Hi can i contact u to further explanation? I've been programming a lot in python and raspberry pi but never with radio things and im lost. It'll be good to have buddy with same aspirations as mine.

hay u just inspired me

You should make a video on this. Because I’ve looked up his code and it’s broken… so not sure how you managed to have his script converted to rpi and work

@@Uneke have you tried fixing the code with Chat GPT?

@@pablowatanabe7929 might work… long shot though considering it could be something as simple as he changed the frequencies.

Thanks because Obama has blamed Bush for his own mistakes.

This is not me giving you guys crap or anything, but just a friendly reminder to keep things civil here. Too often have I seen political conversations become political arguments.

prizedcoffeecup I LOLd it was worth it.

prizedcoffeecup i

Apparently I'm not being able to link the "two-character passwords x garage door openers" with the apparent fact Obama blamed Bush for his own mistakes. Care to explain?

LFCooledWhip Thanks!

I can see your passion in doing this type of cool youth charitable educational content . I see that you currently do work with big brother/sister program. that's pretty awesome man ! I'm enjoy your videos man. I like the clean-up on this one .

​@@samykamkaryou think this information will stop us from giving this device a bad use?

gotbletu Muah-ah-ah-ah-ahhhh... (Dr. Evil)

+gotbletu Plan B 1. Buy up a pallet load of IM Me toys. 2. Post how to video on KZbin 3. Sell IM Me toys for $150 each 4. Evil entrepreneur laugh (not that anyone would do this)

+jfan4reva And suddently someone breaks into your own house with your sold equipment lol xD

it would be illegal

+David .. trollbait, I'm sure.. but you seem to be unaware of the FCC.

I have heard that excuse before, but on a buisness email account and not being careful with the password (It was a strong password), saying that nobody would exploit/hack/crack her email. Person was not careful enough and it got taken over by a spammer, which quickly got the email blacklisted and the provider quickly locked down the account after that. How the person got a hold of the account I don't know, but I suspect it was her doing emails over unencrypted wifi, hostile wifi or whatever, and sending the password in plain text instead of at least encrypted while sending the password that I said was the bare minimum. She/her husband failed to do something that easy, because the provider has step by step explanations how to set it up etc, which I told her about (She didn't have said phone with her or she was going home at that point, don't remember which). So no, that excuse is stupid. People will hack/crack wifi for several reasons, and the least worst one is perhaps those doing it do mess with the owner of the wifi, like pranks etc. Even though your family might not be affected directly, it can affect others or indirectly affect your family as well. Even people leeching internet can be annoying, what would it be like if police comes around because a hacker used the wifi for hacking purposes? Depends where you are situated what is likely or not, but being under suspicions of hacking is not a pleasant experience, then up it to suspicions of child pornography downloads! So even with a simple password like a single word or two (which is stupid because of dictionary attacks), it will be more secure than just numerals, which a lot of people try to do first on wifi's because of the WPS exploit. It could even be that the first password tried is actually 00000000, IIRC this correctly about WPS cracking.

ownstar

same XD

Jokes on you, you don't have a garage XD

man I want me one now that's what's up

I need me one pre installed but 200 $ is a lot of money

+Harald Kubota There are a ton of defcon videos about physical security. You would enjoy them.

you got me right there

How did u know?

Can the smart response xe open garage doors because I got one

man I wish this one got can do that

ghostrider090 Thanks!!

@@samykamkar man I want me one pre installed

@@samykamkar now that's the real thing

XSteamBunnyX It's not really about the good or bad... just the beauty of an inquisitive mind.

The Aftermath NO but when a inquisitive mind finds some new information, at some point a decision is made of what you will doing with your findings. Do you keep the information secret and use it for your own or some other people/ organizations benefit, or do you inform the public, and make companies making millions /billions of dollars accountable for what they sell. Seems the ultra basic of any form of ethical hacking. Im clueless about hacking, just interested in circuit bending, and what what can be done with what is usually taught benign little toys. This one was meant to interface with the internet, so its a bit more sophisticated.

