Basic RF sniffing with the Bus Pirate

Getting some data out of those cheap dumb transmitter/receiver pairs takes the better part of 30 seconds. I hooked one up to see if I could capture some remote keyless entry traffic. (and it worked)

The first dump I took was of a cheap garage door opener that is real popular here, this is the same system I used in one of my previous projects. The data is composed of an active low signal, a frame starts with a single low going pulse followed by 12 static bits (ie, really easy to hack). Each bit is composed of a low and high portion, the ratio of these portions determine a zero or one bit. The system works on 403.55MHz so I needed to turn out the inductor core completely to pick it up.

The dump was made with the Alternate Sump Client and the Bus Pirate, I powered the module directly from the BP meaning that I had to turn on the power supplies through the terminal before using the logic analyzer mode. Next I dumped a keeloq remote control, the protocol is pretty well explained in the HCS301 datasheet which is used in the remote. This one worked on 433MHz.

Since the static code isn’t real interesting and I’ve hacked it before I’m going to try my hand at keeloq, I at least want to write a small ap that can decode the unencrypted bits.

[EDIT]

Found a similar page: http://bertrik.sikken.nl/433mhz/

Advertisement

~ by s3c on 2011/06/19.

Posted in Uncategorized

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.