Key fob signal analysis, rolling code research, relay attack detection, and immobilizer security testing
NullSec KeyFob provides tools for analyzing the security of automotive keyless entry and immobilizer systems. It supports research into rolling code algorithms, relay attack vectors, and transponder authentication — critical for understanding vehicle access control security.
| Feature | Description |
|---|---|
| Signal Analyzer | Capture and decode key fob RF transmissions (315/433/868 MHz) |
| Rolling Code Analyzer | Analyze KeeLoq, Hitag2, and proprietary rolling code systems |
| Relay Detector | Detect and measure relay/amplification attack viability |
| Transponder Reader | Read and analyze immobilizer transponder data |
| Protocol Decoder | Decode TPMS, RKE, and PKE protocols |
| Vulnerability Scanner | Test for known key fob vulnerabilities |

| System | Protocol | Analysis | Status |
|---|---|---|---|
| KeeLoq | Rolling code | Cryptanalysis | ✅ |
| Hitag2 | Challenge-response | Key recovery | ✅ |
| AUT64 | Transponder | Protocol analysis | ✅ |
| DST40 | Transponder | Known weaknesses | ✅ |
| Megamos | Transponder | Protocol analysis | |
| TPMS | Broadcast | Decode | ✅ |

```bash
# Capture key fob signal
nullsec-keyfob capture --freq 433.92M --sdr hackrf -o keyfob_capture.iq

# Analyze rolling code
nullsec-keyfob analyze --input keyfob_capture.iq --protocol keeloq

# Scan for TPMS signals
nullsec-keyfob tpms --freq 315M --duration 60

# Test relay attack range
nullsec-keyfob relay-test --mode measure --timeout 30
```

| Project | Description |
|---|---|
| nullsec-canbus | CAN bus analysis & fuzzing |
| nullsec-carfuzz | Automotive protocol fuzzer |
| nullsec-sdr | Software-defined radio toolkit |
| nullsec-flipper-suite | Flipper Zero payloads (430+ files) |
| nullsec-linux | Security Linux distro (140+ tools) |
For authorized automotive security research only. Testing keyless entry systems without vehicle owner authorization is illegal.
MIT License — @bad-antics
Part of the NullSec Automotive Security Suite