diff --git a/content/posts/nissan-keyfob/index.md b/content/posts/nissan-keyfob/index.md new file mode 100644 index 0000000..ccae5bc --- /dev/null +++ b/content/posts/nissan-keyfob/index.md 
@@ -0,0 +1,141 @@ +--- +title: "Analysis of a 2005 Nissan Altima Remote Keyfob" +date: "2021-01-08" +author: "William Floyd" +featured_image: "media/fob/closed.jpg" +categories: [ + "Hardware", + "Electronics", + "Hacking", + "SDR", + "Automotive", + "RF" +] +tags: [ + "Nissan", + "Altima", + "Wireless", + "315MHz" +] +--- + +I got my first car a few months ago - a decidedly beat up North American 2005 Nissan Altima. +It came with a remote keyfob, but something was shorting internally, and the battery would drain within a matter of hours. +I ordered a two-pack of aftermarket fobs from Amazon, paired them no problem, and that was that. + +After a while though, I got to thinking, how might I connect my car to my Home Assistant system? +I am reluctant to tap into the CAN bus directly, so instead I am going to investigate utilizing the same method as my remote fob. Specifically, I want to program my own "fob" using an Arduino and a RF transmitter (spoiler: I cannot, at least for now). + +*** + +# The Hardware + +[![Opened remote](media/fob/opened.jpg)](media/src/fob/opened.jpg) + +While I may analyze the original fob at some point, for the time being I shall work from the aftermarket fob. +Opening the casing reveals a rather simple circuit ([front](media/fob/pcb_front.jpg), [back](media/fob/pcb_back.jpg)) - battery contacts, four buttons, a smattering of passives, an oscillator, the main control chip, 8 test points, and an antenna trace running around the perimeter of the PCB. + +[![Closeup](media/fob/closeup.jpg)](media/src/fob/closeup.jpg) + +Rather unhelpfully, the control IC is unmarked, so either I'll need to wait until I can look at the original fob to find any clues, or try to find what I need online. + +As a note, it should be easy enough for me to replace the buttons with an electrical solution controlled by an ESP8266 or similar - I may end up doing this some day. +For the time being, however, I have nothing to glean from the hardware in my fob. 
+ +# Research + +A quick look at the Amazon listing for my fob already tells me what models of fobs it replaces: KBRASTU15, CWTWB1U758, and CWTWB1U821. +Matching other listings, my specific model is the KBRASTU15. +This is actually an FCC ID, so that's my next lead. + +This [fccid.io](https://fccid.io/KBRASTU15) listing is a rather useful, providing original FCC images and documents. +Unfortunately, the [internal images](https://fccid.io/KBRASTU15/Internal-Photos/Internal-Photos-140601.pdf) are low enough resolution to prevent reading the IC silkscreen. +Interestingly, the aftermarket fob has a small fraction of the part count of the original fob, while still functioning perfectly. +The most useful available document is the [Technical Description](https://fccid.io/KBRASTU15/Operational-Description/Technical-Description-139545.pdf). +This is where we start to get somewhere. + +In essence, the fob emits a wakeup sequence 'A', followed by sequence 'B' repeated as long as the button is pressed. +The structure of these sequences is also described - sufficient to say, it uses a rolling code system. +Importantly for my analysis, the encoding method of the signal is given (though interestingly their diagram annotations seems to be incorrect). + +With this information in hand, I ordered a cheap RTL-SDR (a Nooelec NESDR Mini 2+). + +# SDR Analysis + +[![4 Presses of the Locking Key](media/4_locks.png)](media/4_locks.png) + +The radio, being a North American model, operates at 315MHz. +Using Universal [Radio Hacker](https://github.com/jopohl/urh), I began capturing examples of locking and unlocking signals. +Using the software is outside the scope of this post, but I found some YouTube videos by the software author that proved to be useful - it's not hard to learn to use. + +Ultimately, I ended up trimming down 4 'B' sequences each of locking and unlocking (that is, different presses, not repeats during the same press). 
+I also opted not to include the preamble and header of these 'B' sequences, as these are the same for any fob and include no actual information. + +The resulting signals varied in length and followed no apparent repeating format - this is where the encoding scheme described in the FCC documents comes in. +Fortunately, URH allows specifying and chaining encoding schemes, as well as calling external software to decode the data. +As I am not dealing with a large amount of data, I wrote a quick bash script to decode the data: + +```bash +#!/bin/bash + +lc='' + +while IFS= read -r -n1 c; do + + if [ "${c}" == '' ]; then + break + fi + + if [ "${c}" != "${lc}" ] && [ "${lc}" != '' ]; then + echo -n "${lc}" # Deal with the last character + lc="${c}" + elif [ "${lc}" == "${c}" ]; then + if [ "${c}" == '0' ]; then + echo -n '1' + else + echo -n '0' + fi + lc='' + elif [ "${lc}" == '' ]; then + lc="${c}" + fi + +done <<<"${1}" + +exit + +``` + +This does the trick, and all the data has a uniform length of 67 bits. +While the document specifies 66 bits, perhaps the aftermarket keyfob adds an extra bit. +In any case, this extra trailing bit is always 0. + +Finally we have something like this: + +[![Decoded data](media/decoded.png)](media/decoded.png) + +The top four entries are when locking, the bottom four when unlocking. +The highlighted segments from left to right, as per the technical document, are: +* encrypt +* serial number +* function code +* verify code + +It can easily be seen how the intent of the button press is not encrypted, but is part of the function code near the end. +Also, the serial is correctly defined, as it does not change at any point. +I am not sure what the verify bits are present for - perhaps if an error occurs the encoding scheme would result in a non 0 result (though this is purely speculation). + +What we know now is that the keyfob does indeed use a rolling code algorithm, though not which one (web searches do not seem to specify). 
+ +# More Research + +I do not have access to the original keyfob at this time, so some image searching may be in order. +Several leads appeared: +[![Different model fob with same compatibility](media/research/alt_1.jpg)](media/research/alt_1.jpg) +[![Pre-owned OEM fob](media/research/alt_2.jpg)](media/research/alt_2.jpg) +[![Similar model to mine](media/research/alt_3.jpg)](media/research/alt_3.jpg) + +None of them appear especially legible, so the first thing I can do is compare the logo on the OEM fob to existing rolling code chip manufacturers. +As it happens, Microchip is the company in question, producing the widely documented Keeloq product line ((leaked spec sheet)[http://keeloq.narod.ru/decryption.pdf]). +Looking at their product lines, it becomes clear that the original fob used the HCS361 chip. +My aftermarket chips must be using a knockoff or unmarked version of this. \ No newline at end of file diff --git a/content/posts/nissan-keyfob/media/4_locks.png b/content/posts/nissan-keyfob/media/4_locks.png new file mode 100644 index 0000000..777fb0c --- /dev/null +++ b/content/posts/nissan-keyfob/media/4_locks.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:44bf8983131f719430c0f610070fd0876a357724d40e9c56178ac0923bcbe67d +size 4722 diff --git a/content/posts/nissan-keyfob/media/decoded.png b/content/posts/nissan-keyfob/media/decoded.png new file mode 100644 index 0000000..bed8499 --- /dev/null +++ b/content/posts/nissan-keyfob/media/decoded.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aa28c9af09706b2a8883abd18f61feeab0ae5cde46de58c23c7ade69aafbecf5 +size 22557 diff --git a/content/posts/nissan-keyfob/media/fob/closed.jpg b/content/posts/nissan-keyfob/media/fob/closed.jpg new file mode 100644 index 0000000..43962c7 --- /dev/null +++ b/content/posts/nissan-keyfob/media/fob/closed.jpg 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:34c85b97150781d666ef3195530dc7b7f308f42303ca400217330422c972f10f +size 37154 diff --git a/content/posts/nissan-keyfob/media/fob/closeup.jpg b/content/posts/nissan-keyfob/media/fob/closeup.jpg new file mode 100644 index 0000000..f089b6e --- /dev/null +++ b/content/posts/nissan-keyfob/media/fob/closeup.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e14a8a063de48df6476f8c82051c7f4ff367f37a89438267c729a802183104a1 +size 51663 diff --git a/content/posts/nissan-keyfob/media/fob/opened.jpg b/content/posts/nissan-keyfob/media/fob/opened.jpg new file mode 100644 index 0000000..9343553 --- /dev/null +++ b/content/posts/nissan-keyfob/media/fob/opened.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e5ec2d419b1758f65e3ff13e367b7afcf29e5d82c9a670b65291a2a956e60b57 +size 44796 diff --git a/content/posts/nissan-keyfob/media/fob/pcb_back.jpg b/content/posts/nissan-keyfob/media/fob/pcb_back.jpg new file mode 100644 index 0000000..8d1b5db --- /dev/null +++ b/content/posts/nissan-keyfob/media/fob/pcb_back.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:93587c889ed50d6e2cdd3f8bc682c5c67fd1a804014a95e197f63bf0c0ec3e69 +size 32277 diff --git a/content/posts/nissan-keyfob/media/fob/pcb_front.jpg b/content/posts/nissan-keyfob/media/fob/pcb_front.jpg new file mode 100644 index 0000000..fc8fb83 --- /dev/null +++ b/content/posts/nissan-keyfob/media/fob/pcb_front.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d43a5b60a84ab2b73f07803a7da84deb7e9475a2c3a1a3b6c13e4984a1d24a55 +size 35815 diff --git a/content/posts/nissan-keyfob/media/research/alt_1.jpg b/content/posts/nissan-keyfob/media/research/alt_1.jpg new file mode 100644 index 0000000..435531e --- /dev/null +++ b/content/posts/nissan-keyfob/media/research/alt_1.jpg 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:25a915c60cd18c1def32b8f1eac1b76d7139b9e33c30f497cf3215e9b8fc6c52 +size 179518 diff --git a/content/posts/nissan-keyfob/media/research/alt_2.jpg b/content/posts/nissan-keyfob/media/research/alt_2.jpg new file mode 100644 index 0000000..ba559ef --- /dev/null +++ b/content/posts/nissan-keyfob/media/research/alt_2.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:31d65d42fb78069eadf27bc3c29f3ab1085a962a7d9a62a9c1b33476466cc243 +size 82970 diff --git a/content/posts/nissan-keyfob/media/research/alt_3.jpg b/content/posts/nissan-keyfob/media/research/alt_3.jpg new file mode 100644 index 0000000..0f9c5bf --- /dev/null +++ b/content/posts/nissan-keyfob/media/research/alt_3.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c9a7e28ad4ee1e913ab18fe86168f4c4d6f5132dfc200c1c38d2ffdf6713b701 +size 84108 diff --git a/content/posts/nissan-keyfob/media/src/.env b/content/posts/nissan-keyfob/media/src/.env new file mode 100644 index 0000000..a978f19 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/.env @@ -0,0 +1 @@ +PNG_OPTIMIZE=true \ No newline at end of file diff --git a/content/posts/nissan-keyfob/media/src/4_locks.png b/content/posts/nissan-keyfob/media/src/4_locks.png new file mode 100644 index 0000000..30c8186 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/4_locks.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:90327d98aedf9d44717caff2206c969621f12e8658ea63a8ff62f2d32111f4b1 +size 10206 diff --git a/content/posts/nissan-keyfob/media/src/4_locks.png.hash b/content/posts/nissan-keyfob/media/src/4_locks.png.hash new file mode 100644 index 0000000..417cc1e --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/4_locks.png.hash @@ -0,0 +1 @@ +45780075c0373b5de461166eeae4f2d5 
diff --git a/content/posts/nissan-keyfob/media/src/decoded.png b/content/posts/nissan-keyfob/media/src/decoded.png new file mode 100644 index 0000000..337309c --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/decoded.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b3e0e596841e6b66de657a606a1d78a6021eec7ce425474a0a5da47adf725209 +size 28157 diff --git a/content/posts/nissan-keyfob/media/src/decoded.png.hash b/content/posts/nissan-keyfob/media/src/decoded.png.hash new file mode 100644 index 0000000..525cd67 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/decoded.png.hash @@ -0,0 +1 @@ +d882707b0489e5dfe49d6c0b511dfac4 diff --git a/content/posts/nissan-keyfob/media/src/fob/closed.jpg b/content/posts/nissan-keyfob/media/src/fob/closed.jpg new file mode 100644 index 0000000..1b42232 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/closed.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1f4fac1f4cc2bc0838b9a2804058c1bba9c7f0ea8224d02131cd34e46fd89a76 +size 2458558 diff --git a/content/posts/nissan-keyfob/media/src/fob/closed.jpg.hash b/content/posts/nissan-keyfob/media/src/fob/closed.jpg.hash new file mode 100644 index 0000000..294b086 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/closed.jpg.hash @@ -0,0 +1 @@ +2c10e1f0b80580f2b2ba98a7786d61d0 diff --git a/content/posts/nissan-keyfob/media/src/fob/closeup.jpg b/content/posts/nissan-keyfob/media/src/fob/closeup.jpg new file mode 100644 index 0000000..17be088 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/closeup.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c4f77430f480be6d26ebaec6f808cf01a01ad6f7f0640747a7d73e9047e9103a +size 2541377 diff --git a/content/posts/nissan-keyfob/media/src/fob/closeup.jpg.hash b/content/posts/nissan-keyfob/media/src/fob/closeup.jpg.hash new file mode 100644 index 0000000..f1f4d08 --- /dev/null 
+++ b/content/posts/nissan-keyfob/media/src/fob/closeup.jpg.hash @@ -0,0 +1 @@ +d0d40010aa70ac331725b3ba0b40a9fa diff --git a/content/posts/nissan-keyfob/media/src/fob/opened.jpg b/content/posts/nissan-keyfob/media/src/fob/opened.jpg new file mode 100644 index 0000000..abb98e1 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/opened.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:024f084a787305852a11a12d14cdda7d9cf8af2e9f71b18f34e9fec582eb8338 +size 2520176 diff --git a/content/posts/nissan-keyfob/media/src/fob/opened.jpg.hash b/content/posts/nissan-keyfob/media/src/fob/opened.jpg.hash new file mode 100644 index 0000000..a0b41ad --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/opened.jpg.hash @@ -0,0 +1 @@ +38ea70fb8046f20af6c701be90183bae diff --git a/content/posts/nissan-keyfob/media/src/fob/pcb_back.jpg b/content/posts/nissan-keyfob/media/src/fob/pcb_back.jpg new file mode 100644 index 0000000..2747393 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/pcb_back.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:afc70679687dc5a65772fee6a2703e3c1922db1f3fb289c6d6f77f473009e2df +size 2030729 diff --git a/content/posts/nissan-keyfob/media/src/fob/pcb_back.jpg.hash b/content/posts/nissan-keyfob/media/src/fob/pcb_back.jpg.hash new file mode 100644 index 0000000..64c17ea --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/pcb_back.jpg.hash @@ -0,0 +1 @@ +15d568259ebd4d3b109f7a48e9fc3f75 diff --git a/content/posts/nissan-keyfob/media/src/fob/pcb_front.jpg b/content/posts/nissan-keyfob/media/src/fob/pcb_front.jpg new file mode 100644 index 0000000..9790f23 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/pcb_front.jpg @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:56c7fcb15a5b99049d817d7f3e3375a2e2060fe93fbd81ed2cb8c853b46f0d9c +size 2228816 
diff --git a/content/posts/nissan-keyfob/media/src/fob/pcb_front.jpg.hash b/content/posts/nissan-keyfob/media/src/fob/pcb_front.jpg.hash new file mode 100644 index 0000000..93bf253 --- /dev/null +++ b/content/posts/nissan-keyfob/media/src/fob/pcb_front.jpg.hash @@ -0,0 +1 @@ +60b63f29468d759916b592856d84e244
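Review bot: in the bash decoder inside the `index.md` hunk, the branch `echo -n "${lc}" # Deal with the last character` does not do what its comment says: it fires whenever two adjacent input symbols differ mid-stream and emits the buffered symbol `lc` verbatim, undecoded, while the matched-pair branch (`00` -> `1`, `11` -> `0`) is the only one that actually decodes; the comment should describe that, and the unpaired case deserves either a warning on stderr or an explicit decision. Related: at end of input a symbol still held in `lc` is silently dropped, `[ "${c}" == '' ]` is clearer as `[ -z "${c}" ]`, and the trailing `exit` is redundant. Since the prose in the same hunk reports 67 decoded bits against the document's 66 with the extra bit always 0, it is worth checking whether that bit is produced by the raw-emit branch or the final symbol of the trimmed capture rather than by the fob before attributing it to the aftermarket hardware. Two text fixes in this hunk: `(leaked spec sheet)[http://keeloq.narod.ru/decryption.pdf]` has the markdown link syntax reversed and should read `[leaked spec sheet](http://keeloq.narod.ru/decryption.pdf)`, and "This fccid.io listing is a rather useful" / "their diagram annotations seems" should be "is rather useful" / "annotations seem".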
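Review bot: the `media/src/.env` hunk (`PNG_OPTIMIZE=true`, committed without a trailing newline) and the `*.hash` sidecar hunks next to each `media/src` original (one 32-hex-character line each, such as the `4_locks.png.hash` file) look like state written by an image-optimisation step rather than post content; if a build tool regenerates them, add them to `.gitignore` so they do not churn with every image edit, and if they must be tracked, document which tool reads them. The full-resolution originals under `media/src` are the 2 MB-plus LFS objects the post's thumbnails link to, so they are needed; the sidecars are the only part of this region that should be reconsidered.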