This blog post will discuss the implementation of Codegrabbing / RollJam, just one method of attacking AM/OOK systems that implement rolling codes (such as keeloq) — these systems are commonly found on modern vehicles and entry systems such as gates and garages. This technique has been used and spoken about for a number of years (Marko Wolf describes it in “Security Engineering for Vehicular IT Systems” from 2009).

However the advancement in easy to use and cheap hardware has made this a readily available research path for almost anyone. Samy Kamkar showed it at Defcon 2015, you can read about that and his device at This blog entry will be more discussing the integral parts of how it works and how easy it is to do.

I was optimistic that the 2015 talk @elasticninja and myself did at zacon on this topic would be published so that I could lazily just link to the video instead of having to write it up, but alas, here we are! ;)

Naturally its important to have a spoiler before the long boring text. Here is a video carefully crafted by my friend Roelof Temmingh showing us opening a VW car with two YS1 (YardStick One):

Read more »


Its been absolutely ages since I’ve posted anything on the blog, not that I havent been doing things, just really not many things I felt good enough to write an entry about. I got a lot of feedback regarding my previous entry about Hacking Fixed key remotes and I decided to build on that slightly.

One of the pains of the previous method was that it was a rather tedious to do the following:

* Finding the key for the remote essentially it was broken into:

* Finding the signal with RTLSDR
* Saving demodulated .wav
* Running a script to decode that audio
* Replay remote with RFCat

* Transmitting the remote also meant another piece of hardware (RFcat) and then taking the signal from the decoded script into a format RFCat understands.

So much like the sex pistols album I am also going to be flogging a dead horse, this time the AM/OOK one. In this blog post I will explore discovering signals as well as replaying them with RFCat.


Read more »

The ZaCon badges were a ton of work on the hardware side (see ZaCon V Badge [1/2]: Build Time), however they provided their own challenges on the software side as well.

Since my knowledge of chipsets only extended to the Arduino the badges are essentially a complete Arduino without the UBS->FTDI breakout. This means that each badge includes an Arduino bootloader which is _really_ nice if you are coming from an Arduino background or simply have an Arduino and want to play.

The idea behind the badges was that they would provide a means of tracking communication between individuals at the conference. Additionally I wanted this information transmitted to a central location so that it could be stored and visualised (yes yes, Maltego and all). Additionally because people would be moving around I needed to create a ‘mesh network’ of sorts so that anytime someone came into range of any other badges they would be automatically be part of the network. This blog entry is going to cover how the badges did this and the challenges faced, if you are not interested make like a heartbleed and go away.

Eye Candy:

Here is a video of a few of the black badges communicating to each and flashing for all the valid messages received:

Read more »

I realise I should have done this entry a little sooner, but as everyone should be well aware of by now, I am lazy. Also I moved to Cape Town just after ZaCon V which proved rather time consuming! Please note this is gonna be a first of 2 big entries on them so if you don’t like reading, pull up now.


(pic from

One of the highlights of the annual Las Vegas pilgrimage for me has always been the electronic badges, whether it’s for defcon, ninja networks or custom badges that people have built for their hackerspaces. I especially enjoy the ones that are a little more complex (more than just lights) and are hackable. I have always been in awe of security researchers such as Adam Laurie, Zak Franken, Michael Ossman, At1as and the other hardware hackers.

For ZaCon V ( ) I built some electronic badges for the conference that are based on an Arduino framework (at least using an ATMega328 with an Arduino Bootloader) and communicate to each other via 433Mhz RF (the same that is used in remotes). The idea with the badges was to have a way to see who was interacting with whom and show it in a visual representation (Maltego — yes yes, man with a hammer etc). Additionally I needed the badges to be cheap as.. well… I am cheap :)

The badges took about 3 months to go from breadboard to finished and a large majority of that time was spent learning how electronics work (and don’t!). This however was not my first attempt at building badges, for the last 3 years I have built a design on a breadboard and then basically done nothing with it (apart from make a shakey cam video at 3am and suggest the idea).

A lot of the design actually came from me wondering around hobbyist electronic stores on the internet and coming across two really cool things namely, very cheap communication in the form of 433mhz RF chips and Nokia 5110 LCDs (also cheap :P ).

