KeeLoq Remote Keyless Entry systems make use of radio frequency transmissions to operate and have many known weaknesses. A 64-bit manufacturer key is used in transmissions to encrypt an incrementing transmission sequence number in order to provide replay protection. This presentation is a journey into bringing existing research together to make Keeloq attacks practical, ultimately repurposing a commercial receiver as part of a home automation system integration project.
I will demonstrate how I recovered the manufacturer key by extracting and reverse engineering the receiver’s firmware using a JTAG adapter and Ghidra.
Next, I will cover decoding and decrypting the KeeLoq transmissions (verified using a logic analyzer), cloning the captured serial and sequence numbers to a new transmitter, and finally, how to export the received transmissions to a home automation system via an add-on WiFi-capable microcontroller.