I have been looking at these units, wondering if they would pick up engine pulses from an ignition coil on a motorcycle and give a clean square wave. They are cheap and small. Do you know whats inside them and how they work?
@rectify20032 ай бұрын
Good Job As always, I didnt want to read the manual Subscribed
@ROBOROBOROBOROBO2 ай бұрын
You are great, thank you so much for making this video, I was too scared to do this and got lost on the eevblog didnt know how to start. But after seeing your video with great and simple instructions, I will follow this tutorial :) One question, instead of the SD card do you think we can use 64 gb USB?
@TheBionicbone2 ай бұрын
Thanks, I am glad it helped you. You could try the 64gb USB but sometimes these things only recognise SD / USB flash simulating devices that are 32gb or less. It's a technical limitation. I cant remember honestly if this does or doesn't. But try, it will or it wont and no harm should come from trying.
@joeynexus45252 ай бұрын
Thanks a lot, sir. Great and easy fix which helped me. 😊
@wps442 ай бұрын
Many thanks for posting the video, it's been about 9 months since I've used my AP200 to reset my oil and service intervals, but I seem to remember I used the prompt ignition 2 has engine running also for live data . Once again thanks for the video
@TheBionicbone2 ай бұрын
I think you are correct, although Position 2 (engine started) is not normally recommended when resetting any ECU value (as far as I understand), certainly when resetting error codes its advised not to have the engine running so it kind of unexpectely caught me out by requesting it. Either way it has worked with no issues
@Big12Bear2 ай бұрын
At 20:55, after you press "Date/Time", you got the "NTP" selection. However, I don't have this "NTP" option, and the screen just have "Date/Time" and "Display off" selection. The middle 2 selections, "NTP" and "Time Zone", are misssing. Do you know how to add them? I am using a SDS1104X-E, with Software Version=6.1.37R10, Uboot-OS Version=8.1, FPGA Version=2021-11-08, Hardware Version=01-05. Thx !
@cao12 ай бұрын
How
@ted27043 ай бұрын
Informative video. I know a little more about my analyser than I did 30 minutes ago, but bro, you gotta work on that teeth sucking tick.
@TheBionicbone3 ай бұрын
I never noticed that, but listened to a video I did today and I see what you mean. Spent 20 mins editing and cutting them out lol, there was quite a few. I hate it when people have the meter bleeping for continuity testing, so I'm fully with you. Thanks for letting me know.
@ted27043 ай бұрын
@@TheBionicbone Thanks a bunch! I subscribed to your channel to track your progress (smiles) Question: Do you experience Pulseview freezing up on you regularly running it on Winblows? I've run it on several flavours of linux (Mint, Manjaro, Arch) and Pulseview will always freeze on me having to close it down and restart.
@TheBionicbone3 ай бұрын
Occasionally but I'm normally messing with lots of stuff, plugging things in and out the USB hubs. One thing I noticed is the driver doesn't like the USB being interrupted while the program is running, so I give it a priority port direct the the laptop and a good shielded USB cable. It seems to help.
@samyared56093 ай бұрын
Thank you for the experiment. I have the same device. I use it with sigrok. I tried to download the usbee software, but it is not available anymore. Have you tried using a 10x oscilloscope probe to be able to test voltages higher than the 10 volt max this device can handle?
@TheBionicbone3 ай бұрын
Thank you for watching and commenting. I'll check the usbee software, I was not aware they had removed it. The x10 probe is an interesting one, I've not tried that but I just found a good cheap <£30 oscilloscope FNIRSI 138pro that comes with an x10 probe. Check my recent videos.
@fastbike98453 ай бұрын
Very useful thx - I'm just starting to play with some CANbus home automation gear.
@sippinxol99613 ай бұрын
Is it possible too just make a single esp -32 rolling code module
@TheBionicbone3 ай бұрын
I am not quite sure what you mean? Maybe remove the Tx Rx, maybe use the one ESP32 and have both Tx and Rx attached to it although not sure why. Maybe you can explain more.
@walterhell14994 ай бұрын
Cheers, it worked perfect just as you laid it out. my SDS1204X-E is updated for MSO,WIFI, AWG.... 😀 thank you
@TheBionicbone3 ай бұрын
I am really pleased this helped you. Thank you for taking the time to comment, it means a lot.
@mrkf96844 ай бұрын
How can i get a copy to test?
@TheBionicbone4 ай бұрын
Sorry it not ready for release, it needs a lot more documentation and I moved onto other stuff because the interest was not very high for the freelander 2. I still have a freelander 2 though and planning to have more time this year to continue as I have a personal interest.
@mrkf96844 ай бұрын
@TheBionicbone myself. Im looking for sniffer or can scope. I have issues on some module not talking or kind of delays.
@threeMetreJim4 ай бұрын
It will be a software emulated ev1527 or a Princeton Technology chip; viewing the waveform will tell you which one. Usually available between a receiver chip and decoder IC on the receiver pcb. Reminds me of my decoding sessions as a young teen, using a receiver (from a junked car alarm), tape recorder, and data slicer into an 8 bit home computer. Really bodgy, but it worked. For ASK now, I'd simply interface a bare receiver to the input of a sound card and record the result in Audacity for analysis. I'd be using a bare 433MHz transmitter module connected to an arduino to generate the signal rather than the sledgehammer esp and cc1101 combination. Soundcard is fine on the demodulated signal from a receiver for these things as the data rate is so low.
@threeMetreJim4 ай бұрын
This is how i'd try, just from your description (not looked at the code). Capture 1, then send random guess to move along, send captured and repeat. If the random guess is right, door opens otherwise you'll only need to send as many attempts as you have in the numbers list. Trying to roll your own rolling code without knowledge of cryptography is usually a disaster. You should see how complex the original keeloq was, but it still was broken after the method used was leaked.
@SarlonGamer4 ай бұрын
Thank you so much for this video i bought the V4 myself and its been difficult to find videos for the new version of this dongle
@x_CrossHair_x4 ай бұрын
I was playing with this.. (I set a wide bandwidth) of 200,000 to grab a wack of devices.. (BaseBand Noise Blanker) not used.. RF Gain 32.8 (But.. I say This Plugin Needs work also 😊) Fidle Fidle
@TheBionicbone4 ай бұрын
Yeah I agree. I found is it was difficult for the plug in to work put what the signal was. My car TPMS is detected but the values are incorrect. Thus the same header but different calculations used for that signal. I did find it all very interesting though. I'll come back to this one day. So many projects at the moment.
