Flipper Zero - Rolling Codes Part 3 : Hacking openers

  • Published 26 Nov 2024

COMMENTS • 47

  • @TmArms89
    @TmArms89 1 year ago +9

    Thank you! Best content on UA-cam about technical aspects.

    • @MrDerekJamison
      @MrDerekJamison 1 year ago +4

      Thanks. I’m having fun learning all this stuff. Trying to not have videos be too long, I can continue adding more details in two weeks. 😀 I hope to also improve the wiki tab on my GitHub. I’ll probably write a bunch more this week, so check that out too. I think links are in my about page?

  • @duff8402
    @duff8402 1 year ago +1

    Fantastic series, sir! This is the Flipper Zero content I've been looking for. We live in a world where too many dishonest people want what the honest people have, and the reason I bought my flipper was to ensure my security is top notch. Off to test my garage door opener.

    • @MrDerekJamison
      @MrDerekJamison 1 year ago +2

      Thanks! For garage/gate receivers that you own, I think replay attack is safe to do. If you don't know (e.g. you can't resync the device) then you shouldn't mess with it. I was surprised/disappointed that 2 of the 3 allowed replay. I'd also recommend one of the unofficial firmware (like Xtreme, RM, Unleashed) as they have more ability to replay codes - assuming it's legal in your region. In general, if the Flipper can decode it, then someone can likely write code to encode it. Keeloq with "Unknown MF" seems the most secure to me, especially if the key is based on a seed that is exchanged during pairing.
      If you have any questions, let me know in Discord - discord.com/invite/NsjCvqwPAd or start a new UA-cam comment. Thanks again for watching my videos.

    • @duff8402
      @duff8402 1 year ago +1

      @MrDerekJamison I loaded the Unleashed firmware almost first thing, and went into attacking my garage doors knowing I'd more than likely have to wipe them out and resync them. Luckily both of them were safe from the replay though and no resyncing was needed.

  • @harrylakkerderrie8696
    @harrylakkerderrie8696 8 months ago

    Thank you for your videos. You explain it very clearly and easily, it's nice to look away.
    Keep it up, I'll keep watching.

    • @MrDerekJamison
      @MrDerekJamison 8 months ago

      Thanks. It's crazy that the replay attacks actually worked. Without a Flipper Zero, I would have assumed that it was secure (since it also responded correctly to a rolling code remote). I guess the lesson is: if a receiver is compatible with many manufacturers, be more suspicious that it might have a replay attack flaw (because maybe they don't know the actual "MF secret code" and so are only checking that the FIX and Button are correct).

  • @pavelmickevic
    @pavelmickevic 11 months ago +1

    Thank you. I learned new things today! I enjoyed all 3 videos in the series.

    • @MrDerekJamison
      @MrDerekJamison 11 months ago

      Awesome! I'm glad you enjoyed them. Let me know if there are other topics you are interested in me trying to cover.

  • @steves781
    @steves781 3 months ago

    Thank you for proving this is factual information! My system was hacked months ago by a “neighbor”.

    • @MrDerekJamison
      @MrDerekJamison 3 months ago

      If it is Security+1.0, Security+2.0, CAME or KeeLoq with a known MF, then recording a signal and playing the next signal is an easy attack. If it is a 9/12 DIP switch, then brute force is possible as well (but it takes a while).
      I was surprised that inexpensive rolling code openers have a replay attack; but it makes sense since they don't actually decode the signal - they just check the 'fix' portion to validate the serial number.

  • @batatafrita9014
    @batatafrita9014 1 year ago +1

    Hi Derek, I've been having a question for a while now. Can you tell if a Flipper Zero firmware swap can damage it? For example switching it to Xtreme! I tried looking for this in forums and didn't find much. Again, sorry for my English, I'm using a translator!

    • @MrDerekJamison
      @MrDerekJamison 1 year ago

      Swapping the firmware should be safe. I'm always installing new firmware, either one of the custom distributions, or a firmware where I have made my own changes.
      From blog.flipper.net/new-firmware-update-system/#dfu-mode "The bootloader code is located outside the main flash memory zone and is protected from writing or erasing. It cannot be damaged when updating the firmware, the disadvantage of this is that we do not have the opportunity to modify it."
      I have had to use "OK+BACK button for 30-seconds" method when switching from a bad custom build back to official, but it worked great. Follow these steps if you think you broke your Flipper and things will be working fine again... docs.flipper.net/basics/firmware-update/firmware-recovery#tSOGv
      I've had the SD Card fail on me and no longer read. I don't know if that was because of bad custom firmware or something else? I put in a new SD Card and everything worked fine again.
      shop.flipperzero.one/pages/warranty-policy
      says "unauthorized repairs or modifications (either hardware or firmware)". The word "unauthorized" is not clear. Perhaps it is no longer covered under warranty once you install a custom firmware or connect something to the GPIO pins?

    • @phish27134
      @phish27134 1 year ago

      RogueMaster is waaaay better, they also include Sub-GHz, NFC, IR for almost anything

  • @Алексей-д1ц7б
    @Алексей-д1ц7б 1 year ago +1

    Can I somehow make it so that the Flipper can send the correct rolling code if I have full access to the remote, CAME 433 MHz? I understand that this is most likely impossible.

    • @MrDerekJamison
      @MrDerekJamison 1 year ago

      There are a few different Came protocols. If you are asking about Came Atomo, then official firmware doesn't support it.
      There are many steps involved in adding it, but it is possible. You would have to fill out the code here... (github.com/flipperdevices/flipperzero-firmware/blob/940ec36a0b8e61b1a481e33980a675173e1aaae5/lib/subghz/protocols/came_atomo.c#L59) and that will send you down the path of adding new features to your firmware like furi_hal_subghz_get_rolling_counter_mult.
      I'm not sure if the rainbow table covers all Came devices, as I haven't looked at the protocol fully yet github.com/flipperdevices/flipperzero-firmware/blob/dev/assets/resources/subghz/assets/came_atomo
      The easiest way for allowing Save/Send for something like Came Atomo is to install a firmware like RogueMaster - if that is allowed in your region?

    • @nientesonco5102
      @nientesonco5102 1 year ago

      @MrDerekJamison just remove the region thing

  • @tomallen6073
    @tomallen6073 2 months ago

    The remotes that work with the 850LM transmit on 3 frequencies at the same time, I’ve used a spectrum analyzer and have seen it, anyone know why? Thanks.

  • @ericcelrosu2912
    @ericcelrosu2912 1 year ago +1

    Very helpful clip. But I'm curious, some guys said those remotes are encoded and can be cracked for the next code, but the remotes for car key fobs are encrypted, which makes it impossible to predict the counter. Can you do a video in the future explaining how one is more secure than the other? I'd really appreciate it.

    • @MrDerekJamison
      @MrDerekJamison 1 year ago +4

      Yes, I'm still working on the series. The next video I'm creating is about a KeeLoq app I'm writing, which helps you practice key concepts. I'll continue to do more videos about protocols, such as Security+ 2.0 and other protocols that I currently know nothing about.
      Summary is if the algorithm is known & the key is known (or there is no key)... you can decode the data, increment the count, and reencode the data. If key is unknown, then it depends on how the algorithm works and what other flaws exist in the receiver.
      In this video, we were only looking at "replay attack". There are other attacks as well. My Flipper Zero knows those protocols and keys, so I should be able to open LM850 too (but at least it defends against replay).

  • @phatbman
    @phatbman 7 months ago

    What program did you use to pair your flipper with your garage door opener? I would like to use my flipper as my own garage door opener haha

    • @MrDerekJamison
      @MrDerekJamison 7 months ago +1

      I'd recommend `Sub-GHz` app and then choosing `Frequency Analyzer` to see what frequency your remote is. Then choose `Read` (and left button to Config to same frequency). Then press button on your remote to see what protocol it uses. Then choose `Add Manually` and choose the same protocol/frequency from the previous steps. You can then use `Saved` to reload the file. Press the "Learn" button on your receiver and then Send (once or twice) from the Flipper, and hopefully learn light stops blinking. At that point, your receiver should open whenever the Flipper sends the signal.
      If you have a remote you will no longer use, you can use `Read` then `Save` in custom firmware instead of `Add Manually`. But your original remote will be out-of-sync.
      If your remote uses "KeeLoq (KL) with MF: Unknown" then you cannot play the next signal. If you have a cheap receiver (like I did in this video) you may be able to still use "Read RAW" to capture the signal, Save it, then load saved file and replay it.
      If you still have questions, feel free to join my Flipper Discord server: discord.com/invite/NsjCvqwPAd

  • @eldean0
    @eldean0 10 months ago

    Thanks for this. I’m curious: if the code spectrum is so small and there’s not that many, how come in a full car park we never hear our own fob set another car's lock on or off etc? What prevents this? And especially before rolling codes?

    • @MrDerekJamison
      @MrDerekJamison 10 months ago +1

      Great question. The "fix" part of the code (without button) that specifies which receiver the signal is for is 7 hex digits (or 16^7 = 268 million possible values). The "rolling" part also has lots of combinations that are considered invalid (like only 16 out of 4 billion in theory are correct, but due to encryption this value may be much lower.) I have another video in the "rolling codes" playlist that talks about "Brute Force" which shows it's possible, but not likely (in that video I was using the correct "fix" value & just trying to guess the remainder of the key).
      Before rolling codes, it was possible sometimes. But it is still really rare if the protocol uses enough bits. Even something like Princeton 24-bit has 16 million combinations (but if you reserved 4 bits for the button value [start/open/panic/etc.] then you would be down to 1 million codes).
      My Saturn SL2 remote opened another Saturn SL2 once. I clicked it a few times to prove it wasn't a fluke. It was super confusing at first & then kind of exciting. I wish we had cell phone cameras back then because I'm sure I would have taken video.

    • @eldean0
      @eldean0 10 months ago +1

      @MrDerekJamison thank you, oh interesting, I must have misunderstood in the previous video, thanks for sharing

    • @MrDerekJamison
      @MrDerekJamison 10 months ago

      @eldean0 In this video, the problem was two of the three manufacturers had rolling code support but ALSO allowed replaying the previous codes. It's nice that the Flipper Zero allows us to check for flaws, because otherwise we would have to trust that it was secure. The other door to my garage is protected by a KW1 physical key, which a bump key, Lishi tool, or probably a rake tool can easily get past in a few seconds; so maybe it doesn't really matter. 🤦‍♂

  • @Sergii-i9z
    @Sergii-i9z 8 months ago

    Thanks for a great video!
    What I didn't get is, until which number can the counter go? Simply speaking, if it goes to max 1000 (which is, of course, too low), and you sniff the "previous" code, you obviously can't replay it, but you just need to click another 1000 times with a "captured" signal to activate the lock. Thanks in advance for answering.

    • @MrDerekJamison
      @MrDerekJamison 8 months ago +1

      For a replay attack, we have a "FIX" and a "HOP". The "FIX" needs to match the remote (we see the same fixed value every time someone sends a signal). The "HOP" is encrypted data, which decrypts to a "Count", "end of serial number", and a few other things.
      For most KeeLoq codes, the decrypted count needs to be within 15 of the previous count, or the decrypted "future" count needs to be within 16000 of the previous count, plus another decrypted count within 3 of the last "future" count. The problem is the code we are guessing is the encrypted value, so we don't know how that relates to the decrypted count. For example, "ENC:1000" might decrypt to "24,123" and then "ENC:1001" might decrypt to "8,001", and "ENC:1002" might not be for a matching serial number, so it is an invalid count.
      If that doesn't make sense, feel free to join my Discord and someone can help explain in more detail. discord.com/invite/NsjCvqwPAd

    • @Sergii-i9z
      @Sergii-i9z 8 months ago

      @MrDerekJamison Now it makes much more sense, thx for the reply.
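A small model of the two receiver behaviours discussed in this thread, added here as an example (it is not the video's code nor the Flipper firmware's): a receiver that validates only the FIX portion, like the replay-vulnerable openers mentioned earlier, beside one that applies the count windows described in the reply above. Counts are treated as already decrypted, and the window sizes (15 / 16000 / 3) and the 16-bit counter width are assumptions taken from the comment, not from any vendor's firmware.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed window sizes, as stated in the comment above (not vendor firmware).
SINGLE_WINDOW = 15      # next count must be within 15 of the last accepted one
RESYNC_WINDOW = 16000   # otherwise it may be a "future" count inside this window...
RESYNC_CONFIRM = 3      # ...confirmed by a second press within 3 of the first
COUNTER_BITS = 16       # assumption: 16-bit counter that wraps around


@dataclass(frozen=True)
class Frame:
    fix: int     # serial number + button, sent in the clear
    count: int   # counter recovered from the HOP (already decrypted here)


@dataclass
class NaiveReceiver:
    """Opens for any frame whose FIX matches; never looks at the counter."""
    serial: int

    def accept(self, frame: Frame) -> bool:
        return frame.fix == self.serial


@dataclass
class CounterReceiver:
    """Rejects reused counts; needs two consecutive presses to resync."""
    serial: int
    last: int                                   # last accepted count
    pending: Optional[int] = field(default=None)  # first press of a resync pair

    def _ahead(self, count: int, base: int) -> int:
        # How far `count` is ahead of `base`, modulo the counter width.
        return (count - base) % (1 << COUNTER_BITS)

    def accept(self, frame: Frame) -> bool:
        if frame.fix != self.serial:
            return False
        ahead = self._ahead(frame.count, self.last)
        if 1 <= ahead <= SINGLE_WINDOW:            # normal next press
            self.last, self.pending = frame.count, None
            return True
        if SINGLE_WINDOW < ahead <= RESYNC_WINDOW:  # remote pressed out of range
            if self.pending is not None and \
                    1 <= self._ahead(frame.count, self.pending) <= RESYNC_CONFIRM:
                self.last, self.pending = frame.count, None
                return True
            self.pending = frame.count             # remember, wait for the 2nd press
            return False
        return False   # reused (replayed) or wildly out-of-range count: ignore


def run(receiver, frames: List[Frame]) -> List[bool]:
    return [receiver.accept(f) for f in frames]


SERIAL = 0x1A2B3C4   # constructed 7-hex-digit serial
# Constructed traffic: two real presses, a replay of the first capture, then a
# remote that was clicked many times out of range (needs a resync pair), then a
# replay of that resync capture.
PRESSES = [Frame(SERIAL, 101), Frame(SERIAL, 102), Frame(SERIAL, 101),
           Frame(SERIAL, 3000), Frame(SERIAL, 3001), Frame(SERIAL, 3000)]

if __name__ == "__main__":
    print("FIX-only receiver:", run(NaiveReceiver(SERIAL), PRESSES))
    print("counter receiver :", run(CounterReceiver(SERIAL, last=100), PRESSES))
```

The FIX-only receiver opens on every frame, including both replays; the counter receiver opens on the two live presses and on the second press of the resync pair only.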

  • 1 year ago

    Could you elaborate a bit on how the receiver can be damaged?
    I am afraid that such a statement without explanation is what causes people to have the idea that touching a computer will damage them, hence they rather stay away.
    Besides (I know not every system is compliant yet), aren't devices supposed to be resilient to interference?

    • @MrDerekJamison
      @MrDerekJamison 1 year ago +1

      In general, my channel is trying to encourage people to explore. I still recommend buying hardware rather than experimenting on systems I rely on. The same way that for lockpicking I'll tell you to buy a KW1 & MasterLock from Home Depot instead of trying to pick a lock you rely on. There is probably only a small chance you are actually going to damage the lock.
      There are so many different devices, that it really depends on the device as to the potential damage. It's likely a small risk too, and in the video I tested against $120USD of hardware, but if any/all of it broke I was okay with that risk. I later went on to buy a Genie device for $65USD and wrote an app to extract 64K codes from the receiver (not knowing if OVR bits would make the remote useless), but at least for my model it worked great (ua-cam.com/video/HLNC2vvCBhI/v-deo.html). I was fairly confident that the Genie receiver would still work, even if it meant I needed to pair it with another remote.
      I've heard stories from multiple people that desync their vehicle remote and could no longer use their keyfob to open the car (and were asking for help on how to fix it). I personally was doing replay attacks with some device I owned, and the original fob no longer worked until I cleared all synced devices and then followed the pairing procedure. The procedure for resyncing isn't universal across manufacturers. It's not interference when all the checksums/parity is correct, but it's an actual attack (other devices ignored the attack, and yet other devices changed the window of accepted codes from 15 to 3). I don't think you are going to damage the receiver from a replay attack, you just might make it so the transmitter you own is useless.
      When you do signal fuzzing, this is where you are trying to manipulate the signal to create some state that the receiver was never designed for. In my Infrared videos, we fuzz signals that are similar to a received signal and discovered new weapon strengths on our LaserTag game, new signals that jumped directly to an input on our TV, etc. In Sub-GHz fuzzing works the same way, where you are sending similar codes to the original (or change the speed of the code, the modulation, the preamble, etc.) I had a device where button 0x08 triggered a motor providing +12V and where button 0x01 triggered the same motor providing -12V. It was only ever designed for those two button codes to be received; but when you sent button 0x09 it caused a malfunction (huge current draw + some smoke) and ended up with the receiver doing a permanent short to the +12V rail, even when no signal is detected. This kind of failure is rare, but the design only expected 0x08 or 0x01 but never both at the same time. It's a similar failure to how, before I created the ua-cam.com/video/NWxsKqPtEHw/v-deo.html circuit, it was possible for two of the traffic lights to be on at the same time. Basically, when you are sending unexpected inputs, the circuit could malfunction. It's rare, but it can happen.
      If you can't afford to fix the thing that breaks or go without it, then you probably shouldn't be doing fuzzing. At the same time, fuzzing can be really rewarding when you get the device to do something it wasn't intended for, so if you can afford to fix it and you don't rely on it, then I recommend it. I was able to slow down a Princeton signal, so that the remote outlet still turns on/off but another Flipper doing "Sub-GHz Read" is no longer able to decode the signal (but they still can do a replay attack using Sub-GHz Read-RAW if they know when to record the signal).

    • 1 year ago

      @MrDerekJamison thanks for such a great explanation. Also I think that the distinction between interference and attack is key and I was treating it as analogous.

  • @sknokaze
    @sknokaze 3 months ago

    Sad that the FZ analyzer cannot read the signal of my garage door remote even in RAW mode

    • @MrDerekJamison
      @MrDerekJamison 3 months ago

      That's too bad. Not every protocol is supported. You need to be on the proper frequency and modulation. And the Sub-GHz app doesn't support every modulation (like if the amplitude is part of the signal or if it uses 4-FSK). Still, it works for a lot of devices.
      If your remote has an FCC ID, then you can look that up and often learn the frequency.

  • @jamesward9899
    @jamesward9899 1 year ago

    Trying to just get my door to go up. I've tried reading raw and saved 5 clicks. At frequency 433.92 which seems ok. Tried all AM and the door still won't open.

    • @MrDerekJamison
      @MrDerekJamison 1 year ago

      Are you sure 433.92 is the proper frequency for your remote? If you record the signal (out of range of the door) then play it back, it should open.
      Some fixed code remotes don't use OOK/ASK for modulation, they actually vary the signal strength as an analog code, which I don't think will be possible to replay using the Flipper Zero, so that could be the problem too.

    • @jamesward9899
      @jamesward9899 1 year ago

      @MrDerekJamison thank you. I'll have to do a bit of digging. The remote is B&D, an Australian company I believe. I have tried multiple times when out of range with our door. Still no luck. I may have to try different frequencies as it can vary from 433.92; however, 60% of the time through the analyser it is 433.92.

  • @SlavkosHobbyChannel
    @SlavkosHobbyChannel 1 year ago +1

    Great video!

    • @MrDerekJamison
      @MrDerekJamison 1 year ago +1

      Thank you. I’ll try to release the next video in this series next week.

  • @phish27134
    @phish27134 1 year ago +2

    show bruteforce

    • @MrDerekJamison
      @MrDerekJamison 1 year ago

      Ok. Next Saturday I'll try to make a video to see what it takes to bruteforce my Genie garage door opener that is using Keeloq with an unknown MF code. I'll try both scan forward and random seek. We will assume that we can capture the fixed code, since that's easy to do if anyone ever uses their remote and you are in range.

    • @phish27134
      @phish27134 1 year ago

      @MrDerekJamison btw your videos have been amazing!

  • @Hackdaplanet-lp1ex
    @Hackdaplanet-lp1ex 20 days ago

    U know, without Flipper I'm Superman, but with my Flipper and Momentum I am now BLACK ADAM, nothing can stop me... let's get started...

    • @MrDerekJamison
      @MrDerekJamison 16 days ago

      I really like Momentum too. Willy has done some amazing work adding features. RogueMaster is also sometimes interesting to run (he always manages to find apps that I've never heard of -- once you know about them, it's typically easy to add those to your Momentum firmware too).

  • @jeffreybrunken556
    @jeffreybrunken556 1 year ago

    Thank you!

    • @MrDerekJamison
      @MrDerekJamison 1 year ago

      You're welcome! Next video in series is Sept 2nd.

  • @my-rules
    @my-rules 1 year ago

    Ty Derek.