Using car key fob as generic remote control

[Dannyx]

Good day folks. It's been a while since I've DIY-d anything, so the other day I was thinking if it's possible to use the key fob of my car as a remote for other automation stuff. I have quite a few generic 433Mhz remotes and modules I picked up on Ali for various projects, but instead of having another remote dangling off the key chain, I thought I could use the car's own fob for more than unlocking my car when I'm near it. Say I come home and wish to switch on a light at my front door.

I already tried putting one of my generic receivers in pairing mode and hitting one of the 2 buttons on the car fob and of course it didn't work, despite being the same frequency (433Mhz). As I later learned, there's the matter of fixed vs. rolling codes, so that's not going to work out of the box, at least not with these modules you find all over the web. I know for a fact my fob uses a PCF7946, but there's little info on it and how it operates. The only thing I require is some device to pick up the signal from the fob and turn on a pair of relays: one for the "unlock" button, one for the "lock" button. Sounds simple. I found some devices which claim to be able to receive "rolling codes" for garage door openers, but I'm not sure those would work either and my skills in RF stuff are a bit lacking. Any suggestions ? Thanks.

[eccerr0r]

probably not much in the RF you need to do, basically you'll be pulling off the shelf items. The single code non-rolling simple fobs are probably easy to decode and use the buttons, just listen for the same code sequence again and again...hence it's vulnerable to replay attacks. Need rolling code to thwart the replay attacks.

[Dannyx]

Forgot to link to some of the stuff I mentioned that claims to read rolling codes, so here it is...

[eccerr0r]

If you get a receiver that knows about your transmitter from the get go, then things are easy once again... I'm sure there are probably multiple distinct examples out there and they're pretty much clones of these so perhaps things would be easier to deal with in this case, but if you have a one off transmitter, it would be quite a challenge to use these.

[Dannyx]

After doing some more reading, I learned (or rather inferred) some more about this particular PCF chip, despite the info being very scarce. It's quite complex. Inside the key fob, the chip isn't actually transmitting anything itself (i.e. it doesn't drive the antenna directly): instead, it "hands off" whatever data needs transmitting to a dedicated transmitter chip, which is what actually does the transmitting.

The PCF chip also handles the immobilizer part, which prevents the car from starting if the key is turned in the barrel, but the fob is not actually IN the barrel. I actually confirmed this myself a while back when I replaced the shell of my fob and tried giving it a turn without the board in the shell: the engine started for a second, but it immediately turned off. I don't care about that part at all and I probably don't care about the encrypted part of the 433Mhz message either - all I want is to pick up the "payload" (?) and work out what button was pushed.

I found something HERE, but again, I'm not sure if it'd work with my particular fob. I need to get myself a receiver and actually try it. I imagine it should pick up SOMETHING at least (it IS 433Mhz after all), even if the info would be encrypted/incomplete. It's not an issue, because as the guy said in the end of his article, we don't care about that data anyway because we don't want to interact with the car itself...

[stj]

your wrong,
the "remote" and immobiliser are seperate.
the immobiliser is an RFID chip encased in epoxy that can be removed from the key and does not require a battery.

i experimented with them a while back to see if i could jam them from a reasonable distance

[Dannyx]

Ok, good to know - that's why I said "inferred" . What threw me off is the antenna coil in the datasheet for the PCF chip, connected to the "IN" pins on the left - apparently those receive something back from the car ? I thought those represented the NFC antenna for the immobilizer...or something.

Is the immobilizer the little coil here ? That's the board the fob for my Renault uses, by the way.

[stj]

the immobilizer looks like a little black wedge - it's not on the pcb

[Dannyx]

Then I think it's THIS. I ran across them when I searching for stuff for this project, but couldn't tell what it is and where it's located. I guess it's in the car then, since it's not in the fob...

[petehall347]

Quote:

Originally Posted by Dannyx

Then I think it's THIS. I ran across them when I searching for stuff for this project, but couldn't tell what it is and where it's located. I guess it's in the car then, since it's not in the fob...

one goes in the key .