I ordered a few of the screens and RF kits and started tinkering- having a display connected to my Arduino brought all kinds of warm and fuzzy feelings. Next I started playing with the 433Mhz, originally thinking that the badges would only receive a simple message, something like who was currently speaking, from a PC near the stage. Roelof looked at it and suggested that this idea was boring and if I really wanted to do something cool I should make all the badges talk to each other. And so the tinkering began.

Read more »


For those people that missed the friday night the code and slides are here:

Slides: Badger Badger.pptx



Ever since I first saw something Joe Grand, Adam Laurie or the Ninja networks team built I have loved the idea of having hackable electronics. So much that every year before ZaCon I foam at the mouth, put on my prettiest big boy pants and get out my Arduino in a vain attempt to make an electronic badge.

…However every year all I end up with is a terrible video and a realization that electronics are not that cheap. Additionally I also find I have little to no knowledge on how to take anything off the Arduino dev board. This year however I finally built a badge. Its the first PCB I’ve ever made and its not on an Arduino dev board! I am generally surprised they boot up! The badges this year will look as follows:



Down to the nitty gritty I guess. The badges consist of the following:

* ATMEGA328 (aka, the chip in your Arduino) – in an IC socket
* 433Mhz RF receiver (yes, the same as cars/garages)
* 433Mhz RF transmitter
* Nokia 5110 LCD
* ICSP headers
* 4x Push buttons

The badges work on the principle of hybrid-mesh-stuxnet-SCADA-badbios-in-the-cloud communication… no but really this is how it works:

1. Each badge has a particular number (organised by status)
2. At a random interval it will transmit its badge number
3. While NOT transmitting badges will ‘listen’ for any other message data
4. If message data is decoded to one of a few types the LED will flash (this may change depending on battery life). Primary types are relationships and badge number transmissions
5. If a badge ‘hears’ another badges number it means it must be close enough for you to be talking and adds it to your ‘friends’ list (EEPROM)
6. When a badge transmits its number it ALSO transmits 1 of the last 5 ‘friends’ that it has seen (a relationship)
7. If a badge ‘hears’ a relationship message it stores it in a 5 relationship wide array
8. When a badge transmits its number and a friends (see 6) it has it will ALSO transmit 1 of the last 5 relationships it has ‘heard’

What this basically means is that if Luke and Annie are talking in the corner too far away from a receiver, but Leia is standing in between them and the receiver. Leia’s badge can tell the receiver that Luke and Annie are talking :)


badgeSide1 badgeSide2

The badges should be relatively easy to hack and hopefully will be a nice opening for people who want to start. As the badges are based on the Arduino you can literally pull out the chip from the back of the badge, plug it into your Arduino and upload code to it. For those who want to get wirey, you can simply connect your Arduino directly up to the ICSP headers and upload your code to the badge.

ICSP pins are as follows (looking at the front of the badge – with the screen – and the ICSP pins on the right) from top to bottom:

1. Digital 12 ( MISO )
2. 5v
3. Digital 13 ( SCK )
4. GND
5. RST
6. Digital 11 ( MOSI )

Additionally at the top of the board there are also the digital pins 0,1,2 that can be used for doing anything arduino-y. The LCD uses digital pins 8,9,10,11,12. RF TX uses digital pin 7 and RF RX uses digital pin 6. The buttons use A1,A2,A3,A4. Digital Pins 3,4,5 are all used for the RGB LED. And thats the lot of them. Of course you can simply use these for other things, just remember what they are connected to.


Here is the very first speaker badge:

Speaker Badge 0001

Speaker Badge 0001


Here is a REALLY short video of 5 black badges ‘talking’ to each other (blue LEDs indicate messages received).


Their arent enough badges for everyone, naturally speakers get for adding research and putting in the time and effort required for a great talk. Everyone one else should sign up to the mailing list as we will be announcing how you can get a badge (hint:

There are 40 attendee badges and 20 build-your-own-boards for people who want to go the extra mile and solder their badge together (The badges are simple enough that even a first time solderererer should be able to do it! – and we will be there to help)

The badge talk will be on the Friday night before ZaCon (aka ZaCon Nights), so if you are interested in them keep the friday open!


Honestly I can’t thank the people that supported this project enough, from giving money so we can have badges to suggestions and ideas. Special shouts go to Jameel Haffejee (@RC1140) and Roelof Temmingh!