Alexander Tuxen

(or me being to cheap to get one from the administration)

I live in an apartment house with an underground garage, but I don’t have a car, so I didn’t rent a space in there. I do have a bike though, and I want to put it in the basement which is also reachable from the garage. And since I have no parking space in the garage I don’t have a remote for the door. I could have just got one from the administration but where is the fun in that? Also, they wanted 50 € for one and I didn’t want to spend a hundred Euros just to be able to let me and my girlfriend put our bicycles in the basement.

So what I was going to do was borrow one from a neighbor, reverse engineer it, and build my own. Sounds easy enough. I had to pester that poor guy what felt like a hundred times for that stupid remote before I finally got it right!

First I had to find out what was transmitted, and which frequency it was transmitted on. In Europe only 433 MHz and 868 MHz are used for these things, so I spent some quality time with my radioscanner (a very old and cheap one) to try and find the transmission frequency. And, what do you know, soon enough I found it. Or at least so I thought. I got a reasonably clear signal on 433.925 MHz, which is a commonly used frequency, so I assumed this was the frequency being used by the keyfob I was looking at. Well, it wasn’t, but more on that later..

Next thing I did, was hooking up the scanner to a pc to record the signal and have a closer look at it. This is what it looked like in Audacity:

As you can see, there are long and short pulses and also long and short gaps. This signal is repeated at least three times and it doesn’t ever change, regardless of how often you push the button on the remote.
This is good news as it means that the remote uses neither a rolling code nor some kind of challenge response mechanism. So it should be simple to mimic what the original remote is transmitting.

After a bit of transcribing and measuring the timing of the pulses and gaps I had this:

1101001011010101001010110101010010101010110101001010110100110100101101010100101101010101010100101

The ones represent a high state while the zeroes represent low and since the long pulses are exactly twice as long as the short ones, I selected the short period as my standard pulse length. Hence the two ones in the beginning for only one long high pulse.

Now all there is left to do is hook up a 433 MHz-transmitter like this to an Arduino and write a few lines of code, right? Wrong.

After countless times of checking, re-checking, double-checking and comparing my generated signal to the original one, and almost losing my mind in the process, I came to the conclusion that my signal looked at least as good as the original one, in fact, amplitude-wise, it looked even better.

Wait a minute, why should my 434 MHz signal look stronger and healthier than the original 434 MHz signal, unless…

Turns out, the original remote is actually using 868 MHz and the reason I got such a clear signal on ~434 MHz is that it’s (almost) exactly half of 868 and thus a harmonic. What this means is, the signal of the original remote was strong enough on the harmonic to be picked up by my scanner in close range but the original receiver would reject my signal due to better filtering or whatever.

It took me a while until I finally found out about this and I must admit I was a bit angry at the manufacturer at first. But then, who can blame them for using 868 MHz over 434 MHz? It’s clearly the better frequency to use, because 434 MHz is flooded with noise from wireless weather stations, remotely controlled power outlets and all kinds of other cheap shit. There are rules though for the 868 MHz Band: You have to listen in to the frequency you want to transmit on before you transmit anything, to see if there isn’t another transmission going on, and you have to keep your duty cycle below one percent. That means that for 1 second of transmitting you’d have to shut up for 99 seconds before you are allowed to transmit again.

Having this figured out, I picked up a RFM12B 868 MHz transceiver and hooked that up to the ATMega.

I stole this image from here.

I chose the RFM12B because there are a few libraries out there for this device to work with AVR controllers, and even one which works with the Arduino environment. The library (and lots of other cool stuff, and also a very inspiring blog) can be found at http://jeelabs.net/projects/cafe/wiki/RF12. There are also further instructions about how to connect it to an Arduino (or ATMegas in general).

The proof of concept on a breadboard. The little button simply connects the battery when pressed.

The thing about the 868 MHz-Band and the RFM12B is though, that they use FSK, which stands for frequency shift keying, instead of ASK (amplitude shift keying) or OOK (on off keying), the probably simplest form of wireless digital communication: The transmitter is either on (1) or off (0). And what you see in the screenshot above is exactly that. Actually there is a little bit more to it: The signal is encoded in manchester code, but that is irrelevant for the transmission itself, so I won’t go into it right now.

The point is, the original remote uses OOK and the RFM12B isn’t designed to do that. But luckily the RF12 lib has a function for that, so that shouldn’t be a problem.

So I adjusted my code to work with the RF12-lib, uploaded it to the ATMega and went to the garage once again, almost shivering with anticipation.

Standing at the gate I hooked up the battery and, what do you know, the damn thing opened!
IT WORKED! IT ACTUALLY WORKED!!!1 I finally built something that worked!
(wanted to quote Doc Brown there, but to say I invented it would be taking a
 bit too much credit)

My garage door remote

without the case

There is not much to it, just an ATMega 328 (which is total overkill for a task like this), the RFM12B, a button, an LED and a few resistors.