
Reverse engineering an ancient wireless security keypad using RTL-SDR - ursusarcanum
http://fatsquirrel.org/oldfartsalmanac/random/reverse-engineering-a-vintage-wireless-keypad-with-an-rtl-sdr/
======
flashman
You can use a similar technique to clone a garage door remote control. You
simply have to record the transmission using the techniques mentioned in this
post, then rebroadcast it on the same frequency.

Broadcasting FM is as simple as loading a Raspberry Pi up with PiFM[0]. Or, if
you don't have the original remote (but are a bit more technical), you can
just brute force the combination; most remotes only use a 12-bit DIP switch
(4096 combinations)[1].

[0] [https://github.com/CodyJHeiser/PiStation](https://github.com/CodyJHeiser/PiStation)
[1] [http://samy.pl/opensesame/](http://samy.pl/opensesame/)

~~~
jbergknoff
Nice. I have a 30 year old garage opener but I don't have a remote. I know the
combination because I set the DIP switches, and I think I even dug up the
transmission frequency when I looked into it a few months ago. I don't know
what sort of transmission the opener wants to receive, though. Any resources
you can point me to on that topic?

~~~
flashman
One thing I don't know how to do is encode information in pulses. That's why I
use the record/replay method. There is probably a program that will convert a
binary string to pulsed data (I believe 2ms chirps with 2ms gap between them?)
but I don't know of it.

There is a little more information on the opening signal here:
[http://andrewmohawk.com/2012/09/06/hacking-fixed-key-remotes/](http://andrewmohawk.com/2012/09/06/hacking-fixed-key-remotes/)

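The missing piece flashman describes above is a program that turns a bit string into pulsed baseband. The block below is an added example, not code from the post or from anyone in this thread. It assumes a pulse-width OOK framing that many fixed-code remotes use (a long on/short off for a `1`, short on/long off for a `0`, a long silence between frames) with a 2 ms timing unit taken from flashman's guess; the real remote's unit, bit order and frame shape must be measured from the recording first, since none of that is known for this keypad. It also enumerates every 12-bit DIP-switch code and works out how long a naive brute force would keep the transmitter busy at these timings.

```python
"""Bits -> OOK pulse train -> bits, plus naive 12-bit brute-force enumeration.

Added example; the timing scheme is ASSUMED, not measured from the keypad
or any particular remote.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class Timing:
    """Assumed pulse timing. The 2 ms unit is flashman's '2 ms chirp, 2 ms gap'
    guess; the 2:1 pulse-width ratio and 8-unit sync gap are a common
    fixed-code scheme, not something taken from this keypad."""
    sample_rate: int = 10_000   # baseband samples per second
    unit_s: float = 0.002       # one timing unit = 2 ms

    @property
    def unit(self) -> int:
        """Timing unit expressed in samples."""
        return round(self.sample_rate * self.unit_s)


def dip_to_bits(switches: str) -> List[int]:
    """'1'/'0' string read left to right (switch 1 first) -> list of bits."""
    if not switches or any(c not in "01" for c in switches):
        raise ValueError("switch string must be non-empty and contain only 0/1")
    return [int(c) for c in switches]


def encode_pwm(bits: List[int], t: Timing) -> List[int]:
    """Bits -> OOK baseband samples (1 = carrier on, 0 = carrier off).

    A '1' is 2 units on then 1 unit off; a '0' is 1 unit on then 2 units off,
    so every bit carries an edge (self-clocking, unlike plain slotted OOK
    where a run of zeros is just silence). An 8-unit silence ends the frame.
    """
    u = t.unit
    out: List[int] = []
    for b in bits:
        on, off = (2 * u, u) if b else (u, 2 * u)
        out.extend([1] * on)
        out.extend([0] * off)
    out.extend([0] * (8 * u))       # sync gap: lets the receiver find frame start
    return out


def _runs(samples: List[int]) -> Iterator[Tuple[int, int]]:
    """Run-length encode a 0/1 sample stream as (level, length) pairs."""
    if not samples:
        return
    level, length = samples[0], 0
    for s in samples:
        if s == level:
            length += 1
        else:
            yield level, length
            level, length = s, 1
    yield level, length


def decode_frames(samples: List[int], t: Timing) -> List[List[int]]:
    """Envelope-detector style decode: measure each 'on' run and call it a 1
    if it is closer to 2 units than to 1; a silence of >= 4 units ends a frame.
    Returns a list of frames, each a list of bits."""
    u = t.unit
    frames: List[List[int]] = []
    cur: List[int] = []
    for level, length in _runs(samples):
        if level == 1:
            cur.append(1 if length >= round(1.5 * u) else 0)
        elif length >= 4 * u and cur:
            frames.append(cur)
            cur = []
    if cur:
        frames.append(cur)
    return frames


def all_codes(nbits: int = 12) -> Iterator[List[int]]:
    """Every nbits-wide DIP-switch setting, MSB first, counting from 0."""
    for code in range(1 << nbits):
        yield [(code >> (nbits - 1 - i)) & 1 for i in range(nbits)]


def brute_force_stream(nbits: int, t: Timing) -> List[int]:
    """One contiguous baseband stream that tries every code once (naive brute
    force: each code is sent as its own complete frame)."""
    stream: List[int] = []
    for code in all_codes(nbits):
        stream.extend(encode_pwm(code, t))
    return stream


def airtime_s(nbits: int, t: Timing) -> float:
    """Seconds of transmission for the naive brute force at these timings."""
    per_frame = nbits * 3 * t.unit + 8 * t.unit
    return (1 << nbits) * per_frame / t.sample_rate


if __name__ == "__main__":
    t = Timing()
    code = dip_to_bits("101100111000")           # constructed sample code
    print("round trip ok:", decode_frames(encode_pwm(code, t), t) == [code])
    print(f"12-bit naive brute force: {airtime_s(12, t):.1f} s of airtime")
```

The sample stream can be fed to an OOK transmitter as the keying signal, or mixed onto a carrier in software; the decoder is the same run-length logic you would run over the envelope of an RTL-SDR capture to check that a recorded frame was reconstructed correctly. At the assumed 2 ms unit, trying all 4096 codes one frame each takes about six minutes, which is why samy.pl's approach of exploiting receivers that never reset their shift register is so much faster than this naive loop.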
------
Sanddancer
That is some brutal power sag going on. Those waveforms would probably look a
good bit different with the capacitors replaced. Thirty years is a long time
for electrolytic caps, and the tantalums are probably not much better.

~~~
cnvogel
Probably it's just the general stability of the oscillator circuit. It seems
to drift by around 300 kHz around its center frequency of 340 MHz, so about
+/-1‰. For such a very simple transmitter that's likely demodulated with an
equally simple LC-filter and an envelope detector, it could just be right
"up to spec": [http://imgur.com/l47Nm4B](http://imgur.com/l47Nm4B)

Edit: % -> ‰

------
c54
Remarkably simple example of using the RTL-SDR for something. Thank you old
school electronics :D

------
zxcvgm
I hope the author is not going to use this panel as-is because it sends
everything in the clear. I would keep the front panel but retrofit a
microcontroller in there to encrypt keypresses before they are sent.

~~~
roel_v
Technically you're right, but this is a problem that comes up a lot in
wireless home automation. Thing is, what is the attack vector you want to
protect against? How many burglars are going to be sitting outside your house
(I'm imagining: in a black van with 'Bob's plumbing' written on the outside)
analyzing RF patterns when someone comes in, reverse engineer it, then
burglarize your home? My estimate is 0, even when not weighed against the
alternative: if someone really thinks your house is so interesting so as to
warrant several hours of waiting/observation, they'll just put a knife to your
wife's throat and say 'turn off the alarm and show us the valuables'.

The vast majority of garage door openers out there use unencoded RF tech, and
it's very seldom a problem. And the other side: there was a recent string of
thefts of BMW and VW cars in my area. Reason? They had an inside man at the
main office who slipped them copies of the remotes.

The tech is very, very rarely the weak link.

~~~
mkesper
Except for the keyless car openers. A simple amplifying transceiver seems to
be enough to let your car be stolen.
[https://news.ycombinator.com/item?id=9381792](https://news.ycombinator.com/item?id=9381792)

------
late2part
Awesome article! I just got an SDR and now I'm hunting for old RF things to
interrogate - thanks for the ideas!

~~~
viraptor
I recommend scanning your 300-440 MHz range - there's an amazing number of
devices working in it. Garage remotes, car remotes, smart power meters, ACs,
weather stations, tire pressure monitors, I can see 3 periodic signals at home
and I don't even know what 2 of them are. (maybe picking up something from
neighbours)

~~~
Vexs
Don't forget the 900 MHz range! Plenty of cool stuff going on there. Oh, and
you could make a searching antenna pretty easily: basically a shitty antenna
that you can use to find signal strength easily, because it picks up so
poorly.

------
userbinator
The main chip appears to be an Exar custom gate-array IC dated week 4, 1987.
It probably contains a 4x4 keypad scanner (note there are 15 buttons on the
keypad) with baseband output. The RF section is all discretes. The HCF4069
near the battery is being used as an oscillator to drive the piezo buzzer.

------
monochromatic
> I’d envisaged the former owner being some sort of back-woods buck-toothed
> survivalist who spent his life protecting his family from the oppressive
> government until he got sick and had to sell his house, guns and alarm
> system to pay for his medical bills.

I love the casual elitism of this Brit expat. Cool post otherwise though.

