How do "keyless entry" systems work on new cars?

sohcrates

Diamond Member
Sep 19, 2000
I have a key fob that opens/locks the doors and trunk of my new car. What frequencies do they work at? I think early on some of them were infrared (which sucked), but they are now radio wave??

Also, is there encryption with the signal, or could anyone with the right equipment simply re-produce that frequency?

I've always wondered this....

Thanks!
 

Mingon

Diamond Member
Apr 2, 2000
I think you'll find that they are radio waves. The encryption system works by changing each time, but as they are both changed together they always match. To unlock the car you would need to scan the frequency and then know what the formula is for changing the code to its next step.
 

dszd0g

Golden Member
Jun 14, 2000
Try doing a Web search. You would find stuff like the following:

http://members.accessus.net/~090/awh/cad96rke.html
Europe keyless frequencies
Anti-Scanning and Anti-Code Grabbing
Code grabbing - cars and garage doors

Some luxury cars sold in the early 90s, like the Mercedes S Class, used infrared keyless entry. There's actually a program for the Palm Pilot (the ones with infrared) that can unlock cars using this technique. That's pretty sad in my opinion.

Basically, from what I've read, newer systems are pretty good. You want to make sure your system employs a good anti-scanning and anti-code grabbing technique.
 

blahblah99

Platinum Member
Oct 10, 2000
Keyless entry uses radio waves with code hopping. Before code hopping was implemented, there used to be thieves with RF snoopers picking up on the signals sent to unlock the car. They would capture that signal and reproduce it and BAM, they're in the car without any break-ins. But with code hopping, it's next to impossible to determine the next security code because it's pseudo-random generated and sent when you lock/unlock the car. The frequency in which they operate, I believe, is in the junk band, 900 MHz or 400's, although I may be wrong.
 

Moohooya

Senior member
Oct 10, 1999
It may be hard to figure out the next code, but what does it take to sync a remote with the car when the battery has been replaced? Could this be done unknowingly to the owner? On my car I thought it was something like 'press the right combination of buttons while the car is unlocked.' Easy enough to do while the owner is exiting the vehicle. Then when they are gone, press the unlock button and voila!
 

HeadshotHarry

Junior Member
Dec 21, 2001
OK, explain this: my Toyota Land Cruiser is brand new and came with two remote keys, and they both work. How does this "Updated signal" get sent to my key sitting at home under my bed?
 

dszd0g

Golden Member
Jun 14, 2000
They use a form of one time keys. I have not been able to find the details on what is used in vehicle keyless entry. They are probably using security through obscurity and not publishing specs on it. If I had to wager the history of companies not familiar with encryption doing encryption, there are probably flaws in the encryption algorithms they use. However, I have not seen information on anyone breaking it.

Most one time key systems keep a real time clock on both the server and client sides. The clocks have to be close to in sync, how close depends on the system. Generally, the key changes once per minute and the server accepts the prior and next key. Once the server gets the key for that minute, it will not work again until the next minute. I do not know how in relation to this, car keyless entry works. However, if I was designing a system that accepts multiple keys the time approach would seem a valid solution.
 

clockhar

Senior member
Dec 29, 2000


<< OK, explain this: my Toyota Land Cruiser is brand new and came with two remote keys, and they both work. How does this "Updated signal" get sent to my key sitting at home under my bed? >>



My guess is that there could be two key combinations accepted at any time. When one is used, the corresponding key entry in the remote is changed. When the other is used, it is changed.
... sounds logical. Whether it is true or not is another story.
 

Moohooya

Senior member
Oct 10, 1999
677
0
0
That is correct. The two remotes each have their own 'next' key. The car will accept either key, and when it receives one of the keys it then bumps onto the next valid key for that remote.

I don't believe there is a clock involved. I decided to open mine up and take a quick look. Very simple. Two ICs. One has only 4 pins and could be the transmitter. A transistor and a dozen or so very small resistors/capacitors. Most of the board is clear. Then the big (well not really) 16 pin IC. I guess this is the one that does the work.

The inside claims I should press lock and unlock for 7 seconds to reset. As I said earlier, I believe this must be done when the car is unlocked in order for the car to accept the reset. However, just come up to a car when the driver is getting out. Sure, it might beep, flash lights etc. when it is reset. So the driver gets confused, checks the doors are locked and leaves. You follow the driver around the corner, come back and unlock. Simple. (Just don't do this to my car!)
 

Peter

Elite Member
Oct 15, 1999
Infrared remotes first popped up in the early eighties - in French cars (I own one of those :)). Three problems with that approach. It doesn't have much range, you have to be very close to the car. With foggy or dirty windows it doesn't work either. And finally, these early things did use a code, but a constant one. You can steal the code with any generic "self learning" programmable TV remote.

Later ones use HF transmitters, with increasingly safer coding. Latest ones use constantly changing codes, both the car and the key know what code to expect from the "right" partner on the next transmission, everything else is ignored. Yes you get two remotes, the car can tell them apart and memorizes where it was with either.

The French are just starting to produce cars that don't have a conventional key and lock at all anymore. Next will possibly be biometrics.

regards, Peter
 

Moohooya

Senior member
Oct 10, 1999
677
0
0
Oh, obvious I hope, but just in case someone was wondering. The car will recognise and accept not just the next key from either remote, but the next several keys. That way if you press a button when not near your car and the remote key gets changed, the car will accept the key, skipping the missing key.
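
The per-remote "next key" tracking and the accept-the-next-several-keys window described in the posts above, as an added example that is not part of the original thread and not any manufacturer's code. HMAC-SHA256 stands in for the unpublished code generator, and the window size, key values and class names are assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how many future codes per remote the car will accept

def code_for(key: bytes, counter: int) -> str:
    """Code a remote sends for press number `counter` (HMAC stand-in)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]

class Fob:
    def __init__(self, fob_id: str, key: bytes):
        self.fob_id, self.key, self.counter = fob_id, key, 0

    def press(self):
        self.counter += 1  # advances even when the car is out of range
        return self.fob_id, code_for(self.key, self.counter)

class Car:
    def __init__(self, fobs):
        # Separate state per remote: its key and the last counter accepted.
        self.state = {f.fob_id: [f.key, 0] for f in fobs}

    def receive(self, fob_id: str, code: str) -> bool:
        if fob_id not in self.state:
            return False
        key, last = self.state[fob_id]
        for c in range(last + 1, last + 1 + WINDOW):
            if hmac.compare_digest(code, code_for(key, c)):
                self.state[fob_id][1] = c  # every code up to c is now spent
                return True
        return False  # replayed, too far ahead, or not from this remote

def demo():
    # Constructed keys, for illustration only.
    a, b = Fob("A", b"constructed-key-A"), Fob("B", b"constructed-key-B")
    car, results = Car([a, b]), {}
    first = a.press()
    results["first"] = car.receive(*first)
    results["replay"] = car.receive(*first)          # captured code re-sent
    for _ in range(5):
        a.press()                                    # pressed away from the car
    results["after_skips"] = car.receive(*a.press())
    results["spare"] = car.receive(*b.press())       # the key left at home
    for _ in range(WINDOW):
        a.press()
    results["beyond_window"] = car.receive(*a.press())
    return results
```

The last case is the one where the remote has drifted past the window and would need the resync procedure discussed earlier in the thread.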
 

thraxes

Golden Member
Nov 4, 2000
Had a rental car this weekend: Renault Laguna (the latest and greatest from France)

No key involved at all... there was a card the size of a PCMCIA card with a few buttons on it but you didn't need them: the car is locked but when you touch the door and have the card with you (in pocket or wherever) it unlocks itself :D Same for locking it, just walk away from the car with the card and as soon as you are 2 m away it locks. Starting the car is also fun: put the card in the illuminated slot in the central console and the whole dashboard lights up like a Christmas tree, press the "Start Engine" button next to the steering wheel and away you go but before you do that a nice female computer voice tells you "All Systems operational"... It's like friggin Star Trek!! Oh yeah the same voice bugs you after 3 minutes of driving to buckle up :p
 

Degenerate

Platinum Member
Dec 17, 2000
About having two keys: what happens if you press only one many times (like use it for a couple of months, 'cause the other is for backup) while the other is at rest?
 

Peter

Elite Member
Oct 15, 1999
thraxes, the Laguna currently is the most advanced one in that regard.

degenerate, that's simple (and answered further above already): The car keeps track of the standings for each of the remote controls separately.
 

Degenerate

Platinum Member
Dec 17, 2000
Arh, thanks. So if you order another remote key, it therefore means that your car has more than a few controllers?
 

Mark R

Diamond Member
Oct 9, 1999
Some systems can be programmed to recognise any controller of the same family.

So, you can simply buy another transmitter off the shelf, put the car into 'program mode', and press the button twice - from two in-sequence codes, the car can work out the remainder of the sequence that that particular controller will use.

This system is more flexible, but generally much less secure than systems that come programmed with a set of accepted controllers from the factory. The sequences have to be simple enough that the whole sequence can be predicted from just two transmitted codes - so anyone who knows the algorithm could easily use a radio 'snooper' device to code a new transmitter.

Some companies program their cars to accept codes from a set of controllers (usually a fairly small number such as 5 or 6). Some of these controllers are supplied with the car, others can be ordered from the manufacturer at a later date, and are coded at the factory from their master list of codes which is cross referenced with the vehicle's chassis number.

The main advantage of this is that, the sequences can be extremely complex - sufficiently complex that even if you knew the algorithm, it would be impractical to predict the next code in the sequence, even if you had 100 or 1000 of the preceding codes - therefore making cloning of controllers impractical.

The other is that the car can never be recoded to work with a transmitter that was not specifically coded to work for that specific car - meaning that if the car is stolen, and you failed to steal the controller, the only way you can get one is direct from the manufacturer.
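
The trade-off in the post above, as an added example that is not part of the original thread: a sequence simple enough for the car to learn from two codes is, for the same reason, predictable to anyone else who sees two codes, while a keyed sequence is not. The additive sequence, the HMAC stand-in and all values are constructed assumptions, not any manufacturer's algorithm.

```python
import hashlib
import hmac

MOD = 2**32

def simple_code(start: int, step: int, n: int) -> int:
    """Toy 'learnable' family: code n is start + n*step (mod 2^32)."""
    return (start + n * step) % MOD

def keyed_code(key: bytes, n: int) -> int:
    """Factory-coded family: code n is a truncated HMAC of the press counter."""
    mac = hmac.new(key, n.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def extrapolate(code1: int, code2: int) -> int:
    """What 'program mode' does with two in-sequence codes: continue the pattern."""
    return (code2 + (code2 - code1)) % MOD

def predictable_from_two(codes) -> bool:
    """True if the third code follows from the first two by extrapolation."""
    return extrapolate(codes[0], codes[1]) == codes[2]

def compare():
    # Constructed values, not taken from any real remote.
    simple = [simple_code(0x1234ABCD, 0x0F1E2D3C, n) for n in range(3)]
    keyed = [keyed_code(b"constructed-factory-key", n) for n in range(3)]
    return predictable_from_two(simple), predictable_from_two(keyed)
```

With the keyed family the car cannot learn a new remote from observed codes either, which is why those controllers have to be coded at the factory.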