Hacking/opening Garage/Car/Barrier using a Raspberry Pi or Flipper zero (Rolling Code Keeloq)

(Page last updated: Aug 13, 2022)

Here is a solution to open any garage door, gate, barrier or car, using any frequency from 0 to 1500 MHz, and using the modulation types AM and FM.

An Android App is making it possible to control a Raspberry Pi via Bluetooth, and handling all keyless remote entry systems on the market.

Quick Jump:

Connecting CC1101 Module
Connecting 433 MHz Module
Supported Remotes
Android App
Setting up Raspberry Pi
Pairing Pi and Android Phone
Cloning/Copying/Grabbing a Remote Control
Cloning/Copying a BFT Remote
Cloning/Copying a FAAC / Genius Amigo Remote
Creating a Keeloq-Remote manually
Brute Forcing a Garage Door
Automatically open approaching Garage in close range 
View / Edit Remote DIP Settings
Remote learning new remotes to receiver with 1 click
Requesting a Seed Brute-Force using the Android App
How Rolling Code Remotes are working
Flipper zero support:
Flipper zero support facts

In cooperation with PandwaRF: 

In cooperation with Flipper zero:


Fixed Code Remote Brute Forcing:

This is useful if you have lost all of your remotes to your garage. (Which happens quite a lot )

Brute Force attack is possible for all fixed code remotes which are using up to 20 bits for the code, which are:

Came, Tedsen, Kaeuferle, Nice, Ruku / Ansonic, Tormatic, Cardin, Dickert, Endress, Marantec, Hoermann, Einhell, Berner, Chamberlain, Rademacher, CDS, Bosch 12 DIP, Bosch 20 DIP.

Supported Fixed-Code Remote details can be seen here: Remote Cloner Compatibility List.


Supported fixed code remotes for copying/generating:

Below list is only a part of known/supported Brands/Vendors.
Much more Brands/Vendors are using same transmissions and are supported too.

Fixed Code Remotes

Brand/Vendor Models Freqs DIP switch


Hormann DH01 / HSM4 26.975 AM 10
Bosch 26.975 AM / 26.995 AM / 40.685 AM 12 / 20 + 2
Berner / Tedsen SM 26.985 AM 9 tri-DIP
Endress BW27 26.985 AM 10
Einhell 26.995 AM 10 tri-DIP
Kauferle/Dickert TX27 / MAHS27 / AHS27 / DX27 27.015 AM 10
Marantec 27.045 AM 10
Nice K1/K4 27.120 AM 10
Chamberlain/Liftmaster 750E 27.145 FM
Chamberlain/Liftmaster 751E 27.145 FM 9
Cardin S466 27.195 AM 9 tri-DIP + 2
Ruku/Ansonic SA40 40.685 AM 10
Ruku/Ansonic SF40 40.662  FM 10
Dickert MAHS40 / AHS40 / DX40 40.685 AM 10
Dickert FHS10 / FHS20 40.685 FM 0
Wecla 806011 40.685 AM 12
Rademacher Rator 40 40.685 AM 10
SMD LW40HS98 40.685 AM 10
Sommer 4050 40.685 AM
Dorma/Tormatic 40.685 FM 10
Toko TO40TX same as Dorma/Tormatic 40.685 FM 10
Linear 310.00 AM 8
Multicode 310.00 AM 12
Stanley 310.00 AM 12
Pulsar 318.00 AM 9
Liftmaster 1 DIP / 4 DIP 389.9 AM 9 tri-DIP
Overhead 390 AM 9 tri-DIP
Liftmaster 60K 433.92 AM
Dickert MAHS433 433.92 AM 10 tri-DIP
Dickert S10 433.92 AM 0
Ruku/Ansonic SA434 433.92 AM 10
Ruku/Ansonic SF433 433.92 FM 10
Ruku/Ansonic SA868 433.92 AM 10
Hormann HSM4 / BiSecur in HSM4 mode 40.685 / 433.92 / 868.3 AM
Marantec/Alulux 433.92 AM
Came Top models 433.92 AM 10
Tedsen/Berner/Elka SKX 433.92 AM 9 tri-DIP
Nice Flo 433.92 AM 10
Kauferle/Dickert TX433 / MAHS433 433.92 AM 10
Chamberlain/Liftmaster 433.92 AM
Ducati 433.92 AM 10
Doepke 433.92 AM 10
Dorma/Tormatic HD43 433.92 AM 10
Cardin S476-TX2 433.92 AM 9 tri-DIP + 2
FAAC TM433 433.92 AM 12
Intertechno ITS150 433.92 AM 16
Brennenstuhl RCS 1000SN 433.92 AM 5
Unitec EIM-821 433.92 AM 5
Intertec 50074 433.92 AM
Voltomat 24687005 433.92 AM
Berner BHS140 868.3 AM
Dickert S10 868.3 AM 10


