Welcome to my talk, "MegaCode to facilitate gates". In this talk I will simply present what I did with this remote. It will be about electronics, about microcontrollers, about software defined radio, but I won't go into details, also because there are not a lot of details. It's a simple level, so everyone should be able to understand it, and even if you didn't do any hardware hacking yet, this talk should encourage you to do it, because it doesn't have to be hard. Also, it's not a new attack. I will spoil it from the beginning: the remote is sending a fixed code and I just replay this code. So no new attack there, but the way to achieve it was quite fun. So if you ever wanted to make some electronics and you find that LEDs are boring but you don't know what to do, or if you wanted to play with software defined radio but you think that software defined radio or radio transmission are complicated, which they are, then this is the perfect talk for you.

Yeah, there's one who is happy. That's good, one happy person.

So I looked at this remote. I was in the US for a couple of months and they gave me this remote to access my building. They gave it to everyone, and I wanted to know how secure this access gate to the building is. So this remote is used for the garage. In the US you're almost forced to have a car because public transport is not that good, so they give it to access the garage, but they also give it to access the main entry, which nobody uses but is still there, and, what's important, they gave it to access the pool area. Don't ask me why it's fenced, I also find it a bit stupid, but it's fenced. You have the remote, you can access it, and we will see that the hot tub will play a very important part in the reason why I looked at it. Simply because there is this gate: you can jump over it, but it's a lot more fun to hack it, isn't it?
So they provide you one remote which is only for one part of the building. You shouldn't have access to the other buildings, and as you can see, this complex has a lot of buildings. And this remote is not only used in this complex. It's used in a lot of complexes in California, or at least just by driving by I could recognize some of the things, and if you have seen this remote, it's exactly the same system.

But before starting to disassemble the remote, it's important to find information, particularly if you're a beginner. If you have already done a lot of hardware hacking, then you can already disassemble it, look at it, figure out what component is what and what it does. If you already know software defined radio, you will probably find out in the beginning which kind of modulation it uses. But if you've never done it, it's pretty hard. So finding some documents about the remote will help to indicate: okay, this is how it works, this is how it modulates, and so on. And I can only emphasize it: it will save a lot of time.

So we need to identify the remote. We can see on the front there's not a lot of information. On the back nothing is written, there is even a sticker missing, and if you open it you see that the electronics are pretty simple, it doesn't have a lot of components, but it doesn't tell you who the vendor is or what the product is. On the back, too, it doesn't tell you. There is even a sticker with, I think, the code which is transmitted, but I've never really figured out how they encoded it or how they transmitted it. It's not too important though. But we didn't find any information. Whenever there is a transmitter, there is a receiver. So you just run around the building and try to find the receivers to know if they have markings. On the garage gate the receiver is on the top. It's just a black box, it doesn't tell you a lot. On the pool it's also just an aluminium box, no markings on it.
We still don't know. At the main entry, this is where you find a fancy dial pad to contact the residents, and we see on the top it says it's from Linear. So at least we know the vendor, probably. And after such hard work and running around the building, you enjoy the hot tub, and this is where you use the second skill, your social skills, simply because every resident has a remote. So you make acquaintances, you make friends, and you ask: please, can I have a look at your remote? And this one had the sticker, and it's particularly useful. From the sticker we find the vendor is Linear and the product is ACT-34B. On the website we can find it, so the product still exists. We know it operates on 318 MHz, it can send 1 million codes, but the manual doesn't tell a lot. We already know the frequency and the transmission, but we want to continue and find more information.

Again, if we look at the remote, on the top you will see there is an FCC ID, and this is one thing I know of in the US: whenever a manufacturer wants to produce something which transmits radio, they have to comply with some regulations and they send test reports to the regulation authority, the FCC, to show: okay, I transmitted at that power and it complies with FCC Part 15 for radio transmission. And the FCC shows you these documents, and compared to the manual these are technical documents. So this is where we find the really neat information, and we can see that they provide a lot of data, although they don't have to provide so much. So first, the test reports tell you what kind of transmission it uses, and here we see it's amplitude modulation, something which is very simple.
So the signal, whether it's strong or not, gives you the level. It's also pulse position, A1D, and if you look in Wikipedia, A1D stands for: A is amplitude, 1 is just one channel at 318 MHz, D for digital, I think. So there are only two levels, either on or off, a very simple transmission, and the data is probably coded in pulse position. It even provides you some information about how the MegaCode code is sent: you have 24 bit frames, each bit frame is six milliseconds long, and within each bit frame you have a one millisecond pulse. So the remote goes on and just transmits very loud at this frequency. And they were so kind to provide a timing diagram and everything. Just because of the FCC ID we found everything, and we almost already know how it's encoded. So we spared a lot of time. And as you can see we have a sync bit, so the receiver knows: okay, there's a signal, I record the 20 system code bits, the three data bits, and then there's a blank cell before the next code is sent. And as I've written, each bit frame is six milliseconds long, each pulse is one millisecond long.

Now we know how it transmits, it's time to start to play with software defined radio, and even for entry level you have this cheap RTL-SDR which everyone speaks about, only $20. It's a nice software defined radio. You look at the frequency here using SDRangel, you tune to the frequency, and this is on the left, the frequency. On the top you can see a fast Fourier transform which will tell you at which frequency there is a strong signal, and we see there's a peak at 318 MHz. On the bottom,
you see a waterfall diagram. It's almost the same as on the top, but you have the timing component, so you can see over time how the signal is, and you can clearly see the pulses, every time on and off. Whenever there's a yellow peak, it's a pulse. It seems to correspond to the specification, and that's good.

Software defined radio can be complicated, and GNU Radio is complicated, and I'm not a fan of it. I don't know how to use it, it's probably very good, but we want to keep things very easy, and we know it's AM modulation. So I just use a tool called rtl_fm which can do AM demodulation. It's thought for listening to audio using the software defined radio. So you tune to your frequency, you tell it AM modulation, you put it in a file, and then you open the file using any audio editing tool, and here we can see again two times 24 pulses. If we look at the details we find the pulses are one millisecond long, and you have groups, you have bursts, and you have bit frames of six milliseconds, and we know the information is pulse position. It's quite useful because it's a bit frame, so there's only one bit per frame, and then there's a position: if you look at it, if the burst is in the first half it's a zero, if it's in the second half it's a one. This is not written in the documentation, but you figure it out pretty easily. And we know how it's encoded, so we wrote a program which just takes this demodulated data and finds out the code.
It's pretty short, 107 lines of code. It detects the edges, it groups the edges into pulses of one millisecond, then it groups the one millisecond pulses in groups of 24, and then it decodes it. And here we can see on the left the values which are decoded, the 24 bits, the three bytes, and we immediately see it's exactly the same code all the time. It's individual per remote, but it's actually always the same. So we have a replay attack: if we can record it and if we can send it, we have a clone of the remote, only using this documentation which we have.

So we want to send it. Look again at the FCC ID. Can we reflash the remote using our own code? In electronics you have a board layout which tells you which component is where. This was also provided. You can see footprints for putting a switch, S1, and every component has a reference: S1 is for a switch, U1 is for the microcontroller, and so on. Basics. So you will learn how to read printed circuit boards. There are also schematics. Schematics are a bit more abstract: before you do your circuit board, you want to know which component is connected to which other. Where they are placed, you don't really care. You just want to find out how they're connected.
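The decoding the talk just described (edges, 1 ms pulses, groups of 24, first half = 0 / second half = 1) and the transmit schedule the talk's own firmware generates later (one 1 ms pulse every 6 ms), as an added worked example in Python. This is editor-supplied code, not the talk's 107-line decoder or its PIC firmware. It assumes MSB-first bit order, the 1 sync + 20 system + 3 data field split the FCC report gives, and a 12 ms blank between repeated frames; the talk only says there is a blank cell before the next code. The on/off envelope is constructed in the script (what rtl_fm's AM output looks like once thresholded), not a capture.

```python
"""Pulse-position (OOK) encoder/decoder for the MegaCode timing relayed in the talk.

Constructed example, not the talk's own decoder or firmware. Timing: 24 bit frames
of 6 ms, one 1 ms pulse per frame, first half = 0, second half = 1. Assumed (not on
the page): MSB-first bit order, 12 ms blank between frames, 1/20/3 field split.
"""

BIT_FRAME_MS = 6.0
HALF_MS = BIT_FRAME_MS / 2
PULSE_MS = 1.0
FRAME_BITS = 24
INTER_FRAME_BLANK_MS = 12.0  # assumed; the talk only says "a blank cell"
FRAME_GAP_MS = 12.0          # in-frame spacing is 3, 6 or 9 ms, so a larger gap ends a frame


def encode_frame(code24):
    """(on_ms, off_ms) for the 24 pulses of one frame; the schedule a TX firmware drives."""
    if not 0 <= code24 < (1 << FRAME_BITS):
        raise ValueError("code must fit in 24 bits")
    pulses = []
    for i in range(FRAME_BITS):
        bit = (code24 >> (FRAME_BITS - 1 - i)) & 1
        on = i * BIT_FRAME_MS + (HALF_MS if bit else 0.0)
        pulses.append((on, on + PULSE_MS))
    return pulses


def render_envelope(code24, repeats, rate_hz=10_000):
    """Sampled on/off envelope of `repeats` frames, i.e. a thresholded AM demodulator output."""
    period_ms = FRAME_BITS * BIT_FRAME_MS + INTER_FRAME_BLANK_MS
    samples = [0] * int((repeats * period_ms + 20.0) * rate_hz / 1000)
    for r in range(repeats):
        base = 10.0 + r * period_ms  # 10 ms of silence before the first frame
        for on, off in encode_frame(code24):
            for s in range(int((base + on) * rate_hz / 1000), int((base + off) * rate_hz / 1000)):
                samples[s] = 1
    return samples


def find_pulses(samples, rate_hz):
    """Edge detection: (start_ms, length_ms) of every high run in the envelope."""
    pulses, start = [], None
    for i, s in enumerate(samples + [0]):  # trailing 0 closes a pulse at the very end
        if s and start is None:
            start = i
        elif not s and start is not None:
            pulses.append((start * 1000 / rate_hz, (i - start) * 1000 / rate_hz))
            start = None
    return pulses


def group_frames(pulses):
    """Split pulses into frames wherever the start-to-start gap exceeds FRAME_GAP_MS."""
    frames, current = [], []
    for p in pulses:
        if current and p[0] - current[-1][0] > FRAME_GAP_MS:
            frames.append(current)
            current = []
        current.append(p)
    return frames + [current] if current else frames


def decode_frame(pulses, tol_ms=0.5):
    """All 24-bit codes consistent with 24 (start_ms, length_ms) pulses.

    The slot grid starts either at the first pulse (first bit 0) or 3 ms before it
    (first bit 1). Both hypotheses are tried; one survives only if every slot 0..23
    holds exactly one ~1 ms pulse at offset 0 or 3 ms. Only an all-zero or all-one
    code leaves both hypotheses alive, so the result is normally a single code.
    """
    if len(pulses) != FRAME_BITS or any(abs(length - PULSE_MS) > tol_ms for _, length in pulses):
        return []
    codes = []
    for t0 in (pulses[0][0], pulses[0][0] - HALF_MS):
        bits = [None] * FRAME_BITS
        for start, _ in pulses:
            off = start - t0
            h = round(off / HALF_MS)  # nearest half-frame boundary
            if abs(off - h * HALF_MS) > tol_ms:
                break  # pulse is off the grid under this hypothesis
            slot, bit = divmod(h, 2)
            if not 0 <= slot < FRAME_BITS or bits[slot] is not None:
                break  # outside the frame, or two pulses in one slot
            bits[slot] = bit
        else:
            if None not in bits:
                codes.append(int("".join(map(str, bits)), 2))
    return codes


def decode_envelope(samples, rate_hz):
    """Whole pipeline: edges -> pulses -> frames -> candidate codes per frame."""
    return [decode_frame(f) for f in group_frames(find_pulses(samples, rate_hz))]


def split_fields(code24):
    """(sync, system_code, data): 1 + 20 + 3 bits as the FCC report lays them out."""
    return (code24 >> 23) & 1, (code24 >> 3) & 0xFFFFF, code24 & 0x7


if __name__ == "__main__":
    code = 0xABC123  # constructed value, not a real remote's code
    env = render_envelope(code, repeats=2)
    print([[f"{c:06X}" for c in cands] for cands in decode_envelope(env, 10_000)])
    print(split_fields(code))
```

On a real rtl_fm capture you would threshold the demodulated samples to 0/1 before handing them to `find_pulses`; everything after that is the same. The two-hypothesis grid search is what makes the decoder independent of whether the first pulse sits at offset 0 or 3 ms, and the only inputs it cannot pin down to one code are an all-zero or all-one frame, which it reports as two candidates rather than guessing.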
This is what schematics are for. And if you learn a bit how they work, you will find out there are the switches on the left, the microcontroller in the middle, the clock just behind it for 318 MHz, and then the antenna. This is also what we identify again on the board, because we have the reference which tells us U1 is the microcontroller. Look for U1 on the board and you will find the microcontroller, and you will find the clock, the switch, the antenna and some passive components. And even if you didn't do electronics, you already pretty much know how to read schematics, how to read boards and how to identify components.

The problem with that one is that it uses a Microchip PIC12C microcontroller, and this one is only one time programmable. I know this because of the schematic; the schematic told me it uses this chip, and if you look for Microchip, which is a big microcontroller vendor, very well known for hobby projects, you'll find it's only one time programmable. So I cannot reflash the code on it. It also has code protection, so I cannot read the firmware on it. This way I cannot flash it. That's a bit of a shame. But the system is so simple that probably somebody already did a compatible device. So you use your Amazon and eBay skills, you look for "Linear MegaCode compatible remote", and you find one which is not by the same vendor, it's by Transmitter Solutions. It's the Monarch 318LIPW1K. It tells you 318 MHz, perfect, the same frequency. It's compatible with the Linear ACT-31B, that's what we have, and it's programmable. That's interesting. The other one was not programmable. The manual doesn't tell you how to program it.
There's a small section telling you to contact your manufacturer, but there's the FCC ID on the right, and we've seen the FCC ID is pretty interesting. So you look at the FCC ID. You don't find as much information as for the previous one, but at least you have a picture of the interior, and you will almost immediately see that on the top there is a pin header which is unsoldered, and this indicates that this is the programming header which you should connect to program it. We buy it, the programming header is the same. We can read from the top markings on the chip what kind of microcontroller it is, and this one is flashable. It's again a Microchip PIC microcontroller, but it's based on flash and I can program it.

The next skill will be soldering. Even if you never did any hardware, you just have to solder the pins on the right side, so you can connect your programmer and program the chip. And for entry level, soldering is pretty easy to do. We also want to know how the things are connected. This time they didn't provide the schematic, but we learned a bit how to read boards. We can find the microcontroller, the clock, one LED, one switch, the programming header, and if you check with the multimeter how they are connected, you find the schematic again, and you can write your own schematic this time: microcontroller, clock, switch. A pretty simple board actually, even simpler than any Arduino or things like that. So even if you didn't use Arduino, you can use this as an entry to programming.

We figured out how everything is connected. We know how the signal is modulated, how you have to send it, so it's time to write our own firmware and just enable the clock and the transmission, one millisecond long every six milliseconds, and we know the pattern. And if you could switch to the camera here, I'll show it. So yeah, you write the program. It's pretty simple, 125 lines of code, and this way I can flash my code on it. Oh, where is my terminal?
Ah, here. Can you show the camera? Okay, while they do it I will just start the software defined radio so we can really see the transmission. Which terminal is it? The software is SDRangel. So here we have the software defined radio with the antenna, the remote is here, now we enable it, and if I press on it you see the transmission which is made, and you see it's on. Oh, you don't see it anymore. This is the receiver, I'll talk about it a bit later. And if you see on the side, whenever the code is transmitted the LED stays on, so it means this transmitter will react to this code. Normally it should blink blue, so I will do it by hand, it's somehow broken, like always in demos. So it will blink blue. It only works with this remote. It does not work with this remote, as you can see it doesn't do anything for now. Oh yeah, that's it.

So we've identified the frequency. We'll just quit it, and we just use the decoder which we had, press on the remote a couple of times, exit, and here we see the value which we decoded on the left side. We know which value it uses, and if we look at the other remote which is here... I think I have to enable it. Yeah, "make on". Operation succeeded. If I transmit this one, you can see that it transmits, using the LED, and we find that it uses another code. Now I will simply edit the EEPROM with this code, which is 218A, and flash it on it. So you use a standard... I use a PICkit 2 to program. This is generally what you use to flash these microcontrollers. Please flash, please. "No PICkit 2 found". The USB is here, connected directly here. That's not USB, this is USB. Flashing... "flash EEPROM", "make on". So now the thing is open, and if we look here again and if we send the code, then we see that it opens the gate. And this is how we clone remote codes.

Back to the presentation, if I find it here. I didn't stop at just cloning the remote. We have one code for one remote.
We want to have even more. How about getting codes from other remotes? You can do it with software defined radio again, but the SDR which you have is very centred on the frequency and the bandwidth is very narrow, so using software defined radio it's quite complicated to record a far away signal. You have to play with the gain and so on. I'm not good at software defined radio, I'm a bit better at electronics. So when there's a sender, there's a receiver: just buy a receiver online. For MegaCode, look at the receiver, open it, you see again not a lot of components, and we already learned how to identify them. You have the microcontroller, the antenna, the radio filter, the voltage regulator, then some memory. Memory where you can store codes, and generally this is the memory which is used to read out which code is allowed or not. It's a single layer design, so on the back you will see all the connections to all the other pins, you can read them visually, and using the components which you can identify on the front, you can already figure out what is connected to what. I recreated the schematics again. It uses a PIC which is only one time programmable. We don't want that, so we unsolder the chip.
That's your next skill which you will learn. Not too hard: just a vacuum pump or solder wick, and these chips are pretty resistant to this, it's hard to break them. You put in your own chip which is the same but just flashable. The name is the same. You program everything you want. You already know how the modulation works, you already wrote code for demodulating, you already wrote code for the microcontroller, so you do exactly the same, but just on this microcontroller. And then you put it just next to a garage door, you power it over USB, and you wait until lots of people go home and come back, and you record lots of codes. So you can impersonate anyone you want, just because you have the code and they are fixed. But another problem is that you know when they leave home and you know when they come back, it's an individual code, so you probably could go home and then steal everything and have enough time to leave.

The pool again. This is the last piece of information, very important, simply because the pool is fenced and at 10 o'clock they kick you out. So they have a security guard who comes in at 10 o'clock and triggers his remote. I wait with my decoder, I record the security code, and I have the security code and enjoy the hot water. And with the security code I can access the pool after 10 o'clock, I can access every building, and you could access the security room with all the TVs. And if you don't want to wait for security, you take one working code, you flip a bit, you flash it, you test if the gate still opens, and this way you find which bit is important, which bit isn't, which bits are relevant. And from the 24 bits you have only 15 bits which are relevant. So you could write a firmware on this remote which just starts brute-forcing the code, and you don't have to find one code, you have thousands of residents. So with 15 bits and thousands of residents, it's pretty easy to find the right code to enter the same building. But because we're not evil hackers, we tell the vendor, and as always, the vendor just doesn't care, even if they provide security products. And I also show this talk because the solutions to it are quite easy. They're called rolling codes, where the code changes all the time but you have a fixed seed. If you do such a system you should use rolling codes. So therefore, if they don't do it...

What we've learned is that it's not hard to do hardware hacking. We reverse engineered a real device used for security, for gates. We improved how we search for documents. We've made new friends at the hot tub. We know how to program an easy microcontroller; there are lots of code examples which will help you to program this one, it's really very well documented. We used software defined radio. At this level it's not voodoo, it works. We know how to solder and desolder. We had fun, and if you want more info, there's the wiki, there are two videos which go more into the details, and the source code is also available. And with that, I'm open for questions.

Thank you very much for this great talk. So, any questions? Please line up behind the microphones. Oh yeah, number four, please.

Hello, I work at a research facility, it's an accelerator facility, and I've got access to my laboratory rooms with this stuff, and there is really expensive equipment behind the doors. So the first thing I'm gonna find out is if this works. If it doesn't, what you mentioned, these rolling codes: so if it doesn't work like that, what is a rolling code, and is it easy to break, or is it...?

No. That's the solution for not cloning remotes, and this is particularly important,
for example, if you have a car, because you don't want everyone to steal the car, and you have cars with remotes. The car industry uses rolling codes a lot, and how it works is that you have one seed in the remote, and every time you press the button it generates, it calculates a hash, some kind of hash, of the seed, and every time it changes because the counter increments. And in the car it has exactly the same seed; it knows this remote has this seed, so it knows which code will be next, and the code every time will be completely random, so you don't know which comes next if you don't know the seed. And if you have a central building, then you have a central remote system which knows which code is transmitted. So they should use rolling codes if they have a central system. If they don't have a central system, it's a bit harder because you need to synchronize the two. But yeah, try to find one with rolling codes, and using software defined radio you can easily see if it uses rolling codes or not.

Okay, thank you. The internet has a question.

Okay, yeah, the internet wants to know, or somebody on the internet wants to know, why you didn't get into, or if you did get into, any kind of trouble because of you breaking into the hot tub, or, like, actually being able to open any of those doors.

I haven't been to the security room because I'm not interested in the security room, I'm interested in relaxing. And also in this building it's not really important to have a remote and to have all this hassle of reverse engineering, because, as you see, in the hot tub the barrier is pretty low, so you jump over it, and around the building you will always find a door which is open. So you can always come into the building, and I had no problem, even with the security. I mean, they don't see if it's a cloned remote or not.

One more question from the internet, please.

Yeah, somebody wants to know if it's possible to open cars with this.

No, not new cars. New cars use rolling codes and still have stronger encryption. So if your car uses this, you should sue them. But generally cars have rolling codes and you cannot use this technique. It's a lot more advanced in cars. Try to use something which is less attacked.

Okay, thank you. So I guess we have time for one more question from the internet. Okay, I was going to say that there's none, but there's one now. And that is: what other stuff can I open with your method?

Well, we did it for one garage remote, and generally garage remotes are not very secure. Try to find another one. This is just one product from one company which is in California. In Europe they will probably use something completely different. So look together at your garage door, or the garage door of your neighbor, things like that. Generally they are very simple devices, so look at that.

Okay, thank you. Thank you very much. Thank you.