0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/413 Thanks! 1 00:00:09,190 --> 00:00:11,619 Welcome to the talk MegaCode to Facility 2 00:00:11,620 --> 00:00:13,839 Gates, and in this talk 3 00:00:13,840 --> 00:00:15,909 I will simply present what 4 00:00:15,910 --> 00:00:19,119 I did with this remote. Um, 5 00:00:19,120 --> 00:00:21,639 it will be about electronics, 6 00:00:21,640 --> 00:00:23,469 about microcontrollers, about software 7 00:00:23,470 --> 00:00:24,639 defined radio. 8 00:00:24,640 --> 00:00:26,769 But I won't go into details, 9 00:00:26,770 --> 00:00:28,359 also because there are not a lot of 10 00:00:28,360 --> 00:00:30,219 details. It's just a simple level, 11 00:00:30,220 --> 00:00:32,109 so everyone should be able to understand 12 00:00:32,110 --> 00:00:34,299 it. And even if you didn't do any 13 00:00:34,300 --> 00:00:36,549 hardware hacking yet, this talk 14 00:00:36,550 --> 00:00:38,709 should encourage you to do it because 15 00:00:38,710 --> 00:00:40,210 it doesn't have to be hard. 16 00:00:41,320 --> 00:00:42,909 Also, it's not a new attack. 17 00:00:42,910 --> 00:00:44,559 I will spoil it from the beginning on: 18 00:00:44,560 --> 00:00:46,989 the remote is sending a fixed code 19 00:00:46,990 --> 00:00:48,789 and I just replay this code. 20 00:00:48,790 --> 00:00:50,409 So no new attack in there. 21 00:00:50,410 --> 00:00:52,539 But the way to achieve it, this 22 00:00:52,540 --> 00:00:54,399 was quite fun.
23 00:00:54,400 --> 00:00:56,679 So whenever, if you ever wanted 24 00:00:56,680 --> 00:00:58,839 to make some electronics and 25 00:00:58,840 --> 00:01:00,939 you find that it is boring 26 00:01:00,940 --> 00:01:02,679 but you don't know what to do, or if you 27 00:01:02,680 --> 00:01:04,089 wanted to play with software defined 28 00:01:04,090 --> 00:01:05,799 radio, but you think that software 29 00:01:05,800 --> 00:01:07,869 defined radio or radio transmissions 30 00:01:07,870 --> 00:01:10,149 are complicated, which they are, 31 00:01:10,150 --> 00:01:12,040 then this is a perfect job for you. 32 00:01:14,710 --> 00:01:16,489 There is one woman who is happy, that's 33 00:01:16,490 --> 00:01:17,579 good, good. One happy person. 34 00:01:17,580 --> 00:01:19,039 So I looked at this remote. 35 00:01:19,040 --> 00:01:21,259 I was in the US for a 36 00:01:21,260 --> 00:01:22,909 couple of months and they gave me this 37 00:01:22,910 --> 00:01:24,909 remote to access my building. 38 00:01:24,910 --> 00:01:26,359 They gave it to everyone. 39 00:01:26,360 --> 00:01:28,459 And I wanted to know how secure 40 00:01:28,460 --> 00:01:30,619 is this access gate, the access 41 00:01:30,620 --> 00:01:32,239 gate to the building. So this remote is 42 00:01:32,240 --> 00:01:34,159 used for the garage. In the US 43 00:01:34,160 --> 00:01:36,019 you're almost forced to have a car 44 00:01:36,020 --> 00:01:37,699 because public transport is not that 45 00:01:37,700 --> 00:01:39,289 good. So they give it to access the 46 00:01:39,290 --> 00:01:41,659 garage, but also they give it to access 47 00:01:41,660 --> 00:01:42,709 the main entry. 48 00:01:42,710 --> 00:01:45,019 Nobody uses it, but it's still there. 49 00:01:45,020 --> 00:01:47,199 And what's important: it gives you 50 00:01:47,200 --> 00:01:49,069 access to the pool area. 51 00:01:49,070 --> 00:01:50,479 Don't ask me why it's fenced.
52 00:01:50,480 --> 00:01:52,219 I also find it a bit stupid, but it's 53 00:01:52,220 --> 00:01:53,689 fenced. You have the remote, you can 54 00:01:53,690 --> 00:01:55,849 access it, and we will see that the 55 00:01:55,850 --> 00:01:58,219 hot tub will play a very important part 56 00:01:58,220 --> 00:02:00,619 in it. The reason why I 57 00:02:00,620 --> 00:02:02,689 looked at it is simply because there is this 58 00:02:02,690 --> 00:02:04,969 gate. You can jump over it, but it's 59 00:02:04,970 --> 00:02:06,610 a lot more fun to do it, isn't it? 60 00:02:09,199 --> 00:02:11,389 So they provide you 61 00:02:11,390 --> 00:02:13,609 one remote, which is only 62 00:02:13,610 --> 00:02:15,409 for one part of the building, and you 63 00:02:15,410 --> 00:02:16,729 shouldn't have access to the other 64 00:02:16,730 --> 00:02:18,439 buildings. And as you can see, this 65 00:02:18,440 --> 00:02:20,539 complex, this facility complex, has 66 00:02:20,540 --> 00:02:21,649 a lot of buildings. 67 00:02:21,650 --> 00:02:23,509 And this remote is not only used in this 68 00:02:23,510 --> 00:02:25,909 complex, it's used 69 00:02:25,910 --> 00:02:28,009 in a lot of complexes in California, 70 00:02:28,010 --> 00:02:29,569 or at least, just by driving by, 71 00:02:29,570 --> 00:02:31,549 I could recognize some of the things. 72 00:02:31,550 --> 00:02:33,709 And if you have seen this remote, 73 00:02:33,710 --> 00:02:35,150 it's exactly the same system. 74 00:02:36,410 --> 00:02:38,779 But before starting to 75 00:02:38,780 --> 00:02:40,999 already disassemble the remote, 76 00:02:41,000 --> 00:02:42,739 it's important to find information, 77 00:02:42,740 --> 00:02:44,479 particularly if you're a beginner.
78 00:02:44,480 --> 00:02:46,789 If you already have done 79 00:02:46,790 --> 00:02:48,109 a lot of hardware hacking, then you can 80 00:02:48,110 --> 00:02:49,589 already disassemble it, look at it, 81 00:02:49,590 --> 00:02:51,709 figure out what component is what, what 82 00:02:51,710 --> 00:02:53,599 it does. If you already know software 83 00:02:53,600 --> 00:02:55,879 defined radio, you will probably find 84 00:02:55,880 --> 00:02:57,769 out which kind of modulation it uses in 85 00:02:57,770 --> 00:02:59,449 the beginning. But if you've never done 86 00:02:59,450 --> 00:03:01,279 it, it's pretty hard. 87 00:03:01,280 --> 00:03:04,009 So finding some documents about 88 00:03:04,010 --> 00:03:06,289 the remote will help you to indicate, 89 00:03:06,290 --> 00:03:08,389 OK, this is how it works, this is how 90 00:03:08,390 --> 00:03:09,709 it modulates and so on. 91 00:03:09,710 --> 00:03:11,929 And I can only infer that it will save a 92 00:03:11,930 --> 00:03:12,930 lot of time. 93 00:03:13,940 --> 00:03:15,979 Um, so we need to identify the remote. 94 00:03:15,980 --> 00:03:18,199 We can see on the front there's not 95 00:03:18,200 --> 00:03:20,509 a lot of information; on the back, nothing 96 00:03:20,510 --> 00:03:22,699 written. There's even a sticker missing. 97 00:03:22,700 --> 00:03:24,949 And if you open it, you see 98 00:03:24,950 --> 00:03:26,989 that the electronics are 99 00:03:26,990 --> 00:03:28,429 pretty simple. It doesn't have a lot of 100 00:03:28,430 --> 00:03:30,469 components, but it doesn't tell you who 101 00:03:30,470 --> 00:03:32,719 is the vendor or what the product 102 00:03:32,720 --> 00:03:34,429 is. On the back too, 103 00:03:34,430 --> 00:03:36,739 it doesn't tell you. There's even a sticker 104 00:03:36,740 --> 00:03:38,179 with...