Following Rolling code remotes can be detected/created/copied:

Keeloq Remotes

Brand/Vendor Models Encryption/Decryption remote learning Flipper support
ACM TX2 / TX4 simple custom bit

ADYX 433-HG Bravo      
AERF Compact / Hy-dom / Sabuton / Saturn / ST /Terra / Tmp / Unitech custom 10 bit    
Allmatic Bro.Over / Brown / Brown Mini / Pass / Tech simple 10 bit
Ansonic SA 868 R simple 10 bit
Aperto TX4020 / TX03 normal 10 bit
Aprimatic TR / TM 4 / TX-E / TX2P / TX4S / TXM simple 10 bit
ATA PTX4 normal 12 bit
Balan 4013 / BFM 404 / FM404 / S435 / S449
Beninca Apple / Cupido / Azul / IO / LOT WCV / Rollkey / T4WK / T4WV / Togo WK/WV simple XOR
Bernal TX Pico B 440.504-S1 868.5 MHz (not fully supported yet) normal custom bit
BFT B-RCA / BRC-B / Mitto / TRC / Kleio / RB secure 32 bit Seed 10 bit
Breda 4013
Casali JA33 Amigo
Casit Be Happy RS / MTE / VTM
Came Space simple 10 bit
Cardin S449 / S486 normal (10 bit receiver/12bit remote)
Celinsa Movecode / X-2 / Z-2 simple 12 bit
Centurion NOVA-TX normal 10 bit
Clemsa Mutancode / Mutancode Mini normal 12 bit
Comunello Keep 2/4 / Victor 2/4 normal 10 bit
Crawford EA433K/KM / T-433
Cyacsa Neo / Twin
Dea GT2 / Genie R 273 / GOLDR / MIO TR / Punto simple 10 bit
Detumando DTM Roll normal (10?) bit
Dickert S10 A4K00 simple 8 bit
Dickert S8Q 868 Mhz simple 8 bit
Dmil Neo / Twin
Doorhan TX simple 10 bit
Doormatic Mileny normal 10 bit
DTM Neo / Tip  / Victory simple 12 bit
Ecostar RSC2 / RSE2 / RSZ normal 10 bit
Eikia custom
Elmes DWB100HT / UMB100HT
Elemat Hibrid Plus / Twin
Elvox ERT / ETR normal 10 bit
Emetteur TX 43-2 02035231332 (French unknown Brand) simple 10/12 bit
EMFA MAP / Neo / Twin
Erreka IRIS / LIRA / Roller / SOL / Vega secure 32 bit Seed 8 bit
ET System Blue / Mix normal 10 bit
ETDOOR Maguisa / Mimosa custom
Extel ATEM800021
FAAC RC normal 12 bit
FAAC SLH / XT2 (greetings to Silvia ) secure 32 bit Seed 12 bit
Fadini Birio / Jubi / SITI simple 12 bit
Forsa Neo / Twin
Genie custom
Genius Bravo normal 10 bit
Genius Echo / Kilo normal 12 bit
Genius Amigo secure 32 bit Seed 12 bit
Gibidi AU1600 / AU1680 / Domino simple 10 bit
GSN TR 300 / TR 500 / TX normal 10 bit
HCS101 same as Pax custom
IL-100 same as Sea simple 10 bit
Jarolift normal 10 bit
JCM Neo RC / Go Pro / Twin / Cubells / Forsa / DMIL / HYDOM / Hybrid simple 8 bit
Jolly Motor Tx Mini
Key SUB-44R / PLAY4R / TXG-44R / TXB-44R simple / custom bit
Kinggates Stylo 4 K simple 8 bit
Ligur same as Schellenberg normal 12 bit
Linear HCT / MCT / ACT simple 10 bit
Mc Garcia simple 10 bit
Merlin normal custom  bit
MHouse GTX / GTXC / Moovo / RT3 / TX4 simple 8 bit
MHZ1100N same as Doorhan simple 10 bit
Motorlift 9433xE/EML
Motorline MX4SP normal 10 bit  
Nice Smilo simple 8 bit
No-Name Emetteur TX 43-2 02035231332 (French unknown Brand) simple 10/12 bit
No-Name HS-2 (Aldi/Lidl Remote) simple 8/10 bit
Normstahl RA3433 / RCU 2K / 4K / Entrematic / T433 normal 10 bit / simple 8 bit
Norton Neo / NOR 20 / TXCD
Nova same as Centurion normal 10 bit
Novoferm MHS43-02 / MxHS / Novotron 502 / 302 simple 10 bit
O&O TX-RC simple 8 bit
Open Out AU1600 / AU1680 / Domino
Pax-II / Pax-2E 600N / 800N / 1000N / 1200N
Pecinin 3C simple 12 bit
Proem ERC4/ACS
Profelm same as ETDoor custom
Puertas Norton / Cubells / Roper / JCM 2nd custom 12 bit
Pujol Neo / Twin / Universal / Vario simple 8 bit / custom
Rademacher Rator 4385 (not fully supported yet) normal
RCG12C same as ATA PTX
Rolltore MPSTP2E
Roper Neo simple 8 bit
Rosh simple 12 bit
Rossi CT simple 12 bit
Ruku SA 868 R simple 10 bit
Sabutom Bro / Broover / Brostar / Novo / Present / Compat / TT
Sea Head simple 10 bit
Seav Be Good / Be Smart / Be Happy RH/RS normal 12 bit
Schellenberg 60853 normal 12 bit
Schellenberg 60851 (not fully supported yet) normal
Silvelox ECO TSM2/4 simple 10 bit
Siminor CVXNL / Mitto / SIM433
Skymaster MHZ / TX4 simple 10 bit
Sommer 4020 TX03 / 4025 / 4026 / 4031 normal 10 bit
Space SP simple 10 bit
Stagnoli Venus simple XOR
Starline A2-A4 / A6-A9 / B6-B9 custom bit
Steelmate normal 12 bit
Subaru custom 10 bit
Telcoma FM402 custom
Tormatic MCHS / MNHS / Novotron
Toyota Rush simple 10 bit
Wayne Dalton TX02433
Wisniowski Lunar / 4GO / Pulsar RTS normal 12 bit

