Bruteforcing Padlocked Signal

franmal · January 5, 2023, 9:43pm

Hi,
I’m new to the device as I have just recently came about one. Just today I started to play with gate opening remote (not mine) and flipper zero was able to register 433 raw signal. Replaying it did not operate the gate. When I went signal recognition it showed me details of the pilot signal (manufacture) and cycled thru hex values which suggest rolling key. I could not save it

Reading thru forums I see that other people have similar behavior which raises couple of questions, to more advanced users:

Why we can’t save it? Even in raw, dump form ?
Does saving a lot of readings would not allow throw the dumps against some bruteforcing software to get details like sn/seed etc that then could be used to bruteforce again ? Not expert here - just thinking out loud
Would FlipperZero be a platform for Rolljam vulnerability attack or it cant TX/RX at the same time?

Not being able to save the dump just seems counterproductive in that field, or is it done on purpose?

jmr · January 6, 2023, 12:02am

On a practical note I see a lot of people messing up their rolling code devices then asking how to fix them. There is a decent probability of locking out a vehicle or garage. I strongly recommend you not attempt to replay rolling codes on anything you don’t own unless the owner gives you permission and they are aware of the potential consequences. A remote resync is not always possible and special equipment may be needed to reprogram the remote. I’ve been studying rolling codes and found they are implemented in very different ways. You should know the full details of the system before proceeding any further.

I have not seen anyone do a true Rolljam attack with the Flipper. That would require special software to be written. I have seen people do a similar but simpler attack with a Flipper though.

franmal · January 6, 2023, 1:45pm

That’s actually a great idea in regards of not being able to resync. What if flipper zero would cause a DDoS of sorts, fuzzying tons of rollingcodes blocking ability to use normal user-remote as effect of the attack. Something for smarter than me people to consider.