Car (Key) Hacking (Not Really)

Step Zero: Recon

Step One: Getting a Trace

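#define FOB_PIN A0

// Open the serial link and put the ADC into free-running, interrupt-driven
// sampling. Register names follow the ATmega328P-style ADC; the page does not
// name the board, so confirm against the datasheet for the part in use.
void setup() {
  Serial.begin(115200);
  pinMode(FOB_PIN, INPUT);

  // ADEN enables the ADC, ADATE auto-triggers the next conversion, and ADPS2
  // alone selects the /16 clock prescaler.
  ADCSRA = (1 << ADEN) | (1 << ADATE) | (1 << ADPS2);
  // Trigger-source bits cleared: free-running mode.
  ADCSRB = 0;
  // REFS0 selects AVcc as the reference. The channel-select bits stay 0, so
  // the ADC samples channel 0 regardless of what FOB_PIN is defined as;
  // FOB_PIN only affects the pinMode() call above.
  ADMUX = 1 << REFS0;

  // Enable the conversion-complete interrupt, then start the first conversion.
  ADCSRA |= 1 << ADIE;
  ADCSRA |= 1 << ADSC;
}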
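// ADC conversion-complete handler: prints "<micros>, <sample>;" for each
// finished conversion.
//
// The avr-libc vector name is ADC_vect (lower-case 'v'). A misspelt vector
// name only produces a compiler warning and leaves the real vector
// unhandled, so the handler would never run.
ISR(ADC_vect) {
  // The low byte has to be read first: reading ADCL latches the result until
  // ADCH is read. Two separate statements fix that order, which a single
  // `ADCL | (ADCH << 8)` expression does not guarantee.
  const unsigned char low = ADCL;
  const unsigned char high = ADCH;

  // NOTE(review): serial output from inside an ISR takes far longer than one
  // conversion at this prescaler, so the printed timestamps are presumably
  // paced by the UART rather than by the ADC. Confirm before trusting the
  // sample spacing.
  Serial.print(micros());
  Serial.print(", ");
  Serial.print(low | (high << 8));
  Serial.println(";");
}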
// Intentionally empty: sampling and printing are driven by the ADC interrupt.
void loop()
{
}
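#define FOB_PIN 3

// ... setup() is elided in the original listing ...

// Polls the fob line as a digital input and prints "<micros>, <level>;" on
// every pass. The sample rate is therefore bounded by how long the four
// Serial calls take.
void loop() {
  Serial.print(micros());
  Serial.print(", ");
  Serial.print(digitalRead(FOB_PIN));
  Serial.println(";");
}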
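#define NSAMPLES 256
#define FOB_PIN 3

// Ring buffer of intervals between successive edges on the fob line, filled
// by the pin-change ISR and drained by loop(). Everything shared between the
// ISR and loop() is volatile so the compiler re-reads it on every access.
// NOTE(review): unsigned int is 16 bits on 8-bit AVR, so an interval longer
// than 65535 microseconds wraps when it is stored.
volatile unsigned int timeDiffs[NSAMPLES];
unsigned long lastTime = 0, currTime;
// 8-bit indices wrap at 256 on their own, which matches NSAMPLES.
volatile unsigned char prodIdx = 0, consIdx = 0;

// Open the serial link and enable the pin-change interrupt for the fob pin.
void setup() {
  Serial.begin(115200);
  pinMode(FOB_PIN, INPUT);

  cli();  // no interrupts while the pin-change registers are being changed
  PCICR |= 4;             // turn on PC interrupts for port d
  PCMSK2 = 1 << FOB_PIN;  // enable PC interrupts for pin 3 (was the undeclared `fobPin`)
  sei();
}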
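// Pin-change handler for port D: stores the time since the previous edge in
// the ring buffer, or stops capturing once the buffer is full.
ISR(PCINT2_vect) {
  // With 8-bit indices over a 256-entry buffer, "256 pending" cannot be told
  // apart from "0 pending": the promoted difference prodIdx - consIdx never
  // equals NSAMPLES, so that comparison could never fire. Narrow the
  // difference back to 8 bits and keep one slot free, so a full buffer is
  // NSAMPLES - 1 pending entries.
  const unsigned char pending = static_cast<unsigned char>(prodIdx - consIdx);
  if (pending == NSAMPLES - 1) {
    Serial.println("dropped sample!");
    PCICR &= ~4;  // disable PC interrupts (clear the bit rather than toggle it)
    return;
  }

  currTime = micros();
  // NOTE(review): the difference is narrowed to the element type of
  // timeDiffs, so long gaps between edges wrap.
  timeDiffs[prodIdx] = currTime - lastTime;
  lastTime = currTime;

  ++prodIdx;
}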
// Consumer side of the ring buffer: prints at most one stored interval per
// pass and advances the read index.
// NOTE(review): prodIdx and timeDiffs are written by the pin-change ISR, so
// their declarations need to be volatile for these reads to be reliable.
void loop() {
  const bool bufferEmpty = (prodIdx == consIdx);
  if (bufferEmpty) {
    return;  // nothing produced yet
  }

  Serial.println(timeDiffs[consIdx]);
  ++consIdx;
}

The Same Thing But Now With RF

Trying (and failing) to Get the Key
