Hacking and Opening Garage Doors Using a Raspberry Pi (Rolling Code, KeeLoq)


Please consider a little donation, so I can continue creating such great projects:

I have created a program for the Raspberry Pi to open any garage door, using any frequency from 0 to 1500 MHz and the modulation types AM and FM.

To control the Raspberry Pi, I have created an Android app which handles all actions over a Bluetooth connection:

Brute forcing is possible for all fixed-code remotes that use up to 20 bits for the code, which are:

Came, Tedsen, Kaeuferle, Nice, Ruku / Ansonic, Tormatic, Cardin, Dickert, Endress, Marantec, Hoermann, Einhell, Berner, Chamberlain, Rademacher, CDS, Bosch 12 DIP, Bosch 20 DIP.

 

The following rolling-code remotes can be detected and created:

AERF, Allmatic, Aprimatic TR, Aprimatic TXM, ATA PTX4, Avidsen, Beninca, BFT Mitto, Came Atomo, Cardin S449 FM, Cardin S435 AM, Celinsa, Centurion, Chamberlain/Liftmaster, Chamberlain/Liftmaster2.0, Dea, Dickert 868 Q Model, Ditec, Doormatic, Doorhahn, DTM Neo, Ecostar, Elmes, Elvox, Erreka, ET System Blue, ET System Blue Mix, ETDOOR, FAAC-RC, FAAC XT SLH, Fadini, Genius Bravo, Gibidi, GoModels, GSN, JCM Neo, Key, Kinggates, Merlin FM 433, Mc Garcia, House, Motorline, Mutancode, Nice FloR, Nice Smilo, Normstahl Entrematic, Normstahl RCU, Novoferm, O&O, Pecinin, Prastel, Pujol, Roper, Rossi, Schellenberg, Seav, Skymaster, Smilo, Sminn, Somfy Keetis, Somfy Keasy, Somfy Telis, Sommer 868FM, Space, Stagnoli, Telcoma, V2, Verex, Wisniowski.

Also check out the Remote Cloner Compatibility List.

 

Requirements:

For sending only, you will need a Raspberry Pi up to version 3, or a Pi Zero.
Attention: the Raspberry Pi 4 does not work, because it is incompatible with RPITX.
Plug a wire onto GPIO 4 (pin 7 of the GPIO header); this acts as the antenna.
The optimal length of the wire depends on the frequency you want to transmit on.

For receiving signals, you will need either an RTL-SDR stick, a HackRF One, or a simple 433.92 MHz receiver module working at 3.3 V;
most recently you can also use a CC1101 module with variable frequency selection.

Android App RF Remote:

The Android app is freely downloadable at the bottom of this page, but usage is limited to 10 tries for every vendor of remote control.
If the app works to your satisfaction, you can purchase each remote vendor for 5.- US$ here, and you will get unlimited usage for the purchased vendor.

A special deal is available for a full version with unlimited access to all vendors for 799 US$:

The app uses the permissions Bluetooth, GPS location, write to external storage and phone accounts.
The phone accounts permission is needed to retrieve the main email address of the Play Store account,
which is used as the login to the server, so please accept if asked to allow access to phone contacts.
GPS location is used to store the current position together with a garage code in your phone database.
Bluetooth is needed to connect to your Pi.
Write to external storage is needed to back up and restore your phone database.

You can also qualify for free vendors or full access by providing missing manufacturer keys or entire vendor systems.

Getting started:

Installing the Android App:

Download the zip file at the bottom of this site, unzip the APK file inside, and transfer it to your phone, either via Bluetooth or USB file transfer.

In your phone settings you will need to enable the option "Install unknown apps" in the security settings,
or check out this website for more info: https://www.lifewire.com/install-apk-on-android-4177185

Now locate the APK file with a file manager, and click on it to install it.

Setting up Raspberry Pi:

Download and install the latest Raspbian release for your Pi.
The latest release has Bluetooth already installed:
https://www.raspberrypi.org/software/operating-systems/#raspberry-pi-os-32-bit
For this guide I downloaded Raspberry Pi OS with desktop and recommended software,
filename: 2021-05-07-raspios-buster-armhf-full.zip

Unzip the downloaded file and use Win32DiskImager to write the image to an SD card.

Put the SD card in your Pi and start the Pi.

The Pi will start up with a desktop, ask you to set your local preferences, give you the option to add a wireless network, and then start downloading updates, which will take some time.

After the update is finished, start a shell on the Pi and start raspi-config with:

sudo raspi-config

Go into the Interface Options and enable SSH, so you can access your Pi from your PC with PuTTY.
If you want to use a CC1101 module, also enable the SPI interface.

Now you can use an SSH client like PuTTY on your PC and perform the further settings from there.
Connect to your Pi using SSH and log in with:

user: pi
password: raspberry

Now install RPITX as follows:

mkdir rpitx
cd rpitx
mkdir src
cd src

git clone https://github.com/F5OEO/librpitx
cd librpitx/src
make

cd ~

Now install the needed Bluetooth libraries:

sudo apt-get install libbluetooth-dev

Now we need the rtl-sdr libraries and the build tools:

sudo apt-get install librtlsdr-dev rtl-sdr build-essential autoconf cmake pkg-config

We have to fix an issue with Bluetooth startup (bluetoothd must run in compatibility mode, -C, so that programs using the classic SDP API can register a serial service), so let's edit the bluetooth.service file:

sudo nano /lib/systemd/system/bluetooth.service

go to the line: ExecStart=/usr/lib/bluetooth/bluetoothd
and append -C at the end:

ExecStart=/usr/lib/bluetooth/bluetoothd -C

Save and exit with:

Ctrl+o -> Enter -> Ctrl+x

The changes take effect after a reboot or by running these commands:

sudo systemctl daemon-reload
sudo /etc/init.d/bluetooth restart

Install SoapySDR:

git clone https://github.com/pothosware/SoapySDR.git
cd SoapySDR && mkdir build && cd build && cmake ..
make -j4
sudo make install
sudo ldconfig #needed on debian systems

cd ~

If you have a HackRF One, install the HackRF library:

sudo apt-get install hackrf libhackrf-dev
git clone https://github.com/pothosware/SoapyHackRF.git
cd SoapyHackRF
mkdir build
cd build
cmake ..
make
sudo make install

cd ~

Now download and install my module from my server:

mkdir rf
cd rf
wget http://www.ifoedit.com/rfcomm-server.tar
tar xvf rfcomm-server.tar

Now you can start it with:
sudo ./rfcomm-server

If you have an RTL-SDR stick or HackRF One connected, you can also specify a listening frequency, like this for 433.92 MHz:

sudo ./rfcomm-server -f 433920000

If the module starts without major errors, the first step is done.
Quit the program with CTRL-C, because we now need to pair the Pi with the Android phone.

On the Pi, start the bluetooth helper tool bluetoothctl:
sudo bluetoothctl
agent on
default-agent
scan on

Now start the Android app and choose Pair BT from the main menu.
Click the button Enable Discoverable,

and wait until your Pi shell shows your phone as a new device.

Once your phone appears, its MAC address is shown on the same line. Copy it and use it in the following commands, replacing xx:xx:xx:xx:xx:xx with your phone's MAC address:

pair xx:xx:xx:xx:xx:xx
trust xx:xx:xx:xx:xx:xx
exit

On your phone you will have to accept the pairing request.

Now you can connect to my module with your phone, so let's start the module again:

sudo ./rfcomm-server

In the Android app, go to Grab Signal and hit the connect button.
Then choose the Pi you just paired; it should connect without problems.
If your Pi does not appear in the list of paired devices, repeat the pairing process above.

To automatically start my module when the Pi powers up, let's edit the autostart script:

sudo nano /etc/rc.local

You will see this:


#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
printf "My IP address is %s\n" "$_IP"
fi

exit 0

Add the start command of the module before the exit line, like this:




#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
printf "My IP address is %s\n" "$_IP"
fi


sudo /home/pi/rf/rfcomm-server >> /home/pi/rf/autosniffrf.txt

exit 0

Save and exit with:

Ctrl+o -> Enter -> Ctrl+x
 

If you want to start my module manually from an SSH shell, you first need to quit the auto-started module: connect to the Pi with the Android app and choose the menu entry Pi -> Exit Server:


 

Cloning/Copying/Grabbing a Remote Control into the database:

To copy your own remote, connect an RTL-SDR device or HackRF One to your Pi and start my module on the Pi (or, if the module starts automatically, reboot the Pi).
Then start the Android app and connect to your Pi.
In the upper-right menu, choose to set the listening frequency for the RTL-SDR device, and set it to the frequency of your remote.

The app is now listening for recognized signals, so press a button on your remote control.
In my case, I am pressing button 1 of my Nice FloR 433.92 MHz remote:

The app will detect the signal, decode the encrypted values of the remote, and ask you whether to store it in your database.

In the Database-View you can see all your stored remotes:

A short press on a database entry sends the signal of the stored remote to open the garage, if your Pi is connected.

To edit or delete a database entry, press and hold the entry; an action menu will appear that lets you edit or delete it.

 

Brute Forcing a Garage Code:

First go to the main page "Home / Grab Signal" and connect to your Pi:

Change to the Brute page and select the system you would like to brute force.
Came is very common and widely used:

Press the "Play Button" to start the Brute process.

The brute forcing will start and display the current progress and estimated time:

When the door/gate/barrier opens, hit the Pause/Stop button:

If it is a door that closes automatically after a certain time, wait until the door has closed.
At this point you still don't have the exact code that opened the door, but you are close.
Now either hit the Back button manually a few times until the door opens again,

or use the Reverse button, which brutes backwards but not as fast,

and wait until the door opens again.
Wait until the door has closed, and use this button to send the same code again.
If the door does not open, adjust with the Next and Previous buttons until the door opens.

Due to an Android bug, the Bluetooth connection can get lost at this point.
In that case a Reconnect button will show up:

Use it to finish the job.
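The sequential brute force described above can be bounded on the receiver side. As an added example (not part of this page or the RF Remote app), the following Python model compares a plain 12-bit fixed-code receiver with one that ignores all frames for 30 s after three wrong codes; the 50 ms frame time, the lockout parameters and the secret code 0xABC are constructed assumptions, not measurements of any real receiver.

```python
from dataclasses import dataclass


@dataclass
class FixedCodeReceiver:
    """Model of a fixed-code gate receiver; time is tracked in whole ms."""
    secret: int                  # programmed fixed code (constructed value)
    bits: int = 12               # code length (page: up to 20 bits are brutable)
    lockout_after: int = 0       # wrong codes before locking; 0 = never lock
    lockout_ms: int = 30_000     # assumed lockout duration once triggered
    misses: int = 0
    locked_until_ms: int = 0

    def try_code(self, code: int, now_ms: int) -> bool:
        """Return True if the gate opens for `code` received at `now_ms`."""
        if now_ms < self.locked_until_ms:
            return False          # frame silently ignored while locked out
        if code == self.secret:
            self.misses = 0
            return True
        self.misses += 1
        if self.lockout_after and self.misses >= self.lockout_after:
            self.misses = 0
            self.locked_until_ms = now_ms + self.lockout_ms
        return False


def sequential_brute(rx: FixedCodeReceiver, frame_ms: int = 50,
                     max_attempts: int = 1_000_000):
    """Send codes 0,1,2,... one frame apart (wrapping) until the gate opens.
    Returns (attempts, elapsed_seconds) or None; frames sent during a lockout
    are lost, so the sweep may have to wrap around. frame_ms is an assumption."""
    space = 1 << rx.bits
    for attempt in range(1, max_attempts + 1):
        now_ms = (attempt - 1) * frame_ms
        if rx.try_code((attempt - 1) % space, now_ms):
            return attempt, now_ms / 1000
    return None


def compare(secret: int = 0xABC):
    """Time to open: plain receiver vs one locking 30 s after 3 wrong codes."""
    plain = sequential_brute(FixedCodeReceiver(secret))
    locked = sequential_brute(FixedCodeReceiver(secret, lockout_after=3))
    return plain, locked


if __name__ == "__main__":
    plain, locked = compare()
    print(f"no lockout: {plain[0]} frames, {plain[1]:.1f} s")
    print(f"lockout:    {locked[0]} frames, {locked[1] / 3600:.1f} h")
```

A lockout also lets anyone who sends a few wrong codes block the legitimate remote for the lockout period, so it is a trade-off; the rolling codes named in this page's title avoid the problem by never accepting the same code twice.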
 

Once you have the right code, you can save it to your database with the menu entry "Add Code to DB":
 

My app will automatically determine the current address using GPS and street data from Google, and suggest its name for the database entry.

On the database page you can edit this new garage entry as you like:

This button updates the GPS coordinates at any time.

 

In the Map View you will see a marker for your newly added address.

If you are connected to your Pi and click on this marker, my app will send the signal to open the garage door.

 

Version History:

Version | Date        | Changes       | Download
v1.0    | 25 Jun 2021 | first release | zip file

 



For suggestions or comments send an email to Derrow@yahoo.com


Copyright 1997-2016 Decision Developments.
All rights reserved. Unauthorized usage of shown material is prohibited.
