Cloning my key and opening my garage gate with my 10 USD DIY CC1101 tool and Universal Radio Hacker
ฝัง
- เผยแพร่เมื่อ 26 ก.ย. 2024
- Simple record & replay attack. This video shows how to use my DIY cc1101 tool in real world scenarios. I am using Universal Radio Hacker to find out what is data sequence used by my RF keyfob and CC1101 to replay key sequences.
The project data is available here : github.com/mco... covering Arduino Pro Micro/ Nano / esp32 / esp8266 boards
I made portable pen testing device with Android smartphone + serial terminal application + Micro USB to USB-C cable + my CC1101 tool . All of that fits into the pocket.
DISCLAIMER - you use this device at your own risk. I can not be held responsible of your own actions and damages you could do with this device. My video has only educational value and the device should be used responsibly following local law regulations.
If you like this project please press LIKE button and SUBSCRIBE the channel !
Thank you for your support !
#alchnl #arduino #sdr
I successfully used your software tool for the cc1101, an esp32 wroom, the RTL-SDR, and the URH to decode my wireless wall switch. Thank you very much for your informative video!!!
great !
@@justanengineer5599 Hello. I have a small question. I have now created my light timer module to turn ON/OFF my indoor lights when I'm away. I noticed that when the CC1101 is powered up, it permanently jams my car key & other electronic switches in the house. This is even when I am not sending messages. I fixed it by setting the gain with ELECHOUSE_cc1101.setPA(10), sending Playraw(), then ELECHOUSE_cc1101.setPA(-30). Does this make sense? Does the CC1101 transmit even when not sending messages? Thanks.
Holy cow your a genius ☺️sir me and my college friends really appreciate your hard work
I am not a genius I am just an engineer. This is just an example how to use the knowledge in practice. Knowledge is power.
@@justanengineer5599 wow sir amazing work thank you so much for your reply I will show my friends all your vids as well
@@justanengineer5599 - Some of my customers call me "Bill you're a magician!"... and I always say "I'm not a magician, just a technician". hehe
Thanks for the great project. Worked perfectly once i figured out how to work radio hacker.
Great ! I made it simple and cheap so everyone could replicate this device on his own. When using ESP8266 modules the building cost decreases even further to 5 USD and you have 4KB of non-volatile Flash memory for signal recording storage. That amount is sufficient for most of RF attacks.
Try to build couple of these devices and use chat function
@@justanengineer5599 yeah im planning on trying to adapt it start 3 cameras on a track car with one button press. They all use radio remote controls. I ill have to look into how this could work.
Thanks for sharing all your hard work
This is great project to test Car Key Fobs
Thanks for this one! I switched to esp32. My signal is very odd and Universal Radio Hacker could not decode it even with using the moving average. I could see the signs of the signal, however it was also hard to manually figure out what was going on. However, using recraw a few times I managed to get the right byte sequence and made it possible to replay my garage.
Adding the webserver now and making it api accessible. Also I'm very surprised by the range of the cc1101, it goes incredibly far.
great. which board did u use ?
@@justanengineer5599 ESP32. The api to open the garage trough the esp is working and I’ve managed to add it to home assist. Last goal would be to have it in HomeKit.
Beau travail je vais essayer dès demain j'ai tout ce qu'il me faut à part la connaissance en espérant que votre vidéo va m'aider. J'ai déjà essayé plusieurs fois avec un Arduino et le CC1101 mais j'ai toujours eu un échec. Merci pour votre partage
Thank you so much! Really good! I connect to the mobile phone through the Bluetooth-to-serial port module, which is more concealed😸
super! I plan to introduce wifi communication for esp32 and esp8266 versions but it will take some time...
@@justanengineer5599 Looking forward to it!😀
check out my WIFI version for ESP8266 based boards. You will not need bluetooth adapter anymore..
You need a WIFI access point to which ESP8266 will connect to , also you need to populate settings in the source code : WIFI SSID, WIFI password, IP address of ESP8266 board and IP address of WIFI router (default gateway) :
IPAddress ip(192, 168, 1, 200); // Local Static IP address that you will telnet to
IPAddress gateway(192, 168, 1, 254); // Gateway IP address of your WIFI router
IPAddress subnet(255, 255, 255, 0); // Subnet Mask
const char ssid[] = "your-WIFI-SSID-here"; // Change to your Router SSID
const char password[] = "your-WIFI-PASSWORD-here"; // Change to your Router Password
the source code is here
raw.githubusercontent.com/mcore1976/cc1101-tool/main/cc1101-tool-esp8266-wifi.ino
Also ESP8266 as a WIFI ACCESS POINT version is here
raw.githubusercontent.com/mcore1976/cc1101-tool/main/cc1101-tool-esp8266-wifi-ap.ino
Great job.
