OpenSesame

Flipper needs to have a quick way of attacking fixed-code systems.

Should be extremely simple to implement since the sequences can (and should) be pre-generated. I’ve done it with an Arduino at some point (just bit-banging a simple 433 MHz transmitter), and since Flipper uses (almost) the same chip as in IM-ME it should be possible to outright use parts of the OpenSesame code.

5 Likes

Good point. I think we should implement this feature completely on the MCU without Raspberry Pi code. Also there is a much more interesting project by Samy: RollJam. He uses two CC1101 modules, one for jamming and one for listening. But I’m not sure about two CC1111/CC1101 modules in Flipper.

2 Likes

A dedicated CC1101 just for jamming seems to be extreme overkill. Maybe we could use a “dumb” 433 MHz transmitter for that.

Well, if it helps anyone, I got this working on the Si4010 a while back. https://github.com/Liath/hekapoo

Here is the correct code for the de Bruijn sequence which I used for OpenSesame:

# 256-byte table for bytes.translate(): symbol values 0..9 become the ASCII
# digits "0".."9", so the result is a readable string (k must be <= 10)
_mapping = b"0123456789" + bytes(range(10, 256))

def debruijn_bytes(k, n):
    """Return the k-ary de Bruijn sequence B(k, n) as a string of digits."""
    a = k * n * bytearray([0])   # working array, indexed from 1
    sequence = bytearray()
    extend = sequence.extend
    def db(t, p):
        if t > n:
            if n % p == 0:       # emit the Lyndon word a[1..p] if p divides n
                extend(a[1: p+1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)
    db(1, 1)
    return sequence.translate(_mapping).decode("ascii")

3 Likes

How would you implement this in Flipper so it is easy to use?

I would like to use the de Bruijn brute-force attack as an option when you need to open some doors ASAP. A binary search of a static key is the main functionality which I used on my CC1101, because sometimes I need to find the correct key and reuse it without brute-force (to save time in the future), or you just want to decode the key and that’s it.

1 Like

I realized something with RollJam. You don’t actually need two of the CC chips. You need one to receive the signal, and then something else to jam it. Due to this having GPIO pins like a RasPi, I wonder if something like the RPiTx software, shown here ( https://github.com/F5OEO/rpitx ), could be used to jam the keyfob signal momentarily while the CC chip receives. If told to transmit on the frequency, GPIO pins tend to generate square waves with lots of signal splatter. Perfect for jamming someone’s keyfob. The best part is, the only additional hardware needed is about a 100 mm jumper wire plugged into a GPIO port. The rest is software.

3 Likes

How does this integrate into the existing OpenSesame code?

Has anyone here got an IM-ME and fixed the OpenSesame code for it? I’ve got mine to transmit, but I’m struggling with the correct routine to complete the routine; mine just sends the payload and then repeats over and over again.

3 Likes

Hey man, can you share somewhere the correct IM-ME code or firmware? I’ve been having the device for so many years and never figured it out. A PM maybe?

Thank you anyway.

1 Like

Has anyone succeeded in implementing OpenSesame on the Flipper Zero?

2 Likes

If somebody got this working on an RPi/Arduino, I would think that you could just transmit the code, capture it with the Flipper and share it with the group?

Do you know how to do this? Can you please share it with us?

You guys can try this:

But I don’t have any idea if they will work; most likely they will not.
If someone can open anything with the posted files, please do tell us.

I’ve been playing around with my Flipper only for a few days, and I must say that it is a very enjoyable device, but I don’t think that it will be that easy to use it to hack wireless devices. You can’t expect to feed it with an unknown sequence and expect it to magically open gates and garage doors.
I’ve seen the OpenSesame and the de Bruijn sequences in the “UberGuidoZ” folder, but I think they can succeed only with very old and outdated systems.
I live in Europe, and most of the equipment installed on gates and garage doors around here has protocols which are pretty complex (or, well, not so basic at least): they introduce the need to repeat the code multiple times to be accepted (therefore avoiding the chance of using the above-mentioned OpenSesame or de Bruijn sequences), they introduce “pauses” between code repetitions (therefore increasing the length of the sequence), and so on.
I made a “quick” estimation: if I could bake (and I will for sure, as soon as I have enough time) the proper sequence for the Flipper (taking into account all the above-mentioned tricks), it would take more or less 6 minutes for the Flipper to play it… and that sequence would probably work with that specific equipment only. It’s very unlikely that you can bake a “universal” OpenSesame sequence nowadays.
By the way, these are just my 2 cents…

2 Likes

You are correct. I have had my Flipper for a couple of weeks now, and I already built a brute-force file for a CAME 12-bit gate which is working just fine.

It would take 16 minutes to run the sequence. As you said, you need to account for the pauses and leading signals, and I found out that you also need to add extra pauses between the codes, or else your Flipper will drop around 10-25% of the keys sent.

Now this could be practical for a known protocol and a 12-bit protocol, but if the gate uses 24 bits, forget about that completely, as it could take years to brute-force it.

Regarding the OpenSesame sequence, it is a very old sequence and it is extremely unlikely to find something that uses it now, as it depends on only sending 0’s and 1’s without any protocol.

1 Like
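As an added illustration (not code from this thread or from the OpenSesame project), the following Python checks the de Bruijn property behind the generator posted earlier, and then counts how many symbols an exhaustive run must send once a receiver insists on each code being framed and repeated, which is the mitigation the last two posts describe. The `repeats` values are assumed for the example, not measured from any real receiver.

```python
from itertools import product

def de_bruijn(k, n):
    """Cyclic k-ary de Bruijn sequence B(k, n) as a list of ints, k**n long
    (same Knuth-style recursion as the snippet posted earlier in the thread)."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq

def covers_every_code(seq, k, n):
    """True iff every one of the k**n possible n-symbol codes shows up exactly
    once as an n-symbol window of seq read cyclically (the de Bruijn property)."""
    wrapped = seq + seq[:n - 1]            # wrap so the last n-1 windows exist
    windows = {tuple(wrapped[i:i + n]) for i in range(len(seq))}
    return len(windows) == len(seq) == k ** n and all(
        code in windows for code in product(range(k), repeat=n))

def symbols_needed(k, n, repeats):
    """Symbols that must be transmitted to cover all k**n codes.
    repeats == 0: the receiver accepts any sliding n-symbol window, so the
      overlapping de Bruijn stream (k**n + n - 1 symbols) covers everything.
    repeats >= 1: the receiver wants each code framed and sent whole `repeats`
      times (the behaviour described for newer receivers), so windows no
      longer overlap and the cost grows to repeats * n * k**n (assumed model)."""
    if repeats == 0:
        return k ** n + n - 1
    return repeats * n * k ** n

if __name__ == "__main__":
    s = de_bruijn(2, 12)                   # 12-bit binary fixed code
    print(len(s), covers_every_code(s, 2, 12))                 # 4096 True
    print(symbols_needed(2, 12, 0), symbols_needed(2, 12, 3))  # 4107 147456
```

The jump from 4107 to 147456 symbols (before any inter-code pauses) is why a receiver that requires framed repeats defeats the OpenSesame shortcut even though the key space itself is unchanged.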

Can you please share your code? How to use it?

Very interesting.
I hope we will have news of your research.