Grand Theft Auto – RF Locks Hacking Flipper-Zero Edition Part 1
0x00. INTRODUCTION
I believe that when people are new to hacking RF lock systems, one of the most common questions they ask is which tools they need. Usually, I would say that HackRF is a must-have tool. Recently, the Flipper-Zero has become one of the most popular gadgets among RF hackers. To be honest, the first time I heard about Flipper-Zero, I wasn't very impressed. I already owned a bunch of wireless hacking tools, such as Proxmark3, Yardstick1, and HackRF-Portapack. Why should I get another tool that provides similar functions? Soon, I realized I was wrong. For instance, besides its rich wireless capabilities, the Flipper-Zero also offers extendable external modules through GPIO ports. This feature makes the Flipper-Zero a kind of LEGO for hackers.
(After a two-hour wait in the queue, I finally got one at DEFCON 31)
This article serves as a beginner’s guide to RF lock system hacking, using Flipper-Zero and other RF hacking tools. I hope each case study will help readers gain a better understanding of the tools and techniques needed for hacking RF locks.
0x01. SIGNAL JAMMING
One of the easiest yet most effective RF attack techniques is signal jamming. In this method, the attacker continuously sends noise signals on the same frequency channel as the target, aiming to interfere with the original signal. Jamming disrupts communication between devices by overpowering the intended signals. The key is not what is being transmitted, but simply that the noise prevents the legitimate signals from being heard.
(Jamming signals on the spectrum diagram)
Jamming attacks are also a popular method among thieves targeting car locks. Criminals use hidden jamming equipment to prevent car owners from locking their vehicles. Once the owners leave, the thieves can easily open the car door and steal any belongings left inside. While signal jamming is not a new concept, its popularity among criminals continues to grow as the technology becomes more sophisticated and accessible.
Below is a video demonstration of a car jamming attack using HackRF. The video illustrates how effective the attack can be. Please ensure that your car door is securely locked before you leave.
Although Flipper Zero comes with regional and frequency restrictions, installing a custom firmware (Xtreme) can bypass these limitations. This makes Flipper Zero ideal for experimenting with jamming attacks.
(Source from @McSHUR1KEN)
0x02. SIGNAL REPLAY BLINDLY
Of course, it would be even cooler if we could control the target. The replay attack is one of the oldest tricks that can achieve exactly that. Since most RF lock systems operate at 315 MHz or 433 MHz and some still use fixed-code mechanisms, we can simply leave a capture device near the target and wait patiently. If we're lucky, we might catch the unlock signal for later replay.
This is a lot like fishing, but the reward is an unlock signal instead. Below is a video demonstration of the replay attack with HackRF. As you can see in the video, it works like a charm.
Interestingly, Tesla’s charging port still uses a fixed-code mechanism. People can download pre-recorded Tesla charge port files to the Flipper-Zero and mess with other Tesla vehicle owners without knowing what is really going on behind the scenes.
(Source from @takeapart)
0x03. SIGNAL REPLAY ANALYZE
Simply replaying the signal blindly won't satisfy hackers. Unlike with jamming, if we want to understand our target better, we need to identify details such as the operating frequency, the encoding method, and the chip model. For example, we can determine the operating frequency using the Frequency Analyzer application provided by the Flipper-Zero.
Alternatively, you can use the old-school method of disassembling the keyfob and examining the PCB. For instance, in an E-Scooter keyfob, we see the IC chip model (CMT2150L) and a 26.250 MHz crystal. By checking the datasheet, we can find the operating frequency and determine that the encoder is the 1527 type. Most importantly, the datasheet provides the pinout diagram for the CMT2150L chip.
Once we connect the correct pins on the IC to an oscilloscope and press the unlock button on the keyfob, the data pulses of the unlock signal appear on the trace. To simplify the analysis, we can use the rtl_433 software to capture the raw data transmitted wirelessly by the E-Bike keyfob.
Since the lock system of this E-Scooter relies on a fixed code, we can easily unlock it using the Flipper-Zero, as demonstrated in the video below.
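The pulse-level analysis described above, as an added example that is not part of the original article: a small Python decoder for the 1527-style fixed-code frames such a keyfob sends. It assumes the common EV1527 timing (a 1T/31T sync pulse, 1T/3T for a 0 bit, 3T/1T for a 1 bit, 24 bits per frame split into 20 address bits and 4 button bits) and that the (mark, space) durations have already been read out in microseconds from the oscilloscope trace or an rtl_433 raw capture; the sample frame is constructed, not a real recording.

```python
# Added example (not from the article): decode 1527/Princeton-style fixed-code OOK
# frames from raw (mark, space) pulse timings and check whether repeated presses
# carry the same code, which is the signature of a fixed-code transmitter.
from typing import List, Optional, Tuple
Pulse = Tuple[int, int]  # (mark_us, space_us): carrier on, then off, in microseconds

def _near(value: float, target: float, tol: float = 0.35) -> bool:
    return abs(value - target) <= tol * target

def decode_1527(pulses: List[Pulse]) -> Optional[Tuple[int, int]]:
    """Return (address20, button4) for the first 24-bit frame that follows a sync,
    or None. Assumed EV1527 timing, T = base period: sync = 1T mark / 31T space,
    bit 0 = 1T mark / 3T space, bit 1 = 3T mark / 1T space, 24 bits per frame."""
    for i, (mark, space) in enumerate(pulses):
        if space < 20 * mark:      # not a sync gap (we expect ~31T of silence)
            continue
        t = mark                   # the sync mark gives the base period T
        bits = []
        for m, s in pulses[i + 1:i + 25]:
            if _near(m, t) and _near(s, 3 * t):
                bits.append(0)
            elif _near(m, 3 * t) and _near(s, t):
                bits.append(1)
            else:
                break              # malformed bit: try the next sync instead
        if len(bits) == 24:
            word = int("".join(map(str, bits)), 2)
            return word >> 4, word & 0xF
    return None

def is_fixed_code(captures: List[List[Pulse]]) -> bool:
    """True when every capture decodes to the same address and button: a rolling-
    code transmitter would change its payload on every press."""
    words = [decode_1527(c) for c in captures]
    return all(w is not None for w in words) and len(set(words)) == 1

def constructed_frame(address: int, button: int, t: int = 350, jitter: int = 0) -> List[Pulse]:
    """Constructed test input, not a real capture: one frame with alternating
    +/-jitter on each pulse to mimic receiver timing noise."""
    word = (address << 4) | button
    frame = [(t + jitter, 31 * t - jitter)]
    for k in range(23, -1, -1):
        j = jitter if k % 2 else -jitter
        if (word >> k) & 1:
            frame.append((3 * t + j, t - j))
        else:
            frame.append((t + j, 3 * t - j))
    return frame
```

Two captures of the same button that decode to the same address are the tell-tale sign of a fixed code, which is what makes such a lock replayable; a rolling-code fob would produce a different payload on each press.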
0x04. SIGNAL REPLAY BRUTEFORCE
Have you ever wondered if fixed-code lock systems are brute-forceable? Here's an interesting example: a lock with 8 DIP switches on both the lock and keyfob. You can set each switch to one of three positions—up, center, or down—creating different combinations.
By using the Flipper-Zero, we can determine that this lock is based on Princeton. We can also use the Pulse Plotter app on the Flipper-Zero to analyze the signal. However, I recommend using software specifically designed for reversing wireless signals: Universal Radio Hacker (URH). URH is a comprehensive suite for wireless protocol investigation. It allows for easy demodulation of signals and automatic detection of modulation parameters, making it straightforward to identify the bits and bytes transmitted over the air.
After capturing the unlock signal from the keyfob, the fixed-code contents can be easily analyzed with URH. Since the DIP switches allow only 3^8 = 6561 combinations, it is very easy to brute-force all of them through the Fuzzing function of URH, as you can see in the video below.
A person named Hong5489 has implemented brute-force .sub files for the Flipper-Zero, which you can find on his GitHub. However, be cautious: when he used the brute-force tool on his own gate, he accidentally opened his neighbor's gate.
0x05. SUMMARY
In this article, we’ve explored common methods for hacking RF locks. In Part 2, we’ll delve into more advanced and intriguing RF lock hacking techniques. Stay tuned.