Hacking The IM-ME To Open Garages

If you have a wirelessly controlled garage door, a child’s toy can wirelessly open it in a few seconds. [Samy Kamkar] is a security researcher who likes to “think bad, do good”. He’s built OpenSesame, a device that can wirelessly open virtually any fixed-code garage door in seconds, exploiting a new attack he’s discovered in wireless fixed-pin devices, using the Mattel IM-ME toy.

The exploit works only on a gate or garage which uses “fixed codes”. To prevent this type of attack, all you need to do is upgrade to a system which uses rolling codes, hopping codes, Security+ or Intellicode. These are not foolproof against attack, but they do prevent the OpenSesame attack along with other traditional brute forcing attacks. It seems there are at least a couple of vendors who still have such vulnerable products, as well as several more whose older versions are affected too.

Before you read further, a caveat – the code released by [Samy] is intentionally bricked to prevent it from being abused. It might work, but just not quite. If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn’t need his help in the first place, would you?

The IM-ME is a defunct toy and Mattel no longer produces it, but it can be snagged from Amazon or eBay if you’re lucky. The Radica Girltech IM-ME texting toy has been extensively hacked and documented. Not surprising, since it sports a TI CC1110 sub-GHz RF chip, an LCD display, keyboard, backlight, and more. A good starting point is the GoodFET open-source JTAG adapter, followed by the work of [Travis Goodspeed], [Dave] and [Michael Ossmann].

One issue with fixed code systems is their limited key space. For example, a remote with 12 binary dip switches supports 12 bits of possible combinations. Since it’s binary and 12 bits long, that’s 2^12, which is 4096 possible combinations. With a bit of math, [Samy] shows that it takes 29 minutes to open an (8-12)-bit garage, assuming you know the frequency and baud rate, both of which are pretty common. If you have to attempt a few different frequencies and baud rates, then the time it takes is a multiple of 29 minutes. If you don’t transmit the codes multiple times, and remove the pauses in between codes, the whole exercise can be completed in 3 minutes.

The weak link in the hardware is how the shift registers that decode the received codes work. Each bit is loaded into the register sequentially, and the earlier bits shift along as additional bits come in and push them. Because of this, and by using an algorithm [Samy] wrote based on the De Bruijn sequence, the whole brute force attack can be completed in just over 8 seconds. OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time.
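The effect of an unframed shift-register decoder can be measured with a small model. This is an added example, not [Samy]’s OpenSesame code: it simulates only the receiver’s matching logic, and the function names and the framed decoder used for contrast are assumptions made for illustration.

```python
# Added illustration (not OpenSesame code): receiver-side model only.

def de_bruijn_bits(n):
    """Binary De Bruijn sequence B(2, n) via the standard Lyndon-word
    construction, unrolled with n-1 wrap-around bits appended."""
    a, seq = [0] * (n + 1), []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, 2):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return seq + seq[:n - 1]


def shift_register_hits(bits, n):
    """Unframed decoder: each bit shifts in and the newest n bits are
    compared after every shift, so overlapping windows all count."""
    reg, mask, seen = 0, (1 << n) - 1, set()
    for i, b in enumerate(bits):
        reg = ((reg << 1) | b) & mask
        if i >= n - 1:
            seen.add(reg)
    return seen


def framed_hits(bits, n):
    """Hypothetical decoder that clears its register after each n-bit
    word, so only aligned words are compared. The key space is still
    2**n; this removes only the overlap shortcut."""
    words = (bits[i:i + n] for i in range(0, len(bits) - n + 1, n))
    return {int("".join(map(str, w)), 2) for w in words}


def exposure(n=12):
    stream = de_bruijn_bits(n)
    return {
        "bits_one_code_at_a_time": n * 2 ** n,
        "bits_overlapped": len(stream),
        "unframed_codes_matched": len(shift_register_hits(stream, n)),
        "framed_codes_matched": len(framed_hits(stream, n)),
    }
```

For 12-bit codes, `exposure(12)` reports 4107 overlapped bits against 49152 when each code is sent separately, and the unframed decoder matches all 4096 codes. The same stream also contains every 8- to 11-bit code, which is why a single pass covers the whole 8-12 bit range.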

You can see how the code works by checking it out on GitHub. [Samy] loves doing such investigative work – check out his combo lock code breaker we featured recently, the scary, keyboard sniffing wall wart and the SkyJack – a drone to hack all drones.


Indicator for Forgetful-Minded Garage Door Users

[Gareth] had a friend who regularly forgot to close his garage door after parking his car and heading inside. Since [Gareth] was familiar with basic electronics and an overall good pal, he offered to make a device that would indicate whether the garage door was open or not.

The project starts off simple with an Arduino and ultrasonic distance sensor. Both are mounted to the ceiling of the garage with the ultrasonic sensor pointed down. When the garage door is open, the sensor outputs a shorter distance measurement than when the garage door is closed.

Now that the system knows when the door is open or closed, the next part was sending a signal inside the house. He could have run a wire up through the house walls to an LED indicator but decided to go wireless with a 433 MHz transmitter. There is a second Arduino inside equipped with a 433 MHz receiver. When the garage door is open, the Arduino inside the house flashes an LED reminding the forgetful occupant to close the door.

[Gareth] made all his code for both the sensor/transmitter and the receiver available on his site for anyone interested in making something similar.

Another Garage Door Opener, This Time With Security

We’ve been seeing a lot of garage door opener hacks. Whether it’s because one person inspired everyone else to build their own Internet-connected GDO, or because there’s something in the water that’s caused the simultaneous building of one specific type of project, we’re not sure. However, the latest one we’ve seen adds a little something extra: motion-based security.

[DeckerEgo] really went all out with this one, too. The core of the project is a Raspberry Pi hardwired to a universal garage door remote. The Pi also handles a small webcam and runs a program called motion, which is a Linux program that allows for all kinds of webcam fun including motion detection. While the other builds we see usually use a button or limit switch to tell whether the door is open or closed, this one just watches the door with the webcam so [DeckerEgo] can actually see what’s going on in the garage. As a bonus, the motion software can be configured to alert him if anything suspicious is going on in the garage.

The build is full-featured as well, with an interesting user interface overlaid on the live picture of the garage door. According to [DeckerEgo] the camera is a necessity because he wouldn’t trust a simple status indicator, but if you wanted to try one of those before breaking out the Raspberry Pi, we’ve featured one recently that you can check out.

Automatic Garage Door Opener Works for Your Cat

Using an Arduino or Raspberry Pi to perform a task in the real world is certainly a project we’ve seen here before, and certainly most of these projects help to make up the nebulous “Internet of Things” that’s all the rage these days. Once in a while though, a project comes along that really catches our eye, as is the case with [Jamie’s] meticulously documented automatic garage door opener.

This garage door opener uses an ATMega328 to connect the internet to the garage door. A reed switch is installed which lets the device sense the position of the door, which is relayed back to the internet. [Jamie] wrote an Android app that can open and close the door and give the user the information on the door’s status. One really interesting feature is the ability to “crack” the garage door. This is done by triggering the garage door opener twice with a delay in between. From the video after the break we’d say this is how [Jamie’s] cat gets in and out.

We love seeing projects that are extremely well documented so that anyone who wants to make one can easily figure out how. Internet-connected garage door openers have been featured in other unique ways before too, but we’ve also seen ways to automatically open blinds or chicken coops!

A Bluetooth Garage Door, Take Three

A few years ago, [Lou] came up with a pretty clever build to open his garage door with his phone. He simply took a Bluetooth headset, replaced the speaker with a transistor, and tied the transistor to a few wires coming out of his garage door opener. When the Bluetooth headset connected, the short beep coming from the speaker output opened the door.

The newest version of this build does away with the simple Bluetooth headset and replaces it with a Bluetooth 4.0 chip. The reason for this is that Apple and their walled garden of an App store would never allow a Samsung Bluetooth headset to be used with one of their iDevices.

The latest build is just about as simple as using a Bluetooth headset. A board that appears to use TI’s CC2540 chip is attached to the garage door opener with a few passives and a transistor. Pairing the new circuit with a phone is as simple as shorting a pair of pins, and the new iOS app does exactly what it should – opens a garage door at the press of a non-button.

While it’s not something that can be put together with scraps from a junk drawer, it’s still an extremely simple solution to opening a garage door with a phone. Video below.


Upgrade Your Garage Door with Arduino and RFID


[Jason] really wanted to build an RFID controlled garage door opener and decided to turn to Arduino to get the job done. For someone who’s never worked with an Arduino before, he really seemed to know what he was doing.

The Arduino acts as the brains of the operation while an off-the-shelf NFC/RFID reader module is used to read the RFID tags. To add new keys to the system, [Jason] simply swipes his “master” RFID key. An indicator LED lights up and a piezo speaker beeps, letting you know that the system is ready to read a new key. Once the new key is read, the address is stored on an EEPROM. From that point forward the new key is permitted to activate the system.

Whenever a valid key is swiped, the Arduino triggers a relay which can then be used to control just about anything. In this case, [Jason] plans to use it to control his garage door. The system also has a few manual controls. First is the reset button. If this button is held down for two seconds, all of the keys from the EEPROM are erased. This button would obviously only be available to people who are already inside the garage. There is also a DIP switch that allows the user to select how long the relay circuit should remain open. This is configurable in increments of 100ms.

For now the circuit is wired up on a couple of breadboards, but it might be a good idea to use something more permanent. [Jason] could always take it a step further and learn to etch his own PCBs. Or he could even design a board in Eagle CAD and order a real printed board. Don’t miss the video description of the RFID system below.

Sniffing Wired Garage Door Opener Signals


In addition to being something fun to do with an oscilloscope, this could be a valuable time-saver for anyone looking to tap into the wired communications on a garage door opener. If you own an older model you might be scratching your head. But newer units have more than just one button operation, usually extending to at least two extra buttons that control the lights on the motor unit and lock out wireless control. A quick probing turned up the communication scheme used by the button unit mounted next to the door into the house.

We’ve patched into our own garage door using a simple relay to interface with a microcontroller, which will still work for opening and closing the door. But if you’re looking for extended control you need to spoof one of the timing signals detailed in this post. We like the stated examples for future hacks: building a better wired button unit, or adding some type of RFID integration. We could see this approach for hacking in motion light control for door openers that don’t have it.

[Thanks Victor]