Car Key fob reverse engineering
▲ 234 r/embedded

Car Key fob reverse engineering

Lately I've been trying to recover the key fob protocol of my bmw 320d 2005 car till I discovered that the key fob operates on 868.35mhz with what is called Frequency Shift Keying (transmitting a significant via modulating the msg bits as frequency shift instead of amplitude shift since noise rarely affects the frequency) to lock/unlock or trunk, everytime I capture something using the RTL sdr with gqrx on Kali I get different signals for pressing same button which indicates that this is not a trivial On Off Keying but some proprietary protocol is being implemented, from the amplitude to time plot I can clearly see the preamble alternating bits then a fixed and indow of bits across all button pressings which suggests some sort of an identifier.

Any one has experience on such project feel free to leave a comment.

Or if u know some sort of tip that helps me recover the binary representation of the msg being transmitted you are welcomed.

u/mahdi_sto — 3 days ago
▲ 111 r/masterhacker+1 crossposts

FSK/OOK based layer-2 protocol reverse engineering

Lately I've been trying to recove the key fob protocol of my bmw 320d 2005 car till I discovered that the key fob operates on 868.35mhz with what is called Frequency Shift Keying to lock/unlock or trunk, everytime I capture something using the RTL sdr with gqrx on Kali I get different signals for pressing same button which indicates that this is not a trivial On Off Keying but some proprietary protocol is being implemented, from the amplitude to time plot I can clearly see the preamble alternating bits then a fixed and indow of bits across all button pressings which suggests some sort of an identifier.

Any one has experience on such project feel free to leave a comment.

Or if u know some sort of tip that helps me recover the binary representation of the msg being transmitted you are welcomed.

u/Sufficient-Pair-1856 — 2 days ago

FDK/OOK Based layer-2 protocol reverse engineering

Lately I've been trying to recove the key fob protocol of my bmw 320d 2005 car till I discovered that the key fob operates on 868.35mhz with what is called Frequency Shift Keying to lock/unlock or trunk, everytime I capture something using the RTL sdr with gqrx on Kali I get different signals for pressing same button which indicates that this is not a trivial On Off Keying but some proprietary protocol is being implemented, from the amplitude to time plot I can clearly see the preamble alternating bits then a fixed and indow of bits across all button pressings which suggests some sort of an identifier.

Any one has experience on such project feel free to leave a comment.

Or if u know some sort of tip that helps me recover the binary representation of the msg being transmitted you are welcomed.

u/mahdi_sto — 3 days ago
▲ 2.3k r/hardwarehacking+2 crossposts

DDoS on WPA3!

Been spending a couple of lonths tinkering with a DIY multi-node wireless security rig, and I finally got the hardware coordination working smoothly.

The project uses a mix of ESP32 boards to look at how modern networks handle disconnections and roaming. I'm using an ESP32-S3 (with 8MB RAM / 16MB Flash) to spin up a clone access point, while an ESP32-CAM(Master) handles the orchestration alongside a couple of standard dev boards(Slaves).

The interesting part was tackling WPA3. Since WPA3 mandates Protected Management Frames (PMF), traditional layer-2 deauth frames don't really cut it anymore. To work around this and test client reconnection behaviors, I integrated two NRF24L01 modules to introduce a highly localized, 1-second burst of 2.4GHz RF disruption. The goal is to see how the WPA3 handshake and roaming mechanisms react when forced to re-authenticate under sudden signal loss just after triggering the SA query mechanism causing clients to be kicked out from the network by the Ap itself and never connecting back thanks to the evil twin Ap.

u/mahdi_sto — 27 days ago
▲ 33 r/masterhacker+1 crossposts

I Spent a Day Hacking My Own Security Camera. It Gave Up Its Secrets by Midnight.

Long-ish, but if you run Dahua (or any IP cam) at home, this might matter.

Bought a DH-F2C-PV. Audited it properly before trusting it. Expected dumpster fire. Instead: firmware is patched against the big old CVEs, cloud path uses QUIC+TLS, ARP spoofing blocked by the router. Solid… mostly.

