Cracking Rolling Code Locks the lazy way

SPOILER ALERT

This write-up contains valid, working ways of solving the challenges named below. If you are only looking for hints and would rather figure the problems out yourself, stop here and DM me on Twitter (@bananabr); I will help as best I can.

The challenges

Both challenges are very similar: you are given an input field and must enter the number that matches the next output of a PRNG.

(Screenshots: Model E1337 — expected number sample; Model E1337 v2 — Hardened Rolling Code Lock expected number; Model E1337 v2 — expected number sample)

Model E1337 — Rolling Code Lock

The first challenge’s PRNG source code is presented below.

Model E1337 v2 — Hardened Rolling Code Lock

To solve the second challenge I had to accomplish essentially the same thing: given the first two consecutive outputs of the PRNG, recover the seed and use it to compute the third. The following snippet contains the source code for the hardened version of the PRNG.

Compared to the first version:

  • The provided seed is now 64 bits instead of 32.
  • There are three extra loops for each bit of output.

The search, given the first two values V1 and V2 produced by the E1337 v2 PRNG:

  • Walk the whole 32-bit seed space (the setup function only folds 32 bits of the seed into the state, which is why brute force is still feasible despite the 64-bit seed) and keep as candidates the seeds whose first 8 generated bits equal the leftmost 8 bits of V1.
  • For each surviving candidate, generate the full first 64-bit output and keep only those that reproduce V1.
  • For every seed that reproduces V1, check whether its next 64-bit output equals V2.
  • A seed that produces V1 and V2 as its first two 64-bit outputs is the one in use: print it, generate its third output, and exit.
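The staged search in the list above, as an added example that is not the author's code. ToyPRNG is a stand-in xorshift64 generator (an assumption, not the challenge's PRNG, whose source is not reproduced on this page) that keeps the one property the attack exploits: its setup only folds the low bits of a nominally 64-bit seed into the state. USED_SEED_BITS is 16 so the demo finishes in seconds; the write-up's search walked 2**32 candidates with the same three stages.

```python
"""Staged brute-force recovery of a PRNG seed from two consecutive outputs.

Added example. ToyPRNG is a hypothetical xorshift64 generator, NOT the
Hacker101 challenge's PRNG. It mirrors the weakness the write-up relies on:
setup discards every seed bit above USED_SEED_BITS, so the effective search
space is far smaller than the 64-bit seed suggests.
"""

MASK64 = (1 << 64) - 1
USED_SEED_BITS = 16   # demo value; the write-up searched 2**32 candidates
SEED_MASK = (1 << USED_SEED_BITS) - 1
INIT_XOR = 0x2545F4914F6CDD1D  # arbitrary non-zero constant, keeps state != 0


class ToyPRNG:
    """Hypothetical generator: only the low USED_SEED_BITS of the seed matter."""

    def __init__(self, seed):
        # Seed bits above USED_SEED_BITS are silently dropped, like a weak setup().
        self.state = (seed & SEED_MASK) ^ INIT_XOR

    def next(self, bits):
        # One output bit per xorshift64 step, most significant bit first, so on a
        # fresh generator next(8) equals the top 8 bits of next(64).
        ret = 0
        for _ in range(bits):
            x = self.state
            x ^= (x << 13) & MASK64
            x ^= x >> 7
            x ^= (x << 17) & MASK64
            self.state = x
            ret = (ret << 1) | (x & 1)
        return ret


def recover_seed(v1, v2, seed_bits=USED_SEED_BITS, out_bits=64, prefix_bits=8):
    """Return the seed whose first two outputs are v1 then v2, or None.

    Stage 1 runs for every candidate but only generates prefix_bits, so the
    full-width checks run for roughly 1 / 2**prefix_bits of the space.
    """
    v1_prefix = v1 >> (out_bits - prefix_bits)
    for seed in range(1 << seed_bits):
        if ToyPRNG(seed).next(prefix_bits) != v1_prefix:
            continue                                  # stage 1: cheap prefix filter
        gen = ToyPRNG(seed)
        if gen.next(out_bits) != v1:
            continue                                  # stage 2: full first output
        if gen.next(out_bits) == v2:                  # stage 3: second output
            return seed
    return None


def predict_third(v1, v2, seed_bits=USED_SEED_BITS):
    """The value the lock expects next, given the two outputs already observed."""
    seed = recover_seed(v1, v2, seed_bits)
    if seed is None:
        return None
    gen = ToyPRNG(seed)
    gen.next(64)
    gen.next(64)
    return gen.next(64)


if __name__ == "__main__":
    # Constructed scenario: the lock was seeded with a 64-bit value whose high
    # bits setup() throws away; the attacker only ever sees v1 and v2.
    lock = ToyPRNG(0xDEADBEEF_0000_BEEF)
    v1, v2, v3 = lock.next(64), lock.next(64), lock.next(64)
    seed = recover_seed(v1, v2)
    print(f"recovered seed: {seed:#x}")          # only the low 16 seed bits survive
    print(f"predicted: {predict_third(v1, v2):#018x}  actual: {v3:#018x}")
```

The recovered seed is 0xBEEF rather than the 64-bit value the lock was given, which is the whole point: any seed bits setup never consumes cannot be observed in the output and do not need to be searched. Raising USED_SEED_BITS to 32 reproduces the write-up's search size; at that size a compiled language or a multi-process split of the seed range is what makes the "lazy way" finish in reasonable time.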

Final thoughts

I plan on taking the time to understand the mathematical approach to this challenge and recommend that everyone do the same. When v3 is released and the setup function is fixed, hammering the challenge probably won't work. Even so, I learned a lot of new things solving these, and I hope this write-up can do the same for someone else.

Daniel Santos

Security researcher and penetration tester