-  Remote learning is automated in the Android App and can learn remotes to receivers with 1 click!


Keeloq Go Models

Brand/Vendor Models remote learning
CYACSA Go / Mini Go
Elemat Go / Mini Go
EMFA Go / Mini Go
Forsa Go / Mini Go
JCM Go Cubells / Dmil / Elemat / Forsa / Roper / Mini
Norton Go / Mini Go
Roper Go / Mini Go


Other Rolling Code Remotes

Brand/Vendor Models remote learning


Aprimatic TXM
Avidsen 104250 / 104257 / 104350 / 10470x / 654xxx / RMC
Came Atomo
Cardin S435 / S437 TX / S438 TX
Chamberlain 1 5433 / 75EML / 8433 / 9433
Chamberlain 2.0 89xLM / 89xMAX / 95xEV / TX4RUNI
Ditec BIX / GOL4
Horman BiSecur (not fully supported yet)
Kinggates Stylo 4
Kinggates Stylo 4 K (Stylo 4 K is using Keeloql )
Liftmaster 8433 / 9433 / TX4RUNI
Nice Era-Flor / Ergo / FloR-S / INTI / On xE / Very
Prastel BFOR / MPSTLE / MTE / TC4E
Ryobi GDA100 / GDA200 (not fully supported yet)
Sminn Balea / Duo / Duplo / Quatro
Somfy Keasy / Keytis / Telis
V2 Handy / Match / Phoenix / Phox / TRC / TSC / TXC


Car Rolling Code Remotes Non-Keeloq

Brand/Vendor Models Protection
Kia K3 11-19 / K3S 14-19 / K5/Sportage R 15 / K4 13-16 crc8
Kia Sorento 2010 - 2017 none
Hyundai OKA-870T crc8
VW Golf  (signal reception-decoding only!) unknown
Audi (signal reception-decoding only!) unknown
Mercedes SL 500  (signal reception-decoding only!) unknown


Weather / Temperature - Devices

Brand/Vendor Models  


Auriol AFT77B2
Infactory TH
Hideki TS04
Solight TE44
Conrad S3318P
Digitech XC0324
Oregon THN132N
Nexus TH
La Crosse TX141THBv2
GT WT 02 WT02
Fineoffset WH2
Alecto V1
Ambientweather F007TH


Car  TPMS Tire-Pressure Sensors

Brand/Vendor Models  




Restaurant Food Pagers

Brand/Vendor Models  


LRS Coaster Call RX-CS6 / CS7 /  US 467.75 MHz
LRS Coaster Call RX-CS6 / CS7 /  DE 446.15625 MHz
LRS Coaster Call RX-CS6 / CS7 /  UK 459.1 MHz



Also Check out the Remote Cloner Compatibility List.


