HCS301

Hello,

I'm trying to use my Arduino Uno to control my garage door but I ran into a problem. I found out that my remote uses an HCS301 chip that uses an encryption algorithm called Keeloq. I found some code on this forum and in a Russian Arduino forum and some people said it works. However, I'm not sure how to use this. From what I understand, I just need to connect an RF receiver to my board, run the code, press a button on my remote, extract the Serial + Rolling Code from that code, and then use an RF transmitter with an encoding code (the algorithm is already published on the web). Is this correct?

Decoding code that I found (allegedly working, pastebin): here
Original post by the developer of the code (in Russian): here
Keeloq algorithm in C/C++: here

Thanks
tuniq

1 Like

I'm trying to do something similar.

I've got my own code for capturing the "code word" out of the air (via 433.92MHz receiver), and it's working well enough to get reliable data.

The big problem is figuring out the 64-bit "manufacturer's code" - it's the secret key to the encryption that's programmed into the remote. The receiver (from the same manufacturer) must know how to turn the transmitter's 28-bit serial number into the same 64-bit key that the remote is using to encrypt the data, or it can't decrypt the encrypted half of the code word it's sent and verify the sequence number. (Assuming they're using the "Normal Learning" algorithm. There's also a "Secure" algorithm that puts a 32-bit secret seed into the remote that you have to send to the receiver by pressing all the buttons at once... but I haven't seen it used.)

So there's a critical bit of algorithm here that isn't specified, and is intended to change for each manufacturer: How to convert a 28-bit serial number into a 64-bit encryption key.

There are a number of papers online about how to break the encryption key, but the "fast" solutions all need math skills I don't have, loads of computer power, and/or access to a bunch of FPGAs. The discovery of those weaknesses is bad for the big manufacturers, because they use the same code for many cars, so it may be worthwhile for someone to break their key for each model of car. It doesn't help us much, because we don't have that kind of compute power available.

I'm wondering if the cheap Chinese receivers are all using some extremely simple/dumb manufacturer's key, but I haven't managed to guess it yet.

1 Like
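An added example (editor's code, not from this thread or the linked pastebin) of the receiver-side logic the post above describes: the published 528-round KeeLoq cipher, the Normal Learning derivation of the 64-bit device key from the 28-bit serial number under a manufacturer code, and the discrimination-bit and sync-counter check that rejects a replayed or wrongly keyed code word. The manufacturer code, serial number and counter values are constructed placeholders; the hopping-code field layout (4 button bits, 2 overflow bits, 10 discrimination bits, 16-bit counter) and the 16-step forward window are taken from Microchip's HCS301 documentation.

```c
/* Added example, not from the thread: KeeLoq receiver-side validation with
 * Normal Learning key derivation. All key and serial values are constructed. */
#include <stdint.h>

#define KEELOQ_NLF 0x3A5C742Eu
#define BIT(x, n) (((x) >> (n)) & 1u)
#define G5(x, a, b, c, d, e) \
    (BIT(x, a) + BIT(x, b) * 2u + BIT(x, c) * 4u + BIT(x, d) * 8u + BIT(x, e) * 16u)

/* 528-round KeeLoq block cipher as published: 32-bit block, 64-bit key. */
uint32_t keeloq_encrypt(uint32_t x, uint64_t key) {
    for (uint32_t r = 0; r < 528; r++)
        x = (x >> 1) ^ ((BIT(x, 0) ^ BIT(x, 16) ^ (uint32_t)BIT(key, r & 63) ^
                         BIT(KEELOQ_NLF, G5(x, 1, 9, 20, 26, 31))) << 31);
    return x;
}
uint32_t keeloq_decrypt(uint32_t x, uint64_t key) {
    for (uint32_t r = 0; r < 528; r++)
        x = (x << 1) ^ BIT(x, 31) ^ BIT(x, 15) ^ (uint32_t)BIT(key, (15 - r) & 63) ^
            BIT(KEELOQ_NLF, G5(x, 0, 8, 19, 25, 30));
    return x;
}

/* Normal Learning: the device key is the 28-bit serial padded with 0x2 (low key
 * half) and 0x6 (high key half), each decrypted under the manufacturer code. */
uint64_t keeloq_normal_learn(uint32_t serial28, uint64_t mfg_code) {
    serial28 &= 0x0FFFFFFFu;
    uint32_t lo = keeloq_decrypt(0x20000000u | serial28, mfg_code);
    uint32_t hi = keeloq_decrypt(0x60000000u | serial28, mfg_code);
    return ((uint64_t)hi << 32) | lo;
}

/* Transmitter side: hopping code = encrypt(button[31:28] | OVR[27:26]=0 |
 * disc[25:16] = low 10 serial bits | sync counter[15:0]). */
uint32_t keeloq_make_hopping(uint32_t serial28, uint8_t button, uint16_t counter,
                             uint64_t dev_key) {
    uint32_t plain = ((uint32_t)(button & 0xFu) << 28) | ((serial28 & 0x3FFu) << 16) | counter;
    return keeloq_encrypt(plain, dev_key);
}

/* Receiver side: decrypt, check the discrimination bits against the serial
 * (wrong key or wrong remote fails here), and accept only a counter 1..16 steps
 * ahead of the stored value (an exact replay fails here). Advances *last on success. */
int keeloq_verify(uint32_t hopping, uint32_t serial28, uint64_t dev_key, uint16_t *last) {
    uint32_t plain = keeloq_decrypt(hopping, dev_key);
    if (((plain >> 16) & 0x3FFu) != (serial28 & 0x3FFu)) return 0;
    uint16_t delta = (uint16_t)((plain & 0xFFFFu) - *last); /* modulo 2^16 */
    if (delta == 0 || delta > 16) return 0;
    *last = (uint16_t)(plain & 0xFFFFu);
    return 1;
}
```

Because the device key is a deterministic function of the serial and the manufacturer code, a receiver only needs to store the serial and last counter per learned remote; the manufacturer code is the one secret the whole scheme rests on, which is why the post above calls it the critical unspecified piece.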

Hi, is there someone that has had some success with this process?
I'm also interested but I have the same decrypting problem.

1 Like

Same here, very interested in this. Can anyone shed some light?

1 Like