A few days ago, I read this magnificent writeup about making a Raspberry Pi an FM transmitter using GPIO.
It was hacky and nerdy enough to get my attention, and it made me immerse myself in this kind of radio hacking for the past few days. I wouldn’t say I fully understand everything I’m about to write, since I’m not big on electronic engineering, but it is easy – even if you’re not an EE major – to understand how this whole thing works. For starters, let’s crack a gate opener remote!
So, first things first, I have to bring up this keyword: software-defined radio. I find this domain fascinating and think everyone who majors in CS should try it at least once. As a software engineer, I have to admit that I very much lack knowledge of the details of how wireless technologies actually work, even the small things – car remotes, ceiling fan remotes, gate opener remotes, things like that. I’ve been passionate about embedded software and circuitry since high school, but my best rough guess at how a gate remote works was that there would be an RF transmitter that sends a series of data to the gate receiver, and if the password was correct, the gate would open.
While my rough guess turned out to be true, I wouldn’t have known how to find out what data they actually exchange, how to replay that data, or, more importantly, whether a replay attack would even work!
That’s when SDR comes in. Software-defined radio is a radio system in which work normally done by hardware components is done in software instead. In a conventional radio, many stages – low-pass filters, decoders, and so on – are hard-wired into the circuit. With SDR, you implement those stages in software. As you can imagine, having them in software gives you a lot of freedom – like cracking a gate opener remote.
What you need in order for you to follow this post further:
- A software-defined radio transceiver (there are a few options, google it. mine is HackRF One)
- GNURadio (just run sudo apt-get install gnuradio)
- Your gate opener
Recording what your gate opener says
First, you have to know at what frequency the gate opener talks to the receiver. In most cases, it’s written on the back. Like this:
It says 300 MHz, so now we know which frequency to look at.
So let’s set up GNURadio to listen on that frequency. If you’re lost here, copy the GNURadio flow graph below:
Now run the flow graph and press the button on your gate opener. Adjust the parameters in the GUI until you get the cleanest time-series graph you can. Like this:
Yay, this is what your gate opener actually says to the receiver.
Figuring out what it actually means
To make sense of the graph you just captured, you have to know what OOK is. On-off keying, or OOK, is one of the most basic modulation techniques for representing digital data. There are others, like ASK, PSK and FSK, but we won’t talk about those in this post, since our goal is just to crack our gate openers. OOK, simply put, is shouting at fixed intervals: in each interval, not shouting means 0 and shouting means 1. For more details: https://en.wikipedia.org/wiki/On-off_keying
So, according to the graph above, the gate opener transmits digital data that goes like this:
Replaying the data
So now we know what digital data the gate opener was transmitting when you pressed the button, and what modulation method it uses to send the data over the air.
However, even knowing this much, there is one more thing to find out: the baud rate. Baud rate is the number of symbols transferred per second; with OOK each symbol is one bit, so it is simply bits per second. Why do we need to know this? Because if you don’t know the baud rate the gate opener transmits at, you can’t replicate the exact behavior of the remote: the receiver won’t understand you if you speak too fast or too slow. So how do we figure it out? The secret is in the previous graph.
If you look at it, you can see the data is transmitted at 1600 bits/second, because 8 bits are sent in 5 ms. So the baud rate is 1600.
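The OOK reading and baud-rate estimate described above, as an added Python example that is not from the post: it thresholds a constructed amplitude envelope, takes the shortest pulse as one bit period (the same reasoning as reading 8 bits in 5 ms off the graph), and samples the bits out. The 16 kHz sample rate, the amplitudes and the 8-bit code are constructed assumptions.

```python
# Added example (not from the post): slice an OOK burst from its amplitude envelope,
# estimate the baud rate the way the post does by eye (shortest pulse = one bit),
# and read the bits out. Constructed capture: 16 kHz envelope, 1600 baud, so one bit
# spans 10 samples and 8 bits take 5 ms, matching the post's numbers.

SAMPLE_RATE = 16000        # assumed envelope sample rate in Hz
HIGH, LOW = 0.9, 0.05      # constructed "shouting" / "silent" amplitudes

def make_envelope(bits, samples_per_bit, pad):
    """Constructed capture: silence, the OOK-keyed bits, silence."""
    env = [LOW] * pad
    for b in bits:
        env += [HIGH if b else LOW] * samples_per_bit
    return env + [LOW] * pad

def threshold(samples, level=0.5):
    """Turn the envelope into 0/1 samples: amplitude above `level` is a 1."""
    return [1 if s > level else 0 for s in samples]

def run_lengths(sliced):
    """Collapse a 0/1 sample stream into [level, run_length] pairs."""
    runs = []
    for s in sliced:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    return runs

def estimate_baud(sliced, sample_rate):
    """The shortest run inside the burst is one symbol period; baud = rate / period."""
    inner = run_lengths(sliced)[1:-1]          # drop leading and trailing silence
    return sample_rate / min(n for _, n in inner)

def decode_ook(sliced, sample_rate, baud, n_bits):
    """From the first rising edge, sample the centre of each of `n_bits` bit periods."""
    spb = sample_rate / baud
    pos = sliced.index(1) + spb / 2
    out = []
    for _ in range(n_bits):
        out.append(sliced[int(pos)] if int(pos) < len(sliced) else 0)
        pos += spb
    return out

def demo():
    sent = [1, 0, 1, 1, 0, 0, 1, 0]                    # constructed 8-bit fixed code
    sliced = threshold(make_envelope(sent, 10, 20))
    baud = estimate_baud(sliced, SAMPLE_RATE)          # 1600.0 baud
    return baud, decode_ook(sliced, SAMPLE_RATE, baud, len(sent))
```

`n_bits` is passed in because trailing zeros are indistinguishable from silence in OOK; the post gets that count from the graph.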
Now we have everything we need. How do we replay this digital data? GNURadio can transmit data if your device supports TX (transmitting). That’s why we needed a transceiver (transmitter + receiver), not just a receiver.
Check the flow graph below:
I ended up adding 100 to the baud rate because of errors. I guess it’s because I got the number just from looking at the graph. If yours doesn’t work, try increasing or decreasing the baud rate.
With the above process, I successfully opened the remote-controlled gate of my apartment’s parking lot. Done!
This post assumes the remote uses a fixed code. Remotes of this kind can use other schemes, such as rolling codes. See: https://en.wikipedia.org/wiki/Rolling_code
Apparently, if the remote uses a rolling code, it won’t be cracked the way I described above: every press sends a different code, and the receiver rejects a code it has already accepted, so a recording of one press is useless afterwards. And that answers the question “whether the replay attack would work”.
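To see why the replay stops working against a rolling code, here is an added Python model that is not from the post and is not any vendor's real protocol: a fixed-code receiver accepts the recorded frame every time, while a rolling-code receiver that tracks the last counter it saw rejects the same frame the second time. The shared key, the resync window and the HMAC-over-counter construction are assumptions.

```python
# Added example (not from the post): a toy model of why the replay that opens a
# fixed-code gate is refused by a rolling-code receiver. Simplified scheme, not any
# vendor's real one: each press sends (counter, HMAC(key, counter)); the receiver only
# accepts a counter ahead of the last one it saw, within a small resync window.
import hashlib
import hmac

def rolling_code(key, counter):
    """Code for one press: truncated HMAC over the press counter (constructed scheme)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class FixedCodeReceiver:
    """Accepts the same bits on every press, so a recorded press works forever."""
    def __init__(self, password):
        self.password = password

    def accept(self, frame):
        return hmac.compare_digest(frame, self.password)

class RollingCodeReceiver:
    """Accepts each counter value at most once and only if it moves forward."""
    def __init__(self, key, window=16):
        self.key, self.window, self.last = key, window, 0

    def accept(self, frame):
        counter, code = frame
        if not (self.last < counter <= self.last + self.window):
            return False                        # replayed (stale) or too far ahead
        if not hmac.compare_digest(code, rolling_code(self.key, counter)):
            return False                        # wrong key
        self.last = counter                     # advance: this frame is now burnt
        return True

def demo():
    """Replay a captured press against both receiver types."""
    fixed = FixedCodeReceiver(b"\xa5\x3c")      # constructed fixed code
    captured = b"\xa5\x3c"                      # what an SDR capture of it yields
    key = b"constructed-shared-key"
    rolling = RollingCodeReceiver(key)
    press = (1, rolling_code(key, 1))           # one legitimate press, recorded
    return {
        "fixed_replay": fixed.accept(captured) and fixed.accept(captured),
        "rolling_first": rolling.accept(press),
        "rolling_replay": rolling.accept(press),
    }
```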
This technique can be used to hack your way into a gated community, garage door, or private parking lot. RF remotes that use fixed codes are very vulnerable because most of them use short passwords, which can be cracked in seconds.
Do not use this to intentionally do illegal stuff. EDUCATIONAL PURPOSES ONLY.