Help relaying 125khz

Hello everyone, new user here!

I am looking to replicate a device for a uni assignment I have coming up on automotive vehicle security.

I am looking for a device/device(s) which can ultimately simulate a MITM scenario on passive vehicular keyless entry.

I have been trying to perform this scenario with an Arduino to no avail.

I require items to sniff LF PKES (125 kHz) data and relay it via radio/WiFi to a second box. The items need to be somewhat ‘trunked’.

The scenario goes:

Read 125 kHz LF data from the vehicle door > relay the data (analog or digital) to a second box in proximity of the keyfob matching the vehicle. As it goes, apparently the car sends a triggered LF signal in search of the keyfob; as the keyfob is out of vehicle range, I need to repeat/amplify/extend this signal to a second device in proximity of the keyfob, which will then reply with a UHF signal over 433 MHz. Was looking at bee devices; I require more help in the area. Can provide the project outline from my university regarding this.

Do you have items that match these criteria? I have 3 weeks till the deadline and am struggling with this. Any help is greatly appreciated. If you have these products, please forward information (price, shipping ETA to Sydney, AUS, etc.) at your earliest convenience.

In my inventory I do have a few RTL-SDRs, a Ham It Up converter and a Proxmark.

Any help is appreciated - from what I’ve read, the cryptographic keys/mechanisms do not need to be demodulated and can be forwarded/repeated/amplified in their analog entirety.

Kind regards

Some ideas that have come to fruit would possibly be 2 x Pis running in ad hoc mode with a transparent UDP/FTP local proxy and ADCs at either end, or

an XBee mesh system with a bidirectional ADC at each end node.

Am stumped. Not looking to ‘hack’ or try to decipher any cryptography or so on, just looking to relay an analog signal in its entirety over a longer than preconfigured distance.

As cost is an important factor (I’m only a student), I would like to know from higher skilled makers if I’m in the ballpark etc. before I lay down some dosh on some components, and kindly ask for a heads up if not.

Full transparency: in no way, shape or form have I the slightest clue when it comes to RF/radio.

Hi Kris,

I’m not too versed in RF either, but I think I understand what you’re looking to do: take a signal, digitise it, send that, and convert it back to analog at the other end.

This is quite the task! You’ll need a high-speed ADC/DAC (with a sample rate of somewhere around 10x or more of your highest frequency if you care about what your waveform looks like; more is better here).

As you can see, chips like these are generally not found on breakout boards, and are expensive.

Then comes the challenge of sending data at 32 Mbit/s (2 MSPS, for example, for 20x carrier freq * 16-bit depth + overhead) or higher. Generally, high-frequency microwave links are needed for this.

Also, the PKES may expect a response within a certain time frame. Your system may introduce enough latency for it to figure out what’s happening.

If you’ve got SDRs that are happy to talk USB3 or the like (moves stuff in the gigabits/s) and a capable wireless link, and no latency requirements for your PKES, maybe you’ll be able to pull this off, but it’s certainly more than I could accomplish in 3 weeks.

I truly hope you pull this off! Hopefully some of our more radio-minded community members can chime in on this one, maybe an RF-amplifier-based repeater solution could work? Again, not my strong suit by far.

Any reason why you don’t just figure out the modulation algorithm used so you can relay the slow digital info (this would be a lot easier I imagine)? If you’ve got SDRs already, you might have all you need to inspect the signal up close in your own time.

Hi all,
Just another small spanner maybe. Or another important consideration.
Licensing. Any RF systems used would have to be of the licence-free variety, which have frequency band(s) and power limitations.
On a happier note all commercially available (like the 433MHz TX/RX) equipment or bits SHOULD satisfy these requirements.

That is a bit of an understatement.
Cheers Bob

Interesting challenge. I found this link which looks like the scenario you outline. They simply relayed the analog data using a 2.4 GHz link (doesn’t require a licence, and is capable of a 125 kHz bandwidth) to the key. Any attempt to decode the data, e.g. to relay on a 433 MHz link, introduces delays and may be detected by the LF sender and so ignored. I skimmed the article, so it may not be useful to you. Be interested in your progress.

Hi all,

One downside to 2.4 GHz could be interference. There are a number of things using this frequency range, the most significant being WiFi. Microwave ovens also, but although the power is upward of 1 kW, the oven screening is pretty good and not much gets out. WiFi, on the other hand, is designed to get out or transmit, otherwise it would not work very well.
As a practical example, I have a wireless (2.4 GHz) reversing camera system comprising a low power TX at the rear and an RX at the front of the vehicle. Every time I reverse out of my driveway I get exactly the same interference at the same point of travel, so I put that down to my own WiFi and that on either side of me. I live with that as it is really very little bother and nothing can be done about it anyway. But it could be a problem in Kris’ application.
Cheers Bob

Hello! Did you achieve something with this project?

Hey Putz,

Haven’t seen any related posts to this since early last year.

However, with that being said, breaking or exploiting an RF authentication system that uses rolling codes (usually by scrambling the incoming signal and sniffing the packet for later replication, known as a Relay Attack rather than a classic MITM, which occurs in real time), even if in a legal RF band, is still a little grey on how it falls under the Radiocommunications Act 1992 as well as revisions to Part 6 of the Crimes Act 1900, which covers unauthorised access to digital systems, not to mention being intentionally quite difficult to do.

Cybercrimes including radiocommunication disruption (even if it is performed accidentally or for ethical purposes) are often both difficult to prosecute and to defend. Long story short, if unsure about how a system you’re attempting to compromise works, and more importantly how it could affect nearby unrelated systems, it is best to keep the exercises on paper until confirmed.

However, for the purposes of understanding how these attacks work from a red team perspective (and more importantly how it is defended against), a software defined radio is essentially used to block some legitimate access requests, while also capturing the next sequences (that are using some form of “hopefully” forward secure rolling encryption) and replaying them to bypass the fact that each sequence used to unlock the vehicle should be both unique and unpredictable.

However, if you capture enough packets and can determine what algorithm is being used to perform the encryption, you may be able to predict what future valid responses may be and send those instead of captured messages (hopefully, this should be practically impossible).

This would have been a fairly exciting exercise for a uni course. I’m curious what campus and discipline this was for; I hope it went well!

Hi James,
Just noticed this reappear in an old thread (Oct ’22).

It is the “Send that” bit that HAS to be analog. Try poking some up and down DC (data) into the end of a piece of wire and see how far it gets. To the end of the wire if you are lucky.

Think about it. There is no such thing as “digital” Radio. The Radio bit is analog, there are digital techniques in the modulation process but that is where it ends. The “radio” bit has to be analog.
Cheers Bob