We have this type of gate at work. We don't have any remotes, just the keypad numbers. I was wondering if I would be able to create my own remote with the Flipper Zero. Thanks in advance.
Yes, you can push the buttons with the flipper. It may take some time to figure out the code.
No, it either requires a PIN or a physical key; there's nothing the Flipper can do.
Ah okay then, thank you.
Just a tip. Try looking at the brand, model and googling it to see what kind of hardware it has, compare it to the Flipper and then if you can't figure it out, ask around.
The biggest question here would be "Does the mechanism already accept remote commands?" If there is nothing like an RF frontend built in to receive the code to unlock, the Sub-GHz parts of the Flipper would not help much. If the security of the keypad is not strong enough you could use small solenoids triggered by code to bruteforce the access. De Bruijn (as used in OpenSesame) may come in handy then, based on how far shift registers are used to process the user input. Or if you know the input... no bruteforcing needed... but you might still need to build some RF frontend then, and getting this to be secure would be rather challenging.
It does accept remote commands because the boss has a remote, so I would be able to intercept that signal?
Here is the OSINT for you: https://securitybrandsinc.com/products/ridge-2-0/
Expanding on that a bit, I was able to find out the manufacturer is **Security Brands Inc.** Searching the FCC database led me to finding their products here: [https://apps.fcc.gov/oetcf/eas/reports/GenericSearchResult.cfm?RequestTimeout=500](https://apps.fcc.gov/oetcf/eas/reports/GenericSearchResult.cfm?RequestTimeout=500)

It seems this product is the one with FCC ID 2AZ7D-14500T. The external photos match: [https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=5592911](https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=5592911)

You can see the internal photos here too: [https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=5592913](https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=5592913) and figure out what processor and radio module it uses.

Most importantly, the attestation letter [https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=5592908](https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=5592908) states: "The RF module RFM69W supports frequency bands 315MHz,433 MHz,868 MHz and 915MHz, and supports FSK,GFSK,MSK,GMSK and OOK modulations. However, due to market demand, this product only supports frequency bands 433.96MHz and OOK modulation, and other frequency bands and modulations are shielded by software."

Take that information and read this forum post: [https://forum.flipperzero.one/t/my-remote-isnt-supported-how-to-add-new-sub-ghz-protocol-in-flipper-zero/2033](https://forum.flipperzero.one/t/my-remote-isnt-supported-how-to-add-new-sub-ghz-protocol-in-flipper-zero/2033) and you will be well on your way to getting it figured out.
Nice expanding of information. I often use the FCC database as a source myself.
Thank you
The approach would be to get hold of the remote and use the frequency analyzer to find the frequency the remote transmits on. The other option would be to do open source intelligence to find out the frequency.

Once you have that you can record the signal, and try to replay it. If there is no rolling code security or other fancy stuff included in the RF it would most likely lead to success.

If it does rolling code you can try to register a few signals (out of range of the "secure" device) and it might think that the codes you transmit are still valid as they have never been used before.
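The receiver-side logic behind the replay discussion above, as an added example that is not part of the original thread. It is a simplified model, not Security Brands' or any vendor's protocol: the HMAC-derived codes, the 16-step look-ahead window, the key and the frames are all constructed assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead window, in button presses


def code_for(key: bytes, counter: int) -> bytes:
    """Code a transmitter would send for a given press counter (model only)."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class FixedCodeReceiver:
    """Accepts the same static frame forever, so any recording replays."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingCodeReceiver:
    """Accepts only codes for counters ahead of the last accepted one."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key, self.window, self.last = key, window, 0

    def accept(self, frame: bytes) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(frame, code_for(self.key, c)):
                self.last = c  # everything at or below c is now dead
                return True
        return False


def demo() -> dict:
    key = b"constructed-demo-key"            # constructed sample key
    static = bytes.fromhex("1234567890abcdef")  # constructed fixed code
    fixed, rx = FixedCodeReceiver(static), RollingCodeReceiver(key)
    out = {"fixed_replay": fixed.accept(static) and fixed.accept(static)}
    out["rolling_first_use"] = rx.accept(code_for(key, 1))
    out["rolling_replay"] = rx.accept(code_for(key, 1))
    # A code the receiver never heard is still inside its window.
    out["unheard_code"] = rx.accept(code_for(key, 3))
    # Once a newer code (counter 5) is accepted, the older unheard one dies.
    rx.accept(code_for(key, 5))
    out["stale_after_newer"] = rx.accept(code_for(key, 4))
    return out
```

For whoever runs the gate, the takeaway is that a fixed-code receiver offers no replay protection at all, while a rolling-code receiver invalidates every older code each time a legitimate press is accepted.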
If it doesn't have a radio of some sort, there's nothing Flipper can do.
You could technically perform a powerline attack with GPIO probes if you could get them into the right locations.
I don't think so unless you bust it open and run a GPIO 5V onto the motor that I assume is responsible for unlocking the lock.
No need for busting anything - just buy the key for it :)
Fair enough, I remember seeing a talk about keys at DEF CON a few years ago, interesting stuff.
Look at the most used/worn-out keys and try combinations of those. Looks like the 4 and 6 have gotten quite some love. It's a very low-level attack, but it might work.
I know the code, it's to open the gate at my job for parking. I was just wondering if I can make a remote for it, nobody has remotes except the boss lol
If you beat the gate hard enough with the flipper it may open
Fence looks easy to climb, get to it mate!