Most smart home and IoT devices today are controlled over network connections like WiFi, Bluetooth, LoRa, or even cellular. But in the past it was common for them to be controlled by simple radio signals. For example, there is a good chance your garage door opener remote just sends out a radio signal. To keep from opening your neighbor’s garage door, a series of DIP switches is often used to set a “unique” code. This setup is, however, incredibly insecure, which means that it’s easy to reverse-engineer and reproduce a remote, as demonstrated by Justin of pseudo-server.com.
In this guide, Justin is reverse-engineering an RF (radio frequency) remote for a gate opener, but the process will be the same for virtually all RF remotes that don’t implement some additional level of security. This takes advantage of a very popular technique called a “replay attack.” A replay attack is about as basic as hacking gets, and you can perform one by simply recording a message and then playing it back when needed. It’s a bit like recording someone’s voice when they speak to their bank, and then later playing that recording back to answer the security questions and access their account.
In the case of RF remotes, you’re recording and playing back the radio signal that is sent when you push the button on the remote. Justin achieved that by first recording the radio signal using SDRSharp software set to about 295MHz. The frequency for your remote may be different, but they’re usually within a small government-mandated range. He then used Audacity audio editing software to “zoom in” on the recorded signal and determine how much time had passed between each blip that represents a bit being sent.
That’s all the information that is needed to reproduce the signal. To send it, Justin used a cheap 315MHz RF module that was retrofitted with the 295MHz resonator from the original remote. That normally isn’t necessary, but Justin wasn’t able to find a new 295MHz RF module that was affordable. The RF module is controlled by a Microchip ATtiny85 microcontroller, which was programmed with an Arduino Uno development board. The code is very simple, and just sends out bits at the correct intervals via the RF module. The ATtiny85, RF module, a 9V battery, and a 3.3V regulator are all housed within a basic plastic case to make the whole setup portable. Now Justin can open his gate with the homemade RF remote!
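As an added illustration (not code from Justin's project), the following Python model shows why a recorded frame keeps working against a fixed-code receiver but is rejected by a rolling-code receiver that tracks a counter. The HMAC construction, the shared key, the DIP-switch value and the resync window are assumptions made for the demo, not any particular product's scheme.

```python
import hmac
import hashlib

# Constructed 10-bit DIP-switch code; a fixed-code remote sends exactly this every press.
DIP_CODE = 0b1011001110


def fixed_remote_frame(code: int = DIP_CODE) -> bytes:
    """Fixed-code remote: every press is identical, so a recording is a valid frame forever."""
    return code.to_bytes(2, "big")


def fixed_receiver_accepts(frame: bytes, code: int = DIP_CODE) -> bool:
    """Fixed-code receiver: only checks that the bits match the DIP-switch setting."""
    return int.from_bytes(frame, "big") == code


class RollingRemote:
    """Rolling-code remote model (assumption: 4-byte counter + truncated HMAC tag)."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + hmac.new(self.key, ctr, hashlib.sha256).digest()[:4]


class RollingReceiver:
    WINDOW = 16  # presses the receiver may have missed (e.g. button pushed out of range)

    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accepts(self, frame: bytes) -> bool:
        ctr_bytes, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        ctr = int.from_bytes(ctr_bytes, "big")
        if not (self.last < ctr <= self.last + self.WINDOW):
            return False  # counter already used (replay) or too far ahead
        self.last = ctr
        return True


def demo() -> dict:
    captured = fixed_remote_frame()
    key = b"constructed-shared-key"  # constructed demo key
    remote, rx = RollingRemote(key), RollingReceiver(key)
    first = remote.press()
    return {"fixed_replay": fixed_receiver_accepts(captured),
            "rolling_live": rx.accepts(first), "rolling_replay": rx.accepts(first)}
```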