Forum: GNU Radio Car alarms and garage door openers

Matt Ettus (Guest)
on 2006-06-05 22:31
(Received via mailing list)
After the Wired article today, I've received a couple of emails from
people who are concerned that the USRP could be used to clone their
keyfob transmitters for car alarms and garage doors.  I'm not concerned,
since there are already many ways to do this (just check the back of
Popular Science magazine).  However, I am curious about it.  I know that
we can capture and play back any RF signal.  The question is whether
that replayed signal would result in the door being unlocked.  I was
under the impression that most of those systems allow an unlock code to
only be used once, but does anyone out there know for sure?

Matt
Marcus Leech (Guest)
on 2006-06-05 22:40
(Received via mailing list)
Matt Ettus wrote:
> know for sure?
>
> Matt
Most, but not all, such devices now use a "rotating code sequence",
based on a not-very-long pseudo-random sequence.
Certainly for the impatient burglar, merely replaying won't work in
most cases.  I don't know how they maintain synchronization between the
key and the lock, and it's likely that there are weaknesses there.
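To make the "rotating code" and synchronization question concrete, here is an added Python model (not code from this thread or any vendor's scheme) of a receiver that accepts only codes ahead of the last one it saw, within a forward window. The key, the 32-bit code length and the window size are constructed assumptions; it shows why a replayed capture is rejected and where the resync window is the trade-off Marcus alludes to.

```python
import hashlib
import hmac

# Added example, not from the thread: a simplified rolling-code receiver.
# Each press advances a counter; the transmitted code is a keyed hash of it,
# so the sequence looks pseudo-random to anyone without the key. Generic
# illustration only; key, code length and WINDOW are constructed values.
WINDOW = 16  # hypothetical number of "missed" presses the receiver tolerates

def rolling_code(key: bytes, counter: int) -> bytes:
    """Code for one counter value: a keyed hash truncated to 32 bits."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> bytes:
        self.counter += 1                    # every press advances the sequence
        return rolling_code(self.key, self.counter)

class Receiver:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter   # last counter value accepted

    def receive(self, code: bytes) -> bool:
        # Only counters ahead of the last accepted one, up to WINDOW presses
        # away, are tried; an already-used code (a replay) is never accepted.
        for c in range(self.counter + 1, self.counter + WINDOW + 1):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.counter = c             # resync to the fob's position
                return True
        return False

def demo() -> tuple:
    """Returns (live press accepted, replay accepted, in-window resync, lost sync)."""
    key = b"constructed shared secret"
    fob, rx = Fob(key), Receiver(key)
    first = fob.press()
    live = rx.receive(first)                 # True: fresh code
    replay = rx.receive(first)               # False: that counter is consumed
    for _ in range(5):                       # presses made out of range
        fob.press()
    resync = rx.receive(fob.press())         # True: counter 7 is within 16 of 1
    for _ in range(WINDOW + 1):
        fob.press()
    lost = rx.receive(fob.press())           # False: fob is past the window
    return live, replay, resync, lost
```

A larger window makes a fob that was pressed out of range recover more easily but also widens what the receiver will accept, which is where the weaknesses Marcus mentions tend to live.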
Daniel O'Connor (Guest)
on 2006-06-05 23:28
(Received via mailing list)
On Tuesday 06 June 2006 05:59, Matt Ettus wrote:
> After the Wired article today, I've received a couple of emails from
> people who are concerned that the USRP could be used to clone their
> keyfob transmitters for car alarms and garage doors.  I'm not concerned,
> since there are already many ways to do this (just check the back of
> Popular Science magazine).  However, I am curious about it.  I know that
> we can capture and play back any RF signal.  The question is whether
> that replayed signal would result in the door being unlocked.  I was
> under the impression that most of those systems allow an unlock code to
> only be used once, but does anyone out there know for sure?

"It depends"
Some car systems are pretty sophisticated and cycle through codes to prevent
replay attacks.

AFAIK most garage door openers are pretty simple, although I guess it would be
fairly easy to check by listening to one and seeing what, if anything,
changes from press to press.

Microchip make a tx/rx pair that has funky crypto (although I haven't looked
at how good it really is).

Don't forget doorbells! I have a 433MHz wireless doorbell which could be cloned
8-)
Michael Milner (Guest)
on 2006-06-06 19:36
(Received via mailing list)
> Matt
I just took a look at my car's keyfob with the USRP RFX400 board (it seems
to transmit around 433.923MHz).  It is using FSK modulation, a few tens of
kilohertz deviation.  It demodulates pretty well, but the centre frequency
isn't very stable (Is there any way to automatically detect the centre
frequency within a range?)

Just eyeballing the data with the scope, it seems to change with every
keypress.  It's hard to really see what the data is.  Is there anything in
GnuRadio that will let me measure the pulse widths?

Mike
Matt Ettus (Guest)
on 2006-06-06 20:38
(Received via mailing list)
Michael Milner wrote:

>>Matt
>keypress.  It's hard to really see what the data is.  Is there anything in
>GnuRadio that will let me measure the pulse widths?
>
>
Thanks for looking into this.  I think that most keyfobs use SAW
oscillators instead of crystals to save money.  This results in very bad
frequency drift, which the receiver will need to compensate for.

Matt
Marcus Leech (Guest)
on 2006-06-06 20:44
(Received via mailing list)
Matt Ettus wrote:
> Thanks for looking into this.  I think that most keyfobs use SAW
> oscillators instead of crystals to save money.  This results in very
> bad frequency drift, which the receiver will need to compensate for.
>
> Matt
>
Many of these systems use OOK (On/Off Keying) of the SAW-based
transmitter.  The receiver is a wideband TRF design, with square-law
detector and post-detector gain.  The fact that the transmitter drifts is
of little consequence, since the receiver has a large bandwidth.  Since
each receiver has a "unique" address code that it responds to, the fact
that there may be other transmitters in the vicinity doesn't seem to
matter that much.
Johnathan Corgan (Guest)
on 2006-06-06 22:07
(Received via mailing list)
Michael Milner wrote:

> I just took a look at my car's keyfob with the USRP RFX400 board (it seems
> to transmit around 433.923MHz.  It is using FSK modulation, a few tens of
> kilohertz deviation.  It demodulates pretty well, but the centre frequency
> isn't very stable (Is there any way to automatically detect the centre
> frequency within a range?)
>
> Just eyeballing the data with the scope, it seems to change with every
> keypress.  It's hard to really see what the data is.  Is there anything in
> GnuRadio that will let me measure the pulse widths?

I looked up the FCC ID for mine.  It's allocated for use between 314.5
and 315.5 MHz, which I'm sure is to allow cheap oscillators to be used.

Found it with the TVRX at 314.875 MHz.  Looks like OOK with a minimum
pulse width of 250us.  Like yours the sequence seems to change with each
key press.  See attached JPEG.

-Johnathan, AE6HO
Johnathan Corgan (Guest)
on 2006-06-06 22:10
(Received via mailing list)
Johnathan Corgan wrote:

> I looked up the FCC ID for mine.  It's allocated for use between 314.5
> and 315.5 MHz, which I'm sure is to allow cheap oscillators to be used.

Woah...the FCC search has a "detail" option that comes up with a list of
PDFs describing the whole key fob (URL will wrap I'm sure):

https://gullfoss2.fcc.gov/prod/oet/cf/eas/reports/...

In my case:

                          CIRCUIT DESCRIPTION
TRANSMITTER

The hand-held RF transmitter consists of the housing, three or four
control buttons, microcontroller, a UHF oscillator (Colpitts
configuration) and a 3 volt battery. The microcontroller uses an
internal oscillator running at 4.0 MHz, and the RF oscillator uses a SAW
based oscillator to resonate at 315.0 MHz. The modulation format used
will be ASK, with a Rolling/Manchester code data format. Once the user
presses a button power is applied to the microcontroller which turns the
RF oscillator on and off at the rate of the Rolling/Manchester code data
being sent. The signal is then sent to the receiver module via RF data
transmission. The module will then act upon the RF data received and
will perform certain functions in correspondence to which transmitter
button is pressed.


-Johnathan, AE6HO
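Michael asked how to measure pulse widths, Johnathan's fob turned out to be OOK with a 250us minimum pulse and a Rolling/Manchester data format, and Daniel suggested simply checking whether anything changes from press to press. The following is an added Python example (not code from this thread, from GNU Radio, or from the FCC filing) that does exactly that on a demodulated envelope: it run-length encodes the 0/1 samples into pulse widths, Manchester-decodes them, and compares two presses. The sample rate, the preamble, the bit convention and the two captures are constructed assumptions.

```python
from itertools import groupby
# Added example, not from the thread: measure OOK pulse widths on a demodulated
# envelope and Manchester-decode them, so two presses of a fob can be compared.
# Constructed assumptions: the envelope is already thresholded to 0/1 samples at
# SAMPLE_RATE; a half-bit is the 250 us minimum pulse reported above; a frame
# starts with PREAMBLE one-bits; a 1 bit is a high-then-low pair of half-bits.
SAMPLE_RATE = 200_000   # samples/s of the thresholded envelope (hypothetical)
HALF_BIT_US = 250       # half-bit length, i.e. the minimum pulse width
PREAMBLE = 4            # leading 1 bits in every frame (constructed)

def pulse_widths(samples):
    """Run-length encode 0/1 samples into (level, width_us) pairs."""
    return [(lvl, len(list(run)) * 1e6 / SAMPLE_RATE) for lvl, run in groupby(samples)]

def manchester_decode(widths, tol=0.25):
    """Pulses must be 1 or 2 half-bits (within tol); each bit has a mid transition."""
    halves = []
    for level, w in widths:
        k = round(w / HALF_BIT_US)
        if k not in (1, 2) or abs(w / HALF_BIT_US - k) > tol:
            raise ValueError(f"pulse of {w:.0f} us is not 1 or 2 half-bits")
        halves += [level] * k
    if len(halves) % 2:       # a final low half-bit is lost in the trailing silence
        halves.append(0)
    bits = []
    for first, second in zip(halves[::2], halves[1::2]):
        if first == second:
            raise ValueError("no mid-bit transition: not Manchester")
        bits.append(1 if first == 1 else 0)
    return bits

def decode_frame(samples):
    """Trim silence around the burst, decode, check the preamble, return payload."""
    widths = pulse_widths(samples)
    highs = [i for i, (lvl, _) in enumerate(widths) if lvl == 1]
    bits = manchester_decode(widths[highs[0]:highs[-1] + 1])
    if bits[:PREAMBLE] != [1] * PREAMBLE:
        raise ValueError("bad preamble")
    return bits[PREAMBLE:]

def make_capture(payload, jitter=0):
    """Constructed envelope of one press; jitter lengthens high pulses (samples)."""
    n = SAMPLE_RATE * HALF_BIT_US // 1_000_000    # samples per half-bit (50 here)
    samples = [0] * 100                            # leading silence
    for b in [1] * PREAMBLE + list(payload):
        samples += [1] * (n + jitter) + [0] * n if b else [0] * n + [1] * (n + jitter)
    return samples + [0] * 100                     # trailing silence

def changes_between_presses(capture_a, capture_b) -> bool:
    """True if the decoded payload differs: the fob is not sending a fixed code."""
    return decode_frame(capture_a) != decode_frame(capture_b)
```

A fixed-code opener or doorbell decodes to the same payload on every press, which is the replay risk the thread is asking about; the tolerance on pulse width is what absorbs the timing slop of a cheap SAW-based transmitter.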
Jaap Stolk (Guest)
on 2006-06-06 22:19
(Received via mailing list)
On 6/6/06, Johnathan Corgan <jcorgan@aeinet.com> wrote:
> .....  the sequence seems to change with each
>  key press.  See attached JPEG.

I sure hope it changes every time, or you just posted your car keys
on-line :-)
Rick Parrish (Guest)
on 2006-06-07 03:07
(Received via mailing list)
Michael Milner wrote:

>I just took a look at my car's keyfob with the USRP RFX400 board (it seems
>to transmit around 433.923MHz.  It is using FSK modulation, a few tens of
>kilohertz deviation.  It demodulates pretty well, but the centre frequency
>isn't very stable (Is there any way to automatically detect the centre
>frequency within a range?)
>
>
Might be one of these ...

http://pdfserv.maxim-ic.com/en/an/AN3765.pdf

The older SAW filter designs would "wiggle" the TX frequency to
compensate for any slight mismatch between the TX and RX filters.

-rick