How to brute force garage doors

I’m just confused about which Sub-GHz to use to brute force any garage doors (CAME 12bit 433MHz, NICE 12bit 433MHz, CAME 12bit 868MHz …), and what is the difference between all those different MHz?

Within the ISM Band the vendor of a wireless remote is free to choose a frequency, regulated by the law of the country.

If I want to sell my garage door opener worldwide, I need to choose a very specific frequency or build multiple transmitters for each country …

The flipper has only limited power, so if you add as much information as possible in the transmitted signal, it will decrease the runtime of the attack.

Imagine a password. If you try every single combination of an 8 character password, it will take a while. If you already know there are just numbers or just letters, the number of possible combinations will decrease.
I don’t think the flipper will be able to Brute Force every possible CAME variation, so you need to preset the frequency of your target.

Even if Brute Force is not very elegant.
I used it in the past, if the CFO again forgot to document the password for the annual report… And every year I was a little faster, because I knew how he combined his passwords.

There are smarter ways to get into the garage, if you already knew the type/frequency. Ask yourself what information you could also collect, with physical access.

4 Likes

The previous reply covered things pretty well except for one thing possibly lost in translation.

I think they meant something more like:

The Flipper can only generate a limited number of codes in a time period. When the codes are more complex or if you have to try the same code on multiple frequencies(MHz) it will take longer to brute force the code.

Flipper Sub gigahertz radio is capable of 300MHz to 928MHz but some frequencies are locked out for legal reasons based on the country you are in. Check what frequencies are legal in your country because those are the ones you need to focus on.

5 Likes

Hello, I am trying to brute force my garage door. I know it uses CAME 12bit 433.92mhz (I have cloned the transmitter, but I want to see if I can brute force it).

Do I just “Add Manually” in Subghz and use this protocol, will it then spam codes at the door until it opens? Or is there something more I need to do, to get this to work?

Thanks for your help

2 Likes

Add manually is the process you do to have the Flipper pretend to be a real remote. Then you would follow the pairing process your garage uses to add the Flipper as a real remote. It has nothing to do with bypassing any security. Brute force is a very different thing. You will want to look for one of the Brute force files on GitHub. There are many repositories with interesting stuff. Here is one of those that should contain what you want under SubGhz. I’m not linking directly to the section because I think it will be interesting to you to see what else is there. I’d encourage you to poke around.

This is another one specifically for IR codes.

1 Like

Thank you, I know what to do now, and lots of other cool stuff to play with here too :slight_smile:

1 Like

Maybe wanna check UberGuidoz collection, I think he made some CAMEbrute sub files you could play without using sub brute applications.

Yep I’ve been checking all that stuff out, got some of the IR stuff working, turned my AC on and off, and annoyed my wife by messing with the TV volume.

A weird thing happened when I tried the bruteforce on the garage door. The subghz command I have from copying my actual garage remote says CAME 12bit 433.92mhz, but I tried all the codes and none of them worked. Just on a whim I tried the 868.35 and strangely that did work, though it seems to have sent two signals because the door started to open and then immediately stopped.

Wonder why that happened.

Same! :laughing:

Best guess is you were very close to the remote and picked up a harmonic. Transmitters tend to resonate at multiple frequencies. They typically use filters to remove the harmonics but they don’t always do it well. Next capture put the Flipper in one hand and the remote in the other. Keep them apart at arm’s distance and retry the capture. I’m guessing you don’t live in the US and 868 is the real frequency.

1 Like

I wonder why this world has two highly popular frequencies differing almost precisely 2x. Does it make anything simpler, or does it only add to confusion?

As far as I remember from the CB time, the 433MHz frequency range is free to use in most countries. So a company can build one for all solutions without much licensing and yearly fee for each region.
When the transmitter sends with less than 10mW … But this is enough for most garage doors, gates, window blinds, …

The automobile industry has enough money and power to go through the registration process.

This band is very crowded/noisy. And the MCUs are more powerful, the oscillators more precise and the power sources more efficient. In short: today we can go higher.

And 868 is the first harmonic (I don’t know the exact translation of the German ‘oberton’). So I assume the law is extended at this frequency as well.

Just a thought.

1 Like

It might make the transmitters and receivers easier to produce. An IF mixer could double the frequency. The antenna would not need to be changed because the same antenna would be resonant on both frequencies. Then only software would need to be changed to turn the IF mixer on or off. A simple 1 or 0 in code would be enough.

We don’t use 868MHz as one of the free bands in the US. Instead we use a band in the 900MHz range just a little above. There is a nice table of ISM bands on Wikipedia.

We have our CB band way down in the 26MHz range. That gives it very different properties. It can skip if the weather is right and go 1000 miles easily although in normal conditions 6 miles is more common unless you have a very high antenna.

1 Like

Somehow didn’t think of it. Thanks for explanation.

1 Like

Good old times, when your phone was still located in a static place in your house. I had a 27mc box in one of my first cars, back then it was pretty cool :sunglasses:

I was wrong. The thing that worked was the sub that is called CAME_bruteforce_all.sub
But as mentioned, it sends, I think, two signals, so it opens the door but then stops again after a second or so.

This is where it gets interesting. I looked at this file, and it is 433 so that part was correct. What’s funny is I compared this “All” file to the 4096 (in theory, also “all”) file for 433 and they have the same amount of lines, but it’s not the same data.

So in theory neither of these files actually has the full range of codes to bruteforce the 433.

Suppose I take this “All” file and break it down into smaller files, that way I can narrow down which code is correct (which I guess is the point of the other files in there).

If someone who understands the content of these files a little better can explain to me why they are different I would be ever grateful :slight_smile:

UPDATE: The “ALL” file starts each chunk of codes with -11520, But the 4096 file that is supposed to be all 433 codes starts each chunk with -9000. Other than that each “piece” seems to be made of similar combinations of numbers.

1 Like
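Added example, not from the thread or the repositories it mentions: a small Python reader for the Flipper `.sub` RAW text layout, where negative `RAW_Data` values are off-times and positive values are on-times in microseconds. It splits the stream at long off-times and reports frequency, frame count, gap length and pulse widths, so two files can be compared by structure rather than by line count. The sample data is constructed, and the 5000 µs gap threshold and the function names are assumptions.

```python
from collections import Counter

# Constructed sample laid out like a Flipper SubGhz RAW file; timings are illustrative.
SAMPLE_A = """Filetype: Flipper SubGhz RAW File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: RAW
RAW_Data: -11520 320 -640 640 -320 320 -640 -11520 320 -320 640
RAW_Data: -640 320 -640 -11520 640 -320 640 -320 320 -640
"""
SAMPLE_B = SAMPLE_A.replace("-11520", "-9000")  # same frames, shorter leading gap

def parse_sub(text):
    """Return (header dict, flat list of signed durations in microseconds)."""
    header, samples = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if key.strip() == "RAW_Data":
            samples.extend(int(tok) for tok in value.split())
        elif sep:
            header[key.strip()] = value.strip()
    return header, samples

def summarize(text, gap_us=5000):
    """Split at off-times of gap_us or longer and describe the file's structure."""
    header, samples = parse_sub(text)
    gaps, frames, current = Counter(), [], []
    for s in samples:  # frames may span RAW_Data lines, so work on the flat list
        if s < 0 and -s >= gap_us:
            gaps[-s] += 1
            if current:
                frames.append(current)
            current = []
        else:
            current.append(s)
    if current:
        frames.append(current)
    return {
        "frequency_hz": int(header.get("Frequency", 0)),
        "frames": len(frames),
        "gap_us": sorted(gaps),
        "pulse_widths_us": sorted({abs(s) for f in frames for s in f}),
    }

def differing_fields(text_a, text_b):
    """Names of the summary fields on which two files disagree."""
    a, b = summarize(text_a), summarize(text_b)
    return sorted(k for k in a if a[k] != b[k])
```

Because frames are counted after flattening all `RAW_Data` lines, two files with the same number of lines can still report different frame counts or gaps.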

Are you specifically trying to brute CAME devices? What do you want to brute-force? On what bandwidth, what modulation type? Is it ASK/OOK/FSK etc…? Can you explain something more about the target device you are testing?

I am trying to bruteforce my garage door. I’m fairly certain its a CAME 12bit 433mhz, that’s about all I know.

1 Like

If it is really a 12bit bitshift register ASK it should be easy to trigger it.

https://drive.google.com/drive/folders/17WNjPZygFVRjpYoDHf7iVchta0zUtbCz?usp=sharing

Try the 433mhz subs from that gdrive, if it is bitshift 12 bit retro it should work (the 16bit ask one), otherwise you would want to try an application that is able to do this, there are multiple githubs that offer these applications specifically for things like this including multiple CAME implementations.

1 Like

What about this thing? Its median is 915 but 905-925, I believe 2FSK-F1D
