Introduction to How Remote Entry Works

If you have one of those "remote entry" devices for your car on your keychain, then most likely there have been two questions floating in the back of your head since you first used it:

  • What the heck does this thing do when I push the buttons? How does it unlock the door from 20 feet away?
  • How secure is it? Can I open someone else's car with it, or can other people get into my car with theirs?

In this article, you'll learn exactly how one of these little devices lets you get in and out of your vehicle securely -- the hopping codes used in modern remote-entry systems are extremely sophisticated!

The Basics

The two most common remote keyless-entry devices are:

Some home security systems also have remote controls, but these are not so common.

The fob that you carry on your keychain or use to open the garage door is actually a small radio transmitter. When you push a button on the fob, you turn on the transmitter and it sends a code to the receiver (either in the car or in the garage). Inside the car or garage is a radio receiver tuned to the frequency that the transmitter is using (300 or 400 MHz is typical for modern systems). The transmitter is similar to the one in a radio-controlled toy. See How Radio Works for details on radio waves and radio transmitters.

Dip switches

In the very early days of garage door openers, around the 1950s, the transmitters were extremely simple. They sent out a single signal, and the garage door opener responded by opening or closing. As garage door openers became common, the simplicity of this system created a big problem -- anyone could drive down the street with a transmitter and open any garage door! They all used the same frequency and there was no security.

By the 1970s, garage door openers had gotten slightly more sophisticated. You can see this level of sophistication in the photos below. The first shows a controller chip (black) and a DIP switch (blue). A DIP switch has eight tiny switches arranged in a small package and soldered to the circuit board. By setting the DIP switches inside the transmitter, you controlled the code that the transmitter sent. The garage door would only open if the receiver's DIP switch were set to the same pattern. This provided some level of security, but not much. Eight DIP switches provide only 256 possible combinations. That's enough to keep several neighbors from opening each other's doors, but not enough to provide any real security.

The transmitter

The transmitters in these circa-1970 garage door openers were also very simple:

As you can see, the transmitter consisted of two transistors and a couple of resistors, and not much else. A two-transistor transmitter like this, powered by a 9-volt battery, is as simple as a radio transmitter gets. It's the same transmitter that you find in a $10 pair of low-power walkie-talkies.

Remote-entry transmitters have gotten a lot more sophisticated since then. Let's take a look at a modern setup.

Inside the car controller

Modern Security

With the remote keyless-entry systems that you find on cars today, security is a big issue. If people could easily open other people's cars in a crowded parking lot at the mall, it would be a real problem. And with the proliferation of radio scanners, you also need to prevent people from "capturing" the code that your transmitter sends. Once they have your code, they can simply re-transmit it to open your car.

The photo below shows you the guts of a typical key-ring controller for a modern car:

You can see that everything has been miniaturized. There is a small chip that creates the code that gets transmitted, and the small silver can (about the size of a split pea) is the transmitter.

The controller chip in any modern controller uses something called a hopping code or a rolling code to provide security. For example, if you read this PDF, it describes a system that uses a 40-bit rolling code. Forty bits provide 2^40 (about 1 trillion) possible codes. Here's how it works:

  • The transmitter's controller chip has a memory location that holds the current 40-bit code. When you push a button on your key fob, it sends that 40-bit code along with a function code that tells the car what you want to do (lock the doors, unlock the doors, open the trunk, etc.).
  • The receiver's controller chip also has a memory location that holds the current 40-bit code. If the receiver gets the 40-bit code it expects, then it performs the requested function. If not, it does nothing.
  • Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random number generator to pick a new code, which it stores in memory. On the other end, when the receiver receives a valid code, it uses the same pseudo-random number generator to pick a new one. In this way, the transmitter and the receiver are synchronized. The receiver only opens the door if it receives the code it expects.
  • If you are a mile away from your car and accidentally push the button on the transmitter, the transmitter and receiver are no longer synchronized. The receiver solves this problem by accepting any of the next 256 possible valid codes in the pseudo-random number sequence. This way, you (or your three-year-old child) could "accidentally" push a button on the transmitter up to 256 times and it would be okay -- the receiver would still accept the transmission and perform the requested function. However, if you accidentally push the button 257 times, the receiver will totally ignore your transmitter. It won't work anymore.

So, what do you do if your three-year-old child DOES desynchronize your transmitter by pushing the button on it 300 times, so that the receiver no longer recognizes it? Most cars give you a way to resynchronize. Here is a typical procedure:

  • Turn the ignition key on and off eight times in less than 10 seconds. This tells the security system in the car to switch over to programming mode.
  • Press a button on all of the transmitters you want the car to recognize. Most cars allow at least four transmitters.
  • Switch the ignition off.

Given a 40-bit code, four transmitters and up to 256 levels of look-ahead in the pseudo-random number generator to avoid desynchronization, there is a one-in-a-billion chance of your transmitter opening another car's doors. When you take into account the fact that all car manufacturers use different systems and that the newest systems use many more bits, you can see that it is nearly impossible for any given key fob to open any other car door.

You can also see that code capturing will not work with a rolling code transmitter like this. Older garage door transmitters sent the same 8-bit code based on the pattern set on the DIP switches. Someone could capture the code with a radio scanner and easily re-transmit it to open the door. With a rolling code, capturing the transmission is useless. There is no way to predict which random number the transmitter and receiver have chosen to use as the next code, so re-transmitting the captured code has no effect. With trillions of possibilities, there is also no way to scan through all the codes because it would take years to do that.
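
The rolling-code steps listed earlier, and the reason a captured code does nothing when it is sent again, can be seen in a short simulation. This is an added example, not code from the article or from any manufacturer: the HMAC-based generator, the key and seed, and the names Fob, Receiver, next_code and demo are assumptions for illustration, and the look-ahead is read as the expected code plus the 256 codes after it.

```python
import hashlib
import hmac

WINDOW = 256  # look-ahead from the article

def next_code(key: bytes, code: int) -> int:
    """Stand-in PRNG step (assumption): HMAC of the current code, cut to 40 bits."""
    digest = hmac.new(key, code.to_bytes(5, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:5], "big")

class Fob:
    def __init__(self, key: bytes, seed: int):
        self.key, self.code = key, seed

    def press(self, function: str = "unlock"):
        message = (self.code, function)
        self.code = next_code(self.key, self.code)  # hop after every press
        return message

class Receiver:
    def __init__(self, key: bytes, seed: int):
        self.key, self.expected = key, seed

    def receive(self, message):
        code, function = message
        candidate = self.expected
        # Check the expected code and the 256 codes after it.
        for _ in range(WINDOW + 1):
            if candidate == code:
                self.expected = next_code(self.key, candidate)  # resynchronize
                return function
            candidate = next_code(self.key, candidate)
        return None  # unknown, stale, or too far ahead: do nothing

def demo():
    key, seed = b"constructed-demo-key", 0x1234567890  # constructed values
    fob, car = Fob(key, seed), Receiver(key, seed)
    captured = fob.press("unlock")
    out = {"first": car.receive(captured)}
    out["replay"] = car.receive(captured)  # same code sent a second time
    for _ in range(256):
        fob.press()  # pressed out of radio range
    out["after_256"] = car.receive(fob.press("lock"))
    for _ in range(257):
        fob.press()
    out["after_257"] = car.receive(fob.press("unlock"))
    return out

if __name__ == "__main__":
    print(demo())
```

A rejected message leaves the receiver's stored code untouched, which is why the fob in the last case stays locked out until the car is put through its resynchronization procedure.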