Exploring rolling codes with Flipper:

I’m “new” to rolling code systems, but here are some tips to explore rolling code systems with the official firmware of the Flipper:

TIPS HERE CAN DE-SYNC YOUR ORIGINAL REMOTE - USE AT YOUR OWN RISK:

  • If your system does use rolling codes you can always save a raw file of your remote if you know the modulation and frequency. Do this with the remote away from the receiver. Now test with the Flipper to open your lock. Because the Flipper will have the exact same “next” code that your remote would send, this will allow you to open your gate/unlock your system a single time. You can try to send the code a 2nd time and check if it does work.

  • I have a tobacco machine unlocker that is based on KeeLoq and it does unlock with the fixed key of the remote no matter what hopping/rolling code the command uses … Many other systems might be configured this way - fixed code instead of rolling, even if you use a rolling code remote.

  • Bypass the Flipper restriction on saving rolling codes - just save the signal as “raw”, as the Flipper will not care about protocol checking and will save the 0s and 1s as is, so you can have a .sub file with your rolling code that you can analyze later with a CLI command to grab the keys. Also your .sub will most likely have many hopping/rolling keys.

I think that the Flipper should allow saving the rolling code to a file, because that way one could test if a specific key on a specific rolling code will be of use if replayed. The same can be checked anyway by saving a raw file, with the added problem that the raw file will most likely contain more than one rolling code.

  • Save a raw file with a long press of the remote away from your gate. You will save on your raw many sequential keys/rolling codes. If your gate/system is vulnerable to a re-sync attack there are chances that playing the raw will make the gate/system think that the counter is lost/wrong, because it checks and sees several valid codes in the correct sequence and then adjusts the counter to your saved sequence, going back in time and allowing codes to be re-used as it re-syncs to an older state.

If all else fails, but
a) you can still save a single raw with a code that works a single time on the Flipper,

you can:

Use your original remote and press, for example, “unlock” and save to the Flipper as “1- Unlock”, then you press lock and save as “2- Lock”, then you do a 3rd save as “lock” - all of this away from the gate. You will have on the Flipper a list of saved files that can be used only once, in order (unless you use your original remote and it re-syncs the system to a future code, invalidating the ones saved on the Flipper).

Now you go to your gate, you use Flipper file 1 and it opens the gate; you then delete that file and use file 2 to close the gate, then use file 3, and so on …

I like the option of saving/sending a specific rolling code (not available in the official firmware) because you can check if a specific single code can be re-used to exploit your system (check its security). When you send a saved .sub most likely there will be several rolling codes in it, not just one, and even if the first is used and blocked/expired by your gate/system it might still accept the others, and from a practical standpoint it’s kind of a pointless protection on the Flipper side because nothing prevents a user from “attacking” something they don’t own by using a raw capture of a rolling code, which for the obvious reason can be saved on the Flipper.

Hope this helps someone.

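An added example, not code from the post above or from the Flipper project: a small Python script that parses a Flipper RAW .sub capture holding several remote presses and splits it into one .sub file per press, so each captured rolling code can be played once and in order, as the post describes. The capture text is constructed for the demo (the header keys follow the RAW .sub files the Flipper writes; the durations are illustrative); the 10 ms gap threshold and the output file names are assumptions.

```python
# Added example: split a multi-press Flipper RAW .sub capture into one file
# per press. Not Flipper code. Sample capture and thresholds are constructed.
from pathlib import Path

# Constructed sample: three presses separated by long low (negative) gaps.
SAMPLE_SUB = """Filetype: Flipper SubGhz RAW File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: RAW
RAW_Data: 400 -800 400 -400 800 -400 400 -20000 400 -800 800 -400 400 -400 400
RAW_Data: -25000 800 -400 400 -800 400 -400 400
"""

# A low period at least this long (microseconds) is treated as the silence
# between two presses. Assumption: tune it to the remote's repeat timing.
GAP_US = 10000


def parse_sub(text):
    """Return (header dict, list of +high/-low durations) from a RAW .sub file.

    The Flipper may spread RAW_Data over several lines; they are concatenated.
    """
    header, durations = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "RAW_Data":
            durations.extend(int(v) for v in value.split())
        else:
            header[key.strip()] = value.strip()
    return header, durations


def split_bursts(durations, gap_us=GAP_US):
    """Cut the duration stream wherever a low period is longer than gap_us.

    Repeats of the same packet inside one press stay together as long as the
    pause between them is shorter than gap_us.
    """
    bursts, current = [], []
    for d in durations:
        if d < 0 and -d >= gap_us:
            if current:
                bursts.append(current)
            current = []
        else:
            current.append(d)
    if current:
        bursts.append(current)
    return bursts


def burst_to_sub(header, burst):
    """Re-emit one burst as a complete RAW .sub file using the original header."""
    lines = [f"{k}: {v}" for k, v in header.items()]
    lines.append("RAW_Data: " + " ".join(str(d) for d in burst))
    return "\n".join(lines) + "\n"


def split_capture(text, gap_us=GAP_US):
    """Return a list of .sub file contents, one per detected press, in order."""
    header, durations = parse_sub(text)
    return [burst_to_sub(header, b) for b in split_bursts(durations, gap_us)]


def write_parts(text, out_dir, stem="press"):
    """Write press_1.sub, press_2.sub, ... and return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, part in enumerate(split_capture(text), start=1):
        p = out / f"{stem}_{i}.sub"
        p.write_text(part)
        paths.append(p)
    return paths


if __name__ == "__main__":
    for i, part in enumerate(split_capture(SAMPLE_SUB), start=1):
        print(f"--- press {i} ---")
        print(part, end="")
```

Copy the resulting files to the Flipper's SubGHz folder and send them one at a time in the order they were captured; once the receiver has accepted a later one, the earlier files are spent. If a press shows up split in two, the remote's inter-repeat pause is longer than the threshold, so raise it.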

KeeLoq UPDATE:

My conclusions after playing a little bit more with KeeLoq …

  • When you have a count of 0000 on the Flipper READ decoding it means that the Flipper doesn’t have a manufacturer key, so it can’t decode/know where on the counter you are for your KeeLoq system/implementation.

  • Many KeeLoq implementations only care about the fixed key and work as a simple code. Saving a RAW on the correct modulation/frequency with the Flipper will do, and a replay attack will work. When it doesn’t, a re-sync will work.

  • KeeLoq re-syncs by sending 2 consecutive presses of the original remote. Found it here:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj7wIusxfv5AhUbhc4BHYqfC9kQFnoECBoQAQ&url=https%3A%2F%2Fww1.microchip.com%2Fdownloads%2Fjp%2FAppNotes%2F91002a.pdf&usg=AOvVaw0FgFoGL_4QTTK_A5mvtbQV

The KEELOQ algorithm also features sophisticated synchronization techniques. The system will continue to function even if the transmitter is activated repeatedly while not in range of the receiver (as would happen if a child played with the remote control). If a button is pressed out of range more than 16 times, synchronization will be lost. However, two successive transmissions in range will restore synchronization. When no response occurs to a transmitter operation, the user’s natural reaction is to press the button a second time. Synchronization will be restored when he does. Operation is totally transparent — the user may not even become aware that synchronization has been lost and restored.

  • When KeeLoq re-syncs it doesn’t check if it’s re-syncing on a past count, so …

Just save a raw on the correct frequency/modulation with 2 consecutive presses of the original remote … done!

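An added example, not code from the post above or from the Flipper project, that models the three points in the KeeLoq update in runnable Python: the fixed portion (serial and button) of an HCS301-style packet is readable without any key, the counter inside the hopping portion is not (this is the "count 0000" case), and what a receiver does with two consecutive old codes depends on its resync policy. The KeeLoq block cipher is the published algorithm; the 66-bit packet layout and the 16-code open window / 32K-code two-code resync window follow the HCS301 datasheet; the `lenient` flag is an assumption that models the behaviour the post reports (any two consecutive counters resync, even ones behind the receiver's stored value). The device key, serial number, button and counter values are constructed for the demo.

```python
# Added example: KeeLoq packet model with a receiver whose resync policy is
# selectable. Not Flipper code. Key, serial and counters are constructed.

NLF = 0x3A5C742E  # KeeLoq non-linear function lookup (public constant)


def _bit(x, n):
    return (x >> n) & 1


def _g5(x, a, b, c, d, e):
    return (_bit(x, a) | (_bit(x, b) << 1) | (_bit(x, c) << 2)
            | (_bit(x, d) << 3) | (_bit(x, e) << 4))


def keeloq_encrypt(data, key):
    """528-round KeeLoq encryption of a 32-bit block under a 64-bit key."""
    x = data & 0xFFFFFFFF
    for r in range(528):
        fb = (_bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63)
              ^ _bit(NLF, _g5(x, 1, 9, 20, 26, 31)))
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(data, key):
    """Inverse of keeloq_encrypt (the receiver-side operation)."""
    x = data & 0xFFFFFFFF
    for r in range(528):
        fb = (_bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63)
              ^ _bit(NLF, _g5(x, 0, 8, 19, 25, 30)))
        x = ((x << 1) & 0xFFFFFFFF) | fb
    return x


def build_packet(key, serial, counter, func):
    """HCS301 layout (assumption): bits 0-31 hopping code, 32-59 serial,
    60-63 button; VLOW/REPEAT bits left at 0. Hopping plaintext holds the
    16-bit counter, 10 low serial bits as discrimination, and the button."""
    plain = (func << 28) | ((serial & 0x3FF) << 16) | (counter & 0xFFFF)
    return (keeloq_encrypt(plain, key) | ((serial & 0x0FFFFFFF) << 32)
            | ((func & 0xF) << 60))


def parse_fixed(pkt):
    """What can be read without any key: the serial and the button."""
    return {"serial": (pkt >> 32) & 0x0FFFFFFF, "button": (pkt >> 60) & 0xF}


def decode_counter(pkt, key):
    """Recover the counter; None if the key is wrong (discrimination fails)."""
    plain = keeloq_decrypt(pkt & 0xFFFFFFFF, key)
    fixed = parse_fixed(pkt)
    if ((plain >> 16) & 0x3FF) != (fixed["serial"] & 0x3FF):
        return None
    if (plain >> 28) != fixed["button"]:
        return None
    return plain & 0xFFFF


class Receiver:
    """Counter handling after the HCS301 datasheet: 1..16 ahead is accepted,
    17..32768 ahead starts a resync that completes on the next consecutive
    code, everything else is blocked. lenient=True models the behaviour the
    post reports: any two consecutive codes resync, including past ones."""

    def __init__(self, key, serial, counter, lenient=False):
        self.key, self.serial, self.counter = key, serial, counter
        self.lenient, self.pending = lenient, None

    def receive(self, pkt):
        if parse_fixed(pkt)["serial"] != self.serial:
            return False
        c = decode_counter(pkt, self.key)
        if c is None:
            return False
        ahead = (c - self.counter) & 0xFFFF
        if 1 <= ahead <= 16:                      # normal press
            self.counter, self.pending = c, None
            return True
        if self.pending is not None and c == (self.pending + 1) & 0xFFFF:
            self.counter, self.pending = c, None  # second code of a resync pair
            return True
        if self.lenient or 16 < ahead <= 0x8000:  # first code of a resync pair
            self.pending = c
        return False


def demo(lenient):
    """Capture two consecutive presses, let the owner use the remote 30 more
    times, then replay the old pair. Returns (per-press results, counter)."""
    key, serial, btn = 0x0123456789ABCDEF, 0x0ABCDEF, 0x2   # constructed
    old_pair = [build_packet(key, serial, c, btn) for c in (100, 101)]
    rx = Receiver(key, serial, counter=99, lenient=lenient)
    rx.receive(old_pair[0])                       # legitimate use, counter 100
    for c in range(101, 131):                     # owner keeps using the remote
        rx.receive(build_packet(key, serial, c, btn))
    return [rx.receive(p) for p in old_pair], rx.counter
```

With `lenient=True` the second replayed press is accepted and the receiver's counter is rolled back to 101, so every code captured after that point works again; with the datasheet windows the pair sits 65506 codes "ahead" modulo 2^16, lands in the blocked region, and both presses are refused. Whether a given gate behaves like one or the other is exactly what the raw-capture test in the post finds out.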

Hi, could you make a video on how to do it correctly?
It could help many people like me.

  • frequency: Sub-GHz => Frequency Analyzer (example: 317.999 MHz)
  • modulation: where do I get the modulation from?

Thanks in advance!