Introduction
According to Maxim Semiconductor, about 80% of all North American cars have remote keyless entry (RKE) systems.
These include a receiver at 315 MHz +/-2.5 MHz that not only operates the door locks but also has a
connection to the horn and lights.
But today these systems are disabled once the car starts, rather than helping the
driver with road and hazard information.
This work was originally motivated by HR 5734, which we call "The Bell the Hybrid Act," a bill that would mandate passive noise generators; it also addresses parts of S. 694, "The Cameron Gulbransen Kids and Cars Safety Act of 2007," and HR 1216.
NHW11 Key Fob
The 2001-03 NHW11 Prius key fob has a classic design with a small microprocessor, a surface acoustic wave (SAW) oscillator, four switches and glue logic:


Closer examination reveals:
- Labeled IC1: trademark, a circle around "N" (National Semiconductor?); D3761, top identifier; 138E, bottom identifier. It is a surface-mount part with 10 legs on each side and measures .264" (~6.7 mm) along the side.
- The board identifies a SAW filter: 128, top identifier; 01240223, bottom identifier.
- Labeled IC2: "DHB" is a small part with three pins on one side and two on the other.
There are three push-to-make switches on one side, but only two, "Lock" and "Unlock", can be pressed through the flexible, water-tight cover.
The "Panic" button is a membrane switch on the reverse.
There is no known function activated by the third switch, but Michael Knieser
tapped the 300 baud, RS-232-like signal from the "GATEWAY ECU" and detects
the third button's signal.
He is monitoring the decrypted data signal, i.e. after the key fob signal has been identified and decrypted by the vehicle.
The signal has probably been encrypted using some version of the KeeLoq encryption method described
in the various RKE application notes.
One of the best descriptions of KeeLoq encryption comes from "Physical Cryptanalysis of KeeLoq Code Hopping Applications" by Thomas Eisenbarth, Timo Kasper, Amir Moradi, Christof Paar, Mahmoud Salmasizadeh, and Mohammad T. Manzuri Shalmani, Horst Görtz Institute for IT Security, Ruhr University of Bochum, Germany and Department of Computer Engineering and Electronic Research Center, Sharif University of Technology, Tehran, Iran, 02/29/2008.
In simple terms, there are three elements:
- serial number - unique for each key fob and transmitted in the clear
- internal counter - provides the 'seed' for encryption
- manufacturer key - this pairs with the vehicle key needed to encrypt and decrypt the button-push signal
In order to work, each key fob has to be 'taught' to the vehicle, which records the fob's
internal counter.
Each key press encrypts the function and saves the incremented internal counter.
The vehicle tracks these key fob operations so that decryption returns the clear-text
function.
The unique key fob serial number is transmitted in the clear.
By now, newer key fobs are likely to use more sophisticated data encoding and
encryption methods, with vendor-proprietary systems that differ even between models.
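The three elements above (clear-text serial, internal counter, per-fob key derived from a manufacturer key) and the receiver-side bookkeeping that makes a captured frame useless on replay, as an added example that is not code from the page. KeeLoq's own cipher and key derivation are not reproduced here: a four-round Feistel network with an HMAC-SHA256 round function stands in for the 32-bit block cipher, the 16-bit counter / 12-bit discriminator / 4-bit button layout follows the general shape described in the KeeLoq application notes but is this example's assumption, and the button codes, serials and manufacturer key are constructed.

```python
"""Code-hopping RKE model: serial in the clear, encrypted counter, vehicle-side window.
Added example; the Feistel/HMAC cipher is a stand-in for KeeLoq, not KeeLoq itself."""
import hashlib
import hmac

ROUNDS = 4
WINDOW = 16                      # presses a fob may be ahead of the stored counter (example value)
LOCK, UNLOCK, PANIC = 1, 2, 4    # constructed button codes


def derive_fob_key(manufacturer_key: bytes, serial: int) -> bytes:
    """Per-fob key from the manufacturer key and the clear-text serial (stand-in derivation)."""
    return hmac.new(manufacturer_key, serial.to_bytes(4, "big"), hashlib.sha256).digest()


def _round_fn(key: bytes, rnd: int, half: int) -> int:
    tag = hmac.new(key, bytes([rnd]) + half.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big")


def block_encrypt(key: bytes, block: int) -> int:
    """32-bit Feistel encryption: (L, R) -> (R, L xor F(R)) for each round."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 16) | right


def block_decrypt(key: bytes, block: int) -> int:
    """Inverse of block_encrypt: undo the rounds in reverse order."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, rnd, left), left
    return (left << 16) | right


class Fob:
    def __init__(self, serial: int, key: bytes, counter: int = 0):
        self.serial, self.key, self.counter = serial, key, counter

    def press(self, button: int):
        """Each press saves the incremented counter and encrypts counter|discriminator|button.
        Returns the over-the-air frame: serial in the clear plus the hopping code."""
        self.counter = (self.counter + 1) & 0xFFFF
        plain = (self.counter << 16) | ((self.serial & 0xFFF) << 4) | (button & 0xF)
        return self.serial, block_encrypt(self.key, plain)


class Vehicle:
    def __init__(self, manufacturer_key: bytes):
        self.mkey = manufacturer_key
        self.fobs = {}               # serial -> [fob key, last accepted counter]

    def learn(self, serial: int, counter: int):
        """'Teaching' a fob: derive its key from the serial and record its counter."""
        self.fobs[serial] = [derive_fob_key(self.mkey, serial), counter]

    def receive(self, serial: int, hop: int):
        """Return (accepted, reason, button).  A replayed or stale frame decrypts fine
        but its counter is not ahead of the stored one, so it is rejected."""
        entry = self.fobs.get(serial)
        if entry is None:
            return False, "unknown serial", None
        key, last = entry
        plain = block_decrypt(key, hop)
        counter, disc, button = plain >> 16, (plain >> 4) & 0xFFF, plain & 0xF
        if disc != (serial & 0xFFF):
            return False, "discriminator mismatch: wrong key or corrupted frame", None
        ahead = (counter - last) & 0xFFFF
        if ahead == 0 or ahead >= 0x8000:
            return False, "counter not ahead of stored value: replay or stale frame", None
        if ahead > WINDOW:
            return False, "counter outside window: fob must be re-taught", None
        entry[1] = counter
        return True, "accepted", button


if __name__ == "__main__":
    mkey = b"constructed manufacturer key"
    serial = 0x0ABCDEF
    fob, car = Fob(serial, derive_fob_key(mkey, serial)), Vehicle(mkey)
    car.learn(serial, fob.counter)
    frame = fob.press(LOCK)
    print("first press:", car.receive(*frame))
    print("same frame again:", car.receive(*frame))
```

The window check is what gives the scheme its replay resistance: the receiver never compares hopping codes, only the counter recovered from a correctly-decrypting block, so a frame that was valid once is rejected the second time.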
Atmel Blackbird Transceiver
Atmel makes a family of key fob development kits including unidirectional and bi-directional systems.
The ATAB5423-3-WB uses a half-duplex transceiver chip, the ATA5823, configured for 315 MHz +/- 2.5 MHz.
This chip also has a Received Signal Strength Indicator (RSSI) that can be used to detect any key fob, regardless of manufacturer. With receiver sidebands of +/- 75 kHz, that works out to about 34 channels of 150 kHz each. A 13-bit tuning register provides 777 kHz per bit.
The Blackbird uses the ATmega3290/ATmega3290P, an 8-bit RISC processor with expanded I/O interfaces to handle the ATA5823 chip as well as an LCD display and joystick interface.
It comes with the source code, assembly language software and utility software to operate
the board and chip.
Although not designed to reverse engineer key fobs, the basic elements are there, including
test points for RSSI and the demodulator raw output (DEM_OUT):


In RKE applications, typical bit rates range from 1 kHz to 20 kHz for ASK and up to 40 kHz
using frequency shift keying (FSK).
Non-return-to-zero encoding can also be used.
The original demo software provides full-range tuning but only a fixed number of bit-detector
frequencies and decoding options.
Still, using Audacity to capture the RSSI and DEM_OUT, we found the NHW11 key fob frequency and could
see the ASK modulation:


Both NHW11 and NHW20 key fob RSSI signals show the pattern of Manchester encoding.
A stream of all "0"s or all "1"s results in a primary frequency equal to the bit rate.
Alternating "0" and "1" results in a square wave at half the primary frequency.
Manchester encoding, which reads the direction of the transition at the bit sampling time, is self-clocking and
averages to a zero signal level: no bit pattern can bias the mid-point signal level.
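The two waveform properties just described, as an added example (not code from the page or from Atmel): a Manchester encoder and decoder, a check that a run of identical bits produces a square wave at the bit rate while alternating bits produce half that frequency, the zero average level, and a decoder that slices a sampled ASK envelope either side of the mid-bit transition. The bit stream and the oversampled envelope are constructed; the "rising edge means 1" convention is this example's choice.

```python
"""Manchester encode/decode and the waveform properties seen on the NHW11/NHW20 fobs.
Added example; the bit streams below are constructed, not captured from a fob."""

BIT_RATE_HZ = 615.4   # NHW11 bit rate quoted on the page


def manchester_encode(bits):
    """Two half-bit levels per data bit: a 1 is a rising mid-bit edge (0 then 1),
    a 0 is a falling edge (1 then 0).  Which edge means 1 is a convention."""
    return [h for b in bits for h in ((0, 1) if b else (1, 0))]


def manchester_decode(halves):
    """Recover bits from half-bit levels by reading the mid-bit transition.
    A cell with no transition is not valid Manchester, so it is reported as an error."""
    if len(halves) % 2:
        raise ValueError("odd number of half-bit samples")
    bits = []
    for cell, i in enumerate(range(0, len(halves), 2)):
        first, second = halves[i], halves[i + 1]
        if first == second:
            raise ValueError(f"no mid-bit transition in cell {cell}")
        bits.append(1 if (first, second) == (0, 1) else 0)
    return bits


def oversample(halves, factor):
    """Simulate a sampled ASK envelope: hold each half-bit level for `factor` samples."""
    return [lvl for lvl in halves for _ in range(factor)]


def decode_sampled(samples, fs_hz, bit_rate_hz):
    """Slice a sampled envelope into bit cells and sample at 1/4 and 3/4 of each cell,
    i.e. either side of the mid-bit transition, then decode."""
    period = fs_hz / bit_rate_hz
    n_bits = int(len(samples) / period)
    halves = []
    for i in range(n_bits):
        start = i * period
        halves.append(samples[int(start + period / 4)])
        halves.append(samples[int(start + 3 * period / 4)])
    return manchester_decode(halves)


def transitions(levels):
    """Level changes in the waveform, treated as periodic (last level -> first level)."""
    return sum(1 for a, b in zip(levels, levels[1:] + levels[:1]) if a != b)


def fundamental_hz(bits, bit_rate_hz=BIT_RATE_HZ):
    """Dominant square-wave frequency of the encoded stream: two transitions per cycle."""
    levels = manchester_encode(bits)
    duration_s = len(bits) / bit_rate_hz
    return transitions(levels) / 2 / duration_s


def average_level(bits):
    """Mean of the waveform with levels mapped to -1/+1: always 0 for Manchester."""
    levels = manchester_encode(bits)
    return sum(2 * lvl - 1 for lvl in levels) / len(levels)


if __name__ == "__main__":
    stream = [1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1]   # constructed
    print("run of zeros  :", round(fundamental_hz([0] * 8), 1), "Hz")
    print("alternating   :", round(fundamental_hz([0, 1] * 4), 1), "Hz")
    print("average level :", average_level(stream))
    envelope = oversample(manchester_encode(stream), 4)           # 8 samples per bit
    print("decoded       :", decode_sampled(envelope, BIT_RATE_HZ * 8, BIT_RATE_HZ) == stream)
```

Sampling at a quarter and three quarters of the cell rather than at the cell boundary is what makes the decoder tolerant of a slightly wrong bit-rate estimate; the `ValueError` on a missing mid-bit transition is the cheap way to notice that the bit rate or the cell alignment is off.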
By holding a key fob close to the antenna, the signal is strong enough to show a small
jump in the RSSI signal when the receiver is tuned to one of the 10 pre-programmed bands:
- 0 - 0x04d0
- 1 - 0x06f0
- 2 - 0x0907
- 3 - 0x0b27
- 4 - 0x0d40
- 5 - 0x11e0
- 6 - 0x1467
- 7 - 0x16e7
- 8 - 0x1970
- 9 - 0x0f57 (float)
Once the nearest of channels 0-8 is identified, channel 9 is used to probe the nearby frequencies
to find the center between the sideband fall-offs.
NHW11 Key Fob
In the case of the NHW11 key fob:
- Tuning offset: 0x0c4c, 2.446 MHz, very close to the center of the 315 MHz band.
- Data encoding: ASK, Manchester encoding at 615.4 Hz
- Data transmit: 0.480 sec., ~36 bytes
NHW20 Key Fob
We've just started analysis of the NHW20 (silver logo) key fob:
- Tuning offset: 0x0140, 0.248 MHz, very close to the bottom end of the 315 MHz band.
- Data encoding: ASK, Manchester encoding at 713.2 Hz
- Data transmit: 0.540 sec., ~48 bytes
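The coarse-then-fine search described above (tune to each of the nine pre-programmed bands, pick the one with the RSSI jump, then walk channel 9 across nearby register values and take the mid-point between the two sideband fall-offs), plus the arithmetic behind the NHW11 and NHW20 parameters just listed, as an added example that is not the Blackbird demo software. Two assumptions: the register step is taken as 777 Hz per LSB, because 0x0c4c x 777 Hz = 2.446 MHz and 0x0140 x 777 Hz = 0.248 MHz reproduce the offsets quoted for the two fobs; and the RSSI-versus-offset curve is a constructed Lorentzian skirt standing in for a fob held near the antenna, with its half-power points one receiver half-bandwidth (75 kHz) either side of the carrier.

```python
"""Locate a fob's carrier with the ATA5823 tuning register: coarse scan over the
pre-programmed bands, then a fine probe around the best one.  Added example;
the RSSI curve is constructed, and 777 Hz per register LSB is an assumption."""

HZ_PER_LSB = 777                 # assumed step (matches the page's 0x0c4c -> 2.446 MHz)
RX_HALF_BW_HZ = 75_000           # +/-75 kHz receiver sidebands from the page
BANDS = [0x04d0, 0x06f0, 0x0907, 0x0b27, 0x0d40,
         0x11e0, 0x1467, 0x16e7, 0x1970]   # pre-programmed channels 0-8; 9 is the float


def register_to_offset_hz(reg):
    """Offset from the bottom of the tuning range for a register value."""
    return reg * HZ_PER_LSB


def make_rssi_model(true_center_reg, floor=-100.0, peak=40.0):
    """Constructed RSSI curve (dB-like units) for a fob whose carrier sits at
    true_center_reg: Lorentzian skirt, half power exactly RX_HALF_BW_HZ away."""
    centre_hz = register_to_offset_hz(true_center_reg)

    def rssi(reg):
        delta = register_to_offset_hz(reg) - centre_hz
        return floor + peak / (1.0 + (delta / RX_HALF_BW_HZ) ** 2)
    return rssi


def coarse_scan(rssi):
    """Step through bands 0-8.  Returns (band index, register, weakest reading);
    the weakest reading serves as the noise-floor estimate for the fine probe."""
    readings = [rssi(r) for r in BANDS]
    best = max(range(len(BANDS)), key=readings.__getitem__)
    return best, BANDS[best], min(readings)


def fine_probe(rssi, around_reg, span, floor, step=4):
    """Channel-9 style probe: sample +/-span around the coarse band, threshold at
    half the bump above the floor, return the mid-point of the pass-band edges."""
    readings = {r: rssi(r) for r in range(around_reg - span, around_reg + span + 1, step)}
    threshold = floor + (max(readings.values()) - floor) / 2
    passband = [r for r, v in readings.items() if v >= threshold]
    if not passband:
        raise ValueError("no pass-band found: fob too weak or outside the probe span")
    return (passband[0] + passband[-1]) // 2


def locate_fob(rssi):
    """Full procedure: coarse band, then fine probe two band spacings either side
    (the NHW20 sits well below band 0, so one spacing would miss it)."""
    _, band_reg, floor = coarse_scan(rssi)
    span = 2 * (BANDS[1] - BANDS[0])
    return fine_probe(rssi, band_reg, span, floor)


def payload_bytes(bit_rate_hz, duration_s):
    """Whole bytes that fit in a burst at a given Manchester bit rate."""
    return int(bit_rate_hz * duration_s / 8)


if __name__ == "__main__":
    for name, reg, rate, secs in (("NHW11", 0x0c4c, 615.4, 0.480),
                                  ("NHW20", 0x0140, 713.2, 0.540)):
        found = locate_fob(make_rssi_model(reg))
        print(f"{name}: coarse band {coarse_scan(make_rssi_model(reg))[0]}, "
              f"centre 0x{found:04x} = {register_to_offset_hz(found) / 1e6:.3f} MHz, "
              f"~{payload_bytes(rate, secs)} bytes per burst")
```

The byte counts come out at 36 and 48, matching the page's figures, which is a useful sanity check that the bit rate read off the Manchester fundamental and the burst length measured in Audacity are consistent with each other.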
Tacoma Key Fob
Bought by accident, this fob has a remarkably different transmission and encoding pattern.
- Tuning offset: 0x0c80, close to the center of the 315 MHz band.
- Data encoding: ASK, packetized, with sync and Manchester encoding




You can begin to see the plain-text serial number located at the end of each of the
data packets.