One of these fell off the wall and I opened it up to see what was inside and turns out it runs on radio signals.
Can I make a device that cycles through different frequencies to brute force them to open for me without hitting the button?
Yes
No
Maybe
I don’t know
They use multiple, 2048-bit rotating vedonic codes with multiple nulls.
> brute force
You could just push the button.
> fell-off
I hope you remembered to cover your face and tats, and didn’t leave the tire iron you used to remove it covered in fingerprints at the scene.
Impossible to say without actually experimenting with the hardware, or finding documentation for it (got a manufacturer name?).
But it almost certainly has some way to disambiguate between transmitters and receivers. After all, it's not uncommon to have two layers of doors on buildings, so the button can't rely on transmission power as a filter.
If you are lucky, the disambiguation is just it broadcasting a cleartext identifier. In which case, you just need to observe it once and then play it back in the future.
If you are unlucky, the disambiguation is either a public-private key challenge, or just a signaling protocol that inherently has encryption (like most Bluetooth).
Chip had 1249 in sharpie
Well, there you go. It's a ClearPath CP-TX. You can google it.
My guess (made up on the spot) is the 12 switches just set a pattern that is broadcast to the receiver, possibly just via amplitude or frequency modulation around the baseband (as selected by the 3 position switch). However there might be additional components to the signal, rather than simply a 12-bit number, like a prefix or suffix.
I'd take a radio receiver tuned to the baseband, record the transmission (possibly a few times in a row, just to check for variations), and then look for pulses representing the 12-bit number.
4096 possible combinations of security code, but it probably only takes a few milliseconds for each attempt (otherwise the door would feel super "laggy" from the button press).
To refine things a bit more, it looks like this type of system is called "multicode" or "dip switch" and it's more commonly used on old garage door openers.
So google resources for hacking garage door openers.
But I've satisfied my curiosity, the rest is up to you since you actually have access to the hardware.
Here's the patent explaining how it works.
https://patents.justia.com/patent/7545833
It uses 300 and 390 MHz, which is in the range of both the HackRF One and the Flipper Zero.
Can you repeat the question?
You’re not the boss of me now.
Why would this even have security? Anyone can press the button. Seems like the dip switches are probably there so there can be multiple door/switch pairs in range of each other without causing interference with each other.
Someone could
They're just glorified garage door opener remotes
Based on your question, you likely can't... at your present level of understanding.
But here's some terms and a process for you to investigate and learn:
- frequency counter
- RTL-SDR
- wireless replay attack
https://threatpost.com/using-a-toy-to-open-a-fixed-code-garage-door-in-10-seconds/113146
By the sounds of it, you probably could knock up a universal opener.
It won't do anything if the door is locked.
If the door isn't locked, just push the button.
Get SDR
Push button
Record signal
Decode signal
Replay signal
You can DIY yourself a Flipper clone. Record the frequency that button gives off and repeat it.