
Table of Contents
- Legal Disclaimer and Limitation of Liability
- Terminology
- Hardware and Conceptual Foundations: The Operating Logic of OOK and ASK Modulation in RF Communication
- Hardware Asymmetry: The Receiver’s Wideband Filter vs. The Attacker’s Narrowband Filter
- KeeLoq Cryptography: Key Generation, PRNG, and Sync Counter Logic
- The Forward Synchronization Windowing Mechanism
- The Mechanics of the RollJam Attack: Bypassing the Receiver via Broadband Jamming and Narrowband Sniffing
- Laboratory Simulation Research Note
- Simulation of the KeeLoq Algorithm and RollJam Attack in a Laboratory Environment
- Conclusion
- References
Remote Keyless Entry (RKE) and Passive Keyless Entry and Start (PKES) systems form the foundation of access control in the modern automotive industry. Remote access in this sector dates back to 1982, when Renault first fitted vehicles with its patented infrared remote control. As radio frequency (RF) technology replaced infrared, the early RF-based wireless access systems were built on a static scheme known as “Fixed Code.”
In this scheme the code transmitted over the air is identical every time the button on the transmitter (key fob) is pressed, and no encryption is involved. This static behaviour invites “Replay Attacks”: an attacker records the code with a basic radio receiver or a software-defined radio and later simply rebroadcasts it to the target vehicle. A fixed code is a barrier where the same password is whispered at every entry; whoever records the signal gains access without performing any cryptographic work at all.
To eradicate the inherent flaws of fixed codes and effectively neutralize replay attacks, the industry shifted toward a dynamic encryption approach known as Rolling Code cryptography. These systems operate by generating constantly changing, single-use passwords for every communication between the transmitter and the receiver. To an outside observer, these sequences appear entirely random. This continuous variation is secured through the combined operation of Pseudo-Random Number Generator (PRNG) algorithms and internal synchronization counters (sync counters). By design, the architecture guarantees that an encrypted password is valid for only one use. If an attacker tries to resend a previously recorded valid code, the vehicle’s receiver will categorically reject it.
The KeeLoq algorithm, the prevailing industry standard in this domain, puts the rolling code concept on a sound mathematical footing. Its 32-bit encrypted block admits about 4.3 billion (2^32) possible values, and the 16-bit synchronization counter behind it wraps only after 65,536 presses; at around ten presses a day that is roughly 18 years before a code could in principle recur. For many years, KeeLoq and similar rolling code implementations successfully defended against basic eavesdropping and replay attacks.
However, this solid defensive posture was fundamentally disrupted at the DEF CON 23 security conference in 2015, when researcher Samy Kamkar introduced the RollJam attack. Rather than attempting to break the cipher mathematically, RollJam is an asymmetric cyber-physical attack: it exploits the logical workflow of the communication protocol together with the physical limitations of cheap RF receivers. The attack consists of three coordinated steps: jamming, sniffing, and replaying.
A small device, either placed directly on the target vehicle or concealed nearby, initiates an intentional jamming signal—typically consisting of broadband noise—centered on the vehicle’s receiving frequency. When the owner presses the button on their key fob, the transmitter broadcasts a perfectly legitimate and valid rolling code over the air. Deafened by the attacker’s artificial noise floor, the vehicle’s receiver simply cannot detect or process this transmission. Meanwhile, the attacker’s hardware utilizes precise narrowband filters to pluck that exact valid code out of the surrounding noise, silently storing it in memory.
Noticing that the door failed to unlock, the owner instinctively presses the button a second time. At this exact moment, the attacker captures the newly generated second code. Simultaneously, the rogue device replays the “first” code it had intercepted moments ago. Because the vehicle’s receiver never actually heard that initial transmission, it accepts the replayed code as fresh and legitimate, subsequently unlocking the doors. The user assumes the system just had a minor glitch and proceeds normally.
The outcome of this protocol manipulation is critical: the attacker walks away holding the unused second code. Because that code sits exactly one step ahead of the counter the vehicle has just stored, it remains valid, and the attacker can replay it later to unlock the vehicle. Its validity lasts only until the owner’s next successful press, which advances the vehicle’s reference past it.
Legal Disclaimer and Limitation of Liability
All tests and hardware architecture analyses detailed in this report were conducted strictly for educational purposes within a completely isolated laboratory environment. This study has been prepared in compliance with the legal boundaries outlined in the Electronic Communications Law No. 5809 and the Cyber Security Law No. 7545, without encouraging any unauthorized access or system manipulation. Intentional signal jamming simulations were executed exclusively in an isolated test area using dummy loads.
Limitation of Liability: In the event that the technical details, tools, and proof-of-concept (PoC) methods presented in this article are misused against real and unauthorized systems, all legal, penal, and financial liabilities belong directly to the individual executing the action. The author, the affiliated institution, and the publisher assume no responsibility whatsoever for any unlawful use of the provided information.
Terminology
To ensure a comprehensive understanding of the conceptual framework and hardware analyses, the technical and academic terms frequently used in this report are detailed in the tables below.
Cryptographic and Logical Terms
| Term | Definition |
| --- | --- |
| XOR (Exclusive OR) | A fundamental logic gate and cryptographic operation: comparing two bits, it outputs ‘1’ if they differ and ‘0’ if they are equal. Ciphers use it to combine data with key material. |
| Sync Counter | An internal register (16 bits in the HCS KeeLoq encoders, extended by 2 overflow bits) that lets the transmitter and receiver track their position in the code sequence. |
| PRNG (Pseudo-Random Number Generator) | An algorithm that generates a deterministic sequence from an initial “seed” value and a fixed function. Because transmitter and receiver share the same secret, the receiver can verify the next code in the sequence. |
| KeeLoq | A proprietary block cipher developed by Microchip Technology, with a 64-bit secret key and a 32-bit block size, which became an industry standard in remote keyless entry systems. |
Radio Frequency and Attack Terms:
| Term | Definition |
| --- | --- |
| RollJam | A cyber-physical attack on rolling code systems. The attacker jams the receiver’s listening window while sniffing and recording consecutive valid transmissions from the fob, then replays them to deceive the receiver’s synchronization logic. |
| Broadband Jamming | Generating high-power RF noise across a wide band around the target’s operating frequency so that the receiver can no longer detect legitimate signals. |
| SDR (Software-Defined Radio) | Flexible RF hardware in which signal processing stages traditionally built in hardware (mixers, filters, demodulators) are executed in software on a computer. |
| Replay Attack | An attack in which a valid transmission is intercepted and later repeated or delayed to gain unauthorized access to the original system. |
Hardware and Conceptual Foundations: The Operating Logic of OOK and ASK Modulation in RF Communication
Wireless access systems are widely used in short-range wireless applications such as home automation, industrial networks, Tire Pressure Monitoring Systems (TPMS), and Remote Keyless Entry (RKE). The dominant engineering constraints in these designs are low system cost, simple circuitry and, above all, long battery life for the portable device (key fob). Technologies such as Bluetooth, ZigBee or Wi-Fi offer far better noise immunity thanks to channel hopping and spread-spectrum techniques, but their protocol stacks raise cost by a factor of two to five and drain a small battery-powered device far faster. These economic and physical constraints have made Amplitude-Shift Keying (ASK), and its simplest special case On-Off Keying (OOK), the standard modulation for RKE data transmission.
ASK and OOK modulation superimpose digital data (‘0’ and ‘1’ bits) on a radio frequency carrier. In ASK the data controls the carrier amplitude: to send a ‘1’ the transmitter broadcasts the carrier at high amplitude, and to send a ‘0’ it reduces the amplitude by a fixed ratio. ASK needs less bandwidth than FSK (Frequency-Shift Keying) for the same data rate, but it is more susceptible to amplitude noise.
OOK takes amplitude manipulation to its simplest and most energy-efficient extreme. To send a ‘1’, the transmitter keys the carrier (for example at 433.92 MHz or 315 MHz in the ISM bands) fully on; to send a ‘0’ it keys the carrier fully off and radiates no RF energy at all. Because the power amplifier is off for every ‘0’ bit in the packet, OOK is unrivaled for battery life in portable key fobs. This communication typically occurs on frequencies allocated to the Industrial, Scientific, and Medical (ISM) bands.
The table below provides a comparative overview of the technical parameters of RF modulation hardware frequently used in RKE and TPMS infrastructures within vehicle security systems:
| Modulation Type | Digital ‘1’ Representation | Digital ‘0’ Representation | Hardware Complexity and Cost | Energy Efficiency | Noise Immunity |
| --- | --- | --- | --- | --- | --- |
| ASK (Amplitude-Shift Keying) | High-amplitude carrier | Low-amplitude carrier | Low to medium | Lower than OOK, higher than FSK | Medium |
| OOK (On-Off Keying) | Carrier on (full power) | Carrier off (zero power) | Minimum (lowest cost) | Maximum (battery friendly) | Low |
| FSK / PSK (Frequency/Phase-Shift Keying) | One frequency or phase | Another frequency or phase | High (Bluetooth/ZigBee class radios) | Low | Maximum |
The receiver hardware (the receiver module feeding the vehicle’s Electronic Control Unit, ECU) decodes this signal through three functional blocks. The first, the Input Bandpass Filter, sifts the wideband spectrum arriving at the antenna and passes only the region around the target carrier (e.g., 433.92 MHz). As detailed later, the width of this passband is one of the system’s greatest weaknesses.
The second block, the Envelope Detector, strips the RF carrier from the filtered signal and leaves only the baseband signal that follows its amplitude. Logarithmic RF power detectors such as the MAX9933 are used as envelope detectors in RKE receivers; thanks to their logarithmic transfer function they remain sensitive to very weak, millivolt-level signals.
The final block is the Comparator (data slicer). It turns the envelope detector’s analog output into digital 1s and 0s by comparing it against a reference threshold voltage. In ASK receivers this threshold adapts to the signal level, whereas OOK receivers often use a fixed reference (REF). A little hysteresis (for example a 300 kΩ feedback resistor with a 10 kΩ input resistor) and some capacitance on the comparator keep it from chattering on noise. This three-stage chain keeps the receiver cheap, and it is exactly what the physical-layer part of the RollJam attack relies on.
Hardware Asymmetry: The Receiver’s Wideband Filter vs. The Attacker’s Narrowband Filter
The RollJam attack, introduced by Samy Kamkar and capable of bypassing otherwise sound cryptographic designs such as KeeLoq, rests on pitting two unequal pieces of communication hardware against each other. At its heart lies the gap between the coarse, mandatory “wideband” filtering in the vehicle’s RF receiver and the precise “narrowband” digital filtering available to an attacker’s Software-Defined Radio (SDR).
Cost pressure in remote keyless entry systems has pushed designers toward inexpensive Surface Acoustic Wave (SAW) resonators or simple Colpitts oscillators as frequency references in transmitters and receivers, rather than crystal-referenced synthesizers. SAW resonators drift with manufacturing tolerances, mechanical stress, ageing and, most of all, temperature. A key fob built for a 433.92 MHz center frequency might, for instance, drop to 433.85 MHz in winter cold or rise to 434.05 MHz in summer heat.
Vehicle manufacturers must still capture these drifting frequencies so that the car opens under all conditions. Consequently, the Input Bandpass Filter inside the vehicle receiver is designed with a coarse, wide acceptance window, typically on the order of 1.5 MHz. While nominally targeting 433.92 MHz, the receiver is forced to let hundreds of kilohertz of surrounding spectrum through to the detector.
This hardware necessity is what enables the desensitization (jamming) phase of RollJam. The attacker’s system (two SDRs and a small computer, or a custom board with two sub-GHz transceivers) transmits high-power broadband noise (additive white Gaussian noise, AWGN) inside, or just at the edge of, the vehicle’s roughly 1.5 MHz acceptance window. The vehicle cannot exclude this noise because, by design, it must listen to the whole window. The noise entering through the antenna raises the noise floor at the output of the envelope detector, so the OOK comparator, whose reference is fixed, either sits permanently above its threshold or toggles at random; the weak, legitimate key signal is buried in either case. At the hardware level the vehicle becomes a deaf listener.
On the attacker’s side the situation is the opposite. The attacker’s SDR (for example a HackRF One) has software-controlled gain staging that the vehicle’s analog front end lacks: on receive an RF amplifier (14 dB), an IF/LNA stage (0 to 40 dB) and a baseband stage (0 to 62 dB), and on transmit an IF gain of 0 to 47 dB. The attacker digitizes the ambient spectrum as I/Q (in-phase and quadrature) samples and filters them in software with Universal Radio Hacker (URH) or GNU Radio Companion (GRC). One practical caveat: an SDR receiving next to its own jammer can be driven into saturation (the HackRF One samples with only 8 bits), which is one reason the classic implementation jams at a slight frequency offset and keeps the jamming power modest.
By configuring a narrowband digital filter, the attacker isolates only the 20 to 30 kHz OOK channel the key actually occupies and mathematically discards the surrounding noise, including the noise the attacker generated. Traditional RollJam jams at a slight frequency offset so that the receiver’s wide filter takes the noise while the attacker’s narrow filter does not. The work cited below as “Enhanced RollJam” goes further: instead of random noise the attacker transmits a known noise sequence directly on the carrier and subtracts that known sequence from the captured samples (digital noise cancellation), reportedly leaving a clean OOK rolling code with a signal-to-noise ratio around 40 dB, against roughly 8 dB for the offset-jamming approach.
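To make the filter asymmetry concrete, here is an added toy simulation of the receiver chain and the jamming scenario described above. It is not code from the page, from Kamkar’s tool or from URH: a fixed-threshold OOK receiver that passes its whole band, a broadband AWGN jammer, and an attacker-side narrowband filter (coherent down-conversion at the fob’s carrier followed by a one-bit-period moving average). Every number in it (sample rate normalised to 1, carrier at 0.05 cycles per sample, 400 samples per bit, noise sigma of 1.0, the 16-bit frame) is constructed for the demo; there is no SAW drift, no AGC and no real hardware in the model.

```python
"""Toy OOK link: wideband fixed-threshold receiver vs. narrowband digital filter
under broadband jamming. Added example; all parameters are constructed."""
import cmath
import math
import random

FC = 0.05             # fob carrier, cycles per sample (20 samples per cycle)
SPB = 400             # samples per bit; the lowpass below has bandwidth ~ fs/SPB
WIDE_THRESH = 0.32    # fixed OOK slicer reference: about half the mean |cos| (2/pi)
NARROW_THRESH = 0.25  # half the down-converted '1' level (A/2 = 0.5 for A = 1)


def ook_modulate(bits, amp=1.0):
    """OOK: carrier on for '1', completely off (zero energy) for '0'."""
    return [amp * math.cos(2 * math.pi * FC * n) if bits[n // SPB] else 0.0
            for n in range(len(bits) * SPB)]


def add_awgn(samples, sigma, seed):
    """Broadband jammer: white Gaussian noise across the entire sampled band,
    which here stands in for the receiver's ~1.5 MHz acceptance window."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def vehicle_receiver(samples):
    """Wideband analog chain: rectify (|x|) and average as an envelope detector,
    then a fixed-reference comparator. Nothing rejects in-band noise, so a
    jammer simply lifts the envelope above the threshold for every bit."""
    bits = []
    for b in range(len(samples) // SPB):
        chunk = samples[b * SPB:(b + 1) * SPB]
        envelope = sum(abs(s) for s in chunk) / SPB
        bits.append(1 if envelope > WIDE_THRESH else 0)
    return bits


def attacker_receiver(samples, fc=FC):
    """Narrowband digital filter: mix down at the fob's (known) carrier and
    average over one bit period. Signal power is kept, noise power is reduced
    by roughly the bandwidth ratio (SPB). In practice fc comes from the
    spectrum view in URH/GRC, which is how carrier drift is handled."""
    bits = []
    for b in range(len(samples) // SPB):
        acc = 0j
        for n in range(b * SPB, (b + 1) * SPB):
            acc += samples[n] * cmath.exp(-2j * math.pi * fc * n)
        bits.append(1 if abs(acc) / SPB > NARROW_THRESH else 0)
    return bits


FRAME = [1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1]  # constructed payload bits


def demo(jam_sigma=1.0, seed=7):
    """Same jammed samples seen by both receivers; returns what each decodes."""
    clean = ook_modulate(FRAME)
    jammed = add_awgn(clean, jam_sigma, seed)
    return {
        "vehicle_clean": vehicle_receiver(clean),
        "vehicle_jammed": vehicle_receiver(jammed),
        "attacker_jammed": attacker_receiver(jammed),
        "processing_gain_db": round(10 * math.log10(SPB), 1),
    }


if __name__ == "__main__":
    result = demo()
    print("sent             ", FRAME)
    for name, value in result.items():
        print(f"{name:18}", value)
```

With noise sigma 1.0 the wideband signal-to-noise ratio is below 0 dB and the vehicle’s fixed slicer reads every bit as ‘1’, while the narrowband path enjoys 10·log10(400) ≈ 26 dB of processing gain and recovers the frame exactly. A real attacker gets the same effect from a 20 to 30 kHz filter against a ~1.5 MHz receiver window (about 18 dB) plus whatever the jammer’s frequency offset adds.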
The table below summarizes this critical asymmetric hardware architecture and the filtering differences between the vehicle receiver and the attacker’s device:
| Hardware Parameter | Vehicle Receiver (Target System) | Attacker System (e.g., HackRF One SDR) | Outcome and Impact on Attack |
| --- | --- | --- | --- |
| Filter Type and Bandwidth | Wideband analog filter (~1.5 MHz) | Software-defined narrowband digital filter (tens of kHz) | The vehicle cannot reject in-band noise; the attacker isolates the target signal. |
| Signal Gain Control | Fixed or slowly adapting comparator threshold | Software-controlled RF amplifier (14 dB) plus IF (0 to 40 dB) and baseband (0 to 62 dB) receive gain | The attacker can pull weak signals out of high-power noise. |
| Noise Processing Capability | None (desensitized once the noise floor rises) | Digital filtering and, in the enhanced variant, known-noise cancellation | On-frequency jamming becomes possible, with a reported SNR of ~40 dB. |
| Oscillator Stability | Low (SAW resonators drift with temperature and age) | High (TCXO-referenced SDRs tune precisely) | The vehicle’s obligation to use a wide filter lays the foundation for the attack. |
In conclusion, however sound the 64-bit key management of an algorithm like KeeLoq is, the filtering asymmetry at the hardware layer lets an attacker defeat the system at the physical layer. Once a single-use code between vehicle and key is intercepted and written to the attacker’s memory in a fraction of a second, the billions of code combinations the rolling code algorithm offers count for nothing at the edge of a narrowband filter.
KeeLoq Cryptography: Key Generation, PRNG, and Sync Counter Logic
The KeeLoq algorithm at the heart of rolling code systems in modern vehicles is a proprietary block cipher that encrypts 32-bit blocks under a 64-bit secret key, and it is deliberately lightweight. It is built on a Non-Linear Feedback Shift Register (NLFSR) clocked for 528 rounds. In each round a 5-input non-linear function (NLF) is evaluated on register bits 31, 26, 20, 9 and 1; its output is XORed with bits 16 and 0 of the register and with the next bit of the 64-bit key (the key bits are cycled through repeatedly), and the result is shifted back into the register. After 528 such rounds the output bears no visible relation to the input.
The mechanism that makes the system “rolling” lives in the 32-bit plaintext that the transmitter (key fob) assembles before encryption. In the HCS encoder family it has four parts:
- Sync Counter: 16 bits, incremented by one in the fob’s non-volatile memory (EEPROM) on every button press.
- Overflow Bits: 2 bits that record counter wrap-arounds and so extend the counter’s period beyond 65,536 presses.
- Discrimination Value: 10 bits, normally the low bits of the fob’s serial number; the decoder checks them after decryption to confirm that the code came from the expected fob and decrypted under the right key.
- Function Information: 4 bits naming the command, such as unlock, lock or open the trunk.
The “PRNG” behaviour is simply this block cipher applied to an incrementing counter. When the receiver (vehicle) and transmitter (fob) are paired, they share the 64-bit device key (commonly derived from a manufacturer’s master key and the fob’s serial number). An eavesdropper sees no correlation between consecutive codes (steps N and N+1). The vehicle, holding the key, does not need to predict the next code: it decrypts whatever it receives, checks the discrimination bits, and then compares the recovered counter with its stored reference as described in the next section.
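The round function, the plaintext layout and the decoder-side check described above, as an added example. This is not code from the page, from Microchip or from any vendor: the cipher follows the NLFSR description (528 rounds, NLF on bits 31, 26, 20, 9, 1, feedback XORed with bits 16 and 0 and a key bit), the plaintext uses the HCS301-style layout, and the device-key derivation only mimics the shape of Microchip’s “normal learn” (serial number decrypted under the manufacturer key). The 0x2/0x6 padding nibbles, the manufacturer key and the serial number are constructed for this demo and are assumptions, not vendor values.

```python
"""KeeLoq as a 528-round NLFSR, HCS-style plaintext packing, decoder check.
Added example; key derivation padding, key and serial are constructed."""

NLF = 0x3A5C742E  # the 5-input non-linear function as a 32-entry truth table


def _bit(value, n):
    return (value >> n) & 1


def _nlf(x, a, b, c, d, e):
    """Look up NLF with register bits a..e (a is the LSB of the index)."""
    idx = (_bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2
           | _bit(x, d) << 3 | _bit(x, e) << 4)
    return _bit(NLF, idx)


def keeloq_encrypt(block, key):
    """Each round: fb = NLF(y31,y26,y20,y9,y1) ^ y16 ^ y0 ^ k[r mod 64];
    the register shifts right and fb enters at bit 31."""
    x = block & 0xFFFFFFFF
    for r in range(528):
        fb = (_nlf(x, 1, 9, 20, 26, 31) ^ _bit(x, 16) ^ _bit(x, 0)
              ^ _bit(key, r & 63))
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(block, key):
    """Exact inverse: undo the rounds in reverse order, key bits 15, 14, ..."""
    x = block & 0xFFFFFFFF
    for r in range(528):
        fb = (_nlf(x, 0, 8, 19, 25, 30) ^ _bit(x, 15) ^ _bit(x, 31)
              ^ _bit(key, (15 - r) & 63))
        x = ((x << 1) & 0xFFFFFFFF) | fb
    return x


def derive_device_key(manufacturer_key, serial28):
    """Assumed normal-learn style derivation: two 32-bit halves, each the
    padded 28-bit serial decrypted under the 64-bit manufacturer key."""
    serial28 &= 0x0FFFFFFF
    lo = keeloq_decrypt((0x2 << 28) | serial28, manufacturer_key)
    hi = keeloq_decrypt((0x6 << 28) | serial28, manufacturer_key)
    return (hi << 32) | lo


def pack_plaintext(function, overflow, discrimination, counter):
    """HCS301-style layout, MSB first: 4 function | 2 overflow | 10 discrim | 16 counter."""
    return ((function & 0xF) << 28 | (overflow & 0x3) << 26
            | (discrimination & 0x3FF) << 16 | (counter & 0xFFFF))


def unpack_plaintext(p):
    return {"function": (p >> 28) & 0xF, "overflow": (p >> 26) & 0x3,
            "discrimination": (p >> 16) & 0x3FF, "counter": p & 0xFFFF}


def encoder_press(device_key, serial28, counter, function):
    """Key fob side: the 32-bit hopping code for one button press."""
    plaintext = pack_plaintext(function, 0, serial28 & 0x3FF, counter)
    return keeloq_encrypt(plaintext, device_key)


def decoder_check(device_key, serial28, hop_code):
    """Vehicle side: decrypt, require the discrimination bits to equal the
    serial's low 10 bits, then hand counter and function to the window logic."""
    fields = unpack_plaintext(keeloq_decrypt(hop_code, device_key))
    if fields["discrimination"] != (serial28 & 0x3FF):
        return None  # wrong key, wrong fob or corrupted frame
    return fields["counter"], fields["function"]


MANUFACTURER_KEY = 0x5A3C1F00DEADBEEF  # constructed demo value, not a vendor key
SERIAL = 0x0ABCDEF                      # constructed 28-bit serial number


def demo(first_counter=0x0100, presses=4, function=0x2):
    """Consecutive presses: same serial and button, yet unrelated hop codes."""
    key = derive_device_key(MANUFACTURER_KEY, SERIAL)
    hops = [encoder_press(key, SERIAL, first_counter + i, function)
            for i in range(presses)]
    checks = [decoder_check(key, SERIAL, h) for h in hops]
    return {"device_key": key, "hops": hops, "checks": checks}


if __name__ == "__main__":
    result = demo()
    for hop, (counter, function) in zip(result["hops"], result["checks"]):
        print(f"hop=0x{hop:08X} -> counter=0x{counter:04X} function={function}")
```

The decoder never “predicts” a code: it decrypts, verifies the discrimination bits, and only then looks at the counter. A frame decrypted under the wrong key yields random discrimination bits, which the check rejects with probability 1023/1024 before any counter logic runs.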
The Forward Synchronization Windowing Mechanism
Under real-world conditions, users frequently press their key fobs accidentally while out of the vehicle’s range, or children might play with the buttons. This naturally causes the internal synchronization counter of the key to advance, while the vehicle’s counter remains static at the old value. To prevent the system from permanently locking up and becoming entirely unusable during these natural desynchronization scenarios, a highly critical feature known as the “Synchronization Window” (Windowing) mechanism was integrated into the KeeLoq architecture.
The EEPROM on the receiver (vehicle) side establishes the last successfully verified counter value as its strict reference point, subsequently evaluating incoming signals against different acceptance windows:
Open Window (Single Operation): This segment covers the first 16 forward-moving counter steps from the reference value (i.e., codes between N+1 and N+16). If the vehicle receives a valid encrypted code falling within this specific range, it treats the event as normal usage or slight accidental drift. It immediately unlocks the door on the first press and updates its internal counter.
Resync Window (Double Operation): A much broader window encompassing approximately 32,768 (32K) forward steps, beginning immediately after the 16-step Open Window. If a user has pressed the key hundreds of times while away from the vehicle, the counter falls into this expansive range. When the vehicle detects a signal from this window, security protocols dictate that it must not open the doors immediately. Instead, to verify whether the password originated from a legitimate key or was merely a random anomaly, it waits for a consecutive second signal. If this second incoming signal is exactly one mathematical increment higher than the previous one it just heard (proving sequential generation), the vehicle updates its synchronization and executes the requested command.
Blocked Window: This encompasses any older counter codes that lag behind the current reference value. The vehicle categorically and permanently rejects these. This is the system’s primary and most vital defense mechanism against Replay Attacks; a previously used code is simply never accepted a second time.
This flexible windowing keeps the daily user experience smooth, but the 16-step Open Window is precisely the logical loophole the RollJam attacker needs: any code the receiver has not yet seen remains acceptable as long as it lies within those 16 steps ahead of the stored reference.
The Mechanics of the RollJam Attack: Bypassing the Receiver via Broadband Jamming and Narrowband Sniffing
The RollJam attack is a hybrid approach that exploits the “open window” mechanism and the wide/narrowband filter asymmetry at the same time, sidestepping a sound block cipher like KeeLoq rather than breaking it. It spends no computing power on the cryptography; instead it manipulates the timing of the transmissions so that the counter sequence works in the attacker’s favor.
The chronological sequence of the attack and the systemic bypass of the receiver unfold through the following specific steps:
- Broadband Jamming and Desensitization: Using SDR hardware, the attacker broadcasts a high-power noise signal directly onto or immediately adjacent to the vehicle’s receiving frequency. Due to the physical limitations of its hardware design, the vehicle’s receiver captures this noise through its wideband filter (~1.5 MHz), causing its baseline noise floor to spike dramatically. The vehicle is now effectively deafened at the RF physical layer.
- Generation of Signal 1 and Narrowband Sniffing: The user approaches the vehicle and presses the key fob. The key broadcasts a completely legitimate and properly encrypted “Signal 1,” carrying the N+1 counter value. Because the vehicle is deafened, it cannot hear this transmission. However, utilizing its advanced digital narrowband filtering capabilities, the attacker’s system effortlessly plucks “Signal 1” from within its own artificial noise and records it flawlessly into memory.
- Second Attempt and Replay: Observing that the vehicle failed to unlock (and typically assuming a weak battery or missed connection), the user instinctively presses the key fob a second time. This time, the key generates “Signal 2,” carrying the N+2 counter—the subsequent stage in the KeeLoq PRNG cycle.
- Bypassing the Receiver and Synchronization Drift: The exact moment the user initiates the second press, the attacker captures “Signal 2” from the air using the narrowband filter and commits it to memory. Synchronously with this capture, the attacker momentarily drops the jamming noise and blasts the previously recorded “Signal 1” (N+1) back to the vehicle at full power.
- Conclusion (Deceiving the User and Stealing the Code): Because the artificial noise floor has vanished, the vehicle clearly hears the attacker’s “Signal 1.” Since “Signal 1” sits exactly one step ahead (N+1) of the N value stored in the vehicle’s memory, it successfully passes the strict KeeLoq cryptographic verification. Operating under the “Open Window” rule, the vehicle unlocks the doors. The user, assuming the vehicle simply responded to their second press, suspects absolutely nothing.
At the end of this sequence the cipher is unbroken, yet the attacker holds a valid “Signal 2” (N+2) that the vehicle has never seen. Because the vehicle accepted Signal 1 and moved its counter to N+1, the stored N+2 is the exact next step of the vehicle’s reference and falls inside the 16-step Open Window. When the attacker replays it later, the decoder will process it as a legitimate request and unlock the doors. The window has a time limit the attacker cannot control, though: the stored code stays valid only until the owner’s next successful press. Once the vehicle hears N+3 from the real fob, its reference moves past N+2 and the stored code drops into the Blocked Window, so an attacker who wants a usable code must repeat the jam-sniff-replay cycle on the owner’s later presses. By weaponizing hardware asymmetry, RollJam defeats the scheme without ever breaking the algorithm.
Laboratory Simulation Research Note
All signal generation, capture, and demodulation processes detailed below were conducted exclusively for educational and security research purposes, within a fully isolated hardware laboratory environment completely shielded from external frequencies.
Simulation of the KeeLoq Algorithm and RollJam Attack in a Laboratory Environment
In the initial phase of this simulation, conducted within an isolated laboratory environment, a Flipper Zero device was utilized to model the behavior of a legitimate transmitter employing the KeeLoq encryption algorithm. A virtual KeeLoq transmitter was created via the Flipper Zero’s “Sub-GHz” module by selecting the “KL: DoorHan” profile, which broadcasts on the industry-standard 433.92 MHz frequency. This virtual transmitter functioned as our reference source, consistently incrementing its synchronization counter according to protocol rules with each trigger and generating valid RF packets encrypted via the KeeLoq algorithm.


To capture and analyze the On-Off Keying (OOK) RF signals emitted by the virtual transmitter, a HackRF One Software-Defined Radio (SDR) was used on the hardware side, paired with the Universal Radio Hacker (URH) tool on the software side. Tuned to a center frequency of 433.92 MHz, the HackRF One converted the over-the-air waveforms into digital I/Q samples. URH then applied OOK demodulation to these raw samples, reducing the amplitude variations to logical “1” and “0” bits at baseband. This demodulation is the first step in working with the encrypted frame at the bit level.

Examining the demodulated bit strings in the URH interface showed the structure of the KeeLoq data packet. Comparing consecutive packets from the Flipper Zero, the Serial Number (UID) and the function bits, which travel in the unencrypted portion of the frame, stayed identical in every transmission. The 32-bit Encrypted Payload, by contrast, took on a completely different bit pattern in every packet because the Sync Counter behind it increments on every trigger. This observation is consistent with the KeeLoq design: the encrypted block is a function of an incrementing counter, while the fixed serial and button bits are sent in the clear.


The target desensitization phase, the most critical step of the RollJam attack, was simulated with a second HackRF fitted with the PortaPack (Mayhem) firmware. Using the PortaPack, broadband jamming was transmitted directly on the 433.92 MHz center frequency monitored by the target receiver. The receiver’s Input Bandpass Filter was thereby exposed to high-energy RF noise, its noise floor rose sharply, and the legitimate Flipper Zero transmissions were buried beneath the artificial noise and could not be detected: a Denial of Service (DoS) condition. This stage modeled the physical-layer step of RollJam, in which the attacker prevents the target from hearing the legitimate transmission while a narrowband receiver can still capture that same signal.


Conclusion
Powered by its sync counter and by encrypting that counter with a block cipher, the KeeLoq scheme defeats plain Replay Attacks: every transmission carries a single-use, unpredictable encrypted block, which removed fixed-code vulnerabilities from the landscape. The RollJam attack does not attempt to breach this cryptographic wall. It is an asymmetric threat aimed at the hardware limitations of the system’s physical layer.
The wideband filter that the receiver is compelled to use in order to tolerate oscillator drift is defenseless against the narrowband signal isolation available to an attacker’s Software-Defined Radio (SDR). By deafening the receiver with artificial noise while plucking the perfectly valid encrypted packet from the air, RollJam manipulates the timing and the window logic of the protocol rather than the cryptography, and so neutralizes the access system entirely at the physical layer.

Rolling code, in short, is a dynamic scheme that prevents replay attacks by changing the transmitted code on every press. RollJam does not crack it; it blinds the target’s wideband receiver with radio noise, captures the owner’s valid codes through a narrowband filter, and replays them, gaining unauthorized access through a non-cryptographic, physical-layer weakness.
References
- Bogdanov, A. (2007). “Attacks on the KeeLoq block cipher and authentication systems”. Conference on RFID Security.
- Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., & Shalmani, M. T. M. (2008). “Physical Cryptanalysis of KeeLoq Code Hopping Applications”. IACR Cryptology ePrint Archive.
- Courtois, N. T., Bard, G. V., & Wagner, D. (2008). “Cryptanalysis of the KeeLoq block cipher”. Information and Communications Security.
- Kamkar, S. (2015). “Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars”. DEF CON 23.
- Bianchi, S., et al. (2023). “Vehicular Roll-Jam Attack Analysis and Enhanced Architectures”. NDSS Symposium.
- Microchip Technology Inc. (2001). “HCS360 KeeLoq Code Hopping Encoder Datasheet” and “HCS512 KeeLoq Code Hopping Decoder Datasheet”.
- Analog Devices. (2009). “I’m OOK. You’re OOK? ASK/OOK Receiver Hardware Architecture”.
- Pohl, M., & Schuba, M. (2018). “Universal Radio Hacker: A Suite for Wireless Protocol Analysis”. USENIX WOOT.
- Republic of Türkiye. (2008). Electronic Communications Law No. 5809. Official Gazette of the Republic of Türkiye.
- Republic of Türkiye. (2024). Cyber Security Law No. 7545 (Relevant articles). Official Gazette of the Republic of Türkiye.
