My colleagues and I are performing penetration testing for a university project using a HackRF One. One of the targets is garage door controllers.
We own two controllers with DIP switches for the same door, one has 10 switches while the other one has 12.
The controller has a PIC16C54 chip, broadcasting at 27.015 MHz.
Using the HackRF and Universal Radio Hacker we were able to obtain signals from both controllers (top is 10 switches, bottom is 12):
We can easily recognize that there is a long wait period after every signal. The DIP switches are 0000111110000 on the 10-switch and 12-switch controller respectively.
We were able to notice that the long parts of the signal correspond to 0s and the short bursts (probably including some of the ‘silence’ after them in order to be the same length) are 1s. At this point I am expecting the signal to be like this:
0 1111 0 1111 0 1111 0 1111 0 1100 0 1100 0 1100 0 1100 0 1100 0 1111 0 1100 0 1100
1111 is a DIP switch set to 0 and
1100 is a DIP switch set to 1.
Our efforts to replay the signal for the garage door have been futile. We tried to import the data into Audacity and normalize the signal in order to get the most power out of it, but Universal Radio Hacker does not import it properly from a raw 8-bit unsigned PCM 48 kHz format.
Despite not succeeding in the replay attack with the captured signal from URH without using Audacity, the following questions arose:
- Why are there two short bursts (1s) instead of the expected zeroes at the end of the signal?
- The 10-switch controller has a signal without the two zeroes at the start. The garage code should be 10-bit then (?)
- Why does setting the 12-switch controller's last 2 switches to 1 instead of 0 not open the door?
Are we missing something even more important here?
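The following is an added example, not code from the original post or from URH/HackRF: it writes down the encoding hypothesised above (long burst = 0, short burst = 1, each DIP switch sent as a separator 0 followed by 1111 for "off" or 1100 for "on") so that a captured symbol string can be checked group by group against that alphabet, and so that a clean frame can be synthesised directly as an interleaved signed 8-bit I/Q file instead of going through Audacity. The slot, burst and gap timings, the sample rate and the `hackrf_transfer` gain in the usage comment are assumptions chosen for illustration; the real values have to be measured in URH from the capture.

```python
# Added example, not code from the original post. It models the pulse-width
# encoding the poster HYPOTHESISES for the 27.015 MHz DIP-switch remote:
# long carrier burst = symbol 0, short burst padded with silence = symbol 1,
# each DIP switch = separator "0" + "1111" (switch off) or "1100" (switch on).
# All timing constants below are assumptions; measure the real ones in URH.
from array import array

SEP = "0"                  # separator symbol seen before every group
GROUP = {"0": "1111",      # DIP switch off -> four short bursts
         "1": "1100"}      # DIP switch on  -> two short, two long bursts
INV_GROUP = {v: k for k, v in GROUP.items()}
SYMBOLS_PER_SWITCH = 1 + 4


def encode_frame(dips):
    """DIP string such as '000011111000' -> symbol string, 5 symbols per switch."""
    if set(dips) - {"0", "1"}:
        raise ValueError("DIP setting must contain only 0/1")
    return "".join(SEP + GROUP[d] for d in dips)


def decode_frame(symbols):
    """Symbol string (spaces allowed) -> DIP string. Raises on any group that
    is outside the hypothesised 1111/1100 alphabet and says which switch."""
    s = symbols.replace(" ", "")
    if len(s) % SYMBOLS_PER_SWITCH:
        raise ValueError("length %d is not a multiple of %d"
                         % (len(s), SYMBOLS_PER_SWITCH))
    out = []
    for i in range(0, len(s), SYMBOLS_PER_SWITCH):
        sep, grp = s[i], s[i + 1:i + SYMBOLS_PER_SWITCH]
        if sep != SEP or grp not in INV_GROUP:
            raise ValueError("unexpected group %r at switch %d"
                             % (sep + grp, i // SYMBOLS_PER_SWITCH + 1))
        out.append(INV_GROUP[grp])
    return "".join(out)


def classify_pulses(bursts_us, threshold_us):
    """Carrier-on durations in microseconds (as read off the demodulated view)
    -> symbol string: bursts longer than the threshold are 0, shorter are 1."""
    return "".join("0" if b > threshold_us else "1" for b in bursts_us)


def pwm_envelope(symbols, sample_rate, slot_us, short_us, long_us, gap_us, repeats):
    """On/off envelope, one 0/1 per sample. Every symbol occupies one slot of
    slot_us: a 0 keys the carrier for long_us, a 1 for short_us, and the rest
    of the slot is silence. Frames repeat with gap_us of silence between them,
    mirroring the long idle period observed after every transmission."""
    if max(short_us, long_us) > slot_us:
        raise ValueError("burst longer than slot")
    per_us = sample_rate / 1_000_000
    slot = int(slot_us * per_us)
    frame = array("b")
    for sym in symbols.replace(" ", ""):
        on = int((long_us if sym == "0" else short_us) * per_us)
        frame.extend([1] * on + [0] * (slot - on))
    gap = array("b", [0] * int(gap_us * per_us))
    env = array("b")
    for _ in range(repeats):
        env.extend(frame)
        env.extend(gap)
    return env


def write_hackrf_iq(envelope, path, amplitude=100):
    """Write interleaved signed 8-bit I/Q, the format hackrf_transfer -t reads:
    I carries the keyed envelope, Q stays 0, so the device transmits plain OOK
    at its tuned centre frequency. Returns the number of IQ pairs written."""
    iq = array("b")
    for v in envelope:
        iq.extend((amplitude * v, 0))
    with open(path, "wb") as f:
        iq.tofile(f)
    return len(envelope)


if __name__ == "__main__":
    dips = "000011111000"                          # illustrative 12-switch setting
    frame = encode_frame(dips)
    print(frame)
    env = pwm_envelope(frame, sample_rate=2_000_000, slot_us=1000,
                       short_us=250, long_us=750, gap_us=20_000, repeats=4)
    print("wrote", write_hackrf_iq(env, "remote.iq"), "IQ pairs")
    # Assumed transmit invocation (gain and sample rate are illustrative):
    #   hackrf_transfer -t remote.iq -f 27015000 -s 2000000 -x 20 -a 1
```

Running `decode_frame` over the symbol string read out of URH is the quickest way to see exactly which switch position carries a group that does not fit the 1111/1100 model; the raised error names it. Amplitude 100 of a possible 127 leaves headroom so the HackRF's DAC does not clip, which is what the Audacity normalisation step was trying to achieve.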