Maxwell Dulin Turns a Software-Defined Radio Against a 30-Year-Old Sears Garage Door Opener
Some reverse engineering and a bit of clever hackery results in a brute-force system that can open a garage door in a worst-case 104 mins.
Security consultant Maxwell Dulin has written up a project to figure out how a 30-year-old Sears garage door opener works — by capturing the signal on a software-defined radio.
"Leading up to some other research (stay tuned!), I dove into my childhood home's electronic garage door opener," Dulin explains in a post brought to our attention by RTL-SDR.com. "This garage door remote is labeled as the Sears Craftsman 139.53708 Garage Door Remote, which was originally manufactured 30+ years ago. The remote has 9 DIP switches. These are used to configure the secret code that is transmitted to unlock the garage door. Each of these switches has three options: +, 0 and -."
Dulin's first port of call: Finding out what frequency the remote uses to communicate with its paired receiver. Using a HackRF software-defined radio (SDR) dongle and the GQRX software, Dulin was able to find the frequency after ten minutes of scanning: 390 MHz.
Next came the process of figuring out exactly what the signal was. "From looking at the recording in Inspectrum," Dulin writes, "all of the green lines are the same on the vertical axis. This indicates that the frequency of the signal is consistent; this rules out both frequency and phase modulation as a result. Since the only item changing is amplitude (thick green line is the ON), this must be a form of amplitude modulation. To be more precise, only signal ON or signal OFF is being used. This is a specific type of amplitude modulation called On-Off Keying (OOK)."
The next step: Figuring out the encoding scheme, using a feature of the Inspectrum analysis tool that overlays a grid on the symbol view alongside a threshold-graph function, which attempts to decode the data automatically. By toggling the DIP switches on the transmitter and capturing a transmission for each setting, Dulin could see which part of the packet each switch controls, reverse engineer the packet format, and identify two ways to "attack" the garage door system.
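The threshold decode described above is simple enough to reproduce in a few lines. The following is an added example, not Dulin's code or GNU Radio flow graph: it builds a constructed amplitude envelope for a short OOK burst, picks a threshold halfway between the noise floor and the carrier level, and recovers the symbols from the run lengths of the ON/OFF states. The sample rate and symbol period are assumptions chosen for the toy data, not measurements from the Craftsman remote.

```python
"""Added example (not from Dulin's project): threshold-decode an On-Off Keying
burst from a baseband amplitude envelope, the way Inspectrum's threshold view
does it.  All sample values below are constructed, not captured over the air."""
from typing import List, Tuple

SAMPLE_RATE = 1000      # samples per second (assumed, for the toy data)
SYMBOL_PERIOD = 0.010   # seconds per OOK symbol (assumed)


def samples_per_symbol() -> int:
    return int(SAMPLE_RATE * SYMBOL_PERIOD)


def make_envelope(bits: str, amp_on: float = 1.0, amp_off: float = 0.05) -> List[float]:
    """Construct an amplitude envelope for a symbol string: '1' symbols sit at
    the carrier level, '0' symbols at a small noise floor.  A little deterministic
    ripple is added so the threshold choice is not entirely trivial."""
    env: List[float] = []
    for i, b in enumerate(bits):
        level = amp_on if b == "1" else amp_off
        for k in range(samples_per_symbol()):
            ripple = 0.03 * ((i * 7 + k) % 5 - 2) / 2   # within +/- 0.03
            env.append(level + ripple)
    return env


def auto_threshold(env: List[float]) -> float:
    """Midpoint between the quietest and loudest sample: good enough for a clean
    OOK capture, where the two amplitude clusters are far apart."""
    return (min(env) + max(env)) / 2


def run_lengths(states: List[int]) -> List[Tuple[int, int]]:
    """Collapse a 0/1 sample sequence into (state, length) runs."""
    runs: List[Tuple[int, int]] = []
    for s in states:
        if runs and runs[-1][0] == s:
            runs[-1] = (s, runs[-1][1] + 1)
        else:
            runs.append((s, 1))
    return runs


def decode_ook(env: List[float], level: float = None) -> str:
    """Slice the envelope at `level` (auto-chosen if None) and turn each run into
    round(length / samples_per_symbol) copies of its symbol."""
    if level is None:
        level = auto_threshold(env)
    states = [1 if s >= level else 0 for s in env]
    out = []
    for state, length in run_lengths(states):
        n = round(length / samples_per_symbol())
        out.append(str(state) * n)
    return "".join(out)


if __name__ == "__main__":
    burst = "1101001"
    print("threshold:", auto_threshold(make_envelope(burst)))
    print("decoded:  ", decode_ook(make_envelope(burst)))
```

The same loop is what the DIP-switch experiment relies on: decode one burst per switch setting, then diff the symbol strings to see which positions each switch changes.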
The first is straightforward: Recording a transmission and replaying it at a later time, tricking the door into believing it comes from the original remote. Because the remote sends the same fixed code every time, with no rolling or hopping code to tie a transmission to a single press, a recording is as good as the remote itself.
The second is somewhat smarter: Brute-forcing the secret code, sending all possible combinations one after another. Nine switches with three positions each give 3^9 = 19,683 possible codes, and working through all of them takes about 104 minutes in the worst case, roughly a third of a second per attempt. "If this was done in the middle of the night or while somebody was on vacation," Dulin notes, "it would be fairly practical for breaking into somebody's garage."
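To make the size of that key space concrete, here is an added example (not Dulin's published code) that enumerates every DIP-switch setting, turns each into a symbol string, and derives the airtime of a sequential scan from a per-attempt cost. The tri-state-to-symbol mapping is an assumption for illustration only; the article does not give the real Craftsman encoding, and nothing here transmits.

```python
"""Added example (not from Dulin's project): enumerate the key space of a
nine-switch tri-state remote and estimate worst-case brute-force airtime.
ASSUMED_ENCODING is hypothetical; the real remote's packet format is not
reproduced here and this code does not drive a radio."""
import itertools
from typing import Iterator, Tuple

SWITCH_STATES = ("+", "0", "-")

# Hypothetical mapping of each switch position to two OOK symbols.  It only
# needs to be injective so that distinct settings produce distinct frames.
ASSUMED_ENCODING = {"+": "11", "0": "10", "-": "00"}


def keyspace_size(n_switches: int = 9) -> int:
    """Three positions per switch: 3**n settings (19,683 for nine switches)."""
    return len(SWITCH_STATES) ** n_switches


def all_codes(n_switches: int = 9) -> Iterator[Tuple[str, ...]]:
    """Yield every switch setting exactly once, in lexicographic order."""
    return itertools.product(SWITCH_STATES, repeat=n_switches)


def encode_frame(code: Tuple[str, ...]) -> str:
    """Render one setting as an OOK symbol string under ASSUMED_ENCODING."""
    return "".join(ASSUMED_ENCODING[s] for s in code)


def brute_force_frames(n_switches: int = 9) -> Iterator[Tuple[Tuple[str, ...], str]]:
    """The full sequential scan: (setting, frame) for every possible code."""
    for code in all_codes(n_switches):
        yield code, encode_frame(code)


def worst_case_minutes(n_switches: int, seconds_per_code: float) -> float:
    """Airtime to try every code once, back to back."""
    return keyspace_size(n_switches) * seconds_per_code / 60


def seconds_per_code_from_total(n_switches: int, total_minutes: float) -> float:
    """Invert worst_case_minutes: the per-attempt budget implied by a total."""
    return total_minutes * 60 / keyspace_size(n_switches)


if __name__ == "__main__":
    n = 9
    print("codes:", keyspace_size(n))
    budget = seconds_per_code_from_total(n, 104)          # the article's figure
    print("seconds per attempt for a 104-minute scan: %.3f" % budget)
    first_code, first_frame = next(brute_force_frames(n))
    print("first frame:", first_code, "->", first_frame)
```

The arithmetic is the whole point: a 19,683-entry key space is tiny by modern standards, and the only thing making the scan take an hour and a half is the per-attempt airtime of the OOK frame, not the number of codes.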
Dulin's full write-up is available on his blog, while the GNU Radio flow graph and Python source code for the project have been published to GitHub under an unspecified open source license.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.