CN101931523A - Inversed chip-stage decoding time synchronization rolling codes - Google Patents
Inversed chip-stage decoding time synchronization rolling codes Download PDFInfo
- Publication number
- CN101931523A CN101931523A CN2010101731468A CN201010173146A CN101931523A CN 101931523 A CN101931523 A CN 101931523A CN 2010101731468 A CN2010101731468 A CN 2010101731468A CN 201010173146 A CN201010173146 A CN 201010173146A CN 101931523 A CN101931523 A CN 101931523A
- Authority
- CN
- China
- Prior art keywords
- time
- remote controller
- rolling codes
- chip
- remote
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B60—VEHICLES IN GENERAL
- B60R—VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
- B60R25/00—Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
- B60R25/20—Means to switch the anti-theft system on or off
- B60R25/24—Means to switch the anti-theft system on or off using electronic identifiers containing a code not memorised by the user
Landscapes
- Engineering & Computer Science (AREA)
- Mechanical Engineering (AREA)
- Selective Calling Equipment (AREA)
Abstract
The invention provides a remote control scheme of inversed chip-stage decoding time synchronization rolling codes. Time parameters are added to the operation of the rolling codes. The initial times of remote controllers are set as random numbers. When receivers are in a learning state, the remote controllers send out time values and other parameters, and the receivers use the time values of the remote controllers as initial time values and start to synchronously time with the remote controllers. When the remote controllers are used, if the errors of the time values in remote controller instructions received by the receivers and the time values of the receivers exceed 1%, the receivers can not execute the remote controller instructions of the remote controllers. Because the interval times of keying times are different, the time values are discontinuous numbers, and all remote controllers are different; and although chips are decoded, and the operation method of the rolling codes is divulged, the rolling codes intercepted and captured in a method for tracking and intercepting the rolling codes in the air are a series of irregular rolling codes which can not compare with data operated by violent decoding, therefore, the remote controllers can not be copied. The invention is suitable for automobile anti-theft and access control systems.
Description
The present invention describes a kind of time synchronized rolling code remote control scheme.After being cracked, still can not untie the chip with a collection of product the rolling code of other remote controller.Be applicable to automobile burglar and gate control system.
Rolling code is that those same buttons of general reference are pressed the remote control coding scheme that all can send different sign indicating numbers at every turn.The rolling code remote control scheme of current trend is the Keeloq coding of the U.S. little core company, other also has single-chip microcomputer rolling code that some producers programme separately, AES rolling code, DES rolling code etc., also have RFID chip rolling code, these rolling codes are similar in principle.All be the special algorithm of utilization, the rolling code that makes same button at every turn send has looked significant difference and not significantly contact.And identical rolling code can only be once effective, and is for the second time just invalid.Thereby can prevent to tackle wireless signal in the air, carry out simple learning type decoding.
Existing these rolling codes are invalid with the decoding of simple learning type, so, and also can be invalid behind these chips if cracked? surely not, if after having cracked these chips, more than these rolling codes all can lose efficacy.Crack after the chip, be easy to copy another effective remote controller.As example this viewpoint is described with the HCS301 chip that the most generally uses.The strong encryption pattern of HCS301 is a safe mode, under this pattern, participate in having of rolling code computing: manufacturer code, chip serial number, synchronometer numerical value, identification code, function key code, overflow position, kind subcode, wherein chip serial number, function key code, overflow position are that plain code sends, identification code is low 10 of chip serial number, also is plain code.First row operation becomes coding password to manufacturer code with chip serial number, and coding password becomes the frame hopping part of rolling code again with synchronometer numerical value, identification code, function key code, overflow position, the computing of kind subcode.If cracked receiver decoding program with a collection of product, just can know manufacturer code or coding password, also can know the operation method of Keeloq.Arrived this step, also had synchronometer numerical value and kind subcode not to know, produce at random because plant subcode, each remote controller all is different.Synchronometer numerical value especially one by one button change.So, how to crack all ignorant rolling code of such two operational datas? we know that synchronometer numerical value is to add 1 one by one.The cracker can the tracking target remote controller whereabouts, with the method for aerial interception, continuous several times is gathered the rolling code that the target remote controller sends, the rolling code that collects