aboutsummaryrefslogtreecommitdiff
path: root/README.md
blob: 98c880f0f2fac22a7142e053e3edd74cfb6db8ca (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
This project is about the Linear's gate control system MegaCode.
Product page: http://www.linearcorp.com/radio_control.php#megacode

The transmission protocol has been reversed, and the firmware for the remote and receiver rewritten.
It can now be used to send and receive custom codes.

megacode
========

The transmission protocol works as follows:

The value is encoded using Linear LLC MegaCode scheme.
It uses AM/ASK/A1D pulse position for the radio signal.

The radio transmission uses the 318MHz frenquency.
The signal is encoded using Linear LLC MegaCode scheme.
It uses AM/ASK/A1D pulse position for the radio signal.
24 bits are transmitted:
- 1 sync bit
- 16 bits for the remote code
- 4 bits for the facility code
- 3 bits for data bits (the channel/button used)

24 bursts are transmitted, plus 1 blank burst, within 150 ms.
Each burst is a 6 ms bitframe.
Withing the burst there is a 1 ms pulse after 2 or 5 ms.
The blank burst does not include a pulse and is used to separate transmissions.
The first pulse is used to synchronize and is always after 5ms within the burst.

sdr
===

This folder contains tools to be used with Software Defined Radio (SDR).

A RTL-SDR has been used to capture the signal.
Use *sdrangelove* to figure out the frequency.
It is around 318MHz, but +/- 100kHz.
Use *rtl_fm* to record the transmission:
	rtl_fm -f 317.962M -M am megacode.pcm
A few remote transmissions have been captured and the recordings are saved in *samples*

*megacode.pcm* will have signed 16 bits little endian sample, at 24000Hz.
Use *decode.rb* to decode this recording:
	./decode.rb megacode.pcm

To record is an opportunistic way (someone uses an unknown remote further away), you have to tweak *rtl_fm*:
	rtl_fm -f 317.9M:318.1M:20k -g 10 -l 700 -M am megacode.pcm

pic
===

This folder contains firmwares for the transmitter and receiver micro-controllers.

318LIPW1K
---------

The Monarch 318LIPW1K(-L) is a compatible/clone of the Linear ACT-31B.
Product page: http://www.communitycontrols.com/Product/?PID=196
Manual: http://s3.amazonaws.com/CommunityControls/PDFs/CC-Monarch-318LIPw1K.pdf
FCCID: SU7318LIPW1K

It uses a re-programmable chip (flash based).
It uses a PIC12F629 (SN package) micro-controller.
Monarch also advertises that the code is programmable.
I could not find the software.
The programming header is even present on the board.
But the micro-controller has read protection enabled.

The firmware has been re-implemented from scratch.
It can send custom codes.
Either change the default code in the *318LPW1K-L.c* source code and reflash the device:
	make flash
Or change the code it in the *eeprom.asm* file and only rewrite the EEPROM:
	make eeprom
Then press the button to send your code.

ACT-34B
-------

The Linear ACT-34B is a gate remote.
Product page: http://www.linearcorp.com/product_detail.php?productId=867
Manual: http://www.linearcorp.com/pdf/manuals/ACT-31B_ACT-34B.pdf
FCCID: EF4ACP00872

The PCB of the ACT-31B is the same than the ACT-34B, with only one switch out of four populated.
It uses a PIC12C508A (SM package) micro-controller.
This micro-controller is EEPROM based (designated by the 'C' in the name) which the PICkit 2 can't program.
It is programmed using the test points, but only once since it's a One Time Programmable (OTP) chip.

A pin compatible flash based chip can be used instead.
Most P12FXXX are, like the PIC12F629/PIC12F675 (simplest alternative), PIC12F617 (more flash but no EEPROM), and PIC12F1840 (high end).
They come in SN packages, which is thiner then the original SM package.
But the pitch is the same and the pins can be soldered on the pads.

