Roadmap

RFSAM is built in two tracks. The Wayfinder — the interactive per-technology kits — is complete across the technologies below. The Procedures — the written verification steps, with field cases and remediation — are authored and citation-verified across the protocols below; most field cases are still illustrative templates until real captures replace them.

Wayfinder toolchains 15/15 complete

Each technology mapped down the full six-step descent, with a verified hardware + software kit at every step.

Bluetooth Low Energy COMPLETE
2.400–2.480 GHz
Bluetooth Classic COMPLETE
2.402–2.480 GHz (BR/EDR)
Wi-Fi (802.11) COMPLETE
2.4 / 5 / 6 GHz
LoRa / LoRaWAN COMPLETE
ISM sub-GHz (US915 / EU868)
LTE / 4G COMPLETE
Licensed cellular
RFID / NFC COMPLETE
125 kHz LF / 13.56 MHz HF
Sub-GHz ISM / Remotes COMPLETE
315 / 433 / 868 / 915 MHz
Zigbee / 802.15.4 COMPLETE
2.4 GHz (+ 868/915 MHz)
Z-Wave COMPLETE
Sub-GHz, region-specific (~868/908 MHz)
Thread / Matter COMPLETE
2.4 GHz (802.15.4)
GNSS / GPS COMPLETE
L-band (e.g. GPS L1 1575.42 MHz)
ADS-B (aviation) COMPLETE
1090 MHz / 978 MHz UAT
5G NR COMPLETE
FR1 sub-6 GHz / FR2 mmWave
GSM / 2G COMPLETE
850 / 900 / 1800 / 1900 MHz
Ultra-Wideband COMPLETE
3.1–10.6 GHz

Procedures 49 written · 14 verified · 28 open gaps · 0 planned

RFSAM grows by pull request. This heatmap is the honest state of coverage — every cell is a protocol × layer of the descent, so you can see exactly what exists and what doesn't. The amber cells are where the Wayfinder already names the kit but no procedure is written yet: the best place to start. Read CONTRIBUTING, copy a template, and open a PR.

verified — real field case
reviewed — illustrative field case (needs a real capture)
kit ready — procedure unwritten (help wanted)
not yet scoped

Per-protocol detail

Bluetooth Low Energy

RFSAM-BLE-IG-01 Known vulnerabilities of the SoC and host stack REVIEWED
RFSAM-BLE-SP-01 Channel map and capture feasibility REVIEWED
RFSAM-BLE-PHY-01 Demodulation and bit recovery REVIEWED
RFSAM-BLE-LL-01 Advertising and identifier exposure REVIEWED
RFSAM-BLE-LL-02 Connection-data capture REVIEWED
RFSAM-BLE-CR-01 Pairing and encryption assessment VERIFIED
RFSAM-BLE-AT-01 Hijack a live BLE connection VERIFIED

Bluetooth Classic

RFSAM-BTC-IG-01 Identify the device, BR/EDR mode and vulnerability corpus REVIEWED
RFSAM-BTC-SP-01 Inquiry-scan and confirm a reachable BR/EDR device REVIEWED
RFSAM-BTC-LL-01 Capture Bluetooth Classic baseband traffic VERIFIED
RFSAM-BTC-CR-01 Assess pairing and encryption key strength VERIFIED
RFSAM-BTC-AT-01 Test baseband/LMP resilience and availability REVIEWED
RFSAM-BTC-AP-01 Enumerate and exercise exposed BR/EDR profiles REVIEWED

Wi-Fi (802.11)

RFSAM-WIFI-SP-01 Band and channel survey VERIFIED
RFSAM-WIFI-LL-01 Management-frame exposure REVIEWED
RFSAM-WIFI-CR-01 WPA handshake / PMKID assessment REVIEWED

LoRa / LoRaWAN

RFSAM-LORA-SP-01 Sub-band occupancy and capture REVIEWED
RFSAM-LORA-PHY-01 Chirp demodulation REVIEWED
RFSAM-LORA-LL-01 LoRaWAN frame profiling REVIEWED
RFSAM-LORA-CR-01 Join and session-key assessment REVIEWED

LTE / 4G

RFSAM-LTE-IG-01 Baseband and modem vulnerabilities REVIEWED
RFSAM-LTE-SP-01 Cell identification and capture REVIEWED
RFSAM-LTE-PHY-01 Resource-grid recovery REVIEWED
RFSAM-LTE-LL-01 Control-channel / identity exposure REVIEWED

RFID / NFC

RFSAM-RFID-SP-01 Carrier and standard identification VERIFIED
RFSAM-RFID-CR-01 Crypto1 / key-strength assessment REVIEWED
RFSAM-RFID-AT-01 Clone, emulate and relay REVIEWED

Sub-GHz ISM / Remotes

RFSAM-SUBG-SP-01 Burst discovery and characterisation VERIFIED
RFSAM-SUBG-PHY-01 Demodulation and framing REVIEWED
RFSAM-SUBG-LL-01 Frame and addressing recovery VERIFIED
RFSAM-SUBG-CR-01 Rolling-code assessment REVIEWED
RFSAM-SUBG-AT-01 Replay and forge VERIFIED

Zigbee / 802.15.4

RFSAM-ZIGBEE-SP-01 Channel survey and capture feasibility REVIEWED
RFSAM-ZIGBEE-LL-01 PAN, addressing and device discovery VERIFIED
RFSAM-ZIGBEE-CR-01 Network-key provisioning and rotation REVIEWED

Z-Wave

RFSAM-ZWAVE-SP-01 Region/frequency identification REVIEWED
RFSAM-ZWAVE-CR-01 Key establishment assessment REVIEWED

Thread / Matter

RFSAM-THREAD-LL-01 Mesh discovery and commissioning exposure VERIFIED
RFSAM-THREAD-CR-01 Network credential assessment REVIEWED

GNSS / GPS

RFSAM-GNSS-SP-01 Signal presence and interference survey REVIEWED
RFSAM-GNSS-AT-01 Spoofing and jamming resilience REVIEWED

ADS-B (aviation)

RFSAM-ADSB-PHY-01 Message capture and decode REVIEWED
RFSAM-ADSB-LL-01 Message authenticity assessment REVIEWED

5G NR

RFSAM-NR5G-SP-01 Cell identification and capture VERIFIED
RFSAM-NR5G-LL-01 Broadcast / identity exposure REVIEWED

GSM / 2G

RFSAM-GSM-SP-01 ARFCN survey and capture VERIFIED
RFSAM-GSM-CR-01 Cipher and identity exposure VERIFIED

Ultra-Wideband

RFSAM-UWB-PHY-01 Ranging signal capture REVIEWED
RFSAM-UWB-AT-01 Distance-manipulation resilience REVIEWED