Nice FloR-S attacks:

I’ve been playing with Nice FloR-S rolling codes recently and this info might be of use.

I’ve used non-official firmware so that I can save and generate new keys at specific counts, but the info that I’m posting is general.

1 - On systems that I have access to, when a serial is inserted on a system, any BIGGER count value works and invalidates all prior count keys.

DOS attack - If you have non-official Flipper firmware and you grab a valid Nice FloR-S transmission, you can save that, use the DEBUG option to advance the counter forward, for example by 10 (so you have to click fewer times) - move it to near FFF0 for example, and if the count on the original remote is lower you will INVALIDATE it. This is because, for example, if the original remote is at 0AAA and you send an FFF0 valid key, the system will accept that and invalidate all other codes, moving the counter to FFF0, so the original remote owner will have to click on the remote over and over to get it re-synced. As he is not aware of the attack he will think the remote is broken (no one is going to press the remote button 6000 times in the hope of it working).

2 - If you have a valid key that you did grab, you can do an attack where the owner isn’t aware of it. You need a SINGLE capture of a valid remote. Generate a key/valid signal for FFFF and then make it go back to 0000 and 0001, 0002. On the systems that I was checking the rule is: as long as the count that you send is BIGGER, the system will accept it and move its counter up. This wouldn’t work on systems that only obey a certain margin of count difference, but in my case if I have for example 0003 on the count and I send FFFF, the door will open and the count will go up to FFFF, so … Send the FFFF and then the lower values; the gate/door will open with FFFF and then you set the counter to something like 0003, so that you don’t do a denial of service on the original remote !!! Because the original remote will be above 0003 and will work when pressed, making the count go up to its value.

3 - Insert a new remote. If you have non-official firmware, generate a new remote for Nice FloR-S (you can do this with OFW as well). Now pick up your grabbed signal and use that as the valid code, or you can use the FFF0 count as a valid signal. For that, use FFF0 and make sure it did open the door and re-sync the garage to FFF0, now wait for it to close, get yourself as near as possible to the receiver, at least 3 meters, and do the following:

  • Open the new “virtual” Nice FloR-S remote on the Flipper and advance the counter from 0003 to something like 0005 or 0006 to test it and see if it’s running and increasing fine. If so, wait for a while (you might want to wait for the door to close if it’s still open) and press “send” on the virtual remote you want to program for at least 5 sec, then release it. Open the valid signal that is working on the system/garage/door and send it 3 incremental times SLOWLY, like pressing SEND for 1 sec or 2 and releasing. Now quickly open the virtual remote on the Flipper and send the signal one more time slowly (keeping send pressed for 2 sec). If you can see the receiver LED, wait for it to turn off, but if not, because for example the box is closed, just wait 1 minute and try the new remote. If your system has available memory (there is a limit on how many remotes/serials you can program depending on the system configuration/memory) and if remote programming is not disabled by software, then your new Flipper virtual remote will act as a working registered one. - To end, you might want to “rotate” the original signal back to 0003 so that when the owner uses his remote it is not far away from sync…