Hacking Toyota’s super duper fantastical secure rolling-code Key Fob.

45,119 views

TINYTX INC.

1 day ago

A few hundred dollars plus a few custom lines of code: that's all it takes now to swipe a brand-new vehicle off a driveway.
The system for locking and unlocking cars remotely is called Remote Keyless Entry (RKE), and it's more complex than it might seem. Each button press is unique, which prevents an attacker from simply recording you hitting the unlock button and playing it back later.
RKE systems use a rolling code, which is widely regarded as the industry standard for keeping your vehicle "un-hackable". The key fob and the car each keep a counter that increases every time a button is pressed, so a previously recorded button press will not be accepted.
But what if some of your key fob presses never make it to your car? Perhaps you're out of range, behind thick glass, or just fidgeting with your keys; or perhaps someone with a nefarious motive is lurking and waiting to intercept the signal, or, even easier, has access to your keys for just a few seconds. These button presses move the counter on the key fob forward, but not the one in the car. To prevent accidental button presses from locking owners out, RKE systems reset to the lower counter number if they detect that the fob has more button presses than the car.
The reset logic assumes that as long as the counter number on the fob is higher than the car's, the message can't be a replay. But this means that codes captured before the reset occurred, which never made it to the car, would still be accepted. This is demonstrated in the next post, and it clearly shows that the rolling-code RKE systems used by the biggest players in the automotive industry are extremely vulnerable and easily exploited, perhaps just as vulnerable as the predecessor "static-code" type of key fob. And if we can capture and replicate lock/unlock commands, we can also capture remote-start commands.
Please note: we are not advocating the use of these devices to hack or break into vehicles. We are simply exploiting a vulnerability that is tightly and neatly kept under wraps from consumers, despite the issue having been brought to the attention of automotive manufacturers before.
www.tinytxs.com
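To make the counter logic in the description concrete, here is an added simulation (my own example, not code from the video, from tinytxs.com or from any vehicle manufacturer): a counter-only receiver that, as described above, accepts any authenticated code whose counter is ahead of its own, beside a clock-bound receiver of the kind one commenter below proposes, in which a recorded code expires after a short validity period. The shared key, acceptance window, clock values and message layout are assumptions for illustration only; no real RKE protocol or radio format is modelled. Both receivers keep a log of every verdict, which is the signal a defender would want to watch: counter gaps larger than one are presses the car never heard.

```python
"""Simulation of rolling-code counter handling and a clock-bound variant.

Added example, not code from the TINYTX video, the tinytxs.com site or any
vehicle maker. The shared key, the acceptance window, the clock values and
the fob/car pairing are constructed assumptions used only to illustrate the
counter logic the description talks about; no real RKE protocol, key or
radio format is modelled.
"""
import hashlib
import hmac

SHARED_KEY = b"constructed-demo-key"  # assumption: fob and car share a secret
ACCEPT_WINDOW = 16                    # assumption: how far ahead of the car a fob may run
MAX_CODE_AGE = 30                     # assumption (seconds): lifetime of a clock-bound code


def _tag(key: bytes, *fields) -> str:
    """HMAC over the authenticated fields; a truncated hex digest stands in for the fob's tag."""
    msg = ":".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def fob_press(counter: int, command: str, key: bytes = SHARED_KEY) -> tuple:
    """Counter-only fob: each press emits (counter, command, tag); the fob then moves on."""
    return (counter, command, _tag(key, counter, command))


def clock_fob_press(counter: int, command: str, now: int, key: bytes = SHARED_KEY) -> tuple:
    """Clock-bound fob: the send time is authenticated together with the counter."""
    return (counter, command, now, _tag(key, counter, command, now))


class RollingCodeReceiver:
    """Car side as the description states it: a code is good if its counter is ahead of the car's."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = ACCEPT_WINDOW):
        self.key, self.window, self.last_counter = key, window, 0
        self.log = []  # defender's view: (verdict, reason, counter gap) per received code

    def _check_counter(self, counter: int, command: str) -> bool:
        gap = counter - self.last_counter
        if gap <= 0:                    # at or behind the car: a replay of something already used
            self.log.append(("reject", "replay", gap))
            return False
        if gap > self.window:           # too far ahead: fob is out of sync and needs re-pairing
            self.log.append(("reject", "out of window", gap))
            return False
        self.last_counter = counter     # resync: the car jumps up to the fob's counter
        self.log.append(("accept", command, gap))
        return True

    def receive(self, code: tuple) -> bool:
        counter, command, tag = code
        if not hmac.compare_digest(tag, _tag(self.key, counter, command)):
            self.log.append(("reject", "bad tag", 0))
            return False
        return self._check_counter(counter, command)


class ClockBoundReceiver(RollingCodeReceiver):
    """Adds the fix a commenter suggests: both ends keep a clock, so an old code expires."""

    def receive(self, code: tuple, now: int = 0, max_age: int = MAX_CODE_AGE) -> bool:
        counter, command, sent_at, tag = code
        if not hmac.compare_digest(tag, _tag(self.key, counter, command, sent_at)):
            self.log.append(("reject", "bad tag", 0))
            return False
        if abs(now - sent_at) > max_age:  # recorded earlier and delivered late: dead on arrival
            self.log.append(("reject", "stale", counter - self.last_counter))
            return False
        return self._check_counter(counter, command)


def undelivered_code_scenario() -> dict:
    """A press the car never heard stays valid until a newer press reaches the car."""
    car = RollingCodeReceiver()
    missed = fob_press(1, "unlock")              # pressed out of range: fob at 1, car still at 0
    later_ok = car.receive(missed)               # delivered later: 1 > 0, so the car accepts it
    next_ok = car.receive(fob_press(2, "unlock"))
    again_ok = car.receive(missed)               # now behind the car's counter: rejected
    return {"missed_accepted_later": later_ok, "next_press_accepted": next_ok,
            "missed_accepted_after_newer_press": again_ok, "car_counter": car.last_counter}


def clock_bound_scenario() -> dict:
    """The same late delivery against a clock-bound receiver fails once the code has aged out."""
    car = ClockBoundReceiver()
    missed = clock_fob_press(1, "unlock", now=100)   # sent at t=100 and never heard by the car
    stale_ok = car.receive(missed, now=100 + 3600)   # delivered an hour later: stale, rejected
    fresh_ok = car.receive(clock_fob_press(2, "unlock", now=4000), now=4005)
    return {"stale_code_accepted": stale_ok, "fresh_code_accepted": fresh_ok,
            "car_counter": car.last_counter,
            "rejections": [e for e in car.log if e[0] == "reject"]}


if __name__ == "__main__":
    print(undelivered_code_scenario())
    print(clock_bound_scenario())
```

Running it shows the two sides of the page's argument: the counter-only receiver accepts the undelivered code whenever it finally arrives, until a newer press reaches the car, after which the held code is dead (the point one commenter makes about a captured code being good only until the fob is used again); the clock-bound receiver rejects the same code once its timestamp falls outside the validity window, at the cost of keeping both ends' clocks in step, which is the battery-replacement trade-off raised in the comments.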

Comments: 114
@WindsurferHD 2 months ago
I was just at Toyota's USA HQ today. Toyota engineers are working on fixing all hacking techniques.
@honestlocksmith5428 2 months ago
Locksmiths are working just as hard to go around any restrictions. We have the Right to repair.
@WindsurferHD 2 months ago
@honestlocksmith5428 true.
@tinytx 2 months ago
@honestlocksmith5428 we agree👌 in the right hands - fully support.
@RandoWisLuL 7 days ago
Everything is hackable.
@WindsurferHD 7 days ago
@RandoWisLuL not if it's unplugged
@trelauney 1 year ago
Technically, it's easy to make the codes much more secure: tie both ends into an accurate clock. But that means the user can't easily replace their own fob battery, among other things. At least ignition is a lot more secure.
@tinytx 1 year ago
Yes, very true! But we've actually demonstrated on our Instagram page starting the car remotely using the same method!
@lildevfto1379 1 month ago
@tinytx link?
@jaosix 1 year ago
Aight, guess I'm sticking to physical access now for my Toyota haha
@OxaudioPhilly 1 year ago
I can tell you on the Ranges they are cutting out a section on the body to gain access to the CAN bus lines, same with new Toyota/Lexus vehicles…
@yungabilify 20 hours ago
Informative!
@JohnSmith-zn3js 1 year ago
I could be wrong (won't be the first time or last for sure!) but I was under the impression that rolling codes are specific and in order, hence the reason you can replace the battery without the fob needing to be reprogrammed. There is a list of codes, but you can actually send a bunch of false codes and the vehicle will revert back to the initial base code it starts with. Regardless, this is a good video. More important to me is, where did you get that HackRF?!?! I love that yours has a potentiometer/knob separate from the selecting buttons! Mine is consolidated and I'm NOT a fan. Is that an aftermarket unit?? And as mentioned in other comments, the Flipper is a cool gadget but by no means new tech.
@tinytx 1 year ago
Hi! Yes, it's an aftermarket version; they're actually available on Amazon. Loaded with MAYHEM and everything, much better than the stock version IMO.
@JohnSmith-zn3js 1 year ago
@TINYTX INC. Sweet! Thanks for the info. Will definitely have to check those out. Can always use a spare!!
@RandoWisLuL 7 days ago
The Flipper is nice, especially with add-on boards, if it can do the task you want it to do. Like why bring the HackRF or Proxmark out if the Flipper can do it? Not to say by any means that the HackRF/Proxmark isn't like 10fold more powerful, but I mean Flippers can be useful. Add-on boards can pack a nice punch too.
@nickhackett5643 1 year ago
Are you familiar with how newer proximity unlock key fobs work, the ones that don't require you to press a button but rather unlock the car as soon as you get near it automatically? Is there some sort of more proper handshake? Also, how many valid codes does the vehicle hold on to at a time? If I was out of range of my vehicle and pressed the unlock button 200/2000/however many times, would the car think the code was invalid because the counter in the fob is so far ahead of the car?
@ForgedEggs 1 year ago
The Passive Keyless Entry systems work on 2 different wireless systems. First, when you touch the handle, the car sends out a 315 kHz RFID signal which the fob sees and responds to with an open command at 433 MHz (315 MHz in the US)
@honestlocksmith5428 2 months ago
@ForgedEggs the PKE is 125 kHz. The fob responds on its frequency used with the BCM.
@ForgedEggs 1 year ago
You've described the RollJam attack, which isn't Toyota specific, so it's a little unfair to rag on them for that. Instead, rag on them for not properly using a CAN gateway in the RAV4 models. With a CAN injector and a little brute force to the inside wheel well you can hit the headlights with a CAN spike attack to unlock the doors and replay a key auth packet to start it.
@TheLostAdventuress 1 year ago
No I tried
@crsv7armhl 11 months ago
He also neglected to mention that RollJam only gets you one good code, which is only valid *if* you use it before the key fob is used again. Key windows are a thing; and as soon as the fob is used again, which has a code ahead of the one you got, your code is invalid. RollJam is a fun concept but not practical. There are other, easier techniques.
@honestlocksmith5428 2 months ago
You can't start it, as that is a different system.
@user-ms4mz7qp1k 18 days ago
Would it also get the frequency of you starting the car when you're also jamming it at the same time?
@Steliosgiannatos 1 year ago
Since the release of the Flipper Zero everyone is going crazy thinking these attacks are brand new. By the way, I saw a comment regarding desyncing the fob. How come it does not affect it? Awesome video!
@tinytx 1 year ago
That's right, they've been around for years, just with different tools. If you desync the fob the vehicle will no longer recognize the fob, but codes can be captured and stored for later; you can capture hundreds or even thousands and store them for use at your leisure.
@nikbirkundi5223 16 days ago
Hi sir, I'm genuinely curious about this device and it got me thinking that, just like how you said, if a key fob is out of range, the key fob and the vehicle cannot communicate. Does that mean all remote start cars are vulnerable to their starting signal on their key being captured and used to start their vehicle???
@tinytx 16 days ago
@nikbirkundi5223 that is 100% correct, any wirelessly transmitted signal can be compromised. It may not be simple across different technologies and industries, but as of 2024 there has not been any significant change to the security protocols that these key fobs are using, and to make matters worse, the vehicle manufacturers are complicit and 100% aware of these severe security breaches. Why they choose not to address this problem is beyond our understanding; thousands of vehicles are exploited and stolen every day with basic off-the-shelf electronics.
@nikbirkundi5223 16 days ago
@tinytx that's pretty sad to be honest. The fact that it would work on modern cars that use remote start is just absurd👏
@tinytx 16 days ago
@nikbirkundi5223 totally agree, we need to put pressure on the vehicle manufacturers.
@nikbirkundi5223 16 days ago
@tinytx Right! So in theory my BMW would be vulnerable to this kind of attack? Please say no.
@tinytx 16 days ago
@nikbirkundi5223 your BMW is actually more secure than most other makes, but it's still vulnerable!
@tacolover619 1 year ago
Tip: Remove your antenna to produce cleaner signals that are close to the HackRF (receiver)
@musicmusic3646 11 months ago
:D
@user-ms4mz7qp1k 17 days ago
Got a question. Can't you not start the car? 'Cause if you jam the car and try to get the frequency of the car starting, wouldn't it not turn on since it's jammed?
@tinytx 17 days ago
@user-ms4mz7qp1k that is the case just for this video, but in real life the bad actors would come back another time, maybe even the same day or night. The code is saved and just used at a later date and time; as far as the vehicle is concerned, it's never received that stolen start-up sequence code (the authorization "handshake"), so it accepts it as a never-before-used code.
@user-ms4mz7qp1k 17 days ago
@tinytx really appreciate you replying to all the comments, but I think you misunderstood my question. For example, a push-to-start car (keyless): can someone jam the car then capture the signal for the ignition as they push the button to start the car?
@tinytx 16 days ago
@user-ms4mz7qp1k oops sorry, I see what you mean. Yes and no: the signal and handshake will occur if the vehicle owner remote starts their car, so yes, this can be jammed and captured, but if the vehicle owner is in their car a jammer will have no effect, nor will anything be captured when they press the physical push-to-start button, as starting the vehicle with this method is nothing more than an actual physical switch being engaged.
@user-ms4mz7qp1k 16 days ago
@tinytx but isn't it not just a physical switch? It operates with the signal of the key fob so that the car knows that the key is in the car to start the ignition? Can this signal be captured by thieves? Or is it only possible to copy the signal of the ignition with remote start vehicles? Btw subbed to your channel
@justinrogers8096 25 days ago
Have you considered RollJam or SARA?
@letsgetto1millwithoutvids 1 year ago
I know someone who developed an even more secure security system than rolling codes; they said they will make a video about it soon
@dimitridimitri8740 1 year ago
Thanks for the interesting video. How much is the average or maximum receiving distance from key fob to HackRF in urban conditions? You also press the button long. In real life, the owner of the car just clicks one time and that's all. Does this SDR simply send the same code that it received, or can it also modify it? For instance, if the SDR accepted the signal "lock", can it send the signal "unlock"? How to deal with that
@tinytx 1 year ago
With different antennas you can extend range significantly, at the least tens of metres. Regardless of long press or short press the signal will be captured; I long press in the video to show the signal appearing on the waterfall of the analyzer for those watching. The SDR will only replay the captured signal, no modification done at all: if the received signal is lock, the SDR will play lock, same with unlock, car-start etc. The SDR cannot modify the signal, only replay the captured signal, and that's all👍
@dimitridimitri8740 1 year ago
@TINYTX INC. So what are the practical ways of receiving the signal "lock" and sending the command "unlock", or getting an "unlock" signal that will really work? If the key fob (keyless entry) is out of range, is it possible to copy that from 1-2 metres distance by SDR tools or Flipper Zero? I know that some Russian devices can accept the signal lock and then send the command "unlock".. they are expensive. But they don't work on all cars.. Also, I got interested, how is it possible to brute force the rolling code cars? Several devices needed?
@grzegorzp.5734 1 year ago
You can't compare this sec flaw to the static code.. With rolling code you need to either jam the car and sniff the key fob, or get physical access to the key fob itself. Both are more risky and complicated, and limited in use (depends on how many keypresses you manage to catch). With static code you need to capture the key fob signal ONCE and you have unlimited access to the vehicle anytime you want. I'm not saying it's undoable with rolling code, but the statement that it's as insecure as static code is also an exaggeration. Much easier for thieves is to use the Bulgarian "Gameboy" - not only does it open/close a car, it also starts the engine, and all of that WITHOUT any necessity of key fobs being even close to the thief.
@tinytx 1 year ago
Good points made👌 thank you for sharing!
@ramonmurillo300 1 year ago
You just blew my mind with this one👀 just got my Flipper but I need this, what's the link?
@otra_geminiana 3 months ago
This you can do with Flipper
@user-dn9kk9qu5y 1 year ago
How do you transfer that copied signal into a remote?
@aky19832001 9 months ago
What about when you touch the door handle and that unlocks? I never press the key fob.
@honestlocksmith5428 2 months ago
It's a rolling code. There is no reason to jam the car from receiving the signals that are captured. Y'all just don't know anything about vehicle security. You can just dump a bin file from the chip without ever knowing anything about the encryption.
@Mike-s9u 1 month ago
Can you demonstrate when the key is not in range?
@tinytx 1 month ago
@Mike-s9u it would not matter for locking/unlocking; 99% of these exploits are done when the key is far from the vehicle. The vehicle would still unlock without the fob using the captured signal, but it likely would not start without the presence of the fob, even with a captured start signal.
@Mattstar 1 year ago
Doesn't this desync the fob?
@tinytx 1 year ago
No, it does not alter the fob in any way whatsoever!
@Grey-Troll 7 months ago
My pet turtle told me that the majority of 90s vehicles use a fixed code. I trust him though, and he made a backup of my vehicle's fob just in case my dog steps on the lock button when I make a quick stop at a gas station... it's happened before!
@honestlocksmith5428 2 months ago
Your pet turtle is wrong. There are very few early vehicles with fixed codes. We're talking about 1 year and one company in particular. I have data dumps for every single make and model car. I have 65k captures for many vehicles.
@Grey-Troll 2 months ago
Well, the majority of 90s Nissans then. Although it's worked on several other cars Myrtle has tested/shown off the capability with, 2 or 3 major 90s brands. Honda seems hit or miss.
@jerryosoa3427 1 year ago
First I want to say very good explanation. But you can only open and close the door and not start a vehicle that has a start button, right?
@user-wu6mc8es5w 4 months ago
I think it makes sense because the key also has an immobilizer, which is not used to unlock the car but to start the ignition, so yeah, in theory you are able to open the car in this way, but that device I think is not the same as a relay attack, which must just extend the signal to start a vehicle. That is the biggest problem in case they want to steal your car. Basically, with keyless entry the best option is to turn off that crap until we really get a safe one. I have also installed one more special one; there is no way to start my car, it cuts the fuel pump and the whole ignition.
@honestlocksmith5428 2 months ago
@user-wu6mc8es5w manufacturers updated the software, so the delay in time means replay doesn't work. Not all have this update yet. It takes time to send a signal through the amplifier. So, the car's PKE sends a wake-up command, and if the key doesn't respond in exactly the right time frame, the car won't open.
@NeonFreezePlaysGames 1 year ago
Wouldn't the Flipper Zero also be able to do that?
@tinytx 1 year ago
Yes, just with slightly limited features and reach, but absolutely👍
@reillydunn7151 8 months ago
awesome
@NeverGiveUpYo 8 months ago
Lock and unlock works, but can you start the engine?
@tinytx 8 months ago
On the majority of models you can, if you follow the same sequence of recording the "start" command.
@ignacioperezmares6342 1 year ago
How much would a device like that cost?
@noimnotarobotcanubeleiveit7024 1 year ago
How about brute forcing codes until the car runs out of new codes?
@tinytx 1 year ago
This would not work, although this was a common attack on garage door openers back in the early 2000s.
@honestlocksmith5428 2 months ago
It's a rolling code. It doesn't run out of numbers. However, 1 bit is removed from the fob's signal after the first rollover at FFFF to 0000 to have a permanent record of that happening.
@bbankhead9576 1 year ago
So what you're doing with this device is you're stopping the signal from getting to the car, and then you save it and can use it later?
@tinytx 1 year ago
Yes, that's what the device does👍
@johnw6648 1 year ago
Please, next time turn the car around so you are not filming in the sun.
@zipit-media 8 months ago
I tried that on cars I have, a 2014 Kia Optima & a 2010 Lexus 250h ... Nothing works
@user-ms4mz7qp1k 17 days ago
You probably didn't jam the signal
@Blackscotti420 1 year ago
Where do you buy a device like that?
@aerochicc 1 year ago
Does turning the signal off while out of the vehicle work?
@tinytx 1 year ago
Yes, one needs to be only a few metres away; depending on the antenna used you can be even tens of metres away.
@TechMechRandom 1 year ago
Rolling codes can be brute forced.
@tinytx 1 year ago
Yup, they are not as secure a system as has been touted.
@sagetajr 1 year ago
How much for this device?
@tinytx 1 year ago
We do not sell this device on our website, but if you'd like one please contact us on Instagram @tinytransmitters. You may also find clones of this device on AliExpress, but please read the listing carefully; some clones have been reported to have severe issues.
@j9lorna 6 months ago
Can one of these not capture and jam at the same time?
@tinytx 6 months ago
You cannot capture as you are deploying a jammer, as you'll inadvertently capture the jamming signal as well.
@honestlocksmith5428 2 months ago
@tinytx Don't jam it. It's a rolling code. Rolling code! Rolling!
@jasonpitts8395 1 year ago
Mercedes uses 2 freqs w/ rolling codes.
@anglerdanger7270 1 year ago
What is this device called?
@tinytx 1 year ago
"HackRF Portapack"
@anglerdanger7270 1 year ago
@tinytx how can I learn how to use this device? Just KZfaq?
@MrCtfx 1 year ago
No rolling codes?
@tinytx 1 year ago
There are rolling codes, but we capture a set of codes using the device in the video while blocking the signal to the vehicle, so the vehicle just doesn't have a chance to authenticate the code, so it thinks it's a code that has never been used before.
@brodicollins3657 1 year ago
@tinytx so where do you find these devices at?
@brodicollins3657 1 year ago
@tinytx if you was gonna buy em
@_specialneeds 2 months ago
So if you're in a very unlikely situation, you could possibly do something that serves no purpose. Cool.
@tinytx 2 months ago
Sorry you're so disappointed 🤷‍♂️ This is a showcase of the methods used by thieves to clone and replay key-fob attacks; it's not an instructional. This is not an unlikely situation, this is the main method used to swipe almost 90% of vehicles today.
@waveril5167 4 months ago
But nobody opens the car and then goes away?! If someone opens the car they go inside and drive away? You can't steal a car when the owner is inside and driving lol
@ipwnxdemonzz4223 1 year ago
This does work for rolling code, does it?
@tinytx 1 year ago
Yes
@soapy5343 1 year ago
@tinytx if the HackRF sends the signal and there is a new code, what happens to the key fob?
@tinytx 1 year ago
@soapy5343 nothing! The handshake never occurred in the first place, so the vehicle will authenticate the signal and accept it either way
@otra_geminiana 3 months ago
@soapy5343 in most cases the car and the original fob are desynced and this is a mess to solve. Don't play with important devices, use your spare car😂
@honestlocksmith5428 2 months ago
@labizcochadequeso only on certain vehicles is it a problem. These would be German vehicles, where only authorized people can do key adaptation through OBD without removing the memory chip and modifying that directly. Like Volkswagen. However, that chip is behind the instrument cluster.
@marklongworth5313 1 year ago
How do you do it without the key fob tho???
@tinytx 1 year ago
You need access to the fob just one time for a few seconds; the codes are then copied and stored for later single-time use.
@tinytx 11 months ago
@solomongrundy145 most thieves do not want to steal the physical key so as not to arouse suspicion; they just need to clone it quickly, that way they can come back at will without raising any alarms about missing physical keys.
@honestlocksmith5428 2 months ago
@tinytx Thieves have several methods depending on the vehicle. They can replace the BCM and ECU with a known key, or they use professional tools to add a key after picking the lock.
@markhollins2190 1 year ago
Stop displaying our tricks😆
@ST-IV_858 1 year ago
I need a new HC… vrooms for days
@tinytx 1 year ago
😂😂😂