i subscribed not only for the quality content but mainly for when I started in the middle of the series and you told me to start at the beginning AND YOU HAD A PLAYLIST EASY TO FIND WITH ALL THE VIDEOS

If it CAN be screwed up, generally I WILL screw it up. 🤣 Thx for the help to avoid that.

PLEASE don't mess with production rolling codes & desync your remote! Later this month I'll have an app you can run on a 2nd Flipper to practice rolling codes & hopefully September I'll have an app that can run on less expensive hardware (probably ESP32-S2/Arduino Uno + CC1101 + some screen [or serial port]). My first couple of videos are going to help just understand what all the displayed fields are, then we can start to go deeper into one of the protocols. Then we can continue looking at more protocols. I bought hardware for KeeLoq, so I can make a few videos on that one. If you know where I can buy inexpensive receivers in the US (garage door openers, gate controllers, etc.) that the Flipper Zero can Read, please let me know. If there is a particular rolling code protocol from github.com/flipperdevices/flipperzero-firmware/tree/dev/lib/subghz/protocols that you are interested in, let me know that too! Don't forget to join my discord channel for more conversations and giveaways... discord.com/invite/NsjCvqwPAd Thanks again for subscribing to my channel!

@proletsearch

2 ай бұрын

I have a theoretical question: If one key fob (rolling codes) is programmed to be used for 2 cars (of the very same model and configuration), which is possible with the OEM dealer software, what would be the negative implications from technical perspective?

Such pedagogy ! Thanks for clean and clear explanations ! 🤘 And also wanted to add that for those whose english is not native-language (like the 🐸I am XD), yours is crystal-clear and easily understandable. Keep on going !

@MrDerekJamison

9 ай бұрын

Thanks. I typically also try to close caption my videos (but sadly I don’t think the machine translation for other languages use my English captions).

Excellent presentation, thank you

@MrDerekJamison

8 ай бұрын

Glad it was helpful!

If it's that easy to screw up your remote, it's a DoS, so that's a vulnerability in itself.

@MrDerekJamison

10 ай бұрын

It’s manufacture specific; but I agree. I keep asking people for recommendations on where to buy different receivers to try it out. So far the receiver I have does KeeLoq but is susceptible to replay attack. I have another two receivers on the way. I’ve heard Genie (intellicode) seemed to get in a strange state when replaying past codes from ReadRAW - but the units are $60+ so I think I’ll probably try eBay after defcon to see if I can get a remote + receiver for cheaper.

Amazing Video! ❤ Thank you so much

@MrDerekJamison

9 ай бұрын

Glad you liked it!

Thank you for sharing your knowledge

@MrDerekJamison

6 ай бұрын

You're welcome. It's been fun learning. If you have questions about Sub-GHz, the best place to ask is my discord server -- discord.com/invite/NsjCvqwPAd I also wrote a wiki, which I hope to improve over the holidays. github.com/jamisonderek/flipper-zero-tutorials/wiki/Sub-GHz

Brilliant video thanks

@MrDerekJamison

9 ай бұрын

Thanks. Next Saturday I'm releasing a video that goes into *way more detail* on the actual encoding (from a RAW file all the way to decoding all the data & forming a valid Sec1.0 SUB file). I'm on the 5th video about rolling codes, and some feedback I got was people are ready to hear the encoding details. I think it will likely also cover Security 2.0 -- which makes for a long video, but it's still interesting to contrast the two protocols. (Now that I've learned about them both.)

I'm still a noob and learning all this stuff. This protocol is somewhere along the "encoded", "obfuscated", "encryption" spectrum... perhaps it is more accurately described as "obfuscated". The algorithm doesn't use a key, so if people know the complex reordering bit scheme, they can reverse any data sent with this protocol.

Thank you for sharing 👍👍👍

@MrDerekJamison

4 ай бұрын

Thanks for watching. I have a playlist of rolling codes videos - kzread.info/head/PLM1cyTMe-PYJfnlDk3NjM85kU5VyCViNp

Hi Derek! I wanted to ask you how you took the second packet in this video and converted the 20 trit long packet and got it into the form of E6000044? Moving between the trit of the serial of the "FOB" to decimal or Hex made sense but I haven't figured out how you converted the original two packets into 63A5EB6D and E6000044. Anyways, thanks for making the video and would love if you did a companion for Security+ 2.0. Cheers

@MrDerekJamison

10 ай бұрын

I'll try to do one on Security+ 2.0 in a few weeks. You ask a great question about the conversion! I have a spreadsheet that explains it, but I didn't think it was appropriate to discuss in this introduction video. Join my discord at discord.com/invite/NsjCvqwPAd and ask there, and I'll share the spreadsheet. The basic idea is each digit alternates between rolling and fixed. For rolling, it's we just use the {digit from the packet} (base 3). But when we get to the end, we invert all of binary bits and come up with the hex value. For both rolling and fixed we increment an accumulator with the last digit we figured out. But for fixed, we calculate the digit using the formula (60+{digit from packet}-accumulator) and then take the result divide by 3 and use the remainder (so the digit is 0,1 or 2). I think the spreadsheet I created explains it better. If you are familiar with reading code, then github.com/flipperdevices/flipperzero-firmware/blob/b90e2ca3426cf4c3e7bf6360e010b7aed71e6e41/lib/subghz/protocols/secplus_v1.c#L366 probably explains it even better! I think the actual decoding may be wrong in the slide, since I was just learning.

