megacode [2014/12/28 17:56] – [318LIPW1K] kingkevin | megacode [2014/12/28 19:49] – restructure kingkevin |
---|
The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it. | The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it. |
| |
===== transmitter ===== | In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls. In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so to record codes and analyze them. |
| |
In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls. | ===== transmitter ===== |
| |
==== ACT-34B ==== | ==== ACT-34B ==== |
The PICkit2 programmer does support the PIC12F family because it's flash based. | The PICkit2 programmer does support the PIC12F family because it's flash based. |
But code and data protection were. | But code and data protection were. |
| |
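Review bot: in the ACT-34B section, "But code and data protection were." is an unfinished sentence, and the restructure carries it over unchanged into the new revision. Finish it by stating what was found about the protection bits on this PIC12F part, or drop the line until the result is known, since a reader cannot tell from it whether the firmware could be read out with the PICkit2.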
===== receiver ===== | ===== receiver ===== |
| |
In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so to record codes and analyze them. | ==== MDR ==== |
| |
| The main target is the [[http://www.linearcorp.com/product_detail.php?productId=941|MDR]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]]. |
| |
| * [[http://www.linearcorp.com/product_detail.php?productId=941|product information]] |
| * [[http://www.linearcorp.com/pdf/manuals/MDR_MDR-2_MDRM.pdf|manual]] ({{:megacode:mdr-manual.pdf|backup}}) |
| |
| internal pictures: |
| |
| {{:megacode:mdr-pcb1.jpg?250|}} |
| {{:megacode:mdr-pcb2.jpg?250|}} |
| {{:megacode:mdr-pcb5.jpg?250|}} |
| {{:megacode:mdr-pcb3.jpg?250|}} |
| {{:megacode:mdr-pcb4.jpg?250|}} |
| {{:megacode:mdr-pcb6.jpg?250|}} |
| |
| It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010122|PIC12C54A]]. |
| The PICkit2 programmer does not support the PIC16C family because it's EPROM based and requires higher voltage. |
| But code protection is probably used. |
| This chip can also come as One Time Programmable, and might be factory programmed. |
| |
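Review bot: in the new MDR section the chip is named "PIC12C54A" (link text) while the very next line explains programmer support in terms of "the PIC16C family"; the two lines name different families and should be made to agree with the marking on the part. The following sentence, "But code protection is probably used.", also opens with "But" although the line before it already says the chip cannot be read with the PICkit2, so there is no contrast to introduce; "Code protection is probably used as well." would read more clearly.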
| ==== MDR-U ==== |
| |
| The main target is the [[http://www.linearcorp.com/product_detail.php?productId=942|MDR-U]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]]. |
| |
| * [[http://www.linearcorp.com/product_detail.php?productId=942|product information]] |
| * [[http://www.linearcorp.com/pdf/manuals/MDRU.pdf|manual]] ({{:megacode:mdru-manual.pdf|backup}}) |
| |
| internal pictures: |
| |
| {{:megacode:mdru-pcb1.jpg?250|}} |
| {{:megacode:mdru-pcb2.jpg?250|}} |
| {{:megacode:mdru-pcb3.jpg?250|}} |
| {{:megacode:mdru-pcb6.jpg?250|}} |
| {{:megacode:mdru-pcb4.jpg?250|}} |
| {{:megacode:mdru-pcb5.jpg?250|}} |
| |
| It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010122|PIC12C54A]]. |
| The PICkit2 programmer does not support the PIC16C family because it's EPROM based and requires higher voltage. |
| But code protection is probably used. |
| This chip can also come as One Time Programmable, and might be factory programmed. |
| |
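Review bot: the new MDR-U section opens with "The main target is the MDR-U", the same wording the MDR section uses for the MDR, so the page now names two main targets; reword one of them (for example "A second receiver is the MDR-U"). The four chip lines at the end of this section repeat the MDR section word for word, including the "PIC12C54A" versus "PIC16C family" mismatch, so fix the part name in both places or state the shared chip details once under the receiver heading.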
| ===== protocol ===== |
| |
| The MegaCode protocol is partially specified in the [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=98433&fcc_id=EF4ACP00872|FCC]] documents [[https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=112614|MegaCode1]] ({{:megacode:megacode_1.pdf|backup}}) and [[https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=112615|MegaCode2]] ({{:megacode:megacode_1.pdf|backup}}). |
| |
| It uses Amplitude Modulation (AM) on 318MHz. |
| There are two levels: on and off. |
| The transmission uses 24 bit frames and 1 blank cell. |
| Each is 6 ms long. |
| Within each bit frame a 1 ms pulse is send. |
| The pulse is either in the first or second half within the bit frame (after 2 or 5 ms). |
| This defines if the bit is a 0 or 1. |
| The first bit frame is used as sync frame and is always a 1. |
| It is followed by 20 system code bits and 3 data bits. |
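Review bot: in the protocol section the backup link for MegaCode2 points at "megacode_1.pdf", the same file as the MegaCode1 backup, so the second FCC document has no working local copy; point it at its own file. Also in this section, "a 1 ms pulse is send" should read "is sent", and it would help to say what "Each is 6 ms long" covers, so that it is clear the blank cell has the same 6 ms length as the 24 bit frames.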