CuVoodoo

the sorcery of copper

megacode

Differences

This shows you the differences between two versions of the page.

megacode [2014/12/28 15:22] – add act-34b kingkevin
megacode [2014/12/30 14:46] – at 31c3 talk kingkevin
Line 1: Line 1:
 The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it. The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it.
  
-===== transmitter =====+At [[https://events.ccc.de/congress/2014/Fahrplan/events/6462.html|31c3]] I gave a [[https://media.ccc.de/browse/congress/2014/31c3_-_6462_-_en_-_saal_2_-_201412292245_-_megacode_to_facility_gates_-_kevin_redon.html#video|short talk]] about how to clone and record codes. 
 +In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls. In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so to record codes and analyze them.
  
-In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls.+===== transmitter =====
  
 ==== ACT-34B ==== ==== ACT-34B ====
  
-The main target is the [[http://www.linearcorp.com/product_detail.php?productId=867|ACT-34B]].+The main target is the [[http://www.linearcorp.com/product_detail.php?productId=867|ACT-34B]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]].
 The [[http://www.linearcorp.com/product_detail.php?productId=864|ACT-31B]] is the same as the ACT-34B but with only one button. The [[http://www.linearcorp.com/product_detail.php?productId=864|ACT-31B]] is the same as the ACT-34B but with only one button.
   * [[http://www.linearcorp.com/product_detail.php?productId=867|product information]]   * [[http://www.linearcorp.com/product_detail.php?productId=867|product information]]
   * [[http://www.linearcorp.com/pdf/manuals/ACT-31B_ACT-34B.pdf|manual]] ({{:megacode:act-31b_act-34b_manual.pdf|backup}})   * [[http://www.linearcorp.com/pdf/manuals/ACT-31B_ACT-34B.pdf|manual]] ({{:megacode:act-31b_act-34b_manual.pdf|backup}})
   * FCC-ID [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=98433&fcc_id=EF4ACP00872|EF4 ACP00872]] ({{::megacode:act34b-fcc.zip|archive}})   * FCC-ID [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=98433&fcc_id=EF4ACP00872|EF4 ACP00872]] ({{::megacode:act34b-fcc.zip|archive}})
 +
 +internal pictures:
 +
 +{{:megacode:act34b-pcb1.jpg?250|}}
 +{{:megacode:act34b-pcb3.jpg?250|}}
 +{{:megacode:act34b-pcb4.jpg?250|}}
  
 It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010103|PIC12C508]]. It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010103|PIC12C508]].
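Review bot: the opening paragraph of this hunk promises to say how secure the MegaCode system is but never gives the answer, so consider stating it up front: the protocol section added later in this revision describes a frame of one sync bit, 20 fixed system code bits and 3 data bits with no rolling element, and the decode.rb output shows the identical value 0xc917c2 on all five repetitions, which is exactly what makes cloning and record-and-replay possible. Smaller point in the same hunk: the added line `At [[https://events.ccc.de/congress/2014/Fahrplan/events/6462.html|31c3]] I gave a [[...|short talk]] about how to clone and record codes.` and the episode #004/#005 line that follows it are separated only by a single newline, which DokuWiki renders as one paragraph; add a blank line between them and drop the trailing space after `codes.`.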
Line 18: Line 25:
 But code protection was probably used. But code protection was probably used.
 This chip can also come as One Time Programmable, and might be factory programmed. This chip can also come as One Time Programmable, and might be factory programmed.
 +
 +==== 318LIPW1K ====
 +
 +The flashable alternative to the ACT-34B is the [[http://www.transmittersolutions.com/Gates-Garages/Transmitters/318MHz/Monarch%20318LIPW1K/|318LIPW1K]] from the [[http://www.transmittersolutions.com/|Transmitted Solution]] Monarch series.
 +
 +  * [[http://www.transmittersolutions.com/Gates-Garages/Transmitters/318MHz/Monarch%20318LIPW1K/|product information]]
 +  * [[http://www.transmittersolutions.com/manuals/TS-Monarch318LIPw1K.pdf|manual]] ({{:megacode:monarch-318lipw1k_manual.pdf|archive}})
 +  * FCC-ID [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=281502&fcc_id=SU7318LIPW1K|SU7 318LIPW1K]] ({{:megacode:318lipw1k-fcc.zip|archive}})
  
 internal pictures: internal pictures:
  
-{{:megacode:act34b-pcb1.jpg?250|}} +{{:megacode:318lipw1k-pcb1.jpg?250|}} 
-{{:megacode:act34b-pcb3.jpg?250|}} +{{:megacode:318lipw1k-pcb2.jpg?250|}} 
-{{:megacode:act34b-pcb4.jpg?250|}}+{{:megacode:318lipw1k-pcb3.jpg?250|}} 
 + 
 +It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en019829|PIC12F635]]. 
 +The PICkit2 programmer does support the PIC12F family because it's flash based. 
 +But code and data protection were.
  
 ===== receiver ===== ===== receiver =====
  
-In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so to record codes and analyze them.+==== MDR ==== 
 + 
 +The main target is the [[http://www.linearcorp.com/product_detail.php?productId=941|MDR]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]]. 
 + 
 +  * [[http://www.linearcorp.com/product_detail.php?productId=941|product information]] 
 +  * [[http://www.linearcorp.com/pdf/manuals/MDR_MDR-2_MDRM.pdf|manual]] ({{:megacode:mdr-manual.pdf|backup}}) 
 + 
 +internal pictures: 
 + 
 +{{:megacode:mdr-pcb1.jpg?250|}} 
 +{{:megacode:mdr-pcb2.jpg?250|}} 
 +{{:megacode:mdr-pcb5.jpg?250|}} 
 +{{:megacode:mdr-pcb3.jpg?250|}} 
 +{{:megacode:mdr-pcb4.jpg?250|}} 
 +{{:megacode:mdr-pcb6.jpg?250|}} 
 + 
 +It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010122|PIC12C54A]]. 
 +The PICkit2 programmer does not support the PIC16C family because it's EPROM based and requires higher voltage. 
 +But code protection is probably used. 
 +This chip can also come as One Time Programmable, and might be factory programmed. 
 + 
 +==== MDR-U ==== 
 + 
 +The main target is the [[http://www.linearcorp.com/product_detail.php?productId=942|MDR-U]] from the [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]]. 
 + 
 +  * [[http://www.linearcorp.com/product_detail.php?productId=942|product information]] 
 +  * [[http://www.linearcorp.com/pdf/manuals/MDRU.pdf|manual]] ({{:megacode:mdru-manual.pdf|backup}}) 
 + 
 +internal pictures: 
 + 
 +{{:megacode:mdru-pcb1.jpg?250|}} 
 +{{:megacode:mdru-pcb2.jpg?250|}} 
 +{{:megacode:mdru-pcb3.jpg?250|}} 
 +{{:megacode:mdru-pcb6.jpg?250|}} 
 +{{:megacode:mdru-pcb4.jpg?250|}} 
 +{{:megacode:mdru-pcb5.jpg?250|}} 
 + 
 +It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010122|PIC12C54A]]. 
 +The PICkit2 programmer does not support the PIC16C family because it's EPROM based and requires higher voltage. 
 +But code protection is probably used. 
 +This chip can also come as One Time Programmable, and might be factory programmed. 
 + 
 +===== protocol ===== 
 + 
 +The MegaCode protocol is partially specified in the [[https://apps.fcc.gov/oetcf/eas/reports/ViewExhibitReport.cfm?mode=Exhibits&RequestTimeout=500&calledFromFrame=N&application_id=98433&fcc_id=EF4ACP00872|FCC]] documents [[https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=112614|MegaCode1]] ({{:megacode:megacode_1.pdf|backup}}) and [[https://apps.fcc.gov/eas/GetApplicationAttachment.html?id=112615|MegaCode2]] ({{:megacode:megacode_1.pdf|backup}}). 
 + 
 +It uses Amplitude Modulation (AM) on 318MHz. 
 +There are two levels: on and off. 
 +The transmission uses 24 bit frames and 1 blank cell. 
 +Each is 6 ms long. 
 +Within each bit frame a 1 ms pulse is send. 
 +The pulse is either in the first or second half within the bit frame (after 2 or 5 ms). 
 +This defines if the bit is a 0 or 1. 
 +The first bit frame is used as sync frame and is always a 1. 
 +It is followed by 20 system code bits and 3 data bits. 
 + 
 +===== software defined radio ===== 
 + 
 +This signal can be recorded using a software defined radio (SDR). 
 +I used the inexpensive USB DVB stick [[https://sdr.osmocom.org/trac/wiki/rtl-sdr|RTL-SDR]]. 
 + 
 +First find the exact frequency at which the remote transmits using an FFT software, such as [[https://sdr.osmocom.org/trac/wiki/sdrangelove|sdrangelove]]. 
 +Use this frequency to record and demodulate the signal using [[https://sdr.osmocom.org/trac/wiki/rtl-sdr|rtl_fm]]: 
 +<code> 
 +rtl_fm -f 317.962M -M am megacode.pcm 
 +</code> 
 +The recorded data can be view in audio editing tools such as [[http://audacity.sourceforge.net/|audacity]] by importing it as raw data, 24kHz, mono, 16 bits little endian. 
 + 
 +The code can also be extracted using [[https://git.cuvoodoo.info/kingkevin/megacode/blob/master/sdr/decode.rb|decode.rb]] 
 +<code> 
 +./decode.rb megacode.pcm 
 +</code> 
 +This decodes the transmissions and lists the 3 bytes values. 
 +<code> 
 +egdes: 0 
 +# pulses: 0 
 +# groups: 1 (1) 
 +# transmissions:
 +# values: 0 
 +# egdes: 1822 
 +# pulses: 167 
 +# groups: 9 (24, 24, 23, 13, 10, 24, 24, 24, 1) 
 +# transmissions:
 +# values: 5 
 +values:  
 +- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) 
 +- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) 
 +- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) 
 +- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) 
 +- value: 13178818 (0xc917c2), system code: 598776 (0x922f8), databits: 2 (0x2) 
 +</code> 
 + 
 +===== transmitting ===== 
 + 
 +==== 318LIPW1K ==== 
 + 
 +The 318LIPW1K can be flashed using a PICkit2 micro-controller. 
 +The {{:megacode:318lipw1k_schematic.pdf|schematic}} describes how the micro-controller is connected. 
 + 
 +A pin header can be soldered on the board: 
 + 
 +{{:megacode:318lipw1k-header2.jpg?250|}} 
 +{{:megacode:318lipw1k-header1.jpg?250|}} 
 +{{:megacode:318lipw1k-header3.jpg?250|}} 
 + 
 +The firmware is available in [[https://git.cuvoodoo.info/kingkevin/megacode/tree/master/pic/318LPW1K-L|git]]
 +You can define the code to transmit in [[https://git.cuvoodoo.info/kingkevin/megacode/blob/master/pic/318LPW1K-L/eeprom.asm|EEPROM]]. 
 + 
 +==== ACT-34B ==== 
 + 
 +de-soldered the PIC12F508A micro-controller and replaced it with a pin compatible (slimmer) PIC12F1840: 
 + 
 +{{:megacode:act34b-replace1.jpg?250|}} 
 +{{:megacode:act34b-replace2.jpg?250|}} 
 +{{:megacode:act34b-replace3.jpg?250|}} 
 + 
 +The firmware is available in [[https://git.cuvoodoo.info/kingkevin/megacode/tree/master/pic/ACT-34B|git]]. 
 +The two right buttons are used to send codes defined in the source. 
 +I planned to use the two left buttons to brute force codes but did not finish the implementation. 
 + 
 +===== receiving ===== 
 + 
 +==== MDR ==== 
 + 
 +I de-soldered the PIC16C54A micro-controller and replaced it with a pin compatible PIC16F1847: 
 + 
 +{{:megacode:mdr-replace1.jpg?250|}} 
 +{{:megacode:mdr-replace2.jpg?250|}} 
 +{{:megacode:mdr-replace3.jpg?250|}} 
 + 
 +The {{:megacode:mdr_schematic.pdf|schematic}} describes how the micro-controller is connected. 
 + 
 +The firmware receiving and recording codes is available in [[https://git.cuvoodoo.info/kingkevin/megacode/tree/master/pic/MDR|git]]. 
 +How it works and how to use it further is described in the [[https://git.cuvoodoo.info/kingkevin/megacode/blob/master/README.md|README]]. 
 +All codes are read out over I²C when the board is powered up. 
 +They can be recorded/transferred on the PC using a logic analyzer. 
 + 
 +The original way the codes are recorded by the device in the EEPROM is described in the [[https://git.cuvoodoo.info/kingkevin/megacode/blob/master/README.md|README]] 
 +==== MDR-U ==== 
 + 
 +The MDR-U is basically the same as the MDR. 
 +The board is different, but the peripheral and connections around the micro-controller. 
 +It uses more surface mount components. 
 +It is powered through the mains (CAUTION: neutral is used as 0V). 
 + 
 +Same as for the MDR, I de-soldered the PIC16C54A micro-controller and replaced it with a pin compatible PIC16F1847 (SOIC version). 
 +The firmware is the same as the MDR.
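Review bot: the part numbers in this hunk contradict each other and should be reconciled against the markings on the boards: the MDR and MDR-U sections both say `It uses a [[https://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010122|PIC12C54A]].` while the very next line talks about the PIC16C family and the receiving section later says the PIC16C54A was de-soldered, and the ACT-34B transmitting section says a PIC12F508A was removed while the ACT-34B section above gives PIC12C508 (that sentence also lacks its subject and should start with "I de-soldered"). Other points to fix in the same pass: the 318LIPW1K sentence `But code and data protection were.` is cut off and should say whether protection was set and therefore whether the firmware could be read out; the protocol section links both the MegaCode1 and MegaCode2 backups to megacode_1.pdf, so the second backup is probably the wrong attachment; the MDR-U sentence `The board is different, but the peripheral and connections around the micro-controller.` is missing its verb (presumably "are the same"); "PICkit2 micro-controller" in the transmitting section should read "PICkit2 programmer", consistent with the 318LIPW1K section; "Transmitted Solution" should be "Transmitter Solutions" to match the linked site; "a 1 ms pulse is send" should be "is sent" and "can be view" should be "can be viewed"; the git link sentence for the 318LPW1K-L firmware lacks a full stop; and the README sentence directly before the MDR-U heading needs a full stop and a blank line so the heading is parsed as a heading. Keep the CAUTION about neutral being used as 0V on the MDR-U, but consider adding that the board is therefore not isolated from the mains, so it must be disconnected before attaching a programmer or logic analyzer.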
megacode.txt · Last modified: 2024/01/07 17:49 by 127.0.0.1