Super!

@MrDerekJamison

10 ай бұрын

Thank you! Cheers! This Saturday video is similar but on KeeLoq (DoorHan) protocol.

cool

So, is it possible that you could overwrite a .sub file with a future count on the key, and then emulate that signal to unlock a device that is looking for that next count?

@MrDerekJamison

9 ай бұрын

Yes, but typically the encoding or encryption makes it difficult to figure out what the key should be (assuming it’s looking for a count within 16 ahead of where you are). In some cases where Save is disabled, I can Read a signal (write key down on paper), then edit my .SUB file with key & it resumes from there using the proper fix (SN+BTN) code. Of course, now you risk desync the device; which is probably why save was disabled in the first place.

Any chance you could play around with genie intellicode? Community has been talking about a missing manf key

@MrDerekJamison

10 ай бұрын

Even with the MF key, there are additional steps that would have to be figured out, since it's a custom configuration. Read more here... forum.flipper.net/t/intellicode-2-code-dodger-2/3389/35 Also, intellicode uses a version of KeeLoq, so this video applies more (kzread.info/dash/bejne/qmihzpODcauXoZM.html). I'm just learning in so many areas. I have a lot to learn around crypto and other areas, it would take a huge effort & potentially get misused by the community. What I think *might* be possible would be to create some roll-forward sequence codes tied to a Sn and then program those into a Flipper Zero. Then you could pair your Flipper as a remote and then use a custom app to do roll-forward sequences. I could do a proof-of-concept and share the files (but then my subscribers would all have common Sn, which isn't great). Maybe I can teach how they can tear apart their own remote to create the files? Join my Discord server (discord.com/invite/NsjCvqwPAd) and let's continue the conversation!

Im having troubles with nfc and the door reader isthis kinda the same principle?

@MrDerekJamison

10 ай бұрын

I haven't looked at NFC yet, so I'm not sure how that protocol works. In October I plan to start learning NFC and RFID, but my understanding is there are lots of different standards in that space. You can ask in my Discord channel (discord.com/invite/NsjCvqwPAd) and maybe Zve8, Bettse or someone else that knows way more about nfc can answer your questions. I'm interested to learn more about real-world issues you are encountering (so I can cover the topic in a future video).

Can you do video that uses this with i button. i button is very useful.

@MrDerekJamison

10 ай бұрын

Is there a particular iButton device you are thinking about? All I have is a DS18B20 (which does give a fixed id + temp data) and a Java One ring (I haven't try accessing the Java side of it).

@ChoChanit-cx1hp

10 ай бұрын

@@MrDerekJamison the one that can read KEYFOBs

How did you learn that this the 42b was in base 3?

@MrDerekJamison

9 ай бұрын

I'm studying the firmware of the Flipper to understand so I can teach this video series, since I know nothing about rolling codes before doing this series. Both Security+1.0 and Security+2.0 use base 3 numbers. Maybe in my next video on Security+2.0 we can geek out more and discuss the encoding (or decoding) part & differences between the two algorithms, if you think that would be helpful? Here is the line in Security+1.0 that I concluded it was base-3... github.com/flipperdevices/flipperzero-firmware/blob/52b59662627254ae5ccde6201b5c4921573fc769/lib/subghz/protocols/secplus_v1.c#L368

@MrDerekJamison

9 ай бұрын

Also, feel free to join my Discord server, if you haven't already. The #general channel is a great place to ask more in-depth questions you may have about encoding/decoding. discord.com/invite/NsjCvqwPAd

@paparoach3025

8 ай бұрын

@@MrDerekJamisonamazing thank you for the response! I’m eating this stuff up

did you ever make the app?

@MrDerekJamison

3 ай бұрын

I made a "Rolling Flaws" application, which enabled a Flipper to act as a KeeLoq receiver. You can then choose the flaws to enable, size of window, replay attacks, etc. You can read more about it on my GitHub... github.com/jamisonderek/flipper-zero-tutorials/tree/main/subghz/apps/rolling-flaws

What about security+ 2.0

@MrDerekJamison

4 ай бұрын

Great question. Security+ 2.0 is covered in the 5th video in my rolling codes playlist... kzread.info/head/PLM1cyTMe-PYJfnlDk3NjM85kU5VyCViNp

@WPGinterceptor460Interceptor

4 ай бұрын

anyway to brute force it? its a 850 LM Security +2.0 390 Mhz@@MrDerekJamison

@MrDerekJamison

4 ай бұрын

@@WPGinterceptor460InterceptorIf you capture one signal with CFW firmware (like RogueMaster) it will be able to play all future signals. Brute forcing to discover both the FIX and HOP code would take a really long time.

Looks like the big companies want make money because if a lot of cars get dsynce they have a solution for it and they will share high prize pure buisness

@MrDerekJamison

9 ай бұрын

As the manufacturer, it’s not obvious what you should do when you detect a replay!/rollback. Balance between security, convenience, etc. most cases owner is going to fix the symptoms & never understand what happened. Hopefully some KZread channel posts how to resync that model of receiver. 😀