Citations [wip]

Removed unused function pointers from the Kia V3/V4 protocol structure.

.github/ISSUE_TEMPLATE/01_bug_report.yml

@@ -1,45 +1,77 @@
-name: Bug report
-description: File a bug reports regarding the firmware.
+name: Bug Report
+description: Report a bug in Flipper-ARF firmware.
 labels: ["bug"]
 body:
   - type: markdown
     attributes:
       value: |
-        Thank you for taking the time to fill out an issue, this template is meant for any issues related to the Flipper Zero unleashed firmware.
+        Thanks for reporting a bug in Flipper-ARF. Please fill in as much detail as possible.
+  - type: input
+    id: firmware-version
+    attributes:
+      label: Firmware version
+      description: "ARF version or git commit hash."
+      placeholder: "e.g. ARF 0.1.2 or commit abc1234"
+    validations:
+      required: true
+  - type: dropdown
+    id: hardware
+    attributes:
+      label: Hardware setup
+      description: "Which hardware configuration are you using?"
+      options:
+        - Flipper Zero (stock)
+        - Flipper Zero (modded antenna)
+        - Flipper Zero + external CC1101
+        - Other (describe below)
+    validations:
+      required: true
+  - type: input
+    id: protocol
+    attributes:
+      label: Protocol affected
+      description: "Which protocol is affected, if applicable?"
+      placeholder: "e.g. Kia V3/V4, PSA GROUP, Keeloq, Fiat Mystery"
+  - type: input
+    id: frequency
+    attributes:
+      label: Frequency & modulation
+      description: "RF frequency and modulation used, if relevant."
+      placeholder: "e.g. 433.92 MHz AM"
   - type: textarea
     id: description
     attributes:
-      label: Describe the bug.
-      description: "A clear and concise description of what the bug is."
+      label: Bug description
+      description: "A clear and concise description of the bug."
     validations:
       required: true
   - type: textarea
     id: repro
     attributes:
-      label: Reproduction
+      label: Steps to reproduce
       description: "How can this bug be reproduced?"
       placeholder: |
-        1. Switch on...
-        2. Press button '....'
-        3. Wait for the moon phase
-        4. It burns
+        1. Open SubGhz app
+        2. Load saved .sub file
+        3. Press Send
+        4. Observe error / unexpected behavior
     validations:
       required: true
-  - type: input
-    id: target
+  - type: textarea
+    id: expected
     attributes:
-      label: Target
-      description: Specify the target
-      # Target seems to be largely ignored by outside sources.
+      label: Expected vs actual behavior
+      description: "What did you expect to happen, and what actually happened?"
+    validations:
+      required: true
   - type: textarea
     id: logs
     attributes:
-      label: Logs
-      description: Attach your debug logs here
+      label: Logs / screenshots
+      description: "Attach debug logs (via serial CLI) or screenshots if available."
       render: Text
-      # Avoid rendering as Markdown here.
   - type: textarea
     id: anything-else
     attributes:
-      label: Anything else?
-      description: Let us know if you have anything else to share.
+      label: Additional context
+      description: "Any other information that might help (vehicle model, .sub file contents, etc.)."

.github/ISSUE_TEMPLATE/02_enhancements.yml

@@ -1,20 +0,0 @@
-name: Enhancements
-description: Suggest improvements for any existing functionality within the firmware.
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thank you for taking the time to fill out an issue. This template is meant for feature requests and improvements to already existing functionality.
-  - type: textarea
-    id: proposal
-    attributes:
-      label: "Describe the enhancement you're suggesting."
-      description: |
-        Feel free to describe in as much detail as you wish.
-    validations:
-      required: true
-  - type: textarea
-    id: anything-else
-    attributes:
-      label: Anything else?
-      description: Let us know if you have anything else to share.

