10 | CC1101 registers
11 | | Name | Address | Value |
12 | Description |
|---|
| IOCFG2 | 0x0000 | 0x29 | GDO2 Output Pin Configuration |
13 | | IOCFG1 | 0x0001 | 0x2E | GDO1 Output Pin Configuration |
14 | | IOCFG0 | 0x0002 | 0x06 | GDO0 Output Pin Configuration |
15 | | FIFOTHR | 0x0003 | 0x47 | RX FIFO and TX FIFO Thresholds |
16 | | SYNC1 | 0x0004 | 0xD3 | Sync Word, High Byte |
17 | | SYNC0 | 0x0005 | 0x91 | Sync Word, Low Byte |
18 | | PKTLEN | 0x0006 | 0xFF | Packet Length |
19 | | PKTCTRL1 | 0x0007 | 0x04 | Packet Automation Control |
20 | | PKTCTRL0 | 0x0008 | 0x05 | Packet Automation Control |
21 | | ADDR | 0x0009 | 0x00 | Device Address |
22 | | CHANNR | 0x000A | 0x00 | Channel Number |
23 | | FSCTRL1 | 0x000B | 0x06 | Frequency Synthesizer Control |
24 | | FSCTRL0 | 0x000C | 0x00 | Frequency Synthesizer Control |
25 | | FREQ2 | 0x000D | 0x10 | Frequency Control Word, High Byte |
26 | | FREQ1 | 0x000E | 0xB0 | Frequency Control Word, Middle Byte |
27 | | FREQ0 | 0x000F | 0x5A | Frequency Control Word, Low Byte |
28 | | MDMCFG4 | 0x0010 | 0xF9 | Modem Configuration |
29 | | MDMCFG3 | 0x0011 | 0x68 | Modem Configuration |
30 | | MDMCFG2 | 0x0012 | 0x03 | Modem Configuration |
31 | | MDMCFG1 | 0x0013 | 0x22 | Modem Configuration |
32 | | MDMCFG0 | 0x0014 | 0xF8 | Modem Configuration |
33 | | DEVIATN | 0x0015 | 0x44 | Modem Deviation Setting |
34 | | MCSM2 | 0x0016 | 0x07 | Main Radio Control State Machine Configuration |
35 | | MCSM1 | 0x0017 | 0x30 | Main Radio Control State Machine Configuration |
36 | | MCSM0 | 0x0018 | 0x18 | Main Radio Control State Machine Configuration |
37 | | FOCCFG | 0x0019 | 0x16 | Frequency Offset Compensation Configuration |
38 | | BSCFG | 0x001A | 0x6C | Bit Synchronization Configuration |
39 | | AGCCTRL2 | 0x001B | 0x03 | AGC Control |
40 | | AGCCTRL1 | 0x001C | 0x40 | AGC Control |
41 | | AGCCTRL0 | 0x001D | 0x91 | AGC Control |
42 | | WOREVT1 | 0x001E | 0x87 | High Byte Event0 Timeout |
43 | | WOREVT0 | 0x001F | 0x6B | Low Byte Event0 Timeout |
44 | | WORCTRL | 0x0020 | 0xFB | Wake On Radio Control |
45 | | FREND1 | 0x0021 | 0x56 | Front End RX Configuration |
46 | | FREND0 | 0x0022 | 0x10 | Front End TX Configuration |
47 | | FSCAL3 | 0x0023 | 0xE9 | Frequency Synthesizer Calibration |
48 | | FSCAL2 | 0x0024 | 0x2A | Frequency Synthesizer Calibration |
49 | | FSCAL1 | 0x0025 | 0x00 | Frequency Synthesizer Calibration |
50 | | FSCAL0 | 0x0026 | 0x1F | Frequency Synthesizer Calibration |
51 | | RCCTRL1 | 0x0027 | 0x41 | RC Oscillator Configuration |
52 | | RCCTRL0 | 0x0028 | 0x00 | RC Oscillator Configuration |
53 | | FSTEST | 0x0029 | 0x59 | Frequency Synthesizer Calibration Control |
54 | | PTEST | 0x002A | 0x7F | Production Test |
55 | | AGCTEST | 0x002B | 0x3F | AGC Test |
56 | | TEST2 | 0x002C | 0x81 | Various Test Settings |
57 | | TEST1 | 0x002D | 0x35 | Various Test Settings |
58 | | TEST0 | 0x002E | 0x09 | Various Test Settings |
