: After you're done (doing RX or TX or whatever), call: d.setModeIDLE() as your scripts "final" command. That seems to tell rfcat/the YS1 to go back to it's normal USB handling.
#!/usr/bin/python2.7
import sys
from rflib import *
# The middle of the two NoCal, 70cm, Experimental bands
FREQ = 434200000 # (BW = 0.6MHz = 600kHz) 433.60+(434.80-433.60)/2
# FREQ = 438500000 # (BW = 0.05MHz = 50kHz) 438.45+(438.55-438.45)/2
PKTLEN = 1 # Set packet length
DRATE = 512
try:
d = RfCat()
d.setFreq(FREQ)
d.setMdmModulation(MOD_2FSK)
d.setMdmDeviatn(4500)
d.makePktFLEN(PKTLEN)
d.setMdmDRate(DRATE)
d.setMdmSyncMode(0) # disable syncword and preamble as this is not used
# by the remote.
#d.setMaxPower() # Pretty sure this turns on the TX amp
bytes = [0, 0x41, 0xff] # Data to send
d.setModeTX() # It's good to enter the right mode first...
d.RFxmit("".join(map(chr, bytes)))
# WITHOUT THIS YOU WILL GET USB TIMEOUTS!
d.setModeIDLE() # DO THIS OR GET USB TIMEOUTS!
except Exception, e: # Make sure things are sane...
d.setModeIDLE() # Probably a good idea here too... just in case
sys.exit("Error %s" % str(e))Just start playing with: rfcat -r
The author highly suggests picking up the cc1111 manual from TI...
After using rfcat -r to get an interactive terminal, you can type the following to get some help:
help(d)
These go for either using Python OR rfcat.
The simply way to see them is to just type MOD_ and hit tab in the interactive console...
I was dumb when I started and I had a bit of a hard time finding these. They are defined in rfcat/rflib/chipcon_nic.py along with a bunch of other useful things.
NOTE: Keep in mind that some of these modes are limited in various ways. Either bandwidth limitations (can't do RTTY using HAM 2FSK deviations), baud rate limitations, so on...
Also, each one has it's own strange ness with bit packing. Start digging... :D
""" MODULATIONS
Note that MSK is only supported for data rates above 26 kBaud and GFSK,
ASK , and OOK is only supported for data rate up until 250 kBaud. MSK
cannot be used if Manchester encoding/decoding is enabled.
"""
MOD_2FSK = 0x00
MOD_GFSK = 0x10
MOD_ASK_OOK = 0x30
MOD_MSK = 0x70
MANCHESTER = 0x08
MODULATIONS = {
MOD_2FSK : "2FSK",
MOD_GFSK : "GFSK",
MOD_ASK_OOK : "ASK/OOK",
MOD_MSK : "MSK",
MOD_2FSK | MANCHESTER : "2FSK/Manchester encoding",
MOD_GFSK | MANCHESTER : "GFSK/Manchester encoding",
MOD_ASK_OOK | MANCHESTER : "ASK/OOK/Manchester encoding",
MOD_MSK | MANCHESTER : "MSK/Manchester encoding",
}sudo apt-get install mercurial ipython
TODO: OOPS! They finally moved to github!
git clone https://github.com/atlas0fd00m/rfcat.git
This needs both libusb and python-usb.