.github/ISSUE_TEMPLATE/03_feature_request.yml

@@ -1,23 +1,46 @@
 name: Feature Request
-description: For feature requests regarding the firmware.
+description: Suggest a new feature or improvement for Flipper-ARF.
 labels: ["feature request"]
 body:
   - type: markdown
     attributes:
       value: |
-        Thank you for taking the time to fill out an issue, this template is meant for any feature suggestions.
-  - type: textarea
-    id: proposal
+        Thanks for suggesting a feature for Flipper-ARF. Please describe your idea in detail.
+  - type: dropdown
+    id: category
     attributes:
-      label: "Description of the feature you're suggesting."
-      description: |
-        Please describe your feature request in as many details as possible.
-          - Describe what it should do.
-          - Note whetever it is to extend existing functionality or introduce new functionality.
+      label: Category
+      description: "What area does this feature fall under?"
+      options:
+        - New protocol
+        - Protocol improvement
+        - UI / UX
+        - Build system / tooling
+        - Other
+    validations:
+      required: true
+  - type: input
+    id: manufacturer
+    attributes:
+      label: Manufacturer / protocol
+      description: "Which manufacturer or protocol is this related to, if applicable?"
+      placeholder: "e.g. Toyota, Renault, Keeloq"
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: "Describe the feature you're suggesting."
+    validations:
+      required: true
+  - type: textarea
+    id: use-case
+    attributes:
+      label: Use case
+      description: "Why is this needed? What problem does it solve?"
     validations:
       required: true
   - type: textarea
     id: anything-else
     attributes:
-      label: Anything else?
-      description: Let us know if you have anything else to share.
+      label: Additional context
+      description: "Any references, datasheets, links, or examples that support this request."

.github/ISSUE_TEMPLATE/04_protocol_submission.yml

@@ -0,0 +1,111 @@
+name: Protocol / Algorithm Submission
+description: Submit a new protocol decoder, encoder, or cipher implementation.
+labels: ["protocol", "contribution"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Use this template to submit a new protocol implementation or algorithm for inclusion in Flipper-ARF.
+        Include as much technical detail as possible — timing, frame structure, cipher type, and test captures.
+  - type: input
+    id: protocol-name
+    attributes:
+      label: Protocol name
+      description: "Name for the protocol (as it should appear in the firmware)."
+      placeholder: "e.g. Renault V2, Opel Corsa, Nissan V0"
+    validations:
+      required: true
+  - type: input
+    id: manufacturer
+    attributes:
+      label: Manufacturer / vehicle
+      description: "Which manufacturer or vehicles use this protocol?"
+      placeholder: "e.g. Renault Clio 2010-2018, Opel/Vauxhall Corsa D"
+    validations:
+      required: true
+  - type: input
+    id: frequency
+    attributes:
+      label: Frequency & modulation
+      description: "RF frequency and modulation type."
+      placeholder: "e.g. 433.92 MHz FM (FSK)"
+    validations:
+      required: true
+  - type: dropdown
+    id: encoding
+    attributes:
+      label: Encoding
+      description: "How are bits encoded in the RF signal?"
+      options:
+        - PWM (Pulse Width Modulation)
+        - Manchester
+        - Differential Manchester
+        - OOK raw
+        - Other (describe in frame structure)
+    validations:
+      required: true
+  - type: textarea
+    id: timing
+    attributes:
+      label: Timing parameters
+      description: "Provide timing values for the protocol."
+      placeholder: |
+        te_short: 400 us
+        te_long: 800 us
+        te_delta: 150 us
+        Preamble: 16 pairs of alternating short pulses
+        Sync: 1200 us HIGH
+        Gap: 10000 us between bursts
+    validations:
+      required: true
+  - type: textarea
+    id: frame-structure
+    attributes:
+      label: Frame structure
+      description: "Describe the bit layout — field positions, sizes, fixed vs rolling parts."
+      placeholder: |
+        Total bits: 68
+        Bits 0-31: Encrypted (KeeLoq)
+        Bits 32-59: Serial (28 bits)
+        Bits 60-63: Button code (4 bits)
+        Bits 64-67: CRC (4 bits, XOR of nibbles)
+    validations:
+      required: true
+  - type: dropdown
+    id: cipher
+    attributes:
+      label: Cipher / rolling code type
+      description: "What cipher or rolling code scheme does this protocol use?"
+      options:
+        - None (static code)
+        - KeeLoq
+        - AES
+        - TEA / XTEA
+        - Hitag2
+        - Custom / proprietary
+        - Unknown (needs analysis)
+    validations:
+      required: true
+  - type: dropdown
+    id: status
+    attributes:
+      label: Implementation status
+      description: "How far along is the implementation?"
+      options:
+        - Concept only (analysis / documentation)
+        - Decoder working
+        - Encoder working
+        - Both decoder and encoder working
+    validations:
+      required: true
+  - type: textarea
+    id: captures
+    attributes:
+      label: Test captures
+      description: "Paste .sub file contents or raw pulse data for validation. Attach files if too large."
+      render: Text
+  - type: textarea
+    id: references
+    attributes:
+      label: References
+      description: "Links to datasheets, research papers, FCC filings, or related projects."

