Car Key Emulation

So after reading these posts, I wanted to copy my keyfob (Mazda 6 2011). I used the frequency analyzer mode and saw that the key was sending packets at 315 MHz, but I had recorded it using the ASK protocol and it didn't work. I looked into the key's FCC ID and saw the parameters from their testing, which were FSK, 315 MHz. It didn't say whether it was dynamic or static. And now it works. I was afraid of making my keyfob inactive; however, that didn't happen.

I didn't need to do any programming. With the FZ, I read the lock/unlock buttons, saved them and ran them, and the car was able to lock/unlock.

Chip on the fob was: MH860-DM98; couldn't find a datasheet for it. If anyone finds it, let me know 🙂

And it's actually really sad that the repetition of sending works; therefore any student can use your car.

Yeah, I was thinking the same thing. So they can get into my car, but they can’t drive off with it, because they’d still need the key with the transponder.

I have found that the best way to defeat rolling codes is to jam the signal while capturing at the same time. This requires either 2 Flipper Zeros, 2 HackRF Ones, or 1 Flipper Zero and 1 HackRF One (my current setup). If you jam in the US at about 314.7999 MHz with either device and capture at 315.0000 MHz with either device, the fob press does not go through to the vehicle but it is still capturable and usable with the recorded noise to open, etc., said vehicle.

To start, it would be nice to have decoders/parsers for cars on the Flipper, a little bit like in Pandora.

As for jamming, it might not be necessary at all.

If you have a parser and the code is based on KeeLoq, most likely you can emulate the fob and send future codes, as the interception will show the position of the counter, and even worse …

On the majority of systems, sending 2 consecutive codes will make it re-sync and the car will lock/unlock. Some cars might require 5 presses …

Just try it … save a raw capture on the correct frequency/modulation of your car remote and press unlock 6 times. Play it back … most likely it will work even if you have rolling codes and you are further in the future … be aware that you might de-sync your original remote.
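
The jam-and-capture trick a few posts up, and the "two consecutive codes re-sync the car, but you might de-sync your remote" behaviour in the post above, both follow from how a rolling-code receiver treats its counter. The following is an added example, not code from this thread or from any car or Flipper project: a toy simulation of a KeeLoq/HCS301-style receiver. The acceptance rules (single-press window, double-press re-sync window, everything else rejected) follow the public HCS301 datasheet; the window sizes, serial, key and the HMAC stand-in for the encrypted hopping code are assumptions chosen for readability and are not a real car's parameters.

```python
"""Toy rolling-code receiver (added example, assumptions marked below)."""
import hashlib
import hmac

WINDOW = 16          # assumption: single-press window (HCS301 uses 16)
RESYNC = 32768       # assumption: double-press re-sync window (HCS301 uses 32K)
COUNTER_MOD = 1 << 16

def hop(key: bytes, serial: int, counter: int) -> bytes:
    """Stand-in for the encrypted hopping code: a MAC over serial and counter.
    Real KeeLoq encrypts the counter with a 64-bit key instead."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

class Fob:
    def __init__(self, serial: int, key: bytes, counter: int):
        self.serial, self.key, self.counter = serial, key, counter

    def press(self):
        # Every press advances the counter whether or not the car hears it.
        self.counter = (self.counter + 1) % COUNTER_MOD
        return (self.serial, self.counter, hop(self.key, self.serial, self.counter))

class Car:
    def __init__(self, serial: int, key: bytes, counter: int):
        self.serial, self.key, self.counter = serial, key, counter
        self.pending = None   # first half of a candidate re-sync pair

    def receive(self, packet) -> bool:
        serial, counter, tag = packet
        if serial != self.serial or not hmac.compare_digest(tag, hop(self.key, serial, counter)):
            return False
        delta = (counter - self.counter) % COUNTER_MOD
        if 1 <= delta <= WINDOW:                    # normal press: accept
            self.counter, self.pending = counter, None
            return True
        if WINDOW < delta <= RESYNC:                # far ahead: need two in a row
            if self.pending is not None and counter == (self.pending + 1) % COUNTER_MOD:
                self.counter, self.pending = counter, None
                return True
            self.pending = counter
            return False
        self.pending = None                         # replay (delta 0 or in the past)
        return False                                # or beyond RESYNC: dealer reprogram

def pair():
    # Constructed demo identities; serial and key are arbitrary.
    serial, key = 0x1234ABCD, b"demo-key"
    return Fob(serial, key, counter=1000), Car(serial, key, counter=1000)

def straight_replay():
    """Plain record-and-replay of one press: first accepted, replay rejected."""
    fob, car = pair()
    p = fob.press()
    return car.receive(p), car.receive(p)

def jam_and_capture():
    """RollJam-style: two presses jammed and recorded; attacker forwards the
    first so the owner gets in and keeps the second, which stays valid."""
    fob, car = pair()
    c1 = fob.press()              # jammed: car never hears it, attacker records it
    c2 = fob.press()              # jammed again: attacker records it, replays c1
    owner_in = car.receive(c1)
    attacker_later = car.receive(c2)
    return owner_in, attacker_later

def stale_after_owner_uses_fob():
    """The held code dies as soon as the owner's next press reaches the car."""
    fob, car = pair()
    c1, c2 = fob.press(), fob.press()
    car.receive(c1)
    car.receive(fob.press())      # owner presses in range: counter moves past c2
    return car.receive(c2)

def consecutive_codes_resync(presses_out_of_range: int):
    """Press the fob out of range N times, then play the last two to the car."""
    fob, car = pair()
    for _ in range(presses_out_of_range - 2):
        fob.press()
    a, b = fob.press(), fob.press()
    return car.receive(a), car.receive(b)
```

`consecutive_codes_resync(6)` opens on the first code because six presses are still inside the single-press window; `consecutive_codes_resync(100)` rejects the first code and opens on the second, which is the "send 2 consecutive codes" re-sync; `consecutive_codes_resync(40000)` rejects both because the fob has run past the re-sync window, which is the permanent de-sync the post warns about. In a real KeeLoq system the counter sits inside the encrypted block, so "interception shows the counter position" presumes the key (or a parser that has it); the toy sends it in clear to keep the logic visible.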

Ok. Maybe it is not straightforward to clone key fobs, but maybe you can clone the open-windows signal. Supposedly in some cars, holding the open-door button constantly opens the windows (to air the car on a hot day). Maybe this signal is not passing through the door parser?

Car keys have 3 components: the blade, which is cut and the Flipper can't do anything about; the transponder/HiTag2, which locks the ignition/injectors; and the remote to open doors, trunk, windows, etc. … The HiTag transponder has to be addressed as RFID, but the remote is addressed as sub-GHz radio, and it's possible to save and replay raw already as long as you have the correct modulation and frequency. You can clone those signals of the remote already but might have trouble if they are dynamic/rolling codes. I already made a request for parsers here:

Why help this guy??? Come on, it's pretty clear what his intentions are here. Dude, if you can't figure it out on your own then too bad. Why people insist on helping people like this is beyond me.

This is very true. I know a locksmith who does lots of vehicle work. He has fixed a few cars messed up by bad tools or by people who do not know how to use them. He pays pretty good money for the proper tools. It's wise to be careful.

Could two Flipper Zeros be used to relay a rolling code to the target car?

That's possible, or one Flipper could copy the rolling code, then you physically move in range of the car to use it. The code will remain valid until the owner uses the fob close enough to the car that it can be heard by the car.

I suspect standard rolling codes are not what you intended to ask about, though. I believe you want to know about a relay attack, which requires real-time bidirectional communication. That might be possible as well with work. I think that depends more on whether the Flipper can speak their language (protocol). There may also be issues on some cars where timing is an issue.

To be honest, I wondered if 2 or more Flipper Zeros could work in unison to expedite a code break, just theoretically.
I also found a YouTube video on my topic and think there is a workaround. Just me learning in a roundabout way.
I looked here:

#44 Hacking and Cloning a Garage Door Opener using SDR Radio

by Andreas Spiess
It is on YouTube.
Hope this helps.

He has TWO GREAT channels. He's my number one when it comes to microcontrollers specifically. He's also into amateur radio (as am I), so he can be a wealth of information on wireless. SDR can be very cheap when you only need to listen to signals. It begins to be a bit more expensive when you also need to transmit. Consider checking out his second channel. There are a lot of topics that cross over into both realms.

Primary electronics channel
https://www.youtube.com/@AndreasSpiess

Amateur Radio (HAM) second channel
https://www.youtube.com/channel/UCQwyP4Yd0-O49e05kMUJgQQ

How can you boost the signal of the original key so you can extend the range? Not clone it, just boost the signal so the rolling code works every time.

In summary, creating a universal device like the Flipper to function as a backup car key for various makes and models involves significant technical challenges. It requires in-depth knowledge of specific car key systems, RF communication protocols, and robust security measures. Additionally, attempting to emulate rolling codes would likely face legal and ethical challenges due to potential misuse. If you’re interested in a backup solution for your car key, it’s recommended to explore options provided by the car manufacturer or authorized third-party services. These solutions are designed to meet security standards and comply with legal regulations.

When a car dealer asks you 130+ € for a remote and you find it in AliExpress for 2.72€, you start to evaluate some alternatives.

Did you get one and manage to get it to work? Cheap keys are a crap shoot.

That comment didn’t age well, did it? LOL. Hyundai and Kia have shown how easy it is to steal a car these days.

Some FYI on tech chronology and how it works… I did a paper on the Hitachi H1 passive transponder system like 16 years ago; rolling code (Nissan, Mazda, Toyota). A security company did one on the TI system (Ford, GM) about 14 years ago… Ford had a system back in the 90s that was only a resistor in the key (Passkey), which was immediately defeated… There were some guys at an EU hacker con who actually beat a SKIM-stored algorithm about 10 years ago.

The algorithm is always stored in the BCM (usually under the middle or right of the dash) or a SKIM (usually close to the steering column). I've never seen the algorithm stored in the media board or ECM. Jeep stored the seed in the ECM for a while, and a lot of OBD2 tools could blank it and the Jeep would still run.

1975-1984: Anti-hotwire circuits; Nissan had them all the way up till the 90s in the Maxima and other models. In the 70s it was mostly Italian and German cars. Northern EU and Russian cars didn't have anything till transponders were common around 2001.

1985: GM had the first chip key; I believe in the Corvette… it's in the BCM, I believe; no details on the ASIC debug capabilities.

1995: Ford started the resistor-based Passkey program; Honda and other JDM started non-rolling transponder systems, stored in the BCM. GM didn't start a program till 1998, also BCM based. Not all JDM cars had it.

2000-2006: Everything had BCM- or SKIM-stored non-rolling systems: Hitachi H1, TI. The ASIC typically had the debug fuse blown, but you could blank the seed or set a new seed in the ECM and start with any key. Suzuki and maybe Kia had no chips in this era.

2006+: Rolling code algorithms; same algo storage; different ECM configurations for seed or checksum.

Regarding rolling code: the passive transponder has memory… If it was just the car chips you wouldn't have the replay problem where it goes out of sync and you have to have a dealer's network access to reset and rekey…

Pro car thieves in California had dealer access and would swap the ECM on a lot of GM cars that had a special seed that would allow any key to work, and they had the cut code for owner keys from the network too; they stole rolling code GM cars in under two minutes… The Hellcat theft wave was relay or dealer access; they swapped boards after transport and stripped the cars…

Bypass kits put the key or fob in an RFID antenna enclosure wired into the circuit…

All UHF, 315 MHz or 433 MHz.

TL;DR: You'd need the algorithm to maintain response sync; open the BCM or SKIM and look for unlocked SPI or JTAG, or some form of VRM or clock glitch attack to dump the firmware over some exposed bus. This is how Chinese chip programmers are made. I've only seen two algorithms defeated outside the programmer market; nobody really looks, though.

These companies are all cheap and lazy… You can likely glitch and dump the algorithms on everything and make tools…

Do you know the names of any of these devices?