Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Roll D.O.R Attacks - Getting permanent accesses in garages- 609

Penthertz, posted 4 years ago
  • This video is a demonstration of hacking a garage door remote. While trying to find out more about Penthertz, I stumbled upon their publications page which has dozens of other articles on hacking with radios. If you are looking to see hands-on radio hacking, this is an amazing place to be, since this guy is a wizard with GNU radio.
  • In real time, the creator of the video builds GNU Radio flowgraphs to do a number of things. At the beginning, they use a QT Sink to view the remote's signal and nudge the sink's centre frequency up until the transmission is found. They use the max hold and waterfall views to see how the data is formed, which clearly shows two distinct frequency peaks with the binary data encoded by switching between them. Since two frequencies are in use, this indicates FSK (frequency shift keying).
  • To decode the data, you can use the FM (frequency modulation) demodulator or the quadrature demodulator. The FM demodulator is simple and easy to use, but the author elects to use the quadrature demodulator to make the demodulation more precise. In this step, they also add an Import block to pull the math package into GNU Radio, which I had no idea was possible!
  • Because of the timing jitter and error inherent in real hardware, the author needed a way to decode this reliably. They add a Symbol Sync block, which recovers the symbol rate. Additionally, there is a deviation factor to handle clock drift, a squelch control (muting a channel with nothing on it), automatic gain control and a threshold block to handle the slight differences not caught by the earlier blocks. At the end of this section, the author just turns on Inspectrum and Universal Radio Hacker (which decoded the signal easily), since doing it automatically or by hand is easier than using GNU Radio (lolz).
  • URH's protocol features are nifty! It shows a comparison between the two recordings, supports labelling parts of the protocol (header, footer, data, fixed, padding, etc.) and has many other features that help with analysis. From looking at the differences, the author notes that this is a rolling code, since some of the values differ between two clicks of the same button.
  • Microchip-based remotes use KeeLoq, a block cipher that is used all over the place. By using a hopping code, where the data sent over the air is encrypted together with a unique counter, straightforward replay attacks are not possible. An additional mode is a challenge-response scheme called IFF (Identify Friend or Foe).
  • There are a few known attacks against KeeLoq, though:
    • RollJam. There is no timestamp in the code. As a result, an attacker can record the signal when it is sent while interfering with the copy headed for the receiver. Since that code was never received, a later replay of it will work!
    • Cryptanalysis.
    • Extracting the key from the firmware.
  • DOR is a process for cloning remotes over the air. In practice, it transfers the rolling-code state to another remote. Of course, being able to sniff this state as an attacker is the dream, since it would allow another remote to be created from it.
  • Can we do this with a remote? Yes we can! A recent project called Kaiju has come out for breaking rolling codes and generating new ones. In the demo, only a single capture was needed to get the next value in the rolling code for the device. Damn, that is terrifying! KeeLoq does not feel secure against more advanced attackers. I feel like I'm missing something on why this attack works here.
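To make the "unique counter" point from the KeeLoq bullet concrete, here is an added model of a rolling-code receiver and remote. It is not Penthertz's code and not real KeeLoq: an HMAC tag stands in for KeeLoq's cipher, and DEMO_KEY, DEMO_SERIAL and the window size are constructed values. It shows why a recorded code is worthless once the receiver has consumed it, and the resync window that lets a receiver tolerate presses it never heard.

```python
import hmac
import hashlib

# Constructed demo values. Real KeeLoq derives a per-remote key from the serial and a
# manufacturer key and encrypts (serial, counter, button) with its own block cipher;
# here a truncated HMAC over (serial, counter) stands in for that hopping code.
DEMO_KEY = bytes(range(16))
DEMO_SERIAL = 0x00A1B2C3

def make_tag(key: bytes, serial: int, counter: int) -> bytes:
    msg = serial.to_bytes(4, "big") + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

class Remote:
    def __init__(self, key: bytes, serial: int, counter: int = 0):
        self.key, self.serial, self.counter = key, serial, counter

    def press(self):
        frame = (self.serial, self.counter, make_tag(self.key, self.serial, self.counter))
        self.counter = (self.counter + 1) & 0xFFFF   # 16-bit counter, wraps like KeeLoq's
        return frame

class Receiver:
    def __init__(self, key: bytes, serial: int, window: int = 16):
        self.key, self.serial, self.window = key, serial, window
        self.last = -1  # highest counter accepted so far; nothing accepted yet

    def receive(self, frame) -> str:
        serial, counter, tag = frame
        if serial != self.serial:
            return "reject: unknown serial"
        if not hmac.compare_digest(tag, make_tag(self.key, serial, counter)):
            return "reject: bad tag"          # forged or corrupted hopping code
        if counter <= self.last:
            return "reject: replay"           # already consumed: a recording is useless
        if counter - self.last > self.window:
            return "reject: outside window"   # too many missed presses; resync needed
        self.last = counter
        return "accept"

def demo():
    remote, rx = Remote(DEMO_KEY, DEMO_SERIAL), Receiver(DEMO_KEY, DEMO_SERIAL)
    first = remote.press()
    results = [rx.receive(first), rx.receive(first)]  # fresh -> accept, same frame -> replay
    for _ in range(3):
        remote.press()                                # presses made out of range of the door
    results.append(rx.receive(remote.press()))        # counter 4: inside the window -> accept
    for _ in range(40):
        remote.press()
    results.append(rx.receive(remote.press()))        # counter 45: beyond the window -> reject
    return results
```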