Wireless Security: bypassing a car rolling code of BYD
First, some background on wireless car keys. Most traditional attacks on cars are replay attacks against the key fob signal.
Simply put, in a replay attack the attacker captures an unused signal from the key fob while the owner is away from the car, then transmits the captured signal near the car to complete the attack.
However, the captured signal can only be used once, because car manufacturers considered this problem long ago and added a rolling code to the key.
The rolling code is a random code generated on every key press. Each press sends the rolling code together with the function code to the car. The car also stores the current rolling code, and it executes the corresponding function only when the received rolling code matches.
Back to the topic.
First, analyze the key's frequency, which is usually 315 MHz or 433 MHz.
In this case the band turns out to be 315 MHz.
Every frame in a capture is the same, except for the first and last sections.
After a long period of time, there will be one or more...
Now let's analyze the signal content. The first section is the synchronization preamble, which tells the car to start receiving.
The middle section differs between frames: this is the rolling code mentioned above that prevents replay attacks. The other part is the function code.
I sampled more than 20 codes for analysis.
Later, when I replayed a captured code for the second time, it was invalid. But then an idea struck me: I spliced several already-used signals together, and the door opened. After a large number of trials (the door lock quickly wore out), I found that when two commands are transmitted in quick succession, the car's rolling code rolls back to the first command!
Suppose F is the current rolling code, and the codes up to F have all been used. Replaying any code before F gets no response from the car!
So can two used command codes be spliced together?
When code A is combined with code B, C, D or E, the rolling code rolls back to A. Therefore B, C, D and E can be used again.
After many tests it turned out that only three key signals need to be captured (even already-used ones!) and spliced in order to open or close someone else's doors without restriction.
Someone may ask: won't the key be unable to open the door once it is out of sync with the car's rolling code? Actually, no. The car accepts hundreds of codes after the current one!
Only F0 models were tested.
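To make the defensive point concrete, here is a simulated receiver with a forward-only acceptance window. It is an added example, not BYD's firmware; the frame layout (counter plus function code), the window size of 256 and the counter values are constructed assumptions. It shows the behaviour a correct receiver should have: any code at or below the stored counter is rejected, so splicing used codes cannot roll the counter back, while the acceptance window still tolerates a fob that was pressed out of range of the car.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass(frozen=True)
class Frame:
    """One decoded key-fob frame (constructed layout: counter + function code)."""
    counter: int      # rolling code, modelled as an integer counter
    function: str     # e.g. "unlock" or "lock"

@dataclass
class Receiver:
    """Car-side receiver: stores the last accepted counter and only moves it forward."""
    current: int                 # last accepted rolling code
    window: int = 256            # how far ahead the fob may drift (assumed value)
    log: List[Tuple[Frame, str]] = field(default_factory=list)

    def accept(self, frame: Frame) -> bool:
        # The counter must be strictly greater than `current` and within the window.
        # A frame that has already been used, or any earlier one, is never accepted
        # again, so a second frame spliced after it cannot roll the stored counter back.
        if self.current < frame.counter <= self.current + self.window:
            self.current = frame.counter
            self.log.append((frame, "accepted"))
            return True
        self.log.append((frame, "rejected"))
        return False

    def rejected_count(self) -> int:
        """Out-of-sequence frames seen so far; a burst of these is a useful
        indicator that captured signals are being replayed at the car."""
        return sum(1 for _, verdict in self.log if verdict == "rejected")

def replay(receiver: Receiver, frames: List[Frame]) -> List[bool]:
    """Feed frames to the receiver in order and return the per-frame verdicts."""
    return [receiver.accept(f) for f in frames]

if __name__ == "__main__":
    # Constructed scenario: F = 6 is the car's current code; A..E = 1..5 were already used.
    car = Receiver(current=6)
    spliced = [Frame(c, "unlock") for c in range(1, 6)]
    print(replay(car, spliced))                                   # [False, False, False, False, False]
    print(replay(car, [Frame(7, "unlock"), Frame(7, "unlock")]))  # [True, False]
    print(car.current, car.rejected_count())                      # 7 6
```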
Http://v.qq.com/page/q/a/m/q01662qmoam.html