ICT 433MHz Transmitter

puffyfish · August 31, 2022, 1:36pm

I see, sadly I don’t have access to a sdr, maybe I’ll get one soon and continue this thread. But I appreciate the help y’all have provided

puffyfish · August 31, 2022, 3:17pm

Found some more info about the k110B3 chip.
It looks like it appeared in a car remote: key problem | Peugeot Forums
And in that forum the person included the datasheet!
infineon-tdk5100-ds-v01-01-en-2802267.pdf (616.1 KB)

And based on the pinout and the PCB it looks like all the ASK pins are disconnected, so it seems like it indeed is operating on FSK

SkorP · August 31, 2022, 4:18pm

very strange chip) but it’s still unclear what the deviation of the signal is

puffyfish · August 31, 2022, 4:29pm

Ok, I placed an order for an SDR, hopefully should have more results in coming days.

Peppy_on_Tour · August 31, 2022, 6:43pm

Typical deviation for this Chip is 30khz.

Spildit · August 31, 2022, 7:23pm

Would you be able to provide a Custom_preset for the 30khz deviation, 2-FSK ? Maybe @puffyfish can try that ?

Peppy_on_Tour · September 1, 2022, 4:29am

#2-FSK 200khz BW / 135kHz Filter/ 12.69Khz Deviation + Ramping
Custom_preset_name: FSK12k
Custom_preset_module: CC1101
Custom_preset_data: 02 0D 03 47 08 32 0B 06 15 30 14 00 13 00 12 00 11 32 10 A7 18 18 19 1D 1D 92 1C 00 1B 04 20 FB 22 17 21 B6 00 00 00 12 0E 34 60 C5 C1 C0

#2-FSK 200khz BW / 135kHz Filter/ 25.39Khz Deviation + Ramping
Custom_preset_name: FSK25k
Custom_preset_module: CC1101
Custom_preset_data: 02 0D 03 47 08 32 0B 06 15 40 14 00 13 00 12 00 11 32 10 A7 18 18 19 1D 1D 92 1C 00 1B 04 20 FB 22 17 21 B6 00 00 00 12 0E 34 60 C5 C1 C0

#2-FSK 200khz BW / 135kHz Filter/ 31.73Khz Deviation + Ramping
Custom_preset_name: FSK31k
Custom_preset_module: CC1101
Custom_preset_data: 02 0D 03 47 08 32 0B 06 15 42 14 00 13 00 12 00 11 32 10 A7 18 18 19 1D 1D 92 1C 00 1B 04 20 FB 22 17 21 B6 00 00 00 12 0E 34 60 C5 C1 C0

Here are my custom presets for narrow FM. one of these should work.

Rgds - Marco.

Spildit · September 1, 2022, 7:46am

Very cool ! Thanks for sharing that !

puffyfish · September 2, 2022, 2:06am

Got the SDR in the mail today. Heres what im seeing for RF spectrum:
Screen Shot 2022-09-01 at 9.25.46 PM
So it looks like its 2FSK.

My understanding is that deviation is peak to peak? In which case is 33Khz
Included recording from SDR
sample.wav.zip (3.2 MB)

Tried these two configs, but still nope (maybe i wrote it wrong or the calculated deviation wrong?):
#2-FSK 200khz BW / 135kHz Filter/ 34.91Khz Deviation + Ramping
Custom_preset_name: FSK34k
Custom_preset_module: CC1101
Custom_preset_data: 02 0D 03 47 08 32 0B 06 15 43 14 00 13 00 12 00 11 32 10 A7 18 18 19 1D 1D 92 1C 00 1B 04 20 FB 22 17 21 B6 00 00 00 12 0E 34 60 C5 C1 C0

#2-FSK 200khz BW / 135kHz Filter/ 38.08Khz Deviation + Ramping
Custom_preset_name: FSK38k
Custom_preset_module: CC1101
Custom_preset_data: 02 0D 03 47 08 32 0B 06 15 44 14 00 13 00 12 00 11 32 10 A7 18 18 19 1D 1D 92 1C 00 1B 04 20 FB 22 17 21 B6 00 00 00 12 0E 34 60 C5 C1 C0

SkorP · September 2, 2022, 6:13am

the deviation is calculated as follows, the channel width between the peaks /2

SkorP · September 2, 2022, 7:07am

Record in SDRSHARP long button presses for 10+ seconds. and everything will be clear

puffyfish · September 2, 2022, 2:44pm

Recorded IQ file with the baseband recorder in SDRSharp (10s long button press), file is too large so zipped and uploaded to dropbox: Dropbox - 10-31-59_434000000Hz.zip - Simplify your life

Spildit · September 2, 2022, 6:31pm

Try to READ with flippern now … but use 434.000 mHz instead of 433.900 …

Peppy_on_Tour · September 2, 2022, 6:31pm

This is clearly keeloq protocol

Spildit · September 2, 2022, 6:32pm

I don’t understand much about this but to start i would try to use flipper on the correct frequency … If it still doesn’t READ even with the correct frequency and deviation so there is some difference on the protocol that doesn’t allow flipper to correctly parse the package.

puffyfish · September 2, 2022, 6:47pm

Nice, got it to work,

Added 433 and the following config for deviation:

#2-FSK 200khz BW / 135kHz Filter/ 15.86Khz Deviation + Ramping
Custom_preset_name: FSK15k
Custom_preset_module: CC1101
Custom_preset_data: 02 0D 03 47 08 32 0B 06 15 32 14 00 13 00 12 00 11 32 10 A7 18 18 19 1D 1D 92 1C 00 1B 04 20 FB 22 17 21 B6 00 00 00 12 0E 34 60 C5 C1 C0

It is reading as “KL Unknown”

Peppy_on_Tour · September 2, 2022, 7:19pm

Perfect so it is fm and keeloq. But keeloq unknown, so the correct manufacturer key is not in your keystore.

SkorP · September 2, 2022, 8:31pm

that’s what I said, the flipper can do everything, it just needs to be directed in the right direction. write me a Raw file and I will check it against my databases

puffyfish · September 2, 2022, 8:51pm

thanks,

I did 10 button presses, each for 1second:

RAW_1.sub (147.2 KB)

puffyfish · September 3, 2022, 1:16am

Some weird updates, I used a firmware that will remain unnamed to capture the key and replay it.
I was able to open up my gate every single try… It looks like although the remote is using Keeloq, the receiver doesn’t seems to implement any sort of hopping???
I dont know if this is generalizable to all these ICT remote…
Anyone have any ideas?