Unlock Cars with a Raspberry Pi And SDR – Replay attack
This is a write up from an old YouTube video, but the content, and method is all relevant and still working.
If you follow my work, you know I like to work with what I have, and I’m always on the lookout for a cheap “hack”. Considering all you need for this is an RTL-SDR(37$), and an Raspberry-Pi, (38$) this was the perfect project.
What do you need?
Installing the software
This text is not going to cover installing an operating system on your raspberry pi. You need to have Raspbian installed however before proceeding.
If you need assistance installing Raspbian, please follow this guide:
The next thing you need to install is the software that tells the Raspberry Pi how to communicate with the rtl-sdr. Open a terminal and issue the following commands:
git clone https://github.com/keenerd/rtl-sdr cd rtl-sdr/ mkdir build cd build cmake ../ -DINSTALL_UDEV_RULES=ON make sudo make install sudo ldconfig
Next we need to install the software that will allow up to transmit from the Raspberry Pi.
This is done by creating a square wave output on pin 4 of the raspberry pi. If you attach a wire to this pin, it will act as an antenna and help transmission of digital data that we will be recording with the RTL-SDR.
To install RPITX:
sudo apt-get update sudo apt-get install git git clone https://github.com/F5OEO/rpitx cd rpitx ./install.sh
Getting the Freq
Once your software is installed, its time to test things out.
The last element we need is your car keys frequency. There are a few ways to get it, but the easiest means finding the “FCC ID” on the device, and simply searching for it on this website:
Doing so will most often times tell you the devices operating frequency. You can also use the RTL-SDR with a waterfall program such as SDR#, and browse the region around 315 or 433 MHz. Press your car keys and see if you can locate the spike on the frequency spectrum.
Putting it all together
The first thing you will want to do is record your car key unlock, lock, alarm etc transmission
(after all this is a replay attack).
To do this, simply have your car key fob near your rtl-sdr antenna, and issue the following command on the RaspberryPi, obviously replacing “315.012” with your car fobs operating frequency.
rtl_sdr -s 25000 -g 35 -f 315.0125e6 filename.iq
Press your desired key a few times and once you feel as if you have an good sample, press Ctrl+C on the raspberry pi to stop recording.
The next step is replaying the transmission. RPITX reads the data within the file you have just created from your sample, and re-transmits it to preform the desired result, without the key.
Obviously again, you should replace the frequency with yours.
sudo ./sendiq -s 25000 -f 315.0125e6 -t u8 -i filename.iq
If all is well, you should hear that sweet sound of your car unlocking. Let me know down below if you think of an easier way to do what I’ve done here.