Attacking a car alarm. How does a car alarm security system work?

Since such devices as bladeRF, HackRF, RTL-SDR, and software systems like GNU Radio had become widely available, reverse engineering of radio air data got really simple and entertaining.


All information is provided for informational purposes only. Neither the editorial board nor the author is responsible for any possible harm caused by the materials of this article.

BladeRF, HackRF (to a lesser extent RTL-SDR) make it possible to fully observe the air and interact with it. Some enthusiasts have already created software allowing to interpret GPS signals, set up a Bluetooth stack and Wi-Fi on a computer and launch your own GSM base station. One guy even managed to intercept the signals from the meteorologic satellite and deciphered the transmitted images. Actually, the examples are numerous.


The similar result can be achieved by connecting a radio transmitter to the audio-card input, but in this case the system will only cover the range around several dozens kilohertz (in accordance with the audio-card’s sampling rate), which is not much and just won’t fit for many tasks.

The default standard option for radio signal investigations software is GNU Radio. This system offers a great set of tools from filters and simple mathematical transformations of the signal to interfaces allowing to transmit data to the network and write your own modules. This soft is what we will use.


There are quite a few useful modules for GNU Radio. Gr-gsm is definitely worth mentioning, it helps work with GSM networks data.


We are going to work with OS X. If you don’t have Xcode, you will have to get it from App Storesince we will need the compiler that goes complete with it. Since we are going to use GNU Radio, we’ll also need the graphic system X11 (take it here). Now let’s install the main libraries Macports. If you don’t have them, download them at

Then you should add the following to the shell config file .bashrc:

If everything goes well, the response should look more or less like this:

To see full information, enter interactive mode:

And type info and version:

Here we should pay attention to the following line:

Important point: for our device to work we’ll need an FPGA image, which you can download for instance from here. Choose a file depending on the FPGA size (we have 40 KLE), in our case it will be hostedx40-latest.rbf. Download it and load using the command

You should see the lights flickering on the device — this means it is ready for work.


FPGA — is a semiconductor device that allows hardware realization of various operations such as digital processing of signals and other interesting and useful things. For example, you can use it to set up BladeRF to work without a computer.

The last thing is unstalling GNU Radio, to do it use the following command

Then add bladeRF support to GNU Radio using gr-osmosdr module:

Now you can launch the program and start playing:

Tuner to search for an active signal

First let’s make a scanner with a visualization of frequency spectrum to scan the air. It will help us find the signal from the car alarm remote for our research. To do it, choose osmocom Sink inGNU Radio’s right window — it is the model of the device itself — then drag this block to the working area and specify the device in the block’s preferences (we have bladeRF, so in Device Arguments we set bladerf=0). Then put there the frequency (Ch0: Frequency) and bandwidth the scanner will see. Other settings can stay at their default values for now.

Please subscribe to read full article

1 year

for only $300

With subscription you are free to read all of the materials of
Read more about the project

Please subscribe to view comments

Only subscribers can participate in the discussions. You may login in to your account or sign up to Hackmag and pay a subscription to access the discussions.