2014-07-13 04:05:32 +02:00
|
|
|
The Linear ACT-34B is a gate remote.
|
|
|
|
product page: http://www.linearcorp.com/product_detail.php?productId=867
|
|
|
|
manual: http://www.linearcorp.com/pdf/manuals/ACT-31B_ACT-34B.pdf
|
|
|
|
FCCID: EF4ACP00872
|
|
|
|
The Linear ACT-31B is the same than the ACT-34B, but have only one button instead of four.
|
|
|
|
|
|
|
|
The Monarch 318LIPW1K(-L) is a compatible/clone of the Linear ACT-31B.
|
|
|
|
product page: http://www.communitycontrols.com/Product/?PID=196
|
|
|
|
manual: http://s3.amazonaws.com/CommunityControls/PDFs/CC-Monarch-318LIPw1K.pdf
|
|
|
|
FCCID: SU7318LIPW1K
|
|
|
|
|
|
|
|
megacode
|
|
|
|
========
|
|
|
|
|
|
|
|
The value is encoded using Linear LLC MegaCode scheme.
|
|
|
|
It uses AM/ASK/A1D pulse position for the radio signal.
|
|
|
|
|
|
|
|
The radio transmission uses the 318MHz frenquency.
|
|
|
|
The signal is encoded using Linear LLC MegaCode scheme.
|
|
|
|
It uses AM/ASK/A1D pulse position for the radio signal.
|
|
|
|
24 bits are transmitted:
|
|
|
|
- 1 sync bit
|
|
|
|
- 16 bits for the remote code
|
|
|
|
- 4 bits for the facility code
|
|
|
|
- 3 bits for data bits (the channel/button used)
|
|
|
|
|
|
|
|
24 bursts are transmitted, plus 1 blank burst, within 150 ms.
|
|
|
|
Each burst is a 6 ms bitframe.
|
|
|
|
Withing the burst there is a 1 ms pulse after 2 or 5 ms.
|
|
|
|
The blank burst does not include a pluse and is used to separate transmissions.
|
|
|
|
The first pulse is used to synchronize and is alwasy after 5ms within the burst.
|
|
|
|
|
|
|
|
sdr
|
|
|
|
===
|
|
|
|
|
|
|
|
This folder contains tools to be used with Software Defined Radio (SDR).
|
|
|
|
|
|
|
|
A RTL-SDR has been used to capture the signal.
|
|
|
|
Use *sdrangelove* to figure out the frequency.
|
|
|
|
It is around 318MHz, but +/- 100kHz.
|
|
|
|
Use *rtl_fm* to record the transmission:
|
|
|
|
rtl_fm -f 317.962M -M am megacode.pcm
|
|
|
|
A few remote transmissions have been captured and the recordings are saved in *samples*
|
|
|
|
|
|
|
|
*megacode.pcm* will have signed 16 bits little endian sample, at 24000Hz.
|
|
|
|
Use *decode.rb* to decode this recording:
|
|
|
|
./decode.rb megacode.pcm
|
|
|
|
|
|
|
|
To record is an opprotunistic way (someone uses an unknown remote further away), you have to tweak *rtl_fm*:
|
|
|
|
rtl_fm -f 317.9M:318.1M:20k -g 10 -l 700 -M am megacode.pcm
|
|
|
|
|
|
|
|
pic
|
|
|
|
===
|
|
|
|
|
|
|
|
This folder contains firmwares for the transmitter and receiver microcontrollers.
|
|
|
|
|
|
|
|
The PCB of the ACT-31B is the same than the ACT-34B, with only one switch out of four populated.
|
|
|
|
It uses a PIC12C508A (SM package) microcontroller.
|
|
|
|
This microcontroller is EEPROM based (designated by the 'C' in the name) which the PICkit 2 can't program.
|
|
|
|
It is programmed using the test points, but only once since it's a One Time Programmable (OTP) chip.
|
|
|
|
|
|
|
|
A pin compatible flash based chip can be used instead.
|
|
|
|
Most P12FXXX are, like the PIC12F629/PIC12F675 (simplest alternative), PIC12F617 (more flash but no EEPROM), and PIC12F1840 (high end).
