• Stars
    star
    147
  • Rank 251,347 (Top 5 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created almost 8 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A software implementation of the Security+ system used by garage door openers

secplus

This project is a software implementation of the Security+ and Security+ 2.0 rolling code systems used in garage door openers made by Chamberlain, LiftMaster, Craftsman and others. Sample GNU Radio flowgraphs for receiving and transmitting codes are provided. A stand-alone Python module can be used to build other applications.

Requirements

  • GNU Radio 3.8 or later
  • gr-osmosdr
  • SDR hardware supported by gr-osmosdr (e.g. RTL-SDR, HackRF)

Usage

Receiving:

$ ./secplus_rx.py

Security+:  rolling=2320616982  fixed=876029923  (id1=2 id0=0 switch=1 remote_id=32445552 button=left)
Security+:  rolling=3869428094  fixed=876029922  (id1=2 id0=0 switch=0 remote_id=32445552 button=middle)
Security+:  rolling=2731817112  fixed=876029924  (id1=2 id0=0 switch=2 remote_id=32445552 button=right)
Security+:  rolling=2731817116  fixed=876029924  (id1=2 id0=0 switch=2 remote_id=32445552 button=right)
Security+:  rolling=2615434900  fixed=72906373  (id1=0 id0=0 switch=1 pad_id=1478 pin=1234)
Security+:  rolling=2615434904  fixed=595608121  (id1=0 id0=0 switch=1 pad_id=1478 pin=enter)
Security+ 2.0:  rolling=240124680  fixed=70678577664  (button=16 remote_id=1959100928)
Security+ 2.0:  rolling=240124681  fixed=70678577664  (button=16 remote_id=1959100928)
Security+ 2.0:  rolling=240124682  fixed=62088643072  (button=14 remote_id=1959100928)
Security+ 2.0:  rolling=240124683  fixed=66383610368  (button=15 remote_id=1959100928)
Security+ 2.0:  rolling=240124684  fixed=74973544960  (button=17 remote_id=1959100928)

Transmitting Security+:

$ ./secplus_tx.py --freq 315150000 --rolling 2731817118 --fixed 876029924

The rolling code should be at least 2 higher than the previously transmitted rolling code.

Transmitting Security+ 2.0:

With rolling and fixed codes only:

$ ./secplus_v2_tx.py --freq 315000000 --rolling 0xe50030d --fixed 0x1074c58200

With optional supplemental data (e.g. PIN):

$ ./secplus_v2_tx.py --freq 315000000 --rolling 0xe50030d --fixed 0x1074c58200 --data 0xd204b000

The rolling code should be at least 1 higher than the previously transmitted rolling code.

secplus.py

This Python module encodes and decodes the rolling and fixed codes, provides utility functions to prepare on-off keying sequences for transmission, and pretty-print the codes. It can be used to build stand-alone applications.

secplus.c & secplus.h

This C library implements encoding & decoding of Security+ & Security+ 2.0 messages (both wireless & wireline). It it suitable for use in Arduino and other microcontrollers.

Protocol details

Security+

Much of the Security+ system is described in US patent 6,980,655; the remaining details were determined by analyzing the data transmitted by Security+ remotes.

Transmissions use on-off keying, with an alphabet of three symbols (0, 1, 2) corresponding to three different pulse widths:

  • 0: 1.5ms off, 0.5ms on
  • 1: 1ms off, 1ms on
  • 2: 0.5ms off, 1.5ms on

The payload consists of 40 symbols, which are transmitted in two frames of 20 symbols each. A single synchronization symbol is prepended to each frame: 0 for the first frame, and 2 for the second. 58ms of silence occurs after each frame, but the receiver I tested with accepts as little as 20ms. Remotes repeat the frame pair a minimum of four times, or continuously for as long as the button is held down.

The payload consists of a rolling code and a fixed code, each approximately 32 bits long. These values are combined and encoded into 40 ternary symbols for transmission. Despite being described as such in patents, the encoding is not encryption as there is no key.

