Inside the car controller

Modern Security

With the remote keyless-entry systems that you find on cars today, security is a big issue. If people could easily open other people's cars in a crowded parking lot at the mall, it would be a real problem. And with the proliferation of radio scanners, you also need to prevent people from "capturing" the code that your transmitter sends. Once they have your code, they can simply re-transmit it to open your car.

The photo below shows you the guts of a typical key-ring controller for a modern car:

You can see that everything has been miniaturized. There is a small chip that creates the code that gets transmitted, and the small silver can (about the size of a split pea) is the transmitter.

The controller chip in any modern controller uses something called a hopping code or a rolling code to provide security. For example, if you read this PDF, it describes a system that uses a 40-bit rolling code. Forty bits provide 2^40 (about 1 trillion) possible codes. Here's how it works:

  • The transmitter's controller chip has a memory location that holds the current 40-bit code. When you push a button on your key fob, it sends that 40-bit code along with a function code that tells the car what you want to do (lock the doors, unlock the doors, open the trunk, etc.).
  • The receiver's controller chip also has a memory location that holds the current 40-bit code. If the receiver gets the 40-bit code it expects, then it performs the requested function. If not, it does nothing.
  • Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random number generator to pick a new code, which it stores in memory. On the other end, when the receiver receives a valid code, it uses the same pseudo-random number generator to pick a new one. In this way, the transmitter and the receiver are synchronized. The receiver only opens the door if it receives the code it expects.
  • If you are a mile away from your car and accidentally push the button on the transmitter, the transmitter and receiver are no longer synchronized. The receiver solves this problem by accepting any of the next 256 possible valid codes in the pseudo-random number sequence. This way, you (or your three-year-old child) could "accidentally" push a button on the transmitter up to 256 times and it would be okay -- the receiver would still accept the transmission and perform the requested function. However, if you accidentally push the button 257 times, the receiver will totally ignore your transmitter. It won't work anymore.

So, what do you do if your three-year-old child DOES desynchronize your transmitter by pushing the button on it 300 times, so that the receiver no longer recognizes it? Most cars give you a way to resynchronize. Here is a typical procedure:

  • Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.
  • Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.
  • Switch the ignition off.
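The synchronization rules above (shared generator, 256-code look-ahead window, replay rejection, resynchronization in programming mode) can be walked through in a small simulation. This is an added example, not code from the article or from any real key fob: a 40-bit linear congruential generator with constructed constants stands in for the unnamed pseudo-random number generator, and the window is taken to cover the currently expected code plus the 255 that follow it.

```python
# Toy rolling-code transmitter/receiver pair (constructed example).
# Assumption: a full-period 40-bit LCG replaces the real PRNG; the
# multiplier/increment below are arbitrary demo constants, not a fob's.
MASK = (1 << 40) - 1
WINDOW = 256  # receiver accepts the expected code or any of the next 255


def next_code(code: int) -> int:
    """Advance the shared 40-bit sequence by one step."""
    return (code * 6364136223846793005 + 1442695040888963407) & MASK


class Transmitter:
    def __init__(self, seed: int):
        self.code = seed & MASK  # current 40-bit code held in fob memory

    def press(self, function: str = "unlock") -> tuple[int, str]:
        """Send (code, function) and step to the next code immediately."""
        sent = (self.code, function)
        self.code = next_code(self.code)
        return sent


class Receiver:
    def __init__(self, seed: int):
        self.code = seed & MASK  # code the car expects to see next

    def receive(self, msg: tuple[int, str]):
        """Return the requested function if the code is within the window.

        A replayed capture is behind the expected code, so it never matches;
        a fob that has stepped ahead by WINDOW or more is also rejected."""
        code, function = msg
        expected = self.code
        for _ in range(WINDOW):
            if code == expected:
                self.code = next_code(expected)  # move past the accepted code
                return function
            expected = next_code(expected)
        return None  # out of window: ignored, fob needs resynchronizing

    def resync(self, fob: Transmitter) -> None:
        """Programming mode: adopt the fob's current code as the expected one."""
        self.code = fob.code
```

Driving it: a captured message is accepted once and then rejected, 256 total presses are still accepted, the 257th is ignored until `resync` is run.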

Given a 40-bit code, four transmitters and up to 256 levels of look-ahead in the pseudo-random number generator to avoid desynchronization, there is a one-in-a-billion chance of your transmitter opening another car's doors. When you take into account the fact that all car manufacturers use different systems and that the newest systems use many more bits, you can see that it is nearly impossible for any given key fob to open any other car door.

You can also see that code capturing will not work with a rolling code transmitter like this. Older garage door transmitters sent the same 8-bit code based on the pattern set on the DIP switches. Someone could capture the code with a radio scanner and easily re-transmit it to open the door. With a rolling code, capturing the transmission is useless. There is no way to predict which random number the transmitter and receiver have chosen to use as the next code, so re-transmitting the captured code has no effect. With trillions of possibilities, there is also no way to scan through all the codes because it would take years to do that.