Comments on: Garage door… packet sniffer

By: justaguy

justaguy — Tue, 22 Nov 2011 05:43:51 +0000

I have a security gate opener in my possession that opens the common access gate for apartment complex. The one in my possession belongs to my room mate, and I simply want to dupe it so I can have one too. The homeowners association wants $275 for a new one, fuck that.

When I open it up and look at the wafer its very simple, but must be using a fixed code as there are no bit switches or interface ports. The plastic case says 418 MHz, the name of the company that issued it, and a sticker with a serial number AND a number marked ‘Code:’. I’d greatly appreciate advice, it sounds like the people posting here would know. Thank you!

By: endersgamer

endersgamer — Mon, 20 Jun 2011 19:51:29 +0000

The point of being able to pull off an intrusion like this is that you can really screw someone. Because if there is no sign of forced entry then there is no guarantee that the victims insurance will pay for the theft. Its the same issue that came up when bumpp keys first became prevalent. It screws the person twice because they lose their stuff and then have to pay to replace it ;)

By: Rob

Rob — Tue, 16 Nov 2010 03:22:41 +0000

Anyone know where to get the source files? The links are dead

By: Mish

Mish — Tue, 06 Jul 2010 03:51:54 +0000

I was reading a doorking manual and it seemed to me that the remotes for gate entry had to have their five digit code entered into the system and then receive their code to open the gate. This sounded to me like a wireless router where you can enter the device MAC address. Wouldn’t this make the sniffed code unusable as you wouldn’t have the correct device number?

By: maya

maya — Fri, 20 Nov 2009 02:13:26 +0000

Please contact me, I have something to propose you :)

By: sunny

sunny — Thu, 29 Oct 2009 06:36:09 +0000

Or where or how can I build one or buy one. I’ve also heard of people clonning smart key R.F signals for the vehicles that don’t use a key only a R.F transmitter key fob. Any info would love to hear back will always make my job easier.

By: sunny

sunny — Thu, 29 Oct 2009 06:32:27 +0000

Nice I’am a Repo man in colorado need info for scanner R.F transmitter/scanner code grabber for fixed 12 pin security gates. Would love some other type of application for rolling algorithm’s. taw22576@yahoo.com

By: Mel Garage organization

Mel Garage organization — Wed, 07 Oct 2009 07:16:33 +0000

Wonderful job. I am unable resist my myself from praising your work. Its among the results of creativity. It educated even me. Now onwards I will keep on observing this blog for such valuable information.

By: James

James — Tue, 06 Oct 2009 19:33:17 +0000

Not much more I can tell you, the code was done in AVRStudio and the schematic and layout in kicad, I used a standard garage door receiver that receives a 12 bit code, the receiver has active low logic levels. Rest you can get from the code and schematic.

By: bogdan

bogdan — Mon, 05 Oct 2009 18:42:52 +0000

hello

i need more information for this device

By: Shadyman

Shadyman — Mon, 05 Oct 2009 01:45:55 +0000

@Dave0:

Certain vehicles, like many Chrysler/Dodges, have a system to record and playback 3 different garage door opener codes. The system is called HomeLink (homelink.com).

By: Skitchin

Skitchin — Sun, 04 Oct 2009 17:28:28 +0000

@Zendu: That could be a very useful approach to this->”The most devastating practical consequence of the side-channel analysis is an attack in which keys can be cloned by intercepting only two messages sent by the legitimate key from a distance of up to 100 metres (330 ft).”

By: M4CGYV3R

M4CGYV3R — Sun, 04 Oct 2009 14:20:17 +0000

Nice project, neat setup, but not hardly new. KeeLoq was busted a while back. Here’s the decoding datasheet on it: http://www.keeloq.boom.ru/decryption.pdf

By: James

James — Sun, 04 Oct 2009 12:11:38 +0000

I actually wanted to add transmit capability but there just wasn’t enough room on the chip so I had to remove it. I’m busy with v2 based on the atmega88 which has a number of extra features including saving codes etc.

I’m also gonna try my hand at rolling code systems and whatever else I can find, these are the most common here so that’s why I started with them.

For anyone interested in the keeyloq hack check out the ccc conference from last year, it’s a pretty entertaining watch.

Speech overview:
http://events.ccc.de/congress/2008/Fahrplan/events/3030.en.html

Conference Recordings (#3030):
http://events.ccc.de/congress/2008/wiki/Conference_Recordings

By: Prof Plum

Prof Plum — Sun, 04 Oct 2009 08:01:09 +0000

@dosman
KeeLoq being “broken” does not entirely mean that it is insecure.

For the rolling codes used in rke for key fobs and garage door openers, there are three valid attacks: First, a side-channel attack which requires physical access and works mostly on pre-1996 devices. Second, a birthday paradox-based attack to attempt to guess the correct slot for the rolling codes (works relatively well as the code space is ~64K, and with a valid code window of 16 we AT MAX have to try ~4K codes). Third, jam the signal to prevent the car from locking. None of these are really that fantastic of a break.

In any of these cases, that is alot of work to do when a good-sized rock through the window will get you into the car just as effectively.

The real break has to do with STEALING cars. For almost all cars manufactured in the last decade, the keys have a tiny .5″x.25″x.1″ rfid-type micro in them. The car sends this micro a random 32-bit plaintext and the micro responds with a 32-bit cyphertext, if the cyphertext is valid, the immobilizer releases. The break occurs if a third party sends the micro 65536 plaintexts and receives the resulting cyphers back (takes ~1hr). Then, using a cluster it is usually possible to get the encryption key from this (you have a ~65% chance of success). Additionally, some manufactures obtain the encryption key from combining a model-specific manufacturer’s code with the serial # from the key (the micro will give the serial # up if you ask it). If this is the case for the key you cracked, then you can obtain the manufacturer’s code, and get the encryption key for all other cars of this model just by asking the micro what its serial # is. Once you are around the immobilizer, you now need a way to start the car (photographic reproduction of a key, bump keys, hot-wiring the ignition, etc). Note – this method works for some rki systems as well.