Basic RF sniffing with the Bus Pirate

Getting some data out of those cheap dumb transmitter/receiver pairs takes the better part of 30 seconds. I hooked one up to see if I could capture some remote keyless entry traffic. (and it worked)

The first dump I took was of a cheap garage door opener that is real popular here, this is the same system I used in one of my previous projects. The data is composed of an active low signal, a frame starts with a single low going pulse followed by 12 static bits (ie, really easy to hack). Each bit is composed of a low and high portion, the ratio of these portions determine a zero or one bit. The system works on 403.55MHz so I needed to turn out the inductor core completely to pick it up.

The dump was made with the Alternate Sump Client and the Bus Pirate, I powered the module directly from the BP meaning that I had to turn on the power supplies through the terminal before using the logic analyzer mode. Next I dumped a keeloq remote control, the protocol is pretty well explained in the HCS301 datasheet which is used in the remote. This one worked on 433MHz.

Since the static code isn’t real interesting and I’ve hacked it before I’m going to try my hand at keeloq, I at least want to write a small ap that can decode the unencrypted bits.


Found a similar page:


~ by s3c on 2011/06/19.

8 Responses to “Basic RF sniffing with the Bus Pirate”

  1. Hello,

    I’d like to use a 433mhz remote control (Jolly Open) to to control an arduino with 433 mhz receiver.
    Your project files regarding your published article on hackaday are not available any more on the net.
    Could you republish them on send me them ?
    Thank you anyway for your contribution

    • Gmail is complaining somewhat about the project files, if you are still interested send me a shout and I’ll make a plan.

  2. I’m to do almost the same, but with another RF system.

    I tried to use Bus Pirate too, but it didn’t work. Can you help a little?

    Thanks in advance

  3. Hi s3c, can you share what was the receiver module you’ve use for this project?

  4. Hi, which port did you use on the bus pirate?

  5. Hello,

    Could you explain your sump client and bp configuration ? When i click capture, it stops capturing after 2 or 3 seconds.


  6. Hello,

    I try to use a same setup as yours but no luck.
    Could you post a reply for this setup please ->


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: