Car key hacking: the explanations | Science for You #21

Published: 16 May 2026
Channel: Gui'M la science

After showing you that it's possible to unlock a car with a simple radio key and a computer, here are the detailed explanations. We'll analyze the signal from a vehicle's key using an RTL-SDR and attempt to reproduce it with a YARD Stick One, another dongle that can transmit. We'll also take a look at the electronics and see what security measures car manufacturers have implemented to make hacking more difficult.

Note: According to the key's electronic circuit documentation, the radio coding used is Manchester (https://fr.wikipedia.org/wiki/Codage_...). However, with the YARD Stick One, I chose to assume it uses NRZ (https://fr.wikipedia.org/wiki/Non_Ret...), which is much simpler. Otherwise, I was experiencing quite a few reception errors. This doesn't change anything for the retransmission, as I don't attach any importance to the code content. We can therefore consider that we are dealing with NRZ at twice the bit rate of Manchester.

Note 2: Sometimes, the YARD missed the first bit of the message, shifting everything by one bit. The preamble then became 5555..., as can be seen in the first test, and the rest of the message was changed.
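The two notes above can be checked offline with a short script. This is an added example, not code from the video or from RfCat: it treats Manchester data as NRZ chips at twice the bit rate and detects a one-chip slip from the invalid chip pairs it produces. The chip convention (1 is sent as "10"), the all-ones preamble and the payload bits are assumptions constructed for the illustration.

```python
# Added example. Assumed convention (G.E. Thomas): bit 1 -> chips "10", bit 0 -> "01".
ENC = {"1": "10", "0": "01"}
DEC = {chips: bit for bit, chips in ENC.items()}

def manchester_to_nrz(bits: str) -> str:
    """Each Manchester bit becomes two NRZ chips, so the chip rate is 2x the bit rate."""
    return "".join(ENC[b] for b in bits)

def nrz_to_manchester(chips: str) -> str:
    """Decode chip pairs; '00' and '11' are not Manchester symbols (slip or noise)."""
    bits = []
    for i in range(0, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair not in DEC:
            raise ValueError(f"invalid chip pair {pair!r} at chip {i}")
        bits.append(DEC[pair])
    return "".join(bits)

def to_hex(chips: str) -> str:
    """Pack chips into bytes as a byte-oriented receiver reports them (zero-padded)."""
    padded = chips + "0" * (-len(chips) % 8)
    return int(padded, 2).to_bytes(len(padded) // 8, "big").hex()

def find_alignment(chips: str):
    """Return (offset, bits) for the first chip offset (0 or 1) that decodes cleanly."""
    for offset in (0, 1):
        try:
            return offset, nrz_to_manchester(chips[offset:])
        except ValueError:
            continue
    return None

# Constructed sample: 16 identical preamble bits followed by arbitrary payload bits.
PREAMBLE = "1" * 16
PAYLOAD = "0110100111000101"
SENT = manchester_to_nrz(PREAMBLE + PAYLOAD)
SLIPPED = SENT[1:]  # the receiver missed the first chip of the message

if __name__ == "__main__":
    print(to_hex(SENT))             # preamble reads aaaaaaaa in the NRZ view
    print(to_hex(SLIPPED))          # same message one chip late: preamble reads 5555...
    print(find_alignment(SENT))     # clean at offset 0
    print(find_alignment(SLIPPED))  # clean only at offset 1, first bit lost
```

A constant preamble still looks valid after a one-chip slip (it only inverts), so the slip becomes detectable at the first bit change in the data, where a "00" or "11" pair appears.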

Link to GQRX: https://gqrx.dk/
The official RTL-SDR website: https://www.rtl-sdr.com/
YARD Stick One overview page: https://greatscottgadgets.com/yardsti...
Some GQRX equivalents: https://www.rtl-sdr.com/big-list-rtl-...
RfCat documentation: https://github.com/atlas0fd00m/rfcat/...
