megacode [2014/12/28 22:12] – [MDR] kingkevin | megacode [2021/08/28 11:10] – [MDR-U] add aaronsp777's project kingkevin |
---|
The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it. | The [[http://www.linearcorp.com/|Linear]] [[http://www.linearcorp.com/radio_control.php|remote control]] solution from the [[http://www.linearcorp.com/radio_control.php#megacode|MegaCode series]] was used in the facility complex I was living for a short while, and I wanted to know how secure it is. Thus I reverse engineered it. |
| |
| At [[https://events.ccc.de/congress/2014/Fahrplan/events/6462.html|31c3]] I gave a [[https://media.ccc.de/browse/congress/2014/31c3_-_6462_-_en_-_saal_2_-_201412292245_-_megacode_to_facility_gates_-_kevin_redon.html#video|short talk]] about how to clone and record codes. |
In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls. In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so to record codes and analyze them. | In [[https://www.cuvoodoo.info/?post_type=podcast&p=69|episode #004]] I presented how the transmitting part works, and how to clone the radio remote controls. In [[https://www.cuvoodoo.info/?post_type=podcast&p=41|episode #005]] I presented how the receiving part works, so to record codes and analyze them. |
| |
The recorded data can be view in audio editing tools such as [[http://audacity.sourceforge.net/|audacity]] by importing it as raw data, 24kHz, mono, 16 bits little endian. | The recorded data can be view in audio editing tools such as [[http://audacity.sourceforge.net/|audacity]] by importing it as raw data, 24kHz, mono, 16 bits little endian. |
| |
The code can also be extracted using [[https://git.cuvoodoo.info/kingkevin/megacode/blob/master/sdr/decode.rb|decode.rb]] | The code can also be extracted using [[https://git.cuvoodoo.info/megacode/plain/sdr/decode.rb|decode.rb]] |
<code> | <code> |
./decode.rb megacode.pcm | ./decode.rb megacode.pcm |
{{:megacode:318lipw1k-header3.jpg?250|}} | {{:megacode:318lipw1k-header3.jpg?250|}} |
| |
The firmware is available in [[https://git.cuvoodoo.info/kingkevin/megacode/tree/master/pic/318LPW1K-L|git]]. | The firmware is available in [[https://git.cuvoodoo.info/megacode/plain/pic/318LPW1K-L|git]]. |
You can define the code to transmit in [[https://git.cuvoodoo.info/kingkevin/megacode/blob/master/pic/318LPW1K-L/eeprom.asm|EEPROM]]. | You can define the code to transmit in [[https://git.cuvoodoo.info/megacode/plain/pic/318LPW1K-L/eeprom.asm|EEPROM]]. |
| |
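Review bot: The new 318LPW1K-L firmware link points at a directory through `/megacode/plain/pic/318LPW1K-L`, while the ACT-34B and MDR firmware directories in this same revision are linked through `/megacode/tree/pic/...`. Use the `tree` form for the directory link as well and keep `plain` for single files such as `eeprom.asm` and `decode.rb`, then confirm the directory URL resolves.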
==== ACT-34B ==== | ==== ACT-34B ==== |
{{:megacode:act34b-replace3.jpg?250|}} | {{:megacode:act34b-replace3.jpg?250|}} |
| |
The firmware is available in [[https://git.cuvoodoo.info/kingkevin/megacode/tree/master/pic/ACT-34B|git]]. | The firmware is available in [[https://git.cuvoodoo.info/megacode/tree/pic/ACT-34B|git]]. |
The two right buttons are used to send codes defined in the source. | The two right buttons are used to send codes defined in the source. |
I planned to use the two left buttons to brute force codes but did not finish the implementation. | I planned to use the two left buttons to brute force codes but did not finish the implementation. |
The {{:megacode:mdr_schematic.pdf|schematic}} describes how the micro-controller is connected. | The {{:megacode:mdr_schematic.pdf|schematic}} describes how the micro-controller is connected. |
| |
The firmware receiving and recording codes is available in [[https://git.cuvoodoo.info/kingkevin/megacode/tree/master/pic/MDR|git]]. | The firmware receiving and recording codes is available in [[https://git.cuvoodoo.info/megacode/tree/pic/MDR|git]]. |
How it works and how to use it further is described in the [[https://git.cuvoodoo.info/kingkevin/megacode/blob/master/README.md|README]]. | How it works and how to use it further is described in the [[https://git.cuvoodoo.info/megacode/tree/README.md|README]]. |
All codes are read out over I²C when the board is powered up. | All codes are read out over I²C when the board is powered up. |
They can be recorded/transferred on the PC using a logic analyzer. | They can be recorded/transferred on the PC using a logic analyzer. |
| |
| The original way the codes are recorded by the device in the EEPROM is described in the [[https://git.cuvoodoo.info/megacode/tree/README.md|README]] |
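Review bot: The added sentence about how the device records codes in the EEPROM links to the same `README.md` that the "How it works and how to use it further" sentence a few lines above already links, and it is missing its closing period. Fold the two into one sentence, or say which part of the README covers the EEPROM layout so the second link adds something.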
==== MDR-U ==== | ==== MDR-U ==== |
| |
Same as for the MDR, I de-soldered the PIC16C54A micro-controller and replaced it with a pin compatible PIC16F1847 (SOIC version). | Same as for the MDR, I de-soldered the PIC16C54A micro-controller and replaced it with a pin compatible PIC16F1847 (SOIC version). |
The firmware is the same as the MDR. | The firmware is the same as the MDR. |
| |
| ==== RF module ==== |
| |
| aaronsp777 [[https://github.com/aaronsp777/megadecoder|implemented a receiver]] using a generic 315 MHz module, and an Arduino. |
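Review bot: The new "RF module" section is logged under the edit summary "[MDR-U] add aaronsp777's project" but sits under its own `====` heading at the same level as the ACT-34B and MDR-U device sections, so the summary and the page structure disagree about where it belongs. Also drop the comma in "a generic 315 MHz module, and an Arduino".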