Chaos-Sec-Lab
Last updated
0x00. INTRODUCTION
I believe that when people are new to hacking RF lock systems, one of the most common questions they ask is which tools they need. Usually I would say a HackRF is a must-have tool. Recently, the Flipper Zero has become one of the most popular gadgets among RF hackers. To be honest, the first time I heard about the Flipper Zero I was not that impressed. I already owned a bunch of wireless hacking tools, such as a Proxmark3, a YARD Stick One and a HackRF with PortaPack. Why get another toy that provides similar functions? Soon I learned that I was wrong about it. For instance, beyond its rich wireless capability, the Flipper Zero also supports extension modules through its GPIO header. This feature turns the Flipper Zero into the LEGO of hackers ;)
(After a two-hour wait in the queue, I finally got one at DEF CON 31)
This article is a beginner's journey into RF lock hacking, working through lock attacks with the Flipper Zero and other RF hacking tools. I hope each case study gives people a better idea of what they need for hacking RF locks.
0x01. SIGNAL JAMMING
One of the easiest yet most effective RF attack techniques is signal jamming. The attacker continuously transmits noise on the same frequency channel as the target, so that the intended receiver cannot pick the legitimate signal out of the interference. Jamming disrupts communication between two or more devices simply by shouting louder: it does not matter what you shout, as long as the others cannot be heard. It works so well against lock systems because their simple OOK receivers have no way to tell the keyfob's transmission apart from a stronger signal on the same channel; the fob's pulses are just drowned out.
(Jamming signals on the spectrum diagram)
Jamming attacks against car locks are also a favorite of thieves. Criminals use hidden jamming equipment to prevent car owners from locking their cars: the owner presses the fob, the lock command never reaches the car, and once the owner walks away the thief opens the door and takes whatever was left inside. Although signal jamming is not a new concept, it keeps growing in popularity among criminals as the technology becomes more sophisticated and more easily accessible.
Below is a video demonstration of the car jamming attack with a HackRF; it shows how effective the attack is. Do not trust the button press alone: confirm that the doors actually locked (indicator flash, lock sound, or a pull on the handle) before you leave.
Although the Flipper Zero ships with regional frequency restrictions, installing a custom firmware (Xtreme) removes that limit, which makes the Flipper Zero a convenient platform for experimenting with the jamming attack.
(Source from @McSHUR1KEN)
0x02. SIGNAL REPLAY BLINDLY
Of course, it would be cooler if we could control the target. The replay attack is one of the oldest tricks in the book, and it achieves exactly that. Most RF lock systems operate in the 315 MHz or 433 MHz bands, and some of them still use a fixed-code mechanism: the keyfob transmits the same bit pattern on every button press, and the receiver accepts that pattern whenever it hears it, with no counter or challenge tying it to a particular press. Rolling-code fobs (KeeLoq-style) defeat a plain replay because each code is only valid once, which is why this attack only works on systems that still use fixed codes. For those, we can just leave a capture device near the target and wait patiently; with a bit of luck we catch the unlock signal for a later replay.
This is a lot like fishing, except the reward is an unlock signal. Below is a video demonstration of the replay attack with a HackRF. As you can see in the video, it works like a charm.
Interestingly, Tesla's charging port still uses a fixed-code mechanism. People can download pre-recorded Tesla Charge Port files to the Flipper Zero and mess with other Tesla owners, who have no idea what is going on behind the scenes.
(Source from @takeapart)
0x03. SIGNAL REPLAY ANALYZE
Blindly replaying the signal is not going to satisfy a hacker. Unlike the jamming attack, if we want to get to know our target better we need to find out its operating frequency, modulation and encoding scheme, encoder chip model, and so on. For example, we can learn the operating frequency with the Frequency Analyzer application built into the Flipper Zero.
(Source from a good amigo)
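To show what the analysis step looks like once you have pulse widths in hand, here is an added example that is not part of the original post: a small decoder for the 1:3 OOK pulse-width scheme shared by the PT2262 (Princeton) and EV1527 encoders, run over a constructed capture of the kind a Pulse Plotter, URH or rtl_433 trace would give you. The capture, its jitter, the code value 0x12345, the "shortest high pulse is one time element" heuristic and the 10 x TE sync threshold are all my assumptions, not measurements from the post's fobs. The decoder estimates TE, splits frames on the long sync gap, and then reads the 24 bits both as an EV1527 ID/data pair and as PT2262 tri-state pins, so an impossible "10" pin pair tells you which of the two encoders you are looking at.

```python
"""Decode a Princeton/EV1527-style OOK PWM capture into bits.

Added example, not from the original post. Input is a list of alternating
pulse durations in microseconds: positive = carrier on (high), negative =
carrier off (low), the same convention Flipper RAW .sub files use.
"""
from statistics import median

# Constructed capture (not a real recording): the 24-bit pattern
# 0001 0010 0011 0100 0101 0001, each bit sent as short-high/long-low ('0')
# or long-high/short-low ('1') with +-20 us jitter, closed by the sync gap.
FRAME = [
    392, -1208, 404, -1196, 388, -1212, 1204, -396,   # 0 0 0 1
    400, -1200, 396, -1204, 1196, -404, 408, -1192,   # 0 0 1 0
    392, -1208, 400, -1200, 1212, -388, 1192, -408,   # 0 0 1 1
    404, -1196, 1200, -400, 396, -1204, 388, -1212,   # 0 1 0 0
    400, -1200, 1208, -392, 404, -1196, 1196, -404,   # 0 1 0 1
    392, -1208, 400, -1200, 396, -1204, 1204, -396,   # 0 0 0 1
    400, -12404,                                       # sync: short high, ~31 TE low
]
CAPTURE = [-9876] + FRAME + FRAME   # recording starts in silence; fob repeats the frame


def decode_pwm_frames(durations, gap_ratio=10):
    """Return (te, ratio, frames): estimated time element in us, long/short
    pulse ratio, and one bit string per frame found in the capture."""
    d = list(durations)
    while d and d[0] <= 0:            # drop leading silence so d[0] is a high pulse
        d.pop(0)
    highs = [x for x in d if x > 0]
    te = min(highs)                    # assumption: shortest high pulse is one TE
    longs = [x for x in highs if x >= 2 * te]
    ratio = round(median(longs) / te) if longs else 1   # 3 for PT2262/EV1527
    frames, bits = [], ""
    for i in range(0, len(d) - 1, 2):
        hi, lo = d[i], -d[i + 1]
        if hi <= 0 or lo <= 0:         # alternation broken: stop rather than guess
            break
        if lo >= gap_ratio * te:       # a long low is the sync gap closing a frame
            if bits:
                frames.append(bits)
            bits = ""
            continue
        bits += "0" if hi < 2 * te else "1"
    if bits:                           # trailing partial frame, kept for inspection
        frames.append(bits)
    return te, ratio, frames


def as_ev1527(bits):
    """EV1527 framing: 20-bit ID followed by 4 data (button) bits."""
    if len(bits) != 24:
        raise ValueError("EV1527 frames are 24 bits")
    return int(bits[:20], 2), int(bits[20:], 2)


def as_pt2262(bits):
    """PT2262 framing: 12 tri-state pins, two bits each; '10' never occurs,
    so a '?' in the result means the frame is not a PT2262 code."""
    table = {"00": "0", "11": "1", "01": "f"}
    return "".join(table.get(bits[i:i + 2], "?") for i in range(0, len(bits), 2))


def analyze(durations):
    """Summarise a capture: timing, frame count, and both interpretations."""
    te, ratio, frames = decode_pwm_frames(durations)
    full = [f for f in frames if len(f) == 24]
    report = {"te_us": te, "ratio": ratio, "frames": len(frames),
              "codes": sorted(set(full))}
    if full:
        code = full[0]
        report["hex"] = f"{int(code, 2):06X}"
        report["ev1527"] = as_ev1527(code)
        report["pt2262"] = as_pt2262(code)
    return report


if __name__ == "__main__":
    for key, value in analyze(CAPTURE).items():
        print(f"{key:8} {value}")
```

Run against the constructed capture it reports TE of about 388 us, a 1:3 ratio, two identical frames, and an EV1527 reading of ID 0x12345 with data 1, while the PT2262 reading contains a "?": that mismatch is exactly the check that tells you the fob uses the 1527 binary framing rather than Princeton tri-state pins. Feed it the numbers from rtl_433 or URH and compare the two readings the same way.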
Alternatively, go the old-school way: disassemble the keyfob and investigate the PCB. On this e-scooter keyfob we find the RF IC (CMT2150L) and its crystal (26.250 MHz). From the datasheet we can work out the operating frequency and confirm the encoder format, which is 1527 (EV1527-compatible). Most importantly, the datasheet gives the pinout of the CMT2150L. Once we connect an oscilloscope to the right pins and press the unlock button, the data pulses of the unlock signal are right in front of us. To make the analysis easier, we can use rtl_433 to capture the raw data from this e-scooter keyfob over the air; its -A analyzer mode prints the pulse widths and a guess at the modulation. Since the lock system of this e-scooter again relies on a fixed code, we can simply use the Flipper Zero to unlock it, as you can see in the video below.
0x04. SIGNAL REPLAY BRUTEFORCE
Have you ever wondered whether those fixed-code lock systems are brute-forceable? Here is an interesting lock: it comes with 8 DIP switches on both the lock and the keyfob, and each switch can be set up, center or down, which gives 3^8 = 6561 possible combinations.
Using the Flipper Zero we can tell this lock is based on the Princeton encoding (the PT2262 family: each DIP switch drives one tri-state address pin, every pin is sent as two bits, so the 8 switches fix 16 of the frame's 24 bits and the remaining bits carry the button code). We can also use the Flipper Zero's Pulse Plotter app to analyze the signal. However, I would recommend a tool designed for reversing wireless signals, Universal Radio Hacker (URH). URH is a complete suite for wireless protocol investigation: it demodulates signals and automatically detects the modulation parameters, which makes it easy to identify the bits and bytes that fly over the air. After capturing the unlock signal from the keyfob, the fixed-code contents can be read out in URH. Since the DIP switches allow only 3^8 = 6561 combinations, it is easy to brute force all of them with URH's Fuzzing function, as you can see in the video below. Hong5489 has implemented the brute-force .sub files for the Flipper Zero; you can get them from his GitHub. One thing to be careful about: when he tried to brute force his own gate, he accidentally opened his neighbor's gate as well, because a blind sweep triggers every fixed-code receiver in range that shares the frequency and encoding.
0x05. SUMMARY
In this article we have looked at the common methods of RF lock hacking. In Part 2 we are going to look at more advanced and interesting RF lock hacking techniques. Stay tuned.