How Does a Rolling Code Transmitter Work?

A rolling code transmitter is used to secure keyless entry systems like car remotes and garage door openers. It prevents replay attacks in which a third party captures the signal and then replays it to unlock the vehicle.

Rolling codes use pseudorandom number generators to deterministically generate single-use passcodes. Each time the remote and receiver synchronize, they create a new random code.

Frequency

A rolling code transmitter is a keyless entry device that transmits a unique signal to a receiver. This signal is then used to unlock a car or garage door without the need for the owner to insert a key into the vehicle.

In the past, thieves could use devices called “code grabbers” to capture the signal and later re-transmit it to open doors or turn on other electronic devices in the home. However, with rolling code systems, the signal is unique for every use and cannot be captured by a code grabber.

The system uses encryption to prevent attackers from capturing and using the signal. It also prevents a replay attack, in which an eavesdropper can record the transmission and then re-transmit it at a later time to cause the receiver to ‘unlock’.

There are many different systems, but the basic principle is that each time a remote control is activated, it generates a new code and transmits it to the receiver. The receiver keeps track of what codes it has received from the transmitter and only responds to new ones. This way, if an attacker sent the same code to the receiver twice, it would immediately trigger the alarm and immobiliser on the target car.

Similarly, in a remote-controlled garage door opener, a transmitter generates a new code when a button is pushed. The receiver then compares the new code to the previous one and either opens or closes the door based on whether it is valid or not.

This type of security system is used to prevent replay attacks, in which an eavesdropper records the transmission and re-transmits it at a later time to cause the door to open or close. It is common in remote garage door openers and keyless car entry systems.

According to the present invention, a rolling code transmitter comprises a microcontroller, a battery, and means for producing a first RF transmitted code, a second RF transmitted code, and a fixed code portion and a rolling code portion.

The fixed code portion is a single trinary bit and the rolling code portion comprises alternating digits. The alternating digits are encoded in a first 20-bit frame and a second 20-bit frame which have a single synchronization or identification pulse indicating the start of the frame and whether it is the first or second frame.

Bits

A rolling code transmitter and receiver pair can generate different codes for a device, such as a keyless entry system in a car. When the transmitter sends a code, the receiver receives it, and if it matches, the two devices work together to unlock the vehicle.

Rolling code works by using a pseudorandom number generator (PRNG) that has two pieces of information: the previous number it generated, and a calculation to be performed. When it generates the next number, the other device can check it with its own PRNG and determine if the numbers are identical. This is a non-cryptographic system, and it can be susceptible to attacks that don’t require a cryptographic algorithm.

In a rolling code system, the transmitter and receiver are designed to be synchronized so that they never send the same code twice. This is because sending the same code twice will cause a malfunction.

The receiver then stores the fixed and rolling code in a 32-bit memory address, where it can be decoded by a processor to provide a signal that actuates an electric motor to open or close a movable component. The fixed code portion of the memory address is a three-valued or trinary bit code, while the variable code portion is a 16-bit fixed code word and a 16-bit variable code word.

When the code is received, the processor compares it to the stored code and then creates a new code that can be transmitted. This is done through a series of commands and by using a random number generator.

Typically, the code is sent bit-for-bit, so that it won’t be repeated on more than one occasion. This ensures that the attacker won’t be able to replay the same code.

Another security feature of the rolling code system is that the counters on the remote and the receiver are not exactly equal. If their counters are different, the receiver will reject the transmitter and mark it as lost. This is done to prevent unauthorized use of the remotes or vehicles.

If you’ve ever held down a button on a keyless remote for a long time, you’ve probably noticed that the device repeatedly transmits the same code several times per second. This is called “rolling code” and is an integral part of the security of many modern keyless remotes, which means that it’s important to be able to understand how it works.

Time

Most keyfobs that unlock cars, garage doors, and gates use a rolling code transmitter to secure the system. A rolling code transmitter deterministically generates a new code each time you use the remote to unlock the car, open the gate, or actuate the door. This way, an attacker cannot re-use codes from earlier attempts to unlock or gain access to the vehicle, and is unable to break into it at a later date.

This makes it a fairly simple and reliable security measure for a keyless entry device, because there is only a very small chance that an attacker will find a compatible keyfob and have access to the receiver found in the car. In fact, it is virtually impossible to unlock another person’s car with this method because there are only 256 possible code combinations that the transmitter and receiver will accept.

However, it is not completely impossible to hack into these systems because a hacker can simply use two cheap software-defined radio dongles. One of these devices can be used to intercept the frequency that the keyfob transmits on, while the other can be used to filter out any data segment from the transmission.

Once a thief has an effective RF dongle, he can then perform an attack known as codegrabbing / rolljam. It’s a relatively simple and popular attack that can be done with just a few pieces of low cost hardware.

In order to prevent this attack from happening, Honda vehicles have a rolling code counter. Once the synchronizing counter is increased after each keyfob button is pressed, it must be reset before the next command can be sent out to the receiver.

Then, a series of commands is sent to the receiver in order to set it into a re-sync mode. After each cycle of this counter is completed, the code will not work again and the re-sync mode will be reset.

These vulnerabilities have been a concern for the automotive industry and many researchers are trying to come up with ways to mitigate this problem. A common way to do this is by using a Pseudo Random Number Generator (PRNG). The PRNG generates a sequence of numbers that are different every time it is run, so it is essentially close to random and will never be reused.

Counter

Counters are a type of circuit used in digital logic and computing. They typically have an input line called the clock and output lines that represent a number in the binary or BCD number system. Each pulse that is applied to the clock input increments or decrements the counter’s number.

A counter can be found in many different types of electronic and computer devices. They are commonly used for time measurement, displaying a count of objects, and in various detection circuits.

In a rolling code transmitter, a keyfob transmitter keeps a synchronization counter C that is incremented every time the button is pressed. When the receiver receives a message that matches one of the keyfob’s synchronization codes, the receiver extracts the synchronization counter C and compares it to the most recent validated synchronization counter N in its memory. If C is greater than N, the car unlocks the doors or activates another function of the car.

If C is less than N, the receiver clears the bit counter and the rolling and fixed code registers. The active period and the inactive period are tested to ensure that they are not more than 4.5 milliseconds.
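The counter comparison described above can be sketched as follows. This is an added example, not code from any real keyfob or from the patent text quoted on this page. It assumes an HMAC-SHA256 tag over the fixed and rolling parts as a stand-in for whatever algorithm a given product uses, and the names `WINDOW`, `TAG_LEN`, `Transmitter`, `Receiver` and the frame layout are hypothetical.

```python
import hashlib
import hmac
import struct

WINDOW = 16   # assumed look-ahead: presses made while out of range of the receiver
TAG_LEN = 8   # assumed truncated tag length in bytes

def _tag(key: bytes, fob_id: int, counter: int) -> bytes:
    # Tag binds the fixed part (fob id) to the rolling part (counter C).
    msg = struct.pack(">II", fob_id, counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

class Transmitter:
    def __init__(self, key: bytes, fob_id: int):
        self.key, self.fob_id, self.counter = key, fob_id, 0

    def press(self) -> bytes:
        self.counter += 1   # C is incremented on every button press
        head = struct.pack(">II", self.fob_id, self.counter)
        return head + _tag(self.key, self.fob_id, self.counter)

class Receiver:
    def __init__(self, key: bytes, fob_id: int):
        self.key, self.fob_id, self.last = key, fob_id, 0   # last is N

    def receive(self, frame: bytes) -> str:
        if len(frame) != 8 + TAG_LEN:
            return "malformed"
        fob_id, counter = struct.unpack(">II", frame[:8])
        if fob_id != self.fob_id:
            return "unknown-fob"
        if not hmac.compare_digest(frame[8:], _tag(self.key, fob_id, counter)):
            return "bad-tag"          # counter field altered or wrong key
        if counter <= self.last:
            return "replay"           # C is not greater than N: already used
        if counter > self.last + WINDOW:
            return "out-of-window"    # too far ahead: needs a re-sync procedure
        self.last = counter           # only a validated C advances N
        return "accept"

def demo() -> list:
    key = bytes(range(16))            # constructed sample key
    tx, rx = Transmitter(key, 0xA1B2C3D4), Receiver(key, 0xA1B2C3D4)
    first = tx.press()
    results = [rx.receive(first), rx.receive(first)]   # fresh frame, then its replay
    for _ in range(3):
        tx.press()                    # presses the receiver never hears
    results.append(rx.receive(tx.press()))             # C=5, inside the window
    edited = first[:4] + struct.pack(">I", 6) + first[8:]
    results.append(rx.receive(edited))                 # counter changed, old tag
    for _ in range(WINDOW + 1):
        tx.press()
    results.append(rx.receive(tx.press()))             # C=23, N=5: beyond window
    return results

if __name__ == "__main__":
    print(demo())
```

The tag is verified before the counter is compared, so a frame with an edited counter field never moves N, and a recorded frame fails the `counter <= self.last` check once the receiver has accepted it.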

When the bit counter test in step 712 indicates that the bit is a 0, it is set equal to 1. Control is transferred to step 734 to verify that the rolling and fixed codes are also a 0, which means the signal has emanated from an authorized transmitter.

Then in the next step 760, the first bit that has been received and the sync bit plus trinary data bits are tested to determine whether they are indicative of a first frame or a second frame. If they are indicative of a second frame, the first bit is cleared and the sync bit plus trinary data is added to the rolling code sequence.

Then in a step 762, the received frame and the sync bit plus trinary data are added together to form the complete inverted rolling code. This inverted rolling code is then transmitted over the radio frequency (RF) channel to a remote device, such as a car, to activate its functions.