Hacking & cloning my garage key with URH (Universal Radio Hacker) and ARDUINO DIGISPARK + FS1000A

  • Published: 11 Sep 2024
  • This is a step-by-step tutorial on how to clone simple garage keys / wireless keys operating on the ISM 433.92 MHz / 315 MHz band with a simple set of Digispark Arduino & FS1000A transmitter.
    My garage keys do not have any rolling code or encryption, so the reverse engineering was fast and simple (something like 2 hours of work).
    In the video I used a Linux PC with an RTL-SDR dongle installed and the Universal Radio Hacker toolset to record and decode the garage keyfob transmission on the ISM band. A Linux PC is not required; you can do all these steps on a Windows PC or Mac (the requirement is to have an RTL-SDR dongle, URH and the Arduino IDE installed).
    After decoding the signal I was able to replicate the set of pulses and pauses 1:1 within my simple Arduino sketch. In my design the Arduino Digispark is connected via PIN 2 / PB2 to the DATA input pin of the FS1000A transmitting module.
    Link to my example sketch : github.com/mco...
    Link to the tool : github.com/jop...
    Happy Hacking !!!
    Thank you !

Comments • 69

  • @jjancar7729 9 months ago +3

    Thank you very much friend for the explanation, making the Arduino program available, very grateful. I tell you, you can measure the pause directly in the schedule by zooming in (to obtain more precision) and marking the interval to be measured with the mouse, this way we do without the calculator. Greetings

  • @krautkopp 1 year ago

    Thank you so much for this video!
    I tried before to build an opener for the two-door garage in the house that I live in but miserably failed.
    But with your video and code I finally could build something that actually works.
    The main problem was to decode the very vintage SKX1MD transmitter with URH. If someone else is struggling with those very vintage but in older houses still common transmitters, just let me know 🙂
    My working prototype is based on an Arduino Uno R3, which works great.
    I now will build a smaller version using an Arduino nano and attach it to the USB port of my Vespa Primavera - no more fiddling with keys and searching for remotes which don't work with gloves anyway.
    Try that with a Flopper-Zero 😄
    I really gave up on this until I found your youtube channel. Thank you!

    • @justanengineer5599 1 year ago

      check my newest project here ruclips.net/video/mdkEK_wmWJA/видео.html
      and here ruclips.net/video/iPVckkTjsd0/видео.html
      you will have the Master Key !

  • @masterkush9829 7 months ago +2

    I have a question, but the MX-5V receiver can receive key fob signal?

    • @justanengineer5599 7 months ago

      Yes, MX-RM-5V is a receiver compatible with FS1000A. It can receive a keyfob signal but you need the program to record it. Unfortunately you cannot use Universal Radio Hacker

  • @xprisyt2702 9 months ago +1

    Hi, your work is very nice, I have been following you for a long time. With Arduino and a 433 MHz receiver, I copied the fix code and opened my door immediately. But is it possible to make a project that can flow rolling/hopping codes and write to the LCD screen with Arduino and cc1101 or other RF modules? I can do this as a project for my son at university. I want to have it done. Only garage door or barrier, not for car key. At least I have a rolling code, which RF module can I use to read the code of the remote control? Without using sdr/rtl. Thanks.

    • @justanengineer5599 9 months ago +1

      Try to build my latest cc1101-tool. It can record a few keypresses of the original key. I do not plan to add an LCD screen because a smartphone can be used to store sequences in some notepad

  • @bennguyen1313 2 years ago

    Wow, very nice! This seems more automated than doing the decoding visually, using inspectrum etc. What kind of signals (frequencies?) don't work with URH, and must be done some other way?
    For example, if the car uses rolling keys, that means you would have to generate a unique key every time, or could you just toggle thru a set of valid keys?
    Any plans to use an SDR for the transmission part? I've seen some low(ish) cost SDRs.. for example, the $70 Caribou (a hat for the RPi), or the LimeSDR.

    • @justanengineer5599 2 years ago

      The limitation (if any) comes from the RTL-SDR dongle used, especially in terms of the frequency range that can be monitored / decoded. The URH software actually supports most modulation types like FSK, ASK/OOK, GMSK and most SDR devices... You may also want to go through the manual github.com/jopohl/urh/releases/download/v2.0.0/userguide.pdf
      Most cars use not only a rolling code but also a pseudorandom seed for code generation
      en.wikipedia.org/wiki/Remote_keyless_system - that's why a replay attack does not work for them, only a rolljam attack.
      I do not have an SDR for the transmission part. But if you are considering transmitting spoofed radio data I would suggest using a combination of two boards, CC1101 + Arduino Pro Micro (3.3V / 8 MHz version), as I am doing in my 10$ CC1101 jammer here in my video ruclips.net/video/vZcGP-O2GvQ/видео.html
      You do not need specialized devices like Evilcrow RF or Yardstick One or HackRF for transmission actually...
      If you look into my Arduino sketch here : raw.githubusercontent.com/mcore1976/cc1101-jammer/main/arduino-pro-micro-cc1101-jammer-v2.ino
      you will see that you can do all of it in a very easy way with any type of required modulation, frequency, preamble, encoding etc... by setting those values with a few commands at the beginning of the code
      and putting your sequence to be sent in the command :
      // send these data to radio over CC1101
      ELECHOUSE_cc1101.SendData("my decoded key values!!!");
      Good Luck!
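
The difference the reply above draws between fixed-code and rolling-code keys, seen from the receiver side, as an added example that is not part of the original comment or the author's sketches. The frame layout, key, window size and the truncated HMAC-SHA256 tag are assumptions chosen for illustration; this is not KeeLoq or any vendor's scheme.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, set at pairing
WINDOW = 16                    # assumed look-ahead window for missed presses


def fob_frame(counter, button=1, key=KEY):
    """Hypothetical rolling-code frame: counter(4) | button(1) | MAC(4)."""
    body = counter.to_bytes(4, "big") + bytes([button])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:4]


class FixedCodeReceiver:
    """Static-code receiver: any frame equal to the stored code is accepted."""

    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Accepts a frame only if its MAC verifies and its counter moves forward."""

    def __init__(self, key=KEY, last_counter=0, window=WINDOW):
        self.key, self.last, self.window = key, last_counter, window

    def accept(self, frame):
        if len(frame) != 9:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if not self.last < counter <= self.last + self.window:
            return False  # already seen (replayed) or implausibly far ahead
        self.last = counter  # commit state only after every check has passed
        return True


def replay_outcomes():
    """Present each receiver with a frame, then with the identical bytes again."""
    static_code = b"\x5a\x3c\x0f"  # constructed static code
    fixed, rolling = FixedCodeReceiver(static_code), RollingCodeReceiver()
    first = fob_frame(1)
    bad = bytearray(fob_frame(3))
    bad[-1] ^= 0x01  # flip one MAC bit so verification must fail
    return {
        "fixed_first": fixed.accept(static_code),
        "fixed_replay": fixed.accept(static_code),
        "rolling_first": rolling.accept(first),
        "rolling_replay": rolling.accept(first),
        "rolling_next": rolling.accept(fob_frame(2)),
        "rolling_far_ahead": rolling.accept(fob_frame(2 + WINDOW + 1)),
        "rolling_bad_mac": rolling.accept(bytes(bad)),
    }
```

The counter window rejects frames the receiver has already accepted; it does not cover a frame that was captured but never reached the receiver, which is the rolljam case the reply names.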

  • @purple_bey 3 years ago +1

    thanks

  • @forxan 2 years ago +1

    Hi everyone,
    I would like to be able to receive the signal from a controller with an HCS301 (MICROCHIP KeeLoq) in the transmitter and with a PICxxx or an ATMELxxx in the receiver.
    There is a library for ARDUINO about receiving

  • @wakis4179 3 years ago

    Hello, very good video. However, I did not understand how you activate the remote control. I see that the remote control is connected to a power bank for the power supply, but did you configure a push button on the Arduino to launch the code, or does simply plugging in the Arduino start the code?

    • @justanengineer5599 3 years ago +1

      Hi. For simplicity there was no push button. It activates when connected to a 5V USB powerbank. The Arduino bootloader starts the code and sends the radio signal immediately.

  • @BrianHall 3 years ago +1

    I thought garage door openers rotated their codes each time you press the button. Your opener seems to use a static code each time. Is that common?

    • @justanengineer5599 3 years ago +3

      There are different models of garage openers. Yes, the one I have uses a static code. However, this method of hacking can also be used for rolling codes. You would need to record more sequences to discover the algorithm of code generation. The URH tool helps with reverse engineering of the coding

    • @saundergroundmb9007 3 years ago

      Hey can have your email adem thnks

    • @matchke7054 3 years ago

      @justanengineer5599 is this some of the Aluprof remotes?

    • @costarica4502 3 years ago

      @justanengineer5599 Very nice job, maybe another tutorial with rolling code? ;)

    • @tobiasxy1230 2 years ago +2

      @justanengineer5599 Wow... Can you show it in a video, how to reverse rolling code with the URH? It would be exciting... 😉 Please.

  • @philippe930 3 years ago

    Thanks Adam. Are there FS1000A modules for 868 MHz? Very interesting tutorial, keep going

    • @justanengineer5599 3 years ago

      The 433.92 MHz FS1000A module works very well at its second harmonic frequency, 868 MHz

  • @zoboloff 1 year ago

    Hi Adam,
    Thanks for your tuto. I have an 867 MHz key that I would like to clone for educational purposes. What would be the associated module, as you are using 1 x FS1000A module for the 433 MHz freq? I have already saved the *.wav with my remote impulses ...

    • @justanengineer5599 1 year ago

      Hi. I cannot find an FS1000A supporting 868/867 MHz; there are only CC1101-based modules supporting it. You need to look for something that supports OOK / ASK modulation with a single DATA INPUT pin without an SPI bus. Alternatively you may use a CC1101-based module and the library from Litle s@tan for CC1101 (the one I am using to build the jammer)

    • @worldmusic8941 1 year ago

      @justanengineer5599 Can I run the code with Arduino Leonardo?
      Second question?
      void setup()
      {
      }
      void loop()
      {
      tone(8, 15000); // generate square wave
      }
      Does it work too? For me no

  • @MJ-pp3rs 1 year ago

    In my case, the way works but one-time, because I have rolling keys. Now I have recorded several sequences. Where can I find information on how to analyze the algorithm in URH?

    • @justanengineer5599 1 year ago

      I would suggest to look into this document here github.com/jopohl/urh/releases/download/v2.0.0/userguide.pdf

  • @tobiasxy1230 2 years ago

    Hello. This is a perfect video thanks. It helps me... But I have a problem with showing the sample rate... It shows only Pause: the time in ms. How can I change this for showing samples?

    • @tobiasxy1230 2 years ago +1

      Sorry... I have the solution. The samples are the summary of each Bit in the row per sequence... It doesn't show me automatically, I have to mark all the bits and then I see the summary.

  • @user-im8ef1ih5c 2 years ago +1

    Hi,
    You can see that it works with the RF transmitter 315Mhz-green.
    I have a question here.
    I wonder if this project is possible with the NRF24L01 module I have.
    I am trying to upload a program to Arduino by sniffing the automatic door.

    • @justanengineer5599 2 years ago

      This code will not work with NRF24L01; however, I am thinking how to adapt this design to work with this module and jam the drones and other devices operating on wifi frequency

    • @GunsandGuitars69 1 year ago

      @justanengineer5599 could just do that with Aircrack. Does this program work with the HackRF One?

    • @akinci8892 4 months ago

      @justanengineer5599 Hey, can we use NRF24L01 with esp32 instead of Arduino?

  • @aruzat 2 years ago +1

    Hi man, if I use a CC1101 to copy and replay the signal, is it possible? Thanks!

    • @justanengineer5599 2 years ago +1

      It is possible. I will be doing such a video

    • @aruzat 2 years ago +1

      @justanengineer5599 Oh brother, thank you very much!! Your channel is incredible, congratulations :)

  • @boofboikarti3235 2 years ago

    What if we record multiple times, can u show how to analyze multiple attempts (key fob presses) or is it the same process!?!?

    • @justanengineer5599 2 years ago +1

      Yes it is the same process. Multiple recordings are actually needed if you have rolling code in the keys

  • @lelumpolelum3085 2 years ago

    How did you manage to setup the exact required frequency during the transmission?

    • @justanengineer5599 2 years ago +1

      The FS1000A always sends on the same frequency as the built-in SAW generator module (433.92 in my case). For wireless keys the same set of bands is used in many countries - either 433.92 or 315 MHz, see here en.m.wikipedia.org/wiki/Remote_keyless_system .
      Anyway, if you wish to tune to a different frequency and have more flexibility you would have to use CC1101 instead, like I am showing in my recent video for the jammers. On my github you may find CC1101 projects using the SmartRC library which you can easily adapt in order to clone any type of wireless key
      Please watch this video : ruclips.net/video/vZcGP-O2GvQ/видео.html
      and see this Arduino script :
      github.com/mcore1976/cc1101-jammer/blob/main/arduino-pro-MINI-cc1101-jammer-v2.ino
      You may set any modulation frequency encoding and payload there according to what you decoded with Universal Radio Hacker tool. Good Luck !

    • @lelumpolelum3085 2 years ago

      @justanengineer5599 Thanks and I have a bonus question. Whenever I try to find the pulse length on my signal it is different for 0 and 1. 0 has a pulse length between 343 and 350 us and 1, between 400 and 420. It also varies slightly when I analyse the preamble and the payload. Is that a significant difference or should I just stick to one pulse length for all my calculations?

    • @justanengineer5599 2 years ago

      Basically, symbol lengths should be constant for ASK/OOK modulation. It is possible that additional Manchester encoding is in use that causes some distraction in the URH decoder. Try to decode the signal by selecting a different type of modulation

    • @lelumpolelum3085 2 years ago

      @justanengineer5599 You know, honestly I think it's just some type of protocol of rolling code. I will try to find mine and will get back to you if I succeed. Thanks for the replies.

  • @xckiikc 1 year ago

    How do you get the "pulse" value?

  • @user-gj6dw3ot1u 2 years ago

    Does this method work with car keys?

    • @justanengineer5599 2 years ago

      yes but for old cars, only for wireless keys that Do Not have rollover code

  • @forxan 2 years ago

    Hello everyone,
    I would like to be able to receive the signal from a remote with an HCS301 (MICROCHIP KeeLoq) in the transmitter and with a PICxxx or an ATMELxxx in the receiver.
    There is a library for ARDUINO for receiving the signal from an HCS301 and another for transmitting the signal of an HCS301, but I can't find it... I'm still searching.
    Greetings to all

  • @Deauther 3 years ago

    what device is this to activate the digispark...

    • @justanengineer5599 3 years ago

      Normal PC (with Linux Mint in my case, but it can be also Windows PC) is used to program the Digispark unit. Digispark has connected the FS1000A module as 433MHz ASK transmitter. The URH is using the RTLSDR USB dongle to capture and decode wireless keyfob, then I am able to re-write the code for Arduino / Digispark to send appropriate radio sequence to open garage doors.

    • @Deauther 3 years ago

      @justanengineer5599 I ask at the end of the video to activate the digispark, it's a normal charger...

    • @justanengineer5599 3 years ago +1

      Yes, it is a normal 5Volts usb powerbank/charger with ON/OFF switch and LED indicator

  • @DudeINeedWater 1 year ago

    How to copy keys to Flipper Zero

    • @justanengineer5599 1 year ago +1

      I don't have this tool, it costs as much as 2 thousand. But from what I can see it has a CC1101 chip or an equivalent inside, so it probably has a mode for recording communication; however, you have to use Universal Radio Hacker to find out what the frequency, modulation etc. are

  • @imadeddine3844 2 years ago +1

    Can you steal the car key sign??

  • @For_the-love_of_physics 3 years ago

    Can we make this with Arduino.

    • @For_the-love_of_physics 3 years ago

      ruclips.net/video/-X2S7yqZnbY/видео.html
      .....

    • @justanengineer5599 3 years ago +1

      It is made with arduino digispark. You can make it with any arduino.

    • @For_the-love_of_physics 3 years ago

      @justanengineer5599 I don't know the code

    • @justanengineer5599 3 years ago

      The code is available on github. Have you checked the description of the video? The link is there :
      Link to my example sketch : github.com/mcore1976/urh-arduino-cloning-keys
      Link to the tool : github.com/jopohl/urh

    • @For_the-love_of_physics 3 years ago

      @justanengineer5599 ruclips.net/video/P28NcPvIWhk/видео.html
      Do you know to make this

  • @DudeINeedWater 1 year ago

    how about flipper zero

    • @justanengineer5599 1 year ago +2

      If you have 500 usd go ahead. This cloning costs 5 usd

    • @DudeINeedWater 1 year ago

      @justanengineer5599 Dude, I bought it on Joom for 900 zł; Poles sell it for twice as much

    • @Falin1989 1 year ago

      for the same price? i'm in!