Ralph ralphson I agree that a decision is obviously formulated when the topic has potential issues. I just mean to suggest that tinkerers aren't typically doing this because they specifically want to be 'good' or 'evil' per se. It's merely down to the love of taking things apart and learning how they work at a fundamental level, most of the other stuff is an after thought.

_T_Love_ You Don't Know!!!!!

Daniel Briscoe lok

Simon MacLean SAME

Yes, we have no bananas.

Simon MacLean same. I thought for sure it said "banana for sale" until reading your comment.

Simon MacLean now i want a banana

De Bruijin sequences certainly do not allow you to store more information in less. In this case, it allows for multiple brute force attempts to be compressed into fewer bits due to the design of the receiver looking at the last n bits. It is impossible to take a greater amount of information and compress it into less. You could never hold say 8 bits of information in 7. Or even a million in a million minus one.

+Crash Weekly Thank you for commenting! We are now officially affiliated. Looking forward to our continued affiliations together.

Ravindra Pawaskar Thanks!

Dan Bert Awesome, thanks Dan!

+David Schne Hey David, thanks for the comment! Always open to interesting 1099 work! You can reach me at code@samy.pl

+John Smith Crazy! Good find. Can you share any info on the car?

+Samy Kamkar Tested it again today and it was the last 26 bits and then my rtl just stopped working. I'm getting a hackrf so I can double check, to be sure, and be able to transmit. Car is a Hyundai Accent. I'll keep you posted.

+John Smith Awesome! Would love to know more when you find out

+John Smith The signal can be kind of misleading. It's using more bits than that. Can't remember the details but hak5 talked about it with the YARD stick one.

+rentacow I know but I was focusing on the end of the sequence because the first part is unchanged every time. The only bits that were changing came at the end. Another thing I'm going to try is to catch the signal without the car receiving it and see if I can just reuse that signal.

Every multi-tenant building I've ever seen uses the fixed code versions, while in single family homes I typically see rolling codes used (which are susceptible to other attacks, such as some described in kzbin.info/www/bejne/i3_Kp4aeg5mIibc)

@Sammy - Interesting. I was aware of replay attacks on rolling-code systems, but never even considered the simpler fixed systems because I just figured that they were phased out long ago. It's a curious thing that this might not be the case though.

Haha, you ARE ahead of the curve!

Samy Kamkar haha, g thanks...but again..it's not saying much lol ...love the videos man...they are like Ted talks but not rushed and actually useful/helpful/informational! thanks for them!

Most people wouldn't have thought to look for an algorithm -- I think that's impressive. You did it while watching the video, when it took me days/weeks (to fully get this project up!) -- glad you enjoy them!

Samy Kamkar THANKS man! ::: blushing::: hahaha ....as you were explaining the bits, the combination limit and that it doesn't recheck a wrong entry, I was thinking "there's got to be a certain set of codes that could be shortened to overlapping repeats or a master set of all possible combos somewhere in the math that could be isolated and just run and because of the no error checking it could just be run and that one sequence would open everything, and do it fast...especially without return communication...hmm, I wonder how I can figure that out?" .... then 48 seconds later you mention it lol

007order007 check out pablos holman videos on youtube, he talks about this sort of stuff also.

Often times, you could just use a baby monitor or walkie talkie that had the same carrier frequency of the more common wireless phones, such as 900mhz or 2.5ghz, and you would be able to listen to most wireless phone calls in range. It was a common practice by nosy people to use those in apartment complexes where you would often be close enough to receive multiple signals from different neighbors. Whenever I lived in an apartment complex, I used a landline only.

Tyee Cambrón He's not hacking the garage door opener. He's hacking a toy and using it to scan through the codes :: that is, literally giving every code possible.

Regnoult François Maybe stupid proposition but the rolling code, why not sending "010" and "101" repetitively. The generated code would be "10101010101010101010101..." you can guess that at one point the code will fall on that. If it's harmoniously generated in 4096 try it will one of the code will fall at least once. With 8192 try, chances are quite high.