@abqlewis5 ай бұрын
This didn’t make sense the first time I viewed it. When I realized you were working with an ARM Teensy, I started to understand. You’re not saying anything untrue, but it would be more accurate if you replaced most of the places you say “Arduino” with “Teensy 3”. The original Arduinos and original Teensys were AVR MCUs. AVRs use DDRX, PINX and PORTX registers at a low level for port manipulation. Starting with v3, the Teensys became ARM MCUs. ARMs use a completely different register system to control IO bits in a completely different process than AVRs. When the Teensy 3s came out, Paul Stoffregen (the Teensy creator) extended the digitalWrite function to work for his ARM setup. He also extended the Arduino direct port calls (DDRA = 0x0F) to generate ARM register code when the board is set to Teensy 3 (and now 4). So when you write direct port register code in Arduino, for an ARM Teensy, it’s not really direct code anymore. This and the fact that ARM register bit manipulation works very differently, gives you the non-predicted results for your tests. Compile and run your test code on an AVR Arduino (UNO, Nano, Leonardo, etc), or a Teensy 2.0, and you should get very different results.
@J.D-g8.15 ай бұрын
Should be possible to get same result by telling the compiler to unroll loops, however im not comfortable enough with compiler optimization to trust the compiler to actually unroll the loops i want to unroll, so either code it ugly or look at the dissasembly to make sure. :)
@mas11ful5 ай бұрын
Hi again. I did finally get the code to compile, but the serial monitor did not show the text, only a bunch of questions marks.
@TheBionicbone5 ай бұрын
Make sure you have the serial monitor band rate (speed) set to the same as the program on the Serial.begin(xxxx) line
@mas11ful5 ай бұрын
Serial port set to same baud rate. Still same garbage.
@mas11ful5 ай бұрын
Thanks for the great video. I tried your Code and I can’t get it to compile. What am I missing?
@drewlarson655 ай бұрын
"dumps the flash and cackles* ez hack
@8x13b5 ай бұрын
You could add an RTC to the electronics and have the code be dependent on the time it receives the message. It solves the problem of desync.
@TheBionicbone5 ай бұрын
Thanks for watching. Desync has been resolved on the latest updates. Check the channel for the latest videos or github which also links to the videos.
@elmegil5 ай бұрын
"unrolling the loop" :)
@TheBionicbone5 ай бұрын
@elmegil I shall use loops with caution in future lol
@AbyssalArray5 ай бұрын
The waveform of the last one looks extremely distorted, so it still seems like the bitwise is faster without sacrificing the waveform?
@TheBionicbone5 ай бұрын
@AbyssalArray I'm sure what you are seeing on the last test is the oscilloscope not sampling quick enough cos I'm trying to collect too much data. If I ran that as a single test so I could capture just a small window, and just used Ch1 and Ch3 on my scope so I could get the full 1GSa/s rather than the 100kSa/s on the test then that would look perfect. I know, its difficult to accept, my guess is compilers have just got so good they compile the base arduino code extremely well and fully optimised.
@aquahood5 ай бұрын
So you jam one of the signals and you store the rolling code which remains valid cuz it hasn't been used and then you're in....
@TheBionicbone5 ай бұрын
They call this Rolljam, see latest videos for Rolljam I'm working on.
@dougaltolan30175 ай бұрын
If an incorrect code is repeated, Rx wont progress.. Hacker records 2 valid sequences and plays them back alternately. Rx progresses and looks ahead so it only takes once round the sequence and I'm in.
@TheBionicbone5 ай бұрын
After x (set by user) incorrect receives the rx starts a lock down, again set by user, ever increasing time outs. Its not perfect and can create a long lock out. But at least the criminal is also locked out.
@dougaltolan30175 ай бұрын
@@TheBionicbone there is a solution... Use encryption... Encrypted information is salt (key word that must be present) and a counter. Tx encrypts a sentence comprised of salt, count and RSA signature(that's overkill, but hey..) then increments count. Because count is never the same, RSA signature will never be the same. Encrypted, doubly so. Rx only has to decode a valid packet (correct encryption was used), check salt and RSA signature (double protection), and check that count is greater than any recieved so far (pre recorded packets won't work).
@TheBionicbone5 ай бұрын
It's true and the normal way, but I like to find different things and while what you mention and RSA is industry standard the industry is already preparing for the future. Search quantum resistant algorithms, and look for US government or banking
@franklee6635 ай бұрын
Maybe I misunderstood, the entire project only offers one function for a fully 4 button sender. If this is the case, I would suggest that instead of binary, we use fibonacci number base, 1 2 3 6, if you use this base 1 = 0001, 2 = 0010, 3 = 0100, 4 = 0101, 5 = 0110, 6 = 1000, 7 = 1001, 8= 1010, 9 = 1100, 10 = 1101, 11 = 1110, 12 = 1111 and the last button could be encoded into the last code sent, so you have 12,13,14,15 based on binary coding. If any transmitter sends any numbers above 12 in a sequence, you can lock it up.
@TheBionicbone5 ай бұрын
I think you understood well. Any changes could be made and that one could easily be added, to make a unique implementation and I encourage people to make changes to keep their own unique setup. I'm not sure you know but you can config to lock up after x unsuccessful attempts so you could tap into that, and repeated last code etc is handled. Tx number is already hashed into the first number sent, eventually I'll hash the button probably into the first number too.
@artursmihelsons4155 ай бұрын
Another great experiment video with shared knowledge! 👍 But this gives me an idea - second remote with rolling code, but working in infrared range.. That will be unseenable by jammer and can be used when jammer activity in area is discovered.. 😂
@TheBionicbone5 ай бұрын
It's a fact that if you didn't need the range then IR would be a safer solution 🤣
@user-zv9cq2yz8u5 ай бұрын
really well done chef, what a technique!!!
@TheBionicbone5 ай бұрын
Thank you very much
@OstfriesenVlog6 ай бұрын
nice plugin and video , thx and greetings from Germany :)
@TheBionicbone6 ай бұрын
Greetings my German friend. It’s been a long time since I was in Germany, but I remember good times.