The rolling code is incremented by three each time the remote button is pressed, and the fixed code remains the same. PIN pads use half of the fixed code symbols to transmit the four-digit PIN that was entered. Receivers accept codes so long as the fixed code corresponds to a programmed remote, and the current rolling code is less than 3072 above the last rolling code. Receivers will also accept any two consecutive rolling codes (and adjust the stored rolling code accordingly) so long as the two codes are not within 1024 below the last rolling code.

Security+ 2.0

Security+ 2.0 is an updated (and incompatible) version released around 2011. Many of the details are described in US patent application US20110317835A1, and the remainder was determined by analyzing packets transmitted by Security+ 2.0 remotes and wireline devices.

The payload consists of 80 or 128 bits, which are split into two 40- or 64-bit halves transmitted in separate packets. Each packet consists of a 20-bit preamble, a two-bit frame ID (which is 00 for the first packet, and 01 for the second), and 40 or 64 payload bits. Each packet is Manchester encoded (with a falling edge representing 0, and a rising edge representing 1).

The fixed code is 40 bits long, and the rolling code is 28 bits. The longer 64-bit packets also carry 32 supplemental data bits; PIN pads use these bits to convey the PIN entered by the user. The rolling code is "encrypted" by reversing its binary bits, then converting the resulting number to base 3. Each base-3 digit is converted to 2 binary bits. The fixed code and encrypted rolling code are then interleaved. Finally, the bits are permuted and inverted, with the permutation and inversion pattern depending on the values of particular base-3 digits of the encrypted rolling code.

The rolling code increases by one with each button press, and is sometimes shared across all buttons on a given remote.

More Repositories

1

sdr-examples

A collection of GNU Radio flow graphs
Python
375
star
2

gr-dsd

GNU Radio block for Digital Speech Decoder
C++
131
star
3

gr-elster

A GNU Radio block that decodes packets transmitted by Elster R2S smart meters
CMake
120
star
4

gr-nrsc5

A GNU Radio implementation of HD Radio (NRSC-5)
Python
101
star
5

gr-qam

A QAM-64 transmitter for GNU Radio. This project was merged into GNU Radio in version 3.7.10.
Python
47
star
6

gr-ham

A collection of GNU Radio blocks useful for amateur radio
Python
37
star
7

contest-sdr

An SDR-based transeciver for amateur radio contests
Python
35
star
8

gr-flarm

FLARM receiver for GNU Radio
CMake
26
star
9

gr-tenna

goTenna Mesh receiver and transmitter for GNU Radio
Python
26
star
10

nrsc-5

Prototype implementation of HD Radio (NRSC-5). Superseded by https://github.com/argilo/gr-nrsc5
Python
21
star
11

pico-jiggler

Simulate periodic mouse movements using a Raspberry Pi Pico
C
18
star
12

BusFollower

Ottawa Bus Follower Android app
Java
16
star
13

gr-queue

GNU Radio queue block, useful for trunked radio systems
CMake
11
star
14

grcon22

Challenges for GRCon 2022
Python
7
star
15

ham-utils

Various amateur radio utilities
Python
6
star
16

gr-dsdcc

GNU Radio block for DSDcc
CMake
5
star
17

bbhn-utils

Utilities that may be useful for Broadband-Hamnet nodes
Python
5
star
18

BlackHatBadgeReader

Read the contents of your Black Hat USA 2012 badge on your NFC-enabled Android phone
Java
4
star
19

pico-projects

Projects for the Raspbery Pi Pico
Python
3
star
20

pi-frontend

A tool to configure a Raspbery Pi as a MythTV frontend
Shell
3
star
21

ringzer0

My solutions for RingZer0 CTF problems
Python
1
star
22

argilo-net

La persona retejo de Clayton Smith
HTML
1
star
23

advent

My solutions for Advent of Code puzzles
Python
1
star
24

anagramoj

Programo por trovi anagramojn en Esperanto
C
1
star
25

irrational-net

The personal website of Clayton Smith
HTML
1
star