Flipper Zero: Linear/Camden MegaCode SubGHz Replay Attacks

Captions
Hello everyone. I previously covered Linear MultiCodes and how to brute force them, but today I'd like to cover Linear's MegaCode system. Now, just for a little clarity: the receivers seen in this video are all labeled Camden; these are their RX7 modules. From my understanding, Camden purchased these from Linear and rebrands them for the Canadian market. If anyone knows otherwise, please let me know in the comment section.

Linear's MegaCode system is dated but still widely in use today, found in all manner of access control applications: residential and commercial overhead doors, uh, commercial parking garages, automatic accessibility door controls, as well as entry and exit gates. Transmitters come in a variety of shapes and sizes, ranging from handheld fobs like this one here, to ones that can be mounted on sun visors and vehicles, to wall-switch-ready versions like this one here; they can actually be plugged right into the switch to avoid running wires up to the door operator. It's worth mentioning that these RX7 units can learn 10 unique codes, while the Camden rxrg can learn 40 and their model 480c receiver can learn up to 480.

Here is an example photo of a receiver in an accessibility door I recently worked on, just to provide a little bit of insight into how they're typically set up inside of an operator. Note the antenna being routed out of the top of the case. The operators' aluminum housings are really good at blocking the signals from the transmitters from reaching the receivers. Typically a small hole is drilled into the case and the antenna is pulled through to circumvent that issue. The protruding antennas make identifying an RX7 module quite easy: they're always thin white wires with a small black tip. Here are a couple of photos of some exposed RX7 antennas that I've spotted in the wild.

Unlike Linear's MultiCode system, the setup does not use DIP switches, like you can see here, to set the code; rather, the receiver learns the specific code sent by the transmitter after programming it in. Each transmitter comes pre-programmed with, according to the manufacturer, one of over 1 million possible codes. The lack of DIP switches coupled with a large amount of codes means a brute force attack isn't exactly feasible.

The MegaCode system uses the frequency of 318 MHz. The signal sent from the transmitter uses ASK modulation and contains 24 bits of data: one sync bit, 16 bits for the remote code, four bits for the facility code, and three bits for the data bits, which indicate the channel or button used. All of this will be something you'll be able to see after capturing the transmission with the Flipper.

So presently this module is powered from a 24-volt power supply, and currently it has no remotes programmed to it, meaning pressing these buttons will do absolutely nothing. Pressing the program button will put it into the learning state, at which point remotes can be programmed to it. It's a very short window. Now that the transmitters have been learned, pressing the button will activate the relay in the receiver, which you can hear quite clearly. The red LED indicator will also illuminate upon activation. A little bit of a side note: the instruction manual says holding this for more than 5 seconds will erase all the remotes. I found that to be untrue. In most cases it takes about 15 to 30 seconds.

So now that we know how this system works, let's go ahead and do a replay attack. We will open up the Sub-GHz app, select Read, already set to 318. MegaCode is a known protocol; you don't need to worry about capturing and replaying raw data. All the information will be decoded by the Flipper. And there it is. So we'll go ahead, hit Send, and there we go: simple replay attack.

So, kind of a long video for just a simple replay attack, but I think it's important to know how these systems function and how they're integrated, um, to really understand what you're doing, and, uh, I hope maybe you learn something from this. If you have any questions about the content of this video, or you have any requests for other Flipper Zero content, please let me know in the comments section. That's all I got. Thanks for watching.
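The frame layout and learn-mode behaviour described in the transcript, modelled as an added example (not code from the video, from Linear or Camden, or from the Flipper firmware). The field widths, the 10-code capacity and the fixed-code behaviour come from the transcript; the bit order (sync, facility, remote code, button, most significant bit first), all names, and matching on facility plus remote code are assumptions.

```python
from dataclasses import dataclass, field

FRAME_BITS = 24            # frame length given in the video
RX7_CAPACITY = 10          # RX7 learns 10 unique codes, per the video
IDENT_SPACE = 1 << 20      # 16 remote + 4 facility bits = 1,048,576 ("over 1 million")

@dataclass(frozen=True)
class Frame:
    facility: int          # 4 bits
    remote: int            # 16 bits
    button: int            # 3 bits: channel/button

def decode(raw: int) -> Frame:
    """Split a 24-bit value into fields. Bit order is an assumption (see lead-in)."""
    if not 0 <= raw < (1 << FRAME_BITS):
        raise ValueError("frame must fit in 24 bits")
    if raw >> 23 != 1:
        raise ValueError("sync bit not set")
    return Frame((raw >> 19) & 0xF, (raw >> 3) & 0xFFFF, raw & 0x7)

@dataclass
class FixedCodeReceiver:
    """Hypothetical model of a learn-mode receiver, not vendor firmware."""
    capacity: int = RX7_CAPACITY
    learned: set = field(default_factory=set)
    learning: bool = False

    def receive(self, raw: int) -> bool:
        """Return True when the relay would fire for this frame."""
        f = decode(raw)
        ident = (f.facility, f.remote)   # assumption: button bits are not part of identity
        if self.learning:
            self.learning = False        # model: learn window closes after one frame
            if len(self.learned) < self.capacity:
                self.learned.add(ident)
            return False
        # The frame carries no counter or nonce, so this check is stateless:
        # a recorded frame and a fresh button press are the same 24 bits.
        return ident in self.learned

def demo():
    # Constructed sample: sync=1, facility=0x5, remote=0x1A2B, button=0b010
    original = (1 << 23) | (0x5 << 19) | (0x1A2B << 3) | 0b010
    rx = FixedCodeReceiver()
    before = rx.receive(original)        # nothing learned yet
    rx.learning = True
    rx.receive(original)                 # learn the transmitter
    first = rx.receive(original)         # legitimate press
    replay = rx.receive(original)        # bit-identical retransmission
    return before, first, replay

if __name__ == "__main__":
    print(decode(0xA8D15A), demo())
```

Because the receiver's decision depends only on the learned set and the 24 received bits, nothing in the frame lets it tell a recorded transmission from a live one.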
Info
Channel: surlydirtbag
Views: 1,351
Keywords: Flipper Zero, Flipper Zero Bruteforce, Flipper Zero Replay, Replay Attack, Hack the Planet, SubGhz, Sub-Ghz, Sub Ghz, Camden, MegaCode, Linear, surlydirtbag
Id: 9hDEhu1_7sU
Length: 6min 4sec (364 seconds)
Published: Thu Feb 15 2024