# How do wireless key fobs work?



## Barry Allen (Apr 18, 2018)

Can someone with knowledge explain how the wireless key fobs work? I'm just wanting a basic description of whether they use RFID or something else to interface with the car. It's only for my curiosity.


----------



## Eddy Cruze (Jan 10, 2014)

How does anything work that transmits signals, I would think by Radio Waves? Remember the original TV Remote Controls that didn't use batteries and just made a chime noise? This I'm sure is covered at Google


----------



## ChevyGuy (Dec 13, 2014)

PFM - Pure frigging magic. 

What particular function are you talking about? The basic key fob is "push the button and it sends a radio signal". The fancy ones used with push-button start also have a coil that picks up a magnetic signal sent out by the car. The car has an idea of where the fob is (inside or outside) based on which coil the fob responds to. 

The Cruze (1st gen) has 6 coils. One in each front door and near the license plate area. Internally, there's two in the center console (front and back) and one just behind the back seat.


----------



## Barry Allen (Apr 18, 2018)

I understand the basics of how the remote signaling for door locks, trunk, horn, etc. works. I'm just curious about what kind of encryption GM uses to lock those key fobs to specific vehicles.

I'm also interested if the key fob contains an RFID chip. I assume it does because even with the battery dead you can place the key fob in the cup holder and the car will start, so it has to be some sort of active signaling for when the battery works but a passive backup for when the battery is dead.


----------



## ChevyGuy (Dec 13, 2014)

Barry Allen said:


> I understand the basics of how the remote signaling for door locks, trunk, horn, etc. works. I'm just curious about what kind of encryption GM uses to lock those key fobs to specific vehicles.


I think the correct question is how does the car recognize the fob(s) it's been programmed for and no others. I believe each fob has a unique ID, much like the MAC ID on a Ethernet card.

I believe there's also "code rotation" to prevent a simple replay attack from getting access to your car. 




Barry Allen said:


> I'm also interested if the key fob contains an RFID chip. I assume it does because even with the battery dead you can place the key fob in the cup holder and the car will start, so it has to be some sort of active signaling for when the battery works but a passive backup for when the battery is dead.


I don't think it's a separate system. I think at close range, the coil to pick up the magnetic "call" is able to power the fob. It's an alternate power source to the existing system, not a separate system.


----------



## plano-doug (Jul 1, 2015)

ChevyGuy said:


> I believe there's also "code rotation" to prevent a simple replay attack from getting access to your car.


That's my understanding as well. The transmitter advances to the next code with each press of the button. The receiver does likewise. The receiver also will accept later or earlier codes, up to ±5, I think. That way, if the user presses the button on the fob while it's out of range of the car, the fob will be one code ahead, but the receiver can still figure it out. 

I can't remember exactly how the system resolves the case of the transmitter getting too far ahead, but trips to the dealer are usually not necessary 

Doug

.


----------



## ChevyGuy (Dec 13, 2014)

plano-doug said:


> That's my understanding as well. The transmitter advances to the next code with each press of the button. The receiver does likewise. The receiver also will accept later or earlier codes, up to ±5, I think. That way, if the user presses the button on the fob while it's out of range of the car, the fob will be one code ahead, but the receiver can still figure it out.


Ahead, yes. But I don't think it would accept any behind. That would leave the door open for a replay attack. 

Once a code is received, it won't work again until the table comes back around. I'm not sure how big the code table is, but I'd imagine it's pretty big.

The bigger the table is, the further ahead the receiver can accept without creating too big a window.


----------



## plano-doug (Jul 1, 2015)

ChevyGuy said:


> Ahead, yes. But I don't think it would accept any behind. That would leave the door open for a replay attack.
> 
> Once a code is received, it won't work again until the table comes back around. I'm not sure how big the code table is, but I'd imagine it's pretty big.
> 
> The bigger the table is, the further ahead the receiver can accept without creating too big a window.


As I recall, there was a Dallas Semi app note that described this very well, but danged if I can find it now. So some of the details are fuzzy. I agree, accepting old codes would indeed leave the car vulnerable. Good catch.

I looked for the note before my last post, but gave up. I wanted to post a link to it. I'm afraid maybe the app note got lost in the shuffle when Maxim took over Dallas.

I wanted to take a peek at it because, in my brain, I know for sure I'm munging about 6 different things together, but it seems like there was a linear feedback shift register in the key fob app...or was that the CRC generator for the EEPROM?  

Doug

.


----------



## Barry Allen (Apr 18, 2018)

ChevyGuy said:


> I believe there's also "code rotation" to prevent a simple replay attack from getting access to your car.


Can't that be spoofed with the same vulnerability as comes with garage door openers?

I seem to remember a man-in-the-middle attack scenario that some hackers pointed out years ago. A bad actor can set up a receiver and transmitter that blanks out the relevant frequency spectrum with noise. You back out of your garage and key your garage door remote to where it transmits code number (example) 624,589 out of 1 million possible combinations. Except your garage door opener doesn't receive that code because the bad actor has everything flooded with jamming RF noise, but their receiver captures that code transmitted. The door doesn't close and you think "That's weird" so you key the garage door opener again to where it transmits code number 935,920... and the garage again doesn't close again. Press again, code number 359,120... and the garage door doesn't close again. Press again, code number 318,259.. and the garage finally closes. It does this because the bad actor's man-in-the-middle jammer/transmitter finally captured a few codes and it transmits the original code number 624,589 to the garage door opener that is blissfully unaware the code hasn't been used up until that point because of the RF jamming. You go on your way to work or wherever. Sometime later the bad actor comes to your house and they've not got the next three useful codes from your transmitter because it jammed the original transmissions to pick up the codes and store them from later use.