It's basically a home-made Flipper like device. :) Now, it would be truly amazing if you could decode the algorithm of the rolling code instead of a simple replay. ;)
Well I leave it to others... But I can give you a hint... If you would attach the device to the PC over serial port and use Python to collect the radio transmissions you might be able to play with decoding : github.com/robert-mcdermott/rolling-code-auth
@@justanengineer5599 - Honestly I was thinking about the same, you would need a large enough number of samples with a hopefully small enough key size to be able to reverse the algo. If they are using anything over a 128 bits encryption, it would take too many years to decode.
@@justanengineer5599 - With larger keys, you're probably better off attacking the Code Validation Tolerance instead, by trying to extend the validation window indefinitely till you hit the right code. ;)
Excelentes saludos. Mr. Adam
I think mic jammer was active during this video, can't hear you.
Very impressive presentation. I like your practical approach with no unuseful information so one can get the work done efficiently. I will try your tool to hack all of my home wireless switches and add a timer to turn them on/off in the appropriate way to give a potential burgler the impression that there's someone at home while I'm on vacation. Question: Will your pro micro code work on a pro mini 3.3V 8 MHz after modifying the schematic for the SPI pins? What about GDO0 and GDO2? Thanks!
yes. the main requirement is to use 3.3V TTL logic in arduino. If this is met then it should work
For GDOx pins you may use any of free available pins, you just need to set pin number in the code accordingly
@@justanengineer5599OK Thanks! I have some pro mini boards in stock. I am waiting for the cc1101 board and the SDR key to continue my project. Meanwhile, if you please, I have 2 more questions after studying this tutorial in detail:
1. The .373usec bit duration that you calculated is configured where in the cc1101 tool?
2. What is the purpose of adding those hex zero letters after the 6-letter preamble and the 50-letter data stream (Nbletters)? For me, the number of zeros (Nbzeros) seems to be calculated by Nbsmpls2 (value displayed after "pause:") and "Nbsmpls1 selected" using the formula Nbzeros=(Nbsmpls2/Nbsmps1)*Nbletters. Can you confirm?
Thank you!
Ad.1. this microsecond symbol length is used in the commands
playraw XXX
recraw XXX
rxraw XXX
Ad.2.
I have added leading zeros to warm up the transmitter. In fact zeros in ASK/OOK type of modulation mean no signal is sent
@@justanengineer5599Thank you!
you may want also to try with 2.4GHz CC2500 modules. According to this info it may work with my code aswell
e2e.ti.com/support/wireless-connectivity/other-wireless-group/other-wireless/f/other-wireless-technologies-forum/281641/compatibility-between-cc1100-and-cc2500
Is there a way to just automate the whole process of calculating the signal? Is there a software for that?
there is no software but you can create one if you wish. Learn python programming and use serial port library and PC to interact with this tool. Create something useful and give it to others as I did. Be an open source programmer.
Do not only take, give something to the community. Show that you are worth something and you are not mindless consumer. Be a man
When I use your universal CC1101 interactive tool my addraw and showraw displays as a single line across the screen whereas your video shows it as block of lines. Is there a setting I need to make in order to display in a block on the page and not one long line?
it will do one big line, at least for showraw
Great stuff on converting to use with RCswitch! I have two questions. Do you think it's possible to also clone a garage door that has a 8 three-way dip switches? (I guess it is just a way to add more bit combinations, right?). Second, would it be hard to port the WiFi esp8266 version to esp32?
My goal is to make an API on the ESP32 which will be in the garage that will send the signal to the garage door, so I can use my phone to open it from further distance than with the remote :). Thanks a lot!
yes. dip switches based doors can be easily cloned
But if you use the ESP32 as a microcontroller, then you can connect it to your phone via bluetooth?
you can connect over wifi. there is already source code prepared for this but for ESP8266
Dzień dobry. Mam pytanie czy w ten sposób również zamyka się bramę? Czy kod do zamykania jest inny?
to zależy od bramy. Ta brama zamyka się automatycznie.
