from Hacker News

Reverse engineering a car key fob signal

by wolframio on 3/14/24, 9:45 AM with 83 comments

  • by bombela on 3/14/24, 10:52 AM

    I had to reverse engineer some cheap key fob purchased on AliExpress for an electronic project. It was simple enough that thanks to an oscilloscope and wikipedia I was able to do it after persisting long enough.

    Next time I will try the method from this blog post. And maybe become a better hacker.

  • by JosephRedfern on 3/14/24, 1:32 PM

    There's also a gnu-radio flow graph which serves a similar purpose: https://github.com/bastibl/gr-keyfob.

    Presentation here: https://www.fleark.de/keyfob.pdf

  • by tivert on 3/14/24, 12:29 PM

    > These keys are generated and tracked using a counter which has to stay in sync between the remote and the car. This ensures that the car doesn’t reuse an old key, and that the remote always generates fresh keys.

    Something I've always wondered about is, how do learning remotes defeat this?

    My car has a couple of built-in garage door buttons, and I'm pretty sure I programmed it by just hitting the remote button in the garage while the car was in a learning mode. Is that a much more sophisticated feature than you would assume (e.g. decoding the signal, recognizing the type, then initiating a pairing with the opener, instead of just replaying the signal)?

  • by swamp40 on 3/14/24, 9:11 PM

    He decoded everything, but he didn't actually open a car door. He still has to defeat the rolling code. It's not like you can add 1 to it and resend it. From the outside world, the next rolling code should appear random.
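
An added example, written for this thread and not taken from the article or any commenter, of the receiver-side logic the quoted passage and swamp40's reply describe: the car tracks a counter, rejects any transmission at or below it, and accepts only the code the paired key produces for a counter slightly ahead. HMAC stands in for the fob's proprietary cipher, the counter travels in the clear beside its code (real fobs encrypt it inside the hopping code), and the key, window size and pairing are constructed assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # how far ahead of the last accepted counter the car will still accept

def make_code(key: bytes, counter: int) -> bytes:
    """Rolling code for one press: a keyed PRF over the counter.

    Without the key the sequence of codes looks random, so seeing code N
    reveals nothing about N+1. HMAC stands in for the fob's real cipher.
    """
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Fob:
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def press(self) -> tuple[int, bytes]:
        self.counter += 1  # every press consumes a fresh counter value
        return self.counter, make_code(self.key, self.counter)

class Car:
    def __init__(self, key: bytes) -> None:
        self.key, self.last = key, 0  # last counter value the car accepted

    def receive(self, counter: int, code: bytes) -> bool:
        if counter <= self.last:  # replayed or stale transmission
            return False
        if counter - self.last > WINDOW:  # sync lost; real receivers need a resync step
            return False
        if not hmac.compare_digest(code, make_code(self.key, counter)):
            return False  # not the code the paired key produces for this counter
        self.last = counter
        return True

def demo() -> dict[str, bool]:
    key = b"constructed-paired-secret"  # constructed; shared fob/car secret set at pairing
    fob, car = Fob(key), Car(key)
    out = {}
    first = fob.press()
    out["first_press"] = car.receive(*first)  # fresh counter, valid code
    out["replay"] = car.receive(*first)  # same capture again: counter already used
    counter, code = fob.press()
    out["counter_plus_one"] = car.receive(counter + 1, code)  # code is bound to its counter
    out["second_press"] = car.receive(counter, code)
    for _ in range(WINDOW + 5):  # presses the car never hears (fob out of range)
        fob.press()
    out["too_far_ahead"] = car.receive(*fob.press())  # beyond the window: rejected
    return out
```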

  • by gigel82 on 3/14/24, 4:36 PM

    I wish car manufacturers would start making tiny (maybe RFID) remotes I could stick in my (minimalist) wallet. Alternatively, looking forward to a tiny Flipper-like (credit-card sized) that can achieve the same result.

    Seriously, the car fob is the largest thing in my pocket after the phone (thickness-wise at least).

  • by 0xfeba on 3/14/24, 1:01 PM

    What a refreshing article. One I can understand for a change.

  • by rainbowzootsuit on 3/14/24, 5:24 PM

    Interesting related development that access to key programming is being put behind some more "security" due in part to easier access of key programming devices, but it's on the manufacturer to say what's part of the "security" system. Not just keys but can extend to tons of modules.

    It's arguable if this would have any effect on criminals who are known to follow rules (/s), but will definitely have an impact on some businesses.

    A criminal record can disallow participation. One way for people who have a record to enjoy success after serving their sentence is to start and run their own business, but I guess they are screwed.

    https://wp.nastf.org/?page_id=367

    https://wp.nastf.org/wp-content/uploads/2023/07/ApplicationC...

  • by elif on 3/14/24, 1:08 PM

    Why bother intercepting, decoding, and encoding your own signal when you can just use a big antenna and MITM the fob and the vehicle and convince them they are closer than they really are?

  • by solaarphunk on 3/15/24, 3:19 PM

    What’s more interesting is that if you get into a car now, there are OBD tools that just let you program a new key and drive off, which is wildly insecure.

  • by lukasm on 3/14/24, 4:01 PM

    > Receiving/analyzing raw signals

    Stock Flipper can receive raw signal.

  • by tiagod on 3/14/24, 11:22 AM

    >Note: Transceiver SDR devices do exist of course, but they tend to be very pricey

    A HackRF clone is cheaper than a Flipper, and way more capable in my opinion. I would bet most flippers either lie in drawers or are used by stupid teenager kiddies for trolling.

  • by platz on 3/14/24, 3:08 PM

    429 Too Many Requests = no images lololololol

  • by zzz999 on 3/14/24, 2:49 PM

    Just buy a fob from eBay and program it using your car... Instructions can easily be found online