rtl-sdr.com

Discuss RTL-SDR and cheap software defined radio
All times are UTC





 Post subject: How to copy car key fob?
Posted: Thu Feb 16, 2017 6:03 am

Joined: Thu Feb 16, 2017 5:44 am
Posts: 2
Hello,

I'd like to build a device which would be able to copy a key fob. What would be the easiest/best approach?

More details:
My friend is running a car rental company and he needs some device which would be able to lock/unlock a car using a mobile phone (GSM module/BT module/whatever wireless). My idea is to use an Arduino Uno (or something similar) and copy the key fob.
The car owner would use his key fob to teach the device and then place it in the car.
I'd like to avoid buying a programmed key and teaching the car the new key. That would be way too complicated for car owners.

Thank you very much for any help!


Posted: Thu Feb 16, 2017 7:02 am
Site Admin

Joined: Mon Nov 19, 2012 11:54 pm
Posts: 1004
It's not that easy, most car fobs have rolling code security, so once the button is pressed the code changes. You need the official IC with the rolling code algorithm programmed in by the manufacturer and they probably won't give that to you. Probably the only way would be to purchase a second keyfob from the car manufacturer, and activate that keyfob via the Arduino.


Posted: Thu Feb 16, 2017 11:27 pm

Joined: Wed Feb 15, 2017 9:52 am
Posts: 18
rtlsdrblog wrote:
It's not that easy, most car fobs have rolling code security, so once the button is pressed the code changes. You need the official IC with the rolling code algorithm programmed in by the manufacturer and they probably won't give that to you. Probably the only way would be to purchase a second keyfob from the car manufacturer, and activate that keyfob via the Arduino.


I'm not so sure about them using rolling codes. I've heard there are car thieves that have these "black boxes" that they can hold near a car and like magic the doors unlock. And it works with all cars too, not limited to a particular manufacturer. So it's not like they took out the crypto chip from an existing keyfob to use in their hacking device. Otherwise, it would be locked into working with only one brand of car. I think each car is programmed with a unique number (like a UUID, universally unique ID) that no 2 cars in the world share. When that serial number is transmitted using the proper modulation, followed by a command (such as "unlock doors"), the car reacts to the transmitted ID+command. I think these black boxes work by trying every possible UUID that could be assigned to a car, followed by the unlock command, using an ultra-fast dedicated microcontroller.

Of course, I could be mistaken about this.


Posted: Fri Feb 17, 2017 6:04 am
Site Admin

Joined: Mon Nov 19, 2012 11:54 pm
Posts: 1004
Ben321 wrote:
rtlsdrblog wrote:
It's not that easy, most car fobs have rolling code security, so once the button is pressed the code changes. You need the official IC with the rolling code algorithm programmed in by the manufacturer and they probably won't give that to you. Probably the only way would be to purchase a second keyfob from the car manufacturer, and activate that keyfob via the Arduino.


I'm not so sure about them using rolling codes. I've heard there are car thieves that have these "black boxes" that they can hold near a car and like magic the doors unlock. And it works with all cars too, not limited to a particular manufacturer. So it's not like they took out the crypto chip from an existing keyfob to use in their hacking device. Otherwise, it would be locked into working with only one brand of car. I think each car is programmed with a unique number (like a UUID, universally unique ID) that no 2 cars in the world share. When that serial number is transmitted using the proper modulation, followed by a command (such as "unlock doors"), the car reacts to the transmitted ID+command. I think these black boxes work by trying every possible UUID that could be assigned to a car, followed by the unlock command, using an ultra-fast dedicated microcontroller.

Of course, I could be mistaken about this.


Almost all modern cars have rolling code security. Those black boxes are most likely jam, record and replay devices. See rolljam http://www.rtl-sdr.com/?s=rolljam .


Posted: Fri Feb 17, 2017 6:47 am

Joined: Wed Feb 15, 2017 9:52 am
Posts: 18
rtlsdrblog wrote:
Ben321 wrote:
rtlsdrblog wrote:
It's not that easy, most car fobs have rolling code security, so once the button is pressed the code changes. You need the official IC with the rolling code algorithm programmed in by the manufacturer and they probably won't give that to you. Probably the only way would be to purchase a second keyfob from the car manufacturer, and activate that keyfob via the Arduino.


I'm not so sure about them using rolling codes. I've heard there are car thieves that have these "black boxes" that they can hold near a car and like magic the doors unlock. And it works with all cars too, not limited to a particular manufacturer. So it's not like they took out the crypto chip from an existing keyfob to use in their hacking device. Otherwise, it would be locked into working with only one brand of car. I think each car is programmed with a unique number (like a UUID, universally unique ID) that no 2 cars in the world share. When that serial number is transmitted using the proper modulation, followed by a command (such as "unlock doors"), the car reacts to the transmitted ID+command. I think these black boxes work by trying every possible UUID that could be assigned to a car, followed by the unlock command, using an ultra-fast dedicated microcontroller.

Of course, I could be mistaken about this.


Almost all modern cars have rolling code security. Those black boxes are most likely jam, record and replay devices. See rolljam http://www.rtl-sdr.com/?s=rolljam .


There have also been news reports of car thieves walking along a street, and any car near them suddenly just unlocking. So some of these devices apparently can try all the possible codes in the set, in a fraction of a second, and any car within RF communication distance of the device will just unlock like magic. Sort of like a master key. It works on any car using the code set that the hacker's black box was programmed with. And at the press of a button, the device tries all possible codes in a second or less.


Posted: Mon Feb 20, 2017 9:34 am

Joined: Thu Feb 16, 2017 5:44 am
Posts: 2
rtlsdrblog wrote:
It's not that easy, most car fobs have rolling code security, so once the button is pressed the code changes. You need the official IC with the rolling code algorithm programmed in by the manufacturer and they probably won't give that to you. Probably the only way would be to purchase a second keyfob from the car manufacturer, and activate that keyfob via the Arduino.


So what if I buy a Universal Key Fob and copy the car key as they do it here:
https://www.youtube.com/watch?v=uI5Xq8nZQSw
Do you think that would work? Let's assume both key fobs use rolling codes and work at 433 MHz.


Posted: Tue Feb 21, 2017 7:34 am

Joined: Thu Feb 16, 2017 6:56 am
Posts: 4
mira_11 wrote:
rtlsdrblog wrote:
It's not that easy, most car fobs have rolling code security, so once the button is pressed the code changes. You need the official IC with the rolling code algorithm programmed in by the manufacturer and they probably won't give that to you. Probably the only way would be to purchase a second keyfob from the car manufacturer, and activate that keyfob via the Arduino.


So what if I buy a Universal Key Fob and copy the car key as they do it here:
https://www.youtube.com/watch?v=uI5Xq8nZQSw
Do you think that would work? Let's assume both key fobs use rolling codes and work at 433 MHz.


I think you don't need to think too much on rolling codes. If you copy the signal off the hook of vehicle range separately, then the vehicle can accept the code transmitted via another transmitter (not the fob key).
Here is an example (with signal jamming) http://spencerwhyte.blogspot.com.cy/201 ... eplay.html


Posted: Tue Feb 21, 2017 9:33 am
Site Admin

Joined: Mon Nov 19, 2012 11:54 pm
Posts: 1004
stevevaius wrote:
mira_11 wrote:
rtlsdrblog wrote:
It's not that easy, most car fobs have rolling code security, so once the button is pressed the code changes. You need the official IC with the rolling code algorithm programmed in by the manufacturer and they probably won't give that to you. Probably the only way would be to purchase a second keyfob from the car manufacturer, and activate that keyfob via the Arduino.


So what if I buy a Universal Key Fob and copy the car key as they do it here:
https://www.youtube.com/watch?v=uI5Xq8nZQSw
Do you think that would work? Let's assume both key fobs use rolling codes and work at 433 MHz.


I think you don't need to think too much on rolling codes. If you copy the signal off the hook of vehicle range separately, then the vehicle can accept the code transmitted via another transmitter (not the fob key).
Here is an example (with signal jamming) http://spencerwhyte.blogspot.com.cy/201 ... eplay.html


Yep, that's the same as rolljam. But then you only have one valid rolling code stored away. Once it's used you cannot reuse that signal ever again.
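
An added example, not part of the original thread or any manufacturer's code: a sketch of receiver-side rolling code validation, showing why a recorded transmission is useless once the car has accepted it or any later code. HMAC-SHA256 stands in for the proprietary fob cipher, and `WINDOW`, `make_code` and `Receiver` are hypothetical names chosen for this illustration.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead window for button presses made out of range


def make_code(key: bytes, counter: int) -> bytes:
    """Fob side: counter plus a truncated HMAC over it (stand-in for the vendor cipher)."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Receiver:
    """Car side: accepts a code only if its counter is ahead of the last accepted one."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, code: bytes) -> bool:
        if len(code) != 12:
            return False
        counter = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, make_code(self.key, counter)):
            return False                      # forged or corrupted frame
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False                      # replayed, stale, or too far ahead
        self.last_counter = counter           # every older code is now dead
        return True


def demo() -> dict:
    key = bytes(range(16))                    # constructed sample key
    car = Receiver(key)
    press1 = make_code(key, 1)
    press2 = make_code(key, 2)
    press5 = make_code(key, 5)                # presses 3 and 4 happened out of range
    return {
        "fresh": car.accept(press1),
        "replay_same": car.accept(press1),
        "skipped_ahead": car.accept(press5),
        "older_after_newer": car.accept(press2),
        "wrong_key": car.accept(make_code(b"\x00" * 16, 6)),
    }


if __name__ == "__main__":
    print(demo())
```

A device that only stores and retransmits one captured frame corresponds to the `replay_same` case; without the key it cannot produce the next counter value.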


Posted: Tue Feb 21, 2017 9:34 am
Site Admin

Joined: Mon Nov 19, 2012 11:54 pm
Posts: 1004
mira_11 wrote:
rtlsdrblog wrote:
It's not that easy, most car fobs have rolling code security, so once the button is pressed the code changes. You need the official IC with the rolling code algorithm programmed in by the manufacturer and they probably won't give that to you. Probably the only way would be to purchase a second keyfob from the car manufacturer, and activate that keyfob via the Arduino.


So what if I buy a Universal Key Fob and copy the car key as they do it here:
https://www.youtube.com/watch?v=uI5Xq8nZQSw
Do you think that would work? Let's assume both key fobs use rolling codes and work at 433 MHz.


Again it depends if the car has rolling code security or not. Probably some older model cars don't have it and a copy device like this might work. But if there are rolling codes then it won't work.


Posted: Sun Mar 12, 2017 7:50 pm

Joined: Thu Mar 09, 2017 7:04 pm
Posts: 21
This has become a major police issue here in England, so we should be careful not to inadvertently tell crooks how to do it:

http://www.dailymail.co.uk/news/article ... ailed.html

http://www.bbc.co.uk/news/uk-england-38225274

http://www.telegraph.co.uk/news/2016/12 ... k-jammers/