like this seems that not have rule be clocklike in fact, all is that synchronometer numerical value adds 1 sequence arrangement one by one.The rolling code data comparison that generates with " Brute Force " then will find to meet a string data of order, so, and the pairing synchronometer numerical value of this string data and plant subcode and just come out.If add the more subcode computing of planting, perhaps other parameter also adds computing, as long as these parameters be fix or clocklike, still can adopt above-mentioned same quadrat method, crack chip earlier with a collection of product, after learning operation method, calculating a series of data again, is a plurality of rolling codes that the collection of tracking target remote controller is sent continuously at last, and comparison meets one group of data of order, solve all parameters, duplicate remote controller.Computer technology develop rapidly now accomplishes that " Brute Force " is not difficult matter, and also in the swift and violent quickening in the ground that makes rapid progress, this crack method can be more and more easier for the arithmetic speed of computer.For instance: planting subcode is under the situation of 00000000H, and corresponding synchronometer numerical value is one group of sequence arrangement from 0000H to FFFFH; Planting subcode is under the situation of 00000001H, and corresponding synchronometer numerical value is one group of sequence arrangement from 0000H to FFFFH, by that analogy, always total 4G group, every group has 64K data, is 256TB data altogether.If adopt 4 nuclears, the 64 bit CPU computings of 3G frequency, whenever endorse and in 10 clock cycle, calculate 1 data, 44 nuclear CPU work simultaneously, approximately can calculate 256TB data in 7.4 hours.This also is the slowest method, if find out certain regular data wherein arranged, can also crack this kind rolling code quickly, contact is associated in fact because the continuous rolling code of each time successively seems not, just synchronometer numerical value has increased by 1, and its operation method is again known, should be not difficult to find out crack method faster.RFID chip remote controller also is not difficult to crack, because receiver and remote controller complete response signal have had answer signal just to increase the clue that cracks.
Rolling code of the present invention is time parameter to be joined in the computing of rolling code go.Remote controller and receiver have been put manufacturer code at the Shi Douyu that dispatches from the factory.The initial time value of remote controller is set to random number, after remote controller re-powers, just from then on the initial time value picks up counting, time of day can can also be other unit for dividing also for second, clocking method can be add 1, subtract 1, parity count, to counting number, index counting, pseudo random number counting etc.Remote controller and receiver write the current time value such as one minute in the clockwise EEPROM at regular intervals.Receiver is when learning state, and remote controller sends chip serial number, synchronometer numerical value, time value, function key code, kind subcode, and receiver is the initial time value and begins and the remote controller time synchronisation with the time value of remote controller.When learning state finished, receiver is in holding state can receive remote command.In the use, receiver is except comparing other parameter, and whether the time value error that also will compare time value and this machine in the remote command surpasses certain limit, and such as having surpassed 1%, receiver just can not carried out the instruction of remote controller.Only in both time value error less than 1% o'clock, receiver just can be carried out the instruction of remote controller.The maximum of time can design greatly especially, and such as 1,000,000,000,000 years, so, remote controller just can be set the initial time value in the scope in 1,000,000,000,000 years at random when dispatching from the factory.The initial time value of each remote controller can be not identical in the time of so just can guaranteeing to produce in enormous quantities.When remote controller is changed battery in user's use, or other is former thereby the electricity went off, when re-powering, contain power cut-off information in the rolling code that first three time sent, receiver is solving after the chip serial number of remote controller, synchronometer numerical value, manufacturer code, kind subcode conform to, and will be worth also whether big little and time value this machine is with the time value that received last time the proving time, then carry out the instruction of remote controller and come this machine time value synchronously, otherwise do not carry out with this time value.When re-powering again after the receiver outage, when receiving first remote controller code after the outage, be worth time value whether big and reception last time proving time, be, then carry out the instruction of remote controller and the time value of coming synchrodyne self, otherwise do not carry out the instruction of remote controller with this time value.In actual use, the receiver powering-off state seldom occurs, and it is also few that remote controller changes the chance of battery, so the time synchronized state of this programme exists in most cases.The continuation of time synchronized is guaranteed.
