So this talk is going to be my story about how I started with the YARD Stick One. It's going to be mostly a beginner's guide, and I'm hoping it can help you guys a little bit, although that might be hard without a projector. I'm 18 years old, right out of high school. I pretty much knew nothing about the YARD Stick One when I started, nothing about cars, nothing about key fobs, nothing. So my goal was to find a summer job. I ended up working with CanBusHack. It was founded in 2010. They work with OEM suppliers and aftermarket companies, and they reverse engineer and analyze vehicle systems. It was founded by Robert Leale, based in Detroit. If you're interested, you can go to their website, www.canbushack.com, and they're basically leading the Car Hacking Village right now.

So to start talking about the YARD Stick One and RF, you have to know about remote keyless entry systems. Basically, your key fob works by transmitting an RF code, normally encrypted, and it normally uses rolling code, to the car, and if the car agrees with what it receives, then it's going to work. Otherwise, it's not going to work, obviously.

And you have to know a little bit about RF too. A lot of the time it's just simple. There are different types of modulation you have to know about. The simplest is probably OOK. It's just on-off keying, where basically it's binary: a high pulse represents a one, a low represents a zero, and you can use that to convert it to hex. You can view it with RfCat and the YARD Stick.

More tools you'll need: you'll need Python and Linux, basically because RfCat only supports Python scripting and it only runs in a Linux environment. So they're both pretty simple to learn, actually. I didn't know anything about them when I started, and now I do.

Hardware: you're obviously going to need a computer, a car and key fob, and then it really helps if you have a software-defined radio, or SDR, but that's not necessary.
You can do it without one, and then a YARD Stick One or some other RfCat-supported dongle, probably. Yeah, cat, no cat. Sorry, tango T. All right, and then for software, you're going to need Linux to be running on your computer. I used Gqrx for my software-defined radio, although you can use whatever you prefer. I used Audacity for wave files, viewing them, and then obviously RfCat for the YARD Stick. And for RfCat, it really helps if you also have IPython installed on your computer. It allows for tab completion and just other useful functions.

So starting off with the hardware, the RTL-SDR: it's cheap. You can probably get a dongle for, I think, $20 on Amazon, and all it really does is receive RF signals. It's that simple. You want to be using it with Gqrx, which is your software that converts the RF signals to something that you can view, basically. So I have a picture of it here on the slide. Obviously, there's no projector here, but you'll be able to see all of this on the Car Hacking Village website, including the code I have. Basically, it's the other half of the software-defined radio. So it allows you to demodulate with AM, FM, all that fun stuff. Modulation, sorry. And what you really want it for is it can save whatever you're receiving as a wave file, which you can then open in Audacity, and that's why you want Audacity, for viewing wave files. When you look at it, it'll be just like a basic wave function type thing. And what you want to use Audacity for is finding the baud rate, normally. That's what I do. And also, it helps when you're looking at what modulation's being used. And it's also helpful once you actually have your RfCat.
Yeah, sorry, YARD Stick One working. It's also useful for comparing the signals that you're transmitting to the signals that you're receiving and making sure that everything's working the way you want it to, all that stuff.

YARD Stick One: it can receive signals. It can act as kind of an SDR in that respect, but it's really useful for transmitting your signals, and that's what I used it for. I've been using it to jam signals from the key fob and to emulate the signals, basically a rolljam attack, which is what I'm gonna kind of go over here.

So RfCat is basically to the YARD Stick One what Gqrx is to the SDR. It's the software that makes the hardware work. IPython really helps. You can't do tab completion without it. It's a ton of other features. It just adds basically a Python scripting environment.

What I did: my script actually only works on my car. I probably could have done more if I had more time with it, but right now it only works on the '02 Chevy Impala. Basically, my key fob has pulse width modulation, which is a special type of on-off keying where you get a one with one one zero transmitted and a zero with one zero zero transmitted. So it's basically the same, it's just a little different, and you have to take that into account when you're writing your Python script. Half of my signal is KeeLoq encrypted, and then half of that signal is rolling code. The other half is just static: the serial number, what button you press, voltage monitor, all that fun stuff.

And all that, I guess, getting started actually hacking the key fob. So what you first want to do, you want to find your FCC ID on the key fob. It should be there somewhere. If it's not, you can find it online, but the FCC requires all of the key fobs that can be sold to be registered, and basically you can just type fccid.io forward slash the FCC ID, and you can find everything you need there.
Normally you have the frequency that it transmits at. Sometimes you can find the type of modulation that's being used. Baud rate is occasionally there. I found the schematic for my key fob, which was really helpful, actually, because that allowed me to find the documentation for the chip, and that was really helpful, actually, in figuring out what the code was supposed to be saying.

