Keeloq KL Unknown without save option

Sn4yKeR · January 11, 2023, 12:24am

Hello everyone! as the newbie i am, for my first post i’ve a question and not a contribution.

btw, I want to thank the devs for such a great job with this amazing device.

I am trying to decode my garage door remote, it uses 433.92 hz modulation AM270, when I use the “read” option, every time i press the button it detects a code, but seems to be Keeloq codes (Dynamic/Rolling codes if i am correct)

Most of the codes it detects are “KL Unknown [hexa code]”, only a few codes have the MF: as Leopard, Mutancode, Reff, etc.

Seems like the Save option is not available for any of these codes.

Is it because current version can’t decode the protocol my remote uses to generate new codes?
Are you planing to enable the option for these kind of codes in the future?

I can provide the raw data and try to get more info about the remote. Would that help on anything?

Thanks!!

jmr · January 11, 2023, 2:54am

The code will change every time you press the button. Even if you capture the code it can’t be reused because it’s rolling code.

With that said there is a process by which you can add your Flipper as an extra garage remote. Have a look at Sub-GHz add manually. You will first need to identify the details of your remote. Things such as the FCC Id and pictures will help.

Sn4yKeR · January 11, 2023, 10:29am

Hey! thanks for replying!!

i’ve opened the remote to check de chips it uses and this is that i saw

And these are the codes i see when i use the Read option

So, do you think there is a chance to add it manually? I will check how to do it later on

Thanks again

Spildit · January 11, 2023, 6:15pm

For security reasons and others official firmware doesn’t allow to save/replay rolling codes.

jmr · January 11, 2023, 10:36pm

That was the info we need to identify it. I’m not sure if the Flipper can handle it though. That looks like a pretty secure chip which uses challenge and response.

The HCS410 is a code hopping transponder device designed for secure entry systems. The HCS410 utilizes the patented KEELOQ® code hopping system and bi-directional challenge-and-response for logical and physical access control. High security learning mechanisms make this a turnkey solution when used with the KEELOQ® decoders.

Sn4yKeR · January 12, 2023, 9:43am

I’ve saved raw data for 15 clicks, and then i’ve sent the raw signal next to the gate, after a few seconds, it could open the gate, it did it only twice (from 10 attempts).

If it is such as a secure system as you say, that’s great (i am glad my building garage is safe heheh)

I will have to contact the company to buy an additional remote…
the “programming” of additional remotes cost like 70 dollars each (remote included)…

Thanks for replying!

jmr · January 24, 2023, 10:16am

That is interesting. Raw data should not be able to open it due to the challenge response. Think of it an ever variable in a math problem but you only get to see the answers.

Your remote would send a Rolling code.
The gate has a list of codes and never accepts any code twice.
If the gate recognizes a valid code so it picks a random number.
5748689

The gate does some math and sends the result.
64499432440

The remote then does some math on that number and sends a reply.
5748689

The gate recognizes the number it started with and opens. The problem is the process starts over with a new rolling code and a new random number. So if you replayed the signals you recorded nothing would happen. Only the remote and gate know the secret formula. The formula is the actual key but it was never transmitted. If you were able to open the gate even once with raw data something isn’t set up right.

For the sake of the example I actually created formulas. My formula was extremely simple but very difficult to reverse.
(random number*7159)+23344567889

Their formulas are much better.

maqumih · January 27, 2023, 7:31pm

Actually, not. Just plot knows pairs, challenge as X and response as Y.

Maybe it’s the same trick that works for normal KeeLoq - trigger resync.

jmr · January 28, 2023, 12:37am

It’s easy when you know the integers and operators but you wouldn’t know any of that in the real world. We can test your theory if you like. It’s not a trivial task since the random number changes with each transmission.

maqumih · January 29, 2023, 5:45pm

In real world it is hard, but I’m talking of

, not of real protocol.
Some of the real crypto have failed in similar ways though, IIRC.

jmr · January 29, 2023, 10:58pm

Feel free to recover the keys. This shoul be very easy compared to the real thing.
685101480925443497727
1778286104
909291162784667029935
2360204900
2545529195590417779603
6607312341
3139727727245167093119
8149646008
1765015312087140088983
4581368526
2633606905117603203123
6835931581
830657895021358944963
2156100161
3134869889856049728447
8137036744
1867068858926232518883
4846264201
1217924674314301840551
3161310642

maqumih · January 31, 2023, 6:01pm

385259392548 * random_number + 56721853944735

jmr · January 31, 2023, 9:11pm

Great job!

import random

x = 0
while x < 10:
    a = random.randint(1000000000, 9999999999)
    b = a*385259392548+56721853944735
    print(b)
    print(a)
    x += 1

maqumih · February 1, 2023, 6:50pm

Wanna invent something harder?

jmr · February 1, 2023, 10:42pm

I wouldn’t know where to stop. A game like that needs rules or it could out of hand.

maqumih · February 2, 2023, 6:33pm

I don’t see how it can get out of hand, but let’s err on safe side and stop now then.

jmr · February 2, 2023, 10:47pm

I just mean I could go a bit nuts without limits and it might not be fun anymore.