Transceiver for Hella wireless car key fobs.
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
apps flow graphs: replace deprecated correlator block Jul 21, 2018
cmake update cmake files Jan 8, 2016
docs init Jun 23, 2015
grc update grc files Jun 22, 2016
include/keyfob init Jun 23, 2015
lib Start adding support for some unsupported keys Sep 20, 2016
python delete unused unit tests Aug 7, 2016
swig init Jun 23, 2015
utils init Jun 23, 2015
.gitignore init Jun 23, 2015
CMakeLists.txt cmake: require swig Mar 17, 2017 add manifest Jan 8, 2016 Update Aug 15, 2016
gqrx-20150211-143803.wav init Jun 23, 2015
gqrx_20150306_154200_434400000.wav init Jun 23, 2015

This is a GNU Radio module to receive and reencode signals of (some) wireless car key fobs from Hella.


GNU Radio v3.7.X or the v3.8 development branch (next)


mkdir build
cd build
cmake ..
sudo make install
sudo ldconfig


See the flow graphs in the apps folder.

Frame Format and Crypto

I recommend checking out the paper Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems by Flavio D. Garcia, David Oswald, Timo Kasper and Pierre Pavlidès, presented at the 25th USENIX Security Symposium.

The paper covers the frame format, crypto, and security issues of wireless key systems. This transceiver supports what the authors call VW-3 and VW-4. According to my understanding, the WAV files (i.e., signal samples) in this repository and a firmware dump of the ECU should be a good starting point to clone key fobs and to extract the master key.

There is also a Wired article on it.

Further Information

I blogged about the module and gave a talk at SDR Academy (slides and video).