PIC/RF IC - Garage Rolling Code Remote Hacking Project (non-jamming)
kaster (Participant)
Context: Is it possible to just hack/RE my garage, which has a B&D TB5v2 transmitter using rolling codes? Equipment I have: YardStickOne, ANT500, GoodFET, premium female/female jumper wires (20 x 6″), Adafruit Perma-Proto half-sized breadboard PCB and a Pocket AVR, as well as an Ubuntu OS.
The garage door receiver is a B&D Controll-A-Door P Diamond Panel Door Opener.
“A friend's suggestion would be to determine the rolling code algorithm, and then implement it yourself using your YardStickOne. I'd do this by dumping the flash from the PIC16F (assuming it's not protected; bunnie has a document on removing protection from PICs via invasive attack. If it gets to this and you don't want to go down that route, let me know as I'd be interested in doing it in my lab), then disassembling the flash and determining the rolling code algo (finding the interrupts triggered when a button is pressed and reversing from there). Then you can use the programming feature to sniff the data you need during a reprogram to plug the necessary seed into the rolling code algo. If you don't have an SDR, you can use the YS1 “specan” feature to determine the frequency (or get it from the reversed binary) and oversampling in YS1 to determine the baud rate (it's FSK), then use YS1 with the proper frequency and baud rate to view the actual data sent by the remote.”
Basically I want to dump the flash of the PIC16F526 non-invasively, without de-soldering it from the board. My friend said more often than not the protection fuse is not going to be set.
He then went on to tell me to look up the datasheet and tools to dump the flash (the datasheet will describe how as well). If you have a PIC programmer, it should be able to; otherwise some other device like a Bus Pirate, GoodFET, or just a microcontroller like an Arduino or another PIC should suffice, but you may need to write some code or find a project for dumping flash from that type of chip.
    Here is a picture of the remote: https://imgur.com/a/ZPzkJ
The MCU is a PIC16F636, 14 pin.
And the other chip is marked:
    IA4221
    A1X6
    0834
Basically I want to extract/dump the data/code from the PIC16F636 14-pin MCU, rather than using Samy Kamkar's RollJam technique.
    Other details:
    ~1/SL
    0823V86
I also want to go about dumping the flash non-invasively, using tools/equipment such as a logic analyzer, PICkit 2 or PICkit 3 for these particular chips. Another possibility is to voltage or clock glitch the PIC16F636 to bypass its protection (if it's fused)? I'm guessing most of these algorithms (rolling code)/PRNGs are pretty simple and we might be able to break it just by sniffing the traffic between the PIC16F636 and the RF IC (IA4221, which looks like an SPI bus) using a logic analyzer; I have a Saleae knock-off from China. We would just need to look at the datasheet to understand which pins carry SPI traffic.
And if we can work out how the transmitter works (the IA4221), we can simply read the commands being sent from the microcontroller, hold the microcontroller in reset (typically by connecting the reset pin to ground, but we would need to check the datasheet etc.) and send our own commands.

    Useful Readings: https://www.openpcd.org/dl/HID-iCLASS-security.pdf
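The bus-sniffing step discussed in the post (logic analyzer on the PIC16F636 to IA4221 lines) produces a raw digital capture, not bytes. The following is an added example, not code from the post or from any vendor: it turns a Saleae-style CSV export (one row per sample: time, CS, SCLK, MOSI) into the byte sequence the microcontroller clocks out, one transfer per chip-select assertion, so the command words can be compared across button presses. The channel order, CS polarity and SPI clock mode are assumptions here and must be read off the real trace; all sample data in the block is constructed, not a capture from the remote.

```python
"""Decode MOSI bytes from a logic-analyzer capture of an SPI bus.

Added example for this thread, not code from the post or from any vendor.
Assumes a Saleae-style CSV export with rows in the order time, CS, SCLK,
MOSI; check channel order, CS polarity and clock mode against the real
trace and datasheet. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Sample = Tuple[float, int, int, int]  # (time_s, cs, sclk, mosi)


@dataclass
class Transfer:
    start_time: float
    data: bytes
    leftover_bits: int  # bits clocked after the last full byte (expect 0)


def parse_capture(csv_text: str) -> List[Sample]:
    """Parse 'time,cs,sclk,mosi' rows; a leading header row is skipped."""
    rows: List[Sample] = []
    for line in csv_text.strip().splitlines():
        if line.lower().startswith("time"):
            continue
        t, cs, clk, mosi = line.split(",")
        rows.append((float(t), int(cs), int(clk), int(mosi)))
    return rows


def decode_spi(samples: Iterable[Sample], cpol: int = 0, cpha: int = 0,
               msb_first: bool = True, cs_active_low: bool = True) -> List[Transfer]:
    """One Transfer per chip-select assertion. Modes 0 and 3 (CPOL == CPHA)
    latch MOSI on the rising SCLK edge, modes 1 and 2 on the falling edge."""
    latch_on_rising = cpol == cpha
    transfers: List[Transfer] = []
    in_frame = False
    prev_clk = cpol
    bits: List[int] = []
    data = bytearray()
    start = 0.0
    for t, cs, clk, mosi in samples:
        active = (cs == 0) if cs_active_low else (cs == 1)
        if active and not in_frame:      # CS asserted: start a new transfer
            in_frame, bits, data, start, prev_clk = True, [], bytearray(), t, clk
        elif not active and in_frame:    # CS released: close the transfer
            in_frame = False
            transfers.append(Transfer(start, bytes(data), len(bits)))
        if in_frame:
            rising = prev_clk == 0 and clk == 1
            falling = prev_clk == 1 and clk == 0
            if (rising and latch_on_rising) or (falling and not latch_on_rising):
                bits.append(mosi)
                if len(bits) == 8:
                    if not msb_first:
                        bits.reverse()
                    data.append(int("".join(map(str, bits)), 2))
                    bits = []
            prev_clk = clk
    return transfers


def synth_capture(frames: List[bytes], cpol: int = 0, cpha: int = 0,
                  msb_first: bool = True, dt: float = 1e-6) -> List[Sample]:
    """Constructed trace (test data only): CS active-low, two samples per bit."""
    idle = cpol
    samples: List[Sample] = []

    def emit(cs: int, clk: int, mosi: int) -> None:
        samples.append((len(samples) * dt, cs, clk, mosi))

    emit(1, idle, 0)                     # bus idle, CS released
    for frame in frames:
        emit(0, idle, 0)                 # assert CS
        for byte in frame:
            order = range(7, -1, -1) if msb_first else range(8)
            for i in order:
                bit = (byte >> i) & 1
                if cpha == 0:            # data valid before the leading edge
                    emit(0, idle, bit)
                    emit(0, 1 - idle, bit)   # leading edge latches it
                else:                    # data changes on the leading edge
                    emit(0, 1 - idle, bit)
                    emit(0, idle, bit)       # trailing edge latches it
        emit(0, idle, 0)                 # clock back to idle
        emit(1, idle, 0)                 # release CS
    return samples


def to_csv(samples: Iterable[Sample]) -> str:
    """Serialise samples in the layout parse_capture() reads."""
    rows = ["Time [s],CS,SCLK,MOSI"]
    rows += [f"{t:.6f},{cs},{clk},{mosi}" for t, cs, clk, mosi in samples]
    return "\n".join(rows)


if __name__ == "__main__":
    # Two constructed frames with arbitrary bytes (not real IA4221 commands).
    csv_text = to_csv(synth_capture([b"\x80\xd8", b"\x82\x00"]))
    for xfer in decode_spi(parse_capture(csv_text)):
        print(f"{xfer.start_time:.6f}s  {xfer.data.hex()}  leftover={xfer.leftover_bits}")
```

If the clock mode is guessed wrong the decoder still returns bytes, just shifted by a bit, so a non-zero leftover_bits or command words that differ in every frame are the first sign to try the other edge. Replace the synthesized input with parse_capture(open("capture.csv").read()) for a real export, and map the CSV columns to whatever channels the probes are actually on.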