How do I open the garage door (please do not imitate illegally)

This article aims to open a garage's electric rolling shutter door by radio remote control without the original key. It studies ASK/OOK encoding and decoding in depth and uses a Raspberry Pi plus a five-yuan transmitter module to realize several different ways of opening the garage door. It applies to mainstream 315/433MHz radio frequency remote controls.

Background

The garage is equipped with an electric rolling shutter door. In order to understand its security and to control it independently, we studied the principle of its remote control. In the process, I tested almost all the wireless remote controls in my home, including electric curtains, projection screens, electric clothes hangers and car keys. Except for the car key, everything else was similar: ASK/OOK encoding.

ASK, simply put, is amplitude modulation: different amplitudes represent different information. OOK is a special case of ASK in which only 0 and 1 need to be represented, so carrier present can represent 1 and carrier absent can represent 0. In practice it is not quite so direct; pulse width modulation (PWM) is usually layered on top to improve resistance to interference.

Use HackRF to determine feasibility

It is said that some garage doors use rolling codes (the code changes with every press). We can first use HackRF to do a simple replay test.

Record 2 seconds of signal and play back:

hackrf_transfer -f 433920000 -s 2000000 -a 1 -r capture.raw -n 4000000 -g 40 -l 16
hackrf_transfer -f 433920000 -s 2000000 -a 1 -t capture.raw -x 40

Part of the output while running:

call hackrf_set_sample_rate(2000000 Hz/2.000 MHz)
call hackrf_set_hw_sync_mode(0)
call hackrf_set_freq(433920000 Hz/433.920 MHz)
call hackrf_set_amp_enable(1)
samples_to_xfer 4000000/4Mio
Stop with Ctrl-C
 3.9 MiB / 1.000 sec = 3.9 MiB/second
 3.9 MiB / 1.000 sec = 3.9 MiB/second
 0.3 MiB / 1.000 sec = 0.3 MiB/second
Exiting... hackrf_is_streaming() result: streaming terminated (-1004)

In actual testing, replaying the recorded signal does control the door (if it does not, adjust the gain of the HackRF amplifier). But this has little technical content, the cost is high and the amount of data is large. Our goal is to decode the signal and then re-encode and replay it.

Use GNU Radio to record signals

Use GNU Radio to build a simple receive flowgraph: on the one hand the received signal is saved to a file, on the other hand it is displayed in a waterfall chart as real-time feedback. Because the remote control signal is at 433.92MHz, the center frequency can be set near this; a sampling rate of 2M is enough.

The following picture is a waterfall chart during operation, in which the remote control is pressed 5 times.

Use Inspectrum to decode manually

Install inspectrum with apt-get, or download the latest Inspectrum source and compile it yourself according to the documentation. I've tried it on Debian and Mac and it works fine (using MacPorts on Mac requires installing a bunch of dependencies). There is not much to say about compilation; the main decoding steps are as follows:

  1. Open the previously recorded file with Inspectrum and set the sample rate to the one used during recording (2M);
  2. Drag horizontally to find the area with signal;
  3. Right-click on the original signal, Add derived plot => Add sample plot;
  4. Two horizontal lines now appear on the original signal; drag them with the mouse to adjust the center frequency and bandwidth;
  5. Right-click on the original signal, Add derived plot => Add amplitude plot;
  6. Right-click on the Amplitude plot, Add derived plot => Add threshold plot;
  7. Check "Enable cursors"; two vertical lines appear;
  8. Zoom in on the signal and move the two vertical lines so that they span exactly one symbol. Note that the leading high and low levels (start1, start0) are skipped. Data is usually pulse width encoded, and a pair of high and low levels represents one bit: a wider high level represents a 1 and a wider low level represents a 0. You should be able to see this pattern in the picture.
  9. Increase the number of symbols until the whole signal area is covered (65 symbols in the picture, which corresponds to one complete key), and adjust the alignment at both ends (there is usually a longer low level at the end). The symbol rate, i.e. the baud rate (for OOK this equals the bit rate), can then be read off.

Finally, right-click on the Amplitude plot or the Threshold plot and choose Extract symbols (to stdout) to get the decoded data. The former is equivalent to an analog signal (simply put, positive numbers represent 1 and negative numbers represent 0); the latter is the bit stream we want.

To confirm that the decoding is correct, select another signal area and repeat the same steps to see whether the results agree. After all, ASK is not very resistant to interference, and one or two bits may occasionally be wrong. Usually the same data is sent several times for each press of the remote.

Remote control signal encoding analysis

Based on the previous decoding and the analysis of more remote controls, a model can be summarized. It consists of the following parts (parameters):

  • start1: The starting high-level time length;
  • start0: The starting low-level time length;
  • stop0: The ending low-level time length;
  • period: The period of each bit. In PWM coding, each bit corresponds to a pair of high/low levels, and they are always high first and then low;
  • duty: Duty cycle. For example, a duty cycle of 75% means that if about 75% of a period is high level it represents 1, and if about 75% of a period is low level it represents 0;
  • bits: The actual bit stream.

The duty cycle here must be greater than 50%, usually around 75%. This separates the two levels within each period by a clear ratio, which reduces misjudgment at the receiving end; it also ensures that both levels can actually be sampled during reception, which again reduces bit errors. Imagine a duty cycle of 99%: the level that lasts only 1% of the period may never be sampled by the receiver, so the receiver sees the same level for 199% (or even more) of a period, so that when decoding
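The argument above can be checked in simulation. The following is an added example, not the article's code: it encodes a frame with the article's model (start1, start0, period, duty, bits, stop0), samples it the way a receiver would, and recovers the bits from the observed edges; the frame parameters and bit pattern are constructed values.

```python
# Added example (not the article's code): simulate the article's PWM/OOK model at the
# receiver to show why the duty cycle is kept near 75% rather than near 99%.
# Times are integer microseconds; the frame parameters are constructed values.
BITS = [1, 0, 1, 1, 0, 0, 1, 1]
START1, START0, STOP0, PERIOD = 300, 2000, 5000, 1000
SAMPLE_US = 100                  # the receiver samples the level every 100 us

def encode_pwm(bits, duty, start1=START1, start0=START0, stop0=STOP0, period=PERIOD):
    """Transition timestamps of the article's waveform model; it always starts high."""
    ts = [0, start1, start1 + start0]
    t = start1 + start0
    for bit in bits:
        w = duty if bit else 1 - duty       # a 1 is mostly high, a 0 mostly low
        ts.append(t + round(period * w))
        t += period
        ts.append(t)
    ts[-1] += stop0                         # the final low level is stretched to stop0
    return ts

def sample(ts, interval):
    """Levels a receiver sees when it samples the waveform every `interval` us."""
    levels = []
    for t in range(0, ts[-1], interval):
        passed = sum(1 for edge in ts[1:] if edge <= t)
        levels.append(1 if passed % 2 == 0 else 0)     # level flips at every edge
    return levels

def decode_pwm(levels, interval, period):
    """Receiver-side version of the article's rule: per high/low pair, a high longer
    than half a period is a 1.  Bit boundaries come only from the edges it saw."""
    runs = []                               # run-length encode into [level, count]
    for s in levels:
        if runs and runs[-1][0] == s:
            runs[-1][1] += 1
        else:
            runs.append([s, 1])
    pairs = runs[2:]                        # skip the start1 high and start0 low
    return [1 if pairs[i][1] * interval > period // 2 else 0
            for i in range(0, len(pairs) - 1, 2)]

def recovered(duty):
    """Bits the simulated receiver recovers for a given transmit duty cycle."""
    return decode_pwm(sample(encode_pwm(BITS, duty), SAMPLE_US), SAMPLE_US, PERIOD)

if __name__ == "__main__":
    print("sent     ", BITS)
    print("duty 0.75", recovered(0.75))    # every bit comes back
    print("duty 0.99", recovered(0.99))    # 10 us levels fall between samples; bits merge
```

With a 75% duty cycle every level lasts at least 250 us and is sampled several times, so all eight bits are recovered; with 99% the 10 us levels fall between samples, neighbouring bits merge into one long level and the receiver gets fewer bits than were sent.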

Transmitter module

Initially, I wanted to use GNU Radio to perform the ASK/OOK encoding and transmission. The versatile HackRF and SDR should be able to handle such a small case.

After some research, I found that this is not an easy task and requires many blocks. It might be a good GNU Radio practice exercise, but I decided to see whether there was an easier way first.

Then I drooled over TI's EZ430-Chronos watch and looked for a "cheap" RfCat, but found it was not easy to get hold of. Finally, I found a truly cheap item on the all-powerful online marketplace: only 5 yuan! (No loss, no cheating.)

This module is very simple: it amplitude-modulates the input level onto a 433/315MHz carrier and transmits it, so a high level on the DATA input produces carrier output. (Note that what is modulated here is the level, not data. In other words, the module does not care how long the high or low level corresponding to a data "1" lasts; that is the encoding module's job.)

Coding in Python

In order to modularize the code and reduce the amount of computation during transmission, we adopt an encode-first, then-send approach. According to the ASK signal model established earlier, the signal is encoded into a waveform of alternating high and low levels and represented by an array. Each element of the array stores the timestamp at which the level switches between high and low. The waveform always starts with a high level.

Theoretically, parameters such as the start/end level duration and duty cycle do not need to be strictly accurate, but this depends on the tolerance of the receiving end, so we try to be faithful to the original signal.

The following is the core Python code snippet, where ts is the timestamp array.

    def encodePWM(self, ts):
        # ts receives the time of every level transition; the waveform starts high.
        t = 0
        ts.append(t)
        t += self.start1            # leading high level
        ts.append(t)
        t += self.start0            # leading low level
        ts.append(t)
        for bit in self.bits:
            # each bit is one period, high first then low:
            # a 1 is high for duty*period, a 0 is high for (1-duty)*period
            w = self.duty if bit else 1 - self.duty
            ts.append(t + self.period * w)
            t += self.period
            ts.append(t)
        ts[-1] += self.stop0        # stretch the final low level into stop0

Send with Raspberry Pi

The sending side is very simple: connect the DATA pin of the transmitter module to a GPIO of the Raspberry Pi, and power the module directly from the Raspberry Pi.

Then flip the corresponding GPIO alternately according to the timestamp. The following is the core code of Python.

    import time
    import RPi.GPIO as GPIO

    def send(self, ts):
        b = 1                       # the waveform always starts high
        t1 = time.time()
        GPIO.output(self.pin_tx, b)
        t1 -= ts[0]                 # align the timeline so that ts[0] is "now"
        for t in ts[1:-1]:
            b = 1 - b               # flip the level at every transition
            wait = t1 + t - time.time()
            if wait > 0:
                time.sleep(wait)
            GPIO.output(self.pin_tx, b)
        # hold the final (low) level until the end of stop0
        wait = t1 + ts[-1] - time.time()
        if wait > 0:
            time.sleep(wait)

Although there is a certain error in using sleep to control the time, and the script language does not run that fast, it is sufficient in actual testing. The picture below is the waveform diagram of the DATA pin seen on the oscilloscope (both channels are connected to the DATA pin).

To facilitate observation, I set the encoding period to 1ms, which corresponds to the 1ms/div of the oscilloscope interface. The measured spacing in the picture is 2.78ms (expected is 2.75ms), the deviation is acceptable.

Several ways to open the garage door

Put the transmitting device in the garage and connect it to the network. We can control the opening/closing of the garage door independently without a key.

Opening and closing the door from a mobile phone

You don't need to write an app yourself: log in from an ssh terminal with key authentication and run the command. The door can then be opened or closed with one tap on the phone, and controlled remotely.

Automatically open and close the door

Use a designated mobile phone as the key. When you bring the phone near the garage (in practice, once it has connected to the garage WiFi), the door opens automatically. The general process is:

  1. Remotely execute the router's iwinfo command (shown below) to list the devices connected to it;
  2. If the MAC of the mobile phone used as the key is in the list and its signal strength (SNR) exceeds the set value, it counts as a valid connection. When the number of valid connections changes from 0 to non-0, the door is opened automatically;
  3. When the number of valid connections from the key phone drops to 0, the door is closed automatically.

ssh [email protected] 'iwinfo ra0 assoclist && iwinfo rai0 assoclist'
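The decision logic of the three steps, as an added example that is not part of the original article: it parses the assoclist output, counts connections that satisfy the article's validity rule, and acts only when that count crosses zero. The assoclist text is a constructed sample in the layout iwinfo prints, and KEY_MACS and MIN_SNR are placeholders.

```python
# Added example (not the article's code): parse `iwinfo <iface> assoclist` output and
# apply the article's rule: count key-phone connections (known MAC, SNR above a
# threshold); 0 -> non-0 opens the door, non-0 -> 0 closes it.  The assoclist text
# is constructed and KEY_MACS / MIN_SNR are placeholders.
import re

KEY_MACS = {"AA:BB:CC:DD:EE:01"}   # placeholder: MAC of the phone used as the key
MIN_SNR = 30                       # placeholder: SNR (dB) needed to count as present

# Constructed sample: one header line per station, then indented detail lines.
ASSOCLIST = """\
AA:BB:CC:DD:EE:01  -55 dBm / -95 dBm (SNR 40)  20 ms ago
    RX: 72.2 MBit/s, MCS 7, 20MHz, short GI             1200 Pkts.
    TX: 65.0 MBit/s, MCS 7, 20MHz                       3400 Pkts.
11:22:33:44:55:66  -88 dBm / -95 dBm (SNR 7)  1500 ms ago
    RX: 6.5 MBit/s, MCS 0, 20MHz                          12 Pkts.
    TX: 6.5 MBit/s, MCS 0, 20MHz                          30 Pkts.
"""
STATION = re.compile(r"^([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s.*?\(SNR\s+(-?\d+)\)", re.I)

def parse_assoclist(text):
    """MAC -> SNR for every station header line; indented detail lines do not match."""
    stations = {}
    for line in text.splitlines():
        m = STATION.match(line)
        if m:
            stations[m.group(1).upper()] = int(m.group(2))
    return stations

def valid_connections(stations, key_macs=KEY_MACS, min_snr=MIN_SNR):
    """The article's rule: a key-phone MAC whose SNR exceeds the set value."""
    return sum(1 for mac, snr in stations.items() if mac in key_macs and snr > min_snr)

def next_action(prev_count, count):
    """Edge-triggered: act only when the valid-connection count crosses zero."""
    if prev_count == 0 and count > 0:
        return "open"
    if prev_count > 0 and count == 0:
        return "close"
    return None

def poll_sequence(snapshots):
    """Run the state machine over successive captures of the assoclist output."""
    actions, prev = [], 0
    for text in snapshots:
        count = valid_connections(parse_assoclist(text))
        actions.append(next_action(prev, count))
        prev = count
    return actions
```

Because the outputs of the two iwinfo calls are simply concatenated, the line-based parser handles both radios at once. A MAC address identifies a device but does not authenticate it, so this is a convenience trigger rather than an access control.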

The advantage of automatically closing the door is that it can prevent people from forgetting to close the door after leaving (it really happened in my house).

Open Sesame

Theoretically it can be done, but it requires reliable voiceprint recognition. Forget it.

Lock the garage door

Set the GPIO connected to the transmitter module to a constant high level. Since the module's signal is strong and the distance is short, the receiver always sees a 1, so no real key can open the door.

Conclusion

Garage doors that do not use rolling codes are really not secure at all. Whether by simply replaying the original signal or by decoding it and re-encoding it, it is fairly easy to do. But we can turn this insecurity to our advantage and open and close our own door more flexibly. In addition, driving the transmitter module with a constant high level interferes with the key's signal and effectively locks the garage door.

But without capturing the key's signal, brute-forcing the key is not that easy: besides matching data and the same carrier frequency, ASK encoding also requires the data rate, and even the durations of the start and end levels, to be consistent.

Using a cheap hardware transmitter module with a Raspberry Pi (or microcontroller) can encode/transmit ASK/OOK signals at low cost, which is simple and easy. However, HackRF plus Inspectrum decoding is only suitable for experimentation and debugging, and has low practical value. In the future, we will try automatic decoding of ASK/OOK (you know what decoding can be used for).