59 | | PARTNUM | 0x0030 | 0x00 | Chip ID |
60 | | VERSION | 0x0031 | 0x04 | Chip ID |
61 | | FREQEST | 0x0032 | 0x00 | Frequency Offset Estimate from Demodulator |
62 | | LQI | 0x0033 | 0x00 | Demodulator Estimate for Link Quality |
63 | | RSSI | 0x0034 | 0x00 | Received Signal Strength Indication |
64 | | MARCSTATE | 0x0035 | 0x00 | Main Radio Control State Machine State |
65 | | WORTIME1 | 0x0036 | 0x00 | High Byte of WOR Time |
66 | | WORTIME0 | 0x0037 | 0x00 | Low Byte of WOR Time |
67 | | PKTSTATUS | 0x0038 | 0x00 | Current GDOx Status and Packet Status |
68 | | VCO_VC_DAC | 0x0039 | 0x00 | Current Setting from PLL Calibration Module |
69 | | TXBYTES | 0x003A | 0x00 | Underflow and Number of Bytes |
70 | | RXBYTES | 0x003B | 0x00 | Overflow and Number of Bytes |
71 | | RCCTRL1_STATUS | 0x003C | 0x00 | Last RC Oscillator Calibration Result |
72 | | RCCTRL0_STATUS | 0x003D | 0x00 | Last RC Oscillator Calibration Result |
73 |
74 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ### Media
2 | [RyscCorp Students post](https://store.ryscc.com/blogs/rysc-students/christopher-queensland-academy-for-science-mathematics-and-technology)
3 |
4 | [RTL-SDR Blog post](https://www.rtl-sdr.com/explaining-and-demonstrating-jam-and-replay-attacks-on-keyless-entry-systems-with-rtl-sdr-rpitx-and-a-yardstick-one/)
5 |
6 | [Cafe Scientifique QUT 2017](https://qasmt.eq.edu.au/qut-cafe-scientifique-2017/)
7 |
8 | [Short unnarrated video of capture](https://www.youtube.com/watch?v=VFLYEQ_u7Mc)
9 |
10 | # Jam and Replay Attack on Vehicular Keyless Entry Systems
11 | #### Raspberry Pi version
12 |
13 | Item | Price in AUD (store)
14 | -----|--------------------
15 | Raspberry Pi 2 Model B | $50 (element14)
16 | Yard Stick One RF dongle | $130 (NooElec)
17 | Power bank | <$30 (eBay)
18 | Wire for antenna | <$1 (any short piece of copper wire)
19 | (optional) Wi-Fi adapter | $15 (AliExpress)
20 | **Total** | **$211 ($226 with Wi-Fi adapter)**
21 |
22 | #### Arduino version
23 | Item | Price in AUD (store)
24 | -----|--------------------
25 | Arduino Pro Mini |$3 (eBay)
26 | CC1101 RF transceiver| $6 (eBay)
27 | Breadboard |$3 (eBay)
28 | Hook-up wire |$3 (eBay)
29 | FTDI (one-time use for programming) |$5 (eBay)
30 | **Total** |**$20**
31 |
32 | **Following is an extract of the paper written. It is aimed as a basic overview for those getting started in RF and does not go into much detail. If any RF experts spot errors, please let me know!**
33 |
34 | ## Background of Keyless Entry Systems
35 |
36 | A remote keyless entry system simply refers to any electronic lock that functions without the use of a mechanical key. Commonly, this comes in the form of a key fob, with buttons that communicate using radio frequency (RF) signals with a receiver to perform a certain action, such as locking or unlocking a vehicle.
37 |
38 | ### Types of Remote Keyless Entry
39 | Keyless entry systems can be categorised into three broad types, as seen below.