Because the blanking time of each button is different in size, so time value is discontinuous numeral, even be cracked with a collection of other remote controller chip that dispatches from the factory, the rolling code operation method is also divulged a secret, still, the time value of each remote controller is different, and change at any time, adopt to follow the tracks of the method for interception rolling code, intercepting and capturing be a succession of random rolling code, cannot with the data that generate comparisons, also reproducible remote controller not just certainly.In the solution of the present invention, the rolling code that at every turn sends not only seems not contact, and in fact also be really not have contact, because be separated with the long weak point that has between the time, even aerial interceptor has the remote controller of same model on hand, can not determine specifically sending the time of each rolling code, can't determine that certain rolling code is to send last one minute or this minute.
Remote controller of the present invention partly constitutes main control unit with the plug-in AT24C02 of SN8P2501B single-chip microcomputer, and 315M or 433M wireless transmission single tube transmitter unit, the B utmost point of transmitting tube are attached to the I/O mouth of SN8P2501B as the FSK sign indicating number control utmost point.The external 32K crystal oscillator of SN8P2501B is as the clock source of time counting, and the RC oscillator of inner 16M is as the CPU work clock.When no button was pressed, CPU was operated under the 32K clock frequency, and electric current is about 100uA, to the almost not influence of life-span of battery.When button was pressed, CPU was operated under the 16M clock frequency, can finish cryptographic calculation fast.Receiver section also constitutes main control unit with the plug-in AT24C02 of SN8P2501B single-chip microcomputer, 315M or 433M wireless receiving adopt Armstrong circuit, the outside 32K crystal oscillator of SN8P2501B is as the clock source of time counting, and the RC oscillator of inner 16M is as the CPU work clock.The computing of rolling code can be with AES or DES algorithm.
Claims (4)
1. inversed chip-stage decoding time synchronization rolling codes is characterized in that: remote controller and receiver employing time synchronized.Temporal information participates in the rolling code computing.With this machine temporal information and the comparison of remote controller temporal information, exceed error range and then do not carry out remote command during decoding.
2. inversed chip-stage decoding time synchronization rolling codes as claimed in claim 1 is characterized in that: the maximum of time is set greatly especially.The initial time value of different remote is set in maximum range at random.
3. inversed chip-stage decoding time synchronization rolling codes as claimed in claim 1 is characterized in that: remote controller non-volatility memorizer spare interval value writing time, the time value from last registration after re-powering picks up counting.Contain power cut-off information in the rolling code that remote controller sends, have only the time value of judging remote controller when receiver in certain particular range the time, just can carry out the instruction of remote controller.
4. inversed chip-stage decoding time synchronization rolling codes as claimed in claim 1 is characterized in that: time counter is the non-linear count method.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010101731468A CN101931523A (en) | 2010-05-10 | 2010-05-10 | Inversed chip-stage decoding time synchronization rolling codes |
| PCT/CN2010/000749 WO2011140683A1 (en) | 2010-05-10 | 2010-05-26 | Anti chip-level-break synchronous rolling code |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010101731468A CN101931523A (en) | 2010-05-10 | 2010-05-10 | Inversed chip-stage decoding time synchronization rolling codes |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101931523A true CN101931523A (en) | 2010-12-29 |
Family
ID=43370460
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010101731468A Pending CN101931523A (en) | 2010-05-10 | 2010-05-10 | Inversed chip-stage decoding time synchronization rolling codes |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN101931523A (en) |
| WO (1) | WO2011140683A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107393277A (en) * | 2017-08-28 | 2017-11-24 | 江苏赫奕科技有限公司 | Method of sending and receiving based on low-power consumption safe mode des encryption rolling code |
