i subscribed not only for the quality content but mainly for when I started in the middle of the series and you told me to start at the beginning AND YOU HAD A PLAYLIST EASY TO FIND WITH ALL THE VIDEOS
@MrDerekJamison Жыл бұрын
PLEASE don't mess with production rolling codes & desync your remote! Later this month I'll have an app you can run on a 2nd Flipper to practice rolling codes & hopefully September I'll have an app that can run on less expensive hardware (probably ESP32-S2/Arduino Uno + CC1101 + some screen [or serial port]). My first couple of videos are going to help just understand what all the displayed fields are, then we can start to go deeper into one of the protocols. Then we can continue looking at more protocols. I bought hardware for KeeLoq, so I can make a few videos on that one. If you know where I can buy inexpensive receivers in the US (garage door openers, gate controllers, etc.) that the Flipper Zero can Read, please let me know. If there is a particular rolling code protocol from github.com/flipperdevices/flipperzero-firmware/tree/dev/lib/subghz/protocols that you are interested in, let me know that too! Don't forget to join my discord channel for more conversations and giveaways... discord.com/invite/NsjCvqwPAd Thanks again for subscribing to my channel!
@proletsearch4 ай бұрын
I have a theoretical question: If one key fob (rolling codes) is programmed to be used for 2 cars (of the very same model and configuration), which is possible with the OEM dealer software, what would be the negative implications from technical perspective?
@jeffreybrunken556 Жыл бұрын
If it CAN be screwed up, generally I WILL screw it up. 🤣 Thx for the help to avoid that.
@kuronons7520 Жыл бұрын
Such pedagogy ! Thanks for clean and clear explanations ! 🤘 And also wanted to add that for those whose english is not native-language (like the 🐸I am XD), yours is crystal-clear and easily understandable. Keep on going !
@MrDerekJamison Жыл бұрын
Thanks. I typically also try to close caption my videos (but sadly I don’t think the machine translation for other languages use my English captions).
@Zarc0Z Жыл бұрын
If it's that easy to screw up your remote, it's a DoS, so that's a vulnerability in itself.
@MrDerekJamison Жыл бұрын
It’s manufacture specific; but I agree. I keep asking people for recommendations on where to buy different receivers to try it out. So far the receiver I have does KeeLoq but is susceptible to replay attack. I have another two receivers on the way. I’ve heard Genie (intellicode) seemed to get in a strange state when replaying past codes from ReadRAW - but the units are $60+ so I think I’ll probably try eBay after defcon to see if I can get a remote + receiver for cheaper.
@MrDerekJamison Жыл бұрын
I'm still a noob and learning all this stuff. This protocol is somewhere along the "encoded", "obfuscated", "encryption" spectrum... perhaps it is more accurately described as "obfuscated". The algorithm doesn't use a key, so if people know the complex reordering bit scheme, they can reverse any data sent with this protocol.
@cecinestpasmonhistoire45808 ай бұрын
Thank you for sharing your knowledge
@MrDerekJamison8 ай бұрын
You're welcome. It's been fun learning. If you have questions about Sub-GHz, the best place to ask is my discord server -- discord.com/invite/NsjCvqwPAd I also wrote a wiki, which I hope to improve over the holidays. github.com/jamisonderek/flipper-zero-tutorials/wiki/Sub-GHz
@manuelvelaz9516 Жыл бұрын
Amazing Video! ❤ Thank you so much
@MrDerekJamison Жыл бұрын
Glad you liked it!
@3DComputing10 ай бұрын
Excellent presentation, thank you
@MrDerekJamison10 ай бұрын
Glad it was helpful!
@alzalame6 ай бұрын
Thank you for sharing 👍👍👍
@MrDerekJamison6 ай бұрын
Thanks for watching. I have a playlist of rolling codes videos - kzbin.info/aero/PLM1cyTMe-PYJfnlDk3NjM85kU5VyCViNp
@monmo4529 Жыл бұрын
Super!