@artursmihelsons4156 ай бұрын
It's great to see project progress and updates! 👍
@TheBionicbone6 ай бұрын
Thank you
@h.e.c.6 ай бұрын
Nice video @TheBionicbone ! Couple of ideas of hacking this really quickly and to overcone the "repeating of the same code" protection, based only in video, i.e. without review of the actual code: 1. Capture more than one actual set of codes from the actual sender, then alternate those until they roll over. In addition, you can interleave those with few fake codes too. 2. If only one real set of codes can be captured, simply interleave those with at least one fake code and run the loop until code rolls over. Basically, any system, which have "limited" set of rolling codes, which are being eventually reused, will be vulnerable to replay attack without some additional protection steps being put in place, like: A. Increasing amount of the codes (duh!). B. Increasing the time between futher code match attempts with each unmatched code to prevent fast brute forcing or rolling over. C. Keeping log of let's say 10 to 100 last attempted codes to see if some are being sent repeatedly. D. In conjuction with C. above, consider "blacklisting" valdid codes used out of sequence too many times. E. Using (as an alternative or in conjunction with) the "endless" list of codes by either using a mathematical formula rather than fixed list, or by "recalculating" the list before each reuse by the simple formula. Basic idea is to make the total amount of brute force or replay attack attempts to take very long time to make it impractical to try / use / break the code.
@TheBionicbone6 ай бұрын
Sorry about the audio sync, thanks to Andrew from Awell Digital channel this has been fixed for the next video.
@artursmihelsons4156 ай бұрын
Nice! 👍 For dealing with interference, just add at the packet end CRC. If received CRC doesn't match calculated value from received packet, receiver just ignores packet all together as faulty and don't even check compatibility with rolling code.. 😉 And waits for new packet.. For remote part - before CRC add in packet button press counter in coded manner (XOR, bit swap etc). Remote will update counter after every button press and send that data in packet. Receiver, after CRC check, first decodes received button press counter data in packet, then according to that data, goes looking in rolling code table. To prevent hacking, button press counter can't be smaller than stored last counter value in receiver, that's mean's - there is no way to reuse old or precisely captured rolling code data, because counting can only go forward until looping.. If button press counter data is smaller than expected, packet will be simply dropped.. For extra safety, button counter data can be added, even in middle of data packet between rolling code data. From theoretical point of view, even if hacker will decode button press data, it can't replicate next parcel, because he don't have rolling code data table, but this add will ensure good remote and receiver synchronization..
@TheBionicbone6 ай бұрын
@artursmihelsons415 what can I say, great minds think alike. Have a look at the update I have just released :) kzread.info/dash/bejne/dZqBpsOaerTgnMY.html. I have added multiple Rx option, and I've added the Rx number in the exact way you have mentioned for the button (I may do this for the button later). Failed transmissions are a thing of the past, even in high interferance areas. Thanks so much for your great comment and for watching and taking part, it really is appreciated.
@deterdamel73806 ай бұрын
Thanks for the follow up. I think program memory is not the main issue with encryption, especially if you - in my opinion - wast memory for the pre-shared generated key tables. You have to spend CPU-cycles and energy for encryption/decryption. I used in an experimental AVR based 433MHz transmitter/receiver ChaCha20-Poly1305 for encryption and integrity. This worked pretty good for these bit-rates.
@TheBionicbone6 ай бұрын
Thanks for watching and taking the time to comment. Energy is a key factor for me but honestly I don’t have any base to justify that on, maybe one for another video encryption and hash vs recall from memory. I’ve added ESP32 support and will be looking at deep sleep and overall energy usage. I’m still thinking though, better to be 100% not reversible than reversible but encrypted and hashed. Time will tell. Thanks again.
@christopherlastname76386 ай бұрын
😅thanks for the awesome video!
@TheBionicbone6 ай бұрын
Glad you liked it!
@jonathan-._.-6 ай бұрын
idea 1: lets say you have a recorder at the door - that pciks up the signals whenever you leave and come back , it would always send open signal and then close signal meaning around 4 requests per day i think you could get the whole code relatively quickly (depending on sizeof rollingCode and sizeofSendingRollingCode ) 🤔 im not a security expert but i think there should be some public/private key involved and some encryption
@TheBionicbone6 ай бұрын
Thanks for your comment. Can I ask you to check initValue, it applies when sizeOfRollingCode is reached. There is also an update video kzread.info/dash/bejne/iJ2ctphqaMyxgKQ.html which explains the encryption situation
@frankjrgenjrgensen51796 ай бұрын
Im just passing by. I havent studied this algorithm. But a it is a testcase perhaps, to consider 20 neighbours having the same locking mechanism - it should not leave the neighbour that happens to be on holiday for some weeks with a locket door.
@TheBionicbone6 ай бұрын
Thanks for looking. This won’t happen because the qiachip devices have to be paired, Tx to Rx, thus signals from a non paired Tx are ignored. I appreciate your comment though and you having a look.
@parthsahni89526 ай бұрын
very interesting stuff
@TheBionicbone6 ай бұрын
Thanks, your comment is appreciated
@arva1kes6 ай бұрын
I made implementation where i have aes encryption and decryption. I would send random IV unencrypted and send encrypted counter from remote to receiver (with also the command - button click/longpress/dual press etc.). AFAIK sending IV plaintext would not be bad practice. I would always allow higher counter number than the one already sent, so it would never go out of sync and would not allow lower number so it can't be replay attacked. On the remote and receiver side I save counters to eeprom and use rolling location for wear leveling and very high endurance (20+ years having multiple transmissions per day). Only problem I have is that it eats up majority of typical arduinos rom and ram. Your implementation seems far lighter and time will tell if it's secure if more people test and look into it. Thanks for great work.
@TheBionicbone6 ай бұрын
Thanks for your positive comments, I too intend to use eeprom too, it’s a good point to use rolling location for this.
@milo2karel6 ай бұрын
Thanks for describing this solution. I truly believe the rolling key mechanism is obsolete and not secure. The standard encryption & decryption mechanism from the computer world is a secure solution. Of course, RAM and storage are an issue, but there are dedicated security chips or controllers with hardware assisted encryption modules (many of them out there). The AVR is an old platform now (from 90's). There is nice example of the implementation here ww1.microchip.com/downloads/en/appnotes/atmel-42784-software-library-for-aes-128-encryption-and-decryption-on-megaavr_applicationnote_avr284.pdf
@unclealig6 ай бұрын
couple years ago i used an RTL dongle from an DVB-T usb-stick (with a RTL2832U chip) for listening to ATC radio using SDR#. Now i am trying to set it up all again, but i cant receive ATC radio (now using the current AIRSPY SDR# software). However, i can receive radio broadcasting (FM). any hint what i am doing wrong? thanks
@TheBionicbone6 ай бұрын
Did you see my recent video on fine tuning 433MHz signals?