|
|
|
|
They come in SN packages, which is thiner then the original SM package.
|
|
|
|
But the pitch is the same and the pins can be soldered on the pads.
|
|
|
|
|
|
|
|
The 318LIPW1K uses a re-programmable chip (flash based).
|
|
|
|
It uses a PIC12F629 (SN package) microcontroller.
|
|
|
|
Monarch also adversitve that the code is programmable.
|
|
|
|
I could not find the software.
|
|
|
|
The programming header is even present on the board.
|
|
|
|
But the microcontroller has read protection enabled.
|
2014-07-21 03:07:53 +02:00
|
|
|
|
|
|
|
receiver
|
|
|
|
========
|
|
|
|
|
|
|
|
The MDR is a megacode receiver which can activate gate motors if the right code is received.
|
|
|
|
Codes can be programmed in the receiver by pressing the "learn" button and activating the remote, which will transmit the signal.
|
|
|
|
The device requires a 24V power source, but it can go down to 17V.
|
|
|
|
|
|
|
|
The board uses only trough hole components, and is one-sided.
|
|
|
|
This makes it very easy to trace path, measure a different points and pin, and exhange parts.
|
|
|
|
The MDR only has 1 "channel", while the MDR2.
|
|
|
|
The board is the same,
|
|
|
|
The only hardware difference is that the MDR has a switch and a relay which are not populated.
|
|
|
|
The main is that the MDR2 can allow 2x10 codes to be programmed instead of 10.
|
|
|
|
But this is only an artificial software limitation.
|
|
|
|
|
|
|
|
A PIC16C54A microcontroller is used to provide the main function.
|
|
|
|
The chip can be program in circuit if enough power is provided to the board.
|
|
|
|
A TLC555CP timer is used as clock to match the 318MHz frequency on which the codes are transmitted.
|
|
|
|
A LM358N opamp is used to get the pulses out of the received signal.
|
|
|
|
A 24LC254 I²C EEPROM is used to store which code is allowed.
|
|
|
|
It can not be programmed in circuit (without the PIC) because a pull-up resistor is missing on SDA.
|
|
|
|
A LM78L05ACZ voltage regulator will provide 5V for the logic, not including the relay.
|
|
|
|
The PICkit2 does not provide enough current to power the logic, but a USB port does.
|
|
|
|
|
|
|
|
eeprom
|
|
|
|
======
|
|
|
|
|
|
|
|
This folder contains traces from the MDR I²C communication.
|
|
|
|
|
|
|
|
The bus pirate was not able to sniff the complete traffic.
|
|
|
|
I used hardwae version 3.6 sparkfun 2/11/2010 with software version 6.1.
|
|
|
|
The last byte is probably not detected because the ACK is missing.
|
|
|
|
|
|
|
|
I used a Saleae Logic 16 logic analyzer to monitor the traffic.
|
|
|
|
sigrok-cli --driver saleae-logic16 --output-format hex --channels 0,1 --protocol-decoders i2c:sda=0:scl=1 --config samplerate=1M --continuous | grep ":"
|
|
|
|
|
|
|
|
The EEPROM contains the programmed/learned codes which will activate the relay.
|
|
|
|
It is code in a clever way.
|
|
|
|
If the code 0xABCDEF is tranmitted, the microcontroller with read the byte at address 0x(B&7)ECD.
|
|
|
|
The bits in this byte will tell which even value D is authorized (odd values are rounded down).
|
|
|
|
If the byte = 0x01, only D = 0x0 (and 0x1) is authorized.
|
|
|
|
If the byte = 0x02, only D = 0x2 (and 0x3) is authorized.
|
|
|
|
...
|
|
|
|
If the byte = 0x80, only D = 0xe (and 0xf) is authorized.
|
|
|
|
If the byte = 0x03, only D = 0x0, 0x1, 0x2, and 0x3 are authorized.
|
|
|
|
If the byte = 0x07, only D = 0x0, 0x1, 0x2, 0x3, 0x4, 0x5 are authorized.
|
|
|
|
|