loading

This is my first instructable so please bear with me if I'm not clear enough. And note that this is for educational purpose only. Hope this will help someone to evaluate how secure/non-secure their so-called secure locking mechanisms fixed in cars or home garage doors. This hack can be used to open wide variety of security locks used in cheap after market car security systems to almost all cheap remote garage doors.

There are several Instructables such as " Arduino 433Mhz Wireless Communication Rc Switch" explaining how to use generic RF remote keys. But most of them does not give the full picture of advantages/ disadvantages of using basic RF remote keys. My main goal of this instructable is to fill that gap, and explain how easy it is to hack basic remote keys.

There are two main RF remote key methods currently available. In high-level, these are active and passive entry systems.

Passive entry system is using fixed code (usually 24 bit/40 bit) every time to authenticate a key. Therefore it's just a matter of capture the signal and re-transmit it to gain access. Even with this major vulnerability, these type of security systems are still widely used. Main reason this method still popular is that it's not practical to brute force and break these codes (2^24 combinations to brute force with 24 bit code).

On other hand active entry systems are much harder to hack. There are several ways these systems implemented. Most common method is Rolling code which dynamically change codes based on common algorithm on both key and receiver. Currently I'm working on these types of systems, hopefully will be able to do a instructable on these as well.

In this instructable i'll explain how to analyse passive entry system codes and how to repeat the codes to gain access.

I've tested this method on following security systems.

Even though I've tested with above systems this hack will work on any passive entry systems which uses 315MHz , 433.92MHz frequencies.

It's worth note that by convention, it's a must to restrict all commercial Remote keyless system to use only 315MHz(In europe) and 433.92MHz (in USA and other countries) radio frequencies.

Step 1: Materials

I usually buy from ebay where I can find very cheap working parts with free or almost free shipping.

Following are major parts I used for this project:

  1. Arduino uno - USD 5.17
    (Please note that this is not the original Arduino. If you are using cheap clone Arduino's just like me please goto Arduino website contribute few dollars. If they never open source these schematics we'll never have arduino's this cheap)
  2. DVB-T SDR TV Tuner Receiver Stick RTL2832U+R820T - USD 7.09
    (I bought this some time back where R820T was the cheapest option available with RTL2832U which has frequency range 24-1766 MHz. There's a new version with R820T2 chipset which is said to be less prone to rf noise compared to previous. If you can find a dongle with R820T2 buy it instead of R820T.)
  3. 433Mhz RF Transmitter/Receiver Module - USD 0.74
  4. 315Mhz RF transmitter/receiver Module - USD 0.99

Following items are used to make this project more portable and easy to handle:
(Note that I found these items at home, but i'll post ebay links to buy them as well)

  1. Veroboard - USD 1
  2. Few connector wires female - USD 0.99
  3. Few header pins - USD 0.2
  4. (Optional) USB type A male port - USD 0.99
  5. (Optional) USB type B male port

Note: If you can just buy a " USB type B to type A male to male connector" from local store or ebay no need to buy usb type A, type B male ports separately. Since I didn't have that connector at home I had to made it with available items.

Apart from these items we need few connector wires as well as a computer. Even though I have done this in windows 7, mac osx and ubuntu, I'll explain step by step instructions for Mac OSX-10.9.4(64bit). These instructions will be very similar to both other operating systems if you have fair understanding in your operating system. Feel free to ask any questions in comment section if you're using windows or linux/ubuntu.

Step 2: Summary of Steps

Following are the main steps need to follow.

  1. Identify the passive code:
    • Install RTL-433 library on computer.
      (this is necessary as these libraries will enable us to listen whatever radio frequencies dongle can handle).
    • Start listening to 315MHz and 433.92MHz frequencies and decode.
  2. Transmit passive code (using Arduino):
    • Setup Arduino hardware and sketch.
    • Test Arduino setup with serial monitor.
    • Setup GUI interface to Arduino setup.
      (I wrote a java swing GUI application for easily change parameters on the go without going through hassle of using serial monitor or uploading Arduino sketches for each parameter change)
  3. Finishing Touches to the Prototype:
    • Build simple rf transmitter shield
    • (Optional) Build USB Type A to B Adapter

Step 3: Identify the Passive Code: Install RTL-433 Library

RTL library will turn your Realtek RTL2832 based DVB dongle into a generic data receiver. Since RTL2832 chipset allows to tune 24-1766 MHz range it can be used in various other projects as well. Such as monitoring adb aircraft transponder data which broadcasts from each and every commercial flight.

