RFCut

⚠️ Work in Progress — unstable codebase, no release build, no guarantees.

Android app for HackRF One to capture, decode, and replay Sub-GHz signals.
Built with Kotlin/Jetpack Compose (frontend) and a Rust/JNI native core (rust_core).

thanks to creators of protopirate and Flipper-arf and KAT, dunno where else the code comes from. ai mystery

---

What the app does

Receive (RX)

• Connect HackRF One via USB-OTG
• Set frequency, start RX
• IQ data is demodulated on-device (OOK/ASK)
• Decoded signals appear in the signal list

Decoding

The Rust core decodes received pulses against ~120 protocol decoders.

Gate / garage door / barrier (fixed code & rolling code):

• CAME TOP (12/24 bit), CAME Atomo, CAME Twee
• NICE FLO (12/24 bit), NICE Flor-S (rolling)
• Hörmann HSM, Hörmann HS4
• Somfy RTS (rolling), Somfy Keytis
• KeeLoq HCS301 (rolling), KeeLoq BFT/Mitto (rolling)
• Alutech AT-4N, Ansonic, Beninca ARC, Bett, Chamberlain Code
• Dickert MAHS, Doitrand, Dooya, Elplast, FAAC SLH
• Gangqi, Gate TX, Hay21, Holtek HT12x, Hollarm
• IDO, IntertechnoV3, Jarolift, KingGates Stylo 4K
• Legrand, Linear, Linear Delta3, Magellan
• Marantec, Marantec24, Mastercode, MegaCode, Nero Radio, Nero Sketch
• Phoenix V2, Power Smart, Princeton, Roger, Sheriff CFM, SMC5326
• Star Line, Revers RB2, Security+ V1/V2, Somfy Telis

Automotive (✓ = encoder implemented, ✗ = decode only):

• VAG (VW/Audi/Skoda/SEAT) ✓, Ford V0 ✓, Ford V1 ✓, Ford V2 ✗, Ford V3 ✗
• Fiat V0 ✓, Fiat V1 ✗, Fiat Marelli ✓, Fiat SPA ✓, PSA ✓, PSA2 ✓
• Kia V0 ✓, Kia V1 ✓, Kia V2 ✓, Kia V3/V4 ✓, Kia V5 ✗, Kia V6 ✓, Kia V7 ✓
• Hyundai/Kia Rio ✓, Santa Fe ✓
• Mazda V0 ✗, Mazda Siemens ✓, Mitsubishi V0 ✓
• Subaru ✓, Suzuki ✓, Chrysler ✓, Scher-Khan ✓, BMW CAS4 ✗
• Honda Static ✓, Porsche Cayenne ✓, Porsche Touareg ✓, Land Rover RKE ✓

Other:

• Oregon Scientific V2 (weather station)
• LaCrosse TX (weather station)
• TPMS 433 MHz (tire pressure sensors, display only)
• Versacom (DIN 43861-401, ripple control)
• Semagyr-Top (DIN 43861-402, ripple control)
• Honeywell, Honeywell WDB, Keyfinder, Treadmill37
• BinRaw (fallback)
• KeeLoq Generic (brute-force against embedded keystore)

Replay / TX

• Signals with encoderCapable = true can be replayed directly
• ControlPad bottom sheet shows available buttons per protocol (e.g. Open, Close, Stop)
• Rolling-code protocols (KeeLoq, Nice Flor-S, Somfy RTS, CAME Atomo, Security+ 2.0):
  83 manufacturer keys embedded (BFT, DoorHan, NICE Smilo/MHouse, Sommer, EcoStar, CAME Space, Beninca ARC, FAAC SLH, and more) — for unknown manufacturers without a matching key, only a single one-shot replay of the captured frame is possible
• Automotive protocols: TX supported where encoder is implemented (see decoder list above); decode-only where marked ✗

Import / Export

• Import Flipper Zero .sub files (RAW and decoded protocols)
• Export as .sub file (compatible with Flipper Zero Sub-GHz format)
• IQ captures are not exported as .sub (raw IQ ≠ Sub-GHz level/duration format)

Waterfall

• Real-time spectrum display during RX

---

Requirements

Requirement	Version
Android	9.0+ (minSdk 28)
HackRF One	via USB-OTG
Android Studio	Hedgehog or newer
Android SDK	34
Kotlin	2.0.21
Rust	stable + cargo-ndk
Android NDK	r26b (26.1.10909125)

---

Build

1. hackrf_android.aar

mkdir -p app/libs
curl -fL https://github.com/demantz/hackrf_android/raw/master/hackrf_android.aar \
     -o app/libs/hackrf_android.aar

The CI script patches the AAR automatically (broken theme reference in the manifest).
For local builds, patch manually:

cd app/libs
mkdir -p _patch && unzip -o hackrf_android.aar -d _patch
sed -i 's|Theme\.Material\.NoTitleBar\.Fullscreen|Theme.NoTitleBar.Fullscreen|g' \
  _patch/AndroidManifest.xml
cd _patch && zip -r ../hackrf_android.aar . && cd .. && rm -rf _patch

2. Install Rust targets

rustup target add aarch64-linux-android armv7-linux-androideabi \
                  i686-linux-android x86_64-linux-android
cargo install cargo-ndk --locked

3. Set NDK path

echo "ndk.dir=$ANDROID_NDK_ROOT" >> local.properties

4. Build

./gradlew assembleDebug

APK: app/build/outputs/apk/debug/

CI (GitHub Actions)

Push to main/master automatically builds a debug APK and uploads it as an artifact.

---

Architecture

MainActivity (Kotlin/Compose)
  └── MainViewModel
        ├── HackRfRepository       ← hackrf_android.aar, half-duplex guard (no simultaneous RX/TX)
        ├── SignalRepository        ← Room DB (captured signals)
        └── rust_core (JNI)
              ├── ProtocolRegistry  ← ~120 decoders, Flipper-style: all decoders fed per pulse
              ├── Demodulator       ← IQ → OOK level/duration pairs
              ├── Keystore          ← embedded manufacturer keys (KeeLoq etc.)
              └── Encoder           ← IQ generation for TX (session handle pattern)

The Rust core is compiled for all Android ABIs via cargo-ndk and linked through JNI.
Each protocol has its own decoder implementing the ProtocolDecoder trait: feed(), encode(), supported_buttons().

---

Known limitations (Work in Progress)

• No release build / no APK signing configured
• Waterfall FFT is simplified (no real FFT library)
• Not all ~120 Rust decoders have a corresponding Kotlin encoder
• Automotive decoders: most have TX/encode support; Ford V2/V3, Fiat V1, Kia V5, BMW CAS4 are decode-only

---

Legal

For research and educational purposes only. Use only on devices you own or have explicit permission to test.

Unauthorized interception or transmission of radio signals may be illegal in your jurisdiction. Use at your own risk.

---

Repository

limbo111111/rfcut