Garage door… packet sniffer

posted Oct 3rd 2009 1:00pm by Jacob Woj
filed under: home hacks, security hacks

Some type of logger or sniffer exists for almost every form of electronic communication. Your keystrokes, phone conversations, and wireless networks could all be monitored. In this awesome proof-of-concept project, [James] expanded that array to include garage door openers. After receiving a piece of chain mail which stated that criminals have the technology to record any remote code and play it back, [James] wondered if he could build such a device that would work on at least his opener model.

[James] started off with a trip to the hardware store. He was unable to find both a transceiver that worked on the frequency of his remote control (308MHz clocked MAX7042 chip), so at least for this incarnation (he plans to build another one that is capable of replaying a captured signal), only a receiver was implemented. The receiver was connected to a logic analyzer in order to determine its protocol. Since the signal coming from the receiver was very low, [James] had to amplify it through a buffer before it could be detected.

An ATtiny26 and a 4 line x 20 character backlit LCD were used to interpret and display info from the receiver. [James] built the sniffer around a custom PCB (though he ran into a few layout errors that he had to fix post-production). All of the firmware was written in C. It is fairly straightforward, but takes up 98% of the microcontroller’s memory. The program is designed to monitor pin change interrupts and timers to filter out invalid codes as well as noise. Any info (the door codes that have been sniffed) is displayed through a 4-bit interface on the LCD, for easy recording. With the codes, one can configure another garage remote to open the door. If you have any suggestions for V2, We’re sure [James] will be reading the comments.

Update: The code and PCB files (with the error) are available through one of the following mirrors:
filesavr.com/codegrabber
filefactory.com/file/a0eb0gg/n/code_grabber_zip
filedropper.com/codegrabber_1
mediafire.com/?sharekey=7c4692dd4f3ad2c36e7203eb87368129e04e75f6e8ebb871

Comments [34]

tagged: attiny, garage, remote, sniffer

Reader Comments

ironic, a peace of mail sent out to warn people about there security makes them less secure. this is still a coll project though, and i got the first post!

Posted at 1:15 pm on Oct 3rd, 2009 by TheFIsh

lol security tip. don’t send emails saying what can be done…
btw nice job

Posted at 1:19 pm on Oct 3rd, 2009 by monkeyslayer56

Looks pretty good! Whats the distance on this? I think v4 needs a built in transmitter!

Especially a transmitter and a program to resend the signal 1-3 seconds after recived. Watch people in thier own driveways as thier door yo yos.

Posted at 1:31 pm on Oct 3rd, 2009 by Zendu

A grand majority of modern garage door openers from the last 20 years implement a rolling code security measure. This will never give you the same code twice. It’s highly unlikely that you will be able to predict the next code in the sequence without massively reverse engineering the opener.

Just saying.

Posted at 1:37 pm on Oct 3rd, 2009 by Doc Oct

While this is a neat project, Doc Oct has a valid point – even though you can grab the code, the majority of garage door openers use the rolling code. Playing back the same code would be pointless as the opener will have already moved onto the next random sequence, and the odds of the same code coming up again are slim to none.

Posted at 1:48 pm on Oct 3rd, 2009 by xgarrettx

It would be nice if you could have slots for different codes. So if you have more then one opener (one for the gate, the garage, the office) you can record more then one code and ditch 3 remotes for 1

Posted at 1:53 pm on Oct 3rd, 2009 by Dave-0

Most garages are built with cladding and siding on just one side of the framework. A battery sawzall gains you entry in about a minute, and can be done from the non-street side to minimize being seen.

//just pointing out that all those security mailings about how their opener uses rolling codes doesn’t add much to the overall security of your garage.

Posted at 1:54 pm on Oct 3rd, 2009 by vonskippy

You’d be surprised at how many of those older openers are still out there. Mine was just replaced a few months ago, it used a static 12bit key.

How about spamming all 2^12 possibilities on the various frequencies used by popular openers? The neighbors would love that.

Posted at 1:58 pm on Oct 3rd, 2009 by amk

Or depending on make and model, put a 200 watt linear amp on your CB, drive into the neigborhood and key it. Poor RFI filtration means that a lot of older ones just trigger. Play musical doors…

Posted at 2:12 pm on Oct 3rd, 2009 by sean

Seems to me like picking the basement door deadbolt is a much faster, reliable, and subtle approach.