.github/ISSUE_TEMPLATE/05_key_recording_submission.yml

@@ -0,0 +1,99 @@
+name: Key Recording Submission
+description: Contribute captured keyfob recordings for protocol analysis.
+labels: ["recording", "data"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Use this template to submit captured keyfob recordings (.sub files or raw data).
+        These recordings help with protocol reverse engineering, decoder validation, and cipher analysis.
+
+        **Tips for useful captures:**
+        - Record 10+ sequential presses per button without long gaps
+        - Note the exact button pressed for each capture
+        - If possible, capture from multiple buttons on the same fob
+        - Include the vehicle make, model, and year
+  - type: input
+    id: vehicle
+    attributes:
+      label: Vehicle / device
+      description: "Make, model, year, and any relevant trim info."
+      placeholder: "e.g. 2015 Fiat Panda 1.2 Pop"
+    validations:
+      required: true
+  - type: dropdown
+    id: protocol
+    attributes:
+      label: Protocol (if known)
+      description: "Which protocol was detected, or select Unknown if not yet identified."
+      options:
+        - Unknown / new protocol
+        - VAG GROUP
+        - Cayenne
+        - PSA GROUP
+        - Ford V0
+        - Fiat SpA
+        - Fiat Mystery
+        - Subaru
+        - Siemens (Mazda)
+        - Kia V0
+        - Kia V1
+        - Kia V2
+        - Kia V3/V4
+        - Kia V5
+        - Kia V6
+        - Suzuki
+        - Mitsubishi V0
+        - Keeloq
+        - Other (specify below)
+    validations:
+      required: true
+  - type: input
+    id: frequency
+    attributes:
+      label: Frequency & modulation used
+      description: "The frequency and modulation setting used during capture."
+      placeholder: "e.g. 433.92 MHz AM650"
+    validations:
+      required: true
+  - type: input
+    id: buttons
+    attributes:
+      label: Button / function
+      description: "Which buttons were recorded and what they do."
+      placeholder: "e.g. Lock (Btn A), Unlock (Btn B), Trunk (Btn C)"
+    validations:
+      required: true
+  - type: input
+    id: num-captures
+    attributes:
+      label: Number of captures
+      description: "How many presses were recorded per button?"
+      placeholder: "e.g. 10 sequential presses per button"
+    validations:
+      required: true
+  - type: dropdown
+    id: capture-method
+    attributes:
+      label: Capture method
+      description: "How were the signals captured?"
+      options:
+        - SubGhz Read RAW
+        - SubGhz decoded (saved .sub)
+        - External SDR (HackRF, RTL-SDR, etc.)
+        - Other
+    validations:
+      required: true
+  - type: textarea
+    id: capture-data
+    attributes:
+      label: Capture data
+      description: "Paste .sub file contents here, or attach files. For multiple files, use separate code blocks labeled by button."
+      render: Text
+    validations:
+      required: true
+  - type: textarea
+    id: notes
+    attributes:
+      label: Notes
+      description: "Any observations — counter gaps, time between captures, battery changes, multiple fobs, etc."