The firmware can be flashed on a PIC12F617 using:
	*make all*
The code is hard coded in the *ACT-34B.c* source file.
Button functions:
- big top right button: send a primary code
- red bottom right button: send a secondary code (e.g. security code to open all doors)
- smaller top left button: start sending random codes
- black bottom left button: stop sending random codes

MDR

MDR
---

The MDR is a MegaCode receiver which can activate the gate motors if the right code is received.
Product page: http://www.linearcorp.com/product_detail.php?productId=941
Manual: http://www.linearcorp.com/pdf/manuals/MDR_MDR-2_MDRM.pdf

Codes can be programmed in the receiver by pressing the "learn" button and activating the remote, which will transmit the signal.
The device requires a 24V power source, but it can go down to 17V.

The board uses only trough hole components, and is one-sided.
This makes it very easy to trace path, measure a different points and pin, and exchange parts.
The MDR only has 1 "channel", while the MDR-2 has 2.
The board is the same.
The only hardware difference is that the MDR has a switch and a relay which are not populated.
The main different is that the MDR-2 can allow 2x10 codes to be programmed instead of 10.
But this is only an artificial software limitation.

A PIC16C54A micro-controller is used to provide the main function.
A TLC555CP timer is used as clock to match the 318MHz frequency on which the codes are transmitted.
A LM358N opamp is used to get the pulses out of the received signal.
A 24LC254 I²C EEPROM is used to store which code is allowed.
It can not be programmed in circuit because a pull-up resistor is missing on SCL.
The PIC implement I²C as software bit banging by driving the pins (not using open collectors).
A LM78L05ACZ voltage regulator will provide 5V for the logic, except the relay.
The PICkit2 does not provide enough current to power the logic, but a USB port does.

The MDR-U is a more compact and semi-SMT version of the MDR.
Product page: http://www.linearcorp.com/product_detail.php?productId=942
Manual: http://www.linearcorp.com/pdf/manuals/MDRU.pdf

It plugs in a wall socket instead of requiring 24V.
Beware, the neutral blade is used as GND on the board.
Do not connect an oscilloscope earth to the PCB ground as you will short the mains.
Either use the difference between two oscilloscope probes, or provide yourself 5V (e.g. on the voltage regulator pins)

A PIC16F1847 replaces the original PIC16C54A to help the custom firmware.
To flash it (in circuit and with external power) use:
	make all
The firmware saves the MegeCodes codes it receives in EEPROM.
The codes are read out when the MDR is powered up so a logic analyzer can capture them.
The unique codes are stored as 3 bytes one behind each other.
It can same 256 (kb) x 1024 (b/kb) / 8 (b/B) / 3 (B/code) =10922 codes.
Every time a code is received, the LED blinks.
If the code is new the LED stays on.
Switch the LED off by pressing the button.
Hold the button for 5s (it will blink 20 times) to clear the EEPROM from all codes.

eeprom
======

This folder contains traces from the MDR I²C communication.

The bus pirate was not able to sniff the complete traffic.
I used hardware version 3.6 sparkfun 2/11/2010 with software version 6.1.
The last byte is probably not detected because the stop condition is missing.

I used a Saleae Logic 16 logic analyzer to monitor the traffic.
	sigrok-cli --driver saleae-logic16 --output-format hex --channels 0,1 --protocol-decoders i2c:sda=0:scl=1 --config samplerate=1M --continuous | grep ":"

The EEPROM contains the programmed/learned codes which will activate the relay.
If the code 0xABCDEF is tranmitted, the microcontroller with read the byte at address 0x(B&7)ECD.
The bits in this byte will tell which even value D is authorized (odd values are rounded down).
If the byte = 0x01, only F = 0x0 (and 0x1) is authorized.
If the byte = 0x02, only F = 0x2 (and 0x3) is authorized.
...
If the byte = 0x80, only F = 0xe (and 0xf) is authorized.
If the byte = 0x03, only F = 0x0, 0x1, 0x2, and 0x3 are authorized.
If the byte = 0x07, only F = 0x0, 0x1, 0x2, 0x3, 0x4, 0x5 are authorized.

This is quite clever as the ID is used as address.
It saves space, although there is by for too much available.
It also increases the checking speed as it does not need to go through the memory.
To verify how many codes have been saved, the whole memory is read once in the beginning and the number of codes counted (to enforce the software limit).