It’s scary how cheap a set of decent picks is, and how easy it is to learn to use them.

Posted at 3:14 pm on Oct 3rd, 2009 by Robert Buchberger

i wish i was skilled in electronics.

Posted at 3:26 pm on Oct 3rd, 2009 by than

@than
read books/internet resources and find someone to teach u o ya and WANT that wish to come true :)

Posted at 3:29 pm on Oct 3rd, 2009 by monkeyslayer56

KeeLOQ is a common rolling-code algorithm used in gate doors and automotive remote-keyless-entry systems that was busted a few years ago. Using a sniffer like this you can get the serial of the fob (which is not encrypted in KeeLOQ) and implement your attack. The “rolling code” is just a counter that is synced at the time the fob is programmed into the receiver, each button press on the fob increments the counter. As long as the counter is within ~16 numbers of the true count it will authenticate you. If you are further out it requires two transmissions with the counter in sequence and then the receiver will resync to you. The keyspace is large enough to make this not a weakness to bruteforce (since you have effectively divided the keyspace by 16). But all that is moot since the encryption used on the counter has been busted in several ways and the algorithm is now published on wikipedia: http://en.wikipedia.org/wiki/KeeLoq

Posted at 3:31 pm on Oct 3rd, 2009 by dosman

Another thing I should point out is the total lack of publicity about seeing keeloq busted. If your remote-keyless-entry fob for your car says “TRW” on the back then you are vulnerable (Hint: if you drive a Chrysler, Dodge, or several others). Of course, it’s still way easier to smash a window, but this has received no press at all.

Posted at 3:40 pm on Oct 3rd, 2009 by dosman

I never understood why you would use this for criminal purposes. The people in the house are going to hear the loud ass garage door opening, and if they aren’t home there are much easier ways to get into the house. If you are trying to steal the car then you could just get in and use the opener button on the wall.

Posted at 3:55 pm on Oct 3rd, 2009 by shibathedog

Knock out the cheap/flimsy plastic window, and pull the chain release hanging nearby…

nice work, but please focus your pictures before sharing them. I strain my eyes enough.

thanks for the related keeloq info dosman.
–PidGin128

Posted at 4:31 pm on Oct 3rd, 2009 by PidGin128

@shibathedog
Exactly. This is pretty much just a “because I can” project. Still very cool.

Posted at 4:45 pm on Oct 3rd, 2009 by Pilotgeek

And I thought I was the man for buying another remote control and copying the switch settings over to get two cars into our communal park.

Not saying it was anything special but it made me feel pretty sharp. Till now that is…

Posted at 5:44 pm on Oct 3rd, 2009 by rutherford

I was told by a Linear Corp sales rep that they moved approximately a million units a month of their 10 bit non rolling code transmitters.
There is much value in hacking those since they are used in nearly 90% of all residential automatic gate operating systems. There has been no effort in moving to a more secure product. Even higher security access control systems still do not implement any sort of rolling code. (DoorKing Microclik, Linear Megacode, etc.) Many people who live in gated communities have a false sense of security. This exercise has great relevance, even today.

Posted at 6:31 pm on Oct 3rd, 2009 by sk

Why use this to break into a house?

If you walk up to a house and hit (what appears to be a garage door opener) the neighbors will probably just assume that you are friends of the people who lived there. As long as the residents are out people probably wont even care.

Posted at 8:42 pm on Oct 3rd, 2009 by Just dance

or if you want to get a little more advanced… http://www.dealextreme.com/details.dx/sku.28717

Posted at 9:03 pm on Oct 3rd, 2009 by kjb

Now this is a hack in the true sense of the word. Well done Hackaday for putting this up and well done to James for this extraordinary bit of kit.

Posted at 9:42 pm on Oct 3rd, 2009 by Neckbeard

Good hack, even if it outdated it show a lot of really useful info for RF sniffing / decoding

Posted at 12:13 am on Oct 4th, 2009 by therian

@dosman
KeeLoq being “broken” does not entirely mean that it is insecure.

