How to Hack Wireless Remotes with Radio Replay Attacks - Hak5 1909


How to Hack Wireless Remotes with Radio Replay Attacks - Hak5 1909

Today we're hacking wireless remotes using RF replay attacks using the YARD Stick One!

Today we're hacking wireless remotes using RF replay attacks using the YARD Stick One!

Full show notes at -- Wireless Gear including the YARD Stick One at

In this episode we cover:

- How to gather intel on the device you want to hack
- How to sniff its wireless signals
- Determining modulation
- Decode OOK signals
- Transmitting a Replay Attack with RfCat and the YARD Stick One

Step 1: Gathering Intel

First up we need to identify the device we're going to hack and figure out as much about it as possible. Thankfully in the US this is made easy by the FCC. In our demo we're using this remote control power outlet. It's a cheap simple $10 device that you can get off Amazon with the FCC ID PAGTR-009-1B.

Here we can see it's originally manufactured by Verdant Electronics (Dong Guan) Co., Ltd. out of China and if we pull up the actual test report from the lab we'll figure out that it transmits at 314.9020 MHz using ASK modulation with 80 kHz of bandwidth using a 12 volt battery and an integrated antenna. This lab report even includes a picture of the waveform we'll be reproducing soon.

Step 2: Sniffing the Signal

So now we know where to look for the signal, at 314.9020 MHz and that it's using ASK or Amplitude Shift Key modulation. Using one of my favorite tools, the RTL-SDR, we can now sniff that signal up for analysis. To do so we used GQRX on Kali Linux 2.0.

It's just a matter of tuning the RTL-SDR dongle to the 315 MHz frequency and recording the signal.

315 MHz isn't technically an unlicensed ISM band like WiFi, but the FCC has a license free part 15 band for "Short Range Devices" which commonly use 315 MHz. In Europe you'll more commonly find 433 MHz.

Step 3: Identifying and Decoding the Signal

Since we're dealing with radio signals -- actual waveforms rather than digital wireless packets or frames like with WiFi -- we don't have the luxury of using an analyzer like Wireshark. Rather in this case I'm just going to open up the file in the audio editor Audacity.

And here if we zoom in we'll see the actual signal. What's happening here is when the remote button is pressed we get these pulses. This is what's known as On-Off-Keying, and it's the simplest form of amplitude-shift keying modulation. In this case a pulse is a binary 1 and the absence of a pulse is a binary zero. It's sort of like CW or Morse Code.

More on OOK:

Step 4: Decoding the Signal

Looking at the wave form we can determine a 1 by a pulse and a 0 by the lack there of. Measuring out the distance of a single pulse helps identify two more more consecutive pulses.

Looking at our wave form we get 10001110 11101000 11101000 10001000 10001000 11101000 10001000 10001000. If we convert this to hex in the command line, say with this bash one-liner: printf '%x\n' "$((2#10001110))"

Alternatively just search for a binary to hex converter and what we end up with is 8E E8 E8 88 88 E8 88 88.

The last bit we need to know is the data rate - or how fast each chirp in the On-Off-Keying is transmitted.

To do that we'll just need to select one of the one or zero bits in our audio editor Audacity and determine how long in seconds each bit lasts. In our case it's going at a speed of 0.00055 seconds, or 550 microseconds, which is about 1800 bits per second.

Step 4: Sending the Replay Attack

Finally we fire up RfCat to perform the replay attack. First we'll need to set the frequency with d.setFreq(315060000).

Next we'll need to set the modulation to On-Off-Keying with Amplitude Shift Keying with d.setMdmModulation(MOD_ASK_OOK)

Then it's the data rate which we figured out to be about 550 microseconds so that'll be d.setMdmDRate(int(1.0/0.000550))

Finally we can inject the hex values we converted with d.RFxmit("\x8E\xE8\xE8\x88\x88\xE8\x88\x88\x00\x00\x00" * 40)

d.RFxmit will transmit the hex values using the parameters we just set and I've gone ahead and added three null bytes at the end because we want to transmit the signal over and over a few times to make sure the receiver picks it up -- in this case I'm using * 40 to transmit the binary data 40 times.

If all goes well, you should be mimicking the action of the remote signal captured in step 2.

Read more in our show notes at