It would have been super-sick if you noise-gated the white noise while you were talking. Once I noticed it, I couldn't stop lol (any video editing software you use surely has a gate plug-in). Same with the very thick/low-freq-rich clicks. Sounded fatter than an 808. Just messin' around but straight up, you absolutely awesome man keep at it, I watch your videos like Netflix series', like I pause, run to the fridge and run back type of shit. Make us whitewashed Iranians proud! yr a hella good lookin' guy (n.h.)
Hi +Samy Kamkar. Great video. I took a doorbell and it's operating at 305 MHz, analyzed using rtl-sdr. When I opened the recorded waveform in Audacity I believe, to the best of my knowledge, it is frequency modulation. How can I regenerate a signal at 305 MHz with FM? Kindly help.
I guess I'm late to the party. I just found this today. But, this is a good video. Tip I saw on TV: at 8:10 with you had display problems, I'm 99% sure if you shout "ENHANCE" at your monitor, it will clear everything up. ;-)
Take a look at Octave/Matlab or Python with numpy; it is WAY easier to do the kind of signal analysis you're doing in Audacity with those other tools. An alternative is GNU Radio. These are all free tools that are indispensable when you're doing RF signal analysis.
As for the encoding method, could it be that it is actually OOK (On-Off Keying)? My method would be to measure/guess the period of each bit (hinted in the preamble?), and read the state (on or off) at each interval. That way you can store your data in an integer and bit-shift to the next value. That would make it a bit easier to make it work on other doorbells. But your method works too obviously and is quicker in this one instance. Nice job!
Hi Jelle Boomstra, correct, this is OOK (I describe OOK/ASK/etc in more detail on the website: samy.pl/dingdong) You're absolutely right -- since all pulses are divisible by ~750us (baudrate of ~1300), we could create a binary string and it would be more easily "portable" to similar doorbells. Then I got lazy :) Thanks for the note!
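Worked example (added here; not Samy's code nor any commenter's) of the "portable" OOK approach the two comments above describe: quantise the captured pulse lengths by the symbol period, build a bit string, pack it into an integer, and turn bits back into the high/low schedule a transmit loop needs. The period estimate starts from the shortest pulse (as Samy suggests later in the thread) and refines it by total length divided by symbol count, as another commenter suggests; the pulse list is constructed to resemble the ~750 us symbols mentioned, and all function names are my own.

```python
from typing import List, Tuple

# (level, duration_us): level 1 = carrier on, 0 = carrier off,
# duration as read off an Audacity selection of an rtl_fm capture.
Pulse = Tuple[int, int]

# Constructed sample (not from the video): the bit pattern 101100011101
# at ~750 us per symbol, with the jitter you get from eyeballing a waveform.
SAMPLE_PULSES: List[Pulse] = [
    (1, 790), (0, 720), (1, 1460), (0, 2290), (1, 2210), (0, 770), (1, 740),
]


def estimate_symbol_period(pulses: List[Pulse]) -> float:
    """Estimate the OOK symbol period in microseconds.

    The shortest pulse is a first guess at one symbol; every pulse is then
    counted as round(duration / shortest) symbols and the total duration is
    divided by the total symbol count, which averages out per-pulse jitter.
    """
    if not pulses:
        raise ValueError("no pulses to analyse")
    shortest = min(d for _, d in pulses)
    symbols = sum(max(1, round(d / shortest)) for _, d in pulses)
    return sum(d for _, d in pulses) / symbols


def pulses_to_bits(pulses: List[Pulse], period_us: float,
                   tolerance: float = 0.25) -> str:
    """Emit one bit per symbol period: 1 while the carrier is on, 0 while off.

    A pulse that is not within `tolerance` of a whole number of periods is
    rejected rather than silently rounded: one wrong symbol count would shift
    every later bit and produce a code that looks valid but never matches.
    """
    out = []
    for level, duration in pulses:
        symbols = duration / period_us
        n = round(symbols)
        if n < 1 or abs(symbols - n) > tolerance:
            raise ValueError(
                f"pulse of {duration} us is not a clean multiple of "
                f"{period_us:.0f} us; re-measure it")
        out.append(str(level) * n)
    return "".join(out)


def bits_to_int(bits: str) -> int:
    """Pack the bit string MSB-first so the code can be stored in an integer
    and shifted out one bit at a time when transmitting."""
    return int(bits, 2)


def bits_to_pulses(bits: str, period_us: int) -> List[Pulse]:
    """Inverse of pulses_to_bits: collapse runs of equal bits into
    (level, duration) pairs, i.e. the schedule of how long to hold the ASK
    module's data pin high or low for each run."""
    pulses: List[Pulse] = []
    for b in bits:
        level = int(b)
        if pulses and pulses[-1][0] == level:
            pulses[-1] = (level, pulses[-1][1] + period_us)
        else:
            pulses.append((level, period_us))
    return pulses


def decode_capture(pulses: List[Pulse]) -> Tuple[str, int, float]:
    """Pulses -> (bit string, packed code, symbol rate in baud)."""
    period = estimate_symbol_period(pulses)
    bits = pulses_to_bits(pulses, period)
    return bits, bits_to_int(bits), 1_000_000 / period


if __name__ == "__main__":
    bits, code, baud = decode_capture(SAMPLE_PULSES)
    print(f"bits={bits} code=0x{code:X} baud~{baud:.0f}")
    print("transmit schedule:", bits_to_pulses(bits, 750))
```

With the constructed sample this yields 101100011101 (0xB1D) at roughly 1336 baud, in line with the ~1300 baud quoted above.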
Great video! Really good walkthrough on reverse engineering radio. This is the kind of thing I have been looking around for as I am learning more about (SD)R. I was also wondering, are you using vim there? And if so do you have your .vimrc posted anywhere? It looks incredible.
Thanks Ken Johnson! Yup, I'm using vim, and I've put up my vimrc for you: samy.pl/vimrc Also if you're working with Arduino, set .ino's to use C syntax highlighting, and also check out github.com/justinmk/vim-syntax-extra
Hi Samy, I really enjoyed this video and it's helpful to me in my work as well with a wireless knee implant I was working on at Scripps Clinic. I had a question about your thought process regarding translating the recording from an audio signal into a bit sequence. You use the delay function to transmit a high signal for a specific period of time, but I was wondering if there is a more elegant approach to this? I am not an expert, but I am assuming there is a clock frequency used to generate the doorbell digital data. Can that frequency be used to create the data stream from the Arduino? I am asking because if the frequency is used to generate the bit stream, it would be easier to make adjustments to the signal and reduce the amount of work that goes into measuring the time points between highs and lows in Audacity. Thanks in advance for your answer! I truly enjoy your videos and your knowledge and hope to see more soon.
Janusz Yup, that would be a more elegant approach, however I chose not to do it in this project because interpreting the signal would take me longer using the tools I was using, and I chose to use the most inexpensive tools in this project so others on a budget who wanted to learn could use the same methods and techniques (even knowing the quick and dirty way is beneficial). If I were doing it for a bigger project, I'd use a more expensive tool (like Yard Stick One/CC1111EMK), calculate the baudrate from the shortest signal, and have Yard Stick One demodulate and provide the bitstream for me.
hey so i really like your videos, and i would love to learn more about programing, so is there anyway you could make videos teaching something like python?
Wow dude, please make more videos. If you are having a pending project in line please educate once in a while on topics like security, courses, stuff to get started and prerequisites or simply anything of your interest. I would also like to know basic security stuff for everyday life. Btw: 8:18 I don't believe you are bad at computers. If you are, then I don't even know what a computer is...
18:38 If you "listen" to several unlock codes, could you notice a pattern or generate an algorithm ( possibly the same one that the car and the key use ), to adapt with the car/key?
TheTechAdmins great question. Theoretically, yes, but usually only in very poor implementations of a rolling code (don't worry, they exist :), or if you have *so many* values that a pattern emerges. You could "listen" to the example in the video, and immediately detect the code is the same each time, and reproduce/replay it, but when it comes to rolling codes, *typically* they will be a bit more complex to reproduce just by listening to a few. However, there ARE definitely algorithms out there which are so weak that a computer could quickly detect a pattern with only a few values, and thus know the next value in the sequence. I've recently reverse engineered a popular product that uses frequency hopping -- the actual frequency changes and the pattern of the frequency hopping is the "secret" -- and the proprietary implementation was definitely bad enough that generic pattern detection software could likely detect it. I look forward to doing that video and sharing the details!
Samy Kamkar Awesome! I noticed your server is in Dallas but your domain is in Poland. Where are you located? You have a very monotone accent like me (New Jersey)
Пафнутий Корнеевич I would write the software myself. I'm releasing a number of car related tools at my talk at Defcon this year (www.defcon.org/html/defcon-23/dc-23-speakers.html#Kamkar), but expect a new garage related attack this week :)
Hi, nice tutorial. A bit complicated though; what if the frequency is other than 433 MHz or 315 MHz, will the Arduino be able to reproduce the signal? Thank you so much. Great job, keep on going... :-) Marc.
+Marc Paradis The Arduino can do it, but the transmitter needs to be tuned to that specific frequency. So you need to either find a transmitter tuned to that specific frequency, or find a transmitter with a configurable range, such as the CC1201 which can transmit between ~164-950MHz, but is a much more advanced chip and requires more work to transmit.
As far as I know the best way to hack a car with rolling code is to jam the signal by just transmitting a noise signal on 433 MHz or whatever frequency is used by the car key, save it and use it for a replay attack later. But the problem is, when we are transmitting a noise signal on that same carrier frequency, how can our SDR identify the data sent by the key!! Is there any possible way?
When will you be releasing the source code for RollJam on your GitHub, or at least a modified version of the code like you did for OpenSesame? I am not finding any quality C++ libraries for the CC1101 and am curious how you interfaced with the Teensy.
+Blake Wiley I've decided to not release the RollJam source code as it's too easy to abuse. I wouldn't want people's cars broken into! For the CC1101, I would suggest just using the datasheet and strobing SPI commands manually (I also never found a fully working library and wrote my own)
Samy Kamkar can you make a video on how to modify (adjust) content or traffic within a wifi network!!!!! I saw the video of "MotherBoard" but I didn't quite understand how you did it to change real traffic to your own!!!! Please make a video on that!! I have another question: how many programming languages do you know???? WAITING FOR YOUR ANSWER!!
Hi Hackers Tutorials, sure, I will try to focus on inline content alteration in a future video -- there are multiple ways to do this but one way you can quickly and effectively do this is by using a combination of ARP spoofing (to acquire traffic from another network device), DNS spoofing (to alter where specific hostname-based traffic is sent), and transparent proxying (to perform the content modification). You can even do this to traffic that we traditionally think of as encrypted (FB, Twitter, banks, email, etc) as users often hit the non-HTTPS URL first which redirects to HTTPS, but when you control the traffic, you can simply prevent the user from getting the HTTPS-redirect and perform a man-in-the-middle attack where you transmit all encrypted information (HTTPS) from the real site to the user over an unencrypted link (HTTP).
Hi Samy Kamkar, you are my hero! Do you intend to share more details about RollJam? I'm a Brazilian student and I'm trying to build your project, it is fantastic. I tried with two Yard Stick Ones, but I had issues. The closest I came was with HackRF but I have trouble filtering the jam signal. If you can help us. Thanks (sorry for my bad English)
Samy, thank you for sharing. What's your education background? I would like to be able to come up with such projects by myself, and would like to get an idea of the learning I would need.
Hi Chris Lee, fortunately you don't need much! I dropped out of high school around 10th grade. I've learned everything thanks to the Internet and plain old trial and error (lots and lots of error). With the information and tools available today, you can pick up things incredibly quickly and build off of other great work for new ideas and projects. Just start researching an interest you have and attempt a project, even if it seems out of your wheelhouse!
@samykamkar your explanations are awesome. Not sure if it's your background that makes you explain it so well, but it's nice to be able to see how ASK and other things I'm meant to be able to understand are used. Love tools like Audacity and cheap equipment as it makes this stuff so accessible and easy to play around with. Get heaps more out of doing.
Weird way to program. It looks like it's transmitting the code 0xAA04 repeatedly from the brief glimpse I got of the signal. Just send the high bit of that code every 800ms and shift it left. I may be wrong about the actual but you get the idea.
you can use this to send signals to devices in your home. Make the coffee maker turn on at 7 am for example. You always have coffee at 7 am. How great is that. This guy just turned a lot of homes automated. Great job man... the future is made by guys like this. like com subb wp
+Marc Paradis Yes, but key fobs use rolling codes. My OpenSesame project and video goes further into that (ruclips.net/video/iSSRaIU9_Vc/видео.html) and my RollJam attack actually is able to attack rolling codes (samy.pl/defcon), though I haven't released the source code.
Hi Samy, I bought a wireless doorbell for testing purposes. However, it operates at 302 MHz and the signal doesn't look meaningful at all. It's not OOK for sure. What could it be? It looks like an analog signal. No chip or component was identifiable, just 32 kHz crystals. Chips are not printed/labelled. Thanks.
Tamer Çelik I need more info...could be anything. What does it look like in GQRX? Does the box have an FCC ID? It could be using FSK or PSK for example, but let's take a look at it in a spectrum analyzer first.
Samy Kamkar here is the SDR# video of the remote: tamercelik.com/rtl/remote.mp4 Notice the peaks when I press the transmitter. No audio, just a high pitch noise when I press it. No FCC ID or any identifiable chips. I did some research on the manufacturer page and it says analog coding. It says 315 MHz, however all transmission is visible on 302-305 MHz. Is it related to the RTL-SDR? And, I would like to know other coding schemes, FSK/PSK and others. Do you recommend any resource to study?
Hey LiquidLotus, that would be a fun video -- I don't have an Xbox One but if I get a controller, I'll definitely do a video on that. The same concepts would apply, although we would likely use different hardware to reach the frequencies the controller uses (2.4GHz and 5GHz).
This is intriguing! I caught word of you via Tim Ferris and wanna learn more on what you generally speak of. I'd worked with wood for 20 yrs. and don't know where to begin learning what you are doing. Advice?
jb121993 Thanks! What area is intriguing to you? If you want to stay in the hardware realm, I would suggest learning about Arduino and looking up some Arduino tutorials. It would be cool to integrate Arduinos into your wood working, such as interactive, light up tables!
Yes, it is the hardware that impresses me more than programming. That idea, implementing this stuff into my shop performance, is the first thought that came to mind. I had already purchased a Raspberry Pi, but haven't had time to do anything with it. My imagination tells me that this is what will increase performance on my lathe production, thus increase output and improve income. Should I scrap RP & get Arduino, or is there no difference other than brand name? What reading material would you suggest?
I unintentionally left out word of my having been a woodcrafter for almost 20 yrs. and am leaning towards this type of thinking as a new income/fun/creativity/happy-at-my-job kind of mentality.
jb121993 Keep the RP, you can use it with LEDs, but it is a bit different than Arduino. They both can do some of the same stuff, but both do plenty of other things the other can't. Just google something like "raspberry pi controlling led strip" and look over a few.
I'm slowly getting into SDR, in fact I think that's the exact model of RTL-SDR I have, I've tried airplane tracking with ADS-B which is neat. But with custom projects I find it hard to "sniff" the frequency of systems I don't have documentation for, even if that system is limited to certain bands. Do you have any suggestions for nailing down specific frequencies easier than simply cycling through huge ranges of frequencies and looking by eye?
Hi *****, give me an example of something you're trying to sniff? If you know the brand, do a search on the FCC's website for the company: transition.fcc.gov/oet/ea/fccid/ Actually, it's probably easier to search google like so (without quotes): "site:fcc.gov company name" I have tools that make frequency scanning easier but you can usually find what you're looking for with just an RTL-SDR and some searching, FCC docs, and looking at common ISM bands -- which is partly why I made this video; I wanted to provide a demonstration of just using RTL-SDR and nothing more.
Samy Kamkar It's a bespoke design, I know that it's being broadcast over what is known in the UK as PMR (Public Mobile Radio), which is a range of frequencies of 174-225 MHz, a former TV broadcasting band. I think the FCC is US specific? I'm not sure, I'll see if there's a regulatory body in the UK that logs all usage but I think the public band is a free for all so may not need to be documented publicly. I guess it's just a case of monitoring the airwaves a slice of frequency at a time; unfortunately it's burst transmission, it's at predictable intervals but it feels like a needle in a haystack kind of situation.
***** check out OfCom as they should have some more information on PMR in the UK. Also, you can use the "rtl_fm" application I used in the video to scan frequencies rather than sit on a single frequency. You can find examples here: kmkeen.com/rtl-demod-guide/
Samy Kamkar Thanks so much Samy, I'm going to finish watching this video today and go out with these tools and do some research! Ofcom may hold some data on this but I may just approach the designers of this system directly and see what they're prepared to volunteer :)
I have this idea to use this with Boy Scouts. Maybe you can hear the turmoil in my head as it convulses with that thought.... I am pretty sure that I can have everyone in the troop riveted doing this. I can also see the uproar that might result....
My system is completely portable, and requires NO PC, NO laptops, total stealth. I'm using an Icom R-20 portable communications receiver and an Optoelectronics Digital Scout. The Icom R-20 operates 500 kHz - 1300 MHz and it has Reaction Tune with frequency counters, it also has an Automatic Memory Write function. The Optoelectronics Digital Scout has a similar range but tunes ONLY nearfield transmissions. That means it rejects all powerful transmissions and only targets low power but NEAR targets. It's digital as well as analog, so I can use it for trunking, DMR and analog/digital cellular phones!!!!!!! I can't hear the audio (that's illegal) but it can capture the frequency the cellphones are active on. I can analyze RF remotes by removing the antenna and measuring the remote directly, as with the antenna I will pick up ALL the remotes in the neighborhood!!!!!!!
Samy, I'm trying to do something similar, but the device I'm trying to emulate uses 318 MHz. I have looked all over and can not find a simple 318 MHz transmitter like the one you used in the video. Any suggestions?
Hi Sean Auffinger, things get a bit more complex -- you could build your own SAW resonator (do you know if the signal is ASK?), or you could use a sub-GHz transceiver chip like the CC1101/CC1111 (the CC1111EMK comes on a USB dongle, though you may need a GoodFET to flash it), or go for an even more powerful device like a HackRF where it becomes even easier (bigger but you can use it for so many things!) It's a bit of a sliding scale from ease and pricier (but reusable) to size and complexity. Update: it might even be easier to get an inexpensive garage door opener on 318MHz (I see plenty on eBay) and modify it to accept your signal, assuming what you're trying to transmit to takes the same frequency modulation (most likely ASK). No guarantee this will work but might be a quick and cheap route.
Samy Kamkar The signal is indeed ASK. I was thinking I could get the Sparkfun 315 MHz transmitter and just replace the resonator, but I also couldn't find any 318 MHz resonators in the same package. I also looked at building a transmitter based around an IC like MICRF102. I will have to look into the garage door opener mod. It seems like it could be fairly simple to make it transmit my signal. Thanks for the help!
+Marc Paradis Possibly -- most cars use rolling codes however. I explain how rolling codes work and how a replay attack may work in my recent defcon video - samy.pl/defcon2015/
My dad flipped out when I watched this video cuz he thought it was illegal to watch
+Jeremiah Lowe Even something as simple as using matches can be illegal if misused
MrCrystan ik
ha ha
Your dad is an idiot. Tell him you think he's an idiot.
Dave B indeed
+1
I wish I had an interest in coding. These videos remind me of when I was around 18 or 19 years old. Me and a friend bought cheap walkie talkies (under 20 dollars), soldered them so we could access some new menus and programmed them to transmit on the general car key frequency. We then just put a rubber band around them to transmit and placed them with 100 meters between in a parking lot outside this grocery store. No one could open their cars remotely and when they opened the cars without disabling the alarm it went off. We bought two ice creams and enjoyed the show when people went mad. Good old times. Thank you for reminding me! And make more videos! :)
Gac Myver Oh man, the good ol' days! Thanks!
Hi Keegan Baird, I couldn't respond to your comment directly as you have replies restricted, but to answer your question -- if I were using a more powerful SDR such as the HackRF, then we could simply record and replay the signal as you suggest, and while I'm a huge fan of and user of the HackRF, this video is to demonstrate what we can do with much more inexpensive hardware (even though HackRF is incredibly powerful for its price).
However, using the $4 ASK transmitter we need to send digital data, thus requiring us to break down and interpret the signal in one way or another.
Hey Samy it would be cool to connect your drone and have it connected to when you drive by his house with the drone and it would ring it
Come to the dark side samy Black hats are so much fun.
As far as I'm aware RTL stands for register-transfer-level at least in electronics hardware design
Samy I hope you read the comments and see this. I wanted to let you know that you are not only a hacker legend (not the stupid movie way, like the awesome way) I mean the curiosity kind and I have used your videos personally to get people interested and find the passion you and I seem to share. THANK YOU for the vids and your GitHub PoCs and most of all making it fun and relatable. I picked this video because it was such an awesome intro that a day after you released it, I had to buy the hardware lol. Seriously dude I thank you for reinvigorating my boring developer job and bringing curiosity and joy back from work. PS The video about your first pic almost made MY MOM cry because it reminded her of me when I got my p1 with 14.4 and took it apart lol. THANKS MAN. keep it up!!!
Samy at it again! This guy rocks.
Thanks Jason Baptiste!
This video makes me fall around laughing, it did give me an idea to totally and utterly confuse people - You know the simple knock sensors, I was thinking using the same tech on a defined doorbell - remove the doorbell ringer and when guests come and knock the door, it rings a REALLY loud and obvious doorbell. For those with no idea what I'm talking about, a knock sensor detects literally a knock, it's used in toys mostly: they hit the wall, the sensor triggers and it reverses and moves a different direction. Used on a door, when someone knocks the device can just detect that to trigger - same as if they pressed the doorbell, obviously anyone outside knocking would be like wtf how did the doorbell ring ....
Loved your videos ever since I saw your talk "How I met your girlfriend" at DEFCON I think it was, I'm happy to see you've got a full blown channel full of videos, subscribed!
Love it! Good stuff for starting SDR hobbyist. Nice LOUD mouse clicks, too!
Super as always!!! But why are you cutting the video when you are programming?? That is so fun, you are my hero!!
HAHAHA, that's a lot of energy and premeditated activity to screw with someone haha
Modern pranks require modern improvisation
"I'm not good in computer"
That's why you created one of the best worms ever, LOL
Very nice video, thanks man! One thing though: consider buying a (cheap) microphone. A desktop microphone will cost less than $10 and will significantly improve the audio quality. Obviously, I subscribed. :)
Hi ghostrider090, thanks for the note! You're right so I've just ordered a decent microphone to improve the quality of future videos. Thanks
Samy Kamkar That's great to hear, looking forward to your next video! One question, is that Sublime Text you're using? It looks really slick and I'm getting kind of tired of the Arduino IDE.
ghostrider090, I'm using vim as my text editor. It's an extremely powerful, efficient and open source text editor, and has many plugins for code. There's even a plugin so you can compile straight to your Arduino without using the Arduino IDE! There is a learning curve to vim as it has different "modes" to accomplish different things, but if you stick with it, you won't believe how efficient you will become (and you will never, ever touch your mouse). Sublime also has a "vi" mode but it's not quite as powerful as vim's capabilities.
I subbed, your channel reminds me of the dubious things I would do in my childhood lol. Am now in uni and a programmer for my military XD Greetings from Finland. Will watch more eps when I get more beer and do not have to code. :) Happy Holidays
Thanks Darkenedbyshadows! I just had the opportunity to visit Helsinki a few weeks ago. Trying to swim to Tallinn was a bad idea.
Wonderful tutorial still very much applicable today, with so many insightful points that are thoroughly explained. Thanks for the knowledge.
I'm very happy to watch a new video from you , awesome :)
Make more videos dude
randomlettersqzkebkw, you got it dude. Any topics of interest in particular?
Samy Kamkar the hacking stuff dude!
randomlettersqzkebkw Cowabunga dude! More hacking videos for you are on the way!
Samy Kamkar Yea. Your videos are very informative. And you explain it clearly. The only reason I haven't subscribed is because you don't have many vids. But I have you bookmarked. Good luck and thanks for the vids
I hope your new video means your channel is coming back. Hardware hacking is very cool.
30:49 - When you take a look for a moment at something else other than the board.
sammy is my hero
Today I learned that RTL doesn't stand for right to left, but Realtek. Seriously, so nice to know after so long of not knowing what that had to do with radio.
thanks for the inspiration. i have been using the arduino for 6 months. i am now waiting for my rtl sdr. keep up the great videos.
Thanks deanc2006, great, let us know how your projects go with them!
Looks like some good Winter projects. :) I am wanting to work on a beacon circuit for a quadcopter locator. Thanks for your ideas and the video.
HaHaHa That is funnyasfark! I stumbled upon your video wanting to learn more about SDRs. You're a pretty smart guy to figure this out. (8yrs. ago even) Bet your friends are just waiting when the next prank is coming. (lol) too cool. Sub'd.
lol @ 30:50 when it transitions from like 40 to 400 LOC 😂
Very cool project, great explanation!
Dude your garage door must be going nuts! lol :) hope the wife isn't trying to back out!
It may not be the exact reason, but "RTL" can be [R]eal[T]ek Semiconductor Co, [L]td.
At least it's *an* explanation, though.
cool stuff man i cant wait for the video on key less entry
Antonio Aguirre, I will try to release some research and demos on that in the next month!
Your channel is awesome, got my subscription.
Thanks Claudio D.!
Claudio D. I keep seeing you around.
Awesome hack ! Thanks for sharing.
Thanks Georgi Himchev!
If you cut a slice of audio and want to know if it is the same as another slice, place the two samples into different tracks and reverse the phase of one of them. If they are identical and they are lined up the same, they will cancel each other out and you will hear nothing. It's an old recording technique to see if microphones are in or out of phase when recording, but it should be much more accurate than your eyes. In recording, if 2 drum mics are time aligned but out of phase, the second mic will make the track weak or cancel the audio.
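The phase-inversion check described in the comment above, written out as a numeric comparison. This is an added example, not code from the video or from the commenter: the two "slices" are constructed arrays standing in for Audacity tracks (an OOK envelope at an assumed 4 samples per symbol with a little deterministic noise), inverting one track and mixing it with the other is just a sample-by-sample subtraction, and the RMS of the residual relative to the original says how well the slices cancel. Trying every delay finds the alignment, which is the "lined up the same" condition the comment mentions.

```python
"""Phase-inversion comparison of two audio slices, as a numeric check.

Added example; not code from the video or the comment. Inverting one track
and mixing it with the other is a sample-by-sample subtraction, so the RMS of
the result relative to the original measures how well the slices cancel.
"""
import math

SAMPLES_PER_SYMBOL = 4  # assumed; pick to match your recording's sample rate / baud
LEVEL = 0.8             # assumed 'high' amplitude of the constructed envelope


def envelope(bits, samples_per_symbol=SAMPLES_PER_SYMBOL, level=LEVEL):
    """Constructed OOK envelope: each '1' is `level` for one symbol, each '0' is silence."""
    return [level if b == "1" else 0.0 for b in bits for _ in range(samples_per_symbol)]


def recording(bits, lead=6, trail=6):
    """Constructed 'track': silence, the code, silence, plus tiny deterministic noise."""
    clean = [0.0] * lead + envelope(bits) + [0.0] * trail
    return [s + 0.01 * (((i * 7) % 5) - 2) / 2 for i, s in enumerate(clean)]


def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def cancellation_ratio(track, slice_, delay):
    """Overlay `slice_` on `track` starting at `delay`, invert it and sum.

    Returns residual RMS / track RMS: ~0 means the slices are identical and
    aligned (silence after mixing), larger means they differ.
    """
    window = track[delay:delay + len(slice_)]
    if len(window) != len(slice_):
        raise ValueError("slice does not fit inside track at this delay")
    residual = [a - b for a, b in zip(window, slice_)]
    return rms(residual) / rms(track)


def best_alignment(track, slice_):
    """Try every delay at which the slice fits and keep the one that cancels best."""
    delays = range(len(track) - len(slice_) + 1)
    best = min(delays, key=lambda d: cancellation_ratio(track, slice_, d))
    return best, cancellation_ratio(track, slice_, best)


# Constructed codes: two presses of the same doorbell, and a different code.
CODE_A = "101100011101"
CODE_B = "111000101101"
TRACK_A = recording(CODE_A)


if __name__ == "__main__":
    delay, ratio = best_alignment(TRACK_A, envelope(CODE_A))
    print(f"same code: best delay {delay}, residual {ratio:.3f} of original (near-silence)")
    delay, ratio = best_alignment(TRACK_A, envelope(CODE_B))
    print(f"other code: best delay {delay}, residual {ratio:.3f} of original (does not cancel)")
```

The residual for the matching code sits at the noise floor (about 1% of the original) only at the correct delay; one sample of misalignment or a single differing bit raises it to well over 20%, which is why the comment's ear test works so much better than eyeballing waveforms.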
But most of all, samy is really my Hero
Lol, just the prank on its own deserves a like :)))
Absolutely fantastic vid and so interesting to watch, this guy is just so intelligent it makes me jealous, imagine the things he could do 😊 what an interesting guy 👍🏻
05:00 that AM tuning blew my 'kin ears out! thanks!
+TheLitoPictureShow My bad
+Samy Kamkar just kidding! thanks for the tutorials, I can't wait for my stuff to arrive from China to start playing. you have a new fan from Argentina ;)
Interesting video. I guess I would have tried to determine the actual binary string as opposed to looking at when to send highs. To get the period of the signal, I would take the length of the 7 bits and divide by 7 to get a more accurate result.
I started out this way including Audacity, but finished off the job using a LilyGo and a mk-xy-5v. I used rf433any to capture the signal, which I then input into rf433transmit and that did the trick. I had to hold the doorbell button right up to the antenna to get a signal however.
Every time I watch one of your videos I just feel bad, I feel too stupid :/
Great channel man! :D
It would have been super-sick if you Noise Gate'ed the white noise while you were talking. Once I noticed it, I couldn't stop lol(any video editing software you use surely has a gate plug-in). Same with the very thick/low-freq-rich clicks. Sounded fatter than an 808.
Just messin' around but straight up, you absolutely awesome man keep at it, i watch your videos like Netflix series', like I pause, run to the fridge and run back type of shit. Make us whitewashed Irans proud! yr a hella good lookin' guy (n.h.)
Hi +Samy Kamkar. Great video. I took a doorbell and it's operating at 305 MHz, analyzed using rtl-sdr. When I opened the recorded waveform in Audacity I believe, to the best of my knowledge, it is frequency modulation. How can I regenerate a signal at 305 MHz with FM? Kindly help.
Cool shit man
I guess I'm late to the party. I just found this today. But, this is a good video. Tip I saw on TV: at 8:10 when you had display problems, I'm 99% sure if you shout "ENHANCE" at your monitor, it will clear everything up. ;-)
The 433.92mhz is the same frequency used for 30 years. I don't believe that one more day or one less makes a difference
I just found your channel and I'm about to order a soldering iron and some parts to try a few things. (y) New hobby ;)
John Inge Erlandsen Awesome! I love hearing that! Share your progress with us.
Take a look at Octave/Matlab or Python with numpy; it is WAY easier to do the kind of signal analysis you're doing in Audacity with those other tools. An alternative is gnuradio. These are all free tools that are indispensable when you're doing RF signal analysis.
Nice. I love your work. Good prank
Great video .. lots of information .. Is there a way to kill the keyboard sound? It interrupts the quality of the video :-) TY
hey man. awesome videos. Thank you
Thanks Webo Firm!
As for the encoding method, could it be that it is actually OOK (On-Off Keying)? My method would be to measure/guess the period of each bit (hinted in the preamble?), and read the state (on or off) at each interval. That way you can store your data in an integer and bit-shift to the next value. That would make it a bit easier to make it work on other doorbells. But your method works too obviously and is quicker in this one instance.
nice job!
Hi Jelle Boomstra, correct, this is OOK (I describe OOK/ASK/etc in more detail on the website: samy.pl/dingdong)
You're absolutely right -- since all pulses are divisible by ~750us (baudrate of ~1300), we could create a binary string and it would be more easily "portable" to similar doorbells. Then I got lazy :)
Thanks for the note!
Great video! Really good walk through on reverse engineering radio. This is the kind of thing I have been looking around for as I am learning more about (sd)r.
I was also wondering, are you using vim there? And if so do you have your .vimrc posted anywhere? It looks incredible.
Thanks Ken Johnson! Yup, I'm using vim, and I've put up my vimrc for you: samy.pl/vimrc
Also if you're working with Arduino, set .ino's to use C syntax highlighting, and also check out github.com/justinmk/vim-syntax-extra
Why is your microphone inside your mouse pad?
Dave B sounds like its in his keyboard
$.
It's an internal laptop microphone lol
Sorry, I was recording this video using a calculator.
damn you got matt real good
Hi Samy, I really enjoyed this video and it's helpful to me in my work as well with a wireless knee implant I was working on at Scripps clinic. I had a question about your thought process regarding translating the recording from an audio signal into a bit sequence. You use the delay function to transmit a high signal for a specific period of time, but I was wondering if there is a more elegant approach to this? I am not an expert, but I am assuming there is a clock frequency used to generate the doorbell digital data. Can that frequency be used to create the data stream from the Arduino? I am asking because if the frequency is used to generate the bit stream, it would be easier to make adjustments to the signal and reduce the amount of work that goes into measuring the time points between highs and lows in Audacity. Thanks in advance for your answer! I truly enjoy your videos and your knowledge and hope to see more soon.
Janusz Yup, that would be a more elegant approach, however I chose not to do it in this project because interpreting the signal would take me longer using the tools I was using, and I chose to use the most inexpensive tools in this project so others on a budget who wanted to learn could use the same methods and techniques (even knowing the quick and dirty way is beneficial). If I were doing it for a bigger project, I'd use a more expensive tool (like Yard Stick One/CC1111EMK), calculate the baudrate from the shortest signal, and have Yard Stick One demodulate and provide the bitstream for me.
Samy Kamkar That's great info, thank you! I already got a bunch of ideas for my projects from watching your videos and this is of great help.
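Decoding the captured pulses into a bit string, as Jelle and Samy discuss a few comments up (the "all pulses are divisible by ~750us" observation) and as Samy's reply to Janusz suggests (derive the period from the shortest pulse), written out as an added example. This is not code from the video, from samy.pl/dingdong, or from any commenter. The pulse list is constructed from a made-up 32-bit code with some timing jitter added to stand in for the measurement error you get reading edges in Audacity; the 750 µs symbol period is the figure quoted above, not a measured one.

```python
"""Turn OOK pulse timings (high/low durations) into a bit string.

Added example, not code from the video or samy.pl/dingdong. The pulse
list is constructed from an assumed 32-bit code with small timing jitter
so the quantisation step actually has something to correct.
"""

UNIT_US = 750  # assumed symbol period in microseconds (the ~750us figure quoted above)

# Constructed sample code; a real doorbell code would be read off a capture.
SAMPLE_BITS = "10001110100011101110100010001110"


def bits_to_pulses(bits, unit_us=UNIT_US, jitter_us=(30, -25, 10, -40)):
    """Run-length encode a bit string into (level, duration_us) pairs.

    Only used to build the constructed sample; the cycling jitter mimics the
    few tens of microseconds of error you get reading edges in Audacity.
    """
    pulses = []
    start = 0
    for i in range(1, len(bits) + 1):
        if i == len(bits) or bits[i] != bits[start]:
            run = i - start
            j = jitter_us[len(pulses) % len(jitter_us)]
            pulses.append((int(bits[start]), run * unit_us + j))
            start = i
    return pulses


SAMPLE_PULSES = bits_to_pulses(SAMPLE_BITS)


def estimate_unit(pulses):
    """Estimate the symbol period from the pulse durations.

    Start from the shortest pulse (one symbol wide), then refine by averaging
    each pulse's duration divided by its nearest whole number of symbols; this
    is the 'length of N symbols divided by N' idea applied to every pulse.
    """
    shortest = min(duration for _, duration in pulses)
    per_symbol = [duration / max(1, round(duration / shortest)) for _, duration in pulses]
    return sum(per_symbol) / len(per_symbol)


def baud_rate(pulses):
    """Symbols per second implied by the estimated period."""
    return 1_000_000 / estimate_unit(pulses)


def pulses_to_bits(pulses, unit_us=None):
    """Quantise each pulse to a whole number of symbols and emit its level that many times."""
    unit_us = unit_us or estimate_unit(pulses)
    out = []
    for level, duration in pulses:
        symbols = max(1, round(duration / unit_us))
        out.append(str(level) * symbols)
    return "".join(out)


def bits_to_hex(bits):
    """Pack the bit string MSB-first into bytes (zero-padded) for a compact, portable form."""
    padded = bits + "0" * (-len(bits) % 8)
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8)).hex()


if __name__ == "__main__":
    unit = estimate_unit(SAMPLE_PULSES)
    print(f"estimated symbol period: {unit:.0f} us  (~{baud_rate(SAMPLE_PULSES):.0f} baud)")
    bits = pulses_to_bits(SAMPLE_PULSES)
    print("bits:", bits, "hex:", bits_to_hex(bits))
    print("round trip ok:", bits == SAMPLE_BITS)
```

Taking the shortest pulse alone would give 710 µs here because of jitter; averaging over every pulse pulls the estimate back to about 746 µs (roughly 1340 baud), and the quantised bit string matches the code the pulses were built from despite the jitter. Once you have the bits and the period, the same two numbers describe any doorbell using the same scheme, which is the portability Jelle was after.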
RTL is the first 3 characters of the model number on the chip inside the radio. It's made by Realtek, and I agree with you, it should be RLT.
hey so I really like your videos, and I would love to learn more about programming, so is there any way you could make videos teaching something like Python?
Both rtl sdr and hackrf are broadcast? I think It’s really easy to transpire old magicar remotes cause most of them have just generate pseudo codes
Wow dude, please make more videos.
If you are having a pending project in line please educate once in a while on topics like security, courses, stuff to get started and prerequisites or simply anything of ur interest.
I would also like to know basic security stuff for everyday life.
Btw: 8:18 I don't believe you are bad at computers. If you are, then I don't even know what a computer is...
A digie-dong-ditch!
18:38 If you "listen" to several unlock codes, could you notice a pattern or generate an algorithm ( possibly the same one that the car and the key use ), to adapt with the car/key?
TheTechAdmins great question. Theoretically, yes, but usually only in very poor implementations of a rolling code (don't worry, they exist :), or if you have *so many* values that a pattern emerges.
You could "listen" to the example in the video, and immediately detect the code is the same each time, and reproduce/replay it, but when it comes to rolling codes, *typically* they will be a bit more complex to reproduce just by listening to a few.
However, there ARE definitely algorithms out there which are so weak that a computer could quickly detect a pattern with only a few values, and thus know the next value in the sequence. I've recently reverse engineered a popular product that uses frequency hopping -- the actual frequency changes and the pattern of the frequency hopping is the "secret" -- and the proprietary implementation was definitely bad enough that generic pattern detection software could likely detect it.
I look forward to doing that video and sharing the details!
Samy Kamkar Awesome! I noticed your server is in Dallas but your domain is in Poland. Where are you located? You have a very monotone accent like me (New Jersey)
TheTechAdmins living in Los Angeles!
Samy Kamkar when do we expect this video?! what is the name of this generic pattern detection software?
Пафнутий Корнеевич I would write the software myself. I'm releasing a number of car related tools at my talk at Defcon this year (www.defcon.org/html/defcon-23/dc-23-speakers.html#Kamkar), but expect a new garage related attack this week :)
Great work Man thanks
Wouldn't it be easier to just re-transmit the captured audio file? Or would the modulation not be correct?
Amazing work
would it be hard to decrypt wifi packets using WPA2, that's if you find an SDR that reaches up to the 2.4GHz range
Hi nice tutorial. A bit complicated though, what if the frequency is other than 433MHz or 315MHz, will Arduino be able to reproduce the signal?
Thank you so much.
Great job, keep on going... :-)
Marc.
+Marc Paradis The Arduino can do it, but the transmitter needs to be tuned to that specific frequency. So you need to either find a transmitter tuned to that specific frequency, or find a transmitter with a configurable range, such as the CC1201 which can transmit between ~164-950MHz, but is a much more advanced chip and requires more work to transmit.
As far as I know the best way to hack on a car with rolling code is to jam the signal by just transmitting a noise signal through 433MHz or whatever the frequency used by the car key, save it and use it for a replay attack later.
but the problem is when we are transmitting a noise signal in that same carrier frequency how can our SDR identify the data sent by the key !! is there any possible way ?
I go over the RollJam attack in detail here: samy.pl/defcon2015
When will you be releasing the source code for RollJam on your GitHub, or at least a modified version of the code like you did for OpenSesame? I am not finding any quality c++ libraries for the CC1101 and am curious how you interfaced with the teensy.
+Blake Wiley I've decided to not release the RollJam source code as it's too easy to abuse. I wouldn't want people's cars broken into! For the CC1101, I would suggest just using the datasheet and strobing SPI commands manually (I also never found a fully working library and wrote my own)
Samy Kamkar can you make a video on how to modify (adjust) content or traffic within a wifi network !!!!!
I saw the "MotherBoard" video but I didn't quite understand how you did it to change real traffic to your own!!!!
please make a video on that!!
I have another question How many Programming Languages do you know????
WAITING FOR YOUR ANSWER!!
Hi Hackers Tutorials, sure, I will try to focus on inline content alteration in a future video -- there are multiple ways to do this but one way you can quickly and effectively do this is by using a combination of ARP spoofing (to acquire traffic from another network device), DNS spoofing (to alter where specific hostname-based traffic is sent), and transparent proxying (to perform the content modification).
You can even do this to traffic that we traditionally think of as encrypted (FB, Twitter, banks, email, etc) as users often hit the non-HTTPS URL first which redirects to HTTPS, but when you control the traffic, you can simply prevent the user from getting the HTTPS-redirect and perform a man-in-the-middle attack where you transmit all encrypted information (HTTPS) from the real site to the user over an unencrypted link (HTTP).
Haha, funny stuff! This has a pretty large potential with a lot of things going wireless/radio signal
Sub'd
Thanks Luke Towne, definitely!
Hi Samy Kamkar, you are my hero! Do you intend to share more details about RollJam? I'm a Brazilian student and I'm trying to build your project, it is fantastic. I tried with two YARD Stick Ones, but I had issues. The closest I came was with HackRF but I have trouble filtering the jam signal. If you can help us. Thanks (sorry for my bad English)
That was great 👍 please upload more educational videos 🌹👍
What is this welcome tune? I love it 😍
Samy, thank you for sharing. What's your education background? I would like to be able to come up with such projects by myself, and would like to get an idea of the learning I would need.
Hi Chris Lee, fortunately you don't need much! I dropped out of high school around 10th grade. I've learned everything thanks to the Internet and plain old trial and error (lots and lots of error).
With the information and tools available today, you can pick up things incredibly quickly and build off of other great work for new ideas and projects. Just start researching an interest you have and attempt a project, even if it seems out of your wheelhouse!
Incredible. I would put your tinkering skills on par with my friends from MIT.
@@samykamkar your explanations are awesome. Not sure if it's your background that makes you explain it so well, but it's nice to be able to see how ASK and other things I'm meant to be able to understand are used. Love tools like Audacity and cheap equipment as it makes this stuff so accessible and easy to play around with. Get heaps more out of doing.
Weird way to program. It looks like it’s transmitting the code 0XAA04 repeatedly from the brief glimpse I got of the signal. Just send the high bit of that code every 800ms and shift it left. I may be wrong about the actual but you get the idea.
you can use this to send signals to devices in your home. make the coffee maker turn on at 7 am for example. you always have coffee at 7 am. how great is that. this guy just turned a lot of homes automated. great job man... the future is made by guys like this. like com subb wp
Thank you for the quick response. Will you be able to get the code of a car keyfob with this ?
Thank You.
Marc.
+Marc Paradis Yes, but key fobs use rolling codes. My OpenSesame project and video goes further into that (ruclips.net/video/iSSRaIU9_Vc/видео.html) and my RollJam attack actually is able to attack rolling codes (samy.pl/defcon), though I haven't released the source code.
OMG .... this is so amazing :D
Hi Sammy,
I bought a wireless doorbell for testing purposes. However, it operates at 302 MHz and the signal doesn't look meaningful at all. It's not OOK for sure. What could it be? It looks like an analog signal. No chip or component was identifiable, just 32 kHz crystals. Chips are not printed/labelled.
Thanks.
Tamer Çelik I need more info...could be anything. What does it look like in GQRX? Does the box have an FCC ID? It could be using FSK or PSK for example, but let's take a look at it in a spectrum analyzer first.
Samy Kamkar here is the SDR# video of the remote: tamercelik.com/rtl/remote.mp4
Notice the peaks when i press the transmitter.
No audio, just a high pitch noise when i press it.
No FCC id or any identifiable chips. I did some research on manufacturer page and it says analog coding.
It says 315 MHz, however all transmission is visible on 302-305 MHz. Is it related to the RTL-SDR?
And, i would like to know other coding schemes, FSK/PSK and others. Do you recommend any resource to study?
Tamer Çelik The 302-305MHz transmissions could be aliasing. Michael Ossmann's SDR videos have a lot of great information: greatscottgadgets.com/sdr/
*Makes complicated device that reads radio frequencies and programs it to hack various objects
"I'm not good with computers"
Can I control the rf transmitter directly using arduino only? Or I must use GSM board to control it? Thank you.
The GSM board is optional.
So can i do this using Parrot Sec (Linux) or ANY other Linux Distro?
Can u use this method to open your friends garage?
Yeah but you could get in a lot of trouble
How could you use these kind of concepts to find the data that comes from a controller from a gaming system like an xbox 1?
Hey LiquidLotus, that would be a fun video -- I don't have an Xbox One but if I get a controller, I'll definitely do a video on that. The same concepts would apply, although we would likely use different hardware to reach the frequencies the controller uses (2.4GHz and 5GHz).
This is intriguing! I caught word of you via Tim Ferriss and wanna learn more on what you generally speak of. I'd worked with wood for 20 yrs. and don't know where to begin learning what you are doing. Advice?
jb121993 Thanks! What area is intriguing to you? If you want to stay in the hardware realm, I would suggest learning about Arduino and looking up some Arduino tutorials. It would be cool to integrate Arduinos into your wood working, such as interactive, light up tables!
Yes, it is the hardware that impresses me more than programming. That idea, implementing this stuff into my shop performance, is the first thought that came to mind. I had already purchased a Raspberry Pi, but haven't had time to do anything with it. My imagination tells me that this is what will increase performance on my lathe production, thus increase output and improve income. Should I scrap RP & get Arduino, or is there no difference other than brand name? What reading material would you suggest?
I unintentionally left out word of my having been a woodcrafter for almost 20 yrs. and am leaning towards this type of thinking as a new income/fun/creativity/happy-at-my-job kind of mentality.
jb121993 Keep the RP, you can use it with LEDs, but it is a bit different than Arduino. They both can do some of the same stuff, but both do plenty of other things the other can't. Just google something like "raspberry pi controlling led strip" and look over a few.
float times[] = {.....};                       // timing values, as in the video's sketch
int TIMES = sizeof(times)/sizeof(times[0]);   // element count derived from the array, not hardcoded
Imagine doing this to your neighborhood
I'm slowly getting into SDR, in fact I think that's the exact model of RTL-SDR I have, I've tried airplane tracking with ADS-B which is neat. But with custom projects I find it hard to "sniff" the frequency of systems I don't have documentation for, even if that system is limited to certain bands. Do you have any suggestions for nailing down specific frequencies easier than simply cycling through huge ranges of frequencies and looking by eye?
Hi *****, give me an example of something you're trying to sniff? If you know the brand, do a search on the FCC's website for the company: transition.fcc.gov/oet/ea/fccid/
Actually, it's probably easier to search google like so (without quotes): "site:fcc.gov company name"
I have tools that make frequency scanning easier but you can usually find what you're looking for with just an RTL-SDR and some searching, FCC docs, and looking at common ISM bands -- which is partly why I made this video; I wanted to provide a demonstration of just using RTL-SDR and nothing more.
Samy Kamkar It's a bespoke design, I know that it's being broadcast over what is called in the UK PMR (Public Mobile Radio) which is a range of frequencies of 174-225MHz which is a former TV broadcasting band. I think the FCC is US specific? I'm not sure, I'll see if there's a regulatory body in the UK that logs all usage but I think the public band is a free for all so may not need to be documented publicly.
I guess it's just a case of monitoring the airwaves a slice of frequency at a time, unfortunately it's burst transmission, it's at predictable intervals but it feels like a needle in a haystack kind of situation.
***** check out OfCom as they should have some more information on PMR in the UK.
Also, you can use the "rtl_fm" application I used in the video to scan frequencies rather than sit on a single frequency. You can find examples here: kmkeen.com/rtl-demod-guide/
Samy Kamkar Thanks so much Samy, I'm going to finish watching this video today and go out with these tools and do some research! Ofcom may hold some data on this but I may just approach the designers of this system directly and see what they're prepared to volunteer :)
***** cool! Let us know your findings
I have this idea to use this with Boy Scouts. Maybe you can hear the turmoil in my head as it convulses with that thought.... I am pretty sure that I can have everyone in the troop riveted doing this. I can also see the uproar that might result....
Your typing speed is respectably fast.
I found the software MultiPSK to decode audio, is it a good solution for audio decoding the radio signal? because it's hard to decode it manually
My Hero!
Use differential amplitude analysis to filter out the noise.
Can you make a tutorial "How to hack a nuclear missile launch controller"?
It's easy, just become president
How is the tolerance on the transmitter? I got a wireless switch with 433.92MHz. will a 434MHz transmitter work?
Your 434MHz transmitter is likely transmitting ~433.9MHz already, but most receivers will have > 100kHz receiver bandwidth.
Can I use these modules instead of the 434MHz ?
433 MHz superregenerative module Rx & Tx ?
thank you.
Marc.
+Marc Paradis You probably can
nodejs-against-humanity
OMG! Thank you!
Michael Scott haha, yup
My system is completely portable, and requires NO PC, NO Laptops, total stealth. I'm using an Icom-R20 Portable communications Receiver and an Optoelectronics Digital Scout. The Icom R-20 operates 500kHz - 1300MHz and it has Reaction Tune with Frequency Counters, it also has an Automatic Memory Write function. The Optoelectronics Digital Scout has a similar range but tunes ONLY nearfield Transmissions. That means it rejects all powerful transmissions and only targets low power but NEAR targets. It's digital as well as analog, so I can use it for Trunking, DMR and Analog/Digital Cellular Phones !!!!!!!
I can't hear the Audio (that's Illegal) but it can capture the Frequency the Cellphones are active on. I can analyze RF remotes by removing the antenna and measuring the remote directly, as with the antenna I will pick up ALL the remotes in the Neighborhood !!!!!!!
I love you. Thank you.
Samy, I'm trying to do something similar, but the device I'm trying to emulate uses 318 MHz. I have looked all over and can not find a simple 318 MHz transmitter like the one you used in the video. Any suggestions?
Hi Sean Auffinger, things get a bit more complex -- you could build your own SAW resonator (do you know if the signal is ASK?), or you could use a sub-GHz transceiver chip like the CC1101/CC1111 (the CC1111EMK comes on a USB dongle, though you may need a GoodFET to flash it), or go for an even more powerful device like a HackRF where it becomes even easier (bigger but you can use it for so many things!)
It's a bit of a sliding scale from ease and pricier (but reusable) to size and complexity.
Update: it might even be easier to get an inexpensive garage door opener on 318MHz (I see plenty on eBay) and modify it to accept your signal, assuming what you're trying to transmit to takes the same frequency modulation (most likely ASK). No guarantee this will work but might be a quick and cheap route.
Samy Kamkar The signal is indeed ASK. I was thinking I could get the Sparkfun 315 MHz transmitter and just replace the resonator, but I also couldn't find any 318 MHz resonators in the same package. I also looked at building a transmitter based around an IC like MICRF102. I will have to look into the garage door opener mod. It seems like it could be fairly simple to make it transmit my signal. Thanks for the help!
Sean Auffinger Let us know what you end up doing and how it goes!
Samy Kamkar I got a 315 MHz ASK transmitter and replaced the SAW resonator with a 318 MHz one. Works perfectly!
Sean Auffinger That's awesome! Thanks for the update
My mom's car remote is on 314MHz frequency, can I do something to replay it through my Arduino?
thank you so much!
Marc.
+Marc Paradis Possibly -- most cars use rolling codes however. I explain how rolling codes work and how a replay attack may work in my recent defcon video - samy.pl/defcon2015/
meanwhile his garagedoor is going crazy
I know this is probably an idiot question, but how do I install and run rtl-fm? Or is it possible to record it using RTLSharp directly?
No such thing as a silly question we all had to learn somewhere: www.rtl-sdr.com/rtl-sdr-quick-start-guide/
there are no idiot questions, only idiot answers