@MrDerekJamison Жыл бұрын
Thank you! Cheers! This Saturday video is similar but on KeeLoq (DoorHan) protocol.
@venjsystems11 ай бұрын
Brilliant video thanks
@MrDerekJamison11 ай бұрын
Thanks. Next Saturday I'm releasing a video that goes into *way more detail* on the actual encoding (from a RAW file all the way to decoding all the data & forming a valid Sec1.0 SUB file). I'm on the 5th video about rolling codes, and some feedback I got was people are ready to hear the encoding details. I think it will likely also cover Security 2.0 -- which makes for a long video, but it's still interesting to contrast the two protocols. (Now that I've learned about them both.)
@phish27134 Жыл бұрын
cool
@user-fn6fm8ko5y Жыл бұрын
Hi Derek! I wanted to ask you how you took the second packet in this video and converted the 20 trit long packet and got it into the form of E6000044? Moving between the trit of the serial of the "FOB" to decimal or Hex made sense but I haven't figured out how you converted the original two packets into 63A5EB6D and E6000044. Anyways, thanks for making the video and would love if you did a companion for Security+ 2.0. Cheers
@MrDerekJamison Жыл бұрын
I'll try to do one on Security+ 2.0 in a few weeks. You ask a great question about the conversion! I have a spreadsheet that explains it, but I didn't think it was appropriate to discuss in this introduction video. Join my discord at discord.com/invite/NsjCvqwPAd and ask there, and I'll share the spreadsheet. The basic idea is each digit alternates between rolling and fixed. For rolling, it's we just use the {digit from the packet} (base 3). But when we get to the end, we invert all of binary bits and come up with the hex value. For both rolling and fixed we increment an accumulator with the last digit we figured out. But for fixed, we calculate the digit using the formula (60+{digit from packet}-accumulator) and then take the result divide by 3 and use the remainder (so the digit is 0,1 or 2). I think the spreadsheet I created explains it better. If you are familiar with reading code, then github.com/flipperdevices/flipperzero-firmware/blob/b90e2ca3426cf4c3e7bf6360e010b7aed71e6e41/lib/subghz/protocols/secplus_v1.c#L366 probably explains it even better! I think the actual decoding may be wrong in the slide, since I was just learning.
@user-oy7jx7nd5g Жыл бұрын
So, is it possible that you could overwrite a .sub file with a future count on the key, and then emulate that signal to unlock a device that is looking for that next count?
@MrDerekJamison Жыл бұрын
Yes, but typically the encoding or encryption makes it difficult to figure out what the key should be (assuming it’s looking for a count within 16 ahead of where you are). In some cases where Save is disabled, I can Read a signal (write key down on paper), then edit my .SUB file with key & it resumes from there using the proper fix (SN+BTN) code. Of course, now you risk desync the device; which is probably why save was disabled in the first place.
@timothykinzer399 Жыл бұрын
Im having troubles with nfc and the door reader isthis kinda the same principle?
@MrDerekJamison Жыл бұрын
I haven't looked at NFC yet, so I'm not sure how that protocol works. In October I plan to start learning NFC and RFID, but my understanding is there are lots of different standards in that space. You can ask in my Discord channel (discord.com/invite/NsjCvqwPAd) and maybe Zve8, Bettse or someone else that knows way more about nfc can answer your questions. I'm interested to learn more about real-world issues you are encountering (so I can cover the topic in a future video).
