Unlocking AZKOYEN STEP (Keeloq) with Flipper :

Spildit · October 10, 2022, 6:07pm

This “exploit” works with ALL Azkoyen Step machines in Portugal - Europe and most likely can be applyed way more widely.

I will call to this a SINGLE CODE CAPTURE / RE-SYNC / REPLAY ATTACK !

Machines are locked so that children / underage people can’t buy from the machine. It uses JCM Gen1 Neo/Sagem(Tabaco) KeeLoq !

How to attack (does work on ALL machines at least in Portugal) :

Set Flipper to READ RAW - Set frequency to 433.92 and set modulation to AM650.
-Capture a SINGLE press of the original/working remote and save it.
To unlock the machine replay the captured data 2 or 3 times. Machine will be unlocked even if current status of KeeLoq is way further from captures.

With non-official firmare :

Set flipper to READ on 433.92/AM650 and capture A SINGLE KEELOQ SEQUENCE/CODE. Save it.
-Just re-send the code 2 or 3 times. Same code, no need to have a valid sequence. Having 1 code in enought.
-Machine will unlock.

“all of your tobacco are belong to us”

lol

This is even worse of what i was expecting as i was expecting to need a sequence of valid keeloq codes to execute this “attack” / re-sync but it does look like machine re-sync on a single code as long as it’s valid and that code is on the margin of allowed codes once re-sync so whe you manage to press 2 or 3 times the same code it will be re-sync to that and machine will now accept that single/same code without need of re-sync. Only if you use original remote to advance on the sync count you will need to send the same captured code 2 or 3 times for it to be valid again and so on …

A single valid code can be re-used … FOREVER.

Spildit · October 14, 2022, 5:01pm

Spying on your competitors with Flipper !!!

Install the JCM_Tech manufacturer key on your flipper and now you will be able to emulate AZKOYEN keyfobs and check the counter of the keeloq.
Go in the morning to a coffee shop and ask for tobacco, use Flipper to READ the signal and get the counter of the keeloq.
Go there in the night and do the same.
Subtract the value in hex of the counter and you will know how many times the machine was activated during the day, and more or less know how many tobacco was sold by the machine.
Do the same in several coffee shops on your local area. You will know the ones who are selling more !!!

Mareg74 · October 16, 2022, 1:01pm

Where can we find this one ?

Spildit · October 16, 2022, 2:11pm

Not allowed here. Please check PM.

percypogi · November 6, 2022, 9:36am

Please would u mind sharing? Thanks

Lapty3l · November 6, 2022, 1:50pm

Hello !
I’m also interested in having the MF key of JCM Tech…
Thanks a lot !

Spildit · November 6, 2022, 3:00pm

Official firmware devs already have access to this info/keys so it’s up to them now to implement them (or not) on flipper official firmware. Regards.

EAV · December 3, 2022, 6:20pm

I just checked the frame and it is from an AZKOYEN controller manufactured by JCM TECH

Spildit · December 5, 2022, 8:39am

Yes, it is.

EAV · December 5, 2022, 11:27am

I am interested in having the program to program the PIC16F630 of the AZKOYEN receiver.
Due to a programmer error (manufacturer) the KeeLoq counter is lost…

Spildit · December 6, 2022, 6:34pm

Counter isn’t an issue as long as you still have original remote.
Those machines don’t care about counter at all. You only need to send a single valid code even if it was already sent… You need to have correct key on reciever that match remote. Just that.

YaBaPT · December 26, 2022, 11:26pm

Hi, Portuguese here too. Mind sharing? Thanks.

Spildit · December 27, 2022, 12:26pm

Please check PM !

thomasr · February 5, 2023, 12:10am

Hello Spildit, c

thomasr · February 5, 2023, 4:48pm

Hello all,
Can il have jcm Keys for garage Doors wirh Rolling code please ?
Thanks

jmr · February 6, 2023, 12:01am

What a careless implementation. Who are these people? Honda? /teasing

Spildit · February 6, 2023, 6:40pm

It’s available on non-official firmware. Just check firmware repository and you will find it.

Natbeau · May 3, 2023, 4:55am

Hi Spildit!

Thank you so much for knowledge sharing.
can I have MF key of JCM Tech Please ? THANKS !

Spildit · July 31, 2023, 9:30am

it’s available in non-official firmware not supported here. simply goolge for it.

also for those machines you don’t need the rolling code at all. as long as you have a single valid keeloq code you are ok so you can simply record a raw signal from a valid remote and use that as long as you want.

They don’t care about security, the more someone bypass it the better as they will selll more tobacco lolololioliol

it’s just done to prevent kids from using the machine.