Project
Mini Cooper Forced Entry System
SDR-based security research demonstrating RF signal capture, jamming, and replay attacks on a 2016 Mini Cooper's keyless entry system. Uses HackRF hardware and GNU Radio to analyze wireless vulnerabilities at 433 MHz.
A CSE 4820 final project at Florida Institute of Technology with teammates Cody Manning and Curtice Gough. Starting from a half-joking "what if we just hacked the car?", we used a HackRF SDR and Universal Radio Hacker to investigate keyless entry vulnerabilities in a 2016 Mini Cooper. A naive replay attack failed immediately — BMW implements rolling codes on the fob, so each captured signal is single-use. We pivoted to a Roll-Jam attack: jam the car's receiver, capture two successive fob codes, then replay the first to let the owner in while retaining the second for later use. We successfully jammed the channel and captured the signals, but the replay did not unlock the car and instead permanently desynced the fob from the car, requiring a dealer reset. The project confirmed that rolling codes block replay attacks, the 433 MHz channel is still fully jammable (a denial-of-service in itself), and the Roll-Jam and RollBack techniques remain viable vectors on similar systems — just not in our hands this time.
The fob's operating frequency was found by looking up the FCC ID printed on the fob at fccid.io. All testing was done on hardware we owned, in the IoT lab at Florida Tech.
The first approach was straightforward: capture the unlock signal from the fob with HackRF while out of range of the car, then replay it later to unlock the door.
After capturing the signal and loading it into Universal Radio Hacker, we replayed it outside the Mini Cooper and got no response. Multiple captures gave the same result. This is because BMW implements rolling codes on the key fob. In the usual rolling-code design, each press advances a counter inside the fob and transmits a code derived from that counter under a key shared with the car; the car accepts a code only if its counter lies ahead of the last one it accepted, within a small look-ahead window. A captured signal is therefore single-use: once the car has accepted it, or any later press, the code is dead and replaying it does nothing.
The replay attack failed by design. This pushed us toward a different angle.
The Roll-Jam attack, originally demonstrated by Samy Kamkar at DEF CON 23 in 2015, works around rolling codes by jamming the car's receiver while simultaneously recording the fob's signal. The owner sees that the car did not unlock and presses the fob a second time; the attacker jams and records that press as well, then replays the first code so the car unlocks normally. The second code has never reached the car, so it stays valid and the attacker keeps it in reserve.
We successfully jammed the Mini Cooper's receiver and captured the fob signals. Replaying the first captured code did not unlock the car, and there was an unintended side effect: the fob ended up permanently desynchronised from the car. Every press made while the receiver was jammed still advanced the fob's counter, and once that counter had drifted beyond the window of codes the car will accept, the car stopped accepting the fob entirely, requiring a dealer reset.
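To make the mechanics behind the three outcomes above concrete (a replayed code is rejected, RollJam's reserved second code is accepted, and presses made during jamming can push the fob out of the receiver's window), here is a small receiver model. It is an added example written for this page, not the project's code and not BMW's algorithm: the HMAC-based code derivation standing in for the fob's proprietary cipher, the shared key, the 16-code acceptance window and the absence of any wider resynchronisation window are all assumptions.

```python
"""Rolling-code receiver model: naive replay, RollJam, and jam-induced desync.

Constructed example, not the project's code and not BMW's algorithm.
Assumptions (not from the page): an HMAC over (counter, button) stands in
for the fob's keyed cipher, the receiver accepts a code whose counter lies
at most WINDOW ahead of the last counter it accepted, and there is no
wider resynchronisation window.
"""

import hashlib
import hmac

KEY = b"constructed-fob-key"   # assumption: per-fob secret shared with the car
UNLOCK = 0x01                  # assumption: button identifier
WINDOW = 16                    # assumption: receiver's look-ahead window


def rolling_code(key: bytes, counter: int, button: int) -> bytes:
    """Stand-in for the fob's keyed cipher: code = MAC(counter || button)."""
    msg = counter.to_bytes(4, "big") + bytes([button])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def press(self, button: int = UNLOCK) -> tuple[int, bytes]:
        """Every press advances the counter, whether or not the car hears it."""
        self.counter += 1
        return button, rolling_code(self.key, self.counter, button)


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key, self.last = key, 0

    def receive(self, packet: tuple[int, bytes]) -> bool:
        """Accept only a code whose counter is in (last, last + WINDOW]."""
        button, code = packet
        for c in range(self.last + 1, self.last + WINDOW + 1):
            if hmac.compare_digest(rolling_code(self.key, c, button), code):
                self.last = c   # consumed: this code and all earlier ones are dead
                return True
        return False


def naive_replay() -> tuple[bool, bool]:
    """Record a press the car also hears, then replay the recording."""
    fob, car = Fob(KEY), Receiver(KEY)
    captured = fob.press()
    owner_unlocked = car.receive(captured)
    attacker_unlocked = car.receive(captured)   # counter is no longer ahead of last
    return owner_unlocked, attacker_unlocked


def rolljam() -> tuple[bool, bool, bool]:
    """Jam two presses, release the first, keep the second for later."""
    fob, car = Fob(KEY), Receiver(KEY)
    first = fob.press()     # jammed: the car never sees it, the attacker records it
    second = fob.press()    # jammed and recorded again
    unlock_now = car.receive(first)      # attacker replays the first: owner gets in
    unlock_later = car.receive(second)   # reserved second code is still ahead of last
    unlock_again = car.receive(second)   # the reserved code is single-use too
    return unlock_now, unlock_later, unlock_again


def jam_to_desync(jammed_presses: int = WINDOW + 1) -> tuple[bool, int, int]:
    """Owner keeps pressing while jammed; the fob's counter may leave the window."""
    fob, car = Fob(KEY), Receiver(KEY)
    for _ in range(jammed_presses):
        fob.press()                        # advances the fob, the car hears nothing
    accepted = car.receive(fob.press())   # jamming stops; is the fob still accepted?
    return accepted, fob.counter, car.last


if __name__ == "__main__":
    print("naive replay (owner, attacker):", naive_replay())
    print("rolljam (now, later, again):", rolljam())
    print("WINDOW+1 jammed presses (accepted, fob, car):", jam_to_desync())
    print("WINDOW-1 jammed presses (accepted, fob, car):", jam_to_desync(WINDOW - 1))
```

The model also makes the corollary explicit: a code recorded while the car cannot hear the fob stays valid until the car accepts a later press, which is exactly why releasing the first jammed code works in RollJam. The `jam_to_desync` boundary shows the flip side: with one jammed press fewer than the window the fob is still accepted, with one more it is locked out for good under these assumptions, since the receiver's counter never advances again.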
We never achieved remote entry, but we demonstrated the jamming stage of the attack and confirmed that jamming alone is a practical denial of service that can leave the fob desynchronised from the car. There are many documented instances of Roll-Jam succeeding on similar systems.