MegaCode garage gate opener firmware (remote and gate) for PIC micro-controllers
King Kévin 9f6fc7480e add MDR information and EEPROM encoding 2014-07-20 18:07:53 -07:00
eeprom add MDR information and EEPROM encoding 2014-07-20 18:07:53 -07:00
pic port 318LPW1K-L code for ACT-34B remote 2014-07-19 12:58:16 -07:00
sdr add recorded rtl_fm samples 2014-07-12 18:15:45 -07:00
.gitignore specify files to ignore 2014-07-12 19:04:48 -07:00
README.md add MDR information and EEPROM encoding 2014-07-20 18:07:53 -07:00

README.md

The Linear ACT-34B is a gate remote.

  • product page: http://www.linearcorp.com/product_detail.php?productId=867
  • manual: http://www.linearcorp.com/pdf/manuals/ACT-31B_ACT-34B.pdf
  • FCCID: EF4ACP00872

The Linear ACT-31B is the same as the ACT-34B, but has only one button instead of four.

The Monarch 318LIPW1K(-L) is a compatible clone of the Linear ACT-31B.

  • product page: http://www.communitycontrols.com/Product/?PID=196
  • manual: http://s3.amazonaws.com/CommunityControls/PDFs/CC-Monarch-318LIPw1K.pdf
  • FCCID: SU7318LIPW1K

megacode


The radio transmission uses the 318 MHz frequency. The signal is encoded using the Linear LLC MegaCode scheme. It uses AM/ASK/A1D pulse position for the radio signal. 24 bits are transmitted:

  • 1 sync bit
  • 16 bits for the remote code
  • 4 bits for the facility code
  • 3 bits for data bits (the channel/button used)

24 bursts are transmitted, plus 1 blank burst, within 150 ms. Each burst is a 6 ms bitframe. Within the burst there is a 1 ms pulse after 2 or 5 ms. The blank burst does not include a pulse and is used to separate transmissions. The first pulse is used to synchronize and is always after 5 ms within the burst.

sdr

This folder contains tools to be used with Software Defined Radio (SDR).

An RTL-SDR has been used to capture the signal. Use sdrangelove to figure out the frequency. It is around 318 MHz, but +/- 100 kHz. Use rtl_fm to record the transmission:

    rtl_fm -f 317.962M -M am megacode.pcm

A few remote transmissions have been captured and the recordings are saved in samples.

megacode.pcm will have signed 16-bit little-endian samples at 24000 Hz. Use decode.rb to decode this recording:

    ./decode.rb megacode.pcm
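The framing described in the megacode section (6 ms bitframes, a 1 ms pulse 2 or 5 ms into each frame, the sync pulse always at 5 ms) can be checked against samples at this rate with a few lines of Ruby. This is an added example, not the repository's decode.rb; the names, the threshold, the tolerance and the constructed test signal are assumptions, as is the mapping of a late pulse to 1 and an early pulse to 0.

```ruby
# Added example, not the repository's decode.rb.
RATE  = 24_000             # rtl_fm output sample rate stated above
FRAME = RATE * 6 / 1000    # 6 ms bitframe = 144 samples
PULSE = RATE / 1000        # 1 ms pulse    = 24 samples
EARLY = RATE * 2 / 1000    # pulse starting 2 ms into the frame
LATE  = RATE * 5 / 1000    # pulse starting 5 ms into the frame
SLACK = PULSE / 2          # constructed tolerance: half a pulse width

# Constructed input: AM envelope for one 24-bit value plus the blank burst.
# ASSUMPTION: a late (5 ms) pulse is a 1 and an early (2 ms) pulse is a 0.
def synthesize(value, amplitude = 8000)
  frames = 23.downto(0).map do |i|
    frame = Array.new(FRAME, 0)
    start = value[i] == 1 ? LATE : EARLY
    frame.fill(amplitude, start, PULSE)
  end
  frames.flatten + Array.new(FRAME, 0)
end

# Returns the 24-bit value, or nil when the samples do not form a valid frame.
def decode(samples, threshold = 4000)
  rises = (1...samples.size).select do |i|
    samples[i] >= threshold && samples[i - 1] < threshold
  end
  return nil if rises.size < 24
  origin = rises.first - LATE          # sync pulse is always 5 ms into frame 0
  rises.first(24).each_with_index.inject(0) do |value, (rise, n)|
    offset = rise - origin - n * FRAME # pulse position inside its own bitframe
    if (offset - EARLY).abs <= SLACK
      value << 1
    elsif (offset - LATE).abs <= SLACK
      (value << 1) | 1
    else
      return nil                       # pulse at neither 2 ms nor 5 ms
    end
  end
end
```

A real recording would be loaded with `File.binread("megacode.pcm").unpack("s<*")` and needs a threshold chosen for its signal level.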

To record in an opportunistic way (someone uses an unknown remote further away), you have to tweak rtl_fm:

    rtl_fm -f 317.9M:318.1M:20k -g 10 -l 700 -M am megacode.pcm

pic

This folder contains firmware for the transmitter and receiver microcontrollers.

The PCB of the ACT-31B is the same as the ACT-34B, with only one switch out of four populated. It uses a PIC12C508A (SM package) microcontroller. This microcontroller is EEPROM based (designated by the 'C' in the name), which the PICkit 2 can't program. It is programmed using the test points, but only once since it's a One Time Programmable (OTP) chip.

A pin-compatible flash-based chip can be used instead. Most PIC12FXXX are, like the PIC12F629/PIC12F675 (simplest alternative), PIC12F617 (more flash but no EEPROM), and PIC12F1840 (high end). They come in SN packages, which are thinner than the original SM package. But the pitch is the same and the pins can be soldered on the pads.

The 318LIPW1K uses a re-programmable chip (flash based). It uses a PIC12F629 (SN package) microcontroller. Monarch also advertises that the code is programmable. I could not find the software. The programming header is even present on the board. But the microcontroller has read protection enabled.

receiver

The MDR is a MegaCode receiver which can activate gate motors if the right code is received. Codes can be programmed in the receiver by pressing the "learn" button and activating the remote, which will transmit the signal. The device requires a 24V power source, but it can go down to 17V.

The board uses only through-hole components and is one-sided. This makes it very easy to trace paths, measure at different points and pins, and exchange parts. The MDR only has 1 "channel", while the MDR2. The board is the same. The only hardware difference is that the MDR has a switch and a relay which are not populated. The main difference is that the MDR2 can allow 2x10 codes to be programmed instead of 10. But this is only an artificial software limitation.

A PIC16C54A microcontroller is used to provide the main function. The chip can be programmed in circuit if enough power is provided to the board. A TLC555CP timer is used as clock to match the 318 MHz frequency on which the codes are transmitted. An LM358N opamp is used to get the pulses out of the received signal. A 24LC254 I²C EEPROM is used to store which codes are allowed. It cannot be programmed in circuit (without the PIC) because a pull-up resistor is missing on SDA. An LM78L05ACZ voltage regulator provides 5V for the logic, not including the relay. The PICkit2 does not provide enough current to power the logic, but a USB port does.

eeprom

This folder contains traces from the MDR I²C communication.

The Bus Pirate was not able to sniff the complete traffic. I used hardware version 3.6 sparkfun 2/11/2010 with software version 6.1. The last byte is probably not detected because the ACK is missing.

I used a Saleae Logic 16 logic analyzer to monitor the traffic.

    sigrok-cli --driver saleae-logic16 --output-format hex --channels 0,1 --protocol-decoders i2c:sda=0:scl=1 --config samplerate=1M --continuous | grep ":"

The EEPROM contains the programmed/learned codes which will activate the relay. It is coded in a clever way. If the code 0xABCDEF is transmitted, the microcontroller will read the byte at address 0x(B&7)ECD. The bits in this byte tell which even values of D are authorized (odd values are rounded down).

  • If the byte = 0x01, only D = 0x0 (and 0x1) is authorized.
  • If the byte = 0x02, only D = 0x2 (and 0x3) is authorized.
  • ...
  • If the byte = 0x80, only D = 0xe (and 0xf) is authorized.
  • If the byte = 0x03, only D = 0x0, 0x1, 0x2, and 0x3 are authorized.
  • If the byte = 0x07, only D = 0x0, 0x1, 0x2, 0x3, 0x4, 0x5 are authorized.
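The lookup described above can be modelled in Ruby as follows. This is an added example, not code from this repository or from the MDR firmware; it takes the description literally (D is both the low address nibble and the bit selector), and the function names, the 0x00 fill value and the sample image are constructed assumptions.

```ruby
# Added example: a literal model of the lookup described above.
EEPROM_SIZE = 0x8000   # 15-bit address space implied by 0x(B&7)ECD

# Split a 24-bit code 0xABCDEF into the nibbles A..F.
def nibbles(code)
  5.downto(0).map { |i| (code >> (4 * i)) & 0xF }
end

# Address of the byte to read and the bit mask to test for this code.
# A, F and the top bit of B are not used by the lookup as described.
def eeprom_slot(code)
  _a, b, c, d, e, _f = nibbles(code)
  address = ((b & 7) << 12) | (e << 8) | (c << 4) | d
  [address, 1 << (d >> 1)]   # odd D rounds down to the even value below
end

# D values a stored byte authorizes, e.g. 0x03 -> 0x0, 0x1, 0x2, 0x3.
def authorized_d_values(byte)
  (0..7).select { |bit| byte[bit] == 1 }.flat_map { |bit| [2 * bit, 2 * bit + 1] }
end

# image is an Array of EEPROM_SIZE bytes (a constructed dump, not a real one).
def authorized?(image, code)
  address, mask = eeprom_slot(code)
  (image[address] & mask) != 0
end

# Constructed image with a single bit set for the sample code 0xABCDEF.
# ASSUMPTION: unused bytes read as 0x00.
SAMPLE_IMAGE = Array.new(EEPROM_SIZE, 0x00)
SAMPLE_IMAGE[0x3ECD] = 0x40
```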