Identification of the wireless protocol of a car key fob
As a continuation of my previous post, I will use HackRF One with Universal Radio Hacker (URH) software for the quick identification of the wireless protocol used in my car remote key fob.
Since I didn't know the transmission frequency of the fob, I first used HackRF Spectrum analyzer software to identify its frequency. Here in Europe the more probable frequencies should be in the range of 433 MHz, 868 MHz or 915 MHz ISM frequencies, so I configured a frequency span from 400 MHz to 1 GHz.
I let the analyzer start the scan and pressed the buttons of the key fob to transmit the data. The transmission appeared very clear at the frequency of 434 MHz. I noted this frequency to be used with URH software.
Then, I launched URH software and started with its Spectrum Analyzer to the fine identification of the transmission frequency; in this case 434,408 MHz.
After that, I captured a couple of transmissions for each of the three buttons of the fob using the "Record signal" function of URH. These signals are added automatically to the "Interpretation" tab of the URH program.
URH automatic detects the parameters of the signal, which in this case has OOK modulation (ASK modulation in URH), and with 600 Samples/Symbol, etc.
Now it is interesting to change the "Signal View" mode to "Demodulated", in order to see the signal translated as bits.
Looking to the demodulated signal, it is easy to identify that it is encoded using differential Manchester, also called biphase mark code. A lack of transition at the clock tick means a '1' and a transition at the clock tick means a '0'.
E.g. the captures below show the demodulation of the latest bits for the three buttons (two traces for each button). Apparently, the latest six bits identify the pressed button.
Using the "Analysis" tab of URH, the signals are automatically decoded. I selected "Differential Manchester" as Decoding mode and "Hex" as "View data as". From these results, it appears that there is a common preamble, changed data that it is likely the pseudo-random rolling code, and the latest bits are the identification of the button as explained above.
Conclusion
This post shows a basic usage of URH and how it facilitates the identification of a simple wireless protocol.
Comments
Post a Comment