@thegravelgarage1062 Жыл бұрын
Any chance you could play around with genie intellicode? Community has been talking about a missing manf key
@MrDerekJamison Жыл бұрын
Even with the MF key, there are additional steps that would have to be figured out, since it's a custom configuration. Read more here... forum.flipper.net/t/intellicode-2-code-dodger-2/3389/35 Also, intellicode uses a version of KeeLoq, so this video applies more (kzbin.info/www/bejne/rmXQnWSAdq1kp5I). I'm just learning in so many areas. I have a lot to learn around crypto and other areas, it would take a huge effort & potentially get misused by the community. What I think *might* be possible would be to create some roll-forward sequence codes tied to a Sn and then program those into a Flipper Zero. Then you could pair your Flipper as a remote and then use a custom app to do roll-forward sequences. I could do a proof-of-concept and share the files (but then my subscribers would all have common Sn, which isn't great). Maybe I can teach how they can tear apart their own remote to create the files? Join my Discord server (discord.com/invite/NsjCvqwPAd) and let's continue the conversation!
@samueltodd93415 ай бұрын
did you ever make the app?
@MrDerekJamison5 ай бұрын
I made a "Rolling Flaws" application, which enabled a Flipper to act as a KeeLoq receiver. You can then choose the flaws to enable, size of window, replay attacks, etc. You can read more about it on my GitHub... github.com/jamisonderek/flipper-zero-tutorials/tree/main/subghz/apps/rolling-flaws
@ChoChanit-cx1hp Жыл бұрын
Can you do video that uses this with i button. i button is very useful.
@MrDerekJamison Жыл бұрын
Is there a particular iButton device you are thinking about? All I have is a DS18B20 (which does give a fixed id + temp data) and a Java One ring (I haven't try accessing the Java side of it).
@ChoChanit-cx1hp Жыл бұрын
@@MrDerekJamison the one that can read KEYFOBs
@mannyfresh2deff2 ай бұрын
All i know if my flipper cant catch it , at least it tells me wha frequency it is,so instead i just jam 😂now no one gettin in...or out..had dad outside for half hour trying to open garage door...lol,
@paparoach302511 ай бұрын
How did you learn that this the 42b was in base 3?
@MrDerekJamison11 ай бұрын
I'm studying the firmware of the Flipper to understand so I can teach this video series, since I know nothing about rolling codes before doing this series. Both Security+1.0 and Security+2.0 use base 3 numbers. Maybe in my next video on Security+2.0 we can geek out more and discuss the encoding (or decoding) part & differences between the two algorithms, if you think that would be helpful? Here is the line in Security+1.0 that I concluded it was base-3... github.com/flipperdevices/flipperzero-firmware/blob/52b59662627254ae5ccde6201b5c4921573fc769/lib/subghz/protocols/secplus_v1.c#L368
@MrDerekJamison11 ай бұрын
Also, feel free to join my Discord server, if you haven't already. The #general channel is a great place to ask more in-depth questions you may have about encoding/decoding. discord.com/invite/NsjCvqwPAd
@paparoach302511 ай бұрын
@@MrDerekJamisonamazing thank you for the response! I’m eating this stuff up
@WPGinterceptor460Interceptor6 ай бұрын
What about security+ 2.0
@MrDerekJamison6 ай бұрын
Great question. Security+ 2.0 is covered in the 5th video in my rolling codes playlist... kzbin.info/aero/PLM1cyTMe-PYJfnlDk3NjM85kU5VyCViNp
@WPGinterceptor460Interceptor6 ай бұрын
anyway to brute force it? its a 850 LM Security +2.0 390 Mhz@@MrDerekJamison
@MrDerekJamison6 ай бұрын
@@WPGinterceptor460InterceptorIf you capture one signal with CFW firmware (like RogueMaster) it will be able to play all future signals. Brute forcing to discover both the FIX and HOP code would take a really long time.
@JoymingleApp Жыл бұрын
Looks like the big companies want make money because if a lot of cars get dsynce they have a solution for it and they will share high prize pure buisness
@MrDerekJamison Жыл бұрын
As the manufacturer, it’s not obvious what you should do when you detect a replay!/rollback. Balance between security, convenience, etc. most cases owner is going to fix the symptoms & never understand what happened. Hopefully some KZbin channel posts how to resync that model of receiver. 😀