@larrybud6 ай бұрын
4:05, I hadn't noticed that setting before! Awesome!
@TheBionicbone6 ай бұрын
@larrybud I’m glad you found the video useful, thanks for watching
@TheBionicbone6 ай бұрын
@larrybud Oh while I think about it, watch out for the bug , it doesn’t copy MISO over 😁. I keep meaning to report it to siglent
@larrybud6 ай бұрын
@@TheBionicbone Good to know! Also on EEVBlog, some people had an issue after the latest firmware update. I found a thread on there where decoding wasn't working, and I believe I had the same issue, and for me the problem was whether it would trigger on rising or falling edge. It *seems* that the display would show one thing, but the trigger actually was doing something else. A toggle of that option "reset" that setting so it would work properly. I can't absolutely confirm this is what fixed it for me because once I fixed mine, I can't reproduce the issue again.
@user-dy7rx5hp1j6 ай бұрын
Voici les informations dans le menu état système : SDS 1104X-E Ver soft 6.1.37R10 Ver Uboot os 8.3 Ver FPGA 2021-11-08 Ver Hard 01-05 Type prod SDS1204X-E Merci
@user-dy7rx5hp1j6 ай бұрын
Super, j'aimerai avec tout ce savoir faire !! Je suis débutant, j'ai installé la dernière version du software : SDS1xx4X-E Firmware (4-Channel Models) -V6.1.37R10 (Release Date 03.30.23 ) mais je n'arrive pas à installer le dernier software : SDS1xx4X-E Operating System -V3 (Only For 4-Channel models) (Release Date 01.04.23 ) est ce normal ? j'ai bien 4 fichiers sur ma clef mais aucun ne se termine par .ADS ou .CFG donc impossible de lancer la mise à jour Si quelqu'un peut m'expliquer doucement ?... Merci
@TheBionicbone6 ай бұрын
If I recall correctly the new OS is only for certain Hardware versions that need particular support, most of us don’t need it. Looking at your menu, you don’t need it
@user-dy7rx5hp1j6 ай бұрын
Bonjour, Merci pour votre retour, de toute façon c'est largement suffisant pour moi Bonne journée ;)@@TheBionicbone
@user-dy7rx5hp1j6 ай бұрын
JEU
@NicksStuff6 ай бұрын
What happens when you sync the Tx and Rx? Have you looked at the raw frames? Couldn't you use them to know where the code starts from?
@TheBionicbone6 ай бұрын
I can not see any vulnerability here. Since it is driven from a list of random numbers set by the user rather than a generated next number then the next set of numbers is impossible to reverse engineer and therefore impossible to tell where we are in the list. Also, if it was possible to workout say "in the middle of the list", it still would not help because what comes next is only known by the list in both the Tx and Rx, it can not be calculated.
@NicksStuff6 ай бұрын
@@TheBionicbone When you resync them, you don't change the list, right? So it wouldn't be hard to put a receiver near your garage door, register frames passively for a month, then flood it with wrong guesses and force you to resync them. You'll start somewhere in the list and I'll know the next frame from my previous recording.
@TheBionicbone6 ай бұрын
@@NicksStuff ok I see what you are getting at. At the moment no battery back up, thus power down Rx and we'd have to start again, reset Tx too. Also if you reflashed with "your settings" and did not change your settings or base numbers then it would repeat from the start. If someone had been recording your codes then technically they could start replaying them. With the latest code on each 10 incorrect then it would lock up for 60 seconds, then 120, 240, 480 seconds etc. any codes sent during this time are totally ignored. For clarity a normal code resync moves forward never backwards, so the Rx catches up with the Tx which can only go forward. Eventually, once I start on the text messages part I'll add eeprom, I hope then I'll be able to store how many times the list has been played, then I'll be able to roll the numbers forward and reset back to the correct position and be at the next new numbers. I hope all that makes sense, it does in my head 😁
@nicoladellino81246 ай бұрын
Nice video an project, THX.
@TheBionicbone6 ай бұрын
Thank you for a great comment
@Rob_III6 ай бұрын
Rule #1 in cryptography: Don't roll your own! Don't get me wrong, I appreciated and liked the video, but as a demonstration of the basic idea. But for anyone thinking of implementing this: Don't! Use an existing, proven, algorithm!
@TheBionicbone6 ай бұрын
@Rob_III with the greatest of respect I have to disagree. Let me pose a scenario. If I purchased a Land Rover Discovery today (if I could afford one:) ) then it would be very easy to use a relay attack and steal it, crime stats and LR insurance increase demonstrate how many are being stolen. If I somehow disabled LR protection and used mine own method in a different way to unlock the car, how long would thieves hang around trying a relay attack before moving on to an easier target? My point is, the uniqueness of my design and allowing each to be different in list of codes, init-value (which is only apply once the list is used not every time), the number of codes to make a full sequence, all mean end users can make their system unique and this in itself (in my opinion) is the best security of all.
@Rob_III6 ай бұрын
Hi@@TheBionicbone, thanks for your reply in the first place! I disagree though. What you're describing (look it up on Wikipedia) is "Security through obscurity". The best cryptographic algorithms are open and reviewed by cryptanalysts. I wish I could post a bunch of links, but I highly recommend you also google "cryptography don't roll your own". Ofcourse, if you implement your idea as a "one off" then most likely thieves won't hang around for long to try and figure it out; however, if your method is being used more and more widely you can bet that someone is going to figure out some (maybe sidechannel-)attack on your algorithm and break it wide open.
@robertbruce76866 ай бұрын
Like Microchip did (Keeloq), 😆?
@newmonengineering6 ай бұрын
I have written my own algorithm and no one knows what it is. Without me telling someone the method it's even less likely someone can hack it. I generate my own unique key and use no ones algorithm, only my very own and I'd love to see someone hack it without looking at my code because I personally doubt looking at the encrypted text anyone could make any s3nse of it. I tried to hack it with a few known methods and those all fail because those are known methods. Just my 2c.