Thanks for the video!
Someday, could you make a video with FSK modulation? I've 2 awning that use FSK and I can't find any video how decode & replay. Thanks in advance!!
i think Universal Radio Hacker has an option to decode FSK but you need to switch it on manually
Thank you for the reply! I’ll check. I’ll also use your device :)
Will HC-11 work? It’s a bit difficult since it only has 5 pin headers. Not a lot of Cc1101 boards are available in my country and aliexpress isn’t an option either.
it will not work. it has serial port
👏👏👏👏👏👏👏👏👏👏👏👏
Panie Adamie dobra robota :) uzywam ze swoim esp8266 i serial przez kabel do telefonu, wiec tez nie moge sie doczekac z serialem przez wifi ;)
Mam nadzieję, że urządzenie się sprawdza w terenie. Jak znajde troche czasu to dorobię dodatkową wersję z wifi. Niestety jest konieczne przerobienie całego kodu od podstaw
EDIT
wersja wifi dla ESP8266 gotowa
raw.githubusercontent.com/mcore1976/cc1101-tool/main/cc1101-tool-esp8266-wifi.ino
do u make custom key jammers the ones u posted before willing to pay high ticket
nope
Cześć! Kawał dobrej roboty ! Zbudowałem Twoje urzadzenie z ciekawości na wemos s2 mini, generalnie działa choć dosyć często traci połączenie w trakcie wysyłania komend w terminalu. Mam kilka pytań, masz może toutorial co poszczególne komendy znaczą w praktyce ? Np. Pierwszy lepszy z brzegu "Recraw" wymaga podania czasu w ms, jak go dobierasz? Albo czemu nie które komendy traktuje jako nieznane np. Show...a w skrypcie help występują. Pozdrawiam !
komendy nieznane pojawia sie wtedy gdy zle rozpozna komende np. brak parametrow albo złe parametry lub tez jakis znak nie dojdzie co wskazuje na problem z portem OTG w telefonie. Jeśli chodzi o Recraw i inne z raw w nazwie to dobranie interwału czasowego dobrze można zrobić jedynie za pomocą Universal Radio Hacker co też pokazuję na filmie. Jeśli zrywa ci połączenie to na 100 procent wina portu OTG w twoim telefonie albo brak styku w gniazdku portu lub kabelku. Upewnij się też że prędkość portu szeregowego masz ustawioną na 115200
Sprobuj uzyc innego telefonu/kabelka/pc bo cos tam nie kontaktuje. Jak masz dobry sprzet to działa zawsze bezbłednie. Na aliexpress można kupic za dolara gotowe kabelki micro usb do usbc
zrobilem wersje na plytki esp8266 w ktorej łączysz sie po wifi zamiast kabelkiem. W kodzie przed wgraniem do płytki trzeba podać SSID rutera oraz hasło do WIFI i adres jaki ma ruter (default gateway) jak tez adres IP jaki ma miec esp8266. Następnie łączysz się przez telnet np. aplikacją Connectbot do tego wifi na wpisany adres esp8266 i śmiga git.
raw.githubusercontent.com/mcore1976/cc1101-tool/main/cc1101-tool-esp8266-wifi.ino
How do I repurpose this pattern on Teensy?
which teensy board? you need to have something that is supported with SmartRC library
@@justanengineer5599 Teensy is compatible with Arduino IDE so no problem.
SmartRC library that I am using in this project only supports a subset of boards not all of them. So there is only a chance that it could work, nothing certain
@@justanengineer5599 👍
very informative video, how much experience do you have in this field?
a bit 😀
@@justanengineer5599 I want to contact you but there is no way . so what do I have to do
Have you clicked my email data in my channels description ?