Regnoult François Every remote sends a wait period, so the assumption is a wait period is necessary.

Regnoult François Not sure what you mean here. The code has to be consecutive bits. So if your code is "111111000000", it would never hit in your example. The idea is to produce every consecutive permutation of bits, while reducing the length as much as possible by using overlap (which De Bruijn sequence does for us)

+Regnoult François My guess about the "wait" period is that it is used to mask the vulnerability from anyone who is just tinkering with the sender. The simplest design of the receiver circuit that I can think of would be continuously receiving and testing for the key, and what Samy has shown suggests that this is exactly what happens. The wait period would allow the shift register to empty so that the next time the sender sends the correct key it will be the only data in the register. Without the wait period "dirty" data can be in the shift register when the key is sent. While this at first doesn't sound that bad it would mean that if you do a shift of the key on in the sender (and set the first switch to the same setting that the last switch had before the shift) the receiver would still register a correct key the second time the sender sent the key sequence. It's the dirty data in the register that makes this work. There are several consequences to this such as exposing the vulnerability in a very blatant maner and reducing the available key space from 4096 to 341 (I think, a bit uncertain on the math). Security by obscurity. What a lovely concept...

Helmut Rubio Awesome, thanks!

You would need an RF transmitter, but in that case, yes. I chose this device as (at the time) it was cheaper than an RPi, had a screen, backlight, keyboard, and all the RF functionality needed, so a pretty fun device to be playing with, but any capable microcontroller or machine with proper RF transmitter can perform this attack.

Been looking for an excuse to pick up the Pi or Beaglebone, will probably do it now.

Is this attack still possible on garages which their opener does not have switches? Looking around for transmitters they all seem to have pretty decent range, am I going to end up opening my neighbors by accident?

Those are rolling code based garages and no, this attack will not open it, however I have developed a new attack that exploits rolling codes of those types of garages (as well as cars) -- details in my DEF CON 2015 talk/slides: samy.pl/defcon2015/

+IR Geek Nice!

I can't imagine it being very hard to make with some knowledge, it's just most knowledgable people are privileged and have the things necessary to make these, they have the availibility to learn and don't need to hack for malicious purposes

***** Yeh ya did. He opened it before diving into the De Bruijn explanation.

***** I've added an annotation linking to it at 0:26 -- good idea though, I'll add the demo in the end of videos as well!

Samy Kamkar and ***** thx, mea culpa, it was in there, I just missed it. Cool video with interesting content and great quality. Keep them coming.

MrGollum1996 don't bullshit a bullshitter lmao

MrGollum1996 takes u few seconds to go to your garage opener on the back and look at it.

MrGollum1996 just go in through your house.

+Boosted & Built Garage Would be cool -- it just depends if the system stores it anywhere. GPS only receives so it would require another system in your car to be accessible remotely somehow. My OwnStar attack (kzbin.info/www/bejne/aaDPiYiYiJKjqLc) also can track cars and at the time applied to GM/Benz/BMW/Chrysler, and Charlie Miller and Chris Valasek's Chrysler exploits also allowed acquiring GPS remotely from an unaltered vehicle (epic)...those would be some interesting areas to investigate. What kind of car?

Yeah exactly, that's the only bummer about most GPS because it only receives. I'm in Australia so its a Holden Commodore (GM basically) running a custom installed android 4.4 head unit so not a factory one like in newer cars. So it can obviously run any android app which there may be something out there to assist. I know you can actually plug a 3g network USB dongle (or whatever its called) in for internet so maybe that's the way to access remotely?

+Boosted & Built Garage Sure, as long as you give it some sort of remote/cellular access, you can communicate with it. A 3G/4G dongle would be good and if it's Android, I'm sure there's existing software that would allow it to be accessible (or just keep ssh open and have it automatically reach out to you so you know the IP over time)

Chris Armstrong Well,you might wait days to get someone to open garage...

lol yeah

Chris, great question! You are absolutely correct. You can use the device to simply listen (RX) and obtain the code as soon as the legitimate user uses their own opener (assuming you're in wireless range).