I'll try to make this instructable as complete as possible by giving each and every step. To install RTL libraries we have several prerequisites fulfill as follows.

Main goal of this step is to setup merbanan/rtl_433 on a computer. With some googling and little brainstorming you'll find quick and dirty ways to set it up.But I always prefer build from basics just to keep in control.

Prerequisites:

Please note that these steps are given for Mac OSX. If you need any specifics or stuck in a dead-end, please let me know in comment section. I've tested this end to end on all major operating systems(windows 7, ubuntu 14.04 and mac osx 10.9.4) as well.

If you're on Windows just use prebuild executables for "rtl-433" on this website. I haven't tried it though, with some googling this is will be the quickest way to setup "rtl-433" on windows.

Install "cmake"

  1. Download CMake from the CMake website. (make sure to download dmg version)
  2. Once you have successfully downloaded the .dmg file, simply double-click.
  3. To install CMake application drag and drop CMake onto the Applications folder.
  4. Launch CMake from Launchpad or Spotlight.
  5. From the "Tools" menu select "How to Install For Command Line Use". From the dialog that pops up, note the cmake-gui path (ex: /Applications/CMake.app/Contents/bin/cmake-gui).
  6. Open a terminal by executing "cmd+Space", typing "terminal" and execute following commands on terminal :
  7. sudo mkdir -p /usr/local/bin
    sudo /Applications/CMake.app/Contents/bin/cmake-gui --install=/usr/local/bin 
  8. Verify that it has been correctly installed to PATH by executing:
  9. cmake --version 


Install "libtool" "libusb-1.0.0-dev" libraries

  1. Install libtool and libusb by executing following commands in terminal :
  2. brew install libtool
    
    brew install libusb


Install "rtl-sdr" library

rtl-sdr library has well-documented documentation. And steps are fairly simple. Please goahead and install it properly.

Install RTL-433 library

Once all the prerequisites are completed, clone rtl_433 git repository and follow steps bellow to build the library using cmake. In repository main page there's a comprehensive guide to each and every command and how to use it as well.

cd rtl_433/

mkdir build

cd build

cmake ../

make

sudo make install

Once rtl-433 install on your system plug the DVB-T USB dongle and run following command.

rtl_433

If everything worked well rtl_433 will identify the usb device and start listening to any incoming rf transmissions. I have attached successful Console output for reference.

Step 4: Identify the Passive Code: Start Listening to 315MHz and 433.92MHz

Depending on the rf frequancy on your test security lock, you need to listen to either 433.92MHz or 315MHz. Since all rf key fobes are regulated to use one of these frequencies, if you don't know the exact frequency on your key you can try both frequencies.

For 433.92 MHz RF keys

"rtl-433" by default tunes to 433.92MHz frequency. In order to listen to all incoming transmissions under this

frequency, we need to switch to analyzer mode as follows.

  1. Plugin the DVB-T tuner dongle to one of the usb ports of the computer.
  2. Open a terminal and enter following command:
rtl_433 -a 

It'll start listening to any incoming traffic and print it on the console. press a button on the remote key and it'll register on console output.


For 315MHz RF keys


Name of the library is slightly misleading as it says "433" implying it can only receive on 433MHz frequency. This is not true. This library can receive any frequency if the connected hardware permits.

In order to tune into 315MHz using the tuner:

  1. Plugin the DVB-T tuner dongle to one of the usb ports of the computer.
  2. Open terminal and enter following command :
 rtl_433 -f 315000000 -a

press a button on the remote key and it'll register on console output.

IMPORTANT: Just like a radio, DVB-T tuner can only tune into one frequency at a given time. You can not tune into both frequencies simultaneously using one receiver.

If everything works as expected you'll see similar console output as follows :

Reading samples in async mode...

Tuned to 315000000 Hz.

*** signal_start = 90713609, signal_end = 90787588
signal_len = 73979,  pulses = 125
Iteration 1. t: 185    min: 97 (80)    max: 273 (45)    delta 5
Iteration 2. t: 185    min: 97 (80)    max: 273 (45)    delta 0
Pulse coding: Short pulse length 97 - Long pulse length 273

Short distance: 81, long distance: 257, packet distance: 2720 p_limit: 185
bitbuffer:: Number of rows: 5
[00] {25} 55 24 8c 00 : 01010101 00100100 10001100 0
[01] {25} 55 24 8c 00 : 01010101 00100100 10001100 0
[02] {25} 55 24 8c 00 : 01010101 00100100 10001100 0
[03] {25} 55 24 8c 00 : 01010101 00100100 10001100 0
[04] {25} 55 24 8c 00 : 01010101 00100100 10001100 0

As you can see there's clear binary pattern "01010101 00100100 10001100 0" repeated 5 times with long pulse length around 273. If we can simply repeat this binary pattern, receiver should identify it as a valid key and authenticate.

Step 5: Transmit Passive Code: Setup Arduino Hardware and Sketch

Arduino hardware setup

Hardware setup is very simple as shown in the attached diagram. I've included a breadboard just keep the diagram clean. If you can connect 5v and ground wires properly to the Arduino, there's no need to use a breadboard.

Further, data pins are configurable using GUI interface which will explain later. Therefore, no need to stick to the 12 and 10 pins. you can use any digital output pins as required.

Arduino sketch

In order to send binary codes, we need a 3rd party library for Arduino named rc_switch developed by Suat Özgür.

Follow the steps bellow to properly install the rc-switch library and upload the sketch.

  1. Download rc-switch library from "sui77/rc-switch" git repository.
  2. Place the unzipped rc-switch library directory inside "{USER_HOME}/Documents/Arduino/libraries/".
    (There are several methods to install libraries. For more info on how to install libraries check out Arduino official guide)
  3. Download attached arduino sketch file(RfProjectArduinoCode.ino) or latest sketch from my git repository. Sketch is simple, well commented and self-explanatory.
    On high-level, what it do is monitor any incoming serial messages and transmit rf codes based on serial input parameters.
    I have added inline comments to make it more readable. Feel free to ask any questions in comments section if need more info.

  4. Open the sketch file from Arduino IDE, verify and upload it to Arduino.

Arduino Sketch Internals

I've explained all the major functions through inline comments in sketch file. I'll try to make it clearer for a first-time Arduino user by going through important code lines.

INPUT_SIZE variable defines the size of the input char array.

#define INPUT_SIZE 150

Create necessary variables including RC switch instance.

RCSwitch mySwitch = RCSwitch();

char* binaryCode;
char* pulseLength;
char* rfTransmitPin;
char* rfProtocolType;
char* repeatIterations;

One time setup to initialize serial baud rate and initialize build in LED output to notify status. This will flush the serial input buffer just to make sure no garbage serial data passed to rc switch library.

void setup()

{
  // Initialize serial:
  Serial.begin(9600);
  pinMode(13, OUTPUT);

// Flush serial buffer
  serialFlush();
}

I believe rest of the code within "loop()" is self-explaining. As I have added inline comments for each critical code line. If you have any questions ask them in the comment section.

Step 6: Transmit Passive Code: Test Arduino Setup With Serial Monitor

Before proceed we need to make sure that Arduino is properly setup and ready to transmit codes properly.

In order to verify follow the steps bellow:

  1. Start receiving 433.92MHz rf signals using DVB-T usb dongle as explained in step 4.
  2. Connect Arduino to computer using usb cable.
  3. Open serial monitor in Arduino IDE by navigating to "Tools -> Serial Monitor".
  4. Send following line through serial mointor input to Arduino.
binaryCode:0101011010&pulseLength:321&rfTransmitPin:10&rfType:1&repeatIterations:5

This should register binary code properly on DVB tuner as attached console output screenshots.

Similarly, Test 315MHz transmitter by changing "rfTransmitPin" to 12 and tune into 315MHz frequency using rtl_433. Refer attached screenshots to get a clearer idea.

Now, by changing serial input parameters you can transmit binary codes got from your rf key and mimic the key.

Step 7: Transmit Passive Code: Setup GUI Interface to Arduino Setup

This step is not mandatory as we can mimic rf keys by sending properly formatted serial input as explained in previous step. But interfacing arduino with GUI will make it easy to use for anyone with basic computer literacy.

I choose java/swing to develop the RC SWITCH GUI mainly due to my personal preference. Further, java apps are highly portable across all platforms, which makes it easy to share/run executables.


About RXTX java library and why it's needed

Java JDK does not support serial port communication natively at the moment. Therefore, we need to rely on external java library which can communicate with serial ports. RXTX library has developed to address this issue.

RXTX is an open source java library, using a native implementation (via JNI), providing serial and parallel communication for the Java Development Toolkit (JDK). Even though there are few other alternatives to rxtx this is the most complete serial communication library backed by wide community support for troubleshooting(stack overflow :) ).

Rxtx library contains two parts.

