m2mike

Infrared hacking project

37 posts in this topic

Hello my fellow binrev forum users,

I have been away for a while. I got kind of burned out with this whole scene, but I thought I would come back and propose some new projects for those of you with more free time than myself.

I have been wanting to do some projects, but just haven't had the time or money to get them started. About a year and a half ago, I was having a lot of fun with hacking some infrared padlocks. The Laserlock and the EZ Padlock were proven to be overrated to say the least.

There are many other infrared devices on the market that haven't been publicly exposed yet. I have been debating with myself whether or not I should make public any exploits I find. There are some infrared systems which I am certain are vulnerable, but as I said, I have not made the effort to go after them for aforementioned reasons.

It has been brought to my attention that some older vehicles contain infrared locking systems. Jeep Cherokees that were made between the years 1993 and 1995 use infrared remotes. If I had to guess, I would guess that no rolling code was used with that particular infrared system. Releasing an exploit for those vehicles might be more permissible now since most of those vehicles are not around too much anymore since they are so old. There are aftermarket remotes all over eBay if someone wants to buy one and start experimenting. You could capture some signals with OmniRemote under Palm OS and send me the Pronto hex code. From there I could construct a database that could try all of the possible codes. Or you could actually do it yourself with LIRC or WinLIRC. http://www.lirc.org I prefer the Palm myself since I think it is easier.

Other possibilities exist for some infrared fun. I am sure some of us have seen the plans for the MIRT over at i-hacked.com. http://www.i-hacked.com/content/view/176/44/ A MIRT could be made quite easily with LIRC or even OmniRemote, but the downside is the limited range of the PDA's infrared signal. It would be a fun proof of concept though. Mods do exist for some PDAs that might allow such a thing to actually work.

I don't really have the money to spend on such things at the moment, but maybe one of you guys do.

Jeep Cherokees that were made between the years 1993 and 1995 use infrared remotes.

You have got to be shitting me. I'm going to find out more about this one.

You have got to be shitting me. I'm going to find out more about this one.

Post what you find, because that seems really stupid. I mean, there are things that give off interfering light; the door could just randomly unlock.

Yeah, I doubt that random IR signals would cause the doors to unlock. First, the IR signals would have to be received by the sensor in a specific sequence; second, there would have to be line of sight; and third, the signal source would have to be within range. So I think it would be highly unlikely for the doors to randomly unlock.

Ok, maybe, but still it seems like it would be easy just to roll through IR codes and unlock the door. Or at the very least capture the IR code from the remote and then replay it later.

I have been toying around with the same ideas actually, I am very sure this is feasible

Yeah, I have heard about those Jeeps in a forum a year or so ago; there were also other cars that might have that type of automatic lock.

Indeed there are many IR devices out there that need exposing, but what I want to ask, without sounding a little bit dumb, is: what about the other car remotes, like the one I have myself which transmits a signal to the car alarm? Isn't that also IR? Or even the alarms of the stores that have little remotes?

Virtual

No, those are not IR; those are RF. There is quite a bit of difference between the two.

Yes, vectors is right, very, very big difference. If your car remote was using IR, I could sit there with my Pocket PC, capture the IR from your remote and just play it back and open your door; that's horribly insecure. Capturing RF would be more complicated; you'd have to find the frequency to begin with.

Some of you may remember an article from 2600 that is a couple years old now. It was about the fact that you could copy a Mercedes Benz infrared remote key fob with a universal remote and replay the code later to unlock the car. That article got me thinking at the time of what may be possible.

Infrared key fobs are also supposedly used on some models of Saab and Volkswagen. As much as I would love to explore the security there, I don't have the means. The key fobs themselves are expensive and the cars they unlock are even more expensive. If we have any well off hackers who feel like spending some money, then this could make for a very interesting exploration of automobile security systems.

Otherwise, it will never be done. I don't have the time or money to go after these things, but maybe someone can give a visit to a used car lot and do some checking. You will be looking for old Jeep Cherokees and Mercedes models from the mid to late nineties.

I have no reservations releasing a proof of concept for the older Jeeps, but releasing something for "luxury" automobiles might not go over so well. I wouldn't want people doing really stupid stuff with any such infrared software although the thought of sending the panic code to several Mercedes at one time puts a smile on my face. :-)

If someone wants to capture their infrared key fob and send me the timing data, then feel free. PM me.

Hmm, well now, I knew there was a difference between them, but I don't know much more, so if you could point me in the right direction to some good manuals about RF and capturing these waves... whatever... I would like to read up on this.

V.

Hmm, well now, I knew there was a difference between them, but I don't know much more, so if you could point me in the right direction to some good manuals about RF and capturing these waves... whatever... I would like to read up on this.

Well, yes, there is a huge difference, being that IR refers to light and RF refers to radio frequencies. The ways in which the technologies work and operate are almost incomparable.

For more information I suggest you check out Wikipedia on IR and RF, following some of the links to other articles within those articles.

Thank you, I will read up on that today, probably later when I get off work. But as a short question, do you know if, in theory, it is possible to decode an RF device by scanning different codes? I have heard of such devices, but not from believable mouths.

(V)

Thank you, I will read up on that today, probably later when I get off work. But as a short question, do you know if, in theory, it is possible to decode an RF device by scanning different codes? I have heard of such devices, but not from believable mouths.

I don't understand your question. But any device which transmits radio signals can have those signals received. For example, FRS two-way radios on channel one will be creating a radio signal with a frequency of 462.5625 MHz. So any device which is listening, like a radio scanner, to modulation of the 462.5625 MHz frequency will be able to hear the radio.

That works well in an analog situation, but if the voice was being passed digitally, the radio scanner would still only be passing the sound out, and it would be just noise. What you would need in a digital situation is both a device to capture the signal and a device to translate the signal into something understandable. Similar to encryption, where you need to get the ciphertext, but you also need to translate it, and they are two completely different things.

Edited by Drake Anubis
Just wondering if anybody else saw this? Apparently cell phones are altering the codes in Nissan key fobs and locking people out of their cars. I wonder if there could be some way to synchronize both the keys with the decoder/encoder in the door and basically go around opening doors.

http://www.reuters.com/article/technologyN...=RSS&rpc=22

I see that no one has touched this project proposal in almost 2 months. Sadly, I am not surprised. If anyone is interested, then contact me or post here.

I'm interested in what's going on here. I am looking for a good excuse to play with a microcontroller. (I got a bunch of stuff here but seem to have lost interest... & I smoke way too much pot.) I found this yesterday, and although it's RF, the AES bit might be of interest to ya...

http://www.atmel.ru/Disks/AVR%20Technical%..._avr/AVR411.pdf

I haven't read the whole thing yet but it should shed some light on how 'rolling' codes work on the low level...

I may take a look, once I have finished hacking the IR of my Furby.

Well, it's been almost another 2 months and there seems to be no interest in this. I guess I will have to do it myself. Expect a long wait, guys. I am still in financial trouble and won't have the cash to spend on this for quite some time.

Peace.

Well, the time has come for me to release something that I never got around to releasing. The main reason is because I have never found the opportunity to field test the prototype I built.

http://m2mike.no-ip.org/Sears.zip

I made this late last year, but never released it. If anyone wants to build a working prototype and field test it, then be my guest.

Be responsible.

Well, the time has come for me to release something that I never got around to releasing. The main reason is because I have never found the opportunity to field test the prototype I built.

http://m2mike.no-ip.org/Sears.zip

I made this late last year, but never released it. If anyone wants to build a working prototype and field test it, then be my guest.

Be responsible.

I'm actually more interested in exploring RF-controlled systems, seeing as that's what everything's on right now. Releasing a hack for that would be a 'big deal'.

Hey m2mike, you interested in re-starting with RF?

Hey Breakdance,

That's exactly what m2mike released. It converts IR to RF and is used to scan garage door RF codes; it could also be used to grab the codes and store them to memory. Of course, it only works on the older non-code-rotating systems. For code-rotating systems in both garage doors and automobiles, a new project was started: How to Steal Cars.

Great post m2mike. I will build a unit and let you know how it works.

Xmitman

That's pretty interesting. I read a while ago that repeatedly grabbing codes from the same (KeeLoq?) remote could drastically reduce the calculation time. I wonder if that article was related to the Belgian study. The timing of it all makes me think so.

Anyway, I want to clear up a few things that were said back in March. The Jeep Cherokee systems were IR, not radio. The key fob had a clear-lens infrared LED. The receiver itself was mounted inside a gumdrop-sized dome on the ceiling. As you'd probably guess, the IR approach had a long rap sheet of physical problems. Namely, you would get blocked by the A-frame or passengers inside. Also, I don't know exactly how transparent auto glass is to the near-IR spectrum, but I'd guess "not very." You had to hold it close to the window.

Basically, I'd like to see this project regain its old momentum. The automotive scene isn't the only place to find these kinds of controls, and any development here would be pretty far-reaching.

So I have finally made some headway on some of this project. Can anyone send me their infrared codes from their Jeep? :) I have in my possession some remotes that operate those vehicles, but I need to work with someone here to isolate bits. Just learn your transmitters with OmniRemote and get back to me! I will do the rest!

Do you guys realize that it has been almost a year since I wanted to embark on this? I can't do it without your help, guys!

Edited by m2mike
The best idea I could come up with is to locate a late model Jeep using Carmax and Automotive.com. That's pretty much the only way I know of to locate anyone who might have a working remote. I don't have OmniRemote, but I have another utility that might help out, as long as it's TV remote-compatible.

There are a handful of other vehicles that use an infrared locking system. One such vehicle is the Ford Puma, which was sold exclusively in Europe from 1997 to 2002. It was discontinued in 2002 and replaced with some other model that Ford wanted to sell.

Check out the wikipedia page: http://en.wikipedia.org/wiki/Ford_Puma

Also, check out the programming instructions for infrared transmitters: http://d.1asphost.com/tarmacsurfer/puma%20...programming.pdf

Any Europeans on this board that feel like exploring the infrared on their Pumas? :)

My friend drives an old Mercedes C280. To my disbelief, his keyfob had the tell-tale red opaque corner, and a dome-like receiver on his rearview mirror. Sure enough, I've cloned it :o

It does seem to have some intelligence. Once I've copied the IR signal from the keyfob and sent it to the car, the car will not respond to that code again. If I clone the key again, it works once again.

I'm using VITO Oscilloscope on my Dell Axim (Pocket PC). Although it kind of gives a representation of the waveform, it's hard to tell how/why the signals differ each time. I'll keep playing and post when I figure something out.

Does anyone want me to try anything specific?

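The AVR411 post above and the Mercedes observation (a replayed fob code is refused, a freshly captured one works once) both come down to the same design point: a fixed-code receiver accepts any copy of its code word forever, while a rolling-code receiver authenticates each frame and only accepts a counter that moves forward. The following model is an added example, not code from this thread, from AVR411 or from any real key fob; it uses HMAC-SHA256 as a stand-in for the AES-based tag in AVR411, and the key, serial number and code word are constructed demo values.

```python
import hmac
import hashlib

def mac(key, body):
    # Keyed tag over the frame body. AVR411 derives this with AES-128; HMAC-SHA256
    # is used here only as a standard-library stand-in for the example.
    return hmac.new(key, body, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Pre-rolling-code lock: the fob always emits the same code word."""
    def __init__(self, code):
        self.code = code
    def receive(self, frame):
        return frame == self.code          # a captured copy stays valid for ever

class RollingCodeFob:
    """Transmitter: each press sends serial | counter | button | tag."""
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0
    def press(self, button=1):
        self.counter += 1
        body = self.serial.to_bytes(4, "big") + self.counter.to_bytes(4, "big") + bytes([button])
        return body + mac(self.key, body)

class RollingCodeReceiver:
    """Receiver: accepts a frame only if it authenticates and its counter moves forward."""
    WINDOW = 16                            # presses the fob may make out of range before resync
    def __init__(self, key, serial):
        self.key, self.serial, self.last = key, serial, 0
    def receive(self, frame):
        body, tag = frame[:9], frame[9:]
        serial = int.from_bytes(body[:4], "big")
        counter = int.from_bytes(body[4:8], "big")
        if serial != self.serial or not hmac.compare_digest(tag, mac(self.key, body)):
            return False                   # wrong fob, or forged/corrupted frame
        if not self.last < counter <= self.last + self.WINDOW:
            return False                   # replayed (counter already used) or too far ahead
        self.last = counter
        return True

def demo():
    """Replays constructed captures against both receiver types; returns the outcomes."""
    fixed = FixedCodeReceiver(b"\x0a\x55\xf0")                  # constructed fixed code word
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")      # constructed demo key
    fob, car = RollingCodeFob(key, 0xDEADBEEF), RollingCodeReceiver(key, 0xDEADBEEF)
    capture1, capture2 = fob.press(), fob.press()                # presses recorded away from the car
    results = {"fixed_first_replay": fixed.receive(b"\x0a\x55\xf0"),
               "fixed_second_replay": fixed.receive(b"\x0a\x55\xf0"),   # still accepted
               "rolling_first_use": car.receive(capture1),      # fresh counter: accepted once
               "rolling_replay": car.receive(capture1),         # same frame again: refused
               "rolling_fresh_capture": car.receive(capture2)}  # next counter: accepted
    capture3 = fob.press()                                       # recorded but never delivered
    results["rolling_direct_press"] = car.receive(fob.press())   # press 4 reaches the car directly
    results["rolling_stale_capture"] = car.receive(capture3)     # older unsent capture now dead
    return results
```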