Seed Code brute force is also possible for all Rolling Code Remotes using the Android App for these Seed Remotes:

BFT (all models), FAAC (XT/SLH), Genius Amigo, Erreka, SMiNN and Aprimatic TXM
The bruting takes just a few seconds using GPU processing.

For recovering the Seed-Code, see the guide for: Requesting a Seed Brute-Force using the Android App



How Rolling Code Remotes are working:

To avoid simple signal capturing and replaying of the same signal to enter your garage,
Rolling-code remotes are using a counter which is increasing by 1 with each button-press,
and are encrypting this new counter value before sending the signal to the receiver.
The receiver is decrypting the current counter value, and prohibiting all recently used counter values before.

This means, if you create an exact copy of your remote, you won't be able to use both remotes properly.
If you use one remote for example for 10 times, the counter in the receiver will have increased by 10,
so your other remote won't work until you have pressed it 10 times to get it in sync.

That's why most regular Cloners don't make exact copies of Rolling-Code remotes, and use a different serial code for the copy,
which needs to be registered to the receiver first, to get it to work.

With this solution you will be able to create 100% copies of rolling code remotes,
but remember that the original remote will get out of sync!!!

(BTW: Same might apply, why your remote doesn't work anymore!
Somebody probably captured the signal of your remote with this solution, and increased the counter by about a 100 times ore more,
which makes your original remote useless!)




For sending only you will need a Raspberry Pi up to Version 3, or a Pi Zero.
Attention: Raspberry Pi 4 does not work, because of incompatibility with RPITX.
Also a Pi Zero is not the best choice, because it is very slow and might cause trouble in creating signal frames.

Plug a wire on GPIO 4, means Pin 7 of the GPIO header. This acts as the antenna.
The optimal length of the wire depends on the frequency you want to transmit on.

You can also add an external antenna like those 433 MHz antennas below:

Attention about sending signals with Raspberry Pi:
In most countries it might be restricted to use the Raspberry Pi as a sending device, especially on certain frequencies, because sending devices usually need a governmental certificate for transmitting signals over the air.
According to my experience, these laws are working on a try and get caught system.
So please check your local laws , and give your best to not get caught

Above does not apply for sending using a sending module for a specific frequency (like a 433 MHz module) or a CC1101 module.


For receiving signals, you will either need a RTL-SDR Stick, HackRF One, or a simple 433.92 MHz Module working with 3.3 Volt,
and most recently you can also use a CC1101 module.

Available on Ebay:

Bild 1 - RXB6 433Mhz Superheterodyne Funk Empfänger Modul Arduino Receiver FHEM Arduin... Bild 1 - CC1101 Module SMA Antenna Wireless RF Transceiver Module Arduino TE298 CP06017

Attention for CC1101: Do not purchase old  version 1 modules which have a green color and only 8 connectors!
Those modules have a very bad reception, and are a waste of money and time.
Only get new version 2 boards with blue color and 10 connectors!

Connecting the CC1101 and Raspberry Pi SPI:

CC1101 moduleRaspberry PiPi Pin Nr Wiring Pi
VCC 3V3 17  
GND GND 20  
GD2 GPIO25 22 6
GD0 GPIO27 13 2
CSN SPI_CS0 24  
   Bild 1 - CC1101 Module SMA Antenna Wireless RF Transceiver Module Arduino TE298 CP06017



Note: The CC1101 can be used for receiving and sending!
Sending works now for AM and FM signals.
CC1101 Frequency bands: 300-348, 387-464, 779-928 MHz.
If the sending frequency does not fit into one of the CC1101 frequency bands, RPITX will be used automatically for sending.

In the config file: /home/pi/rf/rfcomm-server-cfg.ini you can enable the usage of this module, by setting the receive and sending pin to which you have connected GD2 and GD0 of this module:


The configuration: CC1101InitFreqConfig=1 uses a predefined frequency setting for the CC1101 at startup.

