megacode
Differences
This shows you the differences between two versions of the page.
megacode [2014/12/28 19:08] – mdru kingkevin | megacode [2014/12/30 14:46] – at 31c3 talk kingkevin | ||
---|---|---|---|
Line 1: | Line 1: | ||
The [[http:// | The [[http:// | ||
- | ===== transmitter ===== | + | At [[https:// |
+ | In [[https:// | ||
- | In [[https:// | + | ===== transmitter ===== |
==== ACT-34B ==== | ==== ACT-34B ==== | ||
Line 42: | Line 43: | ||
The PICkit2 programmer does support the PIC12F family because it's flash based. | The PICkit2 programmer does support the PIC12F family because it's flash based. | ||
But code and data protection were. | But code and data protection were. | ||
+ | |||
===== receiver ===== | ===== receiver ===== | ||
- | In [[https:// | + | ==== MDR ==== |
- | + | ||
- | ====== MDR ====== | + | |
The main target is the [[http:// | The main target is the [[http:// | ||
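Review bot: the context line "But code and data protection were." directly above the added blank line is an unfinished sentence; it does not say what state the protections were in. Since this revision already restructures the headings around it, complete the sentence here, in the same form the MDR-U section uses ("But code protection is probably used.").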
Line 67: | Line 67: | ||
This chip can also come as One Time Programmable, | This chip can also come as One Time Programmable, | ||
- | ====== MDR-U ====== | + | ==== MDR-U ==== |
The main target is the [[http:// | The main target is the [[http:// | ||
Line 87: | Line 87: | ||
But code protection is probably used. | But code protection is probably used. | ||
This chip can also come as One Time Programmable, | This chip can also come as One Time Programmable, | ||
+ | |||
+ | ===== protocol ===== | ||
+ | |||
+ | The MegaCode protocol is partially specified in the [[https:// | ||
+ | |||
+ | It uses Amplitude Modulation (AM) on 318MHz. | ||
+ | There are two levels: on and off. | ||
+ | The transmission uses 24 bit frames and 1 blank cell. | ||
+ | Each is 6 ms long. | ||
+ | Within each bit frame a 1 ms pulse is send. | ||
+ | The pulse is either in the first or second half within the bit frame (after 2 or 5 ms). | ||
+ | This defines if the bit is a 0 or 1. | ||
+ | The first bit frame is used as sync frame and is always a 1. | ||
+ | It is followed by 20 system code bits and 3 data bits. | ||
+ | |||
+ | ===== software defined radio ===== | ||
+ | |||
+ | This signal can be recorded using a software defined radio (SDR). | ||
+ | I used the inexpensive USB DVB stick [[https:// | ||
+ | |||
+ | First find the exact frequency at which the remote transmits using an FFT software, such as [[https:// | ||
+ | Use this frequency to record and demodulate the signal using [[https:// | ||
+ | < | ||
+ | rtl_fm -f 317.962M -M am megacode.pcm | ||
+ | </ | ||
+ | The recorded data can be view in audio editing tools such as [[http:// | ||
+ | |||
+ | The code can also be extracted using [[https:// | ||
+ | < | ||
+ | ./decode.rb megacode.pcm | ||
+ | </ | ||
+ | This decodes the transmissions and lists the 3 bytes values. | ||
+ | < | ||
+ | # egdes: 0 | ||
+ | # pulses: 0 | ||
+ | # groups: 1 (1) | ||
+ | # transmissions: | ||
+ | # values: 0 | ||
+ | # egdes: 1822 | ||
+ | # pulses: 167 | ||
+ | # groups: 9 (24, 24, 23, 13, 10, 24, 24, 24, 1) | ||
+ | # transmissions: | ||
+ | # values: 5 | ||
+ | values: | ||
+ | - value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) | ||
+ | - value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) | ||
+ | - value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) | ||
+ | - value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) | ||
+ | - value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) | ||
+ | </ | ||
+ | |||
+ | ===== transmitting ===== | ||
+ | |||
+ | ==== 318LIPW1K ==== | ||
+ | |||
+ | The 318LIPW1K can be flashed using a PICkit2 micro-controller. | ||
+ | The {{: | ||
+ | |||
+ | A pin header can be soldered on the board: | ||
+ | |||
+ | {{: | ||
+ | {{: | ||
+ | {{: | ||
+ | |||
+ | The firmware is available in [[https:// | ||
+ | You can define the code to transmit in [[https:// | ||
+ | |||
+ | ==== ACT-34B ==== | ||
+ | |||
+ | I de-soldered the PIC12F508A micro-controller and replaced it with a pin compatible (slimmer) PIC12F1840: | ||
+ | |||
+ | {{: | ||
+ | {{: | ||
+ | {{: | ||
+ | |||
+ | The firmware is available in [[https:// | ||
+ | The two right buttons are used to send codes defined in the source. | ||
+ | I planned to use the two left buttons to brute force codes but did not finish the implementation. | ||
+ | |||
+ | ===== receiving ===== | ||
+ | |||
+ | ==== MDR ==== | ||
+ | |||
+ | I de-soldered the PIC16C54A micro-controller and replaced it with a pin compatible PIC16F1847: | ||
+ | |||
+ | {{: | ||
+ | {{: | ||
+ | {{: | ||
+ | |||
+ | The {{: | ||
+ | |||
+ | The firmware receiving and recording codes is available in [[https:// | ||
+ | How it works and how to use it further is described in the [[https:// | ||
+ | All codes are read out over I²C when the board is powered up. | ||
+ | They can be recorded/ | ||
+ | |||
+ | The original way the codes are recorded by the device in the EEPROM is described in the [[https:// | ||
+ | ==== MDR-U ==== | ||
+ | |||
+ | The MDR-U is basically the same as the MDR. | ||
+ | The board is different, but the peripheral and connections around the micro-controller. | ||
+ | It uses more surface mount components. | ||
+ | It is powered through the mains (CAUTION: neutral is used as 0V). | ||
+ | |||
+ | Same as for the MDR, I de-soldered the PIC16C54A micro-controller and replaced it with a pin compatible PIC16F1847 (SOIC version). | ||
+ | The firmware is the same as the MDR. |
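Review bot: the new protocol section never says which pulse position encodes which bit value. "The pulse is either in the first or second half within the bit frame (after 2 or 5 ms)" is followed only by "This defines if the bit is a 0 or 1", so a reader cannot decode a capture or check the sample output from this text alone. State the mapping explicitly, and say whether the 24-bit value printed by decode.rb includes the sync bit; the sample output suggests it does, since 0xc917c2 has its top bit set and the 20 bits below it give the listed system code 0x922f8 with data bits 0x2. The partial groups in the sample ("24, 24, 23, 13, 10, 24, 24, 24, 1") also deserve a sentence on how incomplete transmissions are handled. Smaller wording fixes in the same hunk: "a 1 ms pulse is send" should read "sent", "can be view" should read "viewed", and "The board is different, but the peripheral and connections around the micro-controller." is missing its verb.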
megacode.txt · Last modified: 2024/01/07 17:49 by 127.0.0.1