I think it's the code which is 105 00:03:38,180 --> 00:03:39,739 transmitted, but I never really 106 00:03:39,740 --> 00:03:41,839 figured out how they encoded 107 00:03:41,840 --> 00:03:43,309 it, how they transmitted it. 108 00:03:43,310 --> 00:03:45,589 It's not too important, though, but 109 00:03:45,590 --> 00:03:47,569 we didn't find any information. 110 00:03:47,570 --> 00:03:50,209 Whenever there is a transmitter, 111 00:03:50,210 --> 00:03:51,439 there is a receiver. 112 00:03:51,440 --> 00:03:53,029 So you just run around the building and 113 00:03:53,030 --> 00:03:54,949 try to find the receivers to know if they 114 00:03:54,950 --> 00:03:57,139 have markings. On the garage gate 115 00:03:57,140 --> 00:03:58,789 the receiver is on top. 116 00:03:58,790 --> 00:03:59,869 It's just a black box. 117 00:03:59,870 --> 00:04:01,999 It doesn't tell you a lot. On the 118 00:04:02,000 --> 00:04:02,989 pool, 119 00:04:02,990 --> 00:04:05,269 it's also just an aluminum box, no markings 120 00:04:05,270 --> 00:04:07,249 on it. We still don't know. At the main 121 00:04:07,250 --> 00:04:08,149 entry, 122 00:04:08,150 --> 00:04:10,489 this is where you find our fancy dial pad 123 00:04:10,490 --> 00:04:12,709 to contact the residents. 124 00:04:12,710 --> 00:04:14,989 And we see on the top it says it's 125 00:04:14,990 --> 00:04:16,129 from Linear. 126 00:04:16,130 --> 00:04:18,319 So at least we know the vendor, probably. 127 00:04:19,640 --> 00:04:21,409 And after such hard work and running 128 00:04:21,410 --> 00:04:23,209 around the building, you enjoy the hot 129 00:04:23,210 --> 00:04:24,199 tub. 130 00:04:24,200 --> 00:04:26,059 And this is where you use the second 131 00:04:26,060 --> 00:04:28,249 skill, your social skills, simply 132 00:04:28,250 --> 00:04:30,979 because every resident has a remote.
133 00:04:30,980 --> 00:04:33,049 So you make acquaintances, you're 134 00:04:33,050 --> 00:04:35,179 making friends, and you ask, please, 135 00:04:35,180 --> 00:04:36,410 can I have a look at your remote? 136 00:04:37,550 --> 00:04:39,439 And this one had the sticker. 137 00:04:39,440 --> 00:04:41,179 And it's particularly useful: from the 138 00:04:41,180 --> 00:04:44,029 sticker we find the vendor is Linear 139 00:04:44,030 --> 00:04:46,249 and the product is 34 140 00:04:46,250 --> 00:04:47,179 [unclear]. 141 00:04:47,180 --> 00:04:49,009 On the website we can find it, so the 142 00:04:49,010 --> 00:04:50,989 product still exists. 143 00:04:50,990 --> 00:04:53,509 We know it operates on 318 144 00:04:53,510 --> 00:04:56,749 megahertz. It can send 1,000,000 codes, 145 00:04:56,750 --> 00:04:59,089 but the manual doesn't tell a lot. And 146 00:05:00,200 --> 00:05:01,769 we already know what frequency it transmits on, 147 00:05:01,770 --> 00:05:03,439 but we want to continue and find more 148 00:05:03,440 --> 00:05:04,440 information. 149 00:05:05,240 --> 00:05:06,859 Again, if we look at the remote on the 150 00:05:06,860 --> 00:05:09,139 top, you will see there is an FCC 151 00:05:09,140 --> 00:05:11,269 ID. And this is one thing I know of in 152 00:05:11,270 --> 00:05:13,639 the US, it's that 153 00:05:13,640 --> 00:05:15,739 whenever a manufacturer 154 00:05:15,740 --> 00:05:17,239 wants to produce something which 155 00:05:17,240 --> 00:05:19,399 transmits radio, they have 156 00:05:19,400 --> 00:05:21,919 to comply with some regulations and 157 00:05:21,920 --> 00:05:24,349 they send test reports to the regulation 158 00:05:24,350 --> 00:05:26,599 authority, the FCC, to show, OK, 159 00:05:26,600 --> 00:05:28,819 I transmit that power and it complies 160 00:05:28,820 --> 00:05:31,069 with FCC Part 15 for radio 161 00:05:31,070 --> 00:05:32,119 transmission.
162 00:05:32,120 --> 00:05:34,249 And the FCC shows you 163 00:05:34,250 --> 00:05:35,869 these documents, and compared to the 164 00:05:35,870 --> 00:05:37,519 manual, the technical documents. 165 00:05:37,520 --> 00:05:39,739 So this is where we find the really 166 00:05:39,740 --> 00:05:41,869 needed information, and we can 167 00:05:41,870 --> 00:05:44,179 see that they provide a lot of 168 00:05:44,180 --> 00:05:46,159 data, although they don't have to provide 169 00:05:46,160 --> 00:05:48,259 so much. So further, the test reports 170 00:05:48,260 --> 00:05:50,479 tell you what kind of transmission 171 00:05:50,480 --> 00:05:52,729 it uses. And you will see it's 172 00:05:52,730 --> 00:05:55,129 amplitude modulation, something 173 00:05:55,130 --> 00:05:56,089 which is very simple. 174 00:05:56,090 --> 00:05:58,309 So the signal, if it's strong or not, 175 00:05:58,310 --> 00:05:59,839 gives you the level. 176 00:05:59,840 --> 00:06:02,419 It's also A1D. 177 00:06:02,420 --> 00:06:04,159 And if you look in Wikipedia, in the first 178 00:06:04,160 --> 00:06:06,469 instance A is for amplitude, one 179 00:06:06,470 --> 00:06:09,079 is just one channel, 318 megahertz, D for 180 00:06:09,080 --> 00:06:10,189 digital, I think. 181 00:06:10,190 --> 00:06:12,379 So there's only two levels, either 182 00:06:12,380 --> 00:06:14,009 on or off. 183 00:06:14,010 --> 00:06:15,139 Very simple transmission. 184 00:06:15,140 --> 00:06:17,539 And the data is probably 185 00:06:17,540 --> 00:06:19,789 coded in pulse position. 186 00:06:19,790 --> 00:06:22,279 It even provides you some information about 187 00:06:22,280 --> 00:06:24,859 how the MegaCode code is sent. 188 00:06:24,860 --> 00:06:27,379 You have 24 frames, 189 00:06:27,380 --> 00:06:29,599 24 bit frames. 190 00:06:29,600 --> 00:06:31,459 It's six milliseconds long between each 191 00:06:31,460 --> 00:06:33,619 other, and within each frame you 192 00:06:33,620 --> 00:06:34,999 have a one millisecond pulse.
