Rolling code systems are a cornerstone of modern RF security. They are embedded in gate openers, alarm systems, and a wide range of access control devices. Their purpose is simple: prevent replay attacks by ensuring that every transmitted code is unique and accepted only once.

This article explains, step by step, how Kaiju processes rolling-code-based protocols. We follow the entire workflow, from a raw RF capture performed with PandwaRF to the full reconstruction of the remote’s internal state, including fixed identifiers, rolling counters, and cryptographic keys.

Overview of the Decoding Pipeline

Decoding a rolling code is not a single action but a structured sequence of operations. Kaiju’s workflow can be divided into three main stages.

  1. RF acquisition
  2. Payload extraction
  3. Cryptographic and logical interpretation

Each stage refines the data, transforming an analog RF signal into a fully understood and reproducible logical model of the remote.

1. RF Acquisition

The process begins with the capture of the RF signal.
PandwaRF, or any compatible RF acquisition tool, records the raw signal, typically modulated in ASK/OOK or 2-FSK on 433 or 868 MHz. At this step, the data is nothing more than a series of timings and demodulated bit transitions.


Kaiju can ingest several types of input:

  • Demodulated RF frames captured by PandwaRF
  • Raw RF captures from external tools
  • SDR-style IQ files, for example produced by software-defined radios and tools like Universal Radio Hacker (URH)

In the example discussed here, the RF capture originates from the excellent Universal Radio Hacker (URH) and is then exported and fed into Kaiju for processing.

2. Payload Extraction

Once the raw signal is available, Kaiju processes it to extract the underlying payload. This stage includes:

  • Timing normalization and synchronization
    Aligning edges, normalizing pulse durations, and compensating for jitter so that symbols and frames can be segmented reliably.
  • Bit decoding
    Applying the appropriate line-code decoding scheme when necessary, such as:
    • Manchester
    • PWM / pulse-width
    • Other protocol-specific encodings
  • Protocol-aware parsing
    Interpreting the bitstream according to the selected protocol profile (for example, KeeLoq or other rolling-code schemes). This involves:
    • Identifying preambles and sync patterns
    • Locating headers and control fields
    • Extracting the fixed and encrypted portions of the frame
  • Field separation
    Splitting the frame into:
    • Fixed portion (serial number, manufacturer ID, optional flags)
    • Variable/encrypted portion (rolling counter, button code, and other protected fields)

The output of this stage is a clean, protocol-aligned representation of each transmitted frame, suitable for cryptographic and logical analysis.
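As an added example (not Kaiju or PandwaRF code), the following Python models the bit-decoding and field-separation steps above for a KeeLoq-style frame: each PWM pulse pair is normalized per bit and mapped to a bit, then the 66-bit LSB-first stream is split into the encrypted block and the fixed portion. The TE value, the pulse-to-bit mapping, the tolerance and the field layout are assumptions stated in the code; the encrypted block is left as ciphertext, exactly as it is at the end of this stage.

```python
from dataclasses import dataclass

TE_US = 400.0     # assumed nominal element time (microseconds), one "TE"
TOLERANCE = 0.30  # accept +/-30% jitter on the 3-TE bit period

@dataclass(frozen=True)
class KeeloqFrame:
    encrypted: int     # 32-bit hopping block, still ciphertext at this stage
    serial: int        # 28-bit fixed identifier
    button: int        # 4-bit function code, kept in transmission order
    low_battery: bool
    repeat: bool

def pulses_to_bits(pulses, te_us=TE_US, tol=TOLERANCE):
    """PWM decode: each bit is a high pulse followed by a low gap, 3 TE in total.
    Assumed mapping: high for 2 TE -> 0, high for 1 TE -> 1."""
    bits = []
    for high_us, low_us in pulses:
        te = (high_us + low_us) / 3.0  # per-bit normalization absorbs clock drift
        if abs(te - te_us) > tol * te_us:
            raise ValueError(f"bit period {high_us + low_us:.0f}us outside tolerance")
        ratio = high_us / te
        if abs(ratio - 2.0) < 0.4:
            bits.append(0)
        elif abs(ratio - 1.0) < 0.4:
            bits.append(1)
        else:
            raise ValueError(f"ambiguous pulse ratio {ratio:.2f}")  # flag, don't guess
    return bits

def _field(bits, start, width):
    """Fields are sent LSB first: bit i of the field is bits[start + i]."""
    return sum(b << i for i, b in enumerate(bits[start:start + width]))

def split_fields(bits):
    """Field separation: 32-bit encrypted block, then the fixed portion (assumed 66-bit layout)."""
    if len(bits) != 66:
        raise ValueError(f"expected 66 data bits, got {len(bits)}")
    return KeeloqFrame(encrypted=_field(bits, 0, 32), serial=_field(bits, 32, 28),
                       button=_field(bits, 60, 4), low_battery=bool(bits[64]),
                       repeat=bool(bits[65]))

def frame_to_pulses(frame, te_us=TE_US, jitter_us=0.0):
    """Constructed transmitter side, only used to build a sample capture for testing."""
    bits = [(frame.encrypted >> i) & 1 for i in range(32)]
    bits += [(frame.serial >> i) & 1 for i in range(28)]
    bits += [(frame.button >> i) & 1 for i in range(4)]
    bits += [int(frame.low_battery), int(frame.repeat)]
    # high = 2 TE for a 0, 1 TE for a 1; jitter moves the edge but keeps the period
    return [((2 - b) * te_us + jitter_us, (1 + b) * te_us - jitter_us) for b in bits]
```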

3. Cryptographic and Logical Interpretation

With the payload parsed, Kaiju applies protocol-specific logic to reconstruct the internal state of the remote. Depending on the protocol, this includes:

  • Recovering the serial number
    Extracting and decoding the unique identifier from the fixed field.
  • Decrypting the encrypted block
    Using the appropriate cipher (for example KeeLoq), Kaiju decrypts the ciphertext to obtain the plaintext, from which it can extract:
    • The rolling counter
    • The button code or function
    • Additional flags (battery status, repetition flags, etc.)
  • Reconstructing the cryptographic key
    Where supported and feasible, Kaiju recovers the unique cryptographic key associated with the remote. This enables:
    • Validation of observed frames
    • Regeneration of future valid rolling codes
    • Full emulation of the encoder’s behaviour

Once these elements are available, Kaiju can emulate the encoder and compute future valid rolling codes exactly as the physical remote would, using the recovered key and counter.
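The rolling counter recovered from the encrypted block is what a receiver checks to enforce the accept-once rule from the introduction. The following added example (not Kaiju code) models that receiver-side validation over a sequence of decoded counters, so an analyst can flag replayed frames and frames outside the accepted window; the window sizes, the two-consecutive-counter resync rule and the 16-bit counter width are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

OPEN_WINDOW = 16        # assumed: counters at most this far ahead are accepted directly
RESYNC_WINDOW = 32768   # assumed: further ahead needs two consecutive counters to resync
COUNTER_BITS = 16       # assumed width of the rolling counter

@dataclass
class ReceiverState:
    """Per-remote state a receiver keeps; counters come from the decrypted block."""
    last_counter: int
    pending: Optional[int] = None   # first counter of a possible resync pair

def check_counter(state: ReceiverState, counter: int) -> str:
    """Classify one decoded counter against the receiver state and update it."""
    modulus = 1 << COUNTER_BITS
    delta = (counter - state.last_counter) % modulus   # forward distance, wrap-safe
    if delta == 0 or delta > RESYNC_WINDOW:
        return "replay"            # at or behind the last accepted counter
    if delta <= OPEN_WINDOW:
        state.last_counter, state.pending = counter, None
        return "accept"
    if state.pending is not None and (counter - state.pending) % modulus == 1:
        state.last_counter, state.pending = counter, None
        return "resync"            # two consecutive counters: trust the jump
    state.pending = counter
    return "resync-pending"

def audit(counters, start):
    """Run decoded counters through the receiver logic; return one verdict per frame."""
    state = ReceiverState(last_counter=start)
    return [check_counter(state, c) for c in counters]
```

Feeding the counters Kaiju decoded from a capture into audit() makes repeated or backwards counters stand out as "replay" verdicts.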

Visual Example: Decoding a KeeLoq Frame in Kaiju

A typical KeeLoq decoding session in Kaiju presents:

  • The reconstructed binary payload for each frame
  • A clear segmentation of fields, including:
    • Fixed ID
    • Button code
    • Encrypted block
  • The decoded rolling counter value
  • The recovered cryptographic key (when available for the given protocol)
  • Additional metadata, such as:
    • Button state and function
    • Battery level or low-battery flags
    • Encoder type / variant
    • Encryption mode or configuration

Kaiju also provides signal-quality indicators, such as:

  • Entropy measurements
  • Autocorrelation and pattern analysis
  • Error and anomaly flags on suspect frames

Together, these views give the analyst a complete and transparent picture of the remote’s RF behaviour and internal logic.

PandwaRF Integration for Physical Capture

PandwaRF acts as the physical acquisition layer in this decoding workflow. When operating in capture mode, it delivers clean, demodulated frames directly to Kaiju.

Key technical advantages include:

  • Reliable capture of ASK/OOK and 2-FSK signals over common sub-GHz bands
  • Automatic chunking of received data into frames
  • Seamless transfer to Kaiju without manual post-processing or hand-crafted scripts
  • Delivery of normalized binary payloads ready for immediate decoding

This integration eliminates the need for analysts to perform low-level RF cleaning or signal conditioning, allowing them to focus on the protocol itself rather than the raw RF domain.

Practical Value

For Law Enforcement Agencies, RF security teams, research laboratories, integrators, and embedded developers, the Kaiju + PandwaRF workflow substantially accelerates the analysis of rolling-code-based systems.

Historically, decoding such systems required:

  • Manual waveform inspection
  • Custom demodulation scripts
  • Repeated trial-and-error on protocol parameters
  • Time-consuming reverse engineering of frame structures

With Kaiju, the same tasks can often be completed in under a minute, with:

  • A reproducible and deterministic workflow
  • Full visibility into the internal state of the remote (fixed ID, counter, keys)
  • Automated emulation of future valid rolling codes
  • A structured view that simplifies documentation and reporting

From protocol research to vulnerability assessment, Kaiju offers a precise, automated, and reliable way to understand and emulate rolling code systems at scale.

If you have questions about the decoding process, supported protocols, or integration with your existing tools, feel free to reach out.

Djamil