For the rolling codes used in rke for key fobs and garage door openers, there are three valid attacks: First, a side-channel attack which requires physical access and works mostly on pre-1996 devices. Second, a birthday paradox-based attack to attempt to guess the correct slot for the rolling codes (works relatively well as the code space is ~64K, and with a valid code window of 16 we AT MAX have to try ~4K codes). Third, jam the signal to prevent the car from locking. None of these are really that fantastic of a break.

In any of these cases, that is alot of work to do when a good-sized rock through the window will get you into the car just as effectively.

The real break has to do with STEALING cars. For almost all cars manufactured in the last decade, the keys have a tiny .5″x.25″x.1″ rfid-type micro in them. The car sends this micro a random 32-bit plaintext and the micro responds with a 32-bit cyphertext, if the cyphertext is valid, the immobilizer releases. The break occurs if a third party sends the micro 65536 plaintexts and receives the resulting cyphers back (takes ~1hr). Then, using a cluster it is usually possible to get the encryption key from this (you have a ~65% chance of success). Additionally, some manufactures obtain the encryption key from combining a model-specific manufacturer’s code with the serial # from the key (the micro will give the serial # up if you ask it). If this is the case for the key you cracked, then you can obtain the manufacturer’s code, and get the encryption key for all other cars of this model just by asking the micro what its serial # is. Once you are around the immobilizer, you now need a way to start the car (photographic reproduction of a key, bump keys, hot-wiring the ignition, etc). Note – this method works for some rki systems as well.

Posted at 1:01 am on Oct 4th, 2009 by Prof Plum

I actually wanted to add transmit capability but there just wasn’t enough room on the chip so I had to remove it. I’m busy with v2 based on the atmega88 which has a number of extra features including saving codes etc.

I’m also gonna try my hand at rolling code systems and whatever else I can find, these are the most common here so that’s why I started with them.

For anyone interested in the keeyloq hack check out the ccc conference from last year, it’s a pretty entertaining watch.

Speech overview:
http://events.ccc.de/congress/2008/Fahrplan/events/3030.en.html

Conference Recordings (#3030):
http://events.ccc.de/congress/2008/wiki/Conference_Recordings

Posted at 5:11 am on Oct 4th, 2009 by James

Nice project, neat setup, but not hardly new. KeeLoq was busted a while back. Here’s the decoding datasheet on it: http://www.keeloq.boom.ru/decryption.pdf

Posted at 7:20 am on Oct 4th, 2009 by M4CGYV3R

@Zendu: That could be a very useful approach to this->”The most devastating practical consequence of the side-channel analysis is an attack in which keys can be cloned by intercepting only two messages sent by the legitimate key from a distance of up to 100 metres (330 ft).”

Posted at 10:28 am on Oct 4th, 2009 by Skitchin

@Dave0:

Certain vehicles, like many Chrysler/Dodges, have a system to record and playback 3 different garage door opener codes. The system is called HomeLink (homelink.com).

Posted at 6:45 pm on Oct 4th, 2009 by Shadyman

hello

i need more information for this device

Posted at 11:42 am on Oct 5th, 2009 by bogdan

Not much more I can tell you, the code was done in AVRStudio and the schematic and layout in kicad, I used a standard garage door receiver that receives a 12 bit code, the receiver has active low logic levels. Rest you can get from the code and schematic.

Posted at 12:33 pm on Oct 6th, 2009 by James

Wonderful job. I am unable resist my myself from praising your work. Its among the results of creativity. It educated even me. Now onwards I will keep on observing this blog for such valuable information.

Posted at 12:16 am on Oct 7th, 2009 by Mel Garage organization

Nice I’am a Repo man in colorado need info for scanner R.F transmitter/scanner code grabber for fixed 12 pin security gates. Would love some other type of application for rolling algorithm’s. taw22576@yahoo.com

Posted at 11:32 pm on Oct 28th, 2009 by sunny

Or where or how can I build one or buy one. I’ve also heard of people clonning smart key R.F signals for the vehicles that don’t use a key only a R.F transmitter key fob. Any info would love to hear back will always make my job easier.

Posted at 11:36 pm on Oct 28th, 2009 by sunny

Please contact me, I have something to propose you :)

Posted at 7:13 pm on Nov 19th, 2009 by maya

Garage door… packet sniffer

Recent Posts

Reader Comments

Leave a Reply

Hacks

Resources

RSS newsfeeds

Most commented on (30 days)

Recent comments