
Steal That Car in 60 Seconds

In this article we will learn how to Steal That Car in 60 Seconds.

Introduction:

Cars are everywhere and are being upgraded with new technology as often as any other device we use. With a bit of inspiration from the movie Knight and Day, let’s talk about how to communicate with the remote device used to open and start a newer car.


While cars still use ordinary manual keys, more and more people are using a smart key, and the smart key has a problem.

Car Remote, Picture 1
Car Remote Breakdown(Chip SMC918-4), Picture 2

For this problem we will discuss how we can capture the data supplied from the car remote control and use it to open the car. We can achieve this with some cheap hardware.


  1. Receive the data

For the attack, there is some hardware used to receive the signal and software used to analyze the signal sent by the car’s remote control. Here we use DVB hardware with an Elonics E4000 chip and use the SDRsharp application to see its spectrum.

DVB with chip Elonics E4000 , Picture 3

After we prepared the hardware and the software kit with SDRsharp installed, we found that the datasheet for the chip in the car remote is hard to find on the internet. As a workaround, I tried to find the signal transmitted by the remote control to the car manually, using the spectrum.

SDRsharp spectrum (Push Lock Button) , Picture 4

The image above shows the spectrum form when I pressed the lock button on the car remote.

SDRsharp spectrum (Push Unlock Button) , Picture 5

The image above is the spectrum image when I pressed the unlock button on the car remote.

The two images above show different spectra. This is because when the lock button is pressed, the remote sends a signal at a frequency of 415.098.612 kHz or 415.098612 MHz. When the unlock button is pressed, the remote control sends a signal at a frequency of 415.094.805 kHz or 415.094805 MHz. The raw data that is sent looks roughly as shown below.

Raw Data Transmit, Picture 6
Illustration Receive Data , Picture 7
  1. Sending data remotely to the car to unlock, lock, etc
  2. The car responds and follows commands from the remote control to unlock, lock, etc.
  3. DVB captures the data sent by the remote control to the car.

Note: If anyone wants to try decoding the transmitted data, they can download their audio wave here:


  2. Sending fake data (idea)

After obtaining the data that is sent from the car remote control, we thought of creating a device that would send that data. Our problem is that it is hard to find a chip that works at the frequencies this remote control uses.

What is needed: components or equipment to generate a carrier signal at the frequency used by the remote control (410-433 MHz), and documentation on how to encode/decode the data.

Illustration Sending Fake Data , Picture 7
  1. Sending data remotely to the car to unlock, lock, etc.
  2. The car responds and follows commands from the remote control to unlock, lock, etc.
  3. DVB captures the raw data sent by the remote control to the car.
  4. DVB sends fake data to the car.
  5. The car responds and follows DVB commands to unlock, lock, etc.


The conclusion from the above explanation is that data sent over radio frequencies can be intercepted and translated using inexpensive hardware. If we also have experience with microcontrollers, we can easily design and duplicate the remote control.
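
The conclusion above, seen from the receiver's side, as an added example that is not part of the original article: a receiver that accepts a fixed code accepts the same captured frame again, while one that checks a counter and a MAC rejects the repeat. The article does not say which scheme this remote uses; the frame layout, key, window size and all names here are constructed assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared secret (assumption)
UNLOCK, LOCK = 0x01, 0x02      # constructed command codes (assumption)
WINDOW = 16                    # how far ahead of the last counter is accepted

class FixedCodeReceiver:
    """Accepts any frame equal to the stored code, so a captured frame stays valid."""
    def __init__(self, code: bytes):
        self.code = code
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

def make_frame(counter: int, command: int, key: bytes = KEY) -> bytes:
    """Remote side: 4-byte counter | 1-byte command | 8-byte truncated HMAC-SHA256."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag

class RollingCodeReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = 0
    def accept(self, frame: bytes):
        if len(frame) != 13:
            return None  # malformed frame
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None  # modified or forged frame
        counter, command = struct.unpack(">IB", body)
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return None  # already-seen counter (replay) or too far ahead
        self.last_counter = counter
        return command

def demo():
    fixed = FixedCodeReceiver(b"\xa5\x5a\x01")
    captured = b"\xa5\x5a\x01"  # constructed: identical bytes on every press
    fixed_results = (fixed.accept(captured), fixed.accept(captured))
    rolling = RollingCodeReceiver()
    frame = make_frame(1, UNLOCK)
    rolling_results = (rolling.accept(frame), rolling.accept(frame))
    return fixed_results, rolling_results
```

`demo()` returns the verdicts for the same frame presented twice to each receiver: the fixed-code receiver accepts both times, the counter-checking receiver accepts only the first.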