| CN109166218A (en) * | 2018-09-03 | 2019-01-08 | 北京航空航天大学 | A kind of automobile key means of communication based on time encryption |
| CN117315826A (en) * | 2023-10-12 | 2023-12-29 | 山东泽鹿安全技术有限公司 | Automobile key data interaction method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2007019662A1 (en) * | 2005-08-18 | 2007-02-22 | Tsui Philip Y W | Transmitter for operating rolling code receivers |
| CN101270620A (en) * | 2007-03-23 | 2008-09-24 | 成都途筏达科技有限公司 | Remote control device and method adopting true random sequence as unlocking cipher of remote control lock |
| CN101390138A (en) * | 2006-01-03 | 2009-03-18 | 约翰逊控制技术公司 | Transmitter and method for transmitting an RF control signal |
| CN101662363A (en) * | 2008-08-30 | 2010-03-03 | 怀化学院 | Multi-layer rolling code encryption and decryption technology |
-
2010
- 2010-05-10 CN CN2010101731468A patent/CN101931523A/en active Pending
- 2010-05-26 WO PCT/CN2010/000749 patent/WO2011140683A1/en active Application Filing
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2007019662A1 (en) * | 2005-08-18 | 2007-02-22 | Tsui Philip Y W | Transmitter for operating rolling code receivers |
| CN101390138A (en) * | 2006-01-03 | 2009-03-18 | 约翰逊控制技术公司 | Transmitter and method for transmitting an RF control signal |
| CN101270620A (en) * | 2007-03-23 | 2008-09-24 | 成都途筏达科技有限公司 | Remote control device and method adopting true random sequence as unlocking cipher of remote control lock |
| CN101662363A (en) * | 2008-08-30 | 2010-03-03 | 怀化学院 | Multi-layer rolling code encryption and decryption technology |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107393277A (en) * | 2017-08-28 | 2017-11-24 | 江苏赫奕科技有限公司 | Method of sending and receiving based on low-power consumption safe mode des encryption rolling code |
| CN109166218A (en) * | 2018-09-03 | 2019-01-08 | 北京航空航天大学 | A kind of automobile key means of communication based on time encryption |
| CN117315826A (en) * | 2023-10-12 | 2023-12-29 | 山东泽鹿安全技术有限公司 | Automobile key data interaction method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2011140683A1 (en) | 2011-11-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105530263B (en) | A kind of extra lightweight RFID mutual authentication methods based on tag ID | |
| US10347059B2 (en) | Information processing apparatus, information processing method, program, and information processing system | |
| CN105450620B (en) | A kind of information processing method and device | |
| US20170243424A1 (en) | Information processing apparatus, information processing method, and program | |
| CN106761052B (en) | A kind of automobile door control remote-control key radio frequency Replay Attack system of defense based on timestamp | |
| CN104050402A (en) | Mobile terminal security certification method and system and mobile terminal | |
| CN100461669C (en) | Public key code hopping safety system and method | |
| EP3266146A2 (en) | Side channel analysis resistant architecture | |
| CN101931523A (en) | Inversed chip-stage decoding time synchronization rolling codes | |
| US20150186676A1 (en) | Real-time clock (rtc) modification detection system | |
| CN105416234B (en) | Control instruction safe transmission method and automobile anti-theft remote controller | |
| CN106971482A (en) | A kind of real-time intelligent anti-theft magnetic snap system based on low-power consumption bluetooth | |
| US8717174B2 (en) | Monitoring apparatus for a tag having an engaged and a non-engaged mode | |
| CN104616374A (en) | Car key remote control system radiofrequency signal interception method | |
| CN202475454U (en) | Encryption device of remote controller | |
| CN106453363A (en) | Network coding and decoding system based on bus technology for plurality of 2nd-generation ID cards | |
| CN104135366A (en) | Data authentication system and data authentication method | |
| KR20140063753A (en) | Code hopping based system with increased security | |
| WO2016173371A1 (en) | Gis-based remote distributed monitoring system | |
| CN103049947A (en) | Electronic key | |
| CN117437722B (en) | Split type prepayment water meter management method and system thereof | |
| JP2015232861A (en) | Radio communication system | |
| CN102509127B (en) | Passive radio frequency identification safety certification system and method | |
| JP6080662B2 (en) | Game system | |
| CN202059436U (en) | Information security protection system for advertising kiosk |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20101229 |