@Rob_III6 ай бұрын
@@newmonengineeringAgain: This is "Security through obscurity". Are you using a CSRNG or a PRNG? Are you using constant-time comparison or are you vulnerable to side-channel attacks like a timing attack? Are you a cryptography expert or are you just "making things very complicated so someone will never be able to hack my system"? Again, and this has been proven time-and-again: When it comes to security the adage is, for good reason: Don't roll your own. If you think you can do better than proven algorithms then you **should** be able to tell someone how yours works and **still** be safe. Because, at one point or another, a determined attacker, **will** get a hold of your code (maybe not in source code form but in binary form) and **will** be able to reverse engineer it. You are going to have to assume that and if not, and your code relies on someone not having access to the code you've already lost. Now, an attacker may not be interested in hacking a one-off, it may not be worth the time or effort, but if your algorithm is going to be used at scale, you can bet your behind your algorithm is going to fail unless reviewed by cryptanalysts at the very least.
@AndyHullMcPenguin6 ай бұрын
You don't necessarily need to *store* many codes for your sequence. You can use a seed for a pseudo random number generator. If both Rx and Tx use the same pseudo random number generator and the same seed/salt then they can programmatically follow the same sequence without needing to store a large lookup table. Also look in to shared secrets, HMAC and Rolljam vulnerability. Also, multiple failed codes should cause a progressively longer timed lockout. This makes it much more difficult for a brute force attack to succeed within a time frame acceptable to the attacker.
@TheBionicbone6 ай бұрын
Thanks for commenting. The idea of storing the random numbers is to remove the predictability of the next code and eliminate any reverse engineering by capturing a few codes. Although for the next loop I do intend to reseed the numbers so they don’t repeat, but again the hacker would be unaware of when that happens since it will not be after every transmission. I like to think of it as using spare memory, while adding security and challengeing the current methods. I like the time out idea I may use that as well as lock out after 10 unsuccessful attempts. RollJam is also on the hit list but this need/may need different Tx/Rx device, if possible I'd really like to make a vibrating Tx Fob in the event RollJamming is detected, but lets see how far I get based on end user interest.
@xhivo976 ай бұрын
@@TheBionicbone That is a non issue if you use encryption. The common vulnerability to fix is guarding against rolljam attacks which can only be done with embedding a timestamp. Any other rolling code is going to be susceptible to rolljams and replay attacks too triggered when not in range.
Пікірлер
I have been looking at these units, wondering if they would pick up engine pulses from an ignition coil on a motorcycle and give a clean square wave. They are cheap and small. Do you know whats inside them and how they work?
Good Job As always, I didnt want to read the manual Subscribed
You are great, thank you so much for making this video, I was too scared to do this and got lost on the eevblog didnt know how to start. But after seeing your video with great and simple instructions, I will follow this tutorial :) One question, instead of the SD card do you think we can use 64 gb USB?
Thanks, I am glad it helped you. You could try the 64gb USB but sometimes these things only recognise SD / USB flash simulating devices that are 32gb or less. It's a technical limitation. I cant remember honestly if this does or doesn't. But try, it will or it wont and no harm should come from trying.
Thanks a lot, sir. Great and easy fix which helped me. 😊
Many thanks for posting the video, it's been about 9 months since I've used my AP200 to reset my oil and service intervals, but I seem to remember I used the prompt ignition 2 has engine running also for live data . Once again thanks for the video
I think you are correct, although Position 2 (engine started) is not normally recommended when resetting any ECU value (as far as I understand), certainly when resetting error codes its advised not to have the engine running so it kind of unexpectely caught me out by requesting it. Either way it has worked with no issues
At 20:55, after you press "Date/Time", you got the "NTP" selection. However, I don't have this "NTP" option, and the screen just have "Date/Time" and "Display off" selection. The middle 2 selections, "NTP" and "Time Zone", are misssing. Do you know how to add them? I am using a SDS1104X-E, with Software Version=6.1.37R10, Uboot-OS Version=8.1, FPGA Version=2021-11-08, Hardware Version=01-05. Thx !
How
Informative video. I know a little more about my analyser than I did 30 minutes ago, but bro, you gotta work on that teeth sucking tick.
I never noticed that, but listened to a video I did today and I see what you mean. Spent 20 mins editing and cutting them out lol, there was quite a few. I hate it when people have the meter bleeping for continuity testing, so I'm fully with you. Thanks for letting me know.
@@TheBionicbone Thanks a bunch! I subscribed to your channel to track your progress (smiles) Question: Do you experience Pulseview freezing up on you regularly running it on Winblows? I've run it on several flavours of linux (Mint, Manjaro, Arch) and Pulseview will always freeze on me having to close it down and restart.
Occasionally but I'm normally messing with lots of stuff, plugging things in and out the USB hubs. One thing I noticed is the driver doesn't like the USB being interrupted while the program is running, so I give it a priority port direct the the laptop and a good shielded USB cable. It seems to help.
Thank you for the experiment. I have the same device. I use it with sigrok. I tried to download the usbee software, but it is not available anymore. Have you tried using a 10x oscilloscope probe to be able to test voltages higher than the 10 volt max this device can handle?
Thank you for watching and commenting. I'll check the usbee software, I was not aware they had removed it. The x10 probe is an interesting one, I've not tried that but I just found a good cheap <£30 oscilloscope FNIRSI 138pro that comes with an x10 probe. Check my recent videos.
Very useful thx - I'm just starting to play with some CANbus home automation gear.
Is it possible too just make a single esp -32 rolling code module
I am not quite sure what you mean? Maybe remove the Tx Rx, maybe use the one ESP32 and have both Tx and Rx attached to it although not sure why. Maybe you can explain more.
Cheers, it worked perfect just as you laid it out. my SDS1204X-E is updated for MSO,WIFI, AWG.... 😀 thank you
I am really pleased this helped you. Thank you for taking the time to comment, it means a lot.
How can i get a copy to test?
Sorry it not ready for release, it needs a lot more documentation and I moved onto other stuff because the interest was not very high for the freelander 2. I still have a freelander 2 though and planning to have more time this year to continue as I have a personal interest.
@TheBionicbone myself. Im looking for sniffer or can scope. I have issues on some module not talking or kind of delays.
It will be a software emulated ev1527 or a Princeton Technology chip; viewing the waveform will tell you which one. Usually available between a receiver chip and decoder IC on the receiver pcb. Reminds me of my decoding sessions as a young teen, using a receiver (from a junked car alarm), tape recorder, and data slicer into an 8 bit home computer. Really bodgy, but it worked. For ASK now, I'd simply interface a bare receiver to the input of a sound card and record the result in Audacity for analysis. I'd be using a bare 433MHz transmitter module connected to an arduino to generate the signal rather than the sledgehammer esp and cc1101 combination. Soundcard is fine on the demodulated signal from a receiver for these things as the data rate is so low.
