• Stars
    star
    833
  • Rank 54,737 (Top 2 %)
  • Language
    C
  • License
    GNU General Publi...
  • Created over 9 years ago
  • Updated almost 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OpenSesame attacks wireless garages and can open most fixed-code garages and gates in seconds using a Mattel toy

OpenSesame

OpenSesame is a device that can wirelessly open virtually any fixed-code garage door in seconds, exploiting a new attack I've discovered on wireless fixed-pin devices. Using a child's toy from Mattel.

Update to attack rolling codes: I've demonstrated a new tool, RollJam, which additionally attacks rolling codes of garages and vehicles, presented here at DEFCON 23.

Follow me on Twitter or join my mailing list to hear about future projects and research.

By @SamyKamkar

Live demonstration and full details available in the video: OpenSesame

Released June 4, 2015

Source code: https://github.com/samyk/opensesame

Prevention: If you are using a gate or garage which uses "fixed codes", to prevent this type of attack, ensure you upgrade to a system which clearly states that it's using rolling codes, hopping codes, Security+ or Intellicode. These are not foolproof from attack, but do prevent the OpenSesame attack along with traditional brute forcing attacks. Suggested vendors: current products from LiftMaster and Genie.

Criminals: The code I've released is bricked to prevent you from abusing it. It almost works, but just not quite, and is released to educate. If you are an expert in RF and microcontrollers, you could fix it, but then you wouldn't need my help in the first place, would you.


(U) Capabilities

OpenSesame

OpenSesame exploits not only the limited key space of most fixed pin wireless garages and gates, but employs a new attack I've discovered reducing the time it takes to open any garage by over 95%. This means most garages will take only seconds to open.

OpenSesame uses the Radica Girltech IM-ME texting toy from Mattel, as it sports all the equipment we need to pull off the attack -- an effective TI CC1110 sub-GHz RF chip, an LCD display, keyboard, backlight, and more. And it's pink.

This tool builds off of the shoulders of giants, including the original opensesame by Michael Ossmann, IM-ME code & goodfet.cc by Travis Goodspeed, IM-ME LCD reverse engineering by Dave, and effective ideas from Mike Ryan. Additional links and resources included at the end.

Note, this will not open garages using rolling codes. Garages with rolling code technology (often called "Intellicode", "Security+", ""hopping codes", etc) are much more secure than fixed-pin garages but are susceptible to other attacks.

OpenSesame


(U) Primary Issues

See The OpenSesame Attack section below for the new attack.

The simple, less-interesting vulnerability in fixed code systems is the clear fact that their key space is extremely limited. For example, a 12-bit (12 binary dip switch) garage/remote supports 12 bits of possible combinations. This is essentially a fixed password that opens your garage. Since it's binary and 12 bits long, that's 2**12, which is 4096 possible combinations.

A 2-character password on a website is more than twice as hard to solve than to brute force the 12-bit binary dip switch garage. This is a basic (and sadly long-standing) issue that we exploit, but the exciting attack is in The OpenSesame Attack section.

Now in a common garage and clicker, we're going to be using between an 8-12 bit code, and we see a single click sends the same code 5 times, and we see each "bit" takes 2ms to send, with a 2ms wait period per bit after the entire code is sent. So a single 12-bit combination takes (12 bits * 2ms transmit * 2ms wait * 5 times = 240ms). To brute force the entire 8, 9, 10, 11 and 12-bit key space, that's:

(((2 ** 12)*12) + ((2 ** 11)*11) + ((2 ** 10)*10) + ((2 ** 9)*9) + ((2 ** 8)*8)) = 88576 bits

88576 bits * 4ms * 5 transmits = 1771.52 seconds = 29 minutes

So it takes 29 minutes to open an (8-12)-bit garage (assuming you know the frequency and baud rate, both of which are pretty common.) If you have to attempt a few different frequencies and baud rates, then the time it takes is a multiple of 29 minutes.

This is not bad, but we can do better.


(U) Initial Reduction

The first attempt at reduction is pretty obvious and is to remove the retransmission. Instead of transmitting the signal 5 times each time, only transmit it once. It's transmitted multiple times to help the receiver detect it in case of interference, but assuming there's no interference or issues receiving, this reduces the time by 5!

1771.52s / 5 = 354.304 seconds = ~6 minutes

Nice.

Now while initially testing basic brute forcing on garages, I was chatting with some #ubertooth people, and mikeryan suggested I remove the wait period between sending each full code and see if I can send each code back-to-back. So instead of sending "111111000000[wait for 12 bits]111111000001", I would send "111111000000111111000001".

This worked, and reduced the entire time to transmit all codes by 50%! Incredible.

1771.52s / 5 / 2 = 177.152 seconds = ~3 minutes

This is not bad, but we can do better.


(U) The OpenSesame Attack

De Bruijn

Here's the kicker. When looking at the data we're sending, we're now sending a continuous stream of bits. For example:

  • (code #1) 000000000000
  • (code #2) 000000000001
  • (code #3) 000000000010
  • (code #4) 000000000011 and so on, which looks like: 000000000000000000000001000000000010000000000011

The question is, how does the garage receiver look at these bits? What if it's using a bit shift register?

