Why the rolling code remote control is cracked and copied
Car remote control keys currently have obvious loopholes, and many car brands are affected. Most cars on the market are equipped with wireless radio-frequency remote control keys, which can execute commands such as locking, unlocking, and opening doors. These keys use either a fixed code or a rolling code. In the fixed code scheme, the remote control key sends the same code every time the same button is pressed. The problem is that it is easy to crack: an attacker only needs to intercept the unlock signal to get into the car's remote control door lock system, so the possibility of car theft is extremely great.
In the rolling code scheme, the remote control key sends a different code every time the same button is pressed. The popular rolling code remote control solution is KeeLoq coding from the American company Microchip Corporation. There are also MCU rolling codes, AES rolling codes, DES rolling codes and so on programmed by some manufacturers, as well as RFID chip rolling codes. They are all similar: each uses a pseudo-random algorithm, so that the rolling codes sent by the same button look significantly different from one press to the next and have no obvious connection, and each rolling code is valid only once; a second use is rejected.
As shown in FIG. 1, KeeLoq coding is used as an example to describe the rolling code encoding and encryption method. The rolling code is formed from the serial number, synchronization code, feature code, and function code, encrypted with the KeeLoq algorithm. The serial number is the ID of the transmitting end and is unique. The synchronization code corresponds to the current rolling code and acts as the sequence number of that rolling code. The feature code lets the receiving end verify, after decrypting, that the decryption is correct. The function code tells the car which action to perform when the corresponding button is pressed. When the transmitting end detects a button press, it generates a function code, which is encrypted using the KeeLoq algorithm to form the rolling code corresponding to the synchronization code. The synchronization code is automatically incremented and stored in the internal memory of the transmitting end. The receiving end receives the rolling code information and also updates the synchronization code value in its EEPROM, which keeps the synchronization codes consistent so that decoding succeeds.
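The receiving end's checks described above (serial number, feature code after decryption, and a synchronization code that must be fresh) can be sketched as follows; this is an added example, not code from the original page or from Microchip. The field widths, the feature code value, the acceptance window, all names, and the KeeLoq-style cipher used as a stand-in for the chip's algorithm are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed plaintext layout (constructed for this example, not from the page):
   [31:28] function code | [27:16] feature code | [15:0] synchronization code */
#define FEATURE 0x5A3u      /* constructed feature code known to both ends */
#define WINDOW  16u         /* assumed: how far ahead the counter may run */
#define NLF     0x3A5C742Eu /* nonlinear function table of the stand-in cipher */

static uint32_t bit(uint64_t v, unsigned n) { return (uint32_t)(v >> n) & 1u; }
static uint32_t nlf(uint32_t x, unsigned a, unsigned b, unsigned c, unsigned d, unsigned e) {
    return bit(NLF, bit(x,a) | bit(x,b) << 1 | bit(x,c) << 2 | bit(x,d) << 3 | bit(x,e) << 4);
}
/* KeeLoq-style shift-register cipher: 32-bit block, 64-bit key, 528 rounds. */
uint32_t rc_encrypt(uint32_t x, uint64_t key) {
    for (unsigned r = 0; r < 528; r++)
        x = (x >> 1) | ((bit(x,0) ^ bit(x,16) ^ bit(key, r & 63) ^ nlf(x,1,9,20,26,31)) << 31);
    return x;
}
uint32_t rc_decrypt(uint32_t x, uint64_t key) {
    for (unsigned r = 0; r < 528; r++)
        x = (x << 1) | (bit(x,31) ^ bit(x,15) ^ bit(key, (15 - r) & 63) ^ nlf(x,0,8,19,25,30));
    return x;
}
typedef struct { uint32_t serial; uint64_t key; uint16_t sync; } receiver_t;
enum { RC_OK, RC_BAD_SERIAL, RC_BAD_FEATURE, RC_STALE_OR_OUT_OF_WINDOW };

/* Transmitter side: encrypt function code, feature code and the new counter. */
uint32_t rc_make(uint64_t key, uint16_t sync, unsigned func) {
    return rc_encrypt((uint32_t)(func & 0xFu) << 28 | FEATURE << 16 | sync, key);
}
/* Receiver side: decrypt, verify the feature code, require a fresh counter. */
int rc_receive(receiver_t *rx, uint32_t serial, uint32_t code, unsigned *func) {
    if (serial != rx->serial) return RC_BAD_SERIAL;
    uint32_t p = rc_decrypt(code, rx->key);
    if (((p >> 16) & 0xFFFu) != FEATURE) return RC_BAD_FEATURE;
    uint16_t ahead = (uint16_t)((p & 0xFFFFu) - rx->sync);  /* wraps mod 2^16 */
    if (ahead == 0 || ahead > WINDOW) return RC_STALE_OR_OUT_OF_WINDOW;
    rx->sync = (uint16_t)(p & 0xFFFFu);  /* store it: this rolling code is spent */
    *func = p >> 28;
    return RC_OK;
}
int main(void) {
    receiver_t rx = { 0x1234567u, 0x0123456789ABCDEFull, 100 };  /* constructed */
    unsigned f = 0;
    uint32_t code = rc_make(rx.key, 101, 2);
    printf("first use: %d\n", rc_receive(&rx, rx.serial, code, &f));
    printf("replayed:  %d\n", rc_receive(&rx, rx.serial, code, &f));
    return 0;
}
```

The acceptance window exists because presses made out of range advance the transmitter's counter without the receiver seeing them; a receiver that accepted any counter value, or never stored the new one, would behave like the fixed code scheme.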
The rolling code improves anti-theft performance to a certain extent, but even the AES encryption method that is generally considered safe still carries a certain risk of theft, because the so-called rolling code is actually a pseudo-random code. Each time the button is pressed, the synchronization code counter is incremented by one and the code is then generated from that synchronization code. The disadvantage is that such a simple change to the synchronization code may be cracked. In addition, the algorithms and parameters of these coding chips are set uniformly by the manufacturer. Once a leak occurs, all the remote control keys of the same batch can be decoded and copied.