Inspired by the "unhackable" modern steering column locks such as 3Q0905861A (Audi A4 B9). The content of my repos makes it pretty obvious that I'm currently on the hunt for every (servo) drive from a passenger car. This time the hunter becomes the hunted. Steering column locks will hunt me to the end of 2025 - two more weeks left 🙂 I will probably fail miserably. There are at least three reasons for that. First, the extended CAN ID renders a brute-force search for IDs impractical for a DUT without a working car. Second, an electronic steering column lock (ESCL) is a security feature designed to prevent unauthorized use of the vehicle - do not expect it to react to a single CAN frame with a fixed payload. Third, I'm not a cybersecurity hobbyist (yet) and my tools are close to nonexistent in this particular field. If you are in a similar position, my suggestion is to start from something less challenging. Let's build our own transmitter and receiver pair that uses rolling code authentication. Are you curious about what principle a remote keyless entry (RKE) system may be based on? If yes, you came to the right place.
> [!NOTE]
> The demo uses wired communication. We are here to grasp the idea of a hopping code authentication method - the physical layer does not affect our current experiment. You can use any hardware of your choice - preferably one that offers hardware hashing, but you can always do that part in software[^1] (buttons are pressed by humans relatively slowly). In my case the receiving device is a compatible CAN bus node.
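
To make the idea concrete, here is an added Python simulation of such a transmitter/receiver pair (my example, not code from this repo): HMAC-SHA256 stands in for the KeeLoq cipher or an MCU hash peripheral, and the shared key, serial number and 16-frame look-ahead window are constructed values.

```python
import hmac, hashlib, struct

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed shared secret
WINDOW = 16  # receiver accepts a counter at most WINDOW ahead of the last accepted one

class Transmitter:
    """Key fob: increments a counter on every press and authenticates the frame."""
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0
    def press(self, button):
        self.counter += 1
        body = struct.pack(">IIB", self.serial, self.counter, button)  # 9 bytes
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]   # truncated MAC
        return body + tag                                             # 17-byte frame

class Receiver:
    """Car side: checks MAC, serial and that the counter moved forward within WINDOW."""
    def __init__(self, key, serial):
        self.key, self.serial, self.last = key, serial, 0
    def accept(self, frame):
        if len(frame) != 17:
            return False
        body, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):   # tampered or wrong key
            return False
        serial, counter, button = struct.unpack(">IIB", body)
        if serial != self.serial:
            return False
        if not (self.last < counter <= self.last + WINDOW):  # replay or too far ahead
            return False
        self.last = counter   # counter only ever moves forward
        return True

def demo():
    """Walk through the cases a rolling-code receiver must get right."""
    tx, rx = Transmitter(KEY, 0x1234), Receiver(KEY, 0x1234)
    first = tx.press(1)
    r = {"first": rx.accept(first)}          # counter 1: accepted
    r["replay"] = rx.accept(first)           # same frame again: rejected
    for _ in range(5):
        tx.press(1)                          # presses out of range, never received
    r["resync_in_window"] = rx.accept(tx.press(1))   # counter 7, within window: accepted
    tampered = bytearray(tx.press(2))        # counter 8, valid MAC...
    tampered[8] = 1                          # ...but button byte altered: MAC fails
    r["tampered"] = rx.accept(bytes(tampered))
    for _ in range(WINDOW + 5):
        tx.press(1)                          # far more presses than the window allows
    r["beyond_window"] = rx.accept(tx.press(1))      # counter 30 vs last 7: rejected
    return r
```

A real KeeLoq receiver adds a resynchronisation procedure for the beyond-window case; here it is simply rejected.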
Don't worry 🙂 Just log in to MyST and hit Alt-K to generate /Drivers/CMSIS/ and /Drivers/STM32H5xx_HAL_Driver/ based on the .ioc file. After a couple of seconds your project will be ready for building.
- Rolling code (Wikipedia)
- Rolling code (Grokipedia)
- KeeLoq (Wikipedia)
- An Introduction to KeeLoq Code Hopping (Microchip)
- KeeLoq Code Hopping Encoder (Microchip)
- RollBack & RollJam: Exploring vulnerabilities to strengthen vehicle security (Vietsol)
- How does a rolling code work? (StackExchange Cryptography)
- CAN Injection: keyless car theft (Canis Automotive Labs)
- Advancing keyless entry/go (NXP)
- Samy Kamkar: Automotive security research (Wikipedia)
- advrc - Advanced Rolling Codes (arongeo on GitHub)
- KeeLoq (Hosein Hadipour, hadipourh on GitHub)
- Rolling Code Authentication System (Robert McDermott, robert-mcdermott on GitHub)
Create your own home laboratory/workshop/garage! Get inspired by ControllersTech, DroneBot Workshop, Andreas Spiess, GreatScott!, bitluni's lab, ElectroBOOM, Phil's Lab, atomic14, That Project, Paul McWhorter, Max Imagination, Nikodem Bartnik, Stuff Made Here, Mario's Ideas, Aaed Musa, and many other professional hobbyists sharing their awesome projects and tutorials! Shout-out/kudos to all of them! Promote README-driven learning 🙂
> [!WARNING]
> Rolling/hopping codes - do try them at home ❗
210+ challenges to start from: Control Engineering for Hobbyists at the Warsaw University of Technology.
Stay tuned 😎
[^1]: An exemplary use of Mbed TLS is demonstrated in my Wall of Entropy.