
Topic: Rolling code hacking (motorized screen), a question for binary experts

RFman

I'm trying to automate my Screenline Wave Plus motorized screen. Its remote operates on the RF 433.92MHz frequency and I've already written the codes to capture and retransmit the commands. But there's a rolling code implemented. So my captured commands only work once (when the screen has yet to receive them). I need to find a way to calculate them.

I've attached an image of how my code translates the RF commands. I captured the remote by using my USB sound card as an oscillator. What I have so far:
  • Transmission begins with 11 HIGHs of 450-460 us
  • Then there's a HIGH of 4000-4100 us
  • Command starts with a changing pattern of 32 bits, this here is the problem!
  • Next 28 bits are probably the unique remote control ID, these remain always the same
  • Last 5 bits (could be more) indicate the command (down/stop/up)
  • All in all 65 command bits and a radio silence of 15500-15600 us at the end
  • I've translated the HIGHs of 450 us as 0 and HIGHs of 860 us as 1 (if you think this is wrong, please let me know!), to me the format does not look like Manchester encoding or similar (but I could be wrong!)


Here are some captured commands from the remote (in capture order). Down command:

10101011001001011011010001111011 1001101101000010000000000000 01000
10010111001001000110101010110010 1001101101000010000000000000 01000
00011100111010010101111111111001 1001101101000010000000000000 01000
01000111000100011110100011011100 1001101101000010000000000000 01000
01100100100001001111000101000010 1001101101000010000000000000 01000
10001100011101101011100101000111 1001101101000010000000000000 01000
10000101000010011111011011011000 1001101101000010000000000000 01000


Up command:

10111100011000101100011010110111 1001101101000010000000000000 10000
11111011110110111111100001111101 1001101101000010000000000000 10000
01000101011010111011101110011110 1001101101000010000000000000 10000
11011001010011111010000010001010 1001101101000010000000000000 10000
11010001100101100100111110001010 1001101101000010000000000000 10000
10100111110110111111001000100110 1001101101000010000000000000 10000
10101011111111000100010110110010 1001101101000010000000000000 10000


Stop command:

10000010110001100110101111011101 1001101101000010000000000000 11000
11011100110001001010011110111000 1001101101000010000000000000 11000
00110000010001000101100000010001 1001101101000010000000000000 11000
00010000101101111011111100111010 1001101101000010000000000000 11000
01011000010011000011100110011100 1001101101000010000000000000 11000
10010111011100110100110111100100 1001101101000010000000000000 11000
00100100000000101101111000100110 1001101101000010000000000000 11000


I've tried everything, including the usual XOR decrypting and binary to decimal converters. I just can't figure out a pattern of how these first 32 bits are formed. So I cannot replicate the commands unless I capture them from the remote each time. This calls for someone smarter than myself. Do these codes make sense to anyone here? I can capture more of them if needed, too.

Finally, thanks to anyone who bothered to read this post!
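As an added example (not the poster's own code), the Python below maps HIGH pulse widths to bits with the 450 us = 0 / 860 us = 1 hypothesis from the post and splits each captured frame into the 32/28/5 fields, then checks the structural claims made above: one constant remote ID, a fixed command field per button, and a 32-bit field that never repeats. The decision threshold (midpoint of the two widths) and the field boundaries are assumptions taken from the post; the embedded frames are a subset of the captures listed above.

```python
# Added example: structural check of the captured frames, not the poster's code.

# Pulse widths as measured in the post (microseconds); the midpoint threshold
# is an assumption, not something the post states.
ZERO_US, ONE_US = 450, 860
THRESHOLD_US = (ZERO_US + ONE_US) // 2


def pulses_to_bits(high_widths_us):
    """Map a list of HIGH pulse widths to a bit string (450us -> '0', 860us -> '1')."""
    return "".join("1" if w > THRESHOLD_US else "0" for w in high_widths_us)


def split_frame(frame):
    """Split a 65-bit frame into (rolling_32, remote_id_28, command_5)."""
    bits = frame.replace(" ", "")
    if len(bits) != 65 or set(bits) - {"0", "1"}:
        raise ValueError("expected 65 bits of 0/1, got %r" % frame)
    return bits[:32], bits[32:60], bits[60:]


def analyse(captures):
    """captures: {button_name: [frame, ...]} -> findings for each structural claim."""
    ids, cmds, rolling = set(), {}, []
    for name, frames in captures.items():
        for frame in frames:
            roll, remote_id, cmd = split_frame(frame)
            ids.add(remote_id)
            cmds.setdefault(name, set()).add(cmd)
            rolling.append(roll)
    return {
        "single_remote_id": len(ids) == 1,                      # 28-bit ID never changes
        "command_field_fixed": all(len(v) == 1 for v in cmds.values()),
        "command_fields": {k: next(iter(v)) for k, v in cmds.items()},
        "rolling_values_distinct": len(set(rolling)) == len(rolling),  # no repeats seen
    }


# Subset of the frames captured in the post (first three per button).
CAPTURES = {
    "down": ["10101011001001011011010001111011 1001101101000010000000000000 01000",
             "10010111001001000110101010110010 1001101101000010000000000000 01000",
             "00011100111010010101111111111001 1001101101000010000000000000 01000"],
    "up":   ["10111100011000101100011010110111 1001101101000010000000000000 10000",
             "11111011110110111111100001111101 1001101101000010000000000000 10000",
             "01000101011010111011101110011110 1001101101000010000000000000 10000"],
    "stop": ["10000010110001100110101111011101 1001101101000010000000000000 11000",
             "11011100110001001010011110111000 1001101101000010000000000000 11000",
             "00110000010001000101100000010001 1001101101000010000000000000 11000"],
}

if __name__ == "__main__":
    print(analyse(CAPTURES))
```

Feeding the full set of 21 frames (or fresh captures) into `analyse` is the quickest way to confirm that the 28-bit and 5-bit fields really are static before spending time on the 32-bit field.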

jremington

Rolling codes can be cracked, but only with great difficulty.

It would be much, much easier to replace the remote transmitter and receiver.