sudo pip install pyusb==1.0.0b1
cd rfcat
sudo python setup.py install
You probably want to skip these:
sudo apt-get install sdcc
cd rfcat/firmware/
Obviously, this thing uses libusb. Direct control shouldn't be too hard... But Termux, for example, has shitty libusb support :(
dir(d) ['FHSSxmit', 'RESET', 'RFcapture', 'RFdump', 'RFlisten', 'RFrecv', 'RFxmit', 'doc', 'init', 'module', '_bootloader', '_clear_buffers', '_d', '_debug', '_do', '_doSpecAn', '_init_on_reconnect', '_quiet', '_radio_configured', '_recvEP0', '_recvEP5', '_recv_time', '_rfmode', '_sendEP0', '_sendEP5', '_stopSpecAn', '_threadGo', '_usbcfg', '_usbeps', '_usberrorcnt', '_usbintf', '_usbmaxi', '_usbmaxo', 'adjustFreqOffset', 'bootloader', 'calculateFsIF', 'calculateFsOffset', 'calculateMdmDeviatn', 'calculatePktChanBW', 'changeChannel', 'checkRepr', 'chipnum', 'chipstr', 'cleanup', 'ctrl_thread', 'debug', 'devnum', 'discover', 'endec', 'ep0GetAddr', 'ep0Peek', 'ep0Ping', 'ep0Poke', 'ep0Reset', 'ep5timeout', 'freq_offset_accumulator', 'getAESmode', 'getAmpMode', 'getBSLimit', 'getBuildInfo', 'getChannel', 'getChannels', 'getDebugCodes', 'getEnableMdmDCFilter', 'getEnableMdmFEC', 'getEnableMdmManchester', 'getEnablePktAppendStatus', 'getEnablePktCRC', 'getEnablePktDataWhitening', 'getFHSSstate', 'getFreq', 'getFreqEst', 'getFsIF', 'getFsOffset', 'getInterruptRegisters', 'getLQI', 'getMACdata', 'getMACthreshold', 'getMARCSTATE', 'getMdmChanBW', 'getMdmChanSpc', 'getMdmDRate', 'getMdmDeviatn', 'getMdmModulation', 'getMdmNumPreamble', 'getMdmSyncMode', 'getMdmSyncWord', 'getPartNum', 'getPktAddr', 'getPktLEN', 'getPktPQT', 'getRSSI', 'getRadioConfig', 'idx', 'lowball', 'lowballRestore', 'mac_SyncCell', 'makePktFLEN', 'makePktVLEN', 'max_packet_size', 'mhz', 'nextChannel', 'peek', 'ping', 'poke', 'pokeReg', 'printClientState', 'printRadioConfig', 'printRadioState', 'radiocfg', 'recv', 'recvAll', 'recv_event', 'recv_mbox', 'recv_queue', 'recv_thread', 'recv_threadcounter', 'reprAESMode', 'reprClientState', 'reprFreqConfig', 'reprHardwareConfig', 'reprMACdata', 'reprMdmModulation', 'reprModemConfig', 'reprPacketConfig', 'reprRadioConfig', 'reprRadioState', 'reprRadioTestSignalConfig', 'reprSoftwareConfig', 'reset_event', 'resetup', 'rf_configure', 'rf_redirection', 'rsema', 'runEP5_recv', 'runEP5_send', 'run_ctrl', 'scan', 'send', 'send_thread', 'send_threadcounter', 'setAESiv', 'setAESkey', 'setAESmode', 'setAmpMode', 'setBSLimit', 'setChannel', 'setChannels', 'setEnDeCoder', 'setEnableCCA', 'setEnableMdmDCFilter', 'setEnableMdmFEC', 'setEnableMdmManchester', 'setEnablePktAppendStatus', 'setEnablePktCRC', 'setEnablePktDataWhitening', 'setFHSSstate', 'setFreq', 'setFsIF', 'setFsOffset', 'setMACdata', 'setMACperiod', 'setMACthreshold', 'setMaxPower', 'setMdmChanBW', 'setMdmChanSpc', 'setMdmDRate', 'setMdmDeviatn', 'setMdmModulation', 'setMdmNumPreamble', 'setMdmSyncMode', 'setMdmSyncWord', 'setModeIDLE', 'setModeRX', 'setModeTX', 'setPktAddr', 'setPktPQT', 'setPower', 'setRFRegister', 'setRFbits', 'setRFparameters', 'setRadioConfig', 'setRfMode', 'setup', 'setup24330MHz', 'setup900MHz', 'setup900MHzContTrans', 'setup900MHzHopTrans', 'setup_rfstudio_902PktTx', 'specan', 'startHopping', 'stopHopping', 'strobeModeCAL', 'strobeModeFSTXON', 'strobeModeIDLE', 'strobeModeRX', 'strobeModeReturn', 'strobeModeTX', 'testTX', 'trash', 'xmit_event', 'xmit_queue', 'xsema']