  1. RXTXcomm.jar - This enables JDK/JRE to communicate with OS specific serial drivers.
  2. OS specific serial drivers (ex: librxtxSerial.jnilib for mac osx) - This communicates with serial ports identified by the operating system.

Refer attached high-level architecture diagram to understand how rxtx library been used.

Java GUI program to control Arduino transmitter

I have provided all the java source codes in rc switch gui git repository. If you are a developer go ahead and use these sources as required.

I'm not planning to explain all the internals of the GUI project as it will make this instructable way Off course. Please ask any questions in the comments section. If you're planning to build the GUI from source make sure to import "RXTXComm.jar" library properly to the project.

Running the GUI program(using pre-build jars) on Mac osx 10.9.4 (64bit):

  1. Install latest java version on your computer. (As I have compiled these jars on java 1.8, it won't work in older java versions)
  2. Download and unzip attached "rc_switch_gui.zip" file.
  3. Move into unzipped directory and execute following command. This should open up the main window.
java -jar rc-switch-gui.jar

Using GUI program:

GUI interface is self-explanatory. For sake of completeness of this instructable, I'll briefly explain the functionality of each tab.

  • Connection Tab
    As name suggests this tab will let you select the serial port and connect. Note that you need to click on "Refresh" button next to drop down list in order to list down all available serial ports. There's a "status" notification indicating a successful connection or any errors(such as "port in use" error) while connecting. Refer attached image for more info.
  • Transmit Tab
    Without a successful connection, this tab won't be accessible to the user. After a successful connection, this tab will enabled and ready to send binary codes to Arduino. There's a progress bar indicating progress of the send operation at bottom of this tab as well.
  • Configurations Tab
    This tab will allow user to define Arduino data pins corresponding to 433MHz and 315MHz transmitters.

Step 8: ​Troubleshooting :)

Keep in mind that you might face some issues/errors while following above steps. I've documented all the issues which I faced while making this instructable. Hopefully, it'll help you to resolve any issues faced.

Common Errors/Exceptions on Mac OSX

  • java.lang.UnsatisfiedLink Error

If you face this error it's because architecture mismatch in serial driver library and host computer.

java.lang.UnsatisfiedLinkError: librxtxSerial.jnilib: no suitable image found. 

Did find: librxtxSerial.jnilib: no matching architecture in universal wrapper thrown while loading gnu.io.RXTXCommDriver

In official rxtx website they have provided Mac OSX libraries compiled for 32bit architecture. They haven't provided libraries to support on 64bit systems.

In the attached "rc_switch_gui.zip" it contains 64 bit compiled library(as I'm running on 64bit system). If you need 32bit Mac OSX libraries you can simply replace it from official rxtx libraries from the website.

  • Port already in use Error

The OS X has exclusion (locking) mechanism on the serials ports. The MacBooks never had serial ports, but the USB ports emulate them. When the Arduino connected, it appears in the port list as "/dev/tty.usbmodemXX" where "XX" are some digits. When exception thrown with port already in use, that's a standard I/O exception that meant we could not get gain access. The current owner was undefined because there was no current owner. We just did not have the required access to the directory to take ownership.

In order to fix this open terminal and execute following:

sudo mkdir /var/lock
sudo chmod 777 /var/lock 

This creates the required directory and makes it accessible. The serial port will no longer be busy, given that something else is not really using it! ;)

Common issues on Ubuntu 14.04 LTS

My initial plan was to cover only Mac OS through this instructable. But as I tried to run the jar in Ubuntu I faced one of the most annoying issues, where rxtx library failed to identify some serial ports even though there are no errors/exceptions.

After hours of research found that on Ubuntu 14.04, Arduino's recognized as /dev/ttyACMxx. The RXTX library only searches through /dev/ttyXXXX.

Therefore need to make symlink to available port as follows.

sudo ln -s /dev/ttyACM0 /dev/ttyUSB0

Make sure to replace "/dev/ttyACM0" with your Arduino's port identifier. This should solve the issue.

Another issue was that user does not have sufficient privileges to access serial ports. Therefore, make sure to run the GUI application as root user if possible. If you need to run the application using current user just add the current user to "dialout" user group and restart the computer.

sudo usermod -a -G dialout username

Make sure to replace "username" with your user.

Step 9: Finishing Touches to the Prototype

In order to finalize this project, we need to properly pack everything in a neat packaging. Of cause, we can't handle breadboards while wires hanging with tiny transmitters in a car park or a garage. :)

This step focuses on making this project portable and easy to handle.