Then I forced local LAN mode (blocked outbound internet → app still streams instantly). That's when it falls apart.

Quick surface scan:

- 80/tcp — HTTP admin, plaintext creds 😬

- 554/tcp — RTSP Digest auth, defaults rejected

- 37777/tcp — Dahua DHIP/SDK, auth works, old CVEs patched but port still open

- No 443, 8080, etc.

Cloud path (P2P relays in China/Alibaba/US) is encrypted end-to-end. Couldn’t MITM it from LAN.

**The vuln: local fallback stream**

Same-LAN → app switches to direct PTCP/DHIP → raw DHAV over UDP. No TLS, no SRTP, nothing. Plaintext video+audio frames across Wi-Fi.

How I intercepted it (passive + PSK) :

  1. Monitor mode + channel lock

  2. tshark capture with WPA-PSK pre-loaded

  3. aireplay-ng deauth phone → forces fresh 4-way handshake

  4. Open app, stream ~90s

  5. airdecap-ng decrypts → ~12 MB plaintext pcap

  6. Filter camera→phone UDP → extract DHAV payload

  7. Custom python script carves audio frames (0xf0 type)

  8. ffmpeg -f alaw -ar 8000 → clean room audio playback

DHAV structure (reverse-engineered, zero public docs):

0–3 DHAV magic

4 frame type (fd=I, fc=P, f0=audio)

8–11 timestamp LE

12–15 payload size LE

32+ payload (proprietary HEVC for video, G.711 A-law audio)

Video is non-standard HEVC — won’t render in ffmpeg/vlc without Dahua SDK. Audio decodes fine.

Fix (actually works);

- VLAN the camera — kills local path completely, forces encrypted cloud

- Disable port 37777 if you don’t need it

- Enable HTTPS admin panel (if the option exists)

Full annotated packet captures + DHAV frame map in the Medium writeup (link in first comment).

What cams are you running? Seen this plaintext-local-stream trick in other brands (Reolink, Hikvision, etc.)?

Thoughts?

Link to full publication:

https://medium.com/@mahdicxx/i-spent-a-day-hacking-my-own-security-camera-it-gave-up-its-secrets-by-midnight-e982be933d89

u/mahdi_sto — 1 month ago

Captive Portal on a single ESP32

Fit a WifiPumpkin3's rogue AP inside an ESP32s3 supporting APSTA, DNS spoofing, NAPT tunneling

Been digging into what the ESP32 WiFi stack is actually capable of for wireless security research and honestly it's way more powerful than people give it credit for.

The idea was to port the core concepts of WiFiPumpkin3 onto the chip itself. No Kali, no wifi interfaces, just a 5 bucks microcontroller powered from a USB bank.

The interesting part architecturally is running APSTA mode, the chip acts as an AP for clients while simultaneously connecting upstream as a STA to the real router. DNS spoofing handles captive portal redirection until the portal interaction is done, lets queries pass through to the real upstream. NAPT takes care of the internet tunneling so connected clients get actual internet access while causing traffic reorientation and thus sniffing it, which makes the whole thing behave like a legitimate hotspot. I tried to serve HTTPS directly from the chip with a cert generated for the spoofed domain but it didn't work, note that there's also a separate admin interface for scanning, cloning APs, monitoring traffic and managing everything in real time.

The main challenge was keeping DNS, HTTPS and NAPT tasks running concurrently on FreeRTOS without race conditions on a single radio doing two jobs at once.

Repo: github.com/mahdamin/ESP32-WiFiPumpkin

Happy to talk through the APSTA or NAPT implementation if anyone's done similar stuff.

reddit.com
u/mahdi_sto — 1 month ago
▲ 2 r/wifi

Captive Portal on a single ESP32!

Fit a WifiPumpkin3's rogue AP inside an ESP32s3 supporting APSTA, DNS spoofing, NAPT tunneling

Been digging into what the ESP32 WiFi stack is actually capable of for wireless security research and honestly it's way more powerful than people give it credit for.

