Reverse engineering a car key fob signal

I had to reverse engineer some cheap key fob purchased on AliExpress for an electronic project. It was simple enough that thanks to an oscilloscope and wikipedia I was able to do it after persisting long enough.<p>Next time I will try the method from this blog post. And maybe become a better hacker.

There&#x27;s also a gnu-radio flow graph which serves a similar purpose: <a href="https:&#x2F;&#x2F;github.com&#x2F;bastibl&#x2F;gr-keyfob">https:&#x2F;&#x2F;github.com&#x2F;bastibl&#x2F;gr-keyfob</a>.<p>Presentation here: <a href="https:&#x2F;&#x2F;www.fleark.de&#x2F;keyfob.pdf" rel="nofollow">https:&#x2F;&#x2F;www.fleark.de&#x2F;keyfob.pdf</a>

&gt; These keys are generated and tracked using a counter which has to stay in sync between the remote and the car. This ensures that the car doesn’t reuse an old key, and that the remote always generates fresh keys.<p>Something I&#x27;ve always wondered about is, how do <i>learning</i> remotes defeat this?<p>My car has a couple of built-in garage door buttons, and I&#x27;m pretty sure I programmed it by just hitting the remote button in the garage while the car was in a learning mode. Is that a much more sophisticated feature than you would assume (e.g. decoding the signal, recognizing the type, then initiating a pairing with the opener, instead of just replaying the signal)?

He decoded everything, but he didn&#x27;t actually open a car door. He still has to defeat the rolling code. It&#x27;s not like you can add 1 to it and resend it. From the outside world, the next rolling code should appear random.

I wish car manufacturers would start making tiny (maybe RFID) remotes I could stick in my (minimalist) wallet. Alternatively, looking forward to a tiny Flipper-like (credit-card sized) that can achieve the same result.<p>Seriously, the car fob is the largest thing in my pocket after the phone (thickness-wise at least).

What a refreshing article. One I can understand for a change.

Interesting related development that access to key programming is being put behind some more &quot;security&quot; due in part to easier access of key programming devices, but it&#x27;s on the manufacturer to say what&#x27;s part of the &quot;security&quot; system. Not just keys but can extend to tons of modules.<p>It&#x27;s arguable if this would have any effect on criminals who are known to follow rules (&#x2F;s), but will definitely have an impact on some businesses.<p>A criminal record can disallow participation. One way for people who have a record to enjoy success after serving their sentence is to start and run their own business, but I guess they are screwed. &lt;shrug-emoji&gt;&lt;&#x2F;shrug-emoji&gt;<p><a href="https:&#x2F;&#x2F;wp.nastf.org&#x2F;?page_id=367" rel="nofollow">https:&#x2F;&#x2F;wp.nastf.org&#x2F;?page_id=367</a><p><a href="https:&#x2F;&#x2F;wp.nastf.org&#x2F;wp-content&#x2F;uploads&#x2F;2023&#x2F;07&#x2F;ApplicationCheckList.pdf" rel="nofollow">https:&#x2F;&#x2F;wp.nastf.org&#x2F;wp-content&#x2F;uploads&#x2F;2023&#x2F;07&#x2F;ApplicationC...</a>

Why bother intercepting, decoding, and encoding your own signal when you can just use a big antenna and MITM the fob and the vehicle and convince them they are closer than they really are?

What’s more interesting is that if you get into a car now, there are OBD tools that just let you program a new key and drive off, which is wildly insecure.

&gt; Receiving&#x2F;analyzing raw signals<p>Stock Flipper can receive raw signal.

&gt;Note: Transceiver SDR devices do exist of course, but they tend to be very pricey<p>A HackRF clone is cheaper than a Flipper, and way more capable in my opinion. I would bet most flippers either lie in drawers or are used by stupid teenager kiddies for trolling.

429 Too Many Requests = no images lololololol

Just buy a fob from eBay and program it using your car... Instructions can easily be found online