Let me share with you some interesting findings around hopping codes and a big question I could not find an answer to it.
My garage door remote key fob almost broke today so i decided I needed a replacement. I soon realized that original replacement fobs are so hell expensive that it's not even funny. They charge 40+ pounds for something that's done in China for $1.5 a piece. I decided that's not going to be the way to go.
And so my research started.
There some "universal learning" remotes on ebay, but they state they can't learn "rolling codes". So I had to figure out, what do I have. Little did I know why would that be good or bad to have at that time.
After some hours of research it became clear that my device (Marantec) utilizes a "fixed code" remote protocol. At first I was happy, I thought I could order a cheap replacement from ebay.
However, during the research I also realized that having a fixed-code remote is not exactly secure to have these days, becase those are susceptible to replay attacks - someone "records" your remote's signal, and then replays it when you're away -> your garage door is open. Fixed code remotes are long history in the automotive sector because of easy theft. The new favourite are the "rolling" or "hopping" code systems that should be resitant to replay attacks. The majority of the manufacturer's use a solution called KeeLoq
Anyway, apparently having a rolling-code remote is much better than a fixed code, or so I thought. At least they can't be copied by simple learning key fobs. So I started to think about an upgrade.
BTW: as it turned out, all Marantec devices are fixed code. And guess what? They're HOMELINK compatible.
You surely know, but just for the sake of completeness, HOMELINK is a system that can copy fixed and/or rolling code key fobs and make them available in your car. I became intrigued. How does it copy a rolling code system? I thought it's not possible. I started to dwell into the details of KeeLoq:
and the attacks:
Defense against KeeLoq attacks
To sum up, it's now possible to retrieve the "master key" from the receiver and once you have it, it's very easy to fake any device from that given manufacturer. This master key is the root of all keys. You must know this key to "learn" or fake a new transmitter.
So I put the facts together:
1. If you want to learn rolling-codes, you must know the master key for that given manufacturer.
2. Homelink can learn all kinds of rolling-codes from all kinds of manufacturers (listed on their website).
=> Does this mean that HOMELINK transcievers contain all the master-keys of all the "compatible manufacturer brands"??? Does this also mean that if we crack a homelink device from an elder car, or a Homelink visor we will have all the master-codes? And if we have it, we can open all the garage doors in Europe with just 2 packets captured? If this assumption is really true then we just gave the thiefs our keys willingly.
This seems indeed dire. Imagine, if there was a device that contained all the master keys for automobile manufacturers for KeeLoq...
So... If there's someone knowledgeable in Homelink, please shed a light into how it is able to learn the rolling codes? How is it able to construct the encryption keys without knowing the master keys? And why is it, that only HomeLink transceivers can learn rolling codes and other "universal remotes" not?
By the way, do you know any alternative algorithms to KeeLoq that would be more secure? Are there encoder keyfobs/decoder modules publicly available? If yes, please post some infos/links.