Replay the remote control signal of small toys with HackRF

Have you ever thought that all kinds of common objects in life can be attacked?

Air conditioners using infrared remote control, toys using wireless remote control, and even mobile phones using base stations?

Today, we use HackRF to attack the remote control of a toy.

Preface

The most common remote control is the infrared remote control, which transmits a series of flashes through the infrared LED to represent 0 and 1, so as to transfer data.

But what should we do if we want to transmit signals over a longer distance? The signal may be blocked by human body, trees, buildings, etc. in the transmission path. How can we penetrate these objects?

The answer is simple, radio frequency.

Most common remote controls in daily life work at about 433 MHz: toy remote controls, garage door remotes, electric bike lock remotes, and so on.

As for why it is this particular frequency, we also looked it up:

First we checked the Radio Frequency Division Table, which does not mention it. After all, it is a low-power transmitting device in a licence-free band, so it is normal for it not to be listed there.

Following the trail, we finally found the Catalogue and Technical Requirements of Micro-power Short-range Radio Transmission Equipment. Since the policy was updated in 2019, we skipped the pile of documents from 2005 and looked at the current one.

At the end of 2019 MIIT issued Announcement No. 52 (Ministry of Industry and Information Technology issues relevant announcements on micro-power short-range radio transmission equipment), which states:

"The production or import of radio transmission equipment that is listed in and conforms to the Catalog for sale and use in China does not need to obtain a radio frequency use permit, a radio station license, or a radio transmission equipment model approval..."

Then let's look at the table of contents:

As long as the transmission power is below 10 mW, it can be used directly. However, the Catalogue clearly states that this band "cannot be used for wireless control toys". I suspect most manufacturers never found these documents; it took me half an hour to find them.

Manufacturer: "We make wireless intelligent fitness, exercise and rehabilitation equipment, not toys" (joking)

Well, we just need to know that this frequency can be used legally.

Determine frequency

Here I use a HackRF One SDR development board. Its performance is a little dated by now, but it is still sufficient for this scenario. After all, bladeRF and LimeSDR are not exactly cheap.

If you are using HackRF for the first time, you need to set up the environment first:

Ubuntu

 sudo apt install gqrx-sdr libhackrf-dev libhackrf0 gnuradio inspectrum

MacOS

 brew install hackrf gqrx gnuradio

If HackRF is used inside a virtual machine, RX seems to fail the second time even though it works the first time. This still appears to be unresolved, so you can only press RST a few more times. Used directly on a physical machine there is no problem.

First, we use Gqrx to confirm the approximate frequency range. Narrowing down further, we determine that the frequency is 433.950 MHz.

If you have a walkie talkie, you can also hear the sound from the remote control.

Finding the frequency is easy. Now take out the Swiss army knife of the radio world: GNU Radio.

Capture signal

GNU Radio represents the signal processing chain as a block diagram (flow graph). You pick the blocks you need from a large library, and GNU Radio generates the corresponding code from your settings.

Let's create a flow graph to capture the signal, then run it. While it runs, press the remote control so that it transmits, and the raw signal data is recorded into the file we want.

Then we create a flow graph to transmit the signal.

The spectrum shows a response, and the toy also behaves as expected.

If you just need to replay the signal, there is a simpler way: use the HackRF tools.

 hackrf_transfer -r toy.raw -f 433950000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000   # receive signal
 hackrf_transfer -t toy.raw -f 433950000 -g 16 -l 32 -a 1 -s 8000000 -b 4000000   # transmit signal

The parameters are straightforward; if anything is unclear, run hackrf_transfer -h.

Analyze signal

In theory, we can recover the original 1 and 0 data by analysing the recorded signal.

The simplest way: load the data into Audacity, a small but capable open source audio editor.

Here you can see the 0s and 1s represented by high and low levels. If you have a Sharingan, you can even read the 0s and 1s off directly.

However, to spare our eyes, we can use a tool: Inspectrum.

With it each bit can be read much more easily. Normally we would check the chip's datasheet to see how many bits are sent in each frame and enter that number into the software, which makes it easy to set up the reference grid.

However, the chip on our remote control has no silkscreen marking, so things are more troublesome.

You have to try manually and slowly to determine how many bits a frame contains. To be honest, we tried for a long time and still did not get it right.

If you do manage to export the raw 0/1 data in the end, you can also have HackRF transmit that raw data directly.

You could even build a gadget that keeps transmitting the signal you want, to achieve the desired effect.
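The decoding step above (high level = 1, low level = 0) can also be done in code. The following is an added example written for this article, not code from the original post: it reads the interleaved signed 8-bit I/Q format that hackrf_transfer records, turns the envelope into bits, and then checks whether several button presses decode to the same bits. Identical frames mean a fixed code, which is exactly why a simple replay works on this toy; a rolling-code remote would produce a different frame each press. The symbol length and the I/Q samples below are constructed for the example, not taken from a real capture.

```python
import math

SAMPLES_PER_SYMBOL = 20   # assumed symbol length in samples; read it off the capture in practice

def iq_magnitudes(raw: bytes):
    """hackrf_transfer stores interleaved signed 8-bit I,Q pairs; return |I+jQ| per sample."""
    signed = [b - 256 if b > 127 else b for b in raw]
    return [math.hypot(i, q) for i, q in zip(signed[0::2], signed[1::2])]

def envelope_to_bits(mags, samples_per_symbol=SAMPLES_PER_SYMBOL):
    """Slice midway between carrier-on and carrier-off, then sample the centre of each symbol."""
    threshold = (max(mags) + min(mags)) / 2
    n = len(mags) // samples_per_symbol
    return [int(mags[k * samples_per_symbol + samples_per_symbol // 2] > threshold) for k in range(n)]

def bits_to_str(bits):
    return "".join(str(b) for b in bits)

def is_fixed_code(captures):
    """Decode several button presses; identical bit patterns mean a fixed code with no rolling counter."""
    decoded = {bits_to_str(envelope_to_bits(iq_magnitudes(c))) for c in captures}
    return len(decoded) == 1

# --- constructed test data: synthesise an OOK frame at baseband (not a real recording) ---
def synth_ook(bits, samples_per_symbol=SAMPLES_PER_SYMBOL, amp=100, tone=0.05):
    """Carrier on = tone of amplitude `amp`; carrier off = a weak deterministic noise floor."""
    out = bytearray()
    n = 0
    for b in bits:
        for _ in range(samples_per_symbol):
            if b:
                i = round(amp * math.cos(2 * math.pi * tone * n))
                q = round(amp * math.sin(2 * math.pi * tone * n))
            else:
                i, q = (3 if n % 2 else -3), 1
            out += bytes([i & 0xFF, q & 0xFF])   # store as signed 8-bit, like hackrf_transfer
            n += 1
    return bytes(out)

FIXED_CODE = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]   # constructed 12-bit frame

if __name__ == "__main__":
    press1, press2 = synth_ook(FIXED_CODE), synth_ook(FIXED_CODE)
    print(bits_to_str(envelope_to_bits(iq_magnitudes(press1))))
    print("fixed code (replayable):", is_fixed_code([press1, press2]))
```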

For example, switch on several toys around you at the same time. The specific application is up to your imagination (just kidding)

*Seriously: the toy mentioned above is a toy car.

Tags: ham, HackRF


6 comments
  1. Oh, the boss has updated again! This time the big guy brought us the remote control signal of small toys. Anyway, a small toy controlled by a remote control is not the same as a small toy car. 😏

    1. Hmph, it is whatever we say it is 😆

    2. After learning this, wouldn't it be easy to build a remote control car on the same frequency? (runs away)

  2. vvve

    Why do I feel this remote control looks a lot like the vehicle barrier in my community?

  3. Stares——

  4. Six thousand li

    Hello blogger, can you imitate the barrier at the entrance of the community?