193 00:06:35,000 --> 00:06:37,249 So you have, the remote goes on and just 194 00:06:37,250 --> 00:06:39,229 transmits very loud at this, at this 195 00:06:39,230 --> 00:06:40,279 frequency. 196 00:06:40,280 --> 00:06:42,229 And they were so kind to provide a 197 00:06:42,230 --> 00:06:44,299 timing diagram and everything, just 198 00:06:44,300 --> 00:06:46,429 because, after we found everything at 199 00:06:46,430 --> 00:06:48,659 the FCC, we almost already know how 200 00:06:48,660 --> 00:06:49,549 it's encoded. 201 00:06:49,550 --> 00:06:51,769 So we save a lot of time. 202 00:06:51,770 --> 00:06:53,109 And as we can see, we have a snippet. 203 00:06:53,110 --> 00:06:55,969 So the remote, the receiver knows 204 00:06:55,970 --> 00:06:58,129 there's a signal, like we recorded: 205 00:06:58,130 --> 00:07:00,529 [unclear], a 20-bit 206 00:07:00,530 --> 00:07:03,049 system code with the three data bits, 207 00:07:03,050 --> 00:07:04,939 and then there's a blank cell before you 208 00:07:04,940 --> 00:07:06,379 send the next code. 209 00:07:07,490 --> 00:07:09,709 And as written, 210 00:07:09,710 --> 00:07:11,869 each bit frame is six milliseconds long, 211 00:07:11,870 --> 00:07:14,389 each pulse is one millisecond long. 212 00:07:14,390 --> 00:07:17,149 Now we know how it transmits its data. 213 00:07:17,150 --> 00:07:19,039 To play with software defined radio, 214 00:07:19,040 --> 00:07:20,899 even for entry level, you have this cheap 215 00:07:20,900 --> 00:07:22,999 RTL-SDR, which everyone speaks 216 00:07:23,000 --> 00:07:25,009 about, only twenty dollars software 217 00:07:25,010 --> 00:07:26,010 defined radio. 218 00:07:27,740 --> 00:07:29,959 You look at the frequency here, 219 00:07:29,960 --> 00:07:31,609 you use it as the range, you tune to the 220 00:07:31,610 --> 00:07:33,709 frequency, and this is, on the left, 221 00:07:33,710 --> 00:07:35,399 the frequency.
On the top you can see a 222 00:07:35,400 --> 00:07:37,579 fast Fourier transformation which will 223 00:07:37,580 --> 00:07:39,049 tell you at which frequency 224 00:07:39,050 --> 00:07:40,819 there is a strong signal, and we see there 225 00:07:40,820 --> 00:07:43,279 is a peak at 318 megahertz. 226 00:07:43,280 --> 00:07:44,749 On the bottom you see a waterfall 227 00:07:44,750 --> 00:07:45,649 diagram. 228 00:07:45,650 --> 00:07:47,209 It's almost the same as on the top, 229 00:07:47,210 --> 00:07:49,309 but you have the timing component. 230 00:07:49,310 --> 00:07:51,259 So you can see over time how the signal 231 00:07:51,260 --> 00:07:53,989 is, and you can clearly see the pulses, 232 00:07:53,990 --> 00:07:55,309 every time on and off. 233 00:07:56,510 --> 00:07:58,579 Whenever there's a yellow peak, it's a, 234 00:07:58,580 --> 00:07:59,580 it's a pulse. 235 00:08:00,500 --> 00:08:03,289 It seems to correspond to the, to the 236 00:08:03,290 --> 00:08:05,029 specification. And that's, that's good. 237 00:08:07,460 --> 00:08:08,749 Software defined radio can be 238 00:08:08,750 --> 00:08:11,179 complicated, and GNU Radio is complicated. 239 00:08:11,180 --> 00:08:13,279 And I don't, I'm not a 240 00:08:13,280 --> 00:08:14,869 fan of it. Oh, I don't know how to use 241 00:08:14,870 --> 00:08:16,189 it. It's probably very good. But we want 242 00:08:16,190 --> 00:08:18,259 to keep things very easy, and 243 00:08:18,260 --> 00:08:19,549 we know it's AM modulation. 244 00:08:19,550 --> 00:08:22,009 So I just use a tool called rtl_fm, 245 00:08:22,010 --> 00:08:23,839 which 246 00:08:25,460 --> 00:08:28,099 can do it, for 247 00:08:28,100 --> 00:08:29,689 listening to audio using the software 248 00:08:29,690 --> 00:08:30,919 defined radio. So you tune to the 249 00:08:30,920 --> 00:08:33,288 frequency. You tell it the frequency, 250 00:08:33,289 --> 00:08:34,639 the modulation.
251 00:08:34,640 --> 00:08:36,739 You put it in a file and then 252 00:08:36,740 --> 00:08:39,079 you open the file using any audio editing 253 00:08:39,080 --> 00:08:41,329 tool. And here we can see again 254 00:08:41,330 --> 00:08:43,519 two times twenty four pulses. 255 00:08:43,520 --> 00:08:45,109 If we look at the details, we find the 256 00:08:45,110 --> 00:08:47,179 pulses are one millisecond long and 257 00:08:47,180 --> 00:08:49,549 you have groups, you have bursts, 258 00:08:49,550 --> 00:08:51,839 and you have bit frames of six 259 00:08:51,840 --> 00:08:53,119 milliseconds. 260 00:08:53,120 --> 00:08:54,199 And we know the information. 261 00:08:54,200 --> 00:08:56,599 It's pulse position, it's quite useful 262 00:08:56,600 --> 00:08:58,009 because it's a bit frame. 263 00:08:58,010 --> 00:09:00,229 So there's only one per frame, and 264 00:09:00,230 --> 00:09:01,219 then there's its position. 265 00:09:01,220 --> 00:09:03,139 And if you look at it, if the pulse is in 266 00:09:03,140 --> 00:09:04,639 the first half, it's a zero. 267 00:09:04,640 --> 00:09:06,349 If it's in the second half, it's a one. 268 00:09:06,350 --> 00:09:07,369 This is not written in the 269 00:09:07,370 --> 00:09:09,109 documentation, but you figure it out 270 00:09:09,110 --> 00:09:11,359 pretty easily, and 271 00:09:11,360 --> 00:09:12,619 we know how it's encoded. 272 00:09:12,620 --> 00:09:14,869 So we wrote a program which just takes 273 00:09:14,870 --> 00:09:17,359 this demodulated 274 00:09:17,360 --> 00:09:19,549 data and finds out 275 00:09:19,550 --> 00:09:21,109 the code. It's pretty short: 276 00:09:21,110 --> 00:09:22,309 one hundred seven lines of code.