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1 @@
 blank_issues_enabled: true
-contact_links:
-  - name: Telegram
-    url: https://t.me/flipperzero_unofficial
-    about: Unofficial Telegram chat
-  - name: Discord
-    url: https://discord.unleashedflip.com
-    about: Unofficial Discord Community

.github/pull_request_template.md

@@ -1,13 +1,25 @@
-# What's new
+## Summary
 
-- [ Describe changes here ]
+<!-- What changed and why? Keep it concise. -->
 
-# Verification 
+## Protocol(s) affected
 
-- [ Describe how to verify changes ]
+<!-- Which protocol(s) does this PR touch? e.g. Kia V3/V4, PSA GROUP, none -->
 
-# Checklist (For Reviewer)
+## Type of change
 
-- [ ] PR has description of feature/bug
-- [ ] Description contains actions to verify feature/bugfix
-- [ ] I've built this code, uploaded it to the device and verified feature/bugfix
+- [ ] Bug fix
+- [ ] New protocol
+- [ ] Protocol improvement (encoder/decoder/display)
+- [ ] Build system / infrastructure
+- [ ] Other
+
+## Testing
+
+<!-- How was this verified? Include hardware used, captures tested, etc. -->
+
+## Checklist
+
+- [ ] Built with `./fbt COMPACT=1 DEBUG=0 updater_package` (no errors)
+- [ ] Flashed and tested on Flipper Zero
+- [ ] No regressions in other protocols

README.md

@@ -34,7 +34,7 @@ This project may incorporate, adapt, or build upon **other open-source projects*
 | PSA (Peugeot/Citroën/DS) | PSA GROUP | 433 MHz | AM/FM | Yes | Yes |
 | Ford | Ford V0 | 315/433 MHz | AM | Yes | Yes |
 | Fiat | Fiat SpA | 433 MHz | AM | Yes | Yes |
-| Fiat | Fiat Mystery | 433 MHz | AM | No | Yes |
+| Fiat | Fiat Marelli | 433 MHz | AM | No | Yes |
 | Subaru | Subaru | 433 MHz | AM | Yes | Yes |
 | Mazda | Siemens (5WK49365D) | 315/433 MHz | FM | Yes | Yes |
 | Kia/Hyundai | Kia V0 | 433 MHz | FM | Yes | Yes |
@@ -175,7 +175,54 @@ Contributions are welcome if they:
 > Non-automotive features are considered out-of-scope for now.
 
 ### This code is a mess!
-![Talk is cheap, submit patches](arf_pictures/send_patches.jpeg) 
+![Talk is cheap, submit patches](arf_pictures/send_patches.jpeg)
+---
+
+## Citations & References
+
+The following academic publications have been invaluable to the development and understanding of the protocols implemented in this firmware.
+
+### Automotive RKE Security
+
+- **Lock It and Still Lose It — On the (In)Security of Automotive Remote Keyless Entry Systems**
+  Flavio D. Garcia, David Oswald, Timo Kasper, Pierre Pavlidès
+  *USENIX Security 2016*
+  https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_garcia.pdf
+
+- **Clonable Key Fobs: Analyzing and Breaking RKE Protocols**
+  Roberto Gesteira-Miñarro, Gregorio López, Rafael Palacios
+  *International Journal of Information Security, Springer, May 2025, 24(3)*
+  DOI: [10.1007/s10207-025-01063-7](https://doi.org/10.1007/s10207-025-01063-7)
+
+- **The Role of Cryptographic Techniques in Remote Keyless Entry (RKE) Systems**
+  Jananga Chiran — Sri Lanka Institute of Information Technology
+  *November 2023*
+  DOI: [10.5281/zenodo.14677864](https://doi.org/10.5281/zenodo.14677864)
+
+### Immobiliser & Transponder Systems
+
+- **Dismantling DST80-based Immobiliser Systems**
+  Lennert Wouters, Jan Van den Herrewegen, Flavio D. Garcia, David Oswald, Benedikt Gierlichs, Bart Preneel
+  *IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES), 2020, Vol. 2*
+  DOI: [10.13154/tches.v2020.i2.99-127](https://doi.org/10.13154/tches.v2020.i2.99-127)
+
+### RFID & Protocol Analysis Tooling
+
+- **A Toolbox for RFID Protocol Analysis**
+  Flavio D. Garcia
+  *IEEE International Conference on RFID, 2012*
+  DOI: [10.1109/rfid.2012.19](https://doi.org/10.1109/rfid.2012.19)
+
+### Relay & Replay Attacks
+
+- **Implementing and Testing RollJam on Software-Defined Radios**
+  *Università di Bologna (UNIBO), CRIS*
+  https://cris.unibo.it/handle/11585/999874
+
+- **Enhanced Vehicular Roll-Jam Attack Using a Known Noise Source**
+  *Inaugural International Symposium on Vehicle Security & Privacy, January 2023*
+  DOI: [10.14722/vehiclesec.2023.23037](https://doi.org/10.14722/vehiclesec.2023.23037)
+
 ---
 
