Basic RF sniffing with the Bus Pirate
Getting some data out of those cheap dumb transmitter/receiver pairs takes the better part of 30 seconds. I hooked one up to see if I could capture some remote keyless entry traffic (and it worked).
The first dump I took was of a cheap garage door opener that is very popular here; it is the same system I used in one of my previous projects. The data is an active-low signal: a frame starts with a single low-going pulse followed by 12 static bits (i.e., really easy to hack). Each bit is composed of a low and a high portion, and the ratio of these portions determines a zero or a one bit. The system works on 403.55MHz, so I needed to turn the inductor core all the way out to pick it up.
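A small decoder for the frame format just described, added here as an example (it is not the post's own code): it collapses a logic-analyzer sample stream into run lengths, finds the sync pulse and reads the 12 bits that follow. The constant bit period, the 1:3 pulse ratio and the convention that a long low portion means a 1 are assumptions, not facts from the post.

```python
# Added example (not from the original post): decode the garage-door frame
# described above from a logic-analyzer capture. Active-low line, one long low
# sync pulse, then 12 bits, each a low then a high portion; the ratio gives the
# bit. Assumed (not in the post): constant bit period, 1:3 ratio, long low = 1.

def samples_to_runs(samples, sample_period_us):
    """Collapse a 0/1 sample stream into (level, duration_us) run lengths."""
    runs = []
    for level in samples:
        if runs and runs[-1][0] == level:
            runs[-1][1] += sample_period_us
        else:
            runs.append([level, sample_period_us])
    return [(lvl, dur) for lvl, dur in runs]

def decode_frame(runs, nbits=12, sync_min_us=3000):
    """Locate the sync pulse and decode the nbits after it; None if no sync
    pulse is found or the capture is truncated / loses sync."""
    for i, (level, dur) in enumerate(runs):
        if level == 0 and dur >= sync_min_us:
            pos = i + 1
            break
    else:
        return None
    if pos < len(runs) and runs[pos][0] == 1:  # high gap after the sync pulse
        pos += 1
    if pos + 1 >= len(runs):
        return None
    # Bit period from the first bit's low+high. Each bit is judged by its low
    # portion against that period (equivalent to low vs high), which keeps the
    # last bit correct even though its high portion merges with the idle line.
    period = runs[pos][1] + runs[pos + 1][1]
    bits = []
    for k in range(nbits):
        j = pos + 2 * k
        if j + 1 >= len(runs) or runs[j][0] != 0 or runs[j + 1][0] != 1:
            return None
        low = runs[j][1]
        bits.append(1 if low > period - low else 0)
    return bits

def constructed_capture(bits, unit_us=400, sample_period_us=100):
    """Constructed test stream: idle high, 10-unit sync low, 1-unit gap, then
    each bit as 1:3 (0) or 3:1 (1) low:high units, then idle high again."""
    per = unit_us // sample_period_us
    stream = [1] * (4 * per) + [0] * (10 * per) + [1] * per
    for b in bits:
        low, high = (3, 1) if b else (1, 3)
        stream += [0] * (low * per) + [1] * (high * per)
    return stream + [1] * (8 * per)
```

Feeding it a real SUMP dump only requires exporting the channel as a 0/1 sample list with its sample period; the sync threshold and ratio convention may need adjusting for the actual hardware.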
The dump was made with the Alternate Sump Client and the Bus Pirate. I powered the module directly from the BP, meaning that I had to turn on the power supplies through the terminal before using the logic analyzer mode. Next I dumped a KeeLoq remote control; the protocol is pretty well explained in the datasheet of the HCS301, the chip used in the remote. This one worked on 433MHz.
Since the static code isn't really interesting and I've hacked it before, I'm going to try my hand at KeeLoq; at the very least I want to write a small app that can decode the unencrypted bits.
Found a similar page: http://bertrik.sikken.nl/433mhz/