277 00:09:23,870 --> 00:09:25,489 It detects the edges, it groups them 278 00:09:25,490 --> 00:09:27,649 into pulses of one millisecond, 279 00:09:27,650 --> 00:09:29,839 then it groups 280 00:09:29,840 --> 00:09:31,879 the one millisecond pulses into groups of 281 00:09:31,880 --> 00:09:33,919 twenty four, and then it decodes it. 282 00:09:33,920 --> 00:09:36,019 And here we can see on the left the 283 00:09:36,020 --> 00:09:37,579 values which were recorded, the twenty four 284 00:09:37,580 --> 00:09:39,859 bits, the three bytes, 285 00:09:39,860 --> 00:09:42,019 and we immediately see it's 286 00:09:42,020 --> 00:09:44,809 exactly the same code all the time. 287 00:09:44,810 --> 00:09:46,489 It's individual per remote, but it's 288 00:09:46,490 --> 00:09:47,929 actually the same. So we have a replay 289 00:09:47,930 --> 00:09:50,149 attack: if we can record it and we 290 00:09:50,150 --> 00:09:51,139 can send it, 291 00:09:51,140 --> 00:09:52,369 we have a clone of the remote, 292 00:09:53,870 --> 00:09:56,479 only using this documentation 293 00:09:56,480 --> 00:09:57,829 which we have. 294 00:09:57,830 --> 00:09:59,529 Um, so we have, 295 00:09:59,530 --> 00:10:01,669 we want to send it. Look again at 296 00:10:01,670 --> 00:10:03,759 the FCC: can we reflash the 297 00:10:03,760 --> 00:10:05,949 remote using our own code? 298 00:10:05,950 --> 00:10:08,079 In electronics, you have a 299 00:10:08,080 --> 00:10:09,639 board layout which tells you which 300 00:10:09,640 --> 00:10:11,109 component is where. 301 00:10:11,110 --> 00:10:13,029 This was also provided. You can see the 302 00:10:13,030 --> 00:10:15,309 footprints for putting a switch, S1. 303 00:10:15,310 --> 00:10:17,559 And every component has a 304 00:10:17,560 --> 00:10:19,149 reference: S1 is for switches, 305 00:10:19,150 --> 00:10:21,249 U1 is for the microcontroller, and 306 00:10:21,250 --> 00:10:23,649 so on. Basics.
307 00:10:23,650 --> 00:10:25,989 So you will learn how to read printed 308 00:10:25,990 --> 00:10:26,990 circuit boards. 309 00:10:27,790 --> 00:10:29,919 There are also schematics. Schematics are a bit more 310 00:10:29,920 --> 00:10:32,049 abstract. Before you 311 00:10:32,050 --> 00:10:33,249 do your circuit board, 312 00:10:33,250 --> 00:10:35,469 you just want to know 313 00:10:35,470 --> 00:10:37,179 which component is connected to which 314 00:10:37,180 --> 00:10:39,369 other. Where they are placed and how 315 00:10:39,370 --> 00:10:41,169 they're connected, you don't really care. 316 00:10:41,170 --> 00:10:42,489 You just want to find out how they're 317 00:10:42,490 --> 00:10:44,019 connected. This is what schematics are 318 00:10:44,020 --> 00:10:45,020 for. 319 00:10:45,370 --> 00:10:47,529 And if you get, if you 320 00:10:47,530 --> 00:10:49,299 learn a bit how, how they work, you will 321 00:10:49,300 --> 00:10:50,679 find out there are the switches on the 322 00:10:50,680 --> 00:10:52,779 left, a microcontroller in the middle, 323 00:10:52,780 --> 00:10:55,299 the clock just, just behind it for 318 324 00:10:55,300 --> 00:10:57,909 megahertz and then the antenna. 325 00:10:57,910 --> 00:11:00,109 This is also what we see, we identify it 326 00:11:00,110 --> 00:11:01,829 again on the board because we have the 327 00:11:01,830 --> 00:11:04,059 reference which tells us 328 00:11:04,060 --> 00:11:06,249 U1 is the microcontroller. 329 00:11:06,250 --> 00:11:07,389 Look for U1 on the board, 330 00:11:07,390 --> 00:11:09,189 you will find a microcontroller and you 331 00:11:09,190 --> 00:11:11,409 will find the plug, the switch, the antenna 332 00:11:11,410 --> 00:11:13,329 and the passive components.
333 00:11:13,330 --> 00:11:15,639 And even if you didn't do electronics, 334 00:11:15,640 --> 00:11:17,659 you already pretty much know how to read 335 00:11:17,660 --> 00:11:19,599 schematics, how to read boards and how to 336 00:11:19,600 --> 00:11:20,679 identify components. 337 00:11:22,210 --> 00:11:24,349 The problem with that one is that it uses 338 00:11:24,350 --> 00:11:27,129 a Microchip PIC microcontroller 339 00:11:27,130 --> 00:11:29,259 and this one is only 340 00:11:29,260 --> 00:11:30,489 one time programmable. 341 00:11:30,490 --> 00:11:32,739 So you can look at the, 342 00:11:32,740 --> 00:11:34,329 I know this because of the schematic. 343 00:11:34,330 --> 00:11:36,549 The schematic told me it uses this chip. 344 00:11:36,550 --> 00:11:38,739 And if you look for a Microchip, which is 345 00:11:38,740 --> 00:11:41,109 a big microcontroller company, 346 00:11:41,110 --> 00:11:43,299 very known for hobby projects, you'll 347 00:11:43,300 --> 00:11:44,559 find it is only one time programmable. 348 00:11:44,560 --> 00:11:46,719 So I cannot reflash the code on it. 349 00:11:46,720 --> 00:11:48,969 It also has code protection, so I cannot 350 00:11:48,970 --> 00:11:50,230 read the firmware on it. 351 00:11:51,250 --> 00:11:52,630 This way, I cannot reflash it. 352 00:11:52,631 --> 00:11:53,740 That's, that's a bit of a shame. 353 00:11:54,910 --> 00:11:56,979 But the signal is so easy that 354 00:11:56,980 --> 00:11:58,509 probably somebody already did a 355 00:11:58,510 --> 00:11:59,889 compatible device. 356 00:11:59,890 --> 00:12:02,289 So you look, you use your Amazon 357 00:12:02,290 --> 00:12:03,909 and eBay skills, you look for a Linear 358 00:12:03,910 --> 00:12:05,979 MegaCode compatible remote and you 359 00:12:05,980 --> 00:12:08,019 find one which is not by the same vendor, 360 00:12:08,020 --> 00:12:10,029 it's by Transmitter Solutions. 361 00:12:10,030 --> 00:12:11,679 It's the Monarch
362 00:12:11,680 --> 00:12:14,019 318 [unclear] 363 00:12:14,020 --> 00:12:16,389 [unclear] 364 00:12:16,390 --> 00:12:17,979 318 megahertz, 365 00:12:17,980 --> 00:12:19,359 in fact the same frequency. 366 00:12:19,360 --> 00:12:21,609 It's compatible with the Linear [unclear] 367 00:12:21,610 --> 00:12:23,799 MegaCode. That's what we have, and 368 00:12:23,800 --> 00:12:24,999 it's programmable. 369 00:12:25,000 --> 00:12:26,499 That's interesting. The other one was not 370 00:12:26,500 --> 00:12:27,500 programmable. 371 00:12:28,810 --> 00:12:30,549 The manual doesn't tell you how to 372 00:12:30,550 --> 00:12:31,119 program it. 373 00:12:31,120 --> 00:12:33,429 There's a small section telling you to contact 374 00:12:33,430 --> 00:12:35,529 your manufacturer, but there's the FCC ID 375 00:12:35,530 --> 00:12:37,749 on the right, and we've seen the FCC 376 00:12:37,750 --> 00:12:39,159 is pretty interesting. 377 00:12:40,800 --> 00:12:42,989 So you 378 00:12:42,990 --> 00:12:45,119 look at it; you don't find 379 00:12:45,120 --> 00:12:47,159 as much information as the previous one, 380 00:12:47,160 --> 00:12:48,959 but at least you have a picture of the 381 00:12:48,960 --> 00:12:51,299 interior and you will almost 382 00:12:51,300 --> 00:12:52,979 immediately see that on the top there 383 00:12:52,980 --> 00:12:55,079 is a pin header which is unsoldered, 384 00:12:55,080 --> 00:12:56,879 and this indicates that this is the 385 00:12:56,880 --> 00:12:58,829 programming header which you should 386 00:12:58,830 --> 00:13:00,119 connect to, to program it. 387 00:13:01,380 --> 00:13:03,509 We verified the programming header is the 388 00:13:03,510 --> 00:13:06,059 same. We can read from the top markings 389 00:13:06,060 --> 00:13:08,529 on the chip what kind of microcontroller 390 00:13:08,530 --> 00:13:10,449 it is. And this one is flashable.
391 00:13:10,450 --> 00:13:12,509 It's again a Microchip PIC 392 00:13:12,510 --> 00:13:14,489 microcontroller, but it's based on 393 00:13:14,490 --> 00:13:15,629 flash and I can program it. 394 00:13:15,630 --> 00:13:17,729 The next 395 00:13:17,730 --> 00:13:18,749 skill will be soldering. 396 00:13:19,980 --> 00:13:22,019 Even if you never did any hardware, you 397 00:13:22,020 --> 00:13:23,939 just have to solder the pins on the 398 00:13:23,940 --> 00:13:26,189 right side so you can connect 399 00:13:26,190 --> 00:13:28,170 your programmer and program the chip. 400 00:13:29,400 --> 00:13:30,899 For entry level 401 00:13:30,900 --> 00:13:32,039 it's soldering. 402 00:13:32,040 --> 00:13:32,999 It's pretty good. 403 00:13:33,000 --> 00:13:34,110 It's pretty easy to make. 404 00:13:36,560 --> 00:13:39,019 We also want to know how 405 00:13:39,020 --> 00:13:40,309 the things are connected. This time, they 406 00:13:40,310 --> 00:13:41,749 didn't provide the schematic, but we 407 00:13:41,750 --> 00:13:44,059 learned a bit how to read boards. 408 00:13:44,060 --> 00:13:46,339 We can find the microcontroller, the clock, the 409 00:13:46,340 --> 00:13:48,989 antenna, [unclear] the programming header. 410 00:13:48,990 --> 00:13:50,869 And if you check with the multimeter how 411 00:13:50,870 --> 00:13:53,059 they're connected, you find the schematic 412 00:13:53,060 --> 00:13:55,099 again and you can write your own 413 00:13:55,100 --> 00:13:57,559 schematic. This time: microcontroller, 414 00:13:57,560 --> 00:13:59,839 clock, switch. Pretty simple, actually 415 00:13:59,840 --> 00:14:01,999 even simpler than any Arduino 416 00:14:02,000 --> 00:14:04,099 or things like that. 417 00:14:04,100 --> 00:14:06,469 So even if you didn't use Arduino, 418 00:14:06,470 --> 00:14:08,899 you can use this as an entry to programming. 419 00:14:10,520 --> 00:14:11,599 We figured out how everything is 420 00:14:11,600 --> 00:14:13,699 connected.
We know how the signal is 421 00:14:13,700 --> 00:14:15,619 modulated, how you have to send it. 422 00:14:15,620 --> 00:14:17,779 So it's time to write our own firmware 423 00:14:17,780 --> 00:14:20,009 and just enable the clock and 424 00:14:20,010 --> 00:14:22,189 the transmission at one, one 425 00:14:22,190 --> 00:14:24,229 millisecond long every six milliseconds. 426 00:14:24,230 --> 00:14:26,089 And we know the pattern. 427 00:14:26,090 --> 00:14:28,100 And if you could switch to, to the camera. 428 00:14:29,630 --> 00:14:31,189 So, so I wrote the program. 429 00:14:31,190 --> 00:14:32,190 It's pretty simple. 430 00:14:33,170 --> 00:14:35,299 Five lines of code, and this way I can 431 00:14:35,300 --> 00:14:37,070 flash my code on it. 432 00:14:38,780 --> 00:14:39,780 But 433 00:14:41,570 --> 00:14:42,570 this. 434 00:14:54,570 --> 00:14:56,819 Where is my terminal? 435 00:14:56,820 --> 00:14:57,820 Oh, it doesn't. 436 00:14:58,890 --> 00:15:01,139 Can you show the camera? OK. 437 00:15:01,140 --> 00:15:02,399 They will, well, they do it. 438 00:15:02,400 --> 00:15:03,959 I will just start the software defined 439 00:15:03,960 --> 00:15:05,909 radio so we can really see the 440 00:15:05,910 --> 00:15:06,910 transmission. 441 00:15:07,980 --> 00:15:10,559 And which terminal is it? [unclear] 442 00:15:10,560 --> 00:15:12,869 [unclear]. So here we have the 443 00:15:12,870 --> 00:15:15,149 software defined radio with the remote, 444 00:15:15,150 --> 00:15:16,769 with the antenna. 445 00:15:16,770 --> 00:15:19,160 The remote is here. 446 00:15:20,340 --> 00:15:23,129 Now we enable 447 00:15:23,130 --> 00:15:25,379 it. And if I press on it, 448 00:15:25,380 --> 00:15:27,449 you see the, the 449 00:15:27,450 --> 00:15:29,579 transmission which is made, and you see 450 00:15:29,580 --> 00:15:31,700 it's on, or you don't see it anymore.
451 00:15:36,340 --> 00:15:38,499 This is the, this is the [unclear], I'll talk about it 452 00:15:38,500 --> 00:15:41,109 later. And if you see on the side, 453 00:15:41,110 --> 00:15:42,939 whenever the code is transmitted, the 454 00:15:42,940 --> 00:15:43,909 light stays on. 455 00:15:43,910 --> 00:15:45,999 So it means this transmitter 456 00:15:46,000 --> 00:15:47,829 will react to this code. Normally it 457 00:15:47,830 --> 00:15:49,569 blinks blue. So I will do it by hand. 458 00:15:49,570 --> 00:15:52,239 It's somehow broken, like always in demos. 459 00:15:52,240 --> 00:15:53,679 So it will be... 460 00:15:53,680 --> 00:15:55,779 It only works 461 00:15:55,780 --> 00:15:57,429 with this remote. 462 00:15:57,430 --> 00:15:59,289 It does not work with this remote. 463 00:15:59,290 --> 00:16:01,839 As you can see, it doesn't do anything 464 00:16:01,840 --> 00:16:02,840 for now. 465 00:16:03,610 --> 00:16:04,929 Oh yeah. That's... 466 00:16:08,130 --> 00:16:10,289 Um, so we 467 00:16:10,290 --> 00:16:11,609 identify the frequency. 468 00:16:11,610 --> 00:16:13,769 Well, just quit it, and 469 00:16:13,770 --> 00:16:15,839 then we just use the decoder which we 470 00:16:15,840 --> 00:16:16,840 had. 471 00:16:18,280 --> 00:16:19,280 Press on the remote 472 00:16:20,450 --> 00:16:21,450 a couple of times, 473 00:16:22,670 --> 00:16:24,379 you exit, and here we see the value which 474 00:16:24,380 --> 00:16:26,629 we recorded on the left side. 475 00:16:26,630 --> 00:16:27,889 We know which value it uses. 476 00:16:27,890 --> 00:16:30,259 And if we look at the other remote, which 477 00:16:30,260 --> 00:16:31,260 is here... 478 00:16:33,190 --> 00:16:35,569 At home, I think you have to 479 00:16:35,570 --> 00:16:36,570 enable it. 480 00:16:38,000 --> 00:16:40,189 Yeah, make 481 00:16:40,190 --> 00:16:42,430 on. Operation succeeded.