This is how i'd try, just from your description (not looked at the code). Capture 1, then send random guess to move along, send captured and repeat. If the random guess is right, door opens otherwise you'll only need to send as many attempts as you have in the numbers list. Trying to roll your own rolling code without knowledge of cryptography is usually a disaster. You should see how complex the original keeloq was, but it still was broken after the method used was leaked.
Thank you so much for this video i bought the V4 myself and its been difficult to find videos for the new version of this dongle
I was playing with this.. (I set a wide bandwidth) of 200,000 to grab a wack of devices.. (BaseBand Noise Blanker) not used.. RF Gain 32.8 (But.. I say This Plugin Needs work also 😊) Fidle Fidle
Yeah I agree. I found is it was difficult for the plug in to work put what the signal was. My car TPMS is detected but the values are incorrect. Thus the same header but different calculations used for that signal. I did find it all very interesting though. I'll come back to this one day. So many projects at the moment.
This didn’t make sense the first time I viewed it. When I realized you were working with an ARM Teensy, I started to understand. You’re not saying anything untrue, but it would be more accurate if you replaced most of the places you say “Arduino” with “Teensy 3”. The original Arduinos and original Teensys were AVR MCUs. AVRs use DDRX, PINX and PORTX registers at a low level for port manipulation. Starting with v3, the Teensys became ARM MCUs. ARMs use a completely different register system to control IO bits in a completely different process than AVRs. When the Teensy 3s came out, Paul Stoffregen (the Teensy creator) extended the digitalWrite function to work for his ARM setup. He also extended the Arduino direct port calls (DDRA = 0x0F) to generate ARM register code when the board is set to Teensy 3 (and now 4). So when you write direct port register code in Arduino, for an ARM Teensy, it’s not really direct code anymore. This and the fact that ARM register bit manipulation works very differently, gives you the non-predicted results for your tests. Compile and run your test code on an AVR Arduino (UNO, Nano, Leonardo, etc), or a Teensy 2.0, and you should get very different results.
Should be possible to get same result by telling the compiler to unroll loops, however im not comfortable enough with compiler optimization to trust the compiler to actually unroll the loops i want to unroll, so either code it ugly or look at the dissasembly to make sure. :)
Hi again. I did finally get the code to compile, but the serial monitor did not show the text, only a bunch of questions marks.
Make sure you have the serial monitor band rate (speed) set to the same as the program on the Serial.begin(xxxx) line
Serial port set to same baud rate. Still same garbage.
Thanks for the great video. I tried your Code and I can’t get it to compile. What am I missing?
"dumps the flash and cackles* ez hack
You could add an RTC to the electronics and have the code be dependent on the time it receives the message. It solves the problem of desync.
Thanks for watching. Desync has been resolved on the latest updates. Check the channel for the latest videos or github which also links to the videos.
"unrolling the loop" :)
@elmegil I shall use loops with caution in future lol
The waveform of the last one looks extremely distorted, so it still seems like the bitwise is faster without sacrificing the waveform?
@AbyssalArray I'm sure what you are seeing on the last test is the oscilloscope not sampling quick enough cos I'm trying to collect too much data. If I ran that as a single test so I could capture just a small window, and just used Ch1 and Ch3 on my scope so I could get the full 1GSa/s rather than the 100kSa/s on the test then that would look perfect. I know, its difficult to accept, my guess is compilers have just got so good they compile the base arduino code extremely well and fully optimised.
So you jam one of the signals and you store the rolling code which remains valid cuz it hasn't been used and then you're in....
They call this Rolljam, see latest videos for Rolljam I'm working on.
If an incorrect code is repeated, Rx wont progress.. Hacker records 2 valid sequences and plays them back alternately. Rx progresses and looks ahead so it only takes once round the sequence and I'm in.
After x (set by user) incorrect receives the rx starts a lock down, again set by user, ever increasing time outs. Its not perfect and can create a long lock out. But at least the criminal is also locked out.
@@TheBionicbone there is a solution... Use encryption... Encrypted information is salt (key word that must be present) and a counter. Tx encrypts a sentence comprised of salt, count and RSA signature(that's overkill, but hey..) then increments count. Because count is never the same, RSA signature will never be the same. Encrypted, doubly so. Rx only has to decode a valid packet (correct encryption was used), check salt and RSA signature (double protection), and check that count is greater than any recieved so far (pre recorded packets won't work).
It's true and the normal way, but I like to find different things and while what you mention and RSA is industry standard the industry is already preparing for the future. Search quantum resistant algorithms, and look for US government or banking
Maybe I misunderstood, the entire project only offers one function for a fully 4 button sender. If this is the case, I would suggest that instead of binary, we use fibonacci number base, 1 2 3 6, if you use this base 1 = 0001, 2 = 0010, 3 = 0100, 4 = 0101, 5 = 0110, 6 = 1000, 7 = 1001, 8= 1010, 9 = 1100, 10 = 1101, 11 = 1110, 12 = 1111 and the last button could be encoded into the last code sent, so you have 12,13,14,15 based on binary coding. If any transmitter sends any numbers above 12 in a sequence, you can lock it up.
I think you understood well. Any changes could be made and that one could easily be added, to make a unique implementation and I encourage people to make changes to keep their own unique setup. I'm not sure you know but you can config to lock up after x unsuccessful attempts so you could tap into that, and repeated last code etc is handled. Tx number is already hashed into the first number sent, eventually I'll hash the button probably into the first number too.
Another great experiment video with shared knowledge! 👍 But this gives me an idea - second remote with rolling code, but working in infrared range.. That will be unseenable by jammer and can be used when jammer activity in area is discovered.. 😂
It's a fact that if you didn't need the range then IR would be a safer solution 🤣
really well done chef, what a technique!!!
Thank you very much
nice plugin and video , thx and greetings from Germany :)
Greetings my German friend. It’s been a long time since I was in Germany, but I remember good times.
