After playing around with my SDR and wireless sockets I had a look at other devices which also use ASK/OOK modulated signals. I found a different wireless socket system, an alarm system and a sex toy. After analyzing the signals, I wanted to build a remote to control them all. I used an Adafruit Trinket (ATtiny85) as microcontroller and a cheap OOK transmitter module at 433 MHz. The code on the controller just sends the same signal as the original remote (replay attack).
I put some more effort into the alarm system and reversed the full protocol. A packet of the remote simply consists of an identifier and a command (e.g. disarm the system). The alarm system only “listens” to signals with a known identifier. However, there are only 6561 identifiers. Therefore, I implemented a brute-force attack mode, in which my remote sends a disarm command for all identifiers, eventually disabling all alarm systems. This takes about 15 minutes on average.
A brute-force mode was also implemented for both wireless socket systems, which allows turning any socket within range on or off.
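Seen from the receiving side, a sweep over the identifier space stands out because legitimate remotes only ever send a handful of identifiers. The following is an added example, not code from this project: a sliding-window check that flags a run of disarm packets carrying many distinct unknown identifiers. It assumes packets have already been decoded into `(timestamp, identifier, command)` tuples with the identifier as an integer from 0 to 6560; that encoding, the names, the window and the threshold are all assumptions.

```python
from collections import deque

ID_SPACE = 6561  # number of possible identifiers, as stated in the post


class SweepDetector:
    """Flags disarm packets that walk through many unknown identifiers."""

    def __init__(self, known_ids, window_s=10.0, max_unknown=5):
        self.known_ids = set(known_ids)   # identifiers of paired remotes
        self.window_s = window_s          # assumed window length in seconds
        self.max_unknown = max_unknown    # assumed tolerance for stray packets
        self.recent = deque()             # (timestamp, identifier) of unknown-ID disarms

    def observe(self, ts, identifier, command):
        """Return True when this packet pushes the window over the threshold."""
        if not 0 <= identifier < ID_SPACE:
            raise ValueError("identifier outside the 6561-value space")
        # Paired remotes and non-disarm traffic are not counted.
        if command != "disarm" or identifier in self.known_ids:
            return False
        self.recent.append((ts, identifier))
        # Drop entries that have aged out of the window.
        while self.recent and ts - self.recent[0][0] > self.window_s:
            self.recent.popleft()
        # Count distinct identifiers so a repeated single packet does not trip it.
        distinct = {ident for _, ident in self.recent}
        return len(distinct) > self.max_unknown


def first_alert(packets, known_ids, **kwargs):
    """Return the timestamp of the first alert in a packet list, or None."""
    detector = SweepDetector(known_ids, **kwargs)
    for ts, identifier, command in packets:
        if detector.observe(ts, identifier, command):
            return ts
    return None


# Constructed sample traffic (not captured from a real system).
LEGIT = [(0.0, 4242, "arm"), (30.0, 4242, "disarm"), (60.0, 17, "disarm")]
SWEEP = [(100.0 + 0.2 * n, n, "disarm") for n in range(40)]
SLOW = [(5.0 * n, n, "disarm") for n in range(40)]

if __name__ == "__main__":
    for name, pkts in (("legit", LEGIT), ("sweep", SWEEP), ("slow", SLOW)):
        print(name, first_alert(pkts, known_ids={4242}))
```

The slow sample shows the limit of a rate-based check: a sweep paced below the threshold is not flagged, so a receiver that locks out after a total count of unknown identifiers is the stronger control.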
This is what the remote looks like.
You can turn on or off any of these devices.