The idea was to port the core concepts of WiFiPumpkin3 onto the chip itself. No Kali, no wifi interfaces, just a 5 bucks microcontroller powered from a USB bank.

The interesting part architecturally is running APSTA mode, the chip acts as an AP for clients while simultaneously connecting upstream as a STA to the real router. DNS spoofing handles captive portal redirection until the portal interaction is done, lets queries pass through to the real upstream. NAPT takes care of the internet tunneling so connected clients get actual internet access while causing traffic reorientation and thus sniffing it, which makes the whole thing behave like a legitimate hotspot. I tried to serve HTTPS directly from the chip with a cert generated for the spoofed domain but it didn't work, note that there's also a separate admin interface for scanning, cloning APs, monitoring traffic and managing everything in real time.

The main challenge was keeping DNS, HTTPS and NAPT tasks running concurrently on FreeRTOS without race conditions on a single radio doing two jobs at once.

Repo: github.com/mahdamin/ESP32-WiFiPumpkin

Happy to talk through the APSTA or NAPT implementation if anyone's done similar stuff.

reddit.com
u/mahdi_sto — 1 month ago
▲ 6 r/esp32projects+1 crossposts

Captive Portal on a single ESP32!

Fit a WifiPumpkin3's rogue AP inside an ESP32s3 supporting APSTA, DNS spoofing, NAPT tunneling

Been digging into what the ESP32 WiFi stack is actually capable of for wireless security research and honestly it's way more powerful than people give it credit for.

The idea was to port the core concepts of WiFiPumpkin3 onto the chip itself. No Kali, no wifi interfaces, just a 5 bucks microcontroller powered from a USB bank.

The interesting part architecturally is running APSTA mode, the chip acts as an AP for clients while simultaneously connecting upstream as a STA to the real router. DNS spoofing handles captive portal redirection until the portal interaction is done, lets queries pass through to the real upstream. NAPT takes care of the internet tunneling so connected clients get actual internet access while causing traffic reorientation and thus sniffing it, which makes the whole thing behave like a legitimate hotspot. I tried to serve HTTPS directly from the chip with a cert generated for the spoofed domain but it didn't work, note that there's also a separate admin interface for scanning, cloning APs, monitoring traffic and managing everything in real time.

The main challenge was keeping DNS, HTTPS and NAPT tasks running concurrently on FreeRTOS without race conditions on a single radio doing two jobs at once.

Repo: github.com/mahdamin/ESP32-WiFiPumpkin

Happy to talk through the APSTA or NAPT implementation if anyone's done similar stuff.

reddit.com
u/mahdi_sto — 1 month ago

WifiPumkin on a single ESP32!

Fit a WifiPumpkin3's rogue AP inside an ESP32s3 supporting APSTA, DNS spoofing, NAPT tunneling

Been digging into what the ESP32 WiFi stack is actually capable of for wireless security research and honestly it's way more powerful than people give it credit for.

The idea was to port the core concepts of WiFiPumpkin3 onto the chip itself. No Kali, no wifi interfaces, just a 5 bucks microcontroller powered from a USB bank.

The interesting part architecturally is running APSTA mode, the chip acts as an AP for clients while simultaneously connecting upstream as a STA to the real router. DNS spoofing handles captive portal redirection until the portal interaction is done, lets queries pass through to the real upstream. NAPT takes care of the internet tunneling so connected clients get actual internet access while causing traffic reorientation and thus sniffing it, which makes the whole thing behave like a legitimate hotspot. I tried to serve HTTPS directly from the chip with a cert generated for the spoofed domain but it didn't work, note that there's also a separate admin interface for scanning, cloning APs, monitoring traffic and managing everything in real time.

The main challenge was keeping DNS, HTTPS and NAPT tasks running concurrently on FreeRTOS without race conditions on a single radio doing two jobs at once.

Repo: github.com/mahdamin/ESP32-WiFiPumpkin

Happy to talk through the APSTA or NAPT implementation if anyone's done similar stuff.

reddit.com
u/mahdi_sto — 1 month ago