I have a theoretical question: If one key fob (rolling codes) is programmed to be used for 2 cars (of the very same model and configuration), which is possible with the OEM dealer software, what would be the negative implications from technical perspective?

Thanks. I typically also try to close caption my videos (but sadly I don’t think the machine translation for other languages use my English captions).

It’s manufacture specific; but I agree. I keep asking people for recommendations on where to buy different receivers to try it out. So far the receiver I have does KeeLoq but is susceptible to replay attack. I have another two receivers on the way. I’ve heard Genie (intellicode) seemed to get in a strange state when replaying past codes from ReadRAW - but the units are $60+ so I think I’ll probably try eBay after defcon to see if I can get a remote + receiver for cheaper.

You're welcome. It's been fun learning. If you have questions about Sub-GHz, the best place to ask is my discord server -- discord.com/invite/NsjCvqwPAd I also wrote a wiki, which I hope to improve over the holidays. github.com/jamisonderek/flipper-zero-tutorials/wiki/Sub-GHz

Glad you liked it!

Glad it was helpful!

Thanks for watching. I have a playlist of rolling codes videos - kzbin.info/aero/PLM1cyTMe-PYJfnlDk3NjM85kU5VyCViNp

Thank you! Cheers! This Saturday video is similar but on KeeLoq (DoorHan) protocol.

Thanks. Next Saturday I'm releasing a video that goes into *way more detail* on the actual encoding (from a RAW file all the way to decoding all the data & forming a valid Sec1.0 SUB file). I'm on the 5th video about rolling codes, and some feedback I got was people are ready to hear the encoding details. I think it will likely also cover Security 2.0 -- which makes for a long video, but it's still interesting to contrast the two protocols. (Now that I've learned about them both.)

I'll try to do one on Security+ 2.0 in a few weeks. You ask a great question about the conversion! I have a spreadsheet that explains it, but I didn't think it was appropriate to discuss in this introduction video. Join my discord at discord.com/invite/NsjCvqwPAd and ask there, and I'll share the spreadsheet. The basic idea is each digit alternates between rolling and fixed. For rolling, it's we just use the {digit from the packet} (base 3). But when we get to the end, we invert all of binary bits and come up with the hex value. For both rolling and fixed we increment an accumulator with the last digit we figured out. But for fixed, we calculate the digit using the formula (60+{digit from packet}-accumulator) and then take the result divide by 3 and use the remainder (so the digit is 0,1 or 2). I think the spreadsheet I created explains it better. If you are familiar with reading code, then github.com/flipperdevices/flipperzero-firmware/blob/b90e2ca3426cf4c3e7bf6360e010b7aed71e6e41/lib/subghz/protocols/secplus_v1.c#L366 probably explains it even better! I think the actual decoding may be wrong in the slide, since I was just learning.

Yes, but typically the encoding or encryption makes it difficult to figure out what the key should be (assuming it’s looking for a count within 16 ahead of where you are). In some cases where Save is disabled, I can Read a signal (write key down on paper), then edit my .SUB file with key & it resumes from there using the proper fix (SN+BTN) code. Of course, now you risk desync the device; which is probably why save was disabled in the first place.

I haven't looked at NFC yet, so I'm not sure how that protocol works. In October I plan to start learning NFC and RFID, but my understanding is there are lots of different standards in that space. You can ask in my Discord channel (discord.com/invite/NsjCvqwPAd) and maybe Zve8, Bettse or someone else that knows way more about nfc can answer your questions. I'm interested to learn more about real-world issues you are encountering (so I can cover the topic in a future video).

Even with the MF key, there are additional steps that would have to be figured out, since it's a custom configuration. Read more here... forum.flipper.net/t/intellicode-2-code-dodger-2/3389/35 Also, intellicode uses a version of KeeLoq, so this video applies more (kzbin.info/www/bejne/rmXQnWSAdq1kp5I). I'm just learning in so many areas. I have a lot to learn around crypto and other areas, it would take a huge effort & potentially get misused by the community. What I think *might* be possible would be to create some roll-forward sequence codes tied to a Sn and then program those into a Flipper Zero. Then you could pair your Flipper as a remote and then use a custom app to do roll-forward sequences. I could do a proof-of-concept and share the files (but then my subscribers would all have common Sn, which isn't great). Maybe I can teach how they can tear apart their own remote to create the files? Join my Discord server (discord.com/invite/NsjCvqwPAd) and let's continue the conversation!

I made a "Rolling Flaws" application, which enabled a Flipper to act as a KeeLoq receiver. You can then choose the flaws to enable, size of window, replay attacks, etc. You can read more about it on my GitHub... github.com/jamisonderek/flipper-zero-tutorials/tree/main/subghz/apps/rolling-flaws

Is there a particular iButton device you are thinking about? All I have is a DS18B20 (which does give a fixed id + temp data) and a Java One ring (I haven't try accessing the Java side of it).

@@MrDerekJamison the one that can read KEYFOBs

I'm studying the firmware of the Flipper to understand so I can teach this video series, since I know nothing about rolling codes before doing this series. Both Security+1.0 and Security+2.0 use base 3 numbers. Maybe in my next video on Security+2.0 we can geek out more and discuss the encoding (or decoding) part & differences between the two algorithms, if you think that would be helpful? Here is the line in Security+1.0 that I concluded it was base-3... github.com/flipperdevices/flipperzero-firmware/blob/52b59662627254ae5ccde6201b5c4921573fc769/lib/subghz/protocols/secplus_v1.c#L368

Also, feel free to join my Discord server, if you haven't already. The #general channel is a great place to ask more in-depth questions you may have about encoding/decoding. discord.com/invite/NsjCvqwPAd

@@MrDerekJamisonamazing thank you for the response! I’m eating this stuff up

Great question. Security+ 2.0 is covered in the 5th video in my rolling codes playlist... kzbin.info/aero/PLM1cyTMe-PYJfnlDk3NjM85kU5VyCViNp

anyway to brute force it? its a 850 LM Security +2.0 390 Mhz@@MrDerekJamison

@@WPGinterceptor460InterceptorIf you capture one signal with CFW firmware (like RogueMaster) it will be able to play all future signals. Brute forcing to discover both the FIX and HOP code would take a really long time.

As the manufacturer, it’s not obvious what you should do when you detect a replay!/rollback. Balance between security, convenience, etc. most cases owner is going to fix the symptoms & never understand what happened. Hopefully some KZbin channel posts how to resync that model of receiver. 😀