Identification of the wireless protocol of a car key fob

As a continuation of my previous post, I will use HackRF One with Universal Radio Hacker (URH) software for the quick identification of the wireless protocol used in my car remote key fob. 

Since I didn't know the transmission frequency of the fob, I first used HackRF Spectrum analyzer software to identify its frequency. Here in Europe the more probable frequencies should be in the range of 433 MHz, 868 MHz or 915 MHz ISM frequencies, so I configured a frequency span from 400 MHz to 1 GHz. 

I let the analyzer start the scan and pressed the buttons of the key fob to transmit the data. The transmission appeared very clear at the frequency of 434 MHz. I noted this frequency to be used with URH software. 


Then, I launched URH software and started with its Spectrum Analyzer to the fine identification of the transmission frequency; in this case 434,408 MHz. 


After that, I captured a couple of transmissions for each of the three buttons of the fob using the "Record signal" function of URH. These signals are added automatically to the "Interpretation" tab of the URH program.



URH automatic detects the parameters of the signal, which in this case has OOK modulation (ASK modulation in URH), and with 600 Samples/Symbol, etc.


Now it is interesting to change the "Signal View" mode to "Demodulated", in order to see the signal translated as bits. 

 
Looking to the demodulated signal, it is easy to identify that it is encoded using differential Manchester, also called biphase mark code. A lack of transition at the clock tick means a '1' and a transition at the clock tick means a '0'. 

E.g. the captures below show the demodulation of the latest bits for the three buttons (two traces for each button). Apparently, the latest six bits identify the pressed button.


Using the "Analysis" tab of URH, the signals are automatically decoded. I selected "Differential Manchester" as Decoding mode and "Hex" as "View data as". From these results, it appears that there is a common preamble, changed data that it is likely the pseudo-random rolling code, and the latest bits are the identification of the button as explained above. 

Conclusion

This post shows a basic usage of URH and how it facilitates the identification of a simple wireless protocol.

Comments

Post a Comment

Popular posts from this blog

Software arsenal for the HackRF One

Image
HackRF One , from Great Scott Gadgets, is a Software Defined Radio (SDR) capable of transmission or reception of radio signals from 1 MHz to 6 GHz, supporting sample rates up to 20 Msamples per second. This is a powerful tool for radio experimentation, it is cheap, and compared to cheap RTL SDR dongles, it has the capability of transmit. There are tons of information in the web about this device and SDR in general and I suggest to start with the wiki , but it is not that easy to identify what software would be the more adequate to the particular needs and the specific issues for installing on Windows platform. I expect that this post would help you on this. Note that you are responsible for using your HackRF One legally! Zadig The first step for using HackRF One on a Windows computer, will be installing the required USB drivers using Zadig application. Downlad Zadig (note that SDR# Community Installer already includes it) and follow the instructions below: (1) Connect th
Read more

Simple impedance meter project with STM32F4 Discovery board

Image
This post describes an experimental software-based impedance meter project that uses the STM32F4 Discovery board with very few additional components. The meter operates at a fixed exciting sinusoidal frequency of 59659 Hz, and it is capable to measure the impedance vector of a load, i.e. its resistance and reactance. A measurement is initiated by the user by pressing the blue button of the board and the readings are output to a terminal emulator program through the USB interface. The measurement principles are based on the article "An LMS Impedance Bridge – QEX Sept/Oct 2015" from Dr. George R. Steber. The project and source code is available at the following link . It is assumed that the reader has background in the STM32 environment. Overall operation The block diagram of the illustration below shows the basic building blocks of the meter. The capacitor and resistor in addition to the interconnection elements, are the only external components required. Howeve
Read more

Acoustics Emanation Tool

Image
Mechanical PIN-Entry keypads such as the used in secure payment terminals, ATMs, keypad lock on door, etc; can be vulnerable to attacks based on differentiating the sound emanated by different keys. The sound of button clicks can differ slightly from key to key, although the sound of clicks sound very similar to the human hear. Several research studies have demonstrated that it is possible to recover the typed data from the acoustic emanations and has been a known source of concern and present a threat to user privacy; see the References section below. Besides, keypad emanations are specifically tested in the PCI SSC PTS security-testing process required for the approval of secure payment terminals. The "Monitoring During PIN Entry" testing requirement, verifies that there is no feasible way to determine any entered PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring . Precisely, thes
Read more