
RF Remote Cloning with URH

BSides KC · 2021 · 19:13 · 150 views · Published 2021-11
About this talk
Jordan Bush demonstrates Universal Radio Hacker (URH), a software-defined radio tool for capturing, analyzing, and replaying RF signals on ISM bands. The talk covers frequency discovery, modulation analysis, signal cloning of remote controls, and fuzzing techniques to identify hidden commands, with live demonstrations using a HackRF and sky projector remote.
Original YouTube description: BSides Kansas City 2021 RF Hacking Village Talk - RF Remote Cloning with URH - Jordan Bush
Transcript (en)

Cool. Hello, I'm Jordan Bush, and you can find me on the SecKC Discord as Mr Barr. I'm going to talk about Universal Radio Hacker: how you can clone remotes, replay the remotes, and go into a little detail on how you can analyze them, you know, like fuzzing. So here's a disclaimer: I don't think that you can just clone all willy-nilly. There are some consequences if you're not careful. Everything is listening on that frequency, so it's not just your own device. So say you're trying to make your fan go a faster speed; well, you're transmitting too high and you just blow up your neighbor's garage door opener or something because you're buzzing. So be careful. Everything I say here, don't take it word for word and blame me for something you do.

All right, what is Universal Radio Hacker? It's essentially a tool that allows you to use software-defined radios to listen in and dissect radio signals that are broadcast on ISM bands. I mean, probably you can use other bands too, but that's what it's known for. It can decode common modulations like phase shift keying, on-off shift keying, and frequency shift keying. There's a GitHub; I'll have the link in the slide deck too. Oh, I got ahead of myself, but essentially what I just talked about here, it can do.

So here is what I'm planning on doing. I'm going to take that sky projector there that has lasers and cool light effects. I actually found it at one of those Amazon liquidation places, you know, they have those big bins, you can find a lot of random stuff, but they go for about 50 bucks on Amazon. It runs on 433 MHz. I opened it up; there were basically unlabeled chips, and I couldn't find any FCC listings, which, I mean, it's ISM Part 15, but I believe it has to have FCC listings, so I couldn't go on and look up the board. And then for my setup I've got a ThinkPad, I've got a HackRF, and I've got Universal Radio Hacker 2.9. So if you're watching this in the future using whatever version, it might be a little different; keep that in mind.

So usually if you're looking at FCC listings you can find a lot of information about your products. So say you have your phone; well, your phone has an FCC listing. It'll list out all the frequencies that your phone will listen on, and sometimes transmit as well, depending on what it is. You can also get internal photos of devices. You don't have to open up something to find out, hey, it has the serial port you want to jack into, for example routers. That is a very useful treasure trove. And also sometimes you'll find modulation documents or test reports, which can also give you an idea of how much power a device uses or what kind of modulation the device uses, which can help you figure out what kind of software you need to use to decode it. And there's a useful website; you can pretty much type any FCC ID into it and you'll get a lot of pictures and information.

So here's the bands that most likely you'll find devices on, even if you can't find your device there. You've got 27 to 49; that's commonly used in RC cars and other older devices. So if you're trying to find a little cheap car that you're, you know, messing around with, check there. Key fobs, remotes, so like your car and stuff, you'll have 315 or 433. I will tell you, you cannot easily duplicate a car key. I mean, I think there was a Subaru that had an exploit where you could find their rolling code, but most devices like that you can't just easily get into because of that. There are ways to capture the thing and then replay it later if the car didn't hear it, so you can actually intercept and, you know, do it that way; I'm not going to get into that. Then you have 900 MHz, commonly found in baby monitors and monitoring equipment, that kind of stuff. 2.4 GHz, you'll find Wi-Fi, Bluetooth, and a lot of other kinds of devices that need a higher amount of bandwidth and are not just simple remotes. I guarantee you've used at least one of these bands in the past couple of days, probably today.

But anyway, this is what my device looks like. If you look carefully you can kind of see the spectrum. So it's on-off keying, and you can see how it has the on-off bits. I'll get a better picture for later. But essentially your wave will look different depending on the modulation you use. So that's mine, and you can see it is at 433.9 MHz.

And then here is Universal Radio Hacker. Universal Radio Hacker has this nice GUI. You can record your signals in, and when I give a demo for it later you'll see how that works. At this time I used a LimeSDR; I found out I wanted to change it, so you'll notice it says LimeSDR up there. But using the record signal you can record it, and then you can play it back right afterward. I'll show that in the demo later, but it gives you a very easy GUI to capture your signal. You type in the frequency and all that, and it shows up right there, and then again you can replay it, and it works like that.

So if you want to actually do something cool with your signal, kind of learn how it works, we can use the analysis tools that Universal Radio Hacker gives us. Now, these are the default settings that Universal Radio Hacker has. It is not going to work right away. So if you look down here, it should be a constant signal, but no, it isn't; it's got a lot of ones and zeros. So you need to have these settings up here, and once you adjust that, fine-tune that, it'll look nice and neat, and you can actually see my signal right here. Well, it looks like it's got a little jumbled up, but you can see the 1 0 1 1 1 0 0 0 0; you can see that signal right there. And that's ASK modulation, so it's really easy to see on a spectrogram.

So if we actually want to look deeper, we can actually see I've got three different kinds of signals. Now if you see here, everything is constant up to this point, and you've got these last four or five bits; you can see there's a little difference. There's a one right here, there's a one right there, and there's a zero right there. That's a different command for each kind of button that I have. So you can actually easily find out what's different, because they give you an option to mark the differences in each command that's sent to the device.

Then you can fuzz data. Universal Radio Hacker allows you to quickly generate a thing to fuzz and find out what you're looking at. For this demo I'm not going to go into that because we'll spend too much time, but essentially that's how you can try to find hidden commands or, you know, break your neighbor's garage door opener or something. And then, yeah, that's what URH is, a little idea of what you can do with it. And now I'd like to go ahead and give you an idea of what it does with a demo.

So I've got my HackRF here. We're going to hook that up to my computer, and we're going to find the remote, and if I can hold it up right, we're going to show you what it looks like live on a frequency. We'll see how that looks. So I'm just going to hook it up.

We're going to go into Gqrx, which is a software-defined radio application. So we're going to go down to what we know the frequency is probably going to be. And here we are. So we know we're looking for the frequency roughly at 433, right around here. Yeah, oh, it shouldn't matter, shouldn't interfere. So I'm going to hit a button on here; we'll see that thing turn on as well. You can see my remote is right there. Now I'm going to click on it and we'll be able to get a precise idea of what frequency that is. It's about 433.896. So I'd like to go into Universal Radio Hacker and try to clone that signal. So we're going to open it up, command line, just going to drag that over. I'm going to make a recording. It's really fun to monitor here. I'm going to select the HackRF, type in roughly what we saw. Now it can differ a little bit, and that has something to do with how the remote's made, like what orientation the antennas are. So you know antennas are meant to go straight up; if it's slightly crooked, sometimes it can deviate your signal. So I'm going to go ahead.

And now we're recording. So that's just without any data going through. I want to turn it on. That's my signal; we're going to save that.

And here we are in the analysis. I'm going to go ahead and remove any extra data, just get us down to the message. And now I'm going to attempt to perform a replay attack, and you should see this thing right over here will light up, just to prove that I'm not hitting the remote or something. Goes right there. We're going to go ahead and go over here to the replay button, and shoot, don't you love technology. We're going to go to, I'm going to hit the start button, and hopefully we will see that device turn on.

I successfully cloned that remote, and it's really easy. But now let's go deeper; let's actually analyze the signal and see if we can make sense of all this jumbled bit. For this example I've already kind of figured out what we need to type in, just because you can spend probably 10 minutes or so trying to figure out what you need to type in. It does have this auto-detect parameter, but as you can see it just messed it up, so I'm not going to use that. So I know I have roughly 2,000 samples per symbol. For this I'm just going to remove extra repeated symbols just to kind of get us where we need to go. So I'm going to adjust the thing here, a little more.

And I hope at this point I should be able to just, you know, get an idea. I should be able to see 1 0 1 1 1. I don't know if you can see it, but like right here, yeah, that's a lot better. It just kind of shows you what it is. Again, for this demo I'm not going to go too deep, because you realize there is a zero there and I probably need to go tweak the numbers for a bit, and that's just going to take too long. So I don't want to keep you here until like five o'clock. Anyway, we've got our signal here. That extra data shouldn't matter too much in terms of trying to show you how this works.

So I'm going to go record another signal for a different button. Now, I mean, there will be a little difference with consistency, so hope that I get that correct, but I want to go record another button and we'll be able to see the differences between the two signals. And we're just going to narrow it down again. Now it doesn't matter which one I pick from here; they're all the same message, just... And for this case it should be about the same parameters, as we recorded in the same environment and whatnot. So we've got a very similar signal. Before going to the analysis tool, it looks like we have a couple of zeros at the end which shouldn't be there, so I'll just trim them off, and yeah, it's just blank data.

And here are our two signals. Didn't get it all, whatever. If you can see, they all look very similar; we've got the 1 0 1 1, we've got the 1 0 1, but you've got some difference here. You see the one isn't there, so we've got a different signal here; we know that's a difference. So what I can do is I can hit this analyze protocol button and we'll start to see some magic happen. Sometimes it doesn't always work exactly how we want it; we have to manually define messages. But it will give you a quick idea of what you're looking at. It's not perfect, but it does work pretty well. Now I'm going to turn on the show differences feature, and immediately you can see that zero is now marked red. Now what I can do here is, I know this is probably likely my data bits, I can mark it. Oops, determine where I go, but I can mark it somewhere. Oh yeah, okay, never mind, I forgot you can mark it here as a data bit and we can go fuzz that.

For the example here I'm not actually going to fuzz the data, just because I don't want to try to interfere with any other devices here, but we'll take the signal, a little bit of fuzzing, and select the data here. We're going to tell it that we want to fuzz pretty much anything, a range of values, go back here. There, now we have probably a lot more buttons that we can hit. I can send this data back and it'll probably do something crazy. However, for this demo, and for possibly anything else that might be out there, I'm not going to do that. That's kind of an idea of how Universal Radio Hacker works. So I'm going to go ahead and pop up the slide where you can find more information, and thank you for viewing my presentation.

Audience: What would be a good way to test that at home? Is there a way to shield it without, like, everything, or lower the power?

Jordan Bush: So you can lower your power in the tool. I just kind of picked the middle ground for power because I don't want to fiddle with that. Sure, you could also try to make a short antenna; that's not going to be too efficient, but you know, you'll have a little bit of range out of it. Or you can just put it right next to the radio. I would not recommend using your radio without an antenna; that is something you don't ever do. You can also get a dummy load, which I didn't bring with me today. But you've got options. But typically just lower your power, and until you can reach it, you can probably test with the lowest power and go up like that.

Audience: Back where you were adjusting the settings for the signal and the bits, was that just a matter of tinkering with it to find the right values, or is there an easier way rather than doing the auto detect?

Jordan Bush: So the auto-detect thing works on certain modulations. I've noticed from my signal it doesn't work too well, but I've done things with other remotes, like the car remote, and the auto detect worked just fine.

Audience: A lot of digital oscilloscopes let you put time markers to do bit counting. Does it have the same feature?

Jordan Bush: I don't believe so. It just tells you what the data received was.

Audience: So what is the device that you have connected to your laptop?

Jordan Bush: So this is a HackRF One with a PortaPack attached to it. It's a software-defined radio that can go from 30 MHz to 6 GHz; you can receive a large range of spectrum. It's got a box right there. I've got the PortaPack attached to it, which is a device that adds a screen to your HackRF, and it runs a portable radio suite, basically, and it runs all in the chip. It allows you to receive a lot of different kinds of modulated frequencies, and it's really useful on the go or in the field. You have a headphone jack on the bottom that allows you to just listen or transmit on radio, just out where you are. So I think it's really nice. It only costs about 300 bucks.

Audience: What kind of computer is that, actually?

Jordan Bush: It's just a HackRF, yeah, and it has GPIO hooked up to it running a custom firmware. Yes. Any other questions? All right, there's my information. That QR code leads to the SecKC Discord, where you can find me often in the ham radio channel. I'm glad you listened to my presentation. Thank you.
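The bit-level analysis the talk walks through (choosing samples per symbol, thresholding the ASK/OOK envelope into bits, trimming the trailing zeros from the gap after the burst, and marking the positions where two captured button presses differ) can be reproduced on a constructed amplitude envelope in a few lines of Python. This is an added example; it is not code from the talk or from Universal Radio Hacker. The envelope samples, the two button bit patterns, the threshold and the samples-per-symbol value are all constructed here, no SDR is involved, and the function names are this example's own.

```python
"""Toy ASK/OOK bit recovery and message diff on a constructed envelope.

Added example, not code from the talk or from Universal Radio Hacker.
Amplitude samples, bit patterns and threshold are constructed; a real
capture would be |IQ| taken from the SDR's sample stream.
"""
from typing import Dict, List

THRESHOLD = 0.5          # constructed: between carrier-off (~0.1) and carrier-on (~0.9)
SAMPLES_PER_SYMBOL = 20  # constructed; the talk's remote needed roughly 2,000


def synth_ook(bits: str, sps: int) -> List[float]:
    """Envelope for a bit string: '1' -> carrier on, '0' -> carrier off,
    plus a small deterministic ripple so samples are not perfectly flat."""
    out = []
    for i, b in enumerate(bits):
        base = 0.9 if b == "1" else 0.1
        for k in range(sps):
            ripple = 0.025 * (((i * 7 + k * 3) % 5) - 2)  # within +/-0.05
            out.append(base + ripple)
    return out


def estimate_samples_per_symbol(amplitude: List[float], threshold: float) -> int:
    """Shortest run of consecutive on or off samples. This is what URH's
    samples/symbol field wants, provided the capture contains at least one
    isolated 1 or 0 (a run exactly one symbol long)."""
    runs, current = [], 1
    prev = amplitude[0] > threshold
    for a in amplitude[1:]:
        cur = a > threshold
        if cur == prev:
            current += 1
        else:
            runs.append(current)
            current = 1
        prev = cur
    runs.append(current)
    return min(runs)


def ook_demodulate(amplitude: List[float], sps: int, threshold: float) -> str:
    """Align to the first carrier-on sample, then decide one bit per symbol
    window from that window's mean amplitude."""
    start = next((i for i, a in enumerate(amplitude) if a > threshold), None)
    if start is None:
        return ""  # no burst in the capture at all
    bits = []
    for pos in range(start, len(amplitude) - sps + 1, sps):
        window = amplitude[pos:pos + sps]
        bits.append("1" if sum(window) / sps > threshold else "0")
    return "".join(bits)


def trim_trailing_silence(bits: str) -> str:
    """Drop the zeros produced by the gap after the burst. Caveat: a protocol
    whose final data bit is genuinely 0 loses it here, which is why the talk
    trims by looking at the waveform rather than blindly."""
    return bits.rstrip("0")


def mark_differences(messages: Dict[str, str]) -> List[int]:
    """Bit positions at which the captured messages disagree, the same idea
    as URH's show-differences highlighting."""
    width = min(len(m) for m in messages.values())
    return [i for i in range(width) if len({m[i] for m in messages.values()}) > 1]


# Constructed patterns: a shared leading part, then a few command bits.
# Button B differs from button A in one bit, like the talk's second capture.
BUTTON_BITS = {
    "button_a": "1011100001101",
    "button_b": "1011100001001",
}


def run_analysis(sps: int = SAMPLES_PER_SYMBOL, threshold: float = THRESHOLD) -> dict:
    """Simulate two captures (silence, burst, silence), recover each message
    and report where they differ."""
    silence = [0.1] * (3 * sps)
    captures = {name: silence + synth_ook(bits, sps) + silence[: 2 * sps]
                for name, bits in BUTTON_BITS.items()}
    est = estimate_samples_per_symbol(captures["button_a"], threshold)
    messages = {name: trim_trailing_silence(ook_demodulate(cap, est, threshold))
                for name, cap in captures.items()}
    return {"samples_per_symbol": est,
            "messages": messages,
            "differences": mark_differences(messages)}


if __name__ == "__main__":
    result = run_analysis()
    print("samples/symbol:", result["samples_per_symbol"])
    for name, bits in result["messages"].items():
        print(f"{name}: {bits}")
    print("differing bit positions:", result["differences"])
```

Running the script prints the estimated samples per symbol (20 for the constructed envelope), the two recovered bit strings, and the single differing position. The shortest-run estimate is the same trick the talk does by eye when the auto-detect guesses wrong: it only works if the burst contains an isolated symbol, so on a real capture check it against the waveform before trusting it.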