Request: Steel-line SD800 garage door opener ZT-07

Hi all,

This is the garage door opener I am looking to have copied or emulated.

Here are the capture files:

Zt07_btn1.sub (74.3 KB)
Zt07_btn2.sub (68.8 KB)
Zt07_btn3.sub (57.7 KB)
Zt07_btn4.sub (57.9 KB)

I tried to replay a 1-button-press capture; the garage door did not open. I replayed a 10-button-press capture; the garage door was activated!

Regards,
K

Here are the images of the inside and outside of the opener:

Zt07_pairmode.sub (59.9 KB)

HCS300, it’s KeeLoq rolling code, replay won’t open your gate

Also Flipper is already able to “read” your protocol … it’s already decoded … This is the first file you posted … Try READ instead of Read RAW and you should see some data …

Interestingly, the gate reacted when I replayed the 10-button-press RAW. I tested a few more combinations and found that a RAW recording of two 1-second button presses would work beautifully.

Flipper did not allow me to save because it is a rolling code.

I.e. repeating 2+ sends makes your system fire even though it is a rolling code. That’s how I am “safety”

“Secured”

I’ve seen so far systems with KeeLoq that don’t care for the hopping/rolling code: as long as you send the fixed key the device unlocks/opens, even if you repeat the same hopping key/code over and over again. Also, if you have a combination of sequential hopping codes, the device might re-sync to your Flipper/raw capture and unlock/open, as the device might think it lost its state/count.

If the raw files were saved with the remote away from the gate, just use Flipper to send the saved file several times and see if it does work. There is the possibility of Flipper capturing several hopping codes sent by the original remote, and re-sending the same raw with, for example, 10 hopping codes just works because even if the first codes are discarded, the others that follow are accepted. You have a problem if you use your original remote to open and your saved sub from a day ago still works …

It cannot be! It’s a “security” code. Like so, Flipper against illegal use

But for that, somehow Flipper shouldn’t save the raw files when a rolling code is present, yet it does. So it’s easy, even with official/stock firmware, to send a security rolling code (as raw).

I do not believe in censorship at this level.

Okay, the results are in: the two 1-second button press raw capture works all the time.

It means your system is susceptible to a “re-sync” attack

Your Cnt is 0000 and I don’t think it’s a re-sync problem … it’s worse … I think your system is just using the Fix key, so it works like a fixed code system … same as my tobacco machine … if you were to send the same Hop+Fix, most likely the gate would open as well … But it’s just my bet … we can test this when I do arrive home later today … I can make a file for you to test with a single/same code/key. If it works all the time, your system is in fact a single key one …

EDITED - Ok, @k1048576, I did send you a message. Please check private messages. Thanks.

Thank you!

I believed that the system is susceptible to a resync attack.

(a) The two 1-second button press replay always worked.
(b) A rolling code recorded while the remote was away worked once, and once every time after (a) activated the gate.

EDIT: after the original remote activates the system, the recorded rolling code emulation did not work.

K

That is strange, because using the original remote should invalidate “older” codes, so it makes no sense that you use the original remote and a saved code will work again … The point of rolling code is also to prevent code re-use …

Ok … this:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj7wIusxfv5AhUbhc4BHYqfC9kQFnoECBoQAQ&url=https%3A%2F%2Fww1.microchip.com%2Fdownloads%2Fjp%2FAppNotes%2F91002a.pdf&usg=AOvVaw0FgFoGL_4QTTK_A5mvtbQV

The KEELOQ algorithm also features sophisticated synchronization techniques. The system will continue to function even if the transmitter is activated repeatedly while not in range of the receiver (as would happen if a child played with the remote control). If a button is pressed out of range more than 16 times, synchronization will be lost. However, two successive transmissions in range will restore synchronization. When no response occurs to a transmitter operation, the user’s natural reaction is to press the button a second time. Synchronization will be restored when he does. Operation is totally transparent — the user may not even become aware that synchronization has been lost and restored.

Should work on ANY KeeLoq. Just save a raw file with 2 consecutive presses of the original remote … this will work every single time to unlock your system, because the system will re-sync to the Flipper raw saved on a past count … and then you will do the same with the original remote to re-sync to a future count …
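An added example, not Flipper, Microchip or any poster's code, modelling the receiver-side counter windows the quoted application note describes, so a reader can check which counters such a receiver accepts. It assumes a 16-bit synchronization counter, a 16-count open window accepted on a single press and a 32K resync window that needs two consecutive counters; a counter at or behind the stored value is outside both windows, so a raw recording only activates this receiver while its counters are still ahead of the stored one.

```python
# Added example, not Flipper or Microchip code: a model of the receiver
# counter windows the quoted KeeLoq application note describes. Assumed
# parameters: 16-bit counter, a 16-count open window accepted on a single
# press, and a 32K resync window that needs two consecutive counters.
COUNTER_MOD = 1 << 16
OPEN_WINDOW = 16          # counts ahead of stored, accepted on one press
RESYNC_WINDOW = 1 << 15   # counts ahead of stored, needs two consecutive presses


class Remote:
    """Transmitter: each press increments the counter, in range or not."""

    def __init__(self, counter):
        self.counter = counter % COUNTER_MOD

    def press(self):
        self.counter = (self.counter + 1) % COUNTER_MOD
        return self.counter


class Receiver:
    """Receiver: validates every received counter against the stored one."""

    def __init__(self, stored):
        self.stored = stored % COUNTER_MOD
        self.pending = None  # first counter of a possible resync pair

    def receive(self, counter):
        """Return True if this transmission activates the receiver."""
        delta = (counter - self.stored) % COUNTER_MOD
        if 1 <= delta <= OPEN_WINDOW:
            self.stored, self.pending = counter, None
            return True
        if OPEN_WINDOW < delta <= RESYNC_WINDOW:
            # Past the open window: accept only as the second of two
            # consecutive counters (the user's "press it again").
            if self.pending is not None and counter == (self.pending + 1) % COUNTER_MOD:
                self.stored, self.pending = counter, None
                return True
            self.pending = counter
            return False
        # delta == 0 is a replay of the last accepted code; a larger delta is
        # a counter behind the stored value. Neither one resyncs the receiver.
        self.pending = None
        return False


def replay(receiver, capture):
    """Feed a captured counter sequence (a raw recording) to the receiver."""
    return [receiver.receive(c) for c in capture]
```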