Identification of the wireless protocol of a car key fob

As a continuation of my previous post, I will use HackRF One with Universal Radio Hacker (URH) software for the quick identification of the wireless protocol used in my car remote key fob. 

Since I didn't know the transmission frequency of the fob, I first used HackRF Spectrum analyzer software to identify its frequency. Here in Europe the more probable frequencies should be in the range of 433 MHz, 868 MHz or 915 MHz ISM frequencies, so I configured a frequency span from 400 MHz to 1 GHz. 

I let the analyzer start the scan and pressed the buttons of the key fob to transmit the data. The transmission appeared very clear at the frequency of 434 MHz. I noted this frequency to be used with URH software. 


Then, I launched URH software and started with its Spectrum Analyzer to the fine identification of the transmission frequency; in this case 434,408 MHz. 


After that, I captured a couple of transmissions for each of the three buttons of the fob using the "Record signal" function of URH. These signals are added automatically to the "Interpretation" tab of the URH program.



URH automatic detects the parameters of the signal, which in this case has OOK modulation (ASK modulation in URH), and with 600 Samples/Symbol, etc.


Now it is interesting to change the "Signal View" mode to "Demodulated", in order to see the signal translated as bits. 

Looking to the demodulated signal, it is easy to identify that it is encoded using differential Manchester, also called biphase mark code. A lack of transition at the clock tick means a '1' and a transition at the clock tick means a '0'. 

E.g. the captures below show the demodulation of the latest bits for the three buttons (two traces for each button). Apparently, the latest six bits identify the pressed button.


Using the "Analysis" tab of URH, the signals are automatically decoded. I selected "Differential Manchester" as Decoding mode and "Hex" as "View data as". From these results, it appears that there is a common preamble, changed data that it is likely the pseudo-random rolling code, and the latest bits are the identification of the button as explained above. 

Conclusion

This post shows a basic usage of URH and how it facilitates the identification of a simple wireless protocol.

Comments

Popular posts from this blog

Software arsenal for the HackRF One

Simple impedance meter project with STM32F4 Discovery board

Python notebooks and the SARK-110 Antenna Analyzer