40 |
41 | 
42 |
43 | *Figure 1: One-way, two-way & passive RKE illustration*
44 |
45 | 1. A one-way RKE requires a manual button press to perform an action. The vehicle receives the signal and confirms that it is a valid code, then performs the required action. With a rolling code system, a cryptographically secure pseudorandom number generator (PRNG), installed in the vehicle and the key fob, is used to periodically change the required code after a keypress, usually with a buffer to account for accidental out-of-range button presses. One-way RKEs are the simplest and most common form of keyless entry, and its security will be the focus of this report (van de Moosdijk & Visser, 2009, pp. 8-9).
46 |
47 | 2. Two-way RKEs require a 'response' from the key fob given a certain 'challenge' from the vehicle (Alrabady & Mahmud, 2005, p. 2).
48 |
49 | 3. Passive RKEs (abbr. PKEs) automatically unlock within a certain radius or upon the user touching a door handle; they are usually paired with a push-button ignition switch (van de Moosdijk & Visser, 2009, p. 9).
50 |
51 | ## Proof-of-concept device
52 | ### Quick Intro to RF Hardware & Software
53 | Several new technologies have made RF security testing simpler and more affordable for hobbyists and researchers, the most important development being the software-defined radio.
54 |
55 | 
56 |
57 | *Figure 2: RTL-SDR used to analyse signal (RTL-SDR.com, 2013)*
58 |
59 | A software-defined radio is a radio system where components traditionally implemented in hardware, such as filters and demodulators, are instead implemented in software (Dillinger, Madani, & Alonistioti, 2003). The setup typically involves an RF front end and an analogue-to-digital converter, connected to a computer via USB. The computer performs the complex tasks, such as demodulation, which refers to extracting the original signal from a carrier wave. Recently, it was found that a common USB TV tuner dongle, the RTL-SDR (refer Figure 2), could be made to send raw I/Q data to a computer (in-phase and quadrature, referring to the real and imaginary components of an RF signal) (Whyte, 2013). Hence, it became affordable for the average hobbyist to have a wide-band spectrum analyser. At the time of writing, such a dongle could be obtained for less than 10 USD (eBay Inc., 2017).
60 |
61 | In addition, advances in computing hardware and software have allowed for complex signal analysis using graphical flow graph software, such as GNURadio, capable of manipulating, decoding and encoding data for use with software defined radios (The GNU Radio Foundation, Inc., 2017). Another important development is the popular Raspberry Pi single board computer, which for 35 USD offers a full Linux operating system running on a 900Mhz quad-core processor, 4 USB ports, display outputs and 40 general purpose input-output (GPIO) pins, which provides an easy-to-use, affordable testing base for the experimental jam and replay attack outlined below (Raspberry Pi Foundation, 2015).
62 |
63 | ### Overview of Jam and Replay Attack
64 | The attack that was carried out against the one-way RKE is a jam and replay attack. A high level overview and illustration of this attack is shown in Figure 3.
65 |
66 | 
67 |
68 | *Figure 3: Jam and replay attack*
69 |
70 | The attacker utilises a device with full-duplex RF capabilities (simultaneous transmit and receive) to produce a jamming signal, in order to prevent the car from receiving the valid code from the key fob. This is possible as RKEs are often designed with a receive band that is wider than the bandwidth of the key fob signal (refer Figure 3, right). The device simultaneously intercepts the rolling code by using a tighter receive band, and stores it for later use. When the user presses the key fob again, the device captures the second code, and transmits the first code, so that the user’s required action is performed (lock or unlock) (Kamkar, 2015). This results in the attacker possessing the next valid rolling code, providing them with access to the vehicle. The process can be repeated indefinitely by placing the device in the vicinity of the car. Note that if the user unlocks the car using the mechanical key after the first try, the second code capture is not required, and the first code can be used to unlock the vehicle.
