Car Key Emulation

This was a question I had regarding the Passive Keyless Entry. I think it may be challenging to emulate, given the challenge/response on both the RFID and the UHF channels.



I have a simpler scenario that I've not had any luck with. I just want to detect the presence of my keys leveraging the (passive?) keyless entry LF RFID. [Yes, I lost my keys in the house somewhere.] I was hoping to use the Flipper to mimic the signal the car sends when I poke the button on the door handle. I'm assuming that causes the car to send a signal, and this signal powers up something on the key fob to send a response. I want to detect that response. I understand the range is small, but I was hoping to wave this around my closets and drawers. I have detected a 415MHz signal when I sniff near the car but haven't been successful at getting the keys to respond without the car.

The FCC ID seems to indicate that the fob uses 315MHz. The range from the door is about 4ft, but I can't reliably detect the 315MHz signal in the Flipper frequency analyzer. Nor can I use the Flipper to read or even detect my existing key.

Can the Flipper read the 125kHz signal of a PKE keyfob?

It could not read my fob. Not sure if that's because it doesn't transmit unless it likes the signal it first received.

Read here.

I believe most, if not all, (consumer) cars are Hitag2 … So I proffer these links:


A quick search on eBay for Hitag2 products shows transponders/remotes on the 433MHz frequency, so it would be something to do with the Flipper in Sub-GHz mode and NOT with the RFID functions, if it is possible to do anything at all …

My car key contains this chip (I think Hitag2).

Car key locksmith shops can reprogram another empty chip and share the secret key. If this chip has a common frequency, can't it be emulated?

Datasheet:
https://pdf1.alldatasheet.com/datasheet-pdf/view/1242534/PHILIPS/PCF7936.html


The problem is not with putting 1's & 0's in the radio signal. As @Spildit says, it's just a modulation on 433MHz.

The problem is breaking the crypto, so you know WHAT 1's and 0's you need.

It's been a looong time since I looked at Kev's research, but IIRC one of the attacks is fairly lean on CPU time in exchange for an 8TB lookup table. So if you can interface the FZ to a hard drive, or an array of SD cards, that attack vector may be an option :slight_smile:

So after reading these posts, I wanted to copy my keyfob (Mazda 6 2011). I used the frequency analyzer mode and saw that the key was sending packets at 315MHz, but I had recorded it using the ASK protocol and it didn't work. I looked into the key's FCC ID and saw the parameters from their testing, which were FSK, 315MHz. It didn't say whether it was dynamic or static. And now it works. I was afraid of making my keyfob inactive; however, that didn't happen.

I didn't need to do any programming. With the FZ, I read the lock/unlock buttons, saved them and ran them, and the car was able to lock/unlock.

Chip on the fob was: MH860-DM98, couldn’t find a datasheet for it. If anyone finds it, let me know :slight_smile:


And it's actually really sad that the repetition of sending works; therefore any student can use your car.

Yeah, I was thinking the same thing. So they can get into my car, but they can’t drive off with it, because they’d still need the key with the transponder.

I have found that the best way to defeat rolling codes is to jam the signal while capturing at the same time. This requires either 2 Flipper Zeros, 2 HackRF Ones, or 1 Flipper Zero and 1 HackRF One (my current setup). If you jam in the US at about 314.7999MHz with either device and capture at 315.0000MHz with either device, the fob press does not go through to the vehicle, but it is still capturable and usable, with the recorded noise, to open/etc. said vehicle.

To start, it would be nice to have decoders/parsers for cars on the Flipper, a little bit like in Pandora.

As for jamming, it might not be necessary at all.

If you have a parser and the code is based on KeeLoq, most likely you can emulate the fob and send future codes, as interception will show the position of the counter, and even worse …

On the majority of systems, sending 2 consecutive codes will make a re-sync and the car will lock/unlock. Some cars might require 5 presses …

Just try it … save a raw capture on the correct frequency/modulation of your car remote and press unlock 6 times. Play it back … most likely it will work even if you have rolling codes and you are further in the future … be aware that you might de-sync your original remote.
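The counter behaviour the two posts above describe (a used code is dead, but a fob that has run ahead gets back in step after consecutive presses) is a property of the receiver's acceptance window. The following is an added toy model, not code from the Flipper project or from anyone in this thread: an HMAC over the counter stands in for the KeeLoq hop-code derivation, the shared key and the window sizes (16 for normal presses, 32768 for re-sync) are constructed values, and the Fob/Receiver classes are hypothetical. It shows, from the receiver's side, which codes are rejected outright and why a tight window plus a consecutive-counter rule is what limits replay.

```python
"""Toy rolling-code receiver: counter window and re-sync policy.

Constructed illustration only. An HMAC keyed with a shared secret stands
in for the real hop-code cipher; window sizes are made-up defaults.
"""
import hashlib
import hmac

SECRET_KEY = b"constructed-fob-key"  # assumption: provisioned into fob and receiver


def rolling_code(key: bytes, counter: int) -> bytes:
    """Stand-in for the keyed hop-code derivation (4-byte code for a counter)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    """Hypothetical fob: every press increments the counter and emits one code."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    """Hypothetical receiver: accepts only counters ahead of the last one used."""

    def __init__(self, key: bytes, window: int = 16, resync_window: int = 32768) -> None:
        self.key = key
        self.last = 0                    # highest counter consumed so far
        self.window = window             # counters accepted without a second press
        self.resync_window = resync_window
        self.pending = None              # counter seen outside the normal window

    def _find_counter(self, code: bytes, lo: int, hi: int):
        # Brute-force the counter inside [lo, hi]; constant-time compare per candidate.
        for c in range(lo, hi + 1):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                return c
        return None

    def receive(self, code: bytes) -> str:
        # Normal case: counter is a little ahead of the last one used.
        c = self._find_counter(code, self.last + 1, self.last + self.window)
        if c is not None:
            self.last, self.pending = c, None
            return "accepted"
        # Anything at or below self.last is never searched, so a code captured
        # off the air and replayed after the owner's press can only land here.
        c = self._find_counter(code, self.last + self.window + 1,
                               self.last + self.resync_window)
        if c is None:
            return "rejected"
        # Far ahead: act only on two consecutive counters (the "re-sync" the posts mention).
        if self.pending is not None and c == self.pending + 1:
            self.last, self.pending = c, None
            return "resynced"
        self.pending = c
        return "held"


def simulate() -> list:
    """Walk one fob and one receiver through the cases discussed in the thread."""
    fob, rx = Fob(SECRET_KEY), Receiver(SECRET_KEY)
    log = []
    captured = fob.press()                                   # counter 1, seen by the car
    log.append(("owner press", rx.receive(captured)))        # accepted
    log.append(("replay of that capture", rx.receive(captured)))  # rejected: already used
    for _ in range(100):                                     # fob pressed out of range
        fob.press()                                          # counter is now 101
    log.append(("far-ahead press", rx.receive(fob.press())))      # 102 -> held
    log.append(("next consecutive press", rx.receive(fob.press())))  # 103 -> resynced
    log.append(("stale code after resync", rx.receive(captured)))    # still rejected
    return log


if __name__ == "__main__":
    for event, outcome in simulate():
        print(f"{event:28s} {outcome}")
```

The two knobs that matter for a defender are `window` and `resync_window`: a receiver that keeps both small, and insists on consecutive counters before re-syncing, rejects everything a passive listener can collect once the legitimate fob has been used again, which is exactly the case where the "press unlock 6 times" replay stops working.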

OK. Maybe it is not straightforward to clone key fobs, but maybe you can clone the open-windows signal. Supposedly, in some cars, keeping the open door constantly opens the windows (to air the car on a hot day). Maybe this signal is not passing through the door parser?

A car key has 3 components: the blade that is cut, which the Flipper can't do anything about; the transponder/Hitag2 that locks the ignition/injectors; and the remote to open doors, trunk, windows, etc. … The Hitag transponder has to be addressed as RFID, but the remote is addressed as Sub-GHz radio, and it's already possible to save and replay raw as long as you have the correct modulation and frequency. You can already clone those signals of the remote but might have trouble if they are dynamic/rolling codes. I already made a request for parsers here:


Why help this guy??? Come on, it's pretty clear what his intentions are here. Dude, if you can't figure it out on your own then too bad. Why people insist on helping people like this is beyond me.

This is very true. I know a locksmith that does lots of vehicle work. He has fixed a few cars messed up by bad tools or people that do not know how to use them. He pays pretty good money for the proper tools. It’s wise to be careful.

Could two Flipper Zeros be used to relay a rolling code to the target car?