482 00:16:48,270 --> 00:16:49,980 If I transmit this one, 483 00:16:51,270 --> 00:16:53,399 so you can see that it transmits 484 00:16:53,400 --> 00:16:54,400 using the [unclear]. 485 00:16:57,600 --> 00:16:59,279 I will find that it uses another code. 486 00:17:00,570 --> 00:17:02,879 Now, I will simply 487 00:17:02,880 --> 00:17:04,829 edit the EEPROM 488 00:17:06,750 --> 00:17:08,579 with this code, which is 489 00:17:11,520 --> 00:17:13,769 21 8 A. 490 00:17:31,770 --> 00:17:33,939 Flash it on it. So 491 00:17:33,940 --> 00:17:36,579 you use a standard, I use a PICkit 492 00:17:36,580 --> 00:17:37,919 to program. 493 00:17:37,920 --> 00:17:39,969 This is generally what you use to flash 494 00:17:39,970 --> 00:17:41,559 this micro-, 495 00:17:41,560 --> 00:17:43,299 this, these microcontrollers. 496 00:17:45,930 --> 00:17:47,459 Please, first, please. 497 00:17:54,150 --> 00:17:55,150 No picture to... 498 00:17:57,510 --> 00:17:59,400 Try to turn the USB here, 499 00:18:00,930 --> 00:18:02,099 connected directly here. 500 00:18:08,210 --> 00:18:09,109 That's not your speed. 501 00:18:09,110 --> 00:18:10,110 This is your speed. 502 00:18:14,770 --> 00:18:15,770 Flash it. 503 00:18:19,080 --> 00:18:20,080 Flash 504 00:18:21,460 --> 00:18:22,529 it from... 505 00:18:34,610 --> 00:18:35,750 Make on. 506 00:18:37,390 --> 00:18:39,529 So now the thing is 507 00:18:39,530 --> 00:18:41,779 open, and if we look 508 00:18:41,780 --> 00:18:43,670 here again and if we send a code, 509 00:18:46,310 --> 00:18:48,379 then we see that it should open 510 00:18:48,380 --> 00:18:50,659 the gate, and this is our remote, 511 00:18:50,660 --> 00:18:52,849 we cloned the code. 512 00:19:01,520 --> 00:19:03,320 Back to the presentation in front of you. 513 00:19:04,370 --> 00:19:06,419 I didn't stop it, and I didn't stop at 514 00:19:06,420 --> 00:19:08,789 just cloning the remotes. 515 00:19:08,790 --> 00:19:10,999 I, we have one code for one 516 00:19:11,000 --> 00:19:13,189 remote.
We want to have even more. 517 00:19:13,190 --> 00:19:15,049 How about getting codes from other 518 00:19:15,050 --> 00:19:16,069 remotes? 519 00:19:16,070 --> 00:19:17,809 You can do it with software defined radio 520 00:19:17,810 --> 00:19:20,059 again, but it gets... 521 00:19:20,060 --> 00:19:22,129 So the transmitter which you have is 522 00:19:22,130 --> 00:19:24,319 very centered on the frequency, and the bandwidth 523 00:19:24,320 --> 00:19:26,719 is very narrow. 524 00:19:26,720 --> 00:19:28,309 So using software defined radio, it's 525 00:19:28,310 --> 00:19:30,619 quite complicated to record a far away 526 00:19:30,620 --> 00:19:33,469 signal, you have to play with the 527 00:19:33,470 --> 00:19:34,999 gain and so on. 528 00:19:35,000 --> 00:19:37,459 I'm not sure about software defined radio, 529 00:19:37,460 --> 00:17:39,299 I'm a bit better at electronics. 530 00:19:39,300 --> 00:19:40,789 So when there's a sender, there's a 531 00:19:40,790 --> 00:19:43,099 receiver, just a receiver 532 00:19:43,100 --> 00:19:45,199 online. Formerly Demnig, I could look 533 00:19:45,200 --> 00:19:46,909 at the receiver, open it. 534 00:19:46,910 --> 00:19:49,609 You see again, not a lot of components, 535 00:19:49,610 --> 00:19:51,559 and we already learned how to identify 536 00:19:51,560 --> 00:19:53,119 them. You have the microcontroller, the 537 00:19:53,120 --> 00:19:55,439 antenna, radio filter, the voltage, 538 00:19:55,440 --> 00:19:57,799 then some memory, which is memory where 539 00:19:57,800 --> 00:19:59,659 you can store codes. And generally this 540 00:19:59,660 --> 00:20:01,729 is the memory which is used to read out 541 00:20:01,730 --> 00:20:03,049 which code is allowed or not. 542 00:20:04,340 --> 00:20:05,689 It's a single layer design. 543 00:20:05,690 --> 00:20:07,159 So on the back you will see all the 544 00:20:07,160 --> 00:20:08,509 connections to all the other pins.
545 00:20:08,510 --> 00:20:11,119 You can read them visually and, 546 00:20:11,120 --> 00:20:13,309 using the components which you can 547 00:20:13,310 --> 00:20:14,959 identify on the board, 548 00:20:14,960 --> 00:20:16,879 you can already figure out what is 549 00:20:16,880 --> 00:20:17,779 connected to what. 550 00:20:17,780 --> 00:20:19,519 You create the schematics again. 551 00:20:20,720 --> 00:20:22,969 It uses a PIC which is only 552 00:20:22,970 --> 00:20:24,289 one-time programmable. 553 00:20:24,290 --> 00:20:25,219 We don't want that. 554 00:20:25,220 --> 00:20:27,679 So we unsolder the chip. 555 00:20:27,680 --> 00:20:30,199 That's a skill which you will learn, 556 00:20:30,200 --> 00:20:32,569 not to vacuum, just vacuum 557 00:20:32,570 --> 00:20:34,369 the week. And they're pretty resistant, 558 00:20:34,370 --> 00:20:36,139 these chips. It's hard to break. 559 00:20:36,140 --> 00:20:38,239 You put your own chip, which is 560 00:20:38,240 --> 00:20:40,669 the same, but just flashable. 561 00:20:40,670 --> 00:20:41,869 The name is the same. 562 00:20:41,870 --> 00:20:43,009 You program everything. 563 00:20:43,010 --> 00:20:44,269 You once you already know how the 564 00:20:44,270 --> 00:20:46,549 modulation works and you wrote code 565 00:20:46,550 --> 00:20:47,809 for demodulating. 566 00:20:47,810 --> 00:20:48,949 You already wrote code for the 567 00:20:48,950 --> 00:20:51,199 microcontroller, so you do exactly 568 00:20:51,200 --> 00:20:53,269 the same, but just on a microcontroller, 569 00:20:53,270 --> 00:20:55,429 on this microcontroller, and 570 00:20:55,430 --> 00:20:56,839 then you put it just next to a garage 571 00:20:56,840 --> 00:20:59,059 door and you power it over USB 572 00:20:59,060 --> 00:21:01,189 and you wait until lots of people go home 573 00:21:01,190 --> 00:21:03,529 and come back, and record lots 574 00:21:03,530 --> 00:21:05,839 of codes, so you can impersonate 575 00:21:05,840 --> 00:21:06,840 anyone you want.
