megacode [2014/12/28 11:05] – created kingkevin → megacode [2014/12/28 20:08] – [sdr] kingkevin
The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex where I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it.

In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls. In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so as to record codes and analyze them.

===== transmitter =====

==== ACT-34B ====

The main target is the [[http://www.linearcorp.com/product_detail.php?productId=867|ACT-34B]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]].
The [[http://www.linearcorp.com/product_detail.php?productId=864|ACT-31B]] is the same as the ACT-34B but with only one button.
  * [[http://www.linearcorp.com/product_detail.php?productId=867|product information]]
  * [[http://www.linearcorp.com/pdf/manuals/ACT-31B_ACT-34B.pdf|manual]] ({{:megacode:act-31b_act-34b_manual.pdf|backup}})
  * FCC-ID [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=98433&fcc_id=EF4ACP00872|EF4 ACP00872]] ({{::megacode:act34b-fcc.zip|archive}})

internal pictures:

{{:megacode:act34b-pcb1.jpg?250|}}
{{:megacode:act34b-pcb3.jpg?250|}}
{{:megacode:act34b-pcb4.jpg?250|}}

It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010103|PIC12C508]].
The PICkit2 programmer does not support the PIC12C family because it is EPROM based and requires a higher voltage.
An accidental read attempt with it erased the code.
Code protection was probably used anyway.
This chip also comes in a One Time Programmable variant, and might be factory programmed.

==== 318LIPW1K ====

The flashable alternative to the ACT-34B is the [[http://www.transmittersolutions.com/Gates-Garages/Transmitters/318MHz/Monarch%20318LIPW1K/|318LIPW1K]] from the [[http://www.transmittersolutions.com/|Transmitter Solutions]] Monarch series.

  * [[http://www.transmittersolutions.com/Gates-Garages/Transmitters/318MHz/Monarch%20318LIPW1K/|product information]]
  * [[http://www.transmittersolutions.com/manuals/TS-Monarch318LIPw1K.pdf|manual]] ({{:megacode:monarch-318lipw1k_manual.pdf|archive}})
  * FCC-ID [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=281502&fcc_id=SU7318LIPW1K|SU7 318LIPW1K]] ({{:megacode:318lipw1k-fcc.zip|archive}})

internal pictures:

{{:megacode:318lipw1k-pcb1.jpg?250|}}
{{:megacode:318lipw1k-pcb2.jpg?250|}}
{{:megacode:318lipw1k-pcb3.jpg?250|}}

It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en019829|PIC12F635]].
The PICkit2 programmer does support the PIC12F family because it is flash based.
But code and data protection were used.

===== receiver =====

==== MDR ====

The main target is the [[http://www.linearcorp.com/product_detail.php?productId=941|MDR]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]].

  * [[http://www.linearcorp.com/product_detail.php?productId=941|product information]]
  * [[http://www.linearcorp.com/pdf/manuals/MDR_MDR-2_MDRM.pdf|manual]] ({{:megacode:mdr-manual.pdf|backup}})

internal pictures:

{{:megacode:mdr-pcb1.jpg?250|}}
{{:megacode:mdr-pcb2.jpg?250|}}
{{:megacode:mdr-pcb5.jpg?250|}}
{{:megacode:mdr-pcb3.jpg?250|}}
{{:megacode:mdr-pcb4.jpg?250|}}
{{:megacode:mdr-pcb6.jpg?250|}}

It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010122|PIC16C54A]].
The PICkit2 programmer does not support the PIC16C family because it is EPROM based and requires a higher voltage.
Code protection is probably used as well.
This chip also comes in a One Time Programmable variant, and might be factory programmed.

==== MDR-U ====

The main target is the [[http://www.linearcorp.com/product_detail.php?productId=942|MDR-U]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]].

  * [[http://www.linearcorp.com/product_detail.php?productId=942|product information]]
  * [[http://www.linearcorp.com/pdf/manuals/MDRU.pdf|manual]] ({{:megacode:mdru-manual.pdf|backup}})

internal pictures:

{{:megacode:mdru-pcb1.jpg?250|}}
{{:megacode:mdru-pcb2.jpg?250|}}
{{:megacode:mdru-pcb3.jpg?250|}}
{{:megacode:mdru-pcb6.jpg?250|}}
{{:megacode:mdru-pcb4.jpg?250|}}
{{:megacode:mdru-pcb5.jpg?250|}}

It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010122|PIC16C54A]].
The PICkit2 programmer does not support the PIC16C family because it is EPROM based and requires a higher voltage.
Code protection is probably used as well.
This chip also comes in a One Time Programmable variant, and might be factory programmed.

===== protocol =====

The MegaCode protocol is partially specified in the [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=98433&fcc_id=EF4ACP00872|FCC]] documents [[https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=112614|MegaCode1]] ({{:megacode:megacode_1.pdf|backup}}) and [[https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=112615|MegaCode2]] ({{:megacode:megacode_1.pdf|backup}}).

It uses Amplitude Modulation (AM) on 318 MHz with only two levels, on and off (on-off keying).
A transmission consists of 24 bit frames followed by 1 blank cell, each 6 ms long.
Within each bit frame a single 1 ms pulse is sent.
The pulse sits either in the first or in the second half of the bit frame (starting 2 ms or 5 ms into the frame), and which half it falls in determines whether the bit is a 0 or a 1.
The first bit frame is the sync frame and always carries a 1.
It is followed by 20 system code bits and 3 data bits.

===== software defined radio =====

This signal can be recorded using a software defined radio (SDR).
I used the inexpensive USB DVB-T stick [[https://sdr.osmocom.org/trac/wiki/rtl-sdr|RTL-SDR]].

First find the exact frequency at which the remote transmits using FFT (waterfall) software, such as [[https://sdr.osmocom.org/trac/wiki/sdrangelove|sdrangelove]].
Use this frequency to record and demodulate the signal using [[https://sdr.osmocom.org/trac/wiki/rtl-sdr|rtl_fm]]:
<code>
rtl_fm -f 317.962M -M am megacode.pcm
</code>
The recorded data can be viewed in audio editing tools such as [[http://audacity.sourceforge.net/|audacity]] by importing it as raw data: 24 kHz, mono, 16-bit little endian.

The code can also be extracted using [[https://git.cuvoodoo.info/kingkevin/megacode/blob/master/sdr/decode.rb|decode.rb]]:
<code>
./decode.rb megacode.pcm
</code>
This decodes the transmissions and lists the 3-byte values:
<code>
# egdes: 0
# pulses: 0
# groups: 1 (1)
# transmissions: 0
# values: 0
# egdes: 1822
# pulses: 167
# groups: 9 (24, 24, 23, 13, 10, 24, 24, 24, 1)
# transmissions: 5
# values: 5
values:
- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2)
- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2)
- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2)
- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2)
- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2)
</code>
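The 20 system code bits and 3 data bits are sent in the clear in every burst, so decoding a single captured transmission, as the listing above shows, yields the whole code. The following Ruby is an added example and not the page's decode.rb: it turns the timings from the protocol section into pulse start times, splits a pulse stream into transmissions at the blank cell, and decodes each complete one into its fields; it assumes that "after 2 or 5 ms" is the pulse start offset within the 6 ms frame and that the first half encodes a 0.

```ruby
# Added example, not the page's decode.rb: frame a MegaCode value into pulse
# timings from the protocol section, and decode a pulse stream back into values.
# Assumption: "after 2 or 5 ms" is the pulse start offset within the 6 ms frame,
# with the first half meaning 0 and the second half meaning 1.
FRAME_MS  = 6.0
CELLS     = 25                          # 24 bit frames plus 1 blank cell
OFFSET_MS = { 0 => 2.0, 1 => 5.0 }      # pulse start offset for each bit value

# Split a 24-bit value: sync (bit 23), 20 system code bits, 3 data bits.
def megacode_fields(value)
  { value: value, sync: (value >> 23) & 1,
    system_code: (value >> 3) & 0xFFFFF, databits: value & 0x7 }
end

# Pulse start times (ms) of one transmission of value, first frame starting at t0.
def megacode_pulses(value, t0 = 0.0)
  (0...24).map { |i| t0 + i * FRAME_MS + OFFSET_MS[(value >> (23 - i)) & 1] }
end

# Decode one group of 24 pulse start times (ms); nil if any pulse is mistimed.
def megacode_decode_group(pulses, tolerance_ms = 0.5)
  return nil unless pulses.size == 24
  start = pulses[0] - OFFSET_MS[1]      # sync frame always carries a 1
  pulses.each_with_index.reduce(0) do |value, (t, i)|
    off = t - start - i * FRAME_MS      # offset of this pulse within its frame
    pair = OFFSET_MS.find { |_, o| (off - o).abs <= tolerance_ms }
    return nil if pair.nil?             # pulse is neither near 2 ms nor 5 ms
    (value << 1) | pair[0]
  end
end

# Split a pulse stream into transmissions and decode each complete one. Pulses of
# consecutive frames are at most 9 ms apart; the blank cell stretches the gap to 12 ms or more.
def megacode_decode_stream(pulses)
  groups = pulses.slice_when { |a, b| b - a > 9.5 }.to_a
  values = groups.map { |g| megacode_decode_group(g) }.compact
  { groups: groups.map(&:size), values: values.map { |v| megacode_fields(v) } }
end

# Constructed pulse stream: two full repeats of the value captured above plus a
# third one cut off after 13 pulses, as a partial recording would produce.
SAMPLE_PULSES = megacode_pulses(0xc917c2) +
                megacode_pulses(0xc917c2, CELLS * FRAME_MS) +
                megacode_pulses(0xc917c2, 2 * CELLS * FRAME_MS).first(13)

r = megacode_decode_stream(SAMPLE_PULSES)
puts "groups: #{r[:groups].inspect}"
r[:values].each { |f| puts format("system code 0x%05x, databits %d", f[:system_code], f[:databits]) }
```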