UPDATE: Version 2 of RPiTX renders this tutorial obsolete, as it is now very easy to copy and replay signals using the RPiTX GUI and an RTL-SDR. The tutorial is still valid for the overall concept.
With an RTL-SDR dongle, Raspberry Pi, piece of wire and literally no other hardware it is possible to perform replay attacks on simple digital signals like those used in 433 MHz ISM band devices. This can be used for example to control wireless home automation devices like alarms and switches.
In this tutorial we will show you how to perform a simple capture and replay using an RTL-SDR and RPiTX. With this method there is no need to analyze the signal, extract the data and replay using a 433 MHz transmitter. RPiTX can replay the recorded signal directly without further reverse engineering just like if you were using a TX capable SDR like a HackRF to record and TX an IQ file.
Note that we've only tested this replay attack with simple OOK 433 MHz devices. Devices with more complex modulation schemes may not work with this method, but the vast majority of 433 MHz ISM band devices use simple modulation schemes that will work. Also, replay attacks will not work on things like car keys and most garage door openers, as those have rolling code security.
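To make the rolling code caveat concrete, here is an added Python model (not part of the original tutorial, and not any real product's algorithm) of why a frame recorded from a fixed-code remote is accepted again by its receiver, while the same recording is rejected by a receiver that tracks a counter; the key, device ID and window size are constructed values.

```python
# Added example, not from the original tutorial: a captured frame replays against a
# fixed-code receiver but not a rolling-code one. The rolling-code scheme here is a
# simplified stand-in (HMAC over a counter), not any real product's algorithm.
import hashlib
import hmac
KEY = b"constructed-demo-key"      # constructed shared secret, remote <-> receiver
DEVICE_ID = 0xA5C3F1               # constructed fixed-code identifier

def fixed_code_frame(device_id):
    # Fixed-code remote: every press sends the same identifier bits.
    return device_id.to_bytes(3, "big")

def fixed_code_accept(frame):
    # Receiver compares bits only, so any recording of them is accepted again.
    return frame == fixed_code_frame(DEVICE_ID)

class RollingCodeRemote:
    def __init__(self):
        self.counter = 0
    def press(self):
        self.counter += 1          # counter advances on every press
        ctr = self.counter.to_bytes(4, "big")
        return ctr + hmac.new(KEY, ctr, hashlib.sha256).digest()[:4]

class RollingCodeReceiver:
    WINDOW = 16                    # tolerate presses the receiver never heard
    def __init__(self):
        self.last = 0
    def accept(self, frame):
        ctr, tag = frame[:4], frame[4:]
        if not hmac.compare_digest(tag, hmac.new(KEY, ctr, hashlib.sha256).digest()[:4]):
            return False           # forged or corrupted frame
        n = int.from_bytes(ctr, "big")
        if not self.last < n <= self.last + self.WINDOW:
            return False           # counter already consumed: a replayed frame
        self.last = n
        return True

def simulate():
    # Replay one captured frame against each receiver type (constructed data).
    captured = fixed_code_frame(DEVICE_ID)
    remote, rx = RollingCodeRemote(), RollingCodeReceiver()
    frame = remote.press()         # legitimate press, recorded off the air
    first, replay = rx.accept(frame), rx.accept(frame)
    for _ in range(3):
        ahead = remote.press()     # two presses missed, third still in window
    return {"fixed_first": fixed_code_accept(captured),
            "fixed_replay": fixed_code_accept(captured),
            "rolling_first": first, "rolling_replay": replay,
            "rolling_resync": rx.accept(ahead)}
```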
A video demo is shown below:
RPiTX is open source software which allows you to turn your Raspberry Pi into a general purpose transmitter for any frequency between 5 kHz and 500 MHz. It works by using square waves to modulate a signal on the GPIO pins of the Pi. If controlled in just the right way, FM/AM/SSB or other modulations can be created. By attaching a simple wire antenna to the GPIO pin these signals become RF signals transmitted into the air.
Of course, this creates an extremely noisy output with a significant number of harmonics. So to be legal and safe you must always use bandpass filtering. Harmonics could interfere with important life critical systems (e.g. police/EMS radio, aircraft transponders etc).
For testing, a short wire antenna shouldn't radiate much further than a few meters past the room you're in, so in this case you should be fine without a filter. But if you ever connect up to an outdoor antenna or amplify the signal then you absolutely must use adequate filtering, or you could find yourself in huge trouble with the law. Currently there are no commercially made 433 MHz filters for RPiTX available that we know of, so you would need to make your own. Also remember that you are still only allowed to transmit in bands that you are licensed for, which for most people will be the ISM bands.
In the past we've seen RPiTX used for things like controlling an RC car, building a homemade FM repeater, creating a ham transceiver and transmitting WSPR (via a well made filter). We've also seen people perform replay attacks the cleaner but harder way, by reverse engineering a 433 MHz signal and then generating the RPiTX OOK modulation manually.
In this tutorial we will show how to perform replay attacks on simple OOK modulated 433 MHz ISM band devices using an RTL-SDR dongle and RPiTX. The RTL-SDR will be used to record an AM audio file of the signal, and then RPiTX will do its magic to transform that recording into a file that can be transmitted back on the same frequency via one of the Raspberry Pi's GPIO pins.
Installation instructions are available on the RPiTX GitHub page at https://github.com/F5OEO/rpitx. It's very simple to install as all you need to do is clone the repo, and then run an automated install script.
Install the latest Keenerd version of RTL-SDR
We need the Keenerd version of RTL-SDR as his version provides an option which allows us to output rtl_fm data with a WAV header, allowing us to record directly to a wav file using sox.
git clone https://github.com/keenerd/rtl-sdr
cd rtl-sdr/
mkdir build
cd build
cmake ../ -DINSTALL_UDEV_RULES=ON
make
sudo make install
sudo ldconfig
sudo apt-get install sox
Recording the Data
Using receiver software with a visual spectrum analyzer and/or waterfall such as SDR#, GQRX, HDSDR or SDR-Console, determine the exact frequency and bandwidth of the digital signal that you want to copy. For example, in the image below the center frequency of the signal is 433.897 MHz, and the bandwidth is about 10000 Hz (10 kHz). You may also want to determine the optimum RF gain settings.
Be aware that many cheap remotes are not particularly frequency accurate and the frequency can change slightly just by the position of your hand on the remote. So be consistent with the way that you handle the remote to ensure that you're always on frequency.
When ready, run the following command on your Pi, press the button on your remote, and then press CTRL+C on the keyboard to stop the recording. Make sure to change the frequency (-f), bandwidth (-s) and gain (-g) to what you determined earlier. This command will record an AM 48 kHz wav file of your keyfob signal. 48 kHz is what RPiTX expects.
rtl_fm -M am -f 433.897M -s 10k -g 20 -E wav -F 9 - | sox -t wav - myrec.wav rate 48k
Normalize the Audio
Normalizing the audio brings the volume up to the loudest it can be without distorting the waveform. This must be done otherwise the RPiTX output will be weak. Use the following sox command to create the myrec_n.wav normalized wav file.
sox --norm=-3 myrec.wav myrec_n.wav
If you have speakers plugged into your Pi or the HDMI monitor attached to your Pi, you can optionally use the following command to test the recorded audio. You should be able to hear the signal audio playback.
Create an RFA File
This step converts the wav file into an RFA file, which is a file format used by RPiTX when transmitting. The RFA file format seems to work much better than the IQ options for AM OOK signals.
piam myrec_n.wav myrec.rfa
Transmit with RPiTX
Use the following command to transmit with RPiTX, ensuring that you set the frequency to the correct value for your wireless device.
sudo rpitx -m RFA -i myrec.rfa -f 434004
If it doesn't work the first time, try these steps:
- Make another longer recording with the button pressed down for longer.
- Play with the normalization, e.g. try --norm=0 vs --norm=-3.
- Ensure that you have a wire attached to the correct pin.
- Try the alternative RPiTX pin with the '-c 1' flag.