Keyless Entry Attacks
RF
Keyless entry systems use RF communication that can be intercepted, replayed, or relayed. Common frequencies are 315 MHz (US) and 433 MHz (EU).
Attack Types
Relay Attack
- Extend key fob range
- Two devices: one near key, one near car
- Works on passive entry systems
- Defeated by motion-based keys
Replay/RollJam
- Capture and replay signals
- RollJam blocks + captures
- Works on rolling code systems
- Requires jamming capability
Signal Analysis with SDR
```bash
# Required: RTL-SDR, HackRF, or Flipper Zero

# Capture with GNU Radio / gqrx
# Tune to 315 MHz or 433.92 MHz

# rtl_433 - Decode common protocols
rtl_433 -f 433920000 -s 1000000

# Flipper Zero
# Sub-GHz -> Read RAW
# Captures and replays signals

# URH (Universal Radio Hacker)
# GUI for signal analysis
urh

# Analyze captured signal:
# 1. Identify modulation (ASK/OOK common)
# 2. Determine baud rate
# 3. Decode bits
# 4. Identify rolling code vs fixed code
```
Legal Warning
Attacking keyless entry systems on vehicles you don't own is illegal. Only test
on your own vehicles with proper documentation.
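
Step 4 of the signal analysis above (rolling code vs fixed code), as an added example that is not part of the original page: a Python sketch that compares the decoded frames from several presses of the same button on your own fob and reports which bit ranges stay constant and which change. The input layout (one list of repeated frames per press), the function names and the sample bit strings are assumptions constructed for illustration.

```python
from collections import Counter

def runs(positions):
    """Collapse sorted bit positions into inclusive (start, end) ranges."""
    out = []
    for p in positions:
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out

def classify(presses):
    """presses: one list per button press, each holding the repeated frames
    (bit strings) decoded for that press. Returns verdict and bit ranges."""
    if len(presses) < 3:
        raise ValueError("capture at least 3 presses of the same button")
    # A fob repeats its frame within one press; a majority vote drops a
    # repeat that was corrupted by noise.
    frames = [Counter(p).most_common(1)[0][0] for p in presses]
    n = len(frames[0])
    if any(len(f) != n or set(f) - {"0", "1"} for f in frames):
        raise ValueError("frames must be equal-length strings of 0/1")
    varying = [i for i in range(n) if len({f[i] for f in frames}) > 1]
    static = [i for i in range(n) if len({f[i] for f in frames}) == 1]
    if not varying:
        verdict = "fixed"          # identical every press: replayable
    elif len(set(frames)) == len(frames):
        verdict = "rolling"        # every press produced a new frame
    else:
        verdict = "inconclusive"   # some presses repeat: capture more
    return {"verdict": verdict, "static": runs(static), "varying": runs(varying)}

# Constructed sample captures (not from a real device).
FIXED_PRESSES = [
    ["101100111000"] * 3,
    ["101100111000", "101100111001", "101100111000"],  # one noisy repeat
    ["101100111000"] * 2,
]
ROLLING_PRESSES = [  # 8 static bits (e.g. serial) + 8 changing bits
    ["1101001001101100"] * 2,
    ["1101001010010011"] * 2,
    ["1101001000111010"] * 2,
]

if __name__ == "__main__":
    print(classify(FIXED_PRESSES))
    print(classify(ROLLING_PRESSES))
```

A "rolling" verdict only shows that the frames differ between presses; it says nothing about how strong the code generation is. A "fixed" verdict means any captured frame stays valid, which is the case to flag for replacement.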