  1. #1
    Member level 3, joined Jul 2011

    how to reverse engineering rf remote key fob ?

    Attachment: IR_protocol.rar

    Hi, all geniuses,
    How to reverse engineer an RF remote key fob?

    I have successfully done reverse engineering of an IR remote.
    Now I can clone any kind of IR remote (TV, set-top box, music system) using a Raspberry Pi (LIRC).
    https://drive.google.com/file/d/0Bwu...it?usp=sharing
    The above link shows one of the decoded signals (temp31.map). After decoding the signal, I send the code using the Raspberry Pi. Special thanks to Ondřej Staněk.

    Now I want to try my hand at an RF remote.

    1. How do I get the frequency of an unknown RF remote key fob (for a car)?
    2. Which modulation techniques are used?
    3. After getting the frequency, I will buy a receiver of the same frequency type, but what type of output will it give?

    In short, I am trying to clone the RF remote key fob using a Raspberry Pi for automation purposes (open/lock door/window).

    All geniuses are requested to help on this, especially those who have done some R&D on this...
    Thanks in advance.
    Regards.
    Last edited by ALMIGHTY TECH; 23rd December 2013 at 09:24.


  2. #2
    Super Moderator, joined Jan 2008, Bochum, Germany

    Re: how to reverse engineering rf remote key fob ?

    International car thieves are working on the same project...




  3. #3
    Advanced Member level 5, joined Dec 2010, Southampton and holiday cottage in Wensleydale (UK)

    Re: how to reverse engineering rf remote key fob ?

    I am not an international car thief, so I have been unable to unscramble the long pseudo-random cycling code that the car manufacturers have used.
    Frank




  4. #4
    Member level 3, joined Jul 2011

    Re: how to reverse engineering rf remote key fob ?

    They might use a random code generator, but if we copy any of that random code and re-transmit the same code, the receiver must accept that code.



  5. #5
    Advanced Member level 2, joined Jan 2007, Sweden

    Re: how to reverse engineering rf remote key fob ?

    For a car fob, when a certain code has been accepted by the receiver, it is automatically blocked against reuse. Otherwise it would not be a working rolling code system.

    A common rolling code system is KeeLoq, which has a 32-bit random sequence generator. When a key fob is paired in such a system, it gets a synchronized window, 256 steps wide, in case some of the key presses are not received.
    KeeLoq can have up to 4 key fobs paired in the same system, so there exists a rolling window with 1024 alternative bit sequences that are accepted by the receiver.
    Each key fob must also provide its own identity and which functions are wanted, such as lock door or open trunk, so a transmitted sequence is a bit longer than 32 bits. But in each sequence that part is also coded, based on the actual rolling value.
    As part of the protection, after too many failed tries with a certain key identity, that fob is blocked forever.

    If you copy a certain transmitted code, and it is a 32-bit wide rolling code, this code sequence will be reusable next time after 4294967295 key presses, if each of these presses is accepted by the receiver as correct.

    There are methods to break rolling codes, such as trying to calculate what seed value the key fob is programmed with when paired. In a weakly coded system, a part of the seed value can be calculated by copying two consecutive sequences and then XORing them with each other.
    Knowing the seed value and the last sent code is then enough to calculate the next accepted code sequence.

    In a more complex rolling code system there can exist more than one 32-bit rolling-code sequence at the same time, which are not synchronized with each other.
    Typically, one of these rolling generators in the key fob is programmed with a new random seed value each time the key fob is inserted in the ignition lock, if its existing code sequence is accepted.
    A certain code sequence will still, sooner or later, be repeated (and accepted), but when it happens is less predictable than if it only had one 32-bit sequence.
    If the code sequence is 64 bits wide (2*32 bit) and a new accepted sequence is received each second, a sequence will be repeated next time somewhere around 6E12 years ahead.
    Most systems have cryptographic weaknesses of some kind, so learning details about the actual hardware and software can result in alternative solutions.

    Maybe just rumors that only international car thieves know anything about:
    As modern car fobs can be very complex, things can sometimes go very wrong and the car won't accept any key fob and refuses to pair once-blocked key fobs. To solve this, systems have back doors, master keys, for resetting the lock system in the car.
    A simple way to open a locked car is to externally connect wires to a parking lamp and connect a CAN adapter instead of the lamp, and order the car's CAN system to unlock all doors and start the engine. This mainly works on exclusive cars that have all lamps connected over the CAN bus.


    2 members found this post helpful.
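The receiver-side logic that post #5 describes (a 32-bit counter, a 256-step resynchronization window, rejection of any already-accepted code, and a permanent block after repeated failures) can be simulated to show why the replay idea in post #4 does not work against a rolling-code receiver. The following is an added example written for this thread; it is not KeeLoq's algorithm or any vendor's code. The fob IDs and secrets are constructed, HMAC-SHA256 truncated to 8 bytes is assumed as a stand-in for the real block cipher, and the failure limit of 16 is an assumed value (the post only says "too many tries").

```python
"""Toy rolling-code fob and receiver illustrating the synchronization
window and replay rejection described in post #5.  Added example: the
crypto, the window size handling and the block limit are simplified
stand-ins, not a real KeeLoq implementation."""
import hashlib
import hmac
from dataclasses import dataclass

COUNTER_BITS = 32
COUNTER_MOD = 1 << COUNTER_BITS
WINDOW = 256        # resync window in counter steps, as stated in the post
MAX_FAILURES = 16   # assumption: failed tries before a fob id is blocked for good


def rolling_code(secret: bytes, fob_id: int, counter: int, function: int) -> bytes:
    """Keyed code over (fob id, counter, requested function).
    Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the cipher."""
    msg = (fob_id.to_bytes(4, "big")
           + (counter % COUNTER_MOD).to_bytes(4, "big")
           + bytes([function]))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


@dataclass
class Fob:
    fob_id: int
    secret: bytes
    counter: int = 0

    def press(self, function: int):
        """Advance the counter and emit (fob id, function, code)."""
        self.counter = (self.counter + 1) % COUNTER_MOD
        return self.fob_id, function, rolling_code(self.secret, self.fob_id, self.counter, function)


@dataclass
class PairedFob:
    secret: bytes
    last_counter: int
    failures: int = 0
    blocked: bool = False


class Receiver:
    def __init__(self):
        self.fobs: dict[int, PairedFob] = {}

    def pair(self, fob: Fob) -> None:
        """Pairing synchronizes the receiver to the fob's current counter."""
        self.fobs[fob.fob_id] = PairedFob(fob.secret, fob.counter)

    def receive(self, fob_id: int, function: int, code: bytes) -> str:
        entry = self.fobs.get(fob_id)
        if entry is None:
            return "unknown"
        if entry.blocked:
            return "blocked"
        # The counter is never sent in clear: the receiver tries the next
        # WINDOW counter values and accepts only a code for one of them.
        for step in range(1, WINDOW + 1):
            candidate = (entry.last_counter + step) % COUNTER_MOD
            if hmac.compare_digest(rolling_code(entry.secret, fob_id, candidate, function), code):
                entry.last_counter = candidate   # everything at or below is now dead
                entry.failures = 0
                return "accept"
        entry.failures += 1
        if entry.failures >= MAX_FAILURES:
            entry.blocked = True
            return "blocked"
        return "reject"


def accepted_alternatives(paired_fobs: int) -> int:
    """Codes the receiver will accept at any moment (1024 for 4 fobs)."""
    return paired_fobs * WINDOW


def presses_until_repeat() -> int:
    """Presses before a single 32-bit counter wraps to the same value."""
    return COUNTER_MOD


def demo() -> list:
    rx = Receiver()
    fob = Fob(fob_id=1, secret=b"constructed-demo-secret")  # constructed values
    rx.pair(fob)
    first, second = fob.press(1), fob.press(1)
    results = [rx.receive(*first), rx.receive(*second), rx.receive(*second)]  # replay of `second`
    for _ in range(100):          # presses the receiver never hears (fob out of range)
        fob.press(1)
    results.append(rx.receive(*fob.press(1)))   # still inside the 256-step window
    for _ in range(WINDOW + 5):   # fob walks past the window
        fob.press(1)
    results.append(rx.receive(*fob.press(1)))   # window exhausted: re-pairing needed
    return results


if __name__ == "__main__":
    print(demo())  # ['accept', 'accept', 'reject', 'accept', 'reject']
```

The third result is the replay case from post #4: the captured code belongs to a counter value the receiver has already moved past, so no candidate in the window matches it. The fifth result shows the flip side of the window: a fob pressed more than 256 times out of range of the receiver falls out of sync and must be re-paired.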
