Brute‑Force & Jamming
The brute command performs an exhaustive search over a fixed‑code space. It is designed for educational purposes to demonstrate the weakness of fixed‑code (dip‑switch) remotes.
Fixed‑code remotes (common in older garage doors, gates, and some home automation) use a static bit sequence – typically 8, 12, or 24 bits. The remote transmits this code each time a button is pressed. VoidRecon transmits every possible combination (from 0 to 2^bits - 1) until it finds the correct one that opens the receiver.
- The device assumes OOK (On‑Off Keying) modulation.
- Each bit is represented by a pulse of a fixed duration – the symbol time.
- The `brute` command sends each code, pauses briefly, then moves to the next.

```
brute <usec> <bits>
```

| Parameter | Description |
|---|---|
| `<usec>` | Symbol time in microseconds (duration of each bit pulse). |
| `<bits>` | Number of bits in the remote code (e.g., 24 for many garage openers). |

You must know the symbol time of the target remote. If it’s wrong, the receiver won’t recognise the signal.
- Common values: 200–400 µs for many simple OOK remotes.
- You can measure it using `rxraw` (raw sampling) or an oscilloscope.
- Example: if you see a bit pattern with alternating pulses, measure the average pulse length.
- Time: Transmitting all combinations takes 2^bits × (usec × bits) plus overhead.
  - For 24 bits at 200 µs, that’s 16.7 million attempts. At ~10 ms per attempt, it takes ~46 hours.
- Rolling‑code systems (modern garage openers, keyless entry) are not vulnerable – they use cryptographic rolling codes that change each time.
- Range: Ensure the device is close enough to the receiver for the signal to be received.

```
brute 200 24
```

This will attempt all 16,777,216 possible 24‑bit codes with a symbol time of 200 µs. Press `x` to stop the process.

⚠️ Warning: This can take many hours and may drain your battery. Only use on devices you own or have explicit written permission to test.
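
Because the sweep described above sends every code in turn, it is visible on the receiving side as a burst of many different wrong codes. The following is an added example, not part of VoidRecon: a receiver-side check over a log of decoded frames. The function name, thresholds and both logs are assumptions constructed for illustration.

```python
from collections import deque


def detect_sweep(frames, valid_code, window_ms=5000, threshold=20):
    """Return the timestamp (ms) at which a code sweep is flagged, else None.

    frames: iterable of (timestamp_ms, code) pairs as decoded by the receiver,
    in time order. A sweep is flagged once `threshold` distinct invalid codes
    have arrived within `window_ms`. Counting distinct codes rather than
    frames keeps a neighbour's remote (one wrong code, repeated) from
    triggering the alarm.
    """
    recent = deque()  # invalid frames still inside the time window
    for ts, code in frames:
        if code == valid_code:
            continue
        recent.append((ts, code))
        # Drop frames that have aged out of the window.
        while ts - recent[0][0] > window_ms:
            recent.popleft()
        if len({c for _, c in recent}) >= threshold:
            return ts
    return None


VALID = 0xABCDEF  # constructed 24-bit code held by the receiver

# Constructed log 1: codes counted up from 0, one every ~10 ms,
# matching the per-attempt figure quoted in the text above.
SWEEP_LOG = [(i * 10, i) for i in range(500)]

# Constructed log 2: a neighbour's remote repeating its own fixed code,
# interleaved with two legitimate presses of the valid remote.
BENIGN_LOG = sorted(
    [(i * 100, 0x123456) for i in range(200)] + [(2500, VALID), (9050, VALID)]
)

if __name__ == "__main__":
    print("sweep flagged at ms:", detect_sweep(SWEEP_LOG, VALID))
    print("benign flagged at ms:", detect_sweep(BENIGN_LOG, VALID))
```
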
The jam command transmits a continuous carrier (or modulated signal) on the currently selected frequency and modulation. This can overwhelm receivers and block communication.
- The CC1101 is set to transmit a constant signal (or a repeating pattern, depending on the modulation) on the configured frequency.
- Nearby receivers tuned to that frequency may be unable to decode valid packets due to the high noise floor.

```
jam
```

- Starts jamming on the current frequency and modulation settings.
- Press `x` to stop jamming.

🚨 Jamming is illegal in most countries under telecommunications laws. Using a jammer to disrupt authorised communications can result in severe fines, equipment confiscation, and even imprisonment.
- Do not use jamming near emergency services, aviation, or public safety networks.
- Only use this feature in a shielded environment (like a Faraday cage) or on a frequency where you have explicit permission to transmit.
- Educational use only – the feature is included to demonstrate how RF interference works and to test immunity of your own devices in a controlled setting.