+Seth Mitchell I was hoping no one would figure it out...but honestly, yes. I am your hero.

Samy Kamkar You have no idea dude xD

+Seth Mitchell

Look at your first sequence, 000, 001, 010... Because the garage uses bit shift register, it will read that same string like this: 000, 000, 000, 001, 010, 101, 010... You could see it as it jumping one-by-one, instead of three-by-three. If we use the normal sequence, it would repeat a lot of the codes, making it take longer. That's where the sequence comes into play, it is ordered in such a way that the string contains all the possible combinations without wasting, or repeating, any of them. (or at least repeating it as little as possible)

Leonardo Segura what I mean is how did you find that order to use

I wrote a program to do it: github.com/samyk/samytools/blob/master/de_bruijn

+ph4nt0m Car keyfobs use rolling codes which are not susceptible to this attack, however are susceptible to my RollJam attack. Some more details on that here: samy.pl/defcon2015/

Nice! Yard Stick One is cheaper and can probably do everything you need.

+Mike Trieu (MegasChara) Well, if the receiver scrambles the code at every attempt, your transmitter would be useless as well. Think about your neighbor unlocking his garage, which changes the code of your remote. What I'd do is that I'd put a "INCOMING CODE" code at the beginning and look for the password. If it fails, wait 5 seconds. This would easily eliminate almost all code cracking devices because It'd take too long time to complete.

+Batuhan GENÇ Couldn't you still just sniff that signal and reproduce it later?

+Anonymous User I've created a new device (after making this video) called RollJam which can attack rolling code garages and cars, not just fixed code garages like this, meaning *all* garages are susceptible to attack. You can learn more from my recent DEF CON talk (kzbin.info/www/bejne/i3_Kp4aeg5mIibc) or more about it here (www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/)

StatusQuo Hey there, the Sony PSP's wireless transmitter only transmits to 2.4GHz (2412-2462MHz to be exact, according to the FCC doc: fcc.io/AK8PSP1001B), while most garages will be 300-433MHz, so they will not be compatible in any way.

Thanks man, good to know. I appreciate your response

+sparky1570784 You would need specifically a sub-GHz chip like the CC11xx, but yes, you could use RasPi.

Branislav Beke Sure, though now you're performing a brute force attack and are only able to use the method of modulation and frequency that specific garage door employs. OpenSesame works on a number of different frequencies, modulations, and exploits the OpenSesame attack, eliminating the need to brute force and reducing the key space by ~95.8%. However, this is still a great idea if you want to brute force your own 12-pin garage, and it's a great way to hack up some electronics. I suggest you do it to learn how it all works! You could also get around the encoder portion and use your AVR/PIC to bypass the encoder chip and then send your own bit stream. If you wanted to change frequency, it would require you to replace the crystal.

Thanks. Very good explanation. BTW I'm 14 years old and I'm trying to hack and create electronics and PC software for like 2 years now.

Branislav Beke Sweet! Keep me updated on here about your projects and how they go.

+David Pritchett Haha, you could just purchase another garage remote for your own garage

wellllllll yeah......... but this way I force myself to learn a bit more about programming and stuff. Though yeah i agree it would be easier and probably cheaper to just get another remote. BTW Props on being one of the fastest youtuber repliers. Less than half an hour is unheard of for most especially on a nearly year old vid. You get my sub for that reason alone!

+David Pritchett Awesome, thanks! If for the programming and hardware experience, then yeah, I definitely recommend building this! In fact, Michael Ossmann's original "opensesame" project that this is based off of would be a great tool to build your opener with as it only sends a single code, so you could program it for your own door without opening a ton of others around you! Here's the link: github.com/mossmann/im-me/tree/master/garage

+Ed Rutmayer You could probably use a 555 to brute force but to produce the De Bruijn sequence I think it would be too difficult with just a 555, but I'm sure there are plenty of analog circuitry people who could determine how to produce the sequence with analog.