Skip to content
Transceiver for Hella wireless car key fobs.
Branch: maint-3.8
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
cmake port to 3.8 Jun 6, 2019
examples port to 3.8 Jun 6, 2019
grc port to 3.8 Jun 6, 2019
include/keyfob port to 3.8 Jun 6, 2019
lib port to 3.8 Jun 6, 2019
python port to 3.8 Jun 6, 2019
swig port to 3.8 Jun 6, 2019
utils init Jun 23, 2015
.gitignore init Jun 23, 2015
CMakeLists.txt port to 3.8 Jun 6, 2019
MANIFEST.md add manifest Jan 8, 2016
README.md update readme Jun 6, 2019
gqrx-20150211-143803.wav init Jun 23, 2015
gqrx_20150306_154200_434400000.wav init Jun 23, 2015

README.md

This is a GNU Radio module to receive and reencode signals of (some) wireless car key fobs from Hella.

Development

Like GNU Radio, this module uses master and maint branches for development. These branches are supposed to be used with the corresponding GNU Radio branches. This means: the maint-3.7 branch is compatible with GNU Radio 3.7, maint-3.8 is compatible with GNU Radio 3.8, and master is compatible with GNU Radio master, which tracks the development towards GNU Radio 3.9.

Dependencies

GNU Radio

Installation

mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

Usage

See the flow graphs in the apps folder.

Frame Format and Crypto

I recommend checking out the paper Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems by Flavio D. Garcia, David Oswald, Timo Kasper and Pierre Pavlidès, presented at the 25th USENIX Security Symposium.

The paper covers the frame format, crypto, and security issues of wireless key systems. This transceiver supports what the authors call VW-3 and VW-4. According to my understanding, the WAV files (i.e., signal samples) in this repository and a firmware dump of the ECU should be a good starting point to clone key fobs and to extract the master key.

There is also a Wired article on it.

Further Information

I blogged about the module and gave a talk at SDR Academy (slides and video).

You can’t perform that action at this time.