576 00:21:07,900 --> 00:21:09,219 Just because you have the code and they 577 00:21:09,220 --> 00:21:11,289 are fixed. But another problem is 578 00:21:11,290 --> 00:21:13,479 that, you know, when they leave home 579 00:21:13,480 --> 00:21:15,489 and you know when they come back, it's an 580 00:21:15,490 --> 00:21:16,389 individual code. 581 00:21:16,390 --> 00:21:18,639 So you probably could go home 582 00:21:18,640 --> 00:21:19,869 and steal everything and have 583 00:21:19,870 --> 00:21:21,630 enough time to leave back. 584 00:21:23,730 --> 00:21:25,589 The pool, again, this is the last piece 585 00:21:25,590 --> 00:21:26,590 of information, 586 00:21:27,720 --> 00:21:30,179 very important, simply because 587 00:21:30,180 --> 00:21:32,219 the pool is fenced. At 10:00, they kick you 588 00:21:32,220 --> 00:21:34,229 out, so they have a security guard which 589 00:21:34,230 --> 00:21:36,479 comes in at 10:00, triggers 590 00:21:36,480 --> 00:21:37,499 his remote. 591 00:21:37,500 --> 00:21:39,659 I wait with my recorder, I record 592 00:21:39,660 --> 00:21:41,759 the security code, and 593 00:21:41,760 --> 00:21:44,229 I have the security code and enjoy 594 00:21:44,230 --> 00:21:45,599 the hot water. 595 00:21:45,600 --> 00:21:47,789 And with the security code, I can access 596 00:21:47,790 --> 00:21:50,159 the pool after 10 o'clock, I can access 597 00:21:50,160 --> 00:21:52,679 every building, and you could access 598 00:21:52,680 --> 00:21:55,469 the security room with all the 599 00:21:55,470 --> 00:21:56,470 CCTV.
600 00:22:03,380 --> 00:22:04,609 And if you don't want to wait for 601 00:22:04,610 --> 00:22:06,679 security, you 602 00:22:06,680 --> 00:22:08,539 do one more thing: you flip a 603 00:22:08,540 --> 00:22:10,819 bit, you flash it, you test if the gate 604 00:22:10,820 --> 00:22:13,009 still opens, and this is where you find 605 00:22:13,010 --> 00:22:15,109 which is important, which isn't, 606 00:22:15,110 --> 00:22:16,429 which pieces are relevant. 607 00:22:16,430 --> 00:22:18,559 And from the 24 bits, you have only 608 00:22:18,560 --> 00:22:20,689 15 bits which are relevant. 609 00:22:20,690 --> 00:22:22,639 So you could write a 610 00:22:22,640 --> 00:22:24,709 firmware on this remote which 611 00:22:24,710 --> 00:22:26,899 just starts brute forcing the code, and 612 00:22:26,900 --> 00:22:28,129 you don't have to find one code. 613 00:22:28,130 --> 00:22:29,899 You have thousands of residents. 614 00:22:29,900 --> 00:22:31,819 So with 15 bits and thousands of 615 00:22:31,820 --> 00:22:33,889 residents, it's pretty easy to find the 616 00:22:33,890 --> 00:22:35,449 right codes to enter the same 617 00:22:35,450 --> 00:22:36,559 building. 618 00:22:36,560 --> 00:22:38,779 But because we are not evil hackers, we 619 00:22:38,780 --> 00:22:41,059 tell the vendor, and as always, the vendor 620 00:22:41,060 --> 00:22:43,249 just doesn't care, even if they provide 621 00:22:43,250 --> 00:22:44,810 security products. 622 00:22:45,830 --> 00:22:48,379 And I also 623 00:22:48,380 --> 00:22:50,659 don't... I'm not... 624 00:22:50,660 --> 00:22:52,789 I also show this because solutions 625 00:22:52,790 --> 00:22:54,679 to this are quite easy, called rolling 626 00:22:54,680 --> 00:22:56,599 codes, where the code changes all the time, 627 00:22:56,600 --> 00:22:57,890 but you have a fixed seed. 628 00:22:59,210 --> 00:23:01,189 If you do such a system, you should use 629 00:23:01,190 --> 00:23:02,569 rolling codes at all.
630 00:23:02,570 --> 00:23:03,799 It's their fault if they don't. 631 00:23:03,800 --> 00:23:05,899 So what we've learned 632 00:23:05,900 --> 00:23:08,299 is that it's 633 00:23:08,300 --> 00:23:10,279 not hard to do hardware hacking. 634 00:23:10,280 --> 00:23:12,649 We reverse engineered a real device used 635 00:23:12,650 --> 00:23:14,179 for security, for gates. 636 00:23:14,180 --> 00:23:16,309 We improved how we search 637 00:23:16,310 --> 00:23:17,569 for documents, FCC. 638 00:23:17,570 --> 00:23:19,729 We can make new friends and Hattab, 639 00:23:19,730 --> 00:23:22,339 we know how to program a microcontroller. 640 00:23:22,340 --> 00:23:24,019 There are lots of code examples which 641 00:23:24,020 --> 00:23:25,429 will help you to program this one. 642 00:23:25,430 --> 00:23:27,499 It's really very well 643 00:23:27,500 --> 00:23:28,429 documented. 644 00:23:28,430 --> 00:23:30,139 We used software defined radio. 645 00:23:30,140 --> 00:23:32,119 At this level, it's not voodoo. 646 00:23:32,120 --> 00:23:34,189 It works. We know how to solder, 647 00:23:34,190 --> 00:23:36,169 and we had fun. 648 00:23:36,170 --> 00:23:38,149 And if you want more info, there's a 649 00:23:38,150 --> 00:23:40,339 wiki. There are two videos which go 650 00:23:40,340 --> 00:23:42,229 more into details, and the source code is 651 00:23:42,230 --> 00:23:44,509 also available. And that's it, open 652 00:23:44,510 --> 00:23:45,510 for questions. 653 00:23:54,560 --> 00:23:57,409 Thank you very much for this great talk. 654 00:23:57,410 --> 00:23:59,509 So any questions, please line 655 00:23:59,510 --> 00:24:01,459 up behind the microphones. 656 00:24:01,460 --> 00:24:02,720 Oh, yeah. Number four, please. 657 00:24:03,850 --> 00:24:06,229 Hello. I work at a research 658 00:24:06,230 --> 00:24:08,479 facility, an accelerator 659 00:24:08,480 --> 00:24:10,429 facility, and I've got access to my 660 00:24:10,430 --> 00:24:13,069 laboratory rooms with this stuff.
661 00:24:13,070 --> 00:24:15,889 And there is really expensive 662 00:24:15,890 --> 00:24:17,719 equipment behind the doors. 663 00:24:17,720 --> 00:24:19,519 So the first thing I'm going to find out 664 00:24:19,520 --> 00:24:22,219 is if this works, and 665 00:24:22,220 --> 00:24:24,829 if it doesn't, what 666 00:24:24,830 --> 00:24:27,649 you mentioned is rolling codes. 667 00:24:27,650 --> 00:24:29,599 So if it doesn't work like that, what 668 00:24:29,600 --> 00:24:31,479 does rolling code do? Rolling code is a 670 00:24:35,480 --> 00:24:37,129 solution for not cloning remotes. 671 00:24:37,130 --> 00:24:38,359 And this is particularly important, for 672 00:24:38,360 --> 00:24:40,489 example, if you have a car, 673 00:24:40,490 --> 00:24:42,139 because you don't want everyone to 674 00:24:42,140 --> 00:24:43,879 steal a car, and you have cars with remotes, 675 00:24:43,880 --> 00:24:45,949 so the car industry uses a lot 676 00:24:45,950 --> 00:24:47,359 of the time rolling codes. 677 00:24:47,360 --> 00:24:49,159 And how it works is that you have one 678 00:24:49,160 --> 00:24:51,319 seed in 679 00:24:51,320 --> 00:24:53,269 the remote, and every time you press the 680 00:24:53,270 --> 00:24:55,939 button it generates, it calculates 681 00:24:55,940 --> 00:24:57,829 a hash, some kind of a hash of the seed. 682 00:24:57,830 --> 00:24:59,539 And every time it changes because the 683 00:24:59,540 --> 00:25:01,939 counter increments, and 684 00:25:01,940 --> 00:25:04,069 in the car, it has exactly 685 00:25:04,070 --> 00:25:06,349 the same seed. It knows this remote 686 00:25:06,350 --> 00:25:07,249 has this seed. 687 00:25:07,250 --> 00:25:09,829 So it knows which code will be next, 688 00:25:09,830 --> 00:25:12,379 and every time it will be completely random.
689 00:25:12,380 --> 00:25:14,119 So you don't know where it comes from, you 690 00:25:14,120 --> 00:25:16,219 don't know the seed. And so if you have a 691 00:25:16,220 --> 00:25:18,559 central building, then you have a central 692 00:25:18,560 --> 00:25:21,200 remote system which knows 693 00:25:22,370 --> 00:25:24,169 which code is transmitted. 694 00:25:24,170 --> 00:25:26,029 So they should use rolling 695 00:25:26,030 --> 00:25:28,279 codes if they have a central system. 696 00:25:28,280 --> 00:25:29,629 If they don't have a central system, it's 697 00:25:29,630 --> 00:25:30,769 a bit harder because you need to 698 00:25:30,770 --> 00:25:31,819 synchronize the two. 699 00:25:31,820 --> 00:25:33,979 But yeah, try to find one with rolling 700 00:25:33,980 --> 00:25:35,899 codes, and using software 701 00:25:35,900 --> 00:25:37,579 defined radio, you can see easily if it 702 00:25:37,580 --> 00:25:39,329 uses rolling codes or not. 703 00:25:39,330 --> 00:25:41,119 OK, thank you. 704 00:25:41,120 --> 00:25:42,499 The Internet has a question. 705 00:25:44,940 --> 00:25:47,159 OK, yeah, well, the Internet wants 706 00:25:47,160 --> 00:25:49,349 to know, or somebody on the Internet 707 00:25:49,350 --> 00:25:51,989 wants to know, why you didn't get 708 00:25:51,990 --> 00:25:54,179 into, or if you did get 709 00:25:54,180 --> 00:25:56,579 into, any kind of trouble because of 710 00:25:56,580 --> 00:25:59,309 you breaking into the... 711 00:25:59,310 --> 00:26:01,449 like, well, 712 00:26:01,450 --> 00:26:03,829 being able to open any of those doors. 713 00:26:03,830 --> 00:26:05,909 I haven't been 714 00:26:05,910 --> 00:26:07,889 to the security room because I'm not 715 00:26:07,890 --> 00:26:09,119 interested in the security room. 716 00:26:09,120 --> 00:26:10,559 I'm interested in relaxing.
717 00:26:10,560 --> 00:26:12,629 And also in this building, 718 00:26:12,630 --> 00:26:14,039 it's not really important to have a 719 00:26:14,040 --> 00:26:15,659 remote and to have all this hassle of 720 00:26:15,660 --> 00:26:17,389 reverse engineering, because the fence of the 721 00:26:17,390 --> 00:26:18,839 hot tub is pretty low. 722 00:26:18,840 --> 00:26:20,039 So jump over it. 723 00:26:20,040 --> 00:26:21,809 And around the building you will always 724 00:26:21,810 --> 00:26:23,579 find a door which is open. 725 00:26:23,580 --> 00:26:25,649 So you can always come into the building. 726 00:26:25,650 --> 00:26:27,689 And I had no problem even with the 727 00:26:27,690 --> 00:26:29,519 security. I mean, they don't see if it's 728 00:26:29,520 --> 00:26:30,959 a cloned remote or not. 729 00:26:34,170 --> 00:26:35,489 One more question from the Internet, 730 00:26:35,490 --> 00:26:36,490 please. 731 00:26:37,770 --> 00:26:40,379 Yeah, somebody wants to know 732 00:26:40,380 --> 00:26:42,569 if it's possible to open 733 00:26:42,570 --> 00:26:44,219 cars with this. 734 00:26:44,220 --> 00:26:45,779 No, not new cars. 735 00:26:45,780 --> 00:26:48,059 New cars use rolling codes and still have 736 00:26:48,060 --> 00:26:49,829 strong, stronger encryption. 737 00:26:49,830 --> 00:26:51,959 So if your car uses 738 00:26:51,960 --> 00:26:53,250 this, you should sue them. 739 00:26:54,720 --> 00:26:56,789 But generally, cars have rolled 740 00:26:56,790 --> 00:26:58,559 out rolling codes and you cannot use 741 00:26:58,560 --> 00:27:00,149 this technique. So it's a lot more 742 00:27:00,150 --> 00:27:01,089 advanced in cars. 743 00:27:01,090 --> 00:27:03,269 Try to use something which is 744 00:27:03,270 --> 00:27:05,009 less attacked. 745 00:27:05,010 --> 00:27:06,609 OK, thank you. 746 00:27:06,610 --> 00:27:08,069 So I guess we have time for one more 747 00:27:08,070 --> 00:27:10,549 question from the Internet once more.
748 00:27:10,550 --> 00:27:12,749 Um, well, um, 749 00:27:12,750 --> 00:27:14,879 OK. I was going to say that there 750 00:27:14,880 --> 00:27:17,039 is none, but there is one now, um, 751 00:27:17,040 --> 00:27:19,169 and that is: what other stuff 752 00:27:19,170 --> 00:27:20,519 can I hack with your method? 753 00:27:21,930 --> 00:27:24,450 Well, we did it for one 754 00:27:25,920 --> 00:27:27,779 garage door from Auto and General Electric. 755 00:27:27,780 --> 00:27:29,849 Motors are not very easy, try to 756 00:27:29,850 --> 00:27:32,159 find another one. This is just one 757 00:27:32,160 --> 00:27:34,229 product from one company, which is in 758 00:27:34,230 --> 00:27:35,609 California. 759 00:27:35,610 --> 00:27:36,959 In Europe, they probably will use 760 00:27:36,960 --> 00:27:38,579 something completely different. 761 00:27:38,580 --> 00:27:40,649 So look at 762 00:27:40,650 --> 00:27:42,359 your garage door or the garage of your 763 00:27:42,360 --> 00:27:43,609 neighbor, things like that. 764 00:27:45,190 --> 00:27:47,769 OK, so very, very simple devices. 765 00:27:47,770 --> 00:27:49,089 When they are cheap, generally, they are 766 00:27:49,090 --> 00:27:51,879 simple. So look at that. 767 00:27:51,880 --> 00:27:52,880 OK, thank you. 768 00:27:54,300 --> 00:27:55,469 Thank you very much. 769 00:27:55,470 --> 00:27:56,470 Thank you.