0 = 433 MHz optimized for Keeloq receiving
1 = 433 MHz FM optimized for Cardin FM Keeloq receiving
2 = 868.35 MHz with 500 Hz Bandwidth
3 = 868.35 MHz with 125 Hz Bandwidth
4 = 433.42 MHz for Somfy receiving
5 = 433 MHz optimized for sensitivity
6 = 310 MHz
7 = 315 MHz

With the Android App, you can switch to a different configuration at any time:

The Android App also offers Menu-Entries to set a free chosen frequency, and to play around with the CC1101 registers:

Connecting a 433 MHz Module and Raspberry Pi:

TransmitterReceiverRaspberry PiPi Pin Nr Wiring Pi
VCC VCC 3V3 1  
DATA   GPIO17 11 0
  DATA GPIO18 12 1

You can connect up to 3 different modules using different frquencies for receiving.
In the config file: /home/pi/rf/rfcomm-server-cfg.ini you can enable the usage of these modules, by setting the receive pin to which you have connected DATA of each module:

RecievePin1Name=Mod1 433AM
RecievePin2Name=Mod2 433FM
RecievePin3Name=Mod3 868

New in version 1.4:

You can connect up to 3 different modules using different frquencies for sending.
In the config file: /home/pi/rf/rfcomm-server-cfg.ini you can enable the usage of these modules, by setting the transmit pin to which you have connected DATA of each module:



Android App RF Remote:

Due to a lot of abuse, the Android App is no longer free.
It can be purchased for 39.- US$.

You will receive a download link for the Android App, which has the ability to handle all known fixed code transmission systems, and to encrypt and decrypt all known rolling code systems.

With your purchase you will have one Brand/Vendor included for free.
Each further Brand/Vendor can be purchased for 5.- US$

This App is programmed to work with Android versions 4.2 (Jelly Bean) and up, and is confirmed to work until version 11.
If you can confirm upcoming newer versions of Android, please let us know.

Refund policy for the App:
Once the App has been delivered, no refund will be issued at any time.

Refund policy for single remote vendors:
If the purchased vendor-system will not work for your garage/gate/car, you can ask for a refund.

The App is using permissions for Bluetooth, GPS location, write to external storage and phone accounts.

The permission for phone accounts is needed to retrieve the main email address of  your phone,
which will be used to authenticate to our servers, so you don't need to create a login and password.
Your other phone-contacts are never accessed by this app at any time!

GPS is used for many features which are provided by this app.
Bluetooth is needed to connect with your Pi.
Write to external storage is needed to backup and restore the database of your created garages/gates/cars.

You can also qualify for free vendors or full access in providing missing manufacturer keys or entire rolling code systems.


Getting started:

Installing the Android App:

Download the given zip file. Unzip the APK file inside, and transfer it somehow to your phone, either by using Bluetooth or USB file transfer.

In your Phone settings you will need to enable the option: Install unknown Apps in Security settings.
or check out this web-site for more info: https://www.lifewire.com/install-apk-on-android-4177185

Now locate the APK file with a file manager on your Android-Phone, and click on it to have it installed.


Setting up Raspberry Pi:

Setting up the Raspberry Pi is explained on a separate page here.


Cloning/Copying/Grabbing a Remote Control into the database:

To copy your own remote, connect a RTL-SDR device or HackRF One to your Pi, and start my module on the Pi.
Then start the Android App, and connect with your Pi.
In the up right Menu, choose to set the listening frequency for the RTL-SDR device, and set it to the frequency of your remote.

The App will now be listening for recognized signals, so press the button of your remote control.
In my case, I am pressing button 1 of my Nice Flor 433.92 Mhz:

The App will detect the signal, and decode the encrypted values of the remote, and ask you if you want to store it to your database.

In the Database-View you can see all your stored remotes:

If you press short on a database entry, the app will send the signal of the stored remote to open the garage if your Pi is connected.

To edit/delete the database entry, press and hold the desired entry, and an action menu will appear and allow you to edit or delete an entry.


Creating a remote manually:

Creating a Keeloq-Remote manually:

As example we will be creating a "Beninca" remote manually, which is using Keeloq-Rolling-Code:

To create a Keeloq remote manually, go to the Database-View and choose the Menu-Entry: "Add Garage":

In the Address-Field you can name the remote to anything you like. Lets name it "test"

As System choose "Keeloq" :

As Vendor choose "Beninca"

Leave the fields "Retries", "Channel" and "Frequence" as they are.
The Pi-Module will use the stored default frequency for this remote automatically.
If you would like to use a different frequency like 868.5 MHz, you would enter: 868500000 in the "Frequence" field.

