Help! Lost 433 MHz Passive Car Key indoors.

Thread Starter

Franko99

Joined Apr 28, 2018
2
Somewhere in my house lies a 433 MHz passive entry car key. What I would like to do is build or buy some sort of electronic detector tuned to help me home in on it.
Can anyone help or advise please?
Many thanks,
Franko
 

Reloadron

Joined Jan 15, 2015
7,515
Here is the problem:
Passive Keyless Entry (PKE)
The PKE key fob and the vehicle module both contain transceivers that communicate wirelessly to detect each other. The module in the vehicle continually sends out encoded messages; when the key fob is in range it responds. If the encrypted messages are correct, they identify the vehicle and key fob to each other and the door opens. Current PKE systems often use rolling codes to ensure that a fresh code is supplied each time, preventing the possibility of a replay attack.
Now, with the above in mind: short of literally removing the transceiver from the vehicle and dragging it around the house till you get in range of the key fob, there is no easy way around this. The problem is also compounded by the rolling code feature.

The question then becomes: how can I build a device or transceiver, or is there a "hack"? Your best bet may be an automotive forum, many of which cover things like lost PKE Key Fobs and locating them.

Ron
 

Thread Starter

Franko99

Joined Apr 28, 2018
2
Thanks for your advice and explanation Ron.
What you say now allows me to appreciate the extent of my problem.
The ‘rolling code feature’ would seem to be the blocker in my case.
I will have a search in automobile forums as you suggest, but after two days searching, though, I think I may have to bite the bullet and pay an exorbitant price for a dealer to programme a new key.
Thanks for your sound advice which is much appreciated.
Franko.
 

Hymie

Joined Mar 30, 2018
1,282
I’ve always wondered how these rolling code fobs work when you have more than one key fob for the vehicle – how does the fob that has been sitting in your wife’s handbag for over a week know what the current code is?
 

nsaspook

Joined Aug 27, 2009
13,260
Both the fob and car have 'wheels' filled with secret numbers that spin in synchronization (from the pairing sequence) but may be out of synchronization (a window) by a few number slots over time until they communicate, agree on the code and synchronize again.

The fob(s) in the purse keep spinning (between sleeping to save energy) in sequence, so when it transmits the code to the car the numbers 'match' in the designed window of slots in the sequence.

If a person recorded the fob sequence and then played it back later, the results would be much like this.
[Image: Wheel of Fortune wheel]
Totally out of sequence and out of the number slot window tolerance.
 
> Both the fob and car have 'wheels' filled with secret numbers that spin in synchronization (from the pairing sequence) but may be out of synchronization (a window) by a few number slots over time until they communicate, agree on the code and synchronize again.
>
> The fob(s) in the purse keep spinning (between sleeping to save energy) in sequence, so when it transmits the code to the car the numbers 'match' in the designed window of slots in the sequence.
>
> If a person recorded the fob sequence and then played it back later, the results would be much like this.
> [Image attachment]
> Totally out of sequence and out of the number slot window tolerance.

...and if one knocks out the receiver and records the fob, they will have valid unused codes... the user presses twice because the first time didn't unlock the door. The invader sends the first code to unlock the door, pacifying the user, and keeps the second valid code to gain entry later... now that is about 10 years old and has been written and programmed about extensively... please tell me that it does not work that way any more.

Also, I thought (and I really don't keep up on these things) that in PKE the car wakes up the fob on a different frequency (that's why the user does not need to press a button sometimes... just pull on the door handle, for example, which the transceiver in the car recognizes and sends a wake up to the fob and starts negotiating). The fob once awake sends an ID at 433 in the OP's case. If that is true, one could conceivably construct a fob finder by sending out the wake up frequency and listening for a 433 burst. No?
 

nsaspook

Joined Aug 27, 2009
13,260
That was the old "Rolljam" attack crack. If you include an incremental counter in the key fob coded transmission, then additional transmissions with the old incremental count are invalid at the receiver. This can be broken too, as keyless entry one-way systems with limited code space and keys will likely remain vulnerable. Two-way communications can offer much better security.
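
The counter-and-window check discussed in the replies above, as an added example that is not part of the original thread and not any manufacturer's algorithm: a simplified car-side receiver that keeps one counter per paired fob, so an idle second fob still works while stale or replayed frames are refused. The HMAC framing, the 16-step window, and all names and keys are assumptions constructed for illustration.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead tolerance, in counter steps

def make_code(key: bytes, fob_id: int, counter: int) -> bytes:
    """Fob side: frame = fob id | counter | truncated HMAC tag."""
    header = fob_id.to_bytes(2, "big") + counter.to_bytes(4, "big")
    return header + hmac.new(key, header, hashlib.sha256).digest()[:8]

class Receiver:
    """Car side: one key and one last-accepted counter per paired fob."""
    def __init__(self):
        self.fobs = {}  # fob_id -> [key, last accepted counter]

    def pair(self, fob_id: int, key: bytes, counter: int = 0) -> None:
        self.fobs[fob_id] = [key, counter]

    def accept(self, frame: bytes) -> bool:
        entry = self.fobs.get(int.from_bytes(frame[:2], "big"))
        if len(frame) != 14 or entry is None:
            return False  # malformed frame or unknown fob
        key, last = entry
        expected = hmac.new(key, frame[:6], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, frame[6:]):
            return False  # forged or corrupted frame
        counter = int.from_bytes(frame[2:6], "big")
        if not last < counter <= last + WINDOW:
            return False  # replayed/stale, or too far ahead to trust
        entry[1] = counter  # resynchronize to the fob's position
        return True

def demo() -> dict:
    k1, k2 = b"constructed-key-fob-1", b"constructed-key-fob-2"  # sample keys
    car = Receiver()
    car.pair(1, k1)
    car.pair(2, k2)
    first, second = make_code(k1, 1, 1), make_code(k1, 1, 2)
    return {
        "fresh": car.accept(second),         # counter 2: accepted, car resyncs
        "older_capture": car.accept(first),  # counter 1 is now behind the car
        "replay": car.accept(second),        # same frame sent a second time
        "skipped_presses": car.accept(make_code(k1, 1, 10)),  # inside window
        "idle_second_fob": car.accept(make_code(k2, 2, 1)),   # its own counter
        "beyond_window": car.accept(make_code(k1, 1, 10 + WINDOW + 1)),
    }
```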
 