When i use recraw wifi is disconnecting in esp8266
use recraw XXXX where xxxxx is a microseconds (did you read the help?). if you use this command without the number the esp8266 will restart itself
@@justanengineer5599 hey I did it worked very well
@@justanengineer5599 I am using esp8266 as wifi access point thanks for the code
Thank you for the video
I managed to control my DC fan using your tool
my next step is to convert the hex i have working to ESPHome so i can control it from home assistant
do you have any ideas on how to do that ? Here is what i'm running to control the fan
flush
addraw e8eeee88ee888ee88e8e8e8ee8e8e80000
addraw e8eeee88ee888ee88e8e8e8ee8e8e80000
playraw 350
Thanks
great that my tool worked for you.. I have no experience with ESPHome therefore I am unable to help you with this
@@justanengineer5599 I guess what I'm trying to do is figure out how to convert the hex I get to the rc switch format
i think here is the answer esphome.io/components/remote_transmitter.html#remote-transmitter-transmit-raw-action
the rcswitch operates on symbol length. negative values means 0 is send for particular time , positive number means 1 is send for specified time
you have to use remote_transmitter.transmit_raw
@@justanengineer5599hmmm 🤔 then I guess my next question is how do I convert the hex to the format transmit raw format esphome expects?
if you do showbit command in my cc1101 tool it will display the stream of bits. then you have to use calculator and count the number of microsecon for each zero and one symbols. then prepare negative values for zeros and positive values for ones separated by comma
I have a evil crow v2 And wish i can put raw hex but can not do you have a way to flash this to a Evil crow v2?
you have to ask Evilcrow developers to make their device working this way. I am neither developing evilcrow nor have knowledge about their hardware.
Hey. I've started my project of cloning my garage door with an RTL-SDR. I quickly figured that the frequency is 287.8mHz. However, when I record the signal URH does not autodetect the signal type and there is also a lot of noise before and after the button presses. Any idea which parameters i should change in order to get a better recording?
well its hard to tell without seeing the signal. Is it some old type od radio keyfob or newer one? The most frequently the use ASK type of modulation. Also try to switch off Auto Gain in RTLSDR in URH
@@justanengineer5599 It’s an older one so I assumed it would have been property easy to decide. I’ll try your tip, hope it will help. I’ve tried playing with the gain a bit but no luck so far. If you want I can send you the recorded signal file
@@justanengineer5599 I cannot seem to find auto-gain in URH, any idea where the setting is?
www.oldergeeks.com/downloads/files/userguide.pdf
its named "default gain" field when selecting your RTLSDR hardware as a source and choosing the frequency. Experiment with this value
Can I replace the E7-M1101D module with this type nrf42|01
no. This is for CC1101 boards only
Właśnie spróbowałem nagrać sygnał z wlącznika światła w domu(433mhz), sprawa tam jest jeszcze prostsza niż u Ciebie, policzyłem to wszystko i kurcze nie działa. Dodatkowo co dziwne jak włącza playraw to u Ciebie moment i jest zakończone a u mnie to trwa ok 45s zanim dostanę napis o skończonym odtwarzaniu sygnału. Masz pomysł co może być nie tak? Uzywam ESP32 wroom.
Mój sygnał z włącznika wygląda tak:
1e0c48 00 8f0624 00 8f0624 00 8f0624 00 8f0624 00 8f0624 00 8f0624 000000000000
Zera to oczywiście pauzy, niestety po odtworzeniu przez Twoje narzędzie i ponowne nagranie w URH sygnał wygląda tak:
c48 00 8f0624 00 8f0624 00 8f0624 00 8f0624 00 8f0624 00 8f0624 00 | 0624 00 8f0624 00 ... itd
Czyli wygląda na to, że już na początku gubi "1e0" i potem kolejna sekwencja też nie ma "8f0" . Wiesz co może być nie tak?
esp32 ma chodząca w tle obsługę wifi która robi przerwy w łapaniu/nadawaniu sygnału o których piszesz, to jest single core CPU. Dla esp8266 dorobiłem w odpowiednich miejscach funkcję yield() ale w przypadku esp32 to chyba tylko sam chiński projektant wie jak to działa
mozesz dodac jakies zera 0000000 na poczatku w tej sekwencji to może nie zgubi następnego kawałka i pozwoli mu się "rozpędzić"
@@justanengineer5599 nie znam dobrze esp32 ale internety podają że to ma 2 rdzenie z czego pierwszy odpowiada za wifi a na drugim jest uruchamiany kod z Arduino, trochę to dziwne ale wcale się nie dziwię że są jakieś kwiatki na tym wynalazku
tu masz stronę producenta - zależy to od wersji ESP32. Na przykład ESP32C3 jest single core... Innymi słowy obsługa WIFI i TCP wywłaszcza twój kod programu..
