Car Key Fobs?

Can the Flipper Zero be used to save and replay older car key fobs? I’m not talking about car keys. I’m talking about the older generation key fobs that just unlocked/locked car doors and alarms?

I tried to use this to record the key fob for my 2001 Toyota and it couldn’t detect a signal. The FCC ID, ELVAT5G, indicates this is the 433-434 MHz range.

Can I assume this is some sort of encrypted/rolling code that can’t be recorded and re-played?

Is there any sort of master list of what types of devices can/cannot be used with FZ?

1 Like

You would assume correctly. My truck fob for a 2009 Ram OEM uses 433 MHz as well. I’m unable to detect it as well. Even though they are relatively older, they do utilize rolling codes. The creators have blocked the ability to intercept rolling codes for legal reasons (read in another forum). There is no master list to my knowledge; however, the Flipper can read and capture any device that uses replay codes (standard remotes that use the same code every time to communicate). Anything that utilizes rolling codes, like car fobs and even some garage remotes, you won’t be able to use unless you rewrite the firmware on the Flipper yourself.

1 Like

There’s no encryption on those remotes but the documentation I found says it’s a rolling code. That means the code changes each time the button is pressed. Imagine if the remote and the car agree to increment the code by a secret amount each time. The first code could be 10000, then the next code is 10003, then 10006. The math they use is more complicated than addition but that should give you a general understanding of what’s happening. The formulas are complicated enough that the pattern can’t be guessed. I don’t think you will find a good list of devices that can’t be cloned by the Flipper because it’s a moving target.

1 Like

I recorded and replayed my Ford 315MHz fob and not only did it not lock my door as expected, the receiver in the vehicle disabled the fob that I had recorded.
Please be aware of that possible outcome; make sure you know the procedure to pair your fob to the vehicle again once it becomes un-paired.
Or get locked out. 🙂

1 Like

You aren’t the first. Never try this with a rolling code if you don’t know what you are doing. My best guess is you tried too many times. Now the car and key fob are out of sync or the fob is locked out. Some cars may allow you to synchronize the car and the fob yourself. Others may require a dealer or automotive locksmith.

There are two rules of ethical hacking to ensure you do not harm yourself or others:

  1. Do not attack targets you do not own

  2. Do not attack targets you personally rely on for your own security

I strongly advise anyone against trying to perform a rolling code replay attack. That being said, I believe the thing that bricks these remotes is if the car ever receives the same code twice or receives codes out of order. So performing this exploit without bricking the fob requires careful RF hygiene.

2 Likes

Please!! Does anyone know how to fix this??? 🙏🙏🙏🙏

The Flipper Zero will never be able to capture car fobs’ rolling codes and recover the seed unless a severe vulnerability is found.

The Flipper might be able to emulate a NEW key fob but it would have to be learned by the car as a new fob. I don’t think it would be a simple feature to implement either. I’m trying to research that topic. You would never want a cloned fob because the original and cloned fobs would become out of sync with bad consequences such as both fobs becoming locked out.

How do I re-sync a fob?

1 Like

Please be sure to include details of the car fob and car. The process may be different on each vehicle. Usually it takes a simple search on Google or YouTube to find instructions.

Ford Expedition factory fob

Try this procedure and let us know if it works for you.