71 |
72 | ### Initial Reconnaissance
73 | The first step in reverse engineering the key fob was to determine its operating frequency. The key fob case was inspected, however there were no visible frequencies or radio IDs listed that offered clues to the operating frequency. Hence, the RTL-SDR was utilised. Common unlicensed frequencies in the International Telecommunication Union Region 3, containing Australia, were tuned to and the key fob repeatedly pressed until a signal became visible on the fast Fourier transform (FFT) plot, which displays a live view of the RF spectrum (refer Figure 4, top half). The horizontal axis represents frequency in megahertz and the vertical axis the amplitude in decibels relative to full scale (dBFS). A waterfall plot is shown in the bottom half, which plots the FFT over time, with the colours representing signal amplitude (blue to red, in increasing signal strength).
74 |
75 | 
76 |
77 | *Figure 4: FFT plot of frequency versus signal strength showing key fob signal at 433.911MHz*
78 |
79 | ### Identifying Modulation
80 | As seen in Figure 4, there are two peaks at 433.878MHz and 433.957MHz, with the entire signal centred at 433.911MHz. Thus, it was deduced that the key fob used a modulation scheme known as 2-FSK (frequency shift keying), where two discrete frequencies are used to transfer digital data. However, the FFT plot does not provide information regarding how the data is actually encoded.
81 |
82 | ### Automated Decoding
83 | To further analyse the signal, a Debian setup was utilised, and the gqrx SDR receiver software used to record the key fob I/Q data. The data was passed to inspectrum, an open-source waveform analysis tool (Software in the Public Interest, Inc., 2017; Csete, 2016; Walters, 2017).
84 | A screenshot of the beginning of the signal is shown in Figure 5.
85 |
86 | 
87 |
88 | *Figure 5: Inspectrum signal analyser displaying preamble, sync-word and rolling code data*
89 |
90 | The vertical axis represents the frequency offset from the centre frequency (433.911MHz) in kHz, whilst the horizontal axis is time in seconds. As established, the signal visibly oscillates between two frequencies. The consistent, repetitive section of the signal on the left hand side of Figure 5 is the preamble, which is used to synchronise the clock of the receiver to correctly decode the transmitter’s packets. Following the preamble is a four-bit sync-word, which in this case is 1100110011001100, or 0xCCCC in hexadecimal. This sync-word is used to avoid clashes with other devices operating in that band. Following the sync-word is the actual rolling code signal, which is repeated twice, divided by a gap, seen in the far right of Figure 5. At first guess, the signal appears to be Manchester encoded, which means every bit (zero or one) is either encoded as high then low, or low then high, for the same period of time (refer Figure 6).
91 |
92 | 
93 |
94 | *Figure 6: Manchester encoding illustration (Wikimedia Commons, 2004)*
95 |
96 | Initially, the signal was decoded by manually capturing I/Q data from the RTL-SDR and using the open-source waveconverter project to demodulate the signal, and then decode it based on pulse lengths (technical details are omitted) (Clark, 2017). However, this process was very tedious and not easily scalable. The system had to be simplified to use dedicated hardware instead of a general purpose SDR.
97 |
98 | ### Jam and Replay Hardware
99 | To simplify the system, a Yard Stick One USB RF transceiver was used, that is capable of receiving and transmitting in various industrial, scientific and medical (ISM) unlicensed bands, including 433MHz, with wide support for modulations such as FSK, ASK (amplitude-shift keying) and OOK (on-off keying). The device was controlled using an interactive Python shell, which allows commands such as d.setMdmFreq(433900000) to be set, in this case setting the modem frequency to 433.9MHz. Further settings such as the modem modulation, frequency deviation, data rate (calculated using inspectrum), channel bandwidth, and packet sync mode were configured to match the key fob’s characteristics.
100 |
101 | ### Replaying Signal
102 | Upon running the Python script and pressing the key fob, data was consistently received, and there were slight deviations in each packet, confirming that the key fob utilised rolling code. I then wrote another function to transmit the signal, by converting the hexadecimal code to the correct BitArray format, and using the d.rfXmit() function. As expected, this unlocked the test automobile when run.
