HCS412; A Look at my Car's Remote Unlocker

Forewarning: I am not an Electronic Engineer. Please forgive my naiveness.

On Sunday I decided to open up my car's keyless remote out of curiosity because it wasn't working anymore. I didn't care what happened to it because I hadn't been using it for over a year. Honestly at first I thought the issue was a dead battery, but after replacing it there was no difference.

Fast forward 2 years later. I've done some Electronic Engineering reading and decided to look at the circuit board for fun. The first thing I noticed was a couple of buttons, a microchip and a transmitter. Then I Googled the microchip's name: HCS412. It turns out this chip is pretty sophisticated. It comes with hardware built-in KeeLoq encryption/decryption, which is an algorithm for securely transferring data. We'll get into this shortly. It also includes: 3 switch inputs, pulse-width modulation, a low-battery detector, 2 transmitters, anticollision of transmissions, operation from 2.0V to 6.3V, reprogrammability through a pin, an LED status pin, and a few other things described in terminology that only a few people will understand. Oh, it also includes 288 bits of memory (a whopping 36 bytes)!

Here is a pin-out of the HCS412. 


S0, S1, and S2 are the pins that essentially detect button presses. S2 is actually multipurpose: according to the datasheet (a document which fully describes the hardware; it was really interesting to read), it can also be used for a weak, battery-less transmitter or a more powerful one. LC0 and LC1 are for the battery-less transmitter. VDD is the power coming into the microchip and GND leads to ground. LED is for the LED status indicator and DATA for data.

After reading through the datasheet it became obvious that my manufacturer had left out a neat feature of my keyless remote: there was no LED indicator at all! If there had been one I could have told whether it was my car's receiver or the remote that was broken. According to the datasheet it would have been straightforward to hook up too.


Maybe they didn't include it so owners would have to spend more money taking it to a dealership to figure out what was wrong and pay for repair or replacement. Either way, it would've been nice. The datasheet makes it seem like if I personally stuck one in there it should work, because the LED pin outputs ~0.4mA when it's transmitting and the circuit looks fairly simple.

Another odd thing was that my remote had 5 buttons (switches), whereas according to the datasheet the chip is only capable of handling 3 (but up to 7 functions? I guess because of the 2^3 combinations of on/off). So they had done something clever to get more switches in there.

During this journey I also discovered an industry standard encryption algorithm: KeeLoq. Apparently KeeLoq was designed in the late 90s. Many automotive manufacturers built their cars' remotes with this encryption algorithm (because they were packaged with the HCS412).

Here's a basic rundown of how KeeLoq works. In each HCS412 microchip there is an EEPROM (Electrically Erasable Programmable Read-Only Memory) that holds the transmitter's serial number, (en)crypt(ion) key, and a "synchronization counter". The sync counter is used as a way to change the encrypted data every time, sort of like a random seed for a random number generator. The algorithm combines the sync counter and the crypt key and encrypts 32 bits of data. The HCS412 then transmits that data, the serial number, and button press information to the receiver.

Here is the process taken from the datasheet.


On the receiving end, the receiver in the car decrypts the encrypted data by:

1) recreating the crypt key from the serial number (I'll get to this in a second)
2) recreating the synchronization counter using the button press information.

The crypt key is originally created from a master key. These master keys are owned by the manufacturers. The master key is combined with the serial number to create a crypt key.

The sync counter is incremented every time a button is pressed.
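The transmit-and-verify flow just described, as an added Python model that is not code from the original post or from Microchip: the published KeeLoq cipher, a transmitter that encrypts its sync counter, and a receiver that rederives the crypt key from the serial number and rejects any code whose counter is not ahead of the last one it saw. The key-derivation padding constants, the hop-code field layout, and the serial and manufacturer key values are assumptions, not taken from the post.

```python
NLF = 0x3A5C742E   # KeeLoq non-linear function table, indexed by five state bits
MASK32 = 0xFFFFFFFF

def _bit(x, n):
    return (x >> n) & 1

def _nlf(x, taps):  # taps listed from the table index's MSB down to its LSB
    idx = sum(_bit(x, t) << (4 - i) for i, t in enumerate(taps))
    return _bit(NLF, idx)

def keeloq_encrypt(block, key):  # 32-bit block, 64-bit key, 528 shift-register rounds
    x = block & MASK32
    for r in range(528):
        fb = _nlf(x, (31, 26, 20, 9, 1)) ^ _bit(x, 16) ^ _bit(x, 0) ^ _bit(key, r % 64)
        x = (x >> 1) | (fb << 31)
    return x

def keeloq_decrypt(block, key):  # runs the register backwards with the key bits reversed
    x = block & MASK32
    for r in range(528):
        fb = _nlf(x, (30, 25, 19, 8, 0)) ^ _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) % 64)
        x = ((x << 1) & MASK32) | fb
    return x

def derive_device_key(serial, mfr_key):  # assumed "normal learning": mfr key + serial -> crypt key
    hi = keeloq_decrypt(0x60000000 | (serial & 0x0FFFFFFF), mfr_key)
    lo = keeloq_decrypt(0x20000000 | (serial & 0x0FFFFFFF), mfr_key)
    return (hi << 32) | lo

class Transmitter:  # models the HCS412 EEPROM contents: serial, crypt key, sync counter
    def __init__(self, serial, mfr_key):
        self.serial, self.counter = serial, 0
        self.key = derive_device_key(serial, mfr_key)
    def press(self, buttons):  # assumed hop-code layout: 4 function | 12 discrimination | 16 counter bits
        self.counter = (self.counter + 1) & 0xFFFF  # sync counter advances on every press
        plain = (buttons << 28) | ((self.serial & 0xFFF) << 16) | self.counter
        return {"serial": self.serial, "buttons": buttons, "hop": keeloq_encrypt(plain, self.key)}

class Receiver:  # models the car: stores only the manufacturer key and last-seen counters
    def __init__(self, mfr_key, window=16):
        self.mfr_key, self.window, self.last = mfr_key, window, {}
    def accept(self, msg):
        plain = keeloq_decrypt(msg["hop"], derive_device_key(msg["serial"], self.mfr_key))
        buttons, disc, ctr = plain >> 28, (plain >> 16) & 0xFFF, plain & 0xFFFF
        if buttons != msg["buttons"] or disc != (msg["serial"] & 0xFFF):
            return False  # wrong key or corrupted frame: decrypted fields disagree with clear ones
        ahead = (ctr - self.last.get(msg["serial"], 0)) & 0xFFFF
        if not 1 <= ahead <= self.window:
            return False  # counter is not ahead of the stored value: replayed or stale code
        self.last[msg["serial"]] = ctr
        return True
```

Pressing a button twice yields two different hop codes, and feeding the first one back to the receiver after the second has been accepted is refused, which is the whole point of the sync counter.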

So it's obvious that the point of weakness here is getting a manufacturer key. If a hacker were able to obtain one, it would significantly reduce the range of data they'd have to try to unlock a car. Otherwise KeeLoq has been known as a very cheap and effective algorithm for secure keyless remote communication.

Thing is though, it has been cracked.

Thankfully not by some black hat, but by a group of researchers, several times. The great thing is that all of their attacks, except the latest one, are not practical at all. Most involve DPA (Differential Power Analysis) and their last one, SPA (Simple Power Analysis). These are techniques that have been used elsewhere to break other encryption algorithms (they note RSA can be cracked using these techniques).

Their latest attack is the deadliest though, because it allows access to the manufacturer's master key within a reasonable amount of time. Once they had that, the researchers could break into any car by sniffing a keyless remote's transmission from up to 100 meters away, and later come back and break into the car. They tested this with several manufacturers and had success. Freaking scary shit. I highly recommend reading the paper because it is just so interesting, and I never knew you could read what a processor was doing by reading its flipping voltage spikes. Crazy world we live in.

So anyway, in theory people could create new crypt keys for themselves since the HCS412's EEPROM is easily reprogrammable, but since the receiver is hardwired to use only crypt keys derived from a master key, it's impossible. I think it would've been OK, because you can only reprogram the receiver when you are physically in the car, plus it opens up a ton of possible keys.

I never expected to learn so much by typing in the tiny text found inside my car's remote. Feed your curiosity. Keep learning!

Comments

  1. Great post! Thanks for sharing! Keep updating, please.
  2. Great! It's really useful for me. Thanks for sharing it.
  3. It sounds like your curiosity makes you discover a lot of great things, thanks for sharing.
  4. Curious minds tend to discover and know various things.
  5. That's why I'm using only stock unlockers for my Audi.
  6. Great article! Find all the best for your car for less money.