Unlocking KeeLoq - A Reverse Engineering Story

Presented at DEF CON 29 (2021)

KeeLoq Remote Keyless Entry systems make use of radio frequency transmissions to operate and have many known weaknesses. A 64-bit manufacturer key is used in transmissions to encrypt an incrementing transmission sequence number in order to provide replay protection. This presentation is a journey into bringing existing research together to make personal KeeLoq projects practical, ultimately repurposing a commercial receiver as part of a home automation system integration project. I will demonstrate how I recovered the manufacturer key by extracting and reverse engineering the receiver's firmware using a JTAG adapter and Ghidra. Next, I will cover decoding and decrypting the KeeLoq transmissions (verified using a logic analyzer), cloning the captured serial and sequence numbers to a new transmitter, and finally, how to export the received transmissions to a home automation system via an add-on WiFi-capable microcontroller.

REFERENCES:

  • http://ww1.microchip.com/downloads/en/appnotes/00744a.pdf
  • https://link.springer.com/chapter/10.1007/978-3-540-78967-3_1
  • https://link.springer.com/chapter/10.1007/978-3-540-85174-5_12
  • https://github.com/jpleger/hcs301_programming
  • https://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/
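To make the replay protection described in the abstract concrete, here is an added example (not code from the talk or its references): the KeeLoq block cipher as published in Microchip's application notes, followed by the receiver-side check of a decrypted hopping code that rejects a repeated or out-of-window counter. The 64-bit device key, serial number and counter values are constructed for the demonstration.

```python
# Added example: KeeLoq cipher plus receiver-side hopping-code validation.
# Key, serial and counter values below are constructed, not from any real device.
NLF = 0x3A5C742E  # KeeLoq non-linear function: 5-bit input selects one output bit


def _bit(v, n):
    return (v >> n) & 1


def keeloq_encrypt(block, key):
    """528-round KeeLoq encryption of a 32-bit block under a 64-bit key."""
    x = block & 0xFFFFFFFF
    for r in range(528):
        nlf = _bit(NLF, _bit(x, 1) | _bit(x, 9) << 1 | _bit(x, 20) << 2
                   | _bit(x, 26) << 3 | _bit(x, 31) << 4)
        fb = nlf ^ _bit(x, 16) ^ _bit(x, 0) ^ _bit(key, r % 64)
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(block, key):
    """Inverse of keeloq_encrypt: same taps shifted by one, key bits in reverse."""
    x = block & 0xFFFFFFFF
    for r in range(528):
        nlf = _bit(NLF, _bit(x, 0) | _bit(x, 8) << 1 | _bit(x, 19) << 2
                   | _bit(x, 25) << 3 | _bit(x, 30) << 4)
        fb = nlf ^ _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) % 64)
        x = ((x << 1) & 0xFFFFFFFF) | fb
    return x


def pack_hopping(counter, serial, button):
    """Plaintext of the encrypted word: counter[15:0], discriminator[25:16]
    (low 10 bits of the serial), overflow[27:26] left 0, button[31:28]."""
    return (button & 0xF) << 28 | (serial & 0x3FF) << 16 | (counter & 0xFFFF)


def validate(hopping_code, serial, button, dev_key, last_counter):
    """Receiver-side check. Returns (accepted, counter to store)."""
    p = keeloq_decrypt(hopping_code, dev_key)
    if ((p >> 16) & 0x3FF) != (serial & 0x3FF) or (p >> 28) != (button & 0xF):
        return False, last_counter  # wrong key, wrong serial or corrupted frame
    ctr = p & 0xFFFF
    delta = (ctr - last_counter) & 0xFFFF
    if 1 <= delta <= 16:  # inside the open window: accept and advance
        return True, ctr
    # delta == 0 is a replay; delta > 16 would need the two-frame resync step
    return False, last_counter


if __name__ == "__main__":
    key, serial = 0x0123456789ABCDEF, 0x0ABCDEF  # constructed values
    frame = keeloq_encrypt(pack_hopping(0x0103, serial, 0x2), key)
    print(validate(frame, serial, 0x2, key, 0x0100))  # accepted, counter 0x0103
    print(validate(frame, serial, 0x2, key, 0x0103))  # replayed frame rejected
```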

Presenters:

  • Rogan Dawes - Researcher, Orange Cyberdefense's SensePost Team
    Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab. In recent years, Rogan has turned his attention towards hardware hacking, and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header. @RoganDawes
