Car Key Emulation

Read here.

I believe most, if not all, (consumer) cars are Hitag2 … So I proffer these links:


A quick search on eBay for Hitag2 products shows transponders/remotes on the 433 MHz frequency, so it would be something to do with Flipper in sub-GHz mode and NOT with RFID functions, if it is possible to do anything at all …

My car key contains this chip (I think Hitag2).

Car key locksmith shops can reprogram another empty chip and share the secret key. If this chip has a common frequency, can't it be emulated?

Datasheet:
https://pdf1.alldatasheet.com/datasheet-pdf/view/1242534/PHILIPS/PCF7936.html


The problem is not with putting 1's & 0's in the radio signal - as @Spildit says, it's just a modulation on 433 MHz.

The problem is breaking the crypto, so you know WHAT 1's and 0's you need.

It's been a looong time since I looked at Kev's research, but IIRC one of the attacks is fairly lean on CPU time in exchange for an 8 TB lookup table - so if you can interface the FZ to a hard drive, or an array of SD cards, that attack vector may be an option :slight_smile:

So after reading these posts, I wanted to copy my key fob (Mazda 6 2011). I used the frequency analyzer mode and saw that the key was sending packets at 315 MHz, but I had recorded it using the ASK protocol and it didn't work. I looked into the key's FCC ID and saw the parameters from their testing, which were FSK, 315 MHz. It didn't say whether it was dynamic or static. And now it works; I was afraid of making my key fob inactive, however that didn't happen.

I didn't need to do any programming. With the FZ, I read the lock/unlock buttons, saved them and ran them, and the car was able to lock/unlock.

The chip on the fob was MH860-DM98; I couldn't find a datasheet for it. If anyone finds it, let me know :slight_smile:


And it's actually really sad that the repetition of sending works; therefore any student can use your car.

Yeah, I was thinking the same thing. So they can get into my car, but they can't drive off with it, because they'd still need the key with the transponder.

I have found that the best way to defeat rolling codes is to jam the signal while capturing at the same time. This requires either 2 Flipper Zeros, 2 HackRF Ones, or 1 Flipper Zero and 1 HackRF One (my current setup). If you jam in the US at about 314.7999 with either device and capture at 315.0000 with either device, the fob press does not go through to the vehicle, but it is still capturable and usable with the recorded noise to open, etc., said vehicle.

To start, it would be nice to have decoders/parsers for cars on Flipper, a little bit like in Pandora.

As for jamming, it might not be necessary at all.

If you have a parser and the code is based on KeeLoq, most likely you can emulate the fob and send future codes, as interception will show the position of the counter, and even worse …

On the majority of systems, sending 2 consecutive codes will re-sync and the car will lock/unlock. Some cars might require 5 presses …

Just try it … save a raw on the correct frequency/modulation of your car remote and press unlock 6 times. Play it back … most likely it will work even if you have rolling codes and you are further in the future … be aware that you might de-sync your original remote.

OK. Maybe it is not straightforward to clone key fobs, but maybe you can clone the open-windows signal. Supposedly in some cars, keeping the open door pressed constantly opens the windows (to air the car on a hot day). Maybe this signal is not passing through the door parser?

Car keys have 3 components: the blade that is cut and Flipper can't do anything about, the transponder/Hitag2 that locks the ignition/injectors, and the remote to open doors, trunk, windows, etc. … The HiTag transponder has to be addressed as RFID, but the remote is addressed as sub-GHz radio, and it's already possible to save and replay raw as long as you have the correct modulation and frequency. You can already clone those signals of the remote but might have trouble if they are dynamic/rolling codes. I already made a request for parsers here:


Why help this guy??? Come on, it's pretty clear what his intentions are here. Dude, if you can't figure it out on your own then too bad. Why people insist on helping people like this is beyond me.

This is very true. I know a locksmith that does lots of vehicle work. He has fixed a few cars messed up by bad tools or people that do not know how to use them. He pays pretty good money for the proper tools. It's wise to be careful.

Could two Flipper Zeros be used to relay a rolling code to the target car?

That's possible, or one Flipper could copy the rolling code, then you physically move in range of the car to use it. The code will remain valid until the owner uses the fob close enough to the car that it can be heard by the car.

I suspect standard rolling codes are not what you intended to ask about, though. I believe you want to know about a relay attack that requires real-time bidirectional communication. That might be possible as well, with work. I think that depends more on whether the Flipper can speak their language (protocol). There may also be issues on some cars where timing is an issue.
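The receiver-side behaviour described in the two posts above (a replayed code is rejected once the owner's fob has been heard again, a captured-but-undelivered code is still accepted, and two consecutive presses re-sync a fob that is far ahead) can be modelled in a few lines. This is an added illustration, not code from the thread or from any car or Flipper firmware; the window sizes are constructed and the HMAC is a stand-in for KeeLoq encryption, chosen only to make the counter-window logic visible.

```python
import hmac
import hashlib
OPEN_WINDOW = 16        # counter may be at most this far ahead to open directly (constructed value)
RESYNC_WINDOW = 32768   # further ahead than that, two consecutive frames re-sync (constructed value)

def hop_tag(key: bytes, counter: int) -> bytes:
    """Stand-in for the encrypted hopping code: truncated HMAC over the counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter
    def press(self) -> tuple:
        self.counter += 1                       # every press advances the counter
        return (self.counter, hop_tag(self.key, self.counter))

class Car:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.last, self.pending = key, counter, None
    def receive(self, frame: tuple) -> str:
        counter, tag = frame
        if not hmac.compare_digest(tag, hop_tag(self.key, counter)):
            return "reject: bad tag"            # wrong key or corrupted frame
        delta = counter - self.last
        if 0 < delta <= OPEN_WINDOW:
            self.last, self.pending = counter, None
            return "accept"
        if OPEN_WINDOW < delta <= RESYNC_WINDOW:
            if self.pending is not None and counter == self.pending + 1:
                self.last, self.pending = counter, None
                return "accept: resync"         # two consecutive presses re-synchronise
            self.pending = counter
            return "reject: awaiting consecutive frame"
        self.pending = None
        return "reject: replay"                 # counter not ahead of the last accepted one

def demo() -> list:
    fob, car = Fob(b"constructed-demo-key"), Car(b"constructed-demo-key")
    r = []
    used = fob.press()                          # counter 1, heard by the car
    r.append(car.receive(used))                 # accept
    r.append(car.receive(used))                 # reject: replay (plain replay of a used code)
    missed = fob.press()                        # counter 2, the car never heard it
    r.append(car.receive(missed))               # accept: undelivered code is still valid
    missed = fob.press()                        # counter 3, again not heard
    r.append(car.receive(fob.press()))          # counter 4 heard directly -> accept
    r.append(car.receive(missed))               # reject: replay, owner's later press voided it
    for _ in range(100): fob.press()            # fob pressed away from the car: counter 104
    r.append(car.receive(fob.press()))          # 105: reject: awaiting consecutive frame
    r.append(car.receive(fob.press()))          # 106: accept: resync
    return r
```

The model shows why a fixed-code fob like the Mazda one earlier in the thread replays freely while a rolling-code receiver only accepts counters ahead of the last one it heard; it does not implement KeeLoq or any real manufacturer's protocol.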

To be honest, I wondered if 2 or more Flipper Zeros could work in unison to expedite a code break, just theoretically.
I also found a YouTube video on my topic and think there is a workaround. Just me learning in a roundabout way.
I looked here:

#44 Hacking and Cloning a Garage Door Opener using SDR Radio

by Andreas Spiess
It is on YouTube.
Hope this helps.


He has TWO GREAT channels. He's my number one when it comes to microcontrollers specifically. He's also into amateur radio (as am I), so he can be a wealth of information on wireless. SDR can be very cheap when you only need to listen to signals. They begin to be a bit more expensive when you also need to transmit. Consider checking out his second channel. There are a lot of topics that cross over into both realms.

Primary electronics channel
https://www.youtube.com/@AndreasSpiess

Amateur Radio (HAM) second channel
https://www.youtube.com/channel/UCQwyP4Yd0-O49e05kMUJgQQ

How can you boost the signal of the original key so you can extend the range? Not clone it, just boost the signal so the rolling code works every time.

In summary, creating a universal device like the Flipper to function as a backup car key for various makes and models involves significant technical challenges. It requires in-depth knowledge of specific car key systems, RF communication protocols, and robust security measures. Additionally, attempting to emulate rolling codes would likely face legal and ethical challenges due to potential misuse. If you're interested in a backup solution for your car key, it's recommended to explore options provided by the car manufacturer or authorized third-party services. These solutions are designed to meet security standards and comply with legal regulations.