This blog post will discuss the implementation of Codegrabbing / RollJam, just one method of attacking AM/OOK systems that implement rolling codes (such as keeloq) — these systems are commonly found on modern vehicles and entry systems such as gates and garages. This technique has been used and spoken about for a number of years (Marko Wolf describes it in “Security Engineering for Vehicular IT Systems” from 2009).
However the advancement in easy to use and cheap hardware has made this a readily available research path for almost anyone. Samy Kamkar showed it at Defcon 2015, you can read about that and his device at http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/. This blog entry will be more discussing the integral parts of how it works and how easy it is to do.
I was optimistic that the 2015 talk @elasticninja and myself did at zacon on this topic would be published so that I could lazily just link to the video instead of having to write it up, but alas, here we are! ;)
Naturally its important to have a spoiler before the long boring text. Here is a video carefully crafted by my friend Roelof Temmingh showing us opening a VW car with two YS1 (YardStick One):
Its been absolutely ages since I’ve posted anything on the blog, not that I havent been doing things, just really not many things I felt good enough to write an entry about. I got a lot of feedback regarding my previous entry about Hacking Fixed key remotes and I decided to build on that slightly.
One of the pains of the previous method was that it was a rather tedious to do the following:
* Finding the key for the remote essentially it was broken into:
* Finding the signal with RTLSDR
* Saving demodulated .wav
* Running a script to decode that audio
* Replay remote with RFCat
* Transmitting the remote also meant another piece of hardware (RFcat) and then taking the signal from the decoded script into a format RFCat understands.
So much like the sex pistols album I am also going to be flogging a dead horse, this time the AM/OOK one. In this blog post I will explore discovering signals as well as replaying them with RFCat.
Previously I discussed using my RTL-SDR to merely listen for analog audio signals. In this entry I’ll discuss using it to decode digital signals (this example on fixed remote signals often used for garages / gates ) so that they can be replayed/brute forced with something like the RFCat project (based on TI’s CC1111EMK module). This has probably been done to death already but I figured since I struggled with it maybe this will help someone else do it a lot quicker (and mostly cause I think its cool).
The basic components are:
* RTL-SDR on a windows machine with the HDSDR application installed (really easy to use — saves me doing hard work)
* Audio application to look at demodulated stream (I like the open-source project Audacity )
* RFcat under linux for easy transmission of data – find more about RFcat at http://code.google.com/p/rfcat/
Then there are 3 basic steps to a replay/bruteforce attack:
* Capture Signal: Figure out what frequency it is on, figure out what modulation is used
* Decode Captured Signal: Decode the signal to data you can work with so you can replay it and if possible brute force similar ones
* Transmit Signal: Send off your data for epic-winness (okay its not that complex, but it still feels cool)
I am going to assume at this stage that you have access to the remote (otherwise it may be illegal, I think.. lets just go with that). The easiest thing to do firstly is try and identify your remote, here is my garage remote for the complex that I live in (with many garages all of the same type):
A few weeks ago (I’ve been meaning to do this post for ages, few weeks ago is give or take 2 months) there was a post on reddit regarding a new software defined radio that cost around $20. After reading a few topics on the discussion (now all avail at http://www.reddit.com/r/RTLSDR now http://rtlsdr.reddit.com) my interest was peaked. RF was a whole new world of WTF for me. I think it offers the same awe and wonder that I had putting a tape into my very first tape into my vomit brown fischer-price tape player:
The basic gist of how it all works is as follows:
* There is a common chip found in video cards known as an RTL2832U
* This chip is commonly used for specific frequencies used for Television signals (and then software decodes this so you could watch TV on your pc)
* A bunch of cool guys ™ found a way to read the data coming into the card directly with drivers
* These cards also offered some tuners that allowed tuning beyond the basic TV ranges
So there are 2 basic sections:
* RTL2832U chips – reading data
* Tuner (E4K,other) – allows changing frequencies to various ranges
With such I started hunting around in Centurion for a Video card that had these options, after phoning a few places (read 5/6) I eventually found a TV card known as a Compro VisionMate U650F. It costs around R250 from pcpalace in centurion which offers a RTL2832U as well as the E4K tuner (the best one at this stage). *update* the cheaper visionmates (without remote) go for about R100 less than this!
* I can tune to frequencies from around 55MHz to 1800Mhz
* For R250!
This was super, ordered my card and a few days later it arrived!
Following some _really_ easy guides for installing a few tools in windows:
* HDSDR, WRPlus, ExtIO, zadig ( http://spench.net/ has all the info but at time of writing was having some issues, try one of these: http://rtlsdr.org/ http://rtlsdr.reddit.com)
And on linux:
* GnuRadio (install guide: http://gnuradio.org/redmine/projects/gnuradio/wiki/InstallingGR)
Off the bat I loaded up HDSDR (after all the config and setup – zadig for drivers, extIO copied) and immediately got that sinking feeling of ‘I know absolutely nothing’:
Not the quickest of cats
on the best of days.