Up until recently it was open during working hours but the site operators now are keeping it closed. This is hugely annoying for our lab as we get frequent customers and deliveries so we're constantly having to get up and walk across the building to open the gate.
I believe the centsys system uses a 434mhz frequency. Attached is a picture of the remote internals.
I'm wondering about the best way to develop a system where we can press a button from a distance and get the gate to open.
My thoughts are to use a LoRa set up to transmit a signal to a microcontroller situated near the gate, which would then transmit the correct 434mhz signal to have it opened. I'm assuming I will need two different sets of transmitters as they won't be one size fits all.
I'm also assuming I'll need to try and sniff the correct frequencies from our existing key fobs.
thinking out loud here…
You may find it easier to put a relay or opto across the local button if it exists,,or dedicate a remote to the task, and ‘press the button’ remotely…across a 433 or similar remote radio link.
or maybe you could boost the performance of the existing receivers with a better antenna, or simple RF amplifier.
I’m guessing it’s only one-way communication, so the rx antenna might be the easiest answer.
We've talked/joked about it with the operators before. The site is owned by my organisation and it is my organisations asset (the gate and key fob) so there shouldn't be any issue. I'm not trying to hack some other companies processes, just make our lives easier Worst case scenario I'd just have to dismantle it, but it'd be a fun project.
A gate controller like that probably uses "rolling codes". Good luck cracking that.
I'm not sure. There's a whole heap of key fobs, and no obvious RTC battery. When the batteries die they don't need reprogramming or anything. I guess if I at least build a sniffer tool I can see if the data changes over time/button presses?
You may find it easier to put a relay or opto across the local button if it exists,,or dedicate a remote to the task, and ‘press the button’ remotely…across a 433 or similar remote radio link.
I did think it'd be cute to make some over-engineered robotic arm that pressed the button for me haha.
Does the gate have a keypad near it for physical code entry? If it does, you build a new keypad over the top of the existing one. When someone presses a key, it activates the underlying key. When your box receives a signal, it also activates the proper key sequence. I'm thinking a bunch of tiny servos to press the underlying keys. A strong candidate for a MacGyver award
Rolling code keys each have a unique individual code pattern when manufactured, in no way related to whether they have been powered or not. Each key must therefore be validated by or "programmed into" the receiver.
I'd find a way to activate the fob by RC.
Then I'd place the fob close enough to work reliably and activate it by RC.
That way you can skip all that other junk.
You just need an RC button pusher.
The idea of a light hack to the existing remote control device in that you simply make a connection to its push button sounds good. A new receiver would (electrically) operate that push button. This combined remote control device and new receiver would be installed somewhere near the gate. A transmitter in lab would be used to activate the receiver and, hence, open the gate.
You’d want it all battery operated unless, that is, there is a convenient mains supply near the gate where you install the combined remote control device and new receiver.
I did publish a design here recently for a synchronized Nrf24L01 transceiver pair where both sides are battery operated and you may be able to base your design on something like that. Integrating it with your remote control should be quite simple. You may also find better solutions. Synchronised NRF24L01+ Transceiver Pair for Low Power Operation Using the ATtiny1614
In the pentesting community everyone carries a tool called a relay bridge on their keychains. It is simply a piece of wire used to bridge across two electrical points. Inside the gate control box (which is usually keyed alike to thousands of others across the country, that use a common key), there is usually a single relay that controls the opening of the gate, the last component going from the low voltage RX circuitry to the high voltage motor or actuator. Simply bridging this relay gets the gate to open.
So despite all the effort they put into high security fobs and RFID badges, often the easiest vector of attack is to just ignore those.
That is one option- Simply supplement the existing RF circuitry with a second set of your own design, that both activate the final relay.
But I also like 6v6gt's solution. Use one of the existing transmitters as a stationary relay station, and electrically connect your preferred brand of transmitter to its button, thereby extending its range.
A company called Linx Technologies used to make these high power rf amplifier chips, that would boost the 433MHz signal significantly past the legal limit. Unfortunately they discontinued those, but they do still sell all kinds of RF chips made for remote control, some of which offer encryption options, if you are down to engineer a remote system yourself. They also sell prefabricated remotes that pair up with their receiver chips.
Personally I would also add networked connectivity with an esp8266 so I could open it from my phone as well, assuming you can find a spot to mount the original remote that is close enough to the gate as well as a wifi signal.
Well yeah; that's why pentesters have a set of keys that include all the common keyed-alike bittings. 99% of those control boxes use a common key. But honestly those types of locks are usually garbage anyway- very easy to rake open even for someone with no experience in lockpicking.
However this being OPs own property I would assume opening the box would not be an issue.
It seams to me this could be done with an Arduino on a wifi or ether network and a browser at the other end. That makes it available to all in the building if needed. You can always password it if you want.
Looks like the site operators are finally moving on sorting out a proper intercom unit.
In the interim I ended up making a doorbell system with D1 Minis and ESPNOW. They're keeping the gate open but are locking the front door instead.
Essentially a battery powered front door button unit sends a message to an intermediate, and that then sends on to the bell unit in the lab. If the signal wasn't strong enough I could add additional intermediates to get the message from the door to the lab, all sorted!
Worst case scenario I'd just have to dismantle it, but it'd be a fun project.
