Flipper Zero - Rolling Codes Part 1 : Security+1.0
ฝัง
- เผยแพร่เมื่อ 3 มิ.ย. 2024
- This is part of a series of videos about rolling codes on the Flipper Zero. When possible, I'm using official firmware, but in some videos, I may modify a few lines and recompile. This first video explains the concept of rolling codes & then looks at the details of Security+1.0 codes.
Only use on hardware you own (if you rent, it's probably NOT okay to mess with). Only use on hardware that you don't rely on (if you can't pay to get it fixed, don't mess with it).
I haven't been able to find a lot of hardware to test on, so I'm typically relying on the Flipper Zero software implementation for reading/sending and understanding the protocols (which may not exactly match production hardware). I'm still new and learning about the various protocols, so please leave a comment if you know more updated information. If you want to have a dialog, my Discord server is probably the easiest way to communicate.
Timeline:
0:00 - Introduction
0:25 - Educational use only
0:44 - Lock picking rules
0:57 - Rolling code rules
1:58 - Static code
2:22 - Dynamic code
2:35 - Rolling code
3:12 - DANGER - Don't REPLAY/FUZZ codes!
4:30 - Security+1.0 on the Flipper Zero
6:39 - Security+1.0 intro
7:50 - Security+1.0 details
9:23 - .SUB files update "Key" on send
10:41 - Summary
Discord: / discord
Ko-fi: ko-fi.com/codeallnight - วิทยาศาสตร์และเทคโนโลยี
i subscribed not only for the quality content but mainly for when I started in the middle of the series and you told me to start at the beginning AND YOU HAD A PLAYLIST EASY TO FIND WITH ALL THE VIDEOS
If it CAN be screwed up, generally I WILL screw it up. 🤣 Thx for the help to avoid that.
PLEASE don't mess with production rolling codes & desync your remote! Later this month I'll have an app you can run on a 2nd Flipper to practice rolling codes & hopefully September I'll have an app that can run on less expensive hardware (probably ESP32-S2/Arduino Uno + CC1101 + some screen [or serial port]).
My first couple of videos are going to help just understand what all the displayed fields are, then we can start to go deeper into one of the protocols. Then we can continue looking at more protocols.
I bought hardware for KeeLoq, so I can make a few videos on that one. If you know where I can buy inexpensive receivers in the US (garage door openers, gate controllers, etc.) that the Flipper Zero can Read, please let me know. If there is a particular rolling code protocol from github.com/flipperdevices/flipperzero-firmware/tree/dev/lib/subghz/protocols that you are interested in, let me know that too!
Don't forget to join my discord channel for more conversations and giveaways... discord.com/invite/NsjCvqwPAd
Thanks again for subscribing to my channel!
I have a theoretical question: If one key fob (rolling codes) is programmed to be used for 2 cars (of the very same model and configuration), which is possible with the OEM dealer software, what would be the negative implications from technical perspective?
Such pedagogy ! Thanks for clean and clear explanations ! 🤘
And also wanted to add that for those whose english is not native-language (like the 🐸I am XD), yours is crystal-clear and easily understandable.
Keep on going !
Thanks. I typically also try to close caption my videos (but sadly I don’t think the machine translation for other languages use my English captions).
Thank you for sharing your knowledge
You're welcome. It's been fun learning. If you have questions about Sub-GHz, the best place to ask is my discord server -- discord.com/invite/NsjCvqwPAd
I also wrote a wiki, which I hope to improve over the holidays. github.com/jamisonderek/flipper-zero-tutorials/wiki/Sub-GHz
Excellent presentation, thank you
Glad it was helpful!
Amazing Video! ❤ Thank you so much
Glad you liked it!
I'm still a noob and learning all this stuff. This protocol is somewhere along the "encoded", "obfuscated", "encryption" spectrum... perhaps it is more accurately described as "obfuscated". The algorithm doesn't use a key, so if people know the complex reordering bit scheme, they can reverse any data sent with this protocol.
If it's that easy to screw up your remote, it's a DoS, so that's a vulnerability in itself.
It’s manufacture specific; but I agree. I keep asking people for recommendations on where to buy different receivers to try it out. So far the receiver I have does KeeLoq but is susceptible to replay attack. I have another two receivers on the way. I’ve heard Genie (intellicode) seemed to get in a strange state when replaying past codes from ReadRAW - but the units are $60+ so I think I’ll probably try eBay after defcon to see if I can get a remote + receiver for cheaper.
Brilliant video thanks
Thanks. Next Saturday I'm releasing a video that goes into *way more detail* on the actual encoding (from a RAW file all the way to decoding all the data & forming a valid Sec1.0 SUB file). I'm on the 5th video about rolling codes, and some feedback I got was people are ready to hear the encoding details. I think it will likely also cover Security 2.0 -- which makes for a long video, but it's still interesting to contrast the two protocols. (Now that I've learned about them both.)
Hi Derek! I wanted to ask you how you took the second packet in this video and converted the 20 trit long packet and got it into the form of E6000044? Moving between the trit of the serial of the "FOB" to decimal or Hex made sense but I haven't figured out how you converted the original two packets into 63A5EB6D and E6000044. Anyways, thanks for making the video and would love if you did a companion for Security+ 2.0. Cheers
I'll try to do one on Security+ 2.0 in a few weeks.
You ask a great question about the conversion! I have a spreadsheet that explains it, but I didn't think it was appropriate to discuss in this introduction video. Join my discord at discord.com/invite/NsjCvqwPAd and ask there, and I'll share the spreadsheet.