According to Wikipedia:

In digital circuits, a shift register is a cascade of flip flops, sharing the same clock, in which the output of each flip-flop is connected to the "data" input of the next flip-flop in the chain, resulting in a circuit that shifts by one position the "bit array" stored in it, shifting in the data present at its input and shifting out the last bit in the array, at each transition of the clock input.

If this is the case, what this means is that if you prepend the real code with any amount of bits before or after, the garage won't care and will open.

Let's say our garage pin is 111111000000. If the garage uses a shift register, and we send 13 bits, "0111111000000", the garage will first test: 011111100000 (incorrect).

We would assume it will then move onto the next 12 bits (even though there is only one bit left). But no! A shift register only removes 1 bit, then pulls in the next bit.

So the garage actually tests: 011111100000 (incorrect) (chops off the first bit, then pulls in the next bit) 111111000000 (correct!)

Meaning we sent 13 bits to test two 12-bit codes instead of sending a full 24 bits. Incredible!

What's even more beautiful is that since the garage is not clearing an attempted code, a 12 bit code also tests five 8 bit codes, four 9 bit codes, three 10 bit codes, two 11 bit codes, and of course one 12 bit code! As long as we send every 12 bit code, the 8-11 bit codes will all be tested simultaneously.

Now, there must be an algorithm to efficiently produce every possible code, with overlap (to exploit the shift register) in as few bits as possible.

My main man, De Bruijn.

Nicolaas Govert de Bruijn was a Dutch mathematician who discovered just this, dubbed the De Bruijn sequence.

OpenSesame implements this algorithm to produce every possible overlapping sequence of 8-12 bits in the least amount of time. How little time?

To test every 8 through 12 bit possibility: ((2 ** 12) + 11) * 4ms / 2 = 8214ms = 8.214 seconds

We went from 1771 seconds down to 8 seconds. Even our most efficient implementation with the other reductions but without De Bruijn was at 177 seconds, more than 20 times longer. Awesome!


(U) Hardware

IM-ME

The IM-ME from Mattel is a defunct toy no longer produced, but constantly appearing on Amazon and eBay with varying prices from $12 to $100. To my knowledge, much of the reverse engineering of the LCD and keyboard is by Dave, then tools and more work on it from Travis Goodspeed including support in GoodFET, and more awesome work, including my favorite spectrum analyzer, from Michael Ossmann.

It is originally intended as a toy to communicate with friends. It uses the CC1110, a sub-GHz RF SoC, and sports an LCD display, backlight, keyboard, and is battery powered, all extremely useful for a hacker on the road texting her (or his) friends. Or hacking her (or his) friends. Hopefully both.

Now we could have built our own device, but the beauty of this is that it's all already packaged up for you, inexpensive, and is my favorite color.

GoodFET

I use Travis Goodspeed's GoodFET device to program the IM-ME as he's built a tool to program it for us!

GoodFET

GIMME

I ghetto-rigged some wire to the test pads and superglued the ends to always connect properly to the GoodFET, but you can also use the GIMME from Michael Ossmann for a more convenient connector.

OpenSesame Internals


(U) Software

OpenSesame

OpenSesame source code can be obtained in entirety from my github: https://github.com/samyk/opensesame

It is originally based off of Michael Ossmann's opensesame which is specifically built for a fixed code on his garage, and the perfect example for a working OOK/ASK transmitter, handling most of the hardware work for us already. Also, the name was so great I had to use it, I hope Mike doesn't mind.

If you haven't, check out his spectrum analyzer for the IM-ME as I have a secondary IM-ME device loaded with that and it's the perfect portable, inexpensive spectrum analyzer.

goodfet.cc

As mentioned in the hardware section, we use GoodFET to load the code, and goodfet.cc specifically to load onto our Chipcon device (TI CC111x = Texas Instruments Chipcon111x)


(U) Frequencies, Modulations, Encoders

Frequencies

The immediate assumption is that these fixed pin garages and gates span a wide range of frequencies. For example, Wikipedia suggests these wireless devices span 300MHz - 400MHz, requiring us to send the same signal to 100 additional frequencies. However, after pulling the FCC docs of all of the fixed transmitters I could find, we see only a handful of frequencies are ever used, primarily 300MHz, 310MHz, 315MHz, 318MHz and 390MHz.

Additionally, most of these receivers lack any band-pass filter, allowing a wider range of frequencies to pass through, typically at least covering an additional 2MHz in my testing.

Modulation

You'll find that virtually all of these transmitters use ASK/OOK to transmit. Additionally, many of the receivers support interoperability by using the same OOK signaling. This can be confirmed by testing several garage door openers, going over the FCC documents for several transmitters, and noting the supported models in various garage door openers.

Encoders

Here's a list of encoders being used by most of these systems:

PT2262, PT2264, SC2260, CS5211, PT2282, PT2240, eV1527, RT1527, FP527, HS527, SCL1527, MC145026, AX5326, VD5026, SMC926, SMC918, PLC168, HCS300, HCS301, HCS201


(U) Resources

There are a number of resources and tools, many of which I've learned from and that you can learn more on this and similar topic too. Suggested reading / tools in the area:


(U) Contact

Point of Contact: @SamyKamkar

You can see more of my projects at https://samy.pl or contact me at [email protected].

