How replaying rolling code causes desync

So I’ve seen a few posts here and on reddit about people “desyncing” their key fob by replaying a rolling code. I do understand how rolling code can prevent replay attacks, since a captured code cannot be reused. However, if the code is captured while out of range of the receiver, then it should work once. What I don’t understand is how you could desync your key while doing so.

Since the flipper cannot generate a valid code but only replay a captured one, and since the key never sends the same code twice, the key is always “ahead” of the flipper. So it should never run “behind” the door / car? What am I missing?

I don’t want to break my car key by testing this out.

Don’t replay your car key, that’s the only thing known to break.

Yes, raw recording something like KeeLoq, Nice FloR-S or FAAC SLH works because the remote doesn’t get anything back, i.e. it’s simplex, i.e. one way only.

Car keys can have a challenge-response over radio, and if your key were to not finish its part, wouldn’t that look odd to you?


Ok makes sense. So there is a challenge-response going on in some situations.

So if I attack for example a garage door using rolling codes (but no challenge-response), it’s impossible to desync it simply by replaying one code, right? How would one know if a challenge-response is happening? Could this be detected somehow to make sure I don’t attack the wrong target and end up breaking things?

For example, if I listen while opening my car with the key, would I be able to see somehow that a challenge-response is going on?


I wonder why the hell they enabled such an attack on the third task of security, that is, availability. Anyone can replay an old code, and if it causes the remote it came from not to work anymore, it is a Bad Idea due to all the vandals out there.


There are many implementations of rolling code. A device hearing a correct but already used code several times may increment the counter or lock out a transmitter. Make sure you know how to relearn or resync a remote with a device before you mess with rolling code devices. Also make sure you have an extra transmitter. In the case of a car I would make sure I had a minimum of three fobs before messing with it. Some cars require 2 working fobs to relearn a messed up fob. The alternative is often a locksmith or a dealer. Lots of cars don’t do challenge response yet, so they can be a valid research option using a Flipper.

If I were going to do research on my own car I would buy an extra third party remote and pair that to my car as a “new fob”. Then I would exclusively use that new fob for tests.

With a garage it’s a bit safer. There should be a button you can access on the garage control (motor). You can use that to add or re-add a remote. Bonus tip: The Flipper can emulate some rolling code garage doors. Check out the “Add Manually” process.
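The three behaviours discussed in this thread (a simplex rolling code accepting a code captured out of range exactly once, a receiver locking out a transmitter after hearing already used codes, and a challenge-response key rejecting a recorded reply) as a toy simulation. This is an added example, not code from the thread or from any product: HMAC-SHA256 stands in for the real KeeLoq cipher, and the 16-press open window, the two-press resync window, and the lock-out-after-three-stale-codes policy are assumptions chosen to illustrate the points above.

```python
# Toy model of a simplex rolling-code remote and of a challenge-response key.
# Added example, not from this thread: HMAC-SHA256 stands in for the real KeeLoq
# cipher, and the window sizes and the stale-code lockout policy are assumptions
# for illustration, not the behaviour of any particular product.
import hashlib, hmac, secrets

def rolling_code(key, serial, counter):
    """4-byte code bound to the shared key, the remote's serial and its counter."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

class Fob:
    """Simplex remote: it only transmits (serial, counter, code) and never listens."""
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0
    def press(self):
        self.counter = (self.counter + 1) & 0xFFFF
        return (self.serial, self.counter, rolling_code(self.key, self.serial, self.counter))

class Receiver:
    OPEN_WINDOW = 16       # accept a counter up to 16 presses ahead of the last one seen
    RESYNC_WINDOW = 32768  # further ahead: require two consecutive counters to resync
    LOCKOUT_AFTER = 3      # assumed policy: this many stale codes in a row lock the serial out
    def __init__(self, key):
        self.key, self.last, self.pending, self.stale, self.locked = key, {}, {}, {}, set()
    def learn(self, frame):
        """Pairing: remember the remote's serial and its current counter."""
        self.last[frame[0]] = frame[1]
    def receive(self, frame):
        serial, counter, code = frame
        if serial in self.locked:
            return "locked"
        if serial not in self.last:
            return "unknown"
        if not hmac.compare_digest(code, rolling_code(self.key, serial, counter)):
            return "bad_code"
        delta = (counter - self.last[serial]) & 0xFFFF
        if 1 <= delta <= self.OPEN_WINDOW:
            self.last[serial], self.stale[serial] = counter, 0
            self.pending.pop(serial, None)
            return "open"
        if 0 < delta < self.RESYNC_WINDOW:
            # pressed many times out of range: accept only two consecutive counters
            if self.pending.pop(serial, None) == (counter - 1) & 0xFFFF:
                self.last[serial] = counter
                return "resync_open"
            self.pending[serial] = counter
            return "resync_pending"
        # counter at or behind the last accepted one: a replayed, already used code
        self.stale[serial] = self.stale.get(serial, 0) + 1
        if self.stale[serial] >= self.LOCKOUT_AFTER:
            self.locked.add(serial)
            return "locked"
        return "stale"

def key_respond(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).digest()

class ChallengeResponseCar:
    """Two-way key: the car transmits a fresh nonce, so a recorded reply is useless later."""
    def __init__(self, key):
        self.key, self.nonce = key, None
    def challenge(self):
        self.nonce = secrets.token_bytes(8)  # the car->key transmission a sniffer would see
        return self.nonce
    def verify(self, response):
        return hmac.compare_digest(response, key_respond(self.key, self.nonce))

def scenario_simplex():
    """Code captured out of range opens once; replaying it afterwards is stale and can lock the fob out."""
    key = secrets.token_bytes(16)
    fob, door = Fob(key, 0x00C0FFEE), Receiver(key)
    door.learn(fob.press())
    captured = fob.press()                             # pressed out of range: the door never heard it
    log = [door.receive(captured)]                     # attacker replays it: accepted
    log.append(door.receive(fob.press()))              # owner's next press still works: no desync
    log += [door.receive(captured) for _ in range(3)]  # the same code replayed three more times
    log.append(door.receive(fob.press()))              # under the assumed policy the real fob is now locked out
    return log

def scenario_resync():
    """Fob pressed far past the open window: the first press in range only arms resync."""
    key = secrets.token_bytes(16)
    fob, door = Fob(key, 0x1234), Receiver(key)
    door.learn(fob.press())
    for _ in range(100):
        fob.press()                                    # in a pocket, out of range
    return [door.receive(fob.press()), door.receive(fob.press())]

def scenario_challenge_response():
    """Recording the owner's reply and replaying it against the next challenge fails."""
    key = secrets.token_bytes(16)
    car = ChallengeResponseCar(key)
    recorded = key_respond(key, car.challenge())
    owner_ok = car.verify(recorded)
    car.challenge()                                    # next unlock: new nonce
    return owner_ok, car.verify(recorded)
```

In this model the stale code on its own never desyncs anything; what takes the genuine fob out of service is the assumed lockout policy, which is why the advice above to have a spare transmitter and know the relearn procedure matters. The resync scenario shows the other meaning of “desync”: a fob pressed many times out of range lands outside the open window and needs two consecutive presses before the receiver trusts it again. For the question of spotting challenge-response on the air, the observable difference is the `challenge()` step: the car transmits before the key answers, whereas a simplex remote is the only party ever transmitting.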