OP 12 March, 2022 - 07:05 PM
DISCLAIMER:
I want to make this clear. I have NOT hacked into other vehicles I have not been allowed to.. I’d rather be smoking a blunt.
Also these are just techniques I have come across and used when I was fascinated about RF hacking and so forth. I’m sure you genius people out there have other ways of going about these attack vectors like via OBD2 connections or whatever BUT
SUMMARY:
In this tutorial I’ll be specifically going over unlocking a car door using REPLAY and ROLLING CODE attack methods for ASK/OOK modulation. You can apply this knowledge to 2-FSK/4-FSK as well but if you’re at that stage, you can do your own research. Again this is Remote Key Entry (RKE) for dummies. There will be A TON of missed info, and it will be solely up to the user to go about further research.
CHAPTER JUAN (Intro/Background):
Before we start hackin and shmackin we must know how the key fob works, and how the car is communicating with that key fob to do THAT specific action. Well I’m going to make this as simple as Fucking possible, like explaining it to my dumb homies.
When I press the unlock button on my shitty Corolla outside, the key fob will send a RADIO SIGNAL on a specific RADIO FREQUENCY to the vehicle. Now vehicles have these codes already in them, so if the radio signal matches the hard coded keys, the vehicle will proceed to unlock the door. These codes, or keys shall we say, are different in every vehicle, which is why you can’t use ANY Ford Mustang key fob to open ANY Ford Mustang!
With that being said, if an attacker can sniff the key fob signals as a victim is unlocking their car door, he will then be able to replay the signals later on (let’s say at night) to gain access to the vehicle.
CHAPTER TWO (Equipment/Prerequisites):
If you have the money to afford a HackRF from Great Scott Gadgets then go that route.. but if you’re a broke ass mofo like myself and can’t afford a $300-400 piece of beautiful hacking equipment.. then follow along.
BASE OPTION:
1. 1 Raspberry Pi 2-4 ($40-60 Amazon)
2. 1 RTL-SDR Dongle ($20-25 Amazon)
3. 1 Copper Wire or a Jumper Wire (for GPIO pins on RPI) ($1 anywhere)
4. 1 Power Bank ($20-30 Amazon) - you don’t need a power bank if you’re sniffing from your car.
5. Laptop (optional, not necessary)
UPGRADE OPTION:
1. 2 YardStick One ($120/each, $240 for both (Amazon))
EXTRA OPTION: (what I personally use everyday for replay attacks):
1. Evil Crow RF V1 ($25-45 AliExpress)
But V2s are coming out so best believe imma cop that bitch
RICH MOFO OPTION:
1. HackRF ($300-400 Amazon)
CHAPTER TREE (setup for REPLAY ATTACK):
1. Install Ubuntu OR a Linux distro onto the RPI
2. Set up SSH
3. Install dependencies for your dongles (RTL or Yardstick)
4. Download gqrx or rpitx
Use YouTube to setup everything.. it’s really not hard just follow simple directions.
Replay attacks are easy and will only need one YardStick One or RTL-SDR. Now like I said before, the key fob sends the signal on a SPECIFIC radio FREQUENCY.. well these frequencies are mainly based off of WHERE the vehicle’s manufacturer is located. For instance, ALL US manufactured vehicles will be around 315.00 MHz +/- 2.5; in Europe and shit, they operate at a frequency of 433.92 MHz +/- 2.5.
So let’s say our target is a Kia car, we would be recording all signals near the 433.92 MHz frequency range. BUT if it was a Ford Focus, we would be sniffing all signals near the 315.00 MHz range.
** forgot to say, if you’re using the yardstick.. I’m expecting you to know what you’re doing. If not just grab a RTL SDR… **
CHAPTER FO (Recording the signal):
Now that you have your Ubuntu set up and your dongle ready to capture some key fobs, LET’S GET IT! (I’m using Ubuntu and gqrx with a RTL-SDR dongle for this tutorial). My whippo is a beater and works under the frequency of 433.92.. I know this because, like we said, the region of where the manufacturer is located. Well we want to find the exact frequency the key fob is sending these signals from. Well gqrx has a waterfall screen to show all the peaks and spikes of all radio signals around you. We want to press the key fob and set the frequency range to the middle of that huge spike (view a YouTube tutorial on how to view radio frequencies, it’ll take you 5 minutes). This will allow our dongle to listen to the signal exactly where the key fob is sending it.
Press record and hit the Unlock button on the key fob again. Stop recording and replay the signal to see if the car will unlock. If your vehicle is vulnerable to replay attacks, your vehicle will proceed to unlock every time you replay that signal we just captured.
This technique is very common and I have found vehicles as old as 2011 that are vulnerable to such attacks. All you need is the frequency, someone to press the key fob to get into their car, and then sniff that signal to then be replayed later.
CHAPTER FIVE (Rolling Code):
This technique requires an extra piece of hardware like a piece of copper wire OR another YardStick One. This technique is pretty much the same as the last one, making sure we have the frequency the key fob is talking on and recording the signal, but instead of just recording the signal and replaying it raw, we will first jam the key fob so the first unlock button press does NOT get received by the car; instead OUR radio dongle will grab the key. Then when the victim presses the key fob again our program will grab the second code, send it to the car to unlock like normal and stop jamming. The victim thinks everything is okay when really we have a key ready to replay.
This technique is used for modern cars, as the codes in the car change every time the key fob is pressed, which makes replay attacks impossible. BUT by jamming the signal we can stop the car from receiving the first code, which we will keep for when we want to gain access to the car later.
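To make the "codes change every press" point concrete from the receiver's side, here is a toy rolling-code model. This is an added illustration, not code from the original post or from any fob or vehicle: the shared key, the use of an HMAC in place of a real fob's block cipher, and the resync window of 16 are all constructed assumptions. It shows why a raw replay of a code the car already consumed is rejected, and also why a receiver has to tolerate a few missed presses (a fob pressed out of range), which is the gap the jamming chapter above relies on.

```python
"""Toy rolling-code fob and receiver (added illustration, not from the original post).

Constructed for this example: SHARED_KEY, the HMAC standing in for the fob's
real cipher, and RESYNC_WINDOW. Real systems differ in detail but share the
two properties modelled here: the code changes on every press, and the car
only accepts a counter it has not already consumed.
"""
from __future__ import annotations

import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"   # hypothetical per-device secret
RESYNC_WINDOW = 16                     # hypothetical: how many unheard presses the car tolerates


def make_code(counter: int) -> bytes:
    """The 'hopping' part of a frame: a keyed tag over the press counter.
    A real fob encrypts the counter instead; a MAC gives the same property here
    (nobody without the key can produce a valid code for an unseen counter)."""
    return hmac.new(SHARED_KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self) -> tuple[int, bytes]:
        """One button press: advance the counter and emit (counter, code)."""
        self.counter += 1
        return self.counter, make_code(self.counter)


class Receiver:
    def __init__(self) -> None:
        self.last_counter = 0          # highest counter accepted so far

    def receive(self, counter: int, code: bytes) -> bool:
        """Accept only a valid code whose counter is fresh and within the window."""
        if not hmac.compare_digest(code, make_code(counter)):
            return False               # wrong key or corrupted frame
        if counter <= self.last_counter:
            return False               # already consumed: this is a replay
        if counter - self.last_counter > RESYNC_WINDOW:
            return False               # too far ahead: fob must resync first
        self.last_counter = counter
        return True


def replay_is_rejected() -> bool:
    """A captured frame works once; replaying the same capture fails."""
    fob, car = Fob(), Receiver()
    frame = fob.press()
    first = car.receive(*frame)        # genuine press: accepted
    second = car.receive(*frame)       # same bytes again: rejected
    return first and not second


def missed_press_is_tolerated() -> bool:
    """A press the car never heard (out of range, or jammed) does not lock the
    user out: the next press is still inside the window and is accepted."""
    fob, car = Fob(), Receiver()
    fob.press()                        # not delivered to the car
    return car.receive(*fob.press())   # counter 2 while car is at 0: accepted


def far_desync_is_rejected() -> bool:
    """Beyond the window the car refuses, which is what bounds the tolerance."""
    fob, car = Fob(), Receiver()
    for _ in range(RESYNC_WINDOW + 1):
        fob.press()                    # none of these reach the car
    return not car.receive(*fob.press())


if __name__ == "__main__":
    print("replay rejected:", replay_is_rejected())
    print("missed press tolerated:", missed_press_is_tolerated())
    print("far desync rejected:", far_desync_is_rejected())
```

The window is the design trade-off: a car that accepted only `last_counter + 1` would strand every owner whose fob was pressed in a pocket, so receivers accept any unconsumed counter within a bounded range. Any code that sits in that range and was never consumed remains acceptable, which is exactly why a code the car never received is worth something to an attacker and why the counter alone is not a full defence.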
To do this we will need to install a copper wire on pin 12 of the GPIO as shown below:
https://github.com/trishmapow/rf-jam-rep..._setup.png
This will be our jammer.
Rpitx is a program capable of transmitting signals with the GPIO pins, and since we set up our antenna (the copper wire), we can now use rpitx to jam the signal. The thing is, we don’t want to jam the signal directly. For instance, my key fob works on the exact frequency of 433.92, THAT DOESN’T MEAN WE JAM ON 433.92!! We will jam a little below but STAYING in the frequency range the car is listening to. So where we will jam is about 433.800 or 433.850; you see how I’m not jamming on the EXACT range of the key fob signal but rather around the signal, to disrupt what the car will be picking up.
So to do this, on my gqrx I am recording on frequency 433.92 and in another terminal I’m going to type this command below:
sudo ./rpitx -m VFO -f 433.850
This command will jam the frequency range the car is listening to, which will make the car not hear the key fob. So when the victim presses the unlock button.. the car will not unlock; instead the code is being recorded. We can stop jamming whenever we feel comfortable with ctrl-c and boom. Consider it a fucking dub.
There are plenty of programs out there that do all of this for you, and some even find the exact frequency as well.
Here are some links I used in my research, or I hope you guys are willing to show me what you guys have made!!
https://github.com/trishmapow/rf-jam-replay
https://web.stanford.edu/class/ee26n/Ass...ment5.html
Using YardStick Ones in my opinion is the easiest and most versatile way. Python is my life so making a script that’ll jam, record, and log at the same time automatically will make your life easy.
Personally I use the evil crow RF for my daily replay attack device.
It’s a handheld device with two CC1101s on it and an ESP to connect and control the dongles via WiFi. I just walk around with it in my pocket grabbing key fobs all day sometimes.
With this technique, you can open more than just cars, anything that’s vulnerable to replay attacks can be hit. Garage doors, front gates, anything that works with RF.
I know I missed tons of info and shit, but this is just for fun. I’m sure you all have your own setup but it’s just a foot in the door. Plenty of tutorials and YouTube videos on radio frequency shit.
If you’re truly interested my advice is to research RF in all ways, grab you a dongle and have some fun. Just grab an RTL SDR and experiment my friends.
Hack the planet!!