It's great to see project progress and updates! 👍
Thank you
Nice video @TheBionicbone ! Couple of ideas of hacking this really quickly and to overcone the "repeating of the same code" protection, based only in video, i.e. without review of the actual code: 1. Capture more than one actual set of codes from the actual sender, then alternate those until they roll over. In addition, you can interleave those with few fake codes too. 2. If only one real set of codes can be captured, simply interleave those with at least one fake code and run the loop until code rolls over. Basically, any system, which have "limited" set of rolling codes, which are being eventually reused, will be vulnerable to replay attack without some additional protection steps being put in place, like: A. Increasing amount of the codes (duh!). B. Increasing the time between futher code match attempts with each unmatched code to prevent fast brute forcing or rolling over. C. Keeping log of let's say 10 to 100 last attempted codes to see if some are being sent repeatedly. D. In conjuction with C. above, consider "blacklisting" valdid codes used out of sequence too many times. E. Using (as an alternative or in conjunction with) the "endless" list of codes by either using a mathematical formula rather than fixed list, or by "recalculating" the list before each reuse by the simple formula. Basic idea is to make the total amount of brute force or replay attack attempts to take very long time to make it impractical to try / use / break the code.
Sorry about the audio sync, thanks to Andrew from Awell Digital channel this has been fixed for the next video.
Nice! 👍 For dealing with interference, just add at the packet end CRC. If received CRC doesn't match calculated value from received packet, receiver just ignores packet all together as faulty and don't even check compatibility with rolling code.. 😉 And waits for new packet.. For remote part - before CRC add in packet button press counter in coded manner (XOR, bit swap etc). Remote will update counter after every button press and send that data in packet. Receiver, after CRC check, first decodes received button press counter data in packet, then according to that data, goes looking in rolling code table. To prevent hacking, button press counter can't be smaller than stored last counter value in receiver, that's mean's - there is no way to reuse old or precisely captured rolling code data, because counting can only go forward until looping.. If button press counter data is smaller than expected, packet will be simply dropped.. For extra safety, button counter data can be added, even in middle of data packet between rolling code data. From theoretical point of view, even if hacker will decode button press data, it can't replicate next parcel, because he don't have rolling code data table, but this add will ensure good remote and receiver synchronization..
@artursmihelsons415 what can I say, great minds think alike. Have a look at the update I have just released :) kzread.info/dash/bejne/dZqBpsOaerTgnMY.html. I have added multiple Rx option, and I've added the Rx number in the exact way you have mentioned for the button (I may do this for the button later). Failed transmissions are a thing of the past, even in high interferance areas. Thanks so much for your great comment and for watching and taking part, it really is appreciated.
Thanks for the follow up. I think program memory is not the main issue with encryption, especially if you - in my opinion - wast memory for the pre-shared generated key tables. You have to spend CPU-cycles and energy for encryption/decryption. I used in an experimental AVR based 433MHz transmitter/receiver ChaCha20-Poly1305 for encryption and integrity. This worked pretty good for these bit-rates.
Thanks for watching and taking the time to comment. Energy is a key factor for me but honestly I don’t have any base to justify that on, maybe one for another video encryption and hash vs recall from memory. I’ve added ESP32 support and will be looking at deep sleep and overall energy usage. I’m still thinking though, better to be 100% not reversible than reversible but encrypted and hashed. Time will tell. Thanks again.
😅thanks for the awesome video!
Glad you liked it!
idea 1: lets say you have a recorder at the door - that pciks up the signals whenever you leave and come back , it would always send open signal and then close signal meaning around 4 requests per day i think you could get the whole code relatively quickly (depending on sizeof rollingCode and sizeofSendingRollingCode ) 🤔 im not a security expert but i think there should be some public/private key involved and some encryption
Thanks for your comment. Can I ask you to check initValue, it applies when sizeOfRollingCode is reached. There is also an update video kzread.info/dash/bejne/iJ2ctphqaMyxgKQ.html which explains the encryption situation
Im just passing by. I havent studied this algorithm. But a it is a testcase perhaps, to consider 20 neighbours having the same locking mechanism - it should not leave the neighbour that happens to be on holiday for some weeks with a locket door.
Thanks for looking. This won’t happen because the qiachip devices have to be paired, Tx to Rx, thus signals from a non paired Tx are ignored. I appreciate your comment though and you having a look.
very interesting stuff
Thanks, your comment is appreciated
I made implementation where i have aes encryption and decryption. I would send random IV unencrypted and send encrypted counter from remote to receiver (with also the command - button click/longpress/dual press etc.). AFAIK sending IV plaintext would not be bad practice. I would always allow higher counter number than the one already sent, so it would never go out of sync and would not allow lower number so it can't be replay attacked. On the remote and receiver side I save counters to eeprom and use rolling location for wear leveling and very high endurance (20+ years having multiple transmissions per day). Only problem I have is that it eats up majority of typical arduinos rom and ram. Your implementation seems far lighter and time will tell if it's secure if more people test and look into it. Thanks for great work.
Thanks for your positive comments, I too intend to use eeprom too, it’s a good point to use rolling location for this.
Thanks for describing this solution. I truly believe the rolling key mechanism is obsolete and not secure. The standard encryption & decryption mechanism from the computer world is a secure solution. Of course, RAM and storage are an issue, but there are dedicated security chips or controllers with hardware assisted encryption modules (many of them out there). The AVR is an old platform now (from 90's). There is nice example of the implementation here ww1.microchip.com/downloads/en/appnotes/atmel-42784-software-library-for-aes-128-encryption-and-decryption-on-megaavr_applicationnote_avr284.pdf
couple years ago i used an RTL dongle from an DVB-T usb-stick (with a RTL2832U chip) for listening to ATC radio using SDR#. Now i am trying to set it up all again, but i cant receive ATC radio (now using the current AIRSPY SDR# software). However, i can receive radio broadcasting (FM). any hint what i am doing wrong? thanks
Did you see my recent video on fine tuning 433MHz signals?
4:05, I hadn't noticed that setting before! Awesome!
@larrybud I’m glad you found the video useful, thanks for watching
@larrybud Oh while I think about it, watch out for the bug , it doesn’t copy MISO over 😁. I keep meaning to report it to siglent
@@TheBionicbone Good to know! Also on EEVBlog, some people had an issue after the latest firmware update. I found a thread on there where decoding wasn't working, and I believe I had the same issue, and for me the problem was whether it would trigger on rising or falling edge. It *seems* that the display would show one thing, but the trigger actually was doing something else. A toggle of that option "reset" that setting so it would work properly. I can't absolutely confirm this is what fixed it for me because once I fixed mine, I can't reproduce the issue again.