www.espressif.com/en/products/socs
dopiero wersja ESP32S3 jest dual core
www.espressif.com/en/products/socs/esp32-s3
@@justanengineer5599 no to się zgadza, mam wersję D0WDQ6 czyli dual core
Need schematic diagram for esp826 wemos d1 mini to cc1101
EVERYTHING is on my github. If you cannot find it I have doubts you that are able to build and operate this device... Looked there ?
github.com/mcore1976/cc1101-tool/blob/main/wemos-d1-mini-cc1101-E07-M1101D.png
it's possible to make a spy camera jammer or locator ?
spy cameras are using local storage - micro sd cards - for storing videos. they are not sending anything over radio. The exception are wifi based cameras
Bro i want to build a hack rf as cheap as possible as i can't afford its price please help😢😢which other things i should buy?
depends on the frequencies you want to work on. On the beginning build this device and try to play with it to see what can you achieve. HackRF can operate also over 1GHz which is not possible with C1101 so there is a lot more of components needed that it is so expensive
looking forward to it
Ale to będzie dla pilota ze zmiennym kodem..?
na razie ze stałym. Ze zmiennym to by czasu nie wystarczylo w tym filmie i zaraz by samochody kradli na mieście więc wprost takich rzeczy nie wolno mi tu demonstrować - polityka YT...
W tym filmie pokazuje jak używać mojego narzędzia a jak ktoś nie potrafi sobie wyobrazic co z tym można zrobić no to sorry ale za głupi jest aby w ogóle tego używać
@@justanengineer5599 ja z tych głupich 🙂
Czyli na auta też może to działać po odpowiedniej konfiguracji ?@@justanengineer5599
oczywiście. Ale trzeba mieć dwie sztuki - poczytaj sobie
1) github.com/jordib123/replay-jamming-attack
2) www.hackster.io/news/hacking-a-car-s-key-fob-with-a-rolljam-attack-7f863c10c8da
We must root for android ?
no
how can I change the frequency of cc2500 to any frequency I want
dont ask me. This project is using cc1101 board not the cc2500
@@justanengineer5599 can i use cc2500 to work with higher frequencies than 1GHZ, if not what cheap product do u recommend If I wanted to work with frequencies higher than 1GHZ.
yes cc2500 is for 2.4GHz
Is there a way to change its frequency. I want it to operate on 1.8GHz. Is that possible or is it fixed to 2.4GHz.
also thanks for answering these questions.
i sent email,i didn't see like aaaaaa in universal radio hacker,how can i do?
thank you so much,where are you ?i need help!
I was on vacation. I have seen your showraw output. You just need to adjust your addraw commands to your output of universal radio hacker. Every wireless key is different therefore yours may not use aaaa hex numbers or any other preambles
@@justanengineer5599 OMG! It worked,at beginning i forgot set modulation and mhz on terminal!!Hope you enjoy the vacation!
@@justanengineer5599 thanks a lot!
great! this tool is powerful but there is always some effort needed to reverse engineer the keyfob
Who uses rf for garage doors without some kind of security , such as rolling code ? This is useless hehe
many people are using an old type of rf locks. And if you have two of such devices you can perform rolljam attack. Yes you arent as much secure as you think man...
Are you telling you need an sdr decide apart from the cc1101 you did for this to work?@@justanengineer5599
Which kind of sdr should I buy?
buy some shielded one in alloy housing also try to look for version with RTL8232 and R820T chips (not R820T2 !)
the blue one that's 10€ work fine if you don't want to pay 30€ for your first dongle
Before i start trying, do you think it will work on Arduino Uno?
no because uno has 5V ttl logicnot 3.3v required for cc1101
@@justanengineer5599 I just checked the LSatan SmartRC-CC1101 lib and he says "A logic level converter is recommended for arduino. It also works well without. Use at your own risk." I'm tempted to give it a shot, or do you think I can blow stuff up?
how can i program cc1101 to get more freq in one time?like 433mhz and 434mhz both work
or what device can do that,like send 433~440 all these freq at same time
not possible with single CC1101 board. You would have to use many boards at the same time, each one tuned to different frequency
Что за приложение терминал???
The application name is Serial USB Terminal by Kai Morich
Hi ! I need help for my project which I use sim808 for gps tracking. Where can I connect you ? email. etc