Today’s story is one of victory and defeat, of mystery and adventure… It’s time to automate the garage door. Connecting the garage door to the internet was a must on my list of smart home features. Our opener has internet connection capabilities built-in. As you might guess, I’m very skeptical of connecting a device to the internet when I have no control over the software running on it.

The garage door is controlled by a button hung on the garage wall. There is only a pair of wires, so a simple relay should be all that is needed to simulate the button press from a Raspberry Pi. I wired a relay module to a GPIO on the Pi mounted in the garage ceiling, and wrote a quick and dirty test program in Python. Sure enough, the little relay was clicking happily, but the garage door wasn’t budging. Time to troubleshoot. Does the push button still work? *raises the garage door* yep. How about the relay now? *click…click* nope.

You may have figured it out by now, but this garage door opener isn’t just a simple momentary contact push button. Yes, that’s a microcontroller, in a garage door button. This sort of scenario calls for forensic equipment more capable than a simple multimeter, and so I turned to Amazon for a USB oscilloscope that could do some limited signal analysis. A device with Linux support was a must, and Pico Technology fit the bill nicely.

Searching for a Secret We Don’t Actually Need

My 2-channel Picotech oscilloscope, the 2204A, finally arrived, and it was time to see what sort of alien technology was in this garage door opener. There are two leads to the button, a ground and a five-volt line. When the button is pressed, the microcontroller sends data back over that line by pulling the 5 V line to ground. If this isn’t an implementation of Dallas 1-Wire, it’s a very similar concept.

The wire protocol appears simple enough to reproduce, ideally with an opto-isolator. I found a suitable chip and got it on order. With the physical interface sorted, it was time to move on to the data itself.

So, what does the request to open look like? “Open Sesame”? The Picoscope software is capable of signal decoding, so some futzing with those settings got reproducible results. UART at 9.6 kbaud. 38 bytes of data were being sent over the wire, and the next step was to capture several of those packets to look for patterns.

Each packet started with a repeatable pattern that Picoscope decoded as 55 01 00. A header of sorts? A source or destination identifier? So far, I just didn’t have enough information to tell. Other than that pattern, the data appeared to be random. So where to from here?
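The pattern search described above can be done per byte offset across several captures. The following is an added example, not code from the original post: the function names are hypothetical, and the captures are constructed stand-ins (the 55 01 00 prefix plus hash-derived filler), not real data from the opener.

```python
import hashlib
from collections import Counter

PACKET_LEN = 38                   # packet length reported in the post
PREFIX = bytes.fromhex("550100")  # leading bytes the decoder showed

def constructed_capture(n: int) -> bytes:
    """Constructed stand-in for one decoded capture, NOT real opener data:
    the 55 01 00 prefix followed by 35 hash-derived filler bytes."""
    seed = b"constructed-sample-%d" % n
    return PREFIX + hashlib.sha512(seed).digest()[:PACKET_LEN - len(PREFIX)]

def distinct_per_offset(packets):
    """Number of distinct byte values seen at each offset across captures."""
    return [len(set(column)) for column in zip(*packets)]

def common_prefix(packets) -> bytes:
    """Longest run of leading bytes that is identical in every capture."""
    prefix = bytearray()
    for column in zip(*packets):
        if len(set(column)) != 1:
            break
        prefix.append(column[0])
    return bytes(prefix)

def analyse(packets):
    """Summarise which parts of the packet are fixed and which vary."""
    if len(packets) < 2:
        raise ValueError("need at least two captures to compare")
    for p in packets:
        if len(p) != PACKET_LEN:  # a truncated decode would skew the columns
            raise ValueError(f"expected {PACKET_LEN} bytes, got {len(p)}")
    counts = distinct_per_offset(packets)
    return {
        "prefix": common_prefix(packets),
        "constant_offsets": [i for i, n in enumerate(counts) if n == 1],
        "distinct_per_offset": counts,
        # identical captures mean the payload did not change between presses
        "repeated": [p for p, n in Counter(packets).items() if n > 1],
    }

if __name__ == "__main__":
    report = analyse([constructed_capture(n) for n in range(8)])
    print("common prefix   :", report["prefix"].hex(" "))
    print("constant offsets:", report["constant_offsets"])
    print("distinct values :", report["distinct_per_offset"])
    print("repeated packets:", len(report["repeated"]))
```

Offsets whose distinct-value count stays at 1 as more captures are added are candidates for a fixed header; offsets that take a new value in every capture are the part that changes per press.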


Source: Hackaday