Breaking into cars wirelessly with a $32 homemade device called RollJam

At this year's Def Con conference, speaker Samy Kamkar revealed how he built a $32 device called "RollJam" that can break into cars and garages wirelessly by defeating the rolling-code protection used by wireless entry keys. Def Con is a very popular yearly conference that focuses on computer security topics.

A rolling code improves wireless security by using a synchronized pseudo-random number generator (PRNG) on the car and the key. When the key is pressed the current code is transmitted, and if it matches what the car is expecting the door opens. The seed for the PRNG in the car and the key is then incremented, so a code that has already been used is no longer accepted. This prevents replay attacks.

The RollJam hardware currently consists of a Teensy 3.1 microcontroller and two CC1101 433 MHz RF transceiver modules. It works by recording the wireless key signal while simultaneously jamming it so that the car does not receive it. When the key is pressed a second time, the signal is again jammed and recorded, but this time the first recorded code is replayed by the RollJam device, so the car opens with that code while the second, still unused, code remains stored in RollJam and can later be used to open the car. Samy shows how this works using an SDR and a waterfall display in the following slide.
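To make the rolling-code mechanism from the two paragraphs above concrete, here is a small simulation of a key fob and a receiver that share a secret and a counter. This is added example code, not Samy's RollJam firmware or any vehicle's implementation: the code derivation (HMAC over the counter), the clear-text counter in the frame and the look-ahead window size are all assumptions chosen for illustration. It shows why a straight replay of an already-used code is rejected, and why a captured code becomes useless once the owner has pressed the fob again within range of the receiver (the resynchronisation a commenter below points out).

```python
import hashlib
import hmac

# Constructed values for the demo; real remotes use other ciphers and layouts.
SHARED_SECRET = b"demo-key-not-a-real-fob-secret"   # assumption: shared at pairing time
LOOKAHEAD_WINDOW = 16   # assumption: how far ahead the receiver tolerates missed presses


def rolling_code(secret: bytes, counter: int) -> str:
    """Derive the code for one counter value with a keyed PRF (truncated HMAC-SHA256)."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:4].hex()


class KeyFob:
    """Transmitter side: every press emits (counter, code) and advances the counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter

    def press(self) -> tuple:
        frame = (self.counter, rolling_code(self.secret, self.counter))
        self.counter += 1
        return frame


class Receiver:
    """Car/garage side: accepts codes in [expected, expected + window), never older ones."""

    def __init__(self, secret: bytes, window: int = LOOKAHEAD_WINDOW):
        self.secret = secret
        self.window = window
        self.expected = 0

    def receive(self, frame: tuple) -> str:
        counter, code = frame
        if counter < self.expected:
            return "rejected: stale counter"      # replay of a used or superseded code
        if counter >= self.expected + self.window:
            return "rejected: outside window"     # too many presses missed; needs re-pairing
        if not hmac.compare_digest(code, rolling_code(self.secret, counter)):
            return "rejected: bad code"           # counter plausible but code does not verify
        self.expected = counter + 1               # every later press invalidates all lower counters
        return "accepted"


def simulate_resync() -> list:
    """Walk through the cases the article and comments describe; returns the receiver verdicts."""
    fob, car = KeyFob(SHARED_SECRET), Receiver(SHARED_SECRET)
    log = []
    first = fob.press()
    log.append(car.receive(first))        # normal unlock: accepted
    log.append(car.receive(first))        # same frame again: stale
    captured = fob.press()                # press that never reached the car (jammed/out of range)
    near = fob.press()                    # owner presses again, this time next to the car
    log.append(car.receive(near))         # counter 2 is inside the window: accepted, expected -> 3
    log.append(car.receive(captured))     # the earlier unused code is now below expected: stale
    log.append(car.receive((5, "deadbeef")))                 # plausible counter, wrong code
    far = fob.counter + LOOKAHEAD_WINDOW + 5
    log.append(car.receive((far, rolling_code(SHARED_SECRET, far))))   # beyond the window
    return log


if __name__ == "__main__":
    for verdict in simulate_resync():
        print(verdict)
```

The receiver's rule is the whole defence: it only ever moves forward, so the moment a newer code is accepted, everything older is dead. That is also the limitation the article's attack exploits, since a code the car never saw stays valid until the owner's next successful press.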

[Slide: How RollJam Works]

Samy's full set of presentation slides can be downloaded from samy.pl/defcon2015. Several large publications, including networkworld.com, Wired.com and forbes.com, have also covered this story with longer, more in-depth articles that may be of interest to readers.

11 Comments
BigPoppa

Did anyone actually ever have a link to the plans for this thing? I have never been able to find the plans. People only want to sell the final unit.
Shoot me a link or a copy of the plans if you have them.

Mechanic

I got hit. I simply pulled the fuses for the driver door unlock and the other unlock relay for the other doors. The doors still lock manually and with a key; you cannot unlock it with the remote, they are now blocked. I plan to put an old school manual alarm (no remote) on my Sub, so if they gain access they will be screwed: the pin will pull on the door sill and the alarm sounds. Also plan to put a baby monitor in the back seat to hear them, the main box in the bedroom night stand with 45 cal ready to go!!

Richard

You realize that breaking into a car is only a misdemeanor.
By restraining a perp with a 45 you would be committing a felony.
Let me know how that works for you.
Better idea:
Put an old credit card that has been rendered useless in the glovebox. Very easy to find.
Now the perp is committing a felony, and now you can restrain them till the police arrive.
Use a blowgun instead of the 45.
Aim for the calves.

JTC

Depends on the jurisdiction. Where I live we can effect a citizen’s arrest. According to state law, the arresting citizen can use all necessary force to restrain and prevent the escape of a suspect until the police arrive. I’ve never needed to do it myself, but my .357 Sig and I are well prepared.

Jose

I need a schematic for the RollJam device. Do you have one? Please contact me. I'll pay.

Kingolop

Still need it?

Dizzy Peace

Hi Kingolop,
I still need a schematic. I am searching everywhere but can't find one. Can you help me out?

Joross

I need one and am willing to pay as well.

Anonymous

I still need the schematic if anyone has it, or any other relevant info; I would really appreciate it. I have all the parts. Do you know if the RollJam code on GitHub by elliddel1 is complete? Researching, not GTA-ing.

Mladen B.

To counter this "attack", you can just get close to your car/garage and press the unlock button again on your remote. This will trigger the car/garage to drop the previous keys (one of which is also in the attacker's hands) plus the current key which was sent when you pressed the unlock button near the car/garage, and will initiate the process of random key generation again, rendering the captured key useless to the attacker. In short, just unlock your car/garage again once you are VERY close to it (to make sure that the attacker doesn't interfere with you this time). Reference: http://auto.howstuffworks.com/remote-entry2.htm

Truth

I think that you might have missed that they can also convert lock codes into unlock codes. So when you push your button to lock and no audio feedback beep is sent, that is your warning to physically go to your car and manually lock it.