 # Disclaimer

lib/subghz/protocols/kia_v3_v4.h

@@ -1,37 +1,31 @@
 #pragma once
 
-#include "kia_generic.h"
+#include "base.h"
+#include "../blocks/math.h"
 
+#define SUBGHZ_PROTOCOL_KIA_V3_V4_NAME "KIA/HYU V3/V4"
 
-#define KIA_PROTOCOL_V3_V4_NAME "Kia V3/V4"
+typedef struct SubGhzProtocolDecoderKiaV3V4 SubGhzProtocolDecoderKiaV3V4;
+typedef struct SubGhzProtocolEncoderKiaV3V4 SubGhzProtocolEncoderKiaV3V4;
 
 extern const SubGhzProtocol subghz_protocol_kia_v3_v4;
 
-// Decoder functions
-void* kia_protocol_decoder_v3_v4_alloc(SubGhzEnvironment* environment);
-void kia_protocol_decoder_v3_v4_free(void* context);
-void kia_protocol_decoder_v3_v4_reset(void* context);
-void kia_protocol_decoder_v3_v4_feed(void* context, bool level, uint32_t duration);
-uint8_t kia_protocol_decoder_v3_v4_get_hash_data(void* context);
-SubGhzProtocolStatus kia_protocol_decoder_v3_v4_serialize(
+void* subghz_protocol_decoder_kia_v3_v4_alloc(SubGhzEnvironment* environment);
+void subghz_protocol_decoder_kia_v3_v4_free(void* context);
+void subghz_protocol_decoder_kia_v3_v4_reset(void* context);
+void subghz_protocol_decoder_kia_v3_v4_feed(void* context, bool level, uint32_t duration);
+uint8_t subghz_protocol_decoder_kia_v3_v4_get_hash_data(void* context);
+SubGhzProtocolStatus subghz_protocol_decoder_kia_v3_v4_serialize(
     void* context,
     FlipperFormat* flipper_format,
     SubGhzRadioPreset* preset);
 SubGhzProtocolStatus
-    kia_protocol_decoder_v3_v4_deserialize(void* context, FlipperFormat* flipper_format);
-void kia_protocol_decoder_v3_v4_get_string(void* context, FuriString* output);
+    subghz_protocol_decoder_kia_v3_v4_deserialize(void* context, FlipperFormat* flipper_format);
+void subghz_protocol_decoder_kia_v3_v4_get_string(void* context, FuriString* output);
 
-// Encoder functions
-void* kia_protocol_encoder_v3_v4_alloc(SubGhzEnvironment* environment);
-void kia_protocol_encoder_v3_v4_free(void* context);
+void* subghz_protocol_encoder_kia_v3_v4_alloc(SubGhzEnvironment* environment);
+void subghz_protocol_encoder_kia_v3_v4_free(void* context);
 SubGhzProtocolStatus
-    kia_protocol_encoder_v3_v4_deserialize(void* context, FlipperFormat* flipper_format);
-void kia_protocol_encoder_v3_v4_stop(void* context);
-LevelDuration kia_protocol_encoder_v3_v4_yield(void* context);
-
-// Encoder helper functions for UI
-void kia_protocol_encoder_v3_v4_set_button(void* context, uint8_t button);
-void kia_protocol_encoder_v3_v4_set_counter(void* context, uint16_t counter);
-void kia_protocol_encoder_v3_v4_increment_counter(void* context);
-uint16_t kia_protocol_encoder_v3_v4_get_counter(void* context);
-uint8_t kia_protocol_encoder_v3_v4_get_button(void* context);
+    subghz_protocol_encoder_kia_v3_v4_deserialize(void* context, FlipperFormat* flipper_format);
+void subghz_protocol_encoder_kia_v3_v4_stop(void* context);
+LevelDuration subghz_protocol_encoder_kia_v3_v4_yield(void* context);

