Open to full-time pentesting opportunities & freelance engagements

whoami

Contact: 863-230-3028
Location: Florida, United States
~~~~~~~~~~~~~~~~~~~~~~~~
Hello, and welcome to my website. My name is Ryan.

This site serves as the following:

– My professional & comprehensive resume.
– A public blog of my continuous journey in the cybersecurity field, with a major focus on Red Team tactics.
~~~~~~~~~~~~~~~~~~~~~~~~
Tap or click here to see my certifications, experience, & education as a single PDF file

Please use the methods I’ve provided on this site to make initial contact with me.

Rolling Key Code

Nov 15, 2021 | Pentesting

Practicing some tactics to abuse Rolling Key Code (RKC, more commonly called a rolling or hopping code) and replay an RF signal to unlock a vehicle. FYI, there is nothing wrong with this vehicle's security system or its RKC implementation. It used to be that key fobs would always send the same message to the vehicle: the button that pops the trunk had its own fixed message, the unlock button had its own, and so on for the other buttons. That made them easy to hack with a replay of the captured RF signal. Rolling Key Code is the answer to that problem and has been in use on all modern vehicles for quite some time now. Vehicles from the 90s and before may still be vulnerable to replay attacks, though.

So what’s going on in this video then?

The trick to stealing a usable RKC is that the receiver inside the vehicle MUST NOT "hear" the signal when a button on the key fob is pressed, because a received valid code is what makes the RKC roll forward. The key fob and the receiver were paired with a shared secret and a synchronized counter, and both run the same algorithm to derive one-time-use codes from them; every button press advances the fob's counter whether or not the vehicle hears it.

So, to exploit RKC, one must capture the signal from a key fob while preventing that signal from reaching the vehicle. When the vehicle later gets the replayed message from you, it is still valid, but it is also one-time use, so it is a one-and-done situation. Also, any time the key fob transmits and the vehicle receives the signal, the RKC moves ahead to that latest code, and the bad actor's captured signal is now behind in the sequence, making it invalid.
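To make the counter behaviour concrete, here is a small Python simulation of a rolling-code fob and receiver. It is an added example written for this page, not code from the post or from any real key-fob product; the HMAC-based code derivation, the 16-code acceptance window, the shared key and the button IDs are all assumptions made for the simulation. It plays out the three situations described above: a straight replay of a code the vehicle already heard, a jammed press whose captured code is replayed once and then again, and a captured code that goes stale once the fob transmits again within the vehicle's hearing.

```python
import hashlib
import hmac
import struct

# Button identifiers (assumed values for this simulation only).
UNLOCK = 0x01
TRUNK = 0x02

# How many skipped counter values the receiver tolerates (assumed). Real
# receivers use a similar look-ahead window so that presses made out of range
# do not permanently desynchronize the fob from the vehicle.
WINDOW = 16


def make_code(key: bytes, counter: int, button: int) -> tuple:
    """Derive a one-time code: counter and button plus a truncated HMAC over them.
    The counter is sent in the clear here for readability; real rolling-code
    schemes encrypt it, but the replay logic below is the same either way."""
    msg = struct.pack(">IB", counter, button)
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:8]
    return (counter, button, tag)


class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self, button: int) -> tuple:
        """Every press advances the fob's counter, whether or not anyone hears it."""
        self.counter += 1
        return make_code(self.key, self.counter, button)


class Receiver:
    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter  # highest counter accepted so far

    def hear(self, frame: tuple) -> bool:
        """Accept a frame only if its counter is ahead of the last accepted one
        (within WINDOW) and its tag verifies; on success the code rolls forward."""
        counter, button, tag = frame
        if not (self.counter < counter <= self.counter + WINDOW):
            return False  # at or behind the last code, or too far ahead
        expected = make_code(self.key, counter, button)[2]
        if not hmac.compare_digest(tag, expected):
            return False
        self.counter = counter
        return True


def pair() -> tuple:
    """A fob and a vehicle receiver sharing a constructed pairing secret."""
    key = b"rolling-code-demo-pairing-secret"  # constructed, not a real key
    return Fob(key), Receiver(key)


def plain_replay() -> tuple:
    """Vehicle hears the press; an attacker's replay of the same frame fails."""
    fob, car = pair()
    frame = fob.press(UNLOCK)
    owner_ok = car.hear(frame)
    attacker_ok = car.hear(frame)
    return owner_ok, attacker_ok


def jam_and_capture() -> tuple:
    """Press is jammed so the vehicle never hears it; the captured frame works
    once for the attacker and then never again (one-and-done)."""
    fob, car = pair()
    captured = fob.press(UNLOCK)  # jammed: car.hear() is never called for it
    first = car.hear(captured)
    second = car.hear(captured)
    return first, second


def captured_code_goes_stale() -> tuple:
    """Owner presses again, unjammed and in range, before the attacker replays.
    The receiver jumps to the newer counter and the captured code is now behind."""
    fob, car = pair()
    captured = fob.press(UNLOCK)  # jammed and captured
    owner_ok = car.hear(fob.press(UNLOCK))  # gap of one code is inside WINDOW
    attacker_ok = car.hear(captured)
    return owner_ok, attacker_ok


if __name__ == "__main__":
    print("plain replay (owner, attacker):        ", plain_replay())
    print("jam and capture (first, second replay):", jam_and_capture())
    print("stale capture (owner, attacker):       ", captured_code_goes_stale())
```

The acceptance window is why the owner's second press in the last scenario is still accepted even though the receiver missed the jammed one, and it is also why the captured code is invalidated rather than merely delayed: once the receiver has accepted a higher counter, nothing at or below it is ever accepted again.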