Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
megacode [2014/12/28 19:08] – mdru kingkevin | megacode [2014/12/28 19:49] – restructure kingkevin |
---|
The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it. | The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it. |
| |
===== transmitter ===== | In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls. In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so to record codes and analyze them. |
| |
In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls. | ===== transmitter ===== |
| |
==== ACT-34B ==== | ==== ACT-34B ==== |
The PICkit2 programmer does support the PIC12F family because it's flash based. | The PICkit2 programmer does support the PIC12F family because it's flash based. |
But code and data protection were. | But code and data protection were. |
| |
===== receiver ===== | ===== receiver ===== |
| |
In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so to record codes and analyze them. | ==== MDR ==== |
| |
====== MDR ====== | |
| |
The main target is the [[http://www.linearcorp.com/product_detail.php?productId=941|MDR]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]]. | The main target is the [[http://www.linearcorp.com/product_detail.php?productId=941|MDR]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]]. |
This chip can also come as One Time Programmable, and might be factory programmed. | This chip can also come as One Time Programmable, and might be factory programmed. |
| |
====== MDR-U ====== | ==== MDR-U ==== |
| |
The main target is the [[http://www.linearcorp.com/product_detail.php?productId=942|MDR-U]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]]. | The main target is the [[http://www.linearcorp.com/product_detail.php?productId=942|MDR-U]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]]. |
But code protection is probably used. | But code protection is probably used. |
This chip can also come as One Time Programmable, and might be factory programmed. | This chip can also come as One Time Programmable, and might be factory programmed. |
| |
| ===== protocol ===== |
| |
| The MegaCode protocol is partially specified in the [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=98433&fcc_id=EF4ACP00872|FCC]] documents [[https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=112614|MegaCode1]] ({{:megacode:megacode_1.pdf|backup}}) and [[https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=112615|MegaCode2]] ({{:megacode:megacode_1.pdf|backup}}). |
| |
| It uses Amplitude Modulation (AM) on 318MHz. |
| There are two levels: on and off. |
| The transmission uses 24 bit frames and 1 blank cell. |
| Each is 6 ms long. |
| Within each bit frame a 1 ms pulse is send. |
| The pulse is either in the first or second half within the bit frame (after 2 or 5 ms). |
| This defines if the bit is a 0 or 1. |
| The first bit frame is used as sync frame and is always a 1. |
| It is followed by 20 system code bits and 3 data bits. |