As an over-65 electronics nerd it warms my heart to watch a young person use TERMUX to ssh to an RPi and run a PWM signal out to a make-shift antenna on GPIO4. So marvelously geeky. Thanks and God bless.
Fascinating, I have all the bits to try this... except our cars have rolling codes.
Is it where the code changes every time so no one can record the old data and then replay it?
@@M4CHINE69 In a word, yes.
Ok, so I believe in your case with a rolling code you want to use a jammer in conjunction with your sniff and repeat. I believe by jamming the key fob's RF from making it to the vehicle while you simultaneously grab the code... that code you just snatched is still good for a use. I'm an idiot though, someone please correct me if I'm wrong.
@@anthonyc3915 That would seem a logical approach and in principle should work.
@@anthonyc3915 Hi, I need your help, give your number plz.
I love your video!! You did such great step-by-step instructions, unlike everybody else trying to explain making this device.
You didn't think it was useful to do the vid during daylight?
Neat, I'll have to try this out when I get the chance
So does this basically perform the same thing as a HackRF would with key fobs?
I just bought all of the pieces can't wait to try it out!
Did it work?
Update?
I’m getting an error code... I can capture the signal but can’t replay. From what I have heard this is a problem with the latest release of the program.
@@hahayoucaughtme824 Alright. That is bad. Are they gonna fix it? Or is there a workaround?
Awesome Video thanks for sharing this video
What a fantastic vid and so well put together 👍🏻😊 I have a PlutoSDR, can I do your experiment with it?
Yes, you should be able to.
Very interesting presentation.
In my case it shows an "invalid samplerate" warning, "failed to set center frequency", and then started capturing. Please help.
Just subscribed, thanks for this, I have been searching for this for a very long time. But can you please tell me what sample rate you use after you get the error? Plz tell me.
25000
@@ModernHam That is an invalid sample rate.
I have watched this video very awesome...
There is no alternate video on RUclips on this topic...
Thank you very much
All I saw was a light. On a sendiq command hehe... My name is Klaus!
Very educational
I doubt it will work with rolling-code key fobs.
My devices do.
EVAN CONNECT can I buy your devices?
@@evanconnect8384 what is your device?
Why, when I enter the cmake command, does it show
bash: cmake: command not found
sudo apt-get install cmake -y
How can I connect my Pi through SSH? And do you use a band pass filter?
Great! What's your car model?
Is the "e6" like scientific notation for the fact that the freq was in MHz instead of Hz?
Do you think a Zero would have the power for this?
Very nice sir... keep it up... peace :)
Hi ModernHam, could you explain or break down the numbers 25000, the g35 and the e6 in "rtl_sdr -s 25000 -g 35 -f 315.0125e6 filename.iq"?
I thought the RTL-SDR was only a receiver. How did you transmit on 315/433 MHz?
The wire attached to the Raspberry Pi makes it an FM transmitter...
Not the RTL-SDR but the Pi itself.
@@ModernHam Hello. How is it possible? Does the Raspberry have a 433MHz integrated transmitter?
I would have bet that such a modern (2006) car had a rolling code!
Does it work on rolling code (if the car is keyless) if you replay the signals when you are near the car? Can you pull the door handle so the car unlocks?
I don't think so, but if you record the key fob while not in the car's range it should work.
Will this work with other PI models?
Isn't there any way to automatically detect the magic number???
Nice video. Does it unlock rolling codes too?
You will be amazed what it can do with a little help, but not on RUclips, laws. I have a lot to share when the time is right.
@@Savage.735 You want to share something? Maybe we talk via email?
@@tissentissen7245 All you do is jam the signal to the car while recording (point a second antenna at the car transmitting white noise with more power than the key does). Then when the person hits the button a second time, thinking the car didn't catch it, you resend the first code so the person sees the car blink and lock, and keep the second code for once they walk away. Nothing fancy to it like that kid wants to pretend. It works because you will have 2 valid codes that the car never received. Then when you send the first one, the second becomes the active code. On newer cars there may be some more processing to do because the car sends the fob a code back that is used to generate the next code.
@@excitedbox5705 Thank you for contacting me. Is it possible to use a jammer and SDR, or one full duplex device, for this purpose (unlocking/replaying the rolling code of a car)? Can we contact via email? Your time will be highly appreciated. Thanks.
@@excitedbox5705 Yes, but how can you jam the signal and at the same time capture it on the Raspberry? In addition to that, the car uses AM signals and sends on two frequencies at the same time... A tutorial from you would be nice!
How can I contact you for asking some questions and getting guidelines...
Plz reply, don't just like my comments.
Help, when I transmit it shows "caught transmitting 1c" and after that nothing happens, please help.
Did you get it to work? I still have an issue with transmitting.
Will the Raspberry Pi Zero W work for this?
No, we shouldn't already know what programs to use or how, if we're trying to learn how to read radio frequencies and how to set up this device. If we did, then why would we need your video? Thx for teaching this to people that already understand it.
What I didn't explain is the most basic concepts of how to operate a Raspberry Pi. You can find that in 1000 tutorials around the internet. This is RF hacking, not "how to use Linux for dummies". If you don't know how to install an operating system, you need to start there. I'm not here to hold your hand plugging in a power adapter and formatting an SD card.
Can we do this job with just a laptop with Kali Linux and an SDR? Do we need to have a Raspberry Pi?
You can only record the signal.
Yes, an RPi is needed for transmission.
Please make an updated version, 2024.
Can I use a laptop hooked to an RTL-SDR?
Should be on the back of all key fobs; if not, check the FCC database 👍
nice
Can I do this with an Arduino instead of the Pi, using 433MHz transmitters?
I think this would be possible. But you would obviously need different software for your transmitter.
./sendiq command not found
Can I do this with an Arduino instead of the Pi?
Arduino isn't a single board computer.
Can i use this "Leoie USB2.0 FM DAB DVB-T RTL2832U R820T2 RTL-SDR SDR Dongle Stick"?
Great idea, but it's simpler with a HackRF One.
Some want simple, but this is intended for those who want to actually learn how it's done. After all, the "simple" way wouldn't need a video demonstration. This shows more of what happens behind the scenes when you run those scripts made for you on the HackRF.
@@ModernHam Thanks ;)
Baki Hanma, hi, I have some questions about HackRF and replay attacks.
@@dandwrasan2342? 😇
Buying a HackRF One is not as simple as you think...
This method is much easier and more comfortable for a common user...
The FBI liked this video lol I kid I kid.
This doesn't work bro, you don't even have a band pass filter. It just creates noise. That's probably why it's shot in the dark, so no one can see you unlocking it with the key fob. I'd like to see the FFT of the replay and maybe the demodulated waveform in Audacity or something.
Yeah, you're right, I made a thirty-minute video to fake unlocking a car for YouTube for no reason, using an actual method. All the people saying it worked are just bots I had comment here.
Lol, people are funny.
Does this work well with a Pi 0 W?????
Probably, just use the same connections.
Can we use an Arduino Uno instead of a Raspberry Pi?
Giving it the ability to transmit is a little harder. There's a tutorial here: www.instructables.com/id/RF-315433-MHz-Transmitter-receiver-Module-and-Ardu/
ModernHam, thanks brother, keep making videos, we love your videos.
pi@raspberrypi:~/rtl-sdr/build $ cmake ../ -DINSTALL_UDEV_RULES=ON
-bash: cmake: command not found
Install gcc.
@@NormEnBenidorm gcc?
@@bilalbeyhan7690 gcc library --> gcc.gnu.org
Use "sudo apt-get install cmake"
Can one use an audio amp to extend signal TX on rpitx? I notice it uses PWM.
There already are publications about the vulnerabilities of car keyless entry, but those rather showed the weaknesses of their proprietary undocumented "cryptography". But here this is much worse!!! There is NO rolling code AT ALL!!!
What's worse is the "cryptography" used is basically the same as generating a hash and matching it against the car's to see if it "belongs".
This still leaves the possibility of recording dynamic keys, and jamming the frequency in such a way that they never make it to the car, leaving that key open to use at any time in the future.
@@ModernHam This attack is called "RollJam" and was invented by Samy Kamkar, but before knowing about this I imagined that I could record 2 signals while jamming some of the last bits (let's say 4), so I now have two valid rolling codes with the last 4 bits missing. I then transmit my first code with the 16 different combinations, one of which is valid and will lock the car, and the owner will think that the car is successfully locked after the 2nd press. But now I have another valid code with 4 missing bits and I can then again try all 16 combinations and unlock the car.
*This only works if the lock/unlock button is the same. On many cars it's not; however, many garage door openers use the same button.
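The comments above contrast a static fob code (replayable by anyone who records it), a counter-based rolling code, and the newer scheme where "the car sends the fob a code back". The following toy models, written as an added example for this thread and not taken from the video or from any vehicle's real protocol, show from the receiver's side what each scheme does with a first use and then with a replay of the same recording. The shared key, the 4-byte counter layout, the 16-code resync window and the truncated HMAC are all constructed assumptions for the demo.

```python
"""Toy receiver models for three key-fob authentication schemes.

Constructed demo: KEY, the frame layout and the window size are assumptions,
not the design of any real fob or car.
"""
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key-not-a-real-fob-secret"  # shared fob/car secret (constructed)
TAG_LEN = 8  # truncated MAC length in bytes (assumption)


def tag(*parts: bytes) -> bytes:
    """Keyed MAC over the message fields; stands in for the fob's keyed cipher."""
    return hmac.new(KEY, b"|".join(parts), hashlib.sha256).digest()[:TAG_LEN]


class FixedCodeReceiver:
    """Static code: every press sends the same token, so any recording stays valid."""

    def __init__(self, token: bytes) -> None:
        self.token = token

    def accept(self, msg: bytes) -> bool:
        return hmac.compare_digest(msg, self.token)


class RollingCodeFob:
    """Fob side: a monotonically increasing counter authenticated with a MAC."""

    def __init__(self) -> None:
        self.counter = 0

    def press(self, cmd: bytes) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        return ctr + cmd + tag(ctr, cmd)


class RollingCodeReceiver:
    """Car side: accepts only a counter strictly ahead of the last one seen, and
    within a resync window so presses made out of range do not desync the pair."""

    WINDOW = 16  # how far ahead the fob may run before a manual resync (assumption)

    def __init__(self) -> None:
        self.last = 0

    def accept(self, msg: bytes) -> bool:
        ctr_bytes, cmd, mac = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(mac, tag(ctr_bytes, cmd)):
            return False  # forged or corrupted frame
        ctr = int.from_bytes(ctr_bytes, "big")
        if not self.last < ctr <= self.last + self.WINDOW:
            return False  # replay of an already-used code, or too far ahead
        self.last = ctr
        return True


class ChallengeResponseReceiver:
    """Car issues a fresh random nonce and the fob must MAC it; a recorded answer
    is bound to a nonce that is never issued again."""

    def __init__(self) -> None:
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(8)
        return self.nonce

    def accept(self, response: bytes) -> bool:
        if self.nonce is None:
            return False
        ok = hmac.compare_digest(response, tag(self.nonce, b"unlock"))
        self.nonce = None  # single use
        return ok


def fob_answer(nonce: bytes) -> bytes:
    """Fob side of the challenge-response exchange."""
    return tag(nonce, b"unlock")


def demo() -> dict:
    """Run each scheme against a first use, then a replay of the same recording."""
    out = {}
    fixed = FixedCodeReceiver(b"static-token")
    recorded = b"static-token"  # what an eavesdropper would have captured
    out["fixed_replay"] = fixed.accept(recorded)  # True: static code replays

    fob, car = RollingCodeFob(), RollingCodeReceiver()
    first = fob.press(b"lock")
    out["rolling_first"] = car.accept(first)  # True
    out["rolling_replay"] = car.accept(first)  # False: counter already consumed
    for _ in range(5):  # owner presses the fob out of the car's range
        fob.press(b"lock")
    out["rolling_in_window"] = car.accept(fob.press(b"lock"))  # True: 7 is within 1+16
    for _ in range(40):  # far too many presses out of range
        fob.press(b"lock")
    out["rolling_past_window"] = car.accept(fob.press(b"lock"))  # False: needs resync

    cr = ChallengeResponseReceiver()
    answer = fob_answer(cr.challenge())
    out["cr_first"] = cr.accept(answer)  # True
    cr.challenge()  # the next unlock gets a new nonce
    out["cr_replay"] = cr.accept(answer)  # False: bound to the old nonce
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rolling-code model rejects a code the car has already consumed, which is all a plain replay needs to defeat the fixed-code car discussed above. It does nothing against the jam-and-capture scenario in the thread, because a code the car never received still has a fresh counter inside the window; that gap is what the bidirectional challenge-response variant closes, since the recorded answer is tied to a nonce the car will not issue twice.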
When was an R-Pi 30 bucks...
Instead of SSH just use a screen, that's what I use.
SSH is awesome though, Come on! haha
I am getting an error with "sudo ./sendiq: command not found". What should I do?
Remove sudo and try
Bro, I am not able to buy a Raspberry Pi 3, can I use a Raspberry Pi Zero with WiFi?
According to github.com/F5OEO/rpitx the PiZero is compatible.
Thank you for the info, keep making videos.
Raspberry Pi Zero can?
If you are able to connect the RTL-SDR with it.
Did they update rpitx or something? Everything worked fine but sendiq.sh isn't in it. So I can't send the IQ file to my car. Did I do something wrong or did they take it out?
Not that I know of. Are you sure you issued the command within the rpitx folder? I haven't updated mine.
Yeah, look at their GitHub page. sendiq.sh isn't there.
@ModernHam is it possible you copy the code from sendiq.sh and paste it in the comments so I can use it?
I set this up today with v2 of rpitx. sendiq is there, it's just not called sendiq.sh... it's simply sendiq, without the .sh suffix.
I didn't. I must've missed a step or something. A day after I set it up (without sendiq) my Raspberry Pi wouldn't boot correctly. Did you have this problem?
$ make
make: *** No targets were specified and no makefile found. Stop.
Now, I did see a Makefile.am but that did nothing.
Can you put more than one fob in, and can you do it faster 😂
Loud ass intro 🤦🏿♂️
Amazing, I've done it before but another way. Love to see more; maybe we can bring things to light for people that don't believe in real-life hacks that are so easy to pull off, really cheap. And it is not a reality, it is happening every day, as long as you have a little brain. Lots of my friends say I be doing too much, but when I show them, they're like "you need to be working for a security company or something". I also have a book coming out this summer, I will get back at you on it this summer. Nice.
Cool stuff! Do Let me know!
Your grammar is horrible.
@@ModernHam Hello, can you help me in finishing such a project? Can we talk via email?
Fake
Or, or, just get a Flipper Zero...
scriptkiddy
😂
Write your own code, little boy @@ModernHam
@@ahr0cdovlzk3my1lahqtbmftdw7 I will when you do 😂
ModernHam aha sins?
ModernHam, if you don't know who I am, it's better you shut up.
I'm reporting you.
For unlocking your own car.
Can someone please help me, I can't get past cmake ../ -DINSTALL