103 |
104 | ### Jamming Signal
105 | To create the jamming signal, the open-source [rpitx](https://github.com/F5OEO/rpitx) software was utilised, which is capable of transmitting RF signals via the Raspberry Pi’s GPIO pins. Specifically, the variable-frequency oscillator (VFO) mode was used, as it offers “precise frequency resolution” (Okcestbon, 2016). A carrier signal was transmitted at 433.850MHz, slightly below the operating frequency of the key fob, however within the automobile’s receive bandwidth.
106 | `sudo ./rpitx –m VFO –f 433850`
107 |
108 | ### Jam and Replay Attack
109 | The Python replay program was run simultaneously with rpitx, and resulted in the car not locking or unlocking. However, as expected, the signal was captured by the Yard Stick One, and could be replayed at any time to unlock the car. In the interest of responsible disclosure, photographic evidence of the device unlocking the vehicle will not be released as this could compromise the security of many vehicles still in use.
110 |
111 | At this point, the program was ported to a Raspberry Pi single-board computer as it is more portable and affordable compared to a dedicated laptop. A power bank was used to power the Raspberry Pi, and a long-range Wi-Fi dongle allowed communication via secure shell (SSH) from the laptop for initial configuration. An image of the final Raspberry Pi jam and replay setup is shown in Figure 7.
112 |
113 | 
114 |
115 | *Figure 7: Photograph of final Raspberry Pi jam & replay setup showing connections to Wi-Fi, power and RF dongle*
116 |
117 | #### Possible Extension for Two-Way RKEs or PKEs
118 | The basic techniques applied here can be applied to more complex two-way or passive RKEs, using similar hardware. As an example, in a passive keyless entry system, the vehicle emits a low-frequency (LF) signal upon user interaction, such as touching the door handle, to alert all key fobs in the vicinity. The information transmitted via the LF signal is decoded by the key fob, which responds with a valid security code that is validated by the vehicle (Alrabady & Mahmud, 2005).
119 |
120 | A PKE system can be theoretically compromised by a jam and replay attack, however the algorithm for the “response” code given the “challenge” from the vehicle must be reverse-engineered. An even simpler ‘relay’ attack requires an attacker to stand near the vehicle and amplify the LF signals, then transmit this to another attacker who is within close range of the owner’s key fob. The valid response from the key fob can then be transmitted back to the first attacker to unlock the vehicle (Francillon, Danev, & Capkun, 2010).
121 |
122 |
123 | ## Old Readme
124 | **NOTE:** Not final code. Needs to be implemented for each model of vehicle.
125 |
126 | Attempt at RollJam, jam and replay keyless entry systems. Thank you to [Samy Kamkar](http://samy.pl/) who first provided me with the inspiration to perform software defined radio research, view his more polished RollJam device [here](https://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/).
127 |
128 | Uses GNURadio to record IQ data from an RTL-SDR then decodes with a custom protocol made on wave-converter and parses the output to return the hex data.
129 |
130 | Latest version utilises a [Yard Stick One RF Transceiver](https://greatscottgadgets.com/yardstickone/) with RFCat firmware approx $100USD. Thanks to [RyscCorp](https://ryscc.com/) for sponsoring my purchase.
131 |
132 | Will try to transfer register settings when testing is complete to a cheaper CC1101 chip/$1 433MHz chip and Arduino (about 50% done).
133 |
134 | Refer [waveconverter](https://github.com/paulgclark/waveconverter) and [GNURadio](http://gnuradio.org/)
135 |
136 | Further documentation will be uploaded ~~in a few months time~~soon, including a paper on implications and recommendations for manufacturers, end-users and third parties.
137 |
138 | ### Jamming
139 | Attach an antenna to pin 12 of the GPIO header.
140 | Note that output is unfiltered and creates harmonics, probably illegal without licence.
141 | `sudo ./rpitx -m VFO -f [FREQ IN HZ]`
142 |
143 | ### Screenshots
144 | **Inspectrum view of the I/Q taken from GNURadio**
145 | 
146 | **Wave Converter demod settings**
147 | 
148 |
--------------------------------------------------------------------------------
/samples/Capture.grc:
--------------------------------------------------------------------------------
1 |
2 |
3 |