Hak5: Hacking Wireless Doorbells and Software Defined Radio tips

On this weeks episode of Hak5, a popular electronics and hacking YouTube show, the presenters talk about reverse engineering and performing replay attacks on wireless devices such as a doorbell. They also talk about using the recently released Yardstick One which is a PC controlled wireless transceiver that understands multiple modulation techniques (ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK) and works on multiple bands (300-348 MHz, 391-464 MHz, and 782-928 MHz), but is not a software defined radio.

Finally they discuss how to use the RTL-SDR and GQRX to stream received audio over a UDP network connection using netcat in Linux.

Hacking Wireless Doorbells and Software Defined Radio tips - Hak5 1910

If you are interested in the Yardstick one, Hak5 also uploaded two earlier episodes this month showing how to use the Yardstick one, and how to hack wireless remotes by using the RTL-SDR to do the initial reverse engineering, and then using the Yarstick One to do the transmitting.

How to begin hacking with the YARD Stick One - Hak5 1908

How to Hack Wireless Remotes with Radio Replay Attacks - Hak5 1909

Notify of

Inline Feedbacks
View all comments

My replay attacks on wireless devices such as a doorbell, https://www.youtube.com/watch?v=AcH6VGdqCio


It has to be the end of RTL-SDR.com . Two hak5 videos in one post. Darren “the alcoholic” Kitchen world renowned wannabe script kiddie and prospect wannabe hacker shows you how to do things. Shannon’s hotness is the only reason i watch their videos.


So how could the hack the rolling code?


It depends on what the rolling code actually is.

If it is something weak like a Pseudorandom number generated using a LFSR (https://en.wikipedia.org/wiki/Linear_feedback_shift_register) collect a few, the pattern can found (not easily) and the next code can be predicted.

But if it is something like, for example, taking the number of seconds since midnight on the 1st January 1970, XOR that with a shared secret key and put the result through a cryptographically strong hashing algorithm (e.g. SHA256) then you can forget about predicting the next code, without having the shared key.


for example Car Keys 99,99% all Radio Keys using Rolling Code for.
I search over a long time for good Software to see “plaintext”. I could find nothing.
Some Software are avaiable but the have nothink in there who is practicality used.


OK so car key rolling codes, probably not going to happen, the current algorithm used is extremely strong, especially when compared to the weak insecure ones used in the past.
There are still probably some old cars with the weak 32-bit LFSR seed value, no cryptographic hashing algorithm and no continually incrementing counter out there.