[Dannyx]

Ok, I just had a go with these RXB6 modules and I get absolutely nothing out of them. The program the chap shows in his article uploaded fine, but I get no data in the serial monitor at all. I tried both my car fob which I'm most interested in and also a generic 433Mhz remote. I was expecting to see at least some garbage in the serial monitor. It could be any number of things: either the remotes don't match this module at all, or the code doesn't pick them up. It's worth noting my board is a Mega, unlike the Uno used in the article, so perhaps something else doesn't match.

I'll try some other resources to see if I get this module to pick up ANYTHING for a proof of concept test...

[stj]

it's in the fob, it interacts with a coil around the ignition barrel.

[Dannyx]

There isn't anything else on the PCB, as you can see in the pic I showed (the other side only has the battery), hence why I think the PCF chip in the fob handles the immobilizer too...

That's not important anyway. I just ordered some 433Mhz receiver boards and will try this project. Obviously the fob will be different, but it should give me something I can work with...

[NiHaoMike]

Rather than trying to defeat the security of the key, what about install a transmitter in the car connected to the door locks? Lock your car when it's near your house and it turns on the lights if it's dark.

[stj]

Quote:

Originally Posted by NiHaoMike

Rather than trying to defeat the security of the key, what about install a transmitter in the car connected to the door locks? Lock your car when it's near your house and it turns on the lights if it's dark.

if you read the first post,
it's not about the car, he wants to re-use the keyfob for other things.

[Dannyx]

Quote:

Originally Posted by stj

if you read the first post,
it's not about the car, he wants to re-use the keyfob for other things.

Correct.

[NiHaoMike]

Quote:

Originally Posted by stj

if you read the first post,
it's not about the car, he wants to re-use the keyfob for other things.

The problem is getting a receiver to interpret the encrypted communications, so the simplest solution would be to make use of the receiver in the car that's already set up for that purpose.

Using an Arduino compatible microcontroller and some sort of transmitter module, it would be quite easy for it to send packets when the doors are locked/unlocked, when a door is opened/closed, and when the car is started/stopped (to name a few events) just by connecting the GPIOs using voltage dividers to divide down the 12V to the 5V or 3.3V the Arduino uses.

[Dannyx]

Quote:

Originally Posted by NiHaoMike

The problem is getting a receiver to interpret the encrypted communications, so the simplest solution would be to make use of the receiver in the car that's already set up for that purpose.

Using an Arduino compatible microcontroller and some sort of transmitter module, it would be quite easy for it to send packets when the doors are locked/unlocked, when a door is opened/closed, and when the car is started/stopped (to name a few events) just by connecting the GPIOs using voltage dividers to divide down the 12V to the 5V or 3.3V the Arduino uses.

Again, it's not about using the car as a receiver, since it's too far from anything (I live in in an apartment complex, so it's down in the parking lot) - it's about using the car's fob as a remote for stuff around the house.

Anyway, I don't even know where the receiver for the fob is located in the car and it's most likely potted in epoxy anyway. I'm not going to fiddle with that. Think I'll just stick with an additional remote on the keychain after all. This PCF chip seems to be quite tricky to crack.

[redwire]

Check the RXB6 pinout, it has an enable pin 6 which floats high to enable data, not power save.
Some of those 433MHz RX modules have extremely weak data output 10uA (!) so a low value pullup or LED there will prevent any signal from being seen.
The SYN470R/SYN480R IC is totally gutless for output and try shut off the Arduino internal pullup resistor, no pullups anywhere and see if you get data.
There is always RX noise blips to be seen.

To troubleshoot- I took a CMOS inverter CD4049 etc. and connected it to the 433MHz RX module's output, as a buffer to then drive other gates for an LED and a speaker, and Arduino.
You can listen for what the module is picking up, beeps and boops or noise.