lol security tip. don’t send emails saying what can be done…
btw nice job

A grand majority of modern garage door openers from the last 20 years implement a rolling code security measure. This will never give you the same code twice. It’s highly unlikely that you will be able to predict the next code in the sequence without massively reverse engineering the opener.

Just saying.

It would be nice if you could have slots for different codes. So if you have more then one opener (one for the gate, the garage, the office) you can record more then one code and ditch 3 remotes for 1

You’d be surprised at how many of those older openers are still out there. Mine was just replaced a few months ago, it used a static 12bit key.

How about spamming all 2^12 possibilities on the various frequencies used by popular openers? The neighbors would love that.

Seems to me like picking the basement door deadbolt is a much faster, reliable, and subtle approach.

It’s scary how cheap a set of decent picks is, and how easy it is to learn to use them.

@than
read books/internet resources and find someone to teach u o ya and WANT that wish to come true :)

Another thing I should point out is the total lack of publicity about seeing keeloq busted. If your remote-keyless-entry fob for your car says “TRW” on the back then you are vulnerable (Hint: if you drive a Chrysler, Dodge, or several others). Of course, it’s still way easier to smash a window, but this has received no press at all.

Knock out the cheap/flimsy plastic window, and pull the chain release hanging nearby…

nice work, but please focus your pictures before sharing them. I strain my eyes enough.

thanks for the related keeloq info dosman.
–PidGin128

And I thought I was the man for buying another remote control and copying the switch settings over to get two cars into our communal park.

Not saying it was anything special but it made me feel pretty sharp. Till now that is…

Why use this to break into a house?

If you walk up to a house and hit (what appears to be a garage door opener) the neighbors will probably just assume that you are friends of the people who lived there. As long as the residents are out people probably wont even care.

Now this is a hack in the true sense of the word. Well done Hackaday for putting this up and well done to James for this extraordinary bit of kit.

@dosman
KeeLoq being “broken” does not entirely mean that it is insecure.

For the rolling codes used in rke for key fobs and garage door openers, there are three valid attacks: First, a side-channel attack which requires physical access and works mostly on pre-1996 devices. Second, a birthday paradox-based attack to attempt to guess the correct slot for the rolling codes (works relatively well as the code space is ~64K, and with a valid code window of 16 we AT MAX have to try ~4K codes). Third, jam the signal to prevent the car from locking. None of these are really that fantastic of a break.

In any of these cases, that is alot of work to do when a good-sized rock through the window will get you into the car just as effectively.

The real break has to do with STEALING cars. For almost all cars manufactured in the last decade, the keys have a tiny .5″x.25″x.1″ rfid-type micro in them. The car sends this micro a random 32-bit plaintext and the micro responds with a 32-bit cyphertext, if the cyphertext is valid, the immobilizer releases. The break occurs if a third party sends the micro 65536 plaintexts and receives the resulting cyphers back (takes ~1hr). Then, using a cluster it is usually possible to get the encryption key from this (you have a ~65% chance of success). Additionally, some manufactures obtain the encryption key from combining a model-specific manufacturer’s code with the serial # from the key (the micro will give the serial # up if you ask it). If this is the case for the key you cracked, then you can obtain the manufacturer’s code, and get the encryption key for all other cars of this model just by asking the micro what its serial # is. Once you are around the immobilizer, you now need a way to start the car (photographic reproduction of a key, bump keys, hot-wiring the ignition, etc). Note – this method works for some rki systems as well.

Nice project, neat setup, but not hardly new. KeeLoq was busted a while back. Here’s the decoding datasheet on it: http://www.keeloq.boom.ru/decryption.pdf

@Dave0:

Certain vehicles, like many Chrysler/Dodges, have a system to record and playback 3 different garage door opener codes. The system is called HomeLink (homelink.com).

Not much more I can tell you, the code was done in AVRStudio and the schematic and layout in kicad, I used a standard garage door receiver that receives a 12 bit code, the receiver has active low logic levels. Rest you can get from the code and schematic.

Nice I’am a Repo man in colorado need info for scanner R.F transmitter/scanner code grabber for fixed 12 pin security gates. Would love some other type of application for rolling algorithm’s. taw22576@yahoo.com

Please contact me, I have something to propose you :)

Anyone know where to get the source files? The links are dead

I have a security gate opener in my possession that opens the common access gate for apartment complex. The one in my possession belongs to my room mate, and I simply want to dupe it so I can have one too. The homeowners association wants $275 for a new one, fuck that.

When I open it up and look at the wafer its very simple, but must be using a fixed code as there are no bit switches or interface ports. The plastic case says 418 MHz, the name of the company that issued it, and a sticker with a serial number AND a number marked ‘Code:’. I’d greatly appreciate advice, it sounds like the people posting here would know. Thank you!