Project overview: I will demonstrate how to open certain styles of garage doors using a Yard Stick One transmitter.
Dip switch style garage openers
Early styles of garage doors used dip switch remotes that operate between the 300-400 MHz frequency
range. The radio frequency (RF) signal transmitted by these remotes depend on the configuration of
their internal dip switches. If the correct signal is sent the garage door will open.
Dip switch remotes usually have 8-12 dip switches. Each dip switch can be in one of two states: high or
low. The number of unique signals a dip switch remote can transmit is equal to 2x , where
x = the number of dip switches. This means that all garage doors that use dip switch remotes can be
opened by brute force.
Garage remote with its dip switches exposed
Enlarged view of the dip switches - all 10 dip switches are in a 'high' state
Capturing and analyzing signals
NooElec's R820T Mini is a low cost antenna that's able to receive low frequency RF signals, including
those transmitted by dip switch remotes.
NooElec R820T Mini: USB interface and antenna
RF signals can be visualized on a computer using software defined radio (SDR). One such SDR is
gqrx. When paired with NooElec's R820T Mini, signals
coming from a dip switch remote can be captured and recorded.
gqrx GUI
Captured RF signals in gqrx come in the form of WAV files which can be viewed using
Audacity. Below are 3 signals from
the 10 dip switch remote pictured above. Each of the 3 signals have a different dip
switch configuration.
Garage remote signal: all 10 dip switches in a 'high' state
Garage remote signal: first 5 dip switches in a 'high' state, last 5 dip switches in a 'low' state
Garage remote signal: all 10 dip switches in a 'low' state
A pattern becomes evident when the signals are closely observed. When a dip switch is in a
'high' state, there is a long peak followed by a short valley. When a dip switch is in a 'low' state,
there is a short peak followed by a long valley.
3 signals superimposed and divided by dip switch
Recreating signals
The Yard Stick One is a radio transmitter
that's able to transmit signals in the 300-400 MHz range, the same frequency that dip switch garage
remotes operate.
Yard Stick One transmitter
Dip switch remotes have a fixed number of unique signals (that is, codes) they can produce. In the case
of a 10 dip switch remote there are a total of 1024 unique signals it can transmit (210). This can
be achieved with the Yard Stick One and the RfCat
Python library (note: RfCat is written in Python 2).
Creating signals with the Yard Stick One is pretty straightforward. First an RfCat object is created in Python
and the transmitted signals' frequency, modulation, and baud rate are set:
from rflib import *
d = RfCat()
d.setFreq(300000000) # 300 MHz
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(4800)
Signals are transmitted using the RFxmit function, which takes binary 1's and 0's as input. From the results above,
a dip switch in a 'high' position is a long peak followed by a short valley and a dip switch in a 'low' position
is a short peak followed by a long valley. For a long peak or valley, we can transmit three consecutive 1's or 0's
via RFxmit. For a short peak or valley, we can transmit a single 1 or 0. Thus:
A dip switch in a 'high' position corresponds to RFxmit("1110"):
A dip switch in a 'low' position corresponds to RFxmit("1000"):
For a signal where the first 5 dip switches are 'high' and the last 5 dip switches are 'low', the input
would be:
1110 1110 1110 1110 1110 1000 1000 1000 1000 1000
The binary 1's and 0's can be put in to groups of 8 and then converted to hexadecimal:
EE EE E8 88 88
To transmit this signal in RfCat the syntax would be: RFxmit("/xEE/xEE/xE8/x88/x88")
Signals with the first 5 dip switches 'high' and the last 5 dip switches 'low'
In order to brute force a garage door you will need to transmit all the possible dip switch combinations one by one
until the correct signal is sent.
A brute force script for a 10 dip switch remote can be found here on my Github.