This “exploit” works with ALL Azkoyen Step machines in Portugal (Europe) and most likely can be applied far more widely.
I will call this a SINGLE CODE CAPTURE / RE-SYNC / REPLAY ATTACK!
Machines are locked so that children / underage people can’t buy from the machine. It uses JCM Gen1 Neo/Sagem (Tabaco) KeeLoq!
How to attack (does work on ALL machines, at least in Portugal):
- Set Flipper to READ RAW. Set frequency to 433.92 and set modulation to AM650.
- Capture a SINGLE press of the original/working remote and save it.
- To unlock the machine, replay the captured data 2 or 3 times. The machine will be unlocked even if the current status of KeeLoq is way further on than the capture.
With non-official firmware:
- Set Flipper to READ on 433.92/AM650 and capture A SINGLE KEELOQ SEQUENCE/CODE. Save it.
- Just re-send the code 2 or 3 times. Same code, no need to have a valid sequence. Having 1 code is enough.
- Machine will unlock.
“all of your tobacco are belong to us”
- This is even worse than what I was expecting, as I was expecting to need a sequence of valid KeeLoq codes to execute this “attack” / re-sync, but it does look like the machine re-syncs on a single code as long as it’s valid and that code is within the margin of allowed codes once re-synced, so when you manage to press the same code 2 or 3 times it will re-sync to that and the machine will now accept that single/same code without needing to re-sync. Only if you use the original remote to advance the sync count will you need to send the same captured code 2 or 3 times for it to be valid again, and so on …
A single valid code can be re-used … FOREVER.