using ipython:
Display all 177 possibilities? (y or n)
d.FHSSxmit d.getMdmSyncMode d.setAmpMode
d.RESET d.getMdmSyncWord d.setBSLimit
d.RFcapture d.getPartNum d.setChannel
d.RFdump d.getPktAddr d.setChannels
d.RFlisten d.getPktLEN d.setEnDeCoder
d.RFrecv d.getPktPQT d.setEnableCCA
d.RFxmit d.getRSSI d.setEnableMdmDCFilter
d.adjustFreqOffset d.getRadioConfig d.setEnableMdmFEC
d.bootloader d.idx d.setEnableMdmManchester
d.calculateFsIF d.lowball d.setEnablePktAppendStatus
d.calculateFsOffset d.lowballRestore d.setEnablePktCRC
d.calculateMdmDeviatn d.mac_SyncCell d.setEnablePktDataWhitening
d.calculatePktChanBW d.makePktFLEN d.setFHSSstate
d.changeChannel d.makePktVLEN d.setFreq
d.checkRepr d.max_packet_size d.setFsIF
d.chipnum d.mhz d.setFsOffset
d.chipstr d.nextChannel d.setMACdata
d.cleanup d.peek d.setMACperiod
d.ctrl_thread d.ping d.setMACthreshold
d.debug d.poke d.setMaxPower
d.devnum d.pokeReg d.setMdmChanBW
d.discover d.printClientState d.setMdmChanSpc
d.endec d.printRadioConfig d.setMdmDRate
d.ep0GetAddr d.printRadioState d.setMdmDeviatn
d.ep0Peek d.radiocfg d.setMdmModulation
d.ep0Ping d.recv d.setMdmNumPreamble
d.ep0Poke d.recvAll d.setMdmSyncMode
d.ep0Reset d.recv_event d.setMdmSyncWord
d.ep5timeout d.recv_mbox d.setModeIDLE
d.freq_offset_accumulator d.recv_queue d.setModeRX
d.getAESmode d.recv_thread d.setModeTX
d.getAmpMode d.recv_threadcounter d.setPktAddr
d.getBSLimit d.reprAESMode d.setPktPQT
d.getBuildInfo d.reprClientState d.setPower
d.getChannel d.reprFreqConfig d.setRFRegister
d.getChannels d.reprHardwareConfig d.setRFbits
d.getDebugCodes d.reprMACdata d.setRFparameters
d.getEnableMdmDCFilter d.reprMdmModulation d.setRadioConfig
d.getEnableMdmFEC d.reprModemConfig d.setRfMode
d.getEnableMdmManchester d.reprPacketConfig d.setup
d.getEnablePktAppendStatus d.reprRadioConfig d.setup24330MHz
d.getEnablePktCRC d.reprRadioState d.setup900MHz
d.getEnablePktDataWhitening d.reprRadioTestSignalConfig d.setup900MHzContTrans
d.getFHSSstate d.reprSoftwareConfig d.setup900MHzHopTrans
d.getFreq d.reset_event d.setup_rfstudio_902PktTx
d.getFreqEst d.resetup d.specan
d.getFsIF d.rf_configure d.startHopping
d.getFsOffset d.rf_redirection d.stopHopping
d.getInterruptRegisters d.rsema d.strobeModeCAL
d.getLQI d.runEP5_recv d.strobeModeFSTXON
d.getMACdata d.runEP5_send d.strobeModeIDLE
d.getMACthreshold d.run_ctrl d.strobeModeRX
d.getMARCSTATE d.scan d.strobeModeReturn
d.getMdmChanBW d.send d.strobeModeTX
d.getMdmChanSpc d.send_thread d.testTX
d.getMdmDRate d.send_threadcounter d.trash
d.getMdmDeviatn d.setAESiv d.xmit_event
d.getMdmModulation d.setAESkey d.xmit_queue
d.getMdmNumPreamble d.setAESmode d.xsema
Thanks for the writeup homie!