Procedures

A procedure verifies one thing for a single protocol × layer of the descent — a numbered, reproducible method with a worked field case, the known attacks with citations, and layered remediation. These are the entries you run during, and cite in, an assessment. Browse by technology in the sidebar, or pick one from the full list below.

colour = layer of the descent (IG → AP) · id = RFSAM-<PROTOCOL>-<LAYER>-NN · status: VERIFIED = real field case; REVIEWED = cited, illustrative field case; DRAFT = in progress
RFSAM-BLE-IG-01 · Identify the SoC and host stack, then check the published vulnerability corpus · REVIEWED
RFSAM-BLE-SP-01 · Establish BLE channel map and capture feasibility · REVIEWED
RFSAM-BLE-PHY-01 · Demodulate the air and recover link-layer bits · REVIEWED
RFSAM-BLE-LL-01 · Audit advertising and identifier exposure · REVIEWED
RFSAM-BLE-LL-02 · Capture an established connection's data channel · REVIEWED
RFSAM-BLE-CR-01 · Assess BLE pairing and decrypt weak pairings · VERIFIED
RFSAM-BLE-AT-01 · Live connection hijacking · VERIFIED
RFSAM-BTC-IG-01 · Identify the device, BR/EDR mode and vulnerability corpus · REVIEWED
RFSAM-BTC-SP-01 · Inquiry-scan and confirm a reachable BR/EDR device · REVIEWED
RFSAM-BTC-LL-01 · Capture Bluetooth Classic baseband traffic · VERIFIED
RFSAM-BTC-CR-01 · Assess pairing and encryption key strength · VERIFIED
RFSAM-BTC-AT-01 · Test baseband/LMP resilience and availability · REVIEWED
RFSAM-BTC-AP-01 · Enumerate and exercise exposed BR/EDR profiles · REVIEWED
RFSAM-WIFI-SP-01 · Survey bands, channels and monitor-mode capture feasibility · VERIFIED
RFSAM-WIFI-LL-01 · Verify management-frame protection and identity exposure · REVIEWED
RFSAM-WIFI-CR-01 · Assess WPA handshake and PMKID key recovery · REVIEWED
RFSAM-LORA-SP-01 · Survey the LoRa sub-band and prove sub-noise reception · REVIEWED
RFSAM-LORA-PHY-01 · Demodulate LoRa CSS symbols from captured I/Q · REVIEWED
RFSAM-LORA-LL-01 · Profile LoRaWAN frames and harvest cleartext join identifiers · REVIEWED
RFSAM-LORA-CR-01 · Assess LoRaWAN join and session-key management · REVIEWED
RFSAM-LTE-IG-01 · Inventory the baseband and RAN/core stack, then check the published vulnerability corpus · REVIEWED
RFSAM-LTE-SP-01 · Identify the operator, band and cell before capture · REVIEWED
RFSAM-LTE-PHY-01 · Recover the LTE resource grid with coherent capture · REVIEWED
RFSAM-LTE-LL-01 · Decode the control channel and inventory clear-text identifiers · REVIEWED
RFSAM-RFID-SP-01 · Identify carrier, standard and chip family · VERIFIED
RFSAM-RFID-CR-01 · Assess Crypto1 key strength on MIFARE Classic · REVIEWED
RFSAM-RFID-AT-01 · Clone, emulate and relay a credential · REVIEWED
RFSAM-SUBG-SP-01 · Sweep the ISM bands and discover sub-GHz bursts · VERIFIED
RFSAM-SUBG-PHY-01 · Demodulate and frame a Sub-GHz burst · REVIEWED
RFSAM-SUBG-LL-01 · Recover frame structure and addressing · VERIFIED
RFSAM-SUBG-CR-01 · Assess rolling-code interception, replay and key recovery · REVIEWED
RFSAM-SUBG-AT-01 · Replay and forge a sub-GHz burst · VERIFIED
RFSAM-ZIGBEE-SP-01 · Survey the 802.15.4 channels and confirm capture feasibility · REVIEWED
RFSAM-ZIGBEE-LL-01 · Map PAN, addressing and devices from cleartext headers · VERIFIED
RFSAM-ZIGBEE-CR-01 · Assess network-key provisioning and rotation · REVIEWED
RFSAM-ZWAVE-SP-01 · Confirm the regional channel and prove Z-Wave capture · REVIEWED
RFSAM-ZWAVE-CR-01 · Assess the key-establishment scheme (S0 vs S2) · REVIEWED
RFSAM-THREAD-LL-01 · Map mesh discovery and commissioning exposure · VERIFIED
RFSAM-THREAD-CR-01 · Assess mesh credential provisioning and protection · REVIEWED
RFSAM-GNSS-SP-01 · Survey L-band for GNSS signal presence and interference · REVIEWED
RFSAM-GNSS-AT-01 · Test spoofing and jamming resilience · REVIEWED
RFSAM-ADSB-PHY-01 · Capture and decode ADS-B messages · REVIEWED
RFSAM-ADSB-LL-01 · Assess ADS-B message authenticity · REVIEWED
RFSAM-NR5G-SP-01 · Identify and capture the target 5G NR cell · VERIFIED
RFSAM-NR5G-LL-01 · Inventory identity and configuration exposed on the broadcast channels · REVIEWED
RFSAM-GSM-SP-01 · Survey ARFCNs and confirm a captureable GSM carrier · VERIFIED
RFSAM-GSM-CR-01 · Assess A5 ciphering and IMSI/TMSI exposure · VERIFIED
RFSAM-UWB-PHY-01 · Capture and characterise UWB ranging exchanges · REVIEWED
RFSAM-UWB-AT-01 · Assess distance-manipulation resilience · REVIEWED