The important values are now "Serial", "Sync", and "Key Code".

Give your "Beninca"-Remote a new serial like 12345:

The Sync value will stay at 0 for a new remote.
This value will increase in future with each button press of the remote!

You can leave the "Key-Code" at 2, which is the default for Button 1 of a Beninca remote.
(Different Vendors are using different Key-Codes. Ask if you require further help)

Save this new entry, and you will see it in your database:

If you are connected with your Pi, and press this new entry, a new rolling code will be generated, and send by the Pi:

To open your door, first you have to "learn" this new remote to your receiver.
Press the learning button on your receiver, and then press the new entry in the database to send the new signal.
(For the "learning" process, it could be useful to increase the "Retries" value of how often the signal sending should be repeated. Set it to 20, and restore it to 10 once the learning is completed.)
This new remote will be stored in your receiver, and open your garage/gate/car from now on.


Brute Forcing a Garage Code:

In case you have lost all of your remotes, and can't enter your garage, you can use brute forcing to find the correct code and open your garage again.

First go the main Page "Home / Grab Signal", and connect with your Pi:

Change to the Brute page, and select the System you would like to Brute.
Came is very common and widely used:

Press the "Play Button" to start the Brute process.

The bruting will start and display the current progress and estimated time:

When the door/gate/barrier is opening hit the Pause/Stop Button:

If it's a door that's closing after a certain amount of time automatically, wait until the door has closed.
At this time you still don't have the correct code to open the door, but you are close.
Now either hit the Back button manually a few times, until the door opens again,

or use the reverse button which will brute backwards but not so fast,

and wait until the door opens again.
Wait until the door has closed, and use this button to send the same code again.
If the door does not open, adjust by using the Next and Previous Buttons until the door opens.

Due to an Android Bug, it can happen that the Bluetooth connection gets lost at this point.
For this case a Reconnect Button will show up:

Use it to finished the job.

Once you have the right code, you can save it to your database with the menu entry "Add Code to DB":

My App will automatically select the current address using GPS and street data from Google and recommend its name for the database entry.

In the database Page you can edit this new garage entry as you like:

This Button will update the GPS coordinates at any time.


In the Map View, you will be able to see a Marker for your new added address.

If you are connected to your Pi and click on this Marker, my App will send the signal to open the garage door.

Automatically open approaching Garage in close range:

New feature added in version 1.1:

If the Map View is open, and position tracking and AutoOpenCloseGarage is enabled, Garages that you approach within a distance of 50 Meters will be opened automatically,
 without the need to press any button.
The App must be connected to the Pi using Bluetooth, and must have an internet connection.


View Edit Remote DIP Settings:

New feature added in version 1.1:

Now you can edit / view the DIP Settings of your original Remote:

You can reach this option in the Database View, by selecting an entry and choosing the action menu item: Show/Edit DIPs:



Remote learning new remotes to receiver with 1 click:

New feature added in version 1.4:

Now you can add / learn new "remotes" remotely to a receiver with 1 click:
(This is working only if a remote learning feature is supported and enabled by the receiver!)

In the database view, select two Entries with the same brand/vendor.
The first selected entry will be the "Master"-remote, and the second will be your new "Slave"-remote, which you want to add.
(The Master-remote must be already working with the receiver!)

In this example, the brand Beninca will be used:

From the action menu, select: "Remote-learn":

You will get a reminder-dialog, which will also show the two selected entries:

Another dialog will show the standard procedure to learn a new remote for this brand / vendor:
(This is just for your information)

After clicking on "START LEARN", the learning process will do everything automatically:

Here the hidden button of the "Master"-remote will be pressed for 3 seconds:

Now the button which should be used will be pressed on the "Master"-remote:

Finally the same button on the "Slave"-remote will be pressed:

Depending on the brand, wait 5 seconds up to one minute, until the receiver ends the programming procedure, and your new remote should open the door.


Requesting a Seed Brute-Force using the Android App

New feature added in version 1.4:

Now you can submit a brute force request to the server, to recover the Seed-Code of your remote.

At first, please follow the guide to get a remote signal into the database:
Cloning/Copying/Grabbing a Remote Control into the database

Copy between 2 or 4 signals into the database like below:

Select the new entries, and choose on the top right action menu: "Brute Seed":

A Dialog will appear and ask if it is a BFT or Erreka remote:

After selecting BFT or Erreka, a short message will tell you if the request was successfully transmitted:

At this point, give the server some time, and later you can check at any time if the bruting was successfull:
Select any of your copied signals, which was already changed to the selected brand/vendor (BFT in this example),
and choose from the action menu: "Check bruted Seed":

If your request is still pending, you will see this:

Sometimes it can happen that multiple possible seed-codes matched at bruting-time.
In such cases, please repeat all steps above with new copied signals, and repeat the bruting request:

If the seed was successfully recovered, you can store it to your database entry with a click on "STORE":

If the seed is correct, the copied signal will be decoded and updated in the database:

If you check your database entry, you can see the recovered seed:

This new entry should now open your door/gate/barrier :)


Copying/Cloning a BFT Remote

New feature added in version 1.4:

Start the App and connect with your Pi:

If your Remote has a hidden button, press the hidden button, otherwise keep pressing button 1 and 2 until the Seed-Code has been received:

At this point, the Seed-Code will be stored for all future receptions, until another Seed-Code reception is detected, or a Seed-Brute-Force gets requested.

Now press the button of the Remote, you would like to copy:

Your remote will be detected, and the signal decoded.

Now you can store it to the database:

Clicking this entry will open your door/gate/barrier.

To copy this remote to a remote-cloner device, or to learn it into a receiver, you will need to transmit the Seed-Code first.
You can do this by selecting the database entry, like you would like to edit it:

From the action menu choose: "Send Seed Code":

The Seed-Code will be transmitted for 3 seconds:

After this, press the database entry to send the button signal of this remote, and it is learned to the receiver or copied to a cloner.


Copying/Cloning a FAAC / Genius Amigo Remote

New feature added in version 1.4:

Start the App and connect with your Pi:

For FAAC / Genius Amigo, you will have to repeat these steps for each button:

Press button 1 and 2 until the LED of the remote starts flashing.
Now press the button, which you would like to copy, to transmit the Seed-Code of this button:

At this point, the Seed-Code will be stored for all future receptions, until another Seed-Code reception is detected, or a Seed-Brute-Force gets requested.

Now press the same button of the Remote again to transmit the signal:

Your remote will be detected, and the signal decoded.

Now you can store it to the database:

Clicking this entry will open your door/gate/barrier.

To copy this remote to a remote-cloner device, or to learn it into a receiver, you will need to transmit the Seed-Code first.
You can do this by selecting the database entry, like you would like to edit it:

From the action menu choose: "Send Seed Code":

The Seed-Code will be transmitted for 3 seconds:

After this, press the database entry to send the button signal of this remote, and it is learned to the receiver or copied to a cloner.


Flipper zero support facts:

As there is a high demand on having all above systems working with Flipper zero, there will be a possibility to use the Android App with Flipper zero soon.

Using Flipper zero with some Keeloq remotes, which are using "Normal decrypt" is already possible by getting a device key for your remote for a little donation, which you can request by Email.

At first you will need a custom firmware for your Flipper, which is available here: https://github.com/Eng1n33r/flipperzero-firmware/releases

With that firmware you can catch the raw signals of your remote, which can be used to identify the used device key of your remote.
By putting the identified device key into Flipper, you will be able to control your garage with Flipper.

An exact guide with screenshots will follow shortly.



Version History:

Version Date Changes Download
v1.5 Aug 2022  - added new Remotes: Kinggates Stylo 4 K; IL-100; HCS101; FAAC TM433; SMD LW40HS98; Multicode; Stanley; Pulsar; Overhead
   Kia K3 11-19 / K3S 14-19 / K5/Sportage R 15 / K4 13-16; Hyundai OKA-870T

 - added de Bruijn bruting algorythm.

coming up...

v1.4 24 Apr 2022  - added 1-button remote learning into receiver for supported receivers
 - added buffering of rolling codes for offline usage
 - added Server Seed brute forcing
 - added Seed Code transmission detection
 - added sending ability for CC1101 module

USD 39.-

v1.3 20 Apr 2022  - added many new supported rolling code remotes
 - added some new features
v1.1 18 Aug 2021

 - added many new features
 - fixed a few bugs

v1.0 25 Jun 2021

 - first Release


Hit counter