The basic idea is each digit alternates between rolling and fixed. For rolling, it's we just use the {digit from the packet} (base 3). But when we get to the end, we invert all of binary bits and come up with the hex value. For both rolling and fixed we increment an accumulator with the last digit we figured out. But for fixed, we calculate the digit using the formula (60+{digit from packet}-accumulator) and then take the result divide by 3 and use the remainder (so the digit is 0,1 or 2). I think the spreadsheet I created explains it better. If you are familiar with reading code, then github.com/flipperdevices/flipperzero-firmware/blob/b90e2ca3426cf4c3e7bf6360e010b7aed71e6e41/lib/subghz/protocols/secplus_v1.c#L366 probably explains it even better!
I think the actual decoding may be wrong in the slide, since I was just learning.
Thank you for sharing 👍👍👍
Thanks for watching. I have a playlist of rolling codes videos - th-cam.com/play/PLM1cyTMe-PYJfnlDk3NjM85kU5VyCViNp.html
So, is it possible that you could overwrite a .sub file with a future count on the key, and then emulate that signal to unlock a device that is looking for that next count?
Yes, but typically the encoding or encryption makes it difficult to figure out what the key should be (assuming it’s looking for a count within 16 ahead of where you are). In some cases where Save is disabled, I can Read a signal (write key down on paper), then edit my .SUB file with key & it resumes from there using the proper fix (SN+BTN) code. Of course, now you risk desync the device; which is probably why save was disabled in the first place.
Any chance you could play around with genie intellicode? Community has been talking about a missing manf key
Even with the MF key, there are additional steps that would have to be figured out, since it's a custom configuration. Read more here...
forum.flipper.net/t/intellicode-2-code-dodger-2/3389/35
Also, intellicode uses a version of KeeLoq, so this video applies more (th-cam.com/video/x4ml1JAH1q0/w-d-xo.html). I'm just learning in so many areas. I have a lot to learn around crypto and other areas, it would take a huge effort & potentially get misused by the community.
What I think *might* be possible would be to create some roll-forward sequence codes tied to a Sn and then program those into a Flipper Zero. Then you could pair your Flipper as a remote and then use a custom app to do roll-forward sequences. I could do a proof-of-concept and share the files (but then my subscribers would all have common Sn, which isn't great). Maybe I can teach how they can tear apart their own remote to create the files?
Join my Discord server (discord.com/invite/NsjCvqwPAd) and let's continue the conversation!
Super!
Thank you! Cheers! This Saturday video is similar but on KeeLoq (DoorHan) protocol.
cool
Im having troubles with nfc and the door reader isthis kinda the same principle?
I haven't looked at NFC yet, so I'm not sure how that protocol works. In October I plan to start learning NFC and RFID, but my understanding is there are lots of different standards in that space.
You can ask in my Discord channel (discord.com/invite/NsjCvqwPAd) and maybe Zve8, Bettse or someone else that knows way more about nfc can answer your questions. I'm interested to learn more about real-world issues you are encountering (so I can cover the topic in a future video).
How did you learn that this the 42b was in base 3?
I'm studying the firmware of the Flipper to understand so I can teach this video series, since I know nothing about rolling codes before doing this series. Both Security+1.0 and Security+2.0 use base 3 numbers. Maybe in my next video on Security+2.0 we can geek out more and discuss the encoding (or decoding) part & differences between the two algorithms, if you think that would be helpful?
Here is the line in Security+1.0 that I concluded it was base-3... github.com/flipperdevices/flipperzero-firmware/blob/52b59662627254ae5ccde6201b5c4921573fc769/lib/subghz/protocols/secplus_v1.c#L368
Also, feel free to join my Discord server, if you haven't already. The #general channel is a great place to ask more in-depth questions you may have about encoding/decoding.
discord.com/invite/NsjCvqwPAd
@@MrDerekJamisonamazing thank you for the response! I’m eating this stuff up
did you ever make the app?
I made a "Rolling Flaws" application, which enabled a Flipper to act as a KeeLoq receiver. You can then choose the flaws to enable, size of window, replay attacks, etc.
You can read more about it on my GitHub...
github.com/jamisonderek/flipper-zero-tutorials/tree/main/subghz/apps/rolling-flaws
Can you do video that uses this with i button. i button is very useful.
Is there a particular iButton device you are thinking about? All I have is a DS18B20 (which does give a fixed id + temp data) and a Java One ring (I haven't try accessing the Java side of it).
@@MrDerekJamison the one that can read KEYFOBs
What about security+ 2.0
Great question. Security+ 2.0 is covered in the 5th video in my rolling codes playlist...
th-cam.com/play/PLM1cyTMe-PYJfnlDk3NjM85kU5VyCViNp.html
anyway to brute force it? its a 850 LM Security +2.0 390 Mhz@@MrDerekJamison
@@WPGinterceptor460InterceptorIf you capture one signal with CFW firmware (like RogueMaster) it will be able to play all future signals. Brute forcing to discover both the FIX and HOP code would take a really long time.
Looks like the big companies want make money because if a lot of cars get dsynce they have a solution for it and they will share high prize pure buisness
As the manufacturer, it’s not obvious what you should do when you detect a replay!/rollback. Balance between security, convenience, etc. most cases owner is going to fix the symptoms & never understand what happened. Hopefully some TH-cam channel posts how to resync that model of receiver. 😀