Help us make GollumRF more useful: please take this GollumRF survey.

GollumRF Block Diagram

GollumRF:

• is a programmable Sub-1GHz RF remote control,
• is programmed & controlled with your Smartphone but can work in standalone mode
• can acquire & show you RF codes from your existing remote controls,
• can generate new codes for any existing brands and models,
• replaces various existing remote controls from different vendors,
• allows RF data to be transmitted & received,
• can communicate with many proprietary RF device.

GollumRF embeds 2 microcontrollers :

• Nordic Semiconductor nRF51822 Bluetooth low energy System on Chip, with ARM Cortex-M0 32 bit processor, 256 kB embedded flash program memory & 16 kB RAM
• Texas Instruments CC1111 Low-Power SoC (System-on-Chip) with 8051 MCU, 32 kB Memory, Sub-1 GHz RF Transceiver, and USB Controller

And some useful peripherals :

• 8 MB SPI Flash memory
• Battery fuel gauge
• Charge IC
• Buttons, Leds
• Debug pins

Usage

GollumRF can be used at 315/433/868/915 MHz frequencies for :

• Transmit and receive RF data

Here is a short video we made some time ago, showing how to duplicate a fixed code remote control with GollumRF V1.

French speaking, but English subtitles ;-)

• Spectrum analyzer

• Sniff & Replay attack
• Jamming - Achtung! Verboten :-)
• Cloning garage door remote controls, but it works also for keyfobs, proprietary home automation protocols, and a lot of others RF protocols. GollumRF already supports fixed code, and we are currently implementing some of the major rolling codes algorithm used (Keeloq, …) for garage door remote controls like FAAC, Nice, Cardin, etc…
• Share captured data & settings with another GollumRF

Again, a short video made with GollumRF V1, showing how to transfer RF codes between 2 GollumRF devices, using our backend.

• Whatever you can think of using its JavaScript & Python scripting engine…

BLE or USB Connection mode

GollumRF can be connected to :

• Smartphone using :

• Bluetooth Smart (BLE 4.0), using either our Android & iOS applications or embed provided Gollum libraries into your own Android or iOS application
• Micro USB Male-Male, using either our Android application or embed provided Gollum library into your own Android application
• Linux computer using :
  • USB cable & Python (enjoy the power of RfCat)
  • USB cable & our native-C library

Note there is a much better throughput when using USB, so it is recommended method for capturing or transmitting data with high data rates.

However BLE connection is more than enough when dealing with keyfobs or gate openers.

Standalone mode

GollumRF has a LiPo battery inside and can be recharged by USB.

You can program GollumRF with whatever transmit function you want and assign this function to any of the 4 available buttons. GollumRF now behaves as a standard remote control and you do not need to be connected using USB or BLE to use it.

Scripting with Python

GollumRF natively supports RfCat and its Python scripting mode (interactive shell or file parsing).

This mode can only be used when GollumRF is connected to a Linux PC using USB.

All other RfCat helpers are also supported, eg. PWM AM/OOK Scanner from RfCatHelpers from Andrew Mohawk

Scripting with JavaScript

GollumRF also supports JavaScript dynamic programming.

Similarly as for Python engine, the JavaScript engine is hosted and running on host side (inside our Gollum host library) so for now JavaScript usage is only possible when connected to a Smartphone.

You can use any example from our default scripts provided in Gollum application and modify it to fit your need.

For example, our Gollum library understand some custom JavaScript functions like :

gollumRfSetRfConfigPredefined(0);
gollumRfSetFrequency(435000000);
gollumRfSetModulation(OOK);
gollumRfTxFlush();
gollumRfSendStream(codeword);
...

Detailed API documentation will be available soon.

Multi GollumRF connection

We are currently working on a new feature allowing our app to connect to more than one GollumRF at the same time.

This allows some interesting scenarii :

• Jam, capture & replay attacks. Cf. RollJam & Anatomy of the RollJam Wireless Car Hack
• data capture of Frequency hopping devices
• and many other we didn’t even think of…

Wireless Firmware Update

Both our microcontrollers firmwares (CC1111 & nRF51822) contain bootloaders, and our application automatically detects availability of new FW and flash the device if needed. You can also wirelessly flash your own FW if you want to, assuming you have the required knowledge & compilers.

RF SW customization

Assuming you need to develop your own transmit or receive function, the RF SW is open source so you can modify it and reflash it.

You can also directly read and write CC1111 Radio registers, either with Android/iOS application

or with JavaScript file using a GollumRF function:

...
// Read Frequency Control Word, Low Byte
reg = gollumRfRegisterRead(CC1111_FREQ0);

// Change modulation to OOK
gollumRfRegisterWrite(CC1111_MDMCFG2, 0x30);
...

Hardware

We have already made 5 different HW, and are now working on the Rev C of the Gollum V2.

Debug pins

GollumRF enables external debuggers to be connected.

GollumRF has debug pins for :

• nRF51822 BLE chip (SWDIO/SWDCLK). We use the embedded Segger debugger from a nRF51 DK board and connect its Debug out connector to the GollumRF. This gives us a powerful debugger fro a very low cost (70€).
• CC1111 RF SoC (DD/DC). We use a Texas Instruments CC-Debugger, which is also very low cost (45€).
• UART (TX/RX/RTS/CTS). Connecting 2 USB to TTL USB UART Module Serial Converters to the RX and TX pins of the UART will allow you to see all data exchanged between nRF51822 and CC1111.

Debug board provided

We know it is sometime not easy to debug or reprogram a board which is not designed for this.

This is why we provide also a dedicated debug board, specifically designed for GollumRF.

Gollum features

SW

• Device cloning by capturing existing codes
• Fixed codes & rolling codes
• Over The Air FW update
• JavaScript RF scripting language on host side
• Evolutive as new RF protocols can be added on the fly
• RF Packet sniffer
• Spectrum analyzer
• Real time data display
• RfCat Python script support (USB version). Thanks @at1as
• Cloud Backend for storing and sharing RF codes & protocols (optional)
• Android and iOS SDK & demo application
• Open API (Android/iOS/C) for USB or BLE connection

HW

• Multi frequencies (300-348 MHz, 391-464 MHz and 782-928 MHz)
• Multi modulation (ASK/OOK/MSK/2-FSK/GFSK)
• Transmit and receive in half duplex mode
• Programmable data rate up to 500 kBaud
• Programmable output power up to 10 dBm
• Communication with host using USB (Linux or Android) or Bluetooth 4.1 (Android or iOS)
• USB charging & battery powered
• 4 buttons to assign codes
• 3 Status LEDs
• 8 Mbit embedded memory
• Open hardware

Evolution