It's far fetched, but it's a know vulnerability.


----------



## plano-doug (Jul 1, 2015)

Barry Allen said:


> Can't that be spoofed with the same vulnerability as comes with garage door openers?


As I understand it, while two transmitters could send the same code, the next codes will be different. The fobs may transmit on the same frequency, using the same modulation scheme and data scheme. But each one uses a different key that makes them unique. The key is used to create a new code relative to the previous code. So, if both transmitters send the same code but have different keys, then their subsequent codes will be different. 

The receiver has the key so it knows what code(s) to look for. With one good code but no key, the perp has a slim chance - 1 in 64K, or 1 in a million, or even less - of guessing the next code.

If I can dig up the document I was looking for regarding this, I'll post a link here.

Doug

.


----------



## ChevyGuy (Dec 13, 2014)

Barry Allen said:


> Can't that be spoofed with the same vulnerability as comes with garage door openers?


Easier then that. Apparently what's used is a "relay" box. It picks up the signal from the car and sends to companion unit that transmits the same signal - with power (longer range). Since the majority of people leave their keys near the door, such a strong signal is enough to cause the key to respond as if it was next to (or inside) the car. Effectively, the thieves are using your key without ever having to lay hands on it.

The good thing for us, thieves with that kind of equipment is unlikely to bother with Cruzes. There are far more attractive cars to steal.


----------



## Barry Allen (Apr 18, 2018)

ChevyGuy said:


> The good thing for us, thieves with that kind of equipment is unlikely to bother with Cruzes. There are far more attractive cars to steal.


I said that when I owned my Hyundai Accent. "The anti-theft is that it's a Hyundai Accent."

That, and the manual transmission helps.


----------



## plano-doug (Jul 1, 2015)

ChevyGuy said:


> Easier then that. Apparently what's used is a "relay" box. It picks up the signal from the car and sends to companion unit that transmits the same signal - with power (longer range). Since the majority of people leave their keys near the door, such a strong signal is enough to cause the key to respond as if it was next to (or inside) the car. Effectively, the thieves are using your key without ever having to lay hands on it.


You're a generation or two ahead of me  I'm still thinking of key fobs from the 90's and 00's. 

That said, I would expect the current keys to still use some sort of rotating code that would prevent theft, no?

Doug

.


----------



## Ma v e n (Oct 8, 2018)

To the best of my knowledge the current generation key fobs don't get out of synced with any reasonable amount key presses out of range. In the 90s and 2000s pre-GMLAN it was as few as 7 key presses would unsynch the car and fob. It took a simultaneous lock/unlock press on the fob to resync.

I've yet to come across a single transmitter for a full keyless access GM that was out of sync.

In the switchblade style first gen fobs the transmitter and the "key" were separate functionalities. You could program the "remote" to one car, and make the "key" work another. You can't do that anymore with new style hidden key.

I thought I remembered coming across Somewhere that the new fobs were 128bit asymmetric encrypted. So not only is there an unfathomably huge number of codes, it's not enough to secure data from a few queries and responses, to be able to crack the encryption, you need millions of these before you could be able to begin to crack it.

Previously GM used 16, then 64, and most recently 96 bit on some stuff. The 96 bit got hacked, but I don't think it was asymmetric, just a rolling 96bit


----------



## Ma v e n (Oct 8, 2018)

And yes, the fob and the antenna in the service pocket have a lower power coil in order to couple and wirelessly power the fob for authentication purposes.


----------



## Ma v e n (Oct 8, 2018)

And yes, the fob and the antenna in the service pocket have a lower power coil in order to couple and wirelessly power the fob for authentication purposes.


----------



## Ma v e n (Oct 8, 2018)

And yes, the fob and the antenna in the service pocket have a lower power coil in order to couple and wirelessly power the fob for authentication purposes.


----------



## ChevyGuy (Dec 13, 2014)

plano-doug said:


> You're a generation or two ahead of me  I'm still thinking of key fobs from the 90's and 00's.


Ok. While I guess it's possible to jam and intercept a signal simultaneously, that's not a trivial task. Not too many years ago, that would be military-grade technology.




plano-doug said:


> That said, I would expect the current keys to still use some sort of rotating code that would prevent theft, no?


I'm sure they do. However, given that it seems you can buy replacement fobs on the cheap from China, I have to wonder if it hasn't been cracked.

Then of course, there's the other method. You plant someone with a valet service. When they get a car, they add a new key to it. As long as you have a good key, adding one isn't hard and instructions are right in the owner's manual. Later, the bad guys use that new key to pick up the car.


----------



## Ma v e n (Oct 8, 2018)

Chevyguy, that's precisely why the newest vehicles require 2 good keys/transmitters to perform a quick add procedure.


----------

