RC4 SUPPORT - HELP NEEDED
@Oldfan suggested and implemented a scheme to learn RC4 messages, similarly to how RCHourGlass does this. Before committing to further work, I'd like to verify that the scheme indeed works.
First off, RC4 was designed to make reverse-engineering hard, and we do not pursue that either. It sends many different unique messages, probably including a random sequence (IV) in each message, then obfuscated with a block cipher (I would have implemented it in a similar way myself).
I have access to a single RC4-hybrid transponder. Based on that, the RC4 messages are 3-modal (3 distinct types and repetition rates):
- The most frequent messages contain (?) voltage and temperature information. There are exactly 80 different unique messages of them at a time, and they keep changing as voltage and temperature fluctuate. A power-cycle clears them, and a new set of 80 messages is sent. As such, it makes no sense to build a memory based on these.
- There is a long-tail of messages that do not repeat within a reasonable timeframe. One can listen for hours to detect a repetition. Again, building a memory on these is not practical.
- There are 160 pcs of unique messages, accounting for ~25% of all messages detected, which do not change and do survive power-cycles. It makes sense to build a memory on these.
The problem is I do not really believe these messages are indeed unique. It makes no sense to me, and if I were designing such a protocol, these messages would not exist.
I have a feeling these serve a different purpose than transmitting transponder ids.
Histogram:
HELP VERIFY THE UNIQUENESS OF THESE MESSAGES
The best way is doing it on a Windows laptop; there is a special build for it.
- Place the transponder near the loop, and keep it stable (simulate a car parked on the loop). The decoder switches into "Learning mode", which is indicated by a message "L 9042 START". If you change the position of the transponder, the learning mode is interrupted ("L 13984 INTERRUPTED"), so keep it stable.
- After a while (RC4Hybrid: 20-25 sec, RC4 probably half the time) the decoder reads enough messages to finish learning ("L 70192 DONE 1001 320"). A "<transponder_id>.rc4" file is placed into the directory you started the program from. For RC4Hybrids the decoder can read the transponder id, while regular RC4 files follow a scheme of "1001.rc4", "1002.rc4", etc. You can rename these files to the actual transponder id; the program automatically reloads the changed files.
You can keep the measurement setup actually very simple:
PLEASE COLLECT DATA FROM AS MANY TRANSPONDERS AS YOU CAN, AND EMAIL THE FILES TO ME
My email address:
[email protected]
The files are a few kB in size, and contain the repeating messages of an 8196-sample capture, in a human-readable way.
This experiment is important, as it dictates how future support around this feature is done. I'd like to collect data from at least 30 transponders.
- If there is no repetition (the messages are unique), I'll call it a day and ship the feature.
- If there is repetition, I'll do some math. If there is a chance larger than 50% of having a "collision" in a random set of 8, I simply do not want to waste time on this (put what we have now behind an option flag).
- Otherwise something in between.
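As an added worked example (not part of this post and not the decoder's own code), the decision rule above expressed as a script that can be run over a directory of collected files. The file format is an assumption: one hex message per line, with blank lines and "#" comments ignored (the post does not describe the actual layout). The collision estimate treats each pair of transponders as an independent event with the observed pairwise overlap rate, which is the usual birthday-style approximation.

```python
from itertools import combinations
from math import comb
from pathlib import Path

# Assumed file layout (NOT confirmed by the post): one learned message per
# line as a hex string; blank lines and '#' comments are ignored.
def parse_rc4_file(text):
    msgs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msgs.add(line.lower())
    return msgs

def load_directory(dirname):
    """Map transponder id (file stem) -> set of learned messages."""
    return {p.stem: parse_rc4_file(p.read_text())
            for p in sorted(Path(dirname).glob("*.rc4"))}

def pairwise_overlaps(files):
    """Every pair of transponders that shares at least one message,
    as (id_a, id_b, shared_count), sorted by id."""
    out = []
    for a, b in combinations(sorted(files), 2):
        shared = files[a] & files[b]
        if shared:
            out.append((a, b, len(shared)))
    return out

def pair_collision_rate(files):
    """Fraction of transponder pairs that share at least one message."""
    pairs = comb(len(files), 2)
    return len(pairwise_overlaps(files)) / pairs if pairs else 0.0

def collision_probability(p_pair, n=8):
    """P(at least one colliding pair among n transponders), assuming the
    C(n,2) pairs collide independently with probability p_pair."""
    return 1.0 - (1.0 - p_pair) ** comb(n, 2)

def verdict(files, set_size=8, threshold=0.5):
    """The post's rule: no repetition -> ship; >50% chance of a collision in
    a random set of 8 -> hide behind an option flag; otherwise in between."""
    rate = pair_collision_rate(files)
    if rate == 0.0:
        return "ship"
    if collision_probability(rate, set_size) > threshold:
        return "option flag"
    return "in between"

if __name__ == "__main__":
    # Constructed sample data standing in for a directory of .rc4 files:
    # 1001 and 1002 share one message, the others are disjoint.
    sample = {
        "1001": parse_rc4_file("# constructed\n0A1B2C3D\n1122AABB\nDEADBEEF\n"),
        "1002": parse_rc4_file("DEADBEEF\nCAFEF00D\n"),
        "1003": parse_rc4_file("00112233\n"),
        "1004": parse_rc4_file("44556677\n"),
    }
    for a, b, n in pairwise_overlaps(sample):
        print(f"{a} and {b} share {n} message(s)")
    rate = pair_collision_rate(sample)
    print(f"pair collision rate: {rate:.4f}")
    print(f"P(collision in a set of 8): {collision_probability(rate):.4f}")
    print(f"verdict: {verdict(sample)}")
```

With real data, replace the constructed dictionary by `load_directory("path/with/rc4/files")`. Note that with only four transponders a single overlapping pair already gives a 1/6 pairwise rate, which extrapolates to a near-certain collision among 8; the estimate only becomes meaningful once the 30-plus transponders the post asks for are in.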
Thanks in advance