You are fundamentally wrong, KeeLoq does not work exactly like that: there is no direct dependence that the next hop should be at least somewhat similar to the previous one. All values are “random”, but almost any correctly generated hop will work when decoded by the receiver. The button code that satisfies the rule must match the code in the fix part, the last 10 bits of the serial number must match the fix part, and the counter should be !more! than the one previously received by the receiver. And from this we can conclude that the hop part can simply be generated randomly; it will have the same effect as your method, depending on your luck, and this is not optimal at all.
You are correct, it’s all just luck. I should have been clearer that we could start the upper 32 bits from anywhere - only the lower 32 bits need to match. We can increment by any amount (or randomly). The graph I made was based on the 65536 actual values of my remote, starting from the last code transmitted (because we have to start from somewhere). The table I made is for my remote and uses an increment of 1. Had I started the counting from somewhere else, my luck would have changed; and perhaps incrementing by 1 would have performed much worse/better.
My hope is that people see on average it could take years (at least for my remote) & they could get lucky and open on the second try.
I showed there are two different kinds of matching. If we focused on the second kind of match, I could have rigged it so that we started at a hop that happened to decode to count 0011 and matching the end of our serial number, then jumped to another code that happened to decode to count 0012 and matching the end of our serial number (which would have opened 1/4 of the codes on a Genie remote or 1/2 of the codes on standard KeeLoq). Typically you don’t know a code that is 10,000 codes from now; unless you dumped the full remote (using a tool like Genie Recorder) or know the MF code. And if you dumped the codes, you would be better off making 4 SUB files to always open that remote than trying a brute force attack.
I thought starting from the last code sent was most fair, but you can start anywhere you feel lucky. 🍀
Like it how u say use for educational purpose..lol u know there's a school for criminals..and yes what they learn is educational for malicious purpose..but i get it ppl scared to say the wrong thing and god forbid lol YouTube bans them..omg what am i gonna do now..oh thanks to flipper i have over 50 thousand emails ...🎉😂
Great work! I love how in-depth you go on these videos. So much great stuff to learn, keep it up!
Much appreciated! Hopefully the skids aren’t watching. It was fun brute forcing, even if I did pick the easiest/quickest code. (During the brute force attack, I was out mowing the lawn, since I knew I had 70 minutes.). 🤣
Finally some sub-GHz brute forcing, very useful showing how you're adding your own code to the bruteforce app, I will definitely use that one day :) great content
You're welcome! If you get stuck brute forcing your own system, feel free to ask in my Discord server. discord.com/invite/NsjCvqwPAd
The sub-ghz brute force app that we modify is at github.com/derskythe/flipperzero-subbrute. Unleashed firmware is at github.com/DarkFlippers/unleashed-firmware (be sure to clone with --recursive). Setting up dev env is at (ruclips.net/video/gqovwRkn2xw/видео.html).
If you need help, my Discord server is discord.com/invite/NsjCvqwPAd.
Do we need to attach our F0 physically to the remote like in the other genie videos, for this tutorial?
No, for brute forcing you don’t need the original remote. Although one original signal from the remote can help you determine the fixed portion of the code.
I thought it was Saturday! My clock in my office only has days on it and is clearly pointing at "Friday" but I still thought it was Saturday. 🤦 Oh well, hopefully you can watch this video during your lunch break. 🤣🤣🤣
Thank you nicely explained.
Glad it makes sense. In my Discord server I also released the C# program I wrote to determine how long codes will take to brute force given a dump with all the keys. In a few days I’ll try to package it up into one of my GitHub tutorials.
It is “fun” to brute force and see the motor eventually spin; especially after waiting a couple hours hoping it will work.
Nice Vid
Thanks
Can I use the brute force with cars to unlock them, or only with doors?
and nice video bro
Cars use a variety of protocols. Some cars use KeeLoq but the MF key isn't known. A typical brute force attack is measured in months, so you are much better off with a Rollback attack or RollJam attack. Be careful to understand your local laws around jamming even if it is your own vehicle.
👍
Then it will have to be a quantum Flipper Zero