Follow me on Twitter or join my mailing list to hear about future projects and research.

Thanks!

More Repositories

1

poisontap

Exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js.
JavaScript
6,195
star
2

evercookie

Produces persistent, respawning "super" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they've removed standard cookies and other privacy data such as Flash cookies (LSOs), HTML5 storage, SilverLight storage, and others.
JavaScript
4,320
star
3

magspoof

A portable device that can spoof/emulate any magnetic stripe, credit card or hotel card "wirelessly", even on standard magstripe (non-NFC/RFID) readers. It can disable Chip&PIN and predict AMEX card numbers with 100% accuracy.
C
3,888
star
4

pwnat

The only tool/technique to punch holes through firewalls/NATs where multiple clients & server can be behind separate NATs without any 3rd party involvement. Pwnat is a newly developed technique, exploiting a property of NAT translation tables, with no 3rd party, port forwarding, DMZ, DNS, router admin requirements, STUN/TURN/UPnP/ICE, or spoofing.
C
2,846
star
5

slipstream

NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim’s NAT/firewall, just by anyone on the victim's network visiting a website
Perl
1,887
star
6

skyjack

A drone engineered to autonomously seek out, hack, and wirelessly take full control over any other Parrot or 3DR drones within wireless or flying distance, creating an army of zombie drones under your control.
JavaScript
1,636
star
7

usbdriveby

USBdriveby exploits the trust of USB devices by emulating an HID keyboard and mouse, installing a cross-platform firewall-evading backdoor, and rerouting DNS within seconds of plugging it in.
Arduino
1,230
star
8

keysweeper

KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
Eagle
1,084
star
9

samytools

Simple tools to make reverse engineering and console cowboying easier, primarily by data translation and manipulation + file handle piping. Mostly *nix tools with an emphasis on macOS.
Perl
555
star
10

webscan

Browser-based network scanner & local-IP detection
JavaScript
418
star
11

proxygambit

Anonymize and fracture network traffic/Internet access over a point-to-point wireless link or through TCP->GSM->wifi tunnel (advanced resurrection of ProxyHam)
Arduino
352
star
12

combobreaker

Motorized, portable, 3D printed, Arduino-based combination lock cracker
C++
231
star
13

dingdong

Digital Ding Dong Ditch -- RTL-SDR + Arduino + GSM/SMS/FONA + RF + GQRX to hack a wireless doorbell from a text message
C++
229
star
14

quickjack

Quickjack is a point-and-click tool for intuitively producing advanced clickjacking and frame slicing attacks.
JavaScript
227
star
15

frisky

Instruments to assist in binary application reversing and augmentation, geared towards walled gardens like iOS and macOS
C++
198
star
16

glitchsink

Voltage glitcher to bypass instructions/bootloader protections *without* target modification
C++
115
star
17

jiagra

Javascript/Website Performance Enhancement
JavaScript
108
star
18

easel-driver

Easel driver for Linux, Mac, Windows, ARM, Raspberry Pi, Intel, FTDI, CH340, CH341, CP210x, FTDI clones, local, and remote access to GRBL-based CNC controllers
Shell
93
star
19

myo-osc

OSC bridge for the Thalmic Myo gesture control armband (cross-platform)
C++
80
star
20

BPL

The Blind Public License is a restrictive license that does not allow any person to read, view, interpret, emulate, debug, disassemble, reverse engineer, or execute ("Observing") any included code, schematics or engineering diagrams (the "Technology").
56
star
21

samyk

54
star
22

sqlpp

feature-rich, multi-database interfacing, multi-connection, colorful console-based SQL client
Perl
53
star
23

bgrid

wireless balloon LED network w/ATtiny24 + nRF24L01+ (PCB + firmware + TouchDesigner)
C++
46
star
24

buspirate

Bus Pirate (cross-platform, cleaned up for OS X)
C
42
star
25

crak

Crash Royale Attack Kit
JavaScript
39
star
26

openrTMS

Open rTMS (Transcranial Magnetic Stimulation)
C++
26
star
27

amazonshelper

TamperMonkey script (browser extension) for Amazon to add price by volume for materials and to hide useless UI elements
JavaScript
24
star
28

lcventilator

Low cost ventilator based on Dr. Jeffrey Ebin's design
C++
21
star
29

specs

Public specifications for easy accessibility
19
star
30

pinning

#PINNING is a browser extension (currently TamperMonkey script) to improve Pinterest's desktop browsing UX
JavaScript
15
star
31

glitchisnk

Voltage glitcher to bypass instructions/bootloader protections without target modification
14
star
32

microscopy

files for (ΞΌ)scope projects
11
star
33

motoaudio

Inspecting the Moto Audio application running on Motorola Android devices
9
star
34

testimg

chrome blocks downloading images from my github :(
9
star
35

openraman

Low cost, high performance open source Raman spectrometer
C++
6
star
36

mains-logs

log files for mains project
2
star
37

mains

monitoring mains line voltage
Perl
1
star