Voici les informations dans le menu état système : SDS 1104X-E Ver soft 6.1.37R10 Ver Uboot os 8.3 Ver FPGA 2021-11-08 Ver Hard 01-05 Type prod SDS1204X-E Merci
Super, j'aimerai avec tout ce savoir faire !! Je suis débutant, j'ai installé la dernière version du software : SDS1xx4X-E Firmware (4-Channel Models) -V6.1.37R10 (Release Date 03.30.23 ) mais je n'arrive pas à installer le dernier software : SDS1xx4X-E Operating System -V3 (Only For 4-Channel models) (Release Date 01.04.23 ) est ce normal ? j'ai bien 4 fichiers sur ma clef mais aucun ne se termine par .ADS ou .CFG donc impossible de lancer la mise à jour Si quelqu'un peut m'expliquer doucement ?... Merci
If I recall correctly the new OS is only for certain Hardware versions that need particular support, most of us don’t need it. Looking at your menu, you don’t need it
Bonjour, Merci pour votre retour, de toute façon c'est largement suffisant pour moi Bonne journée ;)@@TheBionicbone
JEU
What happens when you sync the Tx and Rx? Have you looked at the raw frames? Couldn't you use them to know where the code starts from?
I can not see any vulnerability here. Since it is driven from a list of random numbers set by the user rather than a generated next number then the next set of numbers is impossible to reverse engineer and therefore impossible to tell where we are in the list. Also, if it was possible to workout say "in the middle of the list", it still would not help because what comes next is only known by the list in both the Tx and Rx, it can not be calculated.
@@TheBionicbone When you resync them, you don't change the list, right? So it wouldn't be hard to put a receiver near your garage door, register frames passively for a month, then flood it with wrong guesses and force you to resync them. You'll start somewhere in the list and I'll know the next frame from my previous recording.
@@NicksStuff ok I see what you are getting at. At the moment no battery back up, thus power down Rx and we'd have to start again, reset Tx too. Also if you reflashed with "your settings" and did not change your settings or base numbers then it would repeat from the start. If someone had been recording your codes then technically they could start replaying them. With the latest code on each 10 incorrect then it would lock up for 60 seconds, then 120, 240, 480 seconds etc. any codes sent during this time are totally ignored. For clarity a normal code resync moves forward never backwards, so the Rx catches up with the Tx which can only go forward. Eventually, once I start on the text messages part I'll add eeprom, I hope then I'll be able to store how many times the list has been played, then I'll be able to roll the numbers forward and reset back to the correct position and be at the next new numbers. I hope all that makes sense, it does in my head 😁
Nice video an project, THX.
Thank you for a great comment
Rule #1 in cryptography: Don't roll your own! Don't get me wrong, I appreciated and liked the video, but as a demonstration of the basic idea. But for anyone thinking of implementing this: Don't! Use an existing, proven, algorithm!
@Rob_III with the greatest of respect I have to disagree. Let me pose a scenario. If I purchased a Land Rover Discovery today (if I could afford one:) ) then it would be very easy to use a relay attack and steal it, crime stats and LR insurance increase demonstrate how many are being stolen. If I somehow disabled LR protection and used mine own method in a different way to unlock the car, how long would thieves hang around trying a relay attack before moving on to an easier target? My point is, the uniqueness of my design and allowing each to be different in list of codes, init-value (which is only apply once the list is used not every time), the number of codes to make a full sequence, all mean end users can make their system unique and this in itself (in my opinion) is the best security of all.
Hi@@TheBionicbone, thanks for your reply in the first place! I disagree though. What you're describing (look it up on Wikipedia) is "Security through obscurity". The best cryptographic algorithms are open and reviewed by cryptanalysts. I wish I could post a bunch of links, but I highly recommend you also google "cryptography don't roll your own". Ofcourse, if you implement your idea as a "one off" then most likely thieves won't hang around for long to try and figure it out; however, if your method is being used more and more widely you can bet that someone is going to figure out some (maybe sidechannel-)attack on your algorithm and break it wide open.
Like Microchip did (Keeloq), 😆?
I have written my own algorithm and no one knows what it is. Without me telling someone the method it's even less likely someone can hack it. I generate my own unique key and use no ones algorithm, only my very own and I'd love to see someone hack it without looking at my code because I personally doubt looking at the encrypted text anyone could make any s3nse of it. I tried to hack it with a few known methods and those all fail because those are known methods. Just my 2c.
@@newmonengineeringAgain: This is "Security through obscurity". Are you using a CSRNG or a PRNG? Are you using constant-time comparison or are you vulnerable to side-channel attacks like a timing attack? Are you a cryptography expert or are you just "making things very complicated so someone will never be able to hack my system"? Again, and this has been proven time-and-again: When it comes to security the adage is, for good reason: Don't roll your own. If you think you can do better than proven algorithms then you **should** be able to tell someone how yours works and **still** be safe. Because, at one point or another, a determined attacker, **will** get a hold of your code (maybe not in source code form but in binary form) and **will** be able to reverse engineer it. You are going to have to assume that and if not, and your code relies on someone not having access to the code you've already lost. Now, an attacker may not be interested in hacking a one-off, it may not be worth the time or effort, but if your algorithm is going to be used at scale, you can bet your behind your algorithm is going to fail unless reviewed by cryptanalysts at the very least.
You don't necessarily need to *store* many codes for your sequence. You can use a seed for a pseudo random number generator. If both Rx and Tx use the same pseudo random number generator and the same seed/salt then they can programmatically follow the same sequence without needing to store a large lookup table. Also look in to shared secrets, HMAC and Rolljam vulnerability. Also, multiple failed codes should cause a progressively longer timed lockout. This makes it much more difficult for a brute force attack to succeed within a time frame acceptable to the attacker.
Thanks for commenting. The idea of storing the random numbers is to remove the predictability of the next code and eliminate any reverse engineering by capturing a few codes. Although for the next loop I do intend to reseed the numbers so they don’t repeat, but again the hacker would be unaware of when that happens since it will not be after every transmission. I like to think of it as using spare memory, while adding security and challengeing the current methods. I like the time out idea I may use that as well as lock out after 10 unsuccessful attempts. RollJam is also on the hit list but this need/may need different Tx/Rx device, if possible I'd really like to make a vibrating Tx Fob in the event RollJamming is detected, but lets see how far I get based on end user interest.
@@TheBionicbone That is a non issue if you use encryption. The common vulnerability to fix is guarding against rolljam attacks which can only be done with embedding a timestamp. Any other rolling code is going to be susceptible to rolljams and replay attacks too triggered when not in range.