Brute-Forcing Fixed-Code RF Receivers
SDR Brute Forcing using off-the-shelf tooling and frameworks
Recently I was tasked with testing the physical security of a building that used wireless garage door openers. The system is from the early 2000s (even though it was installed in 2016), and is still widely used to this day.
Reversing the opener's RF protocol with URH and USRP hardware reveals a static 8-bit code.
Using off-the-shelf hardware and a modified version of Corey Harding's rfpwnon library, a PoC device was built to illustrate that brute-forcing the garage's code is possible within 8 minutes.
References:
- Corey Harding's rfpwnon
- Great Scott Gadgets YARD Stick One