This step can be divided into two parts:

  • RF Transmitter Arduino Connector Shield
    (Instead of using breadboard, I needed something more portable and ability to easily attach/detach from Arduino.)
  • USB type A/ type B connector

    (male to male)

    (Using a USB cable is not convenient. In order to use this as a pluggable dongle, I needed a connector without the cable part. As I mention in "Materials" section(step 1) these connectors are available to buy.)

RF Transmitter Arduino Connector Shield

This is a simple setup which uses only 4 pins from arduino. I've attached the Veroboard diagram. Solder properly as shown in diagram and make sure to disconnect all non-used header pins as precaution. I've used connectors to attach/detach transmitters as well. If you don't wish to reuse transmitters in some other project just solder it directly to the board.

Make sure to verify each and every pin connection after soldering. Make sure opposite Arduino pins are not connected through Veroboard as well.

My final adaptor looks like this. I'm sure there are more nice ways to arrange it. I just made this from what's available to me at the moment :)

USB Type A to B Connector

It's better if you can buy pre-build adapter as it's cheap and well built. But since it takes long time to arrive(where I live) I decided to build my own adapter as I got all necessary parts at home.

Soldering a USB connection is very simple as well. There are only 4 wires to connect and there are clear pinout diagrams all over the internet as well. I used this pinout diagram which clearly identify pins by numbering.

Final outcome looks like this. It's not pretty but it does the job as expected.

Important: If you decided to build your own adapter make sure you do it right without short-circuiting wires. Double check each and every connection and soldering before connecting it to PC. Otherwise, in worst case your PC motherboard will pay the price.

If you don't want to risk anything best bet is to buy an adapter instead of building it on your own.

Step 10: Conclusion

This hack can be improved in various methods. For example if this can be implemented with arduino micro or nano, it will be easy to carry any where just like a pen drive. It's fairly simple to do as well. Only thing needs to be done apart from these steps, is mount RF transmitters properly to the arduino.

Further, since RF transmission can be directly controlled through serial inputs, there are lots of possibilities for various other projects as well.

Main goal of this instructable is to make aware how easy to hack passive RF remote systems and gain access. Passive RF coded systems are now outdated and it's high time to stop using them as security/entry systems. This is fairly easy hack for anyone with average knowledge in electronics and programming.

Hope this will help someone to evaluate their own rf security systems and take necessary actions to prevent any mishaps.

<p>Thanks for the share. Which software do you use? Can the same done </p><p>with rolling code or PKE systems? Can you help me with instructions</p><p>for this process shown on video? alexshmidt199@GMAIL.COM is my email.</p>
<p>Thanks for the share. Great Hack indeed. I tried to create self executable GUI jar from your git source. It always ended in error. Please explain how to create.</p><p>cheers</p><p>ps : i am a novice to java programming</p>
<p>There's no magic in self-executable jars. It's a container which contains all required class files/resources/resource paths in one place. </p><p>Since this contains GUI I suggest using a IDE to create the jar artifact(makes life easy). Following are the basic steps to follow in intelij IDE(my default development environment). This should be the highlevel steps to any IDE.</p><p>1. Open the project in intelij IDE.</p><p>2. Make sure you have imported correct RXTX library to the project as a resource.</p><p>3. Goto &quot;File-&gt;Project Structure&quot; and open &quot;Artifacts&quot; tab. Click on small &quot;+&quot; in right hand side tab. And select &quot;jar-&gt; From modules with dependencies&quot;.</p><p>4. Make sure MANIFEST.MF is in &quot;src/resources/META-INF/MANIFEST.MF&quot; path. and select &quot;extract to the target jar&quot;. Apply the changes and close the dialog.</p><p>5. Now on &quot;Build-&gt; Build Artifacts..&quot; menu click on &quot;Build&quot;.</p><p>6. Finally, you should see the self-executable in &quot;out&quot; directory. </p>
<p>Thank you allot for detail steps. will try this method.</p>
<p>How easy do you think this would be to implement on a raspberry pi to make an all-in-one portable system?</p>
<p> It can't be very hard as these transmitters/rc-switch libraries are compatible with raspberry pi's and oracle java jre also compatible with pi's(from what I read on internet :)). </p><p>Unfortunately, I don't have raspberry pi to test it.</p>
<p>Thanks for sharing :)</p>

About This Instructable

3,315views

169favorites

Bio: I'm a human, whom interested in hacking stuff. :)
More by pumudu88:Hack Remote RF Security Locks With Arduino 
Add instructable to: