#44 Hacking and Cloning a Garage Door Opener using SDR Radio

Captions
Grüezi YouTubers, here is the guy with a Swiss accent again. I like my Harley-Davidson motorcycle a lot. Always when I return home I have the same problem: the garage door is closed and I have to stop, take the gloves off and search for the opener. It would be cool if I would be able to come home and the door opens automatically. To achieve that I have to hack and clone my garage door opener, put the newly created clone below the saddle and connect it permanently to 12 volts. Then the clone would send out a signal as long as my bike is running, and the garage door would open as soon as my bike appears. Wouldn't this be cool?

So let's start the hack. It consists of three steps: one, to find the frequency and the modulation of the actual garage door opener; two, to decode the secret code sent out to the door; and three, to build a new device to emulate the current opener.

The easiest way to find the frequency and the modulation of your device is if you get this information from the supplier. Unfortunately I did not find the info, so I chose the second possibility: to hack it and find it out myself. To find an unknown frequency you need either a spectrum analyzer which is capable of scanning a whole frequency band, or you need a receiver which is capable of doing the same. Spectrum analyzers are very expensive and not available for all hobbyists, but fortunately a new technology is available for all of us, because it costs less than $10 and does exactly what we need. It can receive a wide band of frequencies from a few megahertz to well over a gigahertz, and it is called software-defined radio, or the abbreviation SDR. There are many videos and other descriptions about SDR on the internet, so I will not go into details on how to install it. It consists of a small USB dongle with an antenna which is usually used for TV reception; it can be bought for less than $10 on AliExpress. Bright people wrote free software to use these dongles as universal receivers. The software I use here is called SDR#.

After downloading and starting the SDR# software it is quite simple to find the frequency of the device. Mine works on 40.68 megahertz. If you have a closer look at the frequency spectrum, you see that it has two strong signals which are about 5 kilohertz apart. This is a strong indication that my device uses frequency modulation with a digital signal. Frequency modulation means that the sender varies its sending frequency according to its input signal, and digital means that the sender only transmits two signal levels, 0 or 1. 1 therefore means that the sender transmits on a higher frequency, and 0 means that it transmits on a lower frequency. So we have now solved the first point of our list: we know the frequencies and the modulation.

The next part is to find out the transmitted code. To do that we have to demodulate the signal to get its digital representation. Fortunately this can also be done by the very same SDR radio. In our case we have to use narrow FM demodulation, because the signal has only 5 kilohertz bandwidth. Now we can hear already a signal, and if we hear it, it should be possible to record it. Fortunately SDR# has a functionality to record the signal to a WAV file: if you select audio, you get a WAV file in the SDR# directory. To analyze WAV files we can use another free software, Audacity. If we open the file we see a nice digital signal consisting of packets. Looking at the packets we see that all are the same. Now we can have a look at the timing. My sender uses short and long signals: the short signal is 0.5 milliseconds and the long signal is 1 millisecond, so the clock rate is 500 microseconds. With this knowledge we can translate the signal string into a string of ones and zeros and write it down. So point 2 of our task list is done.

The last step is quite easy for me, because the frequency of my device is around 40 megahertz and a nice chip exists which can create such frequencies: the AD9850. This chip is programmable and can create different waveforms on frequencies up to 60 megahertz. Modules with this chip are available on AliExpress, and libraries for Arduino exist also. So the plan is to connect such a module to an Arduino and write a small routine to create the signal based on the code extracted before. Unfortunately it's not so easy: 500 microseconds are not very long for an Arduino, and the available libraries are not optimized for speed. Both standard libraries are too slow for our purpose; it takes them about one millisecond to change from one to the other frequency, which is two times too slow. What to do in this situation? The AD9850 chip itself is able to do these fast frequency changes, that's at least good news. So I have to dig into the sketch.

The AD9850 can be connected with a parallel or a serial interface. Because in the final device I want to use a small ATtiny chip, I want to use the serial interface. The available libraries create the serial signals themselves by changing the ports with normal digitalWrite or shiftOut commands. The advantage of such a concept is that you can use all ports of the Arduino for connection. Fortunately a faster way to create serial signals exists on all Arduinos: the SPI interface. The Uno has one SPI interface with a clock and two data pins. Because we only want to transfer data from the Arduino to the AD9850, we need two pins: pin 11 for the data, it's also called MOSI, and pin 13 for the clock signal. To set the frequency of the AD9850 we need to write a 32-bit number into four 8-bit registers. Fortunately I found a project which does exactly that; I enclose the link below if you are interested.

The sketch is rather simple. I define the secret code I found out in my analysis in an array. In setup, the SPI interface and the port are initialized. The AD9850 chip needs a value which represents the frequency. To calculate this value you have to have a look into the data sheet: the output frequency is calculated by multiplying a 32-bit word with the input clock frequency and by dividing this value by 2 to the power of 32. My module has a clock rate of 125 megahertz, and the value of the so-called tuning word is 1397754157. This is the value for the middle frequency, to start with. The lower frequency has to be 1250 hertz lower and the upper frequency 1250 hertz higher, to get the 2500 hertz shift. The next lines put the tuning word into four byte values and shift them out into the register of the AD9850. As soon as the FQ_UD pin gets a pulse, the AD9850 starts to produce the new frequency. The pulse could be created by normal digitalWrite commands; here I use a faster way called port manipulation. If you are interested in this topic I also enclose a link in the comments. To get the right timing I wait for the rest of the 500 milliseconds and continue with the next bit. When the entire code is transmitted I wait for 6 milliseconds and start the whole process again.

The last step is to adjust the frequency of our hacked sender to the original. We start SDR# again and send a signal from both sources. At the beginning you might see a difference; the difference can be adjusted by changing the tuning word. At the end both signals should look the same. If you want, you can demodulate the hacked signal and check it. I was too lazy and took the Arduino and the AD9850 to my garage, and what a surprise: the door opened. Problem solved. Now I still have enough time to reduce the size of my new sender, put it into a 3D printed case and mount it to my motorcycle before spring arrives here in Switzerland. I hope this video was useful or at least interesting for you. Bye.
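The two calculations the captions walk through, the short/long pulse timing from Audacity and the AD9850 tuning-word formula (f_out = word * f_clk / 2^32), as an added Python model. This is not the video's Arduino sketch nor the linked project; it only reproduces the arithmetic so the numbers in the captions can be checked. The pulse list is a constructed placeholder, not the code from the video, and the function names, the 125 MHz clock and 40.68 MHz / 1250 Hz values taken from the captions, and the least-significant-byte-first SPI byte order are assumptions labelled in the code. The reason the clone works at all is visible in the captions: every packet carries the same bits, so a transmitter that replays that fixed pattern is indistinguishable from the original; an opener with a rolling code changes the packet on every press and cannot be reproduced this way.

```python
"""Added worked example (not from the video or the sketch it links).

Models two steps from the captions:
  1. turning measured short/long pulses into a bit string
     (clock = 500 us, short pulse = 1 clock, long pulse = 2 clocks);
  2. turning target frequencies into AD9850 tuning words
     (f_out = word * f_clk / 2**32) and into an FSK transmit schedule.
All pulse data below is CONSTRUCTED; it is not the real door code.
"""
from fractions import Fraction

CLOCK_US = 500                # symbol clock read off the WAV in Audacity
AD9850_CLK_HZ = 125_000_000   # module clock named in the captions
CENTER_HZ = 40_680_000        # 40.68 MHz, the device frequency
DEVIATION_HZ = 1250           # +/-1250 Hz around the center per the captions
GAP_US = 6000                 # pause after each packet before repeating


def pulses_to_bits(pulses, clock_us=CLOCK_US):
    """pulses: list of (level, duration_us) measured on the demodulated WAV.
    Each clock period is one bit, so a long pulse contributes two equal bits.
    Rejects a pulse whose length is not close to a whole number of clocks."""
    bits = []
    for level, duration_us in pulses:
        n = round(duration_us / clock_us)
        if n < 1 or abs(duration_us - n * clock_us) > clock_us / 4:
            raise ValueError(f"pulse of {duration_us} us is not a clock multiple")
        bits.extend([str(level)] * n)
    return "".join(bits)


def tuning_word(freq_hz, clk_hz=AD9850_CLK_HZ):
    """AD9850 datasheet relation f_out = word * clk / 2**32, solved for word.
    Exact rational arithmetic so the 32-bit result does not suffer float error."""
    word = round(Fraction(freq_hz) * (1 << 32) / clk_hz)
    if not 0 <= word < (1 << 32):
        raise ValueError("frequency out of range for a 32-bit tuning word")
    return word


def word_to_freq_hz(word, clk_hz=AD9850_CLK_HZ):
    """Inverse of tuning_word: the frequency the chip will actually produce."""
    return word * clk_hz / (1 << 32)


def word_bytes(word):
    """The four bytes shifted out over SPI (ASSUMED order: least-significant
    byte first, matching the serial load of W0 first; verify on the datasheet)."""
    return list(word.to_bytes(4, "little"))


def fsk_schedule(bits, center_hz=CENTER_HZ, dev_hz=DEVIATION_HZ):
    """Return [(tuning_word, duration_us), ...] for one packet plus the gap.
    '1' -> upper frequency (center + dev), '0' -> lower frequency (center - dev).
    A tuning word of None marks the idle gap between repeated packets."""
    lo = tuning_word(center_hz - dev_hz)
    hi = tuning_word(center_hz + dev_hz)
    sched = [(hi if b == "1" else lo, CLOCK_US) for b in bits]
    sched.append((None, GAP_US))
    return sched


# CONSTRUCTED stand-in for the pulse lengths one would read off Audacity
SAMPLE_PULSES = [(1, 500), (0, 1000), (1, 1000), (0, 500), (1, 500), (0, 500)]

if __name__ == "__main__":
    bits = pulses_to_bits(SAMPLE_PULSES)
    print("decoded bits:", bits)
    w = tuning_word(CENTER_HZ)
    print("center tuning word:", w, "->", word_to_freq_hz(w), "Hz", word_bytes(w))
    for word, dur in fsk_schedule(bits):
        print(f"{str(word):>11}  {dur:5d} us")
```

Running it reproduces the center tuning word 1397754157 quoted in the captions, and shows that the 2 x 1250 Hz shift is only about 43000 counts of the 32-bit word, which is why a stale tuning word shows up in SDR# as a visible offset that has to be trimmed by hand.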
Info
Channel: Andreas Spiess
Views: 147,732
Keywords: Arduino, Hacking, Garage door, DIY, electronics, SDR, radio, cloning, clone
Id: LE1CvGWqSsw
Length: 11min 39sec (699 seconds)
Published: Tue Feb 09 2016