So the easy part is using the SDR. All you have to do: you set that up in Gqrx, find the right frequency, hit record. Actually, first choose which file you want to record to, then hit record, and it'll save it for you as a wave file. Sorry, I also set it to AM demodulation, and then record the wave file. Then you want to open that wave file that you just recorded up in Audacity. Mine was pulse width modulation, so it would look a little different from on-off keying or any of the other modulation types, but basically what you want to do is you find the baud rate, which is going to be the amount of bits per second. And you can do that: Audacity has a little timer thing, and you can measure from where one bit starts to the next. It's just either the blip, the one or the zero, on or off. And you can use that to find out your baud rate, which you'll need for your YARD Stick One once you start on RfCat.

So the YARD Stick One is where it gets a little bit more difficult. You have to set everything up: all your settings, your baud rate, your frequency, the type of demodulation you want to be using, all that fun stuff. You have to set that up before you can even receive the signal. It runs with Python scripts, so you can import your Python scripts, which is really helpful later on once you actually start doing replay attacks and rolljam attacks. And it's just, the hardest part really is RfCat, because there's no documentation for it. So you kind of have to work your way through it if you're interested in doing something with it.
You have to go through the source code, figure out what it's trying to say and then how you want to do it.

But I guess I should probably start with the first attack that I did. It was just a really easy signal replication attack. Basically, take your key fob out of range of the car so the car won't be able to receive the signal and jump the counter on the rolling code, and you can use RfCat to record that signal. I could show you, but no projector, sorry. You can come talk to me after, too, if you want. I can try and show you. But you can record the signal that's transmitted and basically just transmit it right back out. So that's the easiest way to do it.

A more complicated attack is the rolljam attack. So the concept here is, when whoever you're attacking presses the button on their key fob, you jam that and steal the code from it, and then they're confused: why didn't my car unlock, all that stuff. So they press the button again, and this time you transmit the first code you received and take the second code. So now their car's unlocked and you have the next code in the rolling code counter. So then obviously you can just unlock their car with the press of a button.

And the hardest part of this part was actually the timing, because of the way RfCat receives packets. It receives an entire packet and then it can transmit. It can't be in receive and transmit mode simultaneously. It can only be in one. So you either have to receive the entire packet and then try to transmit your jamming signal before it reaches the car, which is just about impossible, or you have to modify RfCat a little bit to get it to record only part of the code, or however you find that it works with your key fob. The way I did it with my key fob: the first part of the code that's transmitted is actually the rolling code, so I was able to cut it off there and just grab that rolling code and add the static code on the end. And there's a CRC, obviously, checking
just to make sure that all of the code's right. But what I found with my key fob is that it only has four possible CRC values, so I could just kind of throw them on to the end and throw the code out there, and one of those was gonna work. So that was basically my rolljam attack. Better if I could showcase it.

Yes. No, I was not recompiling the source code. There's a function, or not a function, a feature of RfCat that lets you choose the length that you want your packet to be, and that way I was able to just say, hey, take half of this packet. So I know how long the packet is, it's gonna be the same length every time, take half of it, the first half, and then ignore the second half, just start jamming.

Yeah, there's a very large number of functions, so you can do pretty much anything.

Basically, since I can't show you guys anything on the slide, this is the end of my presentation. I am gonna give some credit where credit's due: the Hak5 team on YouTube helped me out a ton with their introductory videos on the YARD Stick One. Michael Ossmann obviously made the YARD Stick One; it wouldn't be possible without him. atlas0fd00m for RfCat. Samy Kamkar, who actually, I believe, was at DEF CON a couple of years ago and did a talk on this exact same idea. He didn't do it with the YARD Stick One, he had his own device that he made, but the rolljam attack was all his idea. Andrew MacPherson, I got some code ideas from him; I believe he has a blog, AndrewMohawk. And then obviously Robert Leale for hiring me for the summer, making me work.

So if you guys want to know any more, I can try and help you out. Take a look at what I have if you want. Yeah, we've got a couple minutes in here. I can do it right. Yeah, it looks fine. And otherwise we can probably go back to the Car Hacking Village and set up somewhere. That's it for my presentation.