Bypassing Rolling Code Systems – CodeGrabbing/RollJam

A while back we posted about Samy Kamkars popular “RollJam” device, which was a $32 home made device that was able to defeat rolling code based wireless security systems such as those used on modern cars.

Wireless security researcher Andrew Macpherson became interested in RollJam and has now written up a post showing how to create a similar device using the YardStickOne and RFcat wireless tools. In his post Andrew shows how he automates the replay attack side of things using a Python script and two RFcat devices. He also fully explains how rolling codes work and how to attack them using the CodeGrabbing/RollJam technique. Andrew explains the RollJam technique as follows:

  1. Target parks their car, gets out the carAttacker launches a jammer that prevents the car from receiving the code from the remote
  2. Target presses the remote, car does NOT lock and the attacker obtains the first keypress
  3. Target presses the remote a second time and the attacker obtains the second keypress
  4. Attacker then sends the first key press to lock the car, car locks as per normal
  5. Target assumes all is well and carries on about their day
  6. Attacker then sends the second keypress to the car, unlocking it
  7. Profit.
  8. Target returns to the vehicle and remote works as per normal

In the video below Andrew uses an SDR to help demonstrate the RollJam attack.

6. jam and replay rolling code rolljam codegrabbing

Showing how the RollJam attack works.
Showing how the RollJam attack works.
Subscribe
Notify of
guest

16 Comments
Inline Feedbacks
View all comments
wesley de graaf

1 word change BIT
change future rolling code (victim must press button as much possible for future shut off, start again, or lock but probely you dont lock because its driven to a cargo ship or driven to poland or….
victem think his battery is almost empty, when pressing jam the one way RF send, and recieve it with hack rf one with poratapack H2 and the open source software like HAVOC now fast start the rolling code to send first press rolling code (change maybe the BIT to change the function lock unlock ignite etc) and you can drive away
probely the victem press once, then 1 or 2 times slow after with time between and then multiple with short time when he is finished tapping the hell out of the rolling code he stops and thats the time to send rolling code 1 so you have maybe 8 or 10 future codes

Anonymous

Damn bro. I agree with everything but its unosi je to do it with just Hack rf one. You cannot jam and Listen at the same time.

Cookins

Got question. How device can hear code if jammer working on same frequency? Isn’t car key sends and listen on same frequency?

Marcin Jasiukowicz

As far as I understand, the jammer works on a slightly offset frequency which overwhelms the bandwidth of the car receiver, but not the receiver you use to fetch the code.

Para noid

This may have happened to me, but the thief was unable to jimmy the ignition to steal my Jeep.
Question: if I use one of the alarm auxiliary outputs, in latching mode, to a relay that breaks the door unlock circuit, would this defeat the rolljam exploit? I could use the fob normally as I do now. But, if I wanted to add another layer of security, I could hit the aux channel, after locking the doors, so that to unlock them I would first need to trig the aux code again, before sending the unlock code. If the thief tries to send an unlock code, without the aux first, no power will flow to the door solenoid. So, I guess I am asking if these devices can recognize, store, and capture the two separate signals.

Para noid

Also, under this scheme, even if they disable the alarm, without the aux to enable the unlock, the doors would still be locked.

wayne

I hope you don’t mind me asking. I want to learn how to hack rolling codes, can you be kind enough to tell me what exactly I need to buy in order to do this. I want to learn step for step while having the items in my possession I would find it much easier that way.

hope to hear from you soon!

thank you

KarNut

Wayne, You don’t need to buy anything. Just go to your local Police station and Repeat what you just stated above, to a Detective. Also ask him how much time if any, you can get for Conspiracy to Burglarize or steal cars. If you are lucky, then you can get like 5-10 years and you will have plenty of time to learn how it is done without spending any money on parts PLUS you get a Free state funded, all meals and boarding included vacation!

Victim_Of_This_Vulnerability

Hi,
they stole my car last month, and while I am searching I found this post but I wonder how they
can convert the stolen lock code (which a Rolling code) to an unlock code, as I understood that a Rolling code is encrypted and the ‘next’ code (a pseudorandom number) is inside the Rolling code which is encrypted. So how they can change the function lock code to the function unlock code.

I know that they can decrypt the rolling code, modify the function code, encrypt it again, but they need the encryption Private/Public keys, so how they can get the encryption keys. Or all the remote smart keys use the same Private/Public keys, if yes it is very stupid from car manufactures.

I know a very simple method to prevent this Vulnerability 100%, it looks that the car manufactures engineers are not qualified for software security at all.

Thanks
Victim_Of_This_Vulnerability

G

there are software engineering companies that dont get security

h33t

A link to his blog would be nice.

Cop this

Are you not aiding and abiding car theft by publishing this? Maybe you just want to show the world what a clever little vegimite you are.

Andrew MacPherson

Additionally while I do show actually opening the VW (I’d have thought you would use that video here), I dont show the full code that can be used with the devices, so you can’t simply plug and play. Lastly this attack was first described in full in 2009, its definitely not my attack, but having some of the functionality done for you means more people can look and play with this sort of thing and help create better, more secure devices.

-AM

G

i have quite a few years as an apartment manager in the car theft capital of the world. When someone wants to get inside a car, they will do it.

Most commonly I see pen-testing/people staking out our security,
Next, brute force – people smashing in windows for the contents inside and punching ignitions for the car
Finally, I have only seen one gang that had a master key for older non-ignition chipped keys. These guys were the most successful, but were also attracted the most attention from the LAPD. They got caught. Neighorhood car thefts went down 80-90%

Note, we have high-res webcams everywhere, and signs that warn of them. They do absolutely othing as a deterrent. Most of the time, night lightning or angle is unable to provide a useful image that police can use to identify a person. Eveen in daylight, its hard to capture a clean image off video.

Thre only thing that finally brought theft to 0, was hiring a night shift security guard.