Citroen C1, C2, C3 and Peugeot 307 keyfob :

If someone is able to code parsers and code apps for flipper maybe someone can make decoders for car fobs and have flipper behave like a cheap pandora !!
Here is my contribution :

https://www.amazon.es/Heart-Horse-Botones-Control-Ci-TRO-en/dp/B09KY54NVV/ref=sr_1_22?__mk_es_ES=ÅMÅŽÕÑ&crid=J5YKS4347ZBB&keywords=llave+citroen+c3&qid=1666721177&qu=eyJxc2MiOiI1LjIyIiwicXNhIjoiNC40NiIsInFzcCI6IjQuMjYifQ%3D%3D&quartzVehicle=21-10397&replacementKeywords=llave+citroen&sprefix=llave+citroen+c3%2Caps%2C113&sr=8-22

Cars.zip (98.1 KB)

Lock/Unlock - 1 press
Lock_13/Unlock_13 - 13 presses for each.
Sync - 10 sec. press (for re-sync with car) - as shown in the attached pictures.

Decoded signal will look like this :
c7aabfbb20c2922085e28

example (NOT THE ATTACHED FILES DECODED) JUST TO GET IDEA OF FORMAT :

  1. 069A - Type 69 is for Berlingo 2002-2008. PN:6554RH, Partner PN:6554RG
  2. 07CA - Type 7C is for Citroen Xsara Picasso. PN:6554RF
  3. 0A5A - Type A5 is for Peugeot 307. PN:6554RC
  4. 0C1A - Type C1 is for Citroen C3 XTR with front fogs from 2002 up till CAN. PN:6554RE
  5. 04DA - Type 4D is for Peugeot 406 phase 2. PN:6554RA
  6. 096A - Type 96 is for Citroen C2/C3 pluriel from 2003 up till CAN (flip type key). PN: 6554RJ
  7. 01CA - Type 1C is for Peugeot 206 NO front fogs 2002-2005. PN:6554YL
  8. 0B8A - Type B8 is for Peugeot 206 NO front fogs 2005-2007. PN:6554YQ
  9. 0C7A - Type C7 is for Peugeot 206 WITH front fogs 2002-200?. PN:6554YR
  10. 0DBA - Type DB is for Peugeot 206+ 2009-2012. PN:6554YV

Also if someone does want to make decoder/app for CARS i’m willing to buy used remotes/fobs from ebay and make captures for decoding/add to flipper.

I can’t write apps/parsers so if someone wants to team up i can buy remotes/make captures for someone else implement the decoding/sending on flipper.

how simple are you) decode rolling codes by records) 3 button presses, good luck

Idea is NOT (initially) to decrypt rolling code and get to “predict” the next code.

Idea is to :

1- READ the signal and get decoded data that you can re-send (like on keeloq when you don’t have manufact. key).

2- Simply “translate” the data from a key press (one code) into hex that you can read …

I was not meaning decrypt and crack the rolling code, I was talking about parse/decode the signal captured by flipper into readable single codes…

For example on my signal you just need the FIXED portion of the code to get the ID of the car (know what car is using the remote) and to get the number (serial ID) as it doesn’t change to program on the hitag2, etc …

There is use to decode RAW signal into hex data even if the code changes with each press and you can’t crack the dynamic code to predict the next code or know where on the counter you are …

If you can’t even “decode” or know what “data” the remote is actually sending then you can’t do nothing at all.

I’m NOT asking for this to be added to official version of flipper, i’m asking for a 3rd party app to be created !!!

Notes :

  • Pandora code grabber can already capture and decode car fob signals so this is possible to do. If it’s possible to do can be implemented in flipper as well.

  • This already exist : Mini KD Car Key Remote Maker Generator Kit Set Locksmiths Programmer For Android | eBay - that product generate virtual remotes and cover more than 1000 cars …

  • Even if crypto can’t be cracked/reversed it still serves some functions to have a DECODER/ENCODER to send without decryption for example :

  • get the FIXED part of the code the remote sends to get serial ID to add to transponder to program on car by tools like sbb, etc … you can grab info from decoding remote data even if hopping code can’t be generated.

  • It will be like having a keeloq without manufacturer key, you can still analyze the data and find flaws. Way easy to test and analyze with decoded data rather than sub files with raw data.

  • One can make experimentation with decoded data and encode its own data, like replacing serial, try to resend codes or codes that look generic, one can see what codes are sent to re-sync, etc … it would be way easy to analyze data to further attempt to exploit/attack.

Flipper is supposed to be a tool to explore protocols, etc …

Saying that it’s hard/impossible without even trying it’s just bad … one can go one step at a time and start from beginning and to start it would be of use to translate those raw subs in hex data that we can use…

Thanks.


I said that this is impossible for a couple of signal records, changing the serial number will not give anything without changing part of the encoded message (learn the mat part), simple recording and playback is already available. and no one forbids the community to make such an application, delicate packet format, it is also not clear what to change in it, most of the protocols have a CRC part and blindly changing part of the data will not give anything at all

It would still be of use to have a decoder for :

  • Diagnose of damaged/working keyfob - if a keyfob sends a signal that decodes as expected then it’s not broken. If you read raw and send raw you don’t know if the remote is broken or not as sending might not work because of rolling codes.

  • Add serial number to hitag2 using programmer to program remote on car, you need ID from radio, fixed part of code that you can grab with flipper.

  • Many utility like Kaiju and even PandwaRF are moving to implement this sort of feature or even more …

  • One could have an app to record many presses of keyfobs to text so one can compare the output to attempt to decrypt or analyze the signal.

Just as “raw” there is nothing of big use/value to work with, decoded info even if “encrypted” does have more value and can be used in an easy way.

So i’m still asking for someone that can code plug-ins to have a decoder for car fob signals implemented on flipper.