lib/subghz/protocols/kia_v5.h

@@ -1,36 +1,36 @@
 #pragma once
 
-#include "kia_generic.h"
-#include <lib/toolbox/manchester_decoder.h>
+#include "base.h"
+#include "../blocks/math.h"
 
-
-#define KIA_PROTOCOL_V5_NAME "Kia V5"
+#define SUBGHZ_PROTOCOL_KIA_V5_NAME "KIA/HYU V5"
 
 typedef struct SubGhzProtocolDecoderKiaV5 SubGhzProtocolDecoderKiaV5;
 typedef struct SubGhzProtocolEncoderKiaV5 SubGhzProtocolEncoderKiaV5;
 
-extern const SubGhzProtocolDecoder kia_protocol_v5_decoder;
-extern const SubGhzProtocolEncoder kia_protocol_v5_encoder;
 extern const SubGhzProtocol subghz_protocol_kia_v5;
 
-// Decoder functions
-void* kia_protocol_decoder_v5_alloc(SubGhzEnvironment* environment);
-void kia_protocol_decoder_v5_free(void* context);
-void kia_protocol_decoder_v5_reset(void* context);
-void kia_protocol_decoder_v5_feed(void* context, bool level, uint32_t duration);
-uint8_t kia_protocol_decoder_v5_get_hash_data(void* context);
-SubGhzProtocolStatus kia_protocol_decoder_v5_serialize(
+void* subghz_protocol_decoder_kia_v5_alloc(SubGhzEnvironment* environment);
+void subghz_protocol_decoder_kia_v5_free(void* context);
+void subghz_protocol_decoder_kia_v5_reset(void* context);
+void subghz_protocol_decoder_kia_v5_feed(void* context, bool level, uint32_t duration);
+uint8_t subghz_protocol_decoder_kia_v5_get_hash_data(void* context);
+SubGhzProtocolStatus subghz_protocol_decoder_kia_v5_serialize(
     void* context,
     FlipperFormat* flipper_format,
     SubGhzRadioPreset* preset);
 SubGhzProtocolStatus
-    kia_protocol_decoder_v5_deserialize(void* context, FlipperFormat* flipper_format);
-void kia_protocol_decoder_v5_get_string(void* context, FuriString* output);
+    subghz_protocol_decoder_kia_v5_deserialize(void* context, FlipperFormat* flipper_format);
+void subghz_protocol_decoder_kia_v5_get_string(void* context, FuriString* output);
 
-// Encoder functions
-void* kia_protocol_encoder_v5_alloc(SubGhzEnvironment* environment);
-void kia_protocol_encoder_v5_free(void* context);
+void* subghz_protocol_encoder_kia_v5_alloc(SubGhzEnvironment* environment);
+void subghz_protocol_encoder_kia_v5_free(void* context);
 SubGhzProtocolStatus
-    kia_protocol_encoder_v5_deserialize(void* context, FlipperFormat* flipper_format);
-void kia_protocol_encoder_v5_stop(void* context);
-LevelDuration kia_protocol_encoder_v5_yield(void* context);
+    subghz_protocol_encoder_kia_v5_deserialize(void* context, FlipperFormat* flipper_format);
+void subghz_protocol_encoder_kia_v5_stop(void* context);
+LevelDuration subghz_protocol_encoder_kia_v5_yield(void* context);
+void subghz_protocol_encoder_kia_v5_set_button(void* context, uint8_t button);
+void subghz_protocol_encoder_kia_v5_set_counter(void* context, uint16_t counter);
+void subghz_protocol_encoder_kia_v5_increment_counter(void* context);
+uint16_t subghz_protocol_encoder_kia_v5_get_counter(void* context);
+uint8_t subghz_protocol_encoder_kia_v5_get_button(void* context);