Was walking around Target and saw an inexpensive remote outlet which I was pretty sure I could perform the Replay Attack on.
The Replay Attack is when you record a signal from something and transmit it back to perform the operation.
These devices typically transmit around 433 MHz and have no encryption of any kind whatsoever: just a simple transmit burst for the on and off functions.
So for $15 it was a gamble. I took it home. Often you have to look up the device's FCC ID number to learn the frequency, but in this instance I guessed correctly: around 433 MHz, 433.920 MHz to be exact. Here’s a quick video of how you can find the exact frequency using SDR software such as GQRX.
So now that I know the frequency, I have to record the transmission from pushing the on button.
Enter RPITX. This is code that runs on a Raspberry Pi computer. To perform this operation you will need:
- The GE remote outlet (or similar) linked above.
- A Raspberry Pi (Pi 3 Recommended)
- An RTL-SDR device. I use a NooElec NANO 3
- Antenna of some kind for the RTL device
- Wire antenna for GPIO 4 (Pin 7) of the Raspberry Pi
- RPITX software
To install the software, run the following six commands on your Pi in the terminal (or ssh window):
sudo apt-get update
sudo apt-get install git
git clone https://github.com/F5OEO/rpitx
cd rpitx
./install.sh
sudo reboot
You can now cd back to the rpitx directory (the 4th command above) and then type the following:
Now this screen pops up.
The default is 434.0; however, I changed mine to 433.920 as noted above. Hit okay, then select the gain. The default of 35 is good, so just select it. If you need more oomph you can go up to the maximum of 45.
Then finally your output (transmit) frequency, again in my case 433.920.
Yay. Now we are getting somewhere. This screen pops up.
Now to record. Make sure you have your outlet remote in hand, hit enter to record, then push and hold the button on the remote. A box will pop up that says “RUNNING”. Hold the button a second or two, or press it a couple of times, then hit enter again to stop. Your transmit code is now recorded.
Now exit the program and you should still be in the rpitx directory. List the directory with ls and you will see a file named “record.iq”.
Almost done. Now let's rename the file (of course you can name it anything you want). I chose “turnonoutlet.iq”:
sudo mv record.iq turnonoutlet.iq
Now repeat the procedure for recording only this time do the off button and name the file “turnoffoutlet.iq”.
Here we go now! In the same directory (rpitx) run these commands:
sudo ./sendiq -s 250000 -f 433.9200e6 -t u8 -i turnonoutlet.iq
sudo ./sendiq -s 250000 -f 433.9200e6 -t u8 -i turnoffoutlet.iq
Yer doing it!
Should turn out like this:
Now with these two commands you can write systemd service files, cron jobs, or shell scripts. You can turn the outlet on and off whenever, however, and from wherever you like.
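Before wiring the recordings into cron jobs, here is the check that shows why the raw replay works at all, as an added example that is not from the original post or the rpitx project: read a capture in the unsigned 8-bit interleaved I/Q layout that sendiq consumes with -t u8 at 250 kS/s, envelope-detect the OOK burst into on/off runs, and confirm two captures of the same button carry the identical pulse pattern. That press-to-press sameness is the fixed-code property a rolling-code remote would not have. The PWM timings, the 1 kHz carrier offset, the noise level and the same_code tolerance are constructed assumptions so the script runs offline; a real record.iq would be read from disk and passed to load_u8_iq instead.

```python
import math
import random

FS = 250_000  # samples per second, the rate given to sendiq with -s 250000


def load_u8_iq(raw: bytes) -> list:
    """Unsigned 8-bit interleaved I/Q (sendiq's -t u8 layout) -> list of sample magnitudes."""
    return [math.hypot(raw[k] - 127.5, raw[k + 1] - 127.5) for k in range(0, len(raw) - 1, 2)]


def ook_runs(mag: list, min_us: float = 100.0) -> list:
    """Envelope-detect an OOK burst into (level, microseconds) runs.
    Threshold is half the peak magnitude; runs shorter than min_us are dropped as glitches."""
    thr = 0.5 * max(mag)
    on = [m > thr for m in mag]
    runs, start = [], 0
    for n in range(1, len(on) + 1):
        if n == len(on) or on[n] != on[start]:
            us = (n - start) * 1e6 / FS
            if us >= min_us:
                runs.append((int(on[start]), us))
            start = n
    return runs


def same_code(runs_a: list, runs_b: list, tol: float = 0.2) -> bool:
    """True when two captures show the same on/off pattern within a 20% timing tolerance."""
    if len(runs_a) != len(runs_b):
        return False
    return all(la == lb and abs(ta - tb) <= tol * max(ta, tb)
               for (la, ta), (lb, tb) in zip(runs_a, runs_b))


def make_capture(bits: str, seed: int = 0) -> bytes:
    """Constructed capture in sendiq's u8 format (assumed PWM-style OOK, not a real remote):
    '1' = 900 us high then 300 us low, '0' = 300 us high then 900 us low, 3 ms trailing gap."""
    rng = random.Random(seed)
    env = []
    for b in bits:
        hi, lo = (900, 300) if b == "1" else (300, 900)
        env += [1.0] * (hi * FS // 1_000_000) + [0.0] * (lo * FS // 1_000_000)
    env += [0.0] * (3000 * FS // 1_000_000)
    out = bytearray()
    for n, e in enumerate(env):
        ph = 2 * math.pi * 1000 * n / FS  # carrier sits 1 kHz off the SDR's centre frequency
        i = 100 * e * math.cos(ph) + rng.gauss(0, 3) + 127.5
        q = 100 * e * math.sin(ph) + rng.gauss(0, 3) + 127.5
        out += bytes((int(min(max(i, 0), 255)), int(min(max(q, 0), 255))))
    return bytes(out)
```

Two presses recorded with different noise decode to the same run list, while a capture of a different code does not.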