How to copy a garage keyfob and send it with an Arduino

Garage door openers primary operate on 433 MHz frequency band. The technology of these fobs is very basic and crude, and have no security or encryption in place. This makes it relatively easy to copy the ASK modulated signal and re-transmit it.

In this post, we will show you how to do it by using Arduino and some extra components. The complete system will cost you only about 12 €.

Components

Nano V3.0 Controller Board Atmega328 Compatible with Arduino Nano CH340 USB Driver

This is the element that will run de code. You can find it here.


Nano V3.0 Controller Board Atmega328 Compatible Arduino Nano CH340

433 MHz Wireless Transceiver for Arduino

These are the transmit-receive modules, that you can also get for very cheap. In this post, we will only use the TX, as we will record the fob signal with an SDR dongle.

433 MHz transceiver for Arduino

Male-female, 20cm jumpers dupont 2,54 for Arduino protoboard

You can use these cables to connect the tranceiver modules to the Arduino board.

Male-Male USB 2.0, 1 meter (a1641)

We use this cable to compile the code from our PC to the Arduino.

RTL-SDR dongle

You will also need an RTL-SDR dongle and the software HDSDR, as shown here. Also, it’ll be useful to have Matlab.

Connections

The following driagram shows the connections you need to make so you can
retransmit the key fob signal:

Arduino connected to 433 MHz TX module

Code you need to edit

The main tool we will use for this development is the RC-Switch library, which is open source and you can easily download from GitHub or you can directly download our edited project here.

RCSwitch.cpp

We have modified the protocol section:

#ifdef ESP8266
static const RCSwitch::Protocol proto[] = {
#else
static const RCSwitch::Protocol PROGMEM proto[] = {
#endif
  { 315, {  0, 0 }, {  1,  4 }, {  3,  2 }, false },    // protocol 1
  { 295, {  0, 0 }, {  1,  1 }, {  0,  1 }, false },    // protocol 2 preamble
  { 100, { 30, 71 }, {  4, 11 }, {  9,  6 }, false },    // protocol 3
  { 380, {  1,  6 }, {  1,  3 }, {  3,  1 }, false },    // protocol 4
  { 500, {  6, 14 }, {  1,  2 }, {  2,  1 }, false },    // protocol 5
  { 450, { 23,  1 }, {  1,  2 }, {  2,  1 }, true }      // protocol 6 (HT6P20B)
};

The meaning of the previous code is:

Protocol 2 is the Preamble:

Here the short value is 295 us, so the digits are the times we multiple that pulse {low level, high level} by:

  • Sync bit: {0,0}
  • Zero bit: {1,1} first digit is a low level pulse, second digit is a high level pulse
  • One bit: {0,1}

Protocol 1 is the Data:

Here, 315 us is the short value

  • Sync bit: {0,0}
  • Zero bit: {1,4} =205 and 205×4 us first digit is a low level pulse, second digit is a high level pulse
  • One bit: {3,2}

In order to get those pulse lengths, you will use the Matlab code provided here. We explain how to use it in the next section.

Fob.ino

You can find the pulse height by recording the fob signal with an RTL-SDR dongle and the free tool HDSDR, as shown here. Then, you can open that .wav file in Audacity (also free to download) and check:

Visual inspection with Audacity

As you can see in the previous image, we have written the corresponding 1s and 0s according to the pulse lengths we defined the protocols of RCSwitch.cpp. Once you have this information, you can edit the .ino code “send” section:

//Start Frame
 //PreAmble
mySwitch.setProtocol(2);
mySwitch.send("111111111111111111111111");
 //Data
mySwitch.setProtocol(1);
mySwitch.send("111111011001000001110110100001");
mySwitch.send("110010111110110000001110100101");
mySwitch.send("11010011010000100001");

The code above represents the fob signal we will transmit.
The rest of the code, including the file to compile in Arduino and the Matlab code to find the pulse length are in our GitHub repository, so you can download them for free here.

How to copy your fob and transmit it

There is a video below showing the process, but basically, the steps to follow are:

  • Record your fob signal using the SDR dongle and HDSDR and store it as a .wav file in the same folder as you have pulselength.m
  • Rename the .wav file to Fob.wav
  • Run the pulselength.m in Matlab to get the pulse lengths in the array “y”
  • Open the .wav file in Audacity so you can check the sequence of short/long length pulses
  • Adjust the protocols in the RCSwitch.cpp code to match your signal according to what you see in the values obtained from the Matlab script pulselength.m
  • Adjust the sequence of 1s and 0s you want to send in the Fob.ino file according to the signal levels you can see in Audacity
  • Upload the .ino file in the Arduino
  • … volià! 🙂

If you want to check the Arduino signal is valid, you can do as we did in our video (being near the receiver and see whether it’s activated) or you can record that signal using the RTL-SDR dongle again, open it with Audacity and check.

In next posts, we will show you how do this process more efficiently (automatic and faster), so stay tunned!

Add a Comment

Your email address will not be published. Required fields are marked *