Challenge description: During your physical penetration test, you notice a garage door at the back of the company that catches your eye. Using your RTL-SDR, you manage to record the opening signal. Now you need to identify the bit sequence sent to the door’s receiver so you can build your own transmitter.
We’re asked to figure out the binary sequence sent to a garage door receiver. For this, a file named garage.wav is provided.
Let's open it using Universal Radio Hacker.
When you open a file with URH, it automatically tries to decode the signal by detecting the modulation and other parameters. Spoiler: The automatic detection totally sucks for this challenge. Let’s do it manually so we understand it better :)
To start, you need to know which type of modulation is used. For garage remotes, it’s usually a type of ASK (Amplitude Shift Keying) modulation.
With this digital modulation, the amplitude of the carrier signal represents the data, where different amplitudes represent different bits. For example:
You can visually tell it’s ASK by these bursts and pauses that show clearly distinct amplitudes.
Since the same signal repeats itself several times, you can “crop” the signal to keep just one instance. This way, you end up with a single signal corresponding to the garage door opening. Next up: figuring out the encoding. Remember, don’t confuse modulation with the encoding method.
To send a binary message (essentially a digital signal), you encode it, think of it as the way bits are organized.
Then you modulate the digital signal (with ASK, for instance) to turn it into a radio wave that can be transmitted.
The first long burst (12ms) corresponds to the preamble. A pulse, often made up of 1s, used to “wake up” the receiver and get it ready for what follows.
The rest corresponds to the data sent to open the garage door, and you’ll notice something peculiar: the lengths of the bursts and pauses differ. More precisely, a long burst (2400μs) is always followed by a short pause (1200μs), and a short burst (1200μs) is always paired with a long burst (2400μs). This resembles pulse modulations like PWM or PDM except that those use either a fixed pause duration or a fixed burst duration, here, we’ve got both. The encoding method might look something like this:
I couldn’t pin down the exact modulation type, so feel free to drop a comment if you know it :)
Anyway, you can determine the binary sequence simply by counting the bursts and pauses following the logic of the diagram.
Now, since we have URH, we might as well use it. First, determine the Samples/Symbol, which represents the duration of 1 bit. In our case, it’s 3600μs because, as we saw, a 1 equals 2400+1200 and a 0 equals 1200+2400. Next, adjust the Center value which helps URH set a threshold (the green and pink areas) to decide what’s considered a 1 or a 0. Finally, remove the preamble since it’s not needed.
And there you have it, a binary sequence that turns out to be the correct flag! Note that I assumed that a 1 is represented by a long burst followed by a short pause, and a 0 by a short burst followed by a long pause. In this case, it worked, but in another challenge the reverse could have been true. Since there’s no ASCII flag to verify it, aside from testing both binary sequences as the flag, there isn’t much else to confirm it, unless you actually had the garage door to try it out :)
