Hi all, I’m very new to the forum, having received my FLIPPER ZERO just a few days ago. I’m now struggling to find proper documentation regarding the subghz protocols. I own quite a number of CAME gates/garage doors, I recorded a few remotes both as “decoded” and plain RAW signal, and I’m trying to understand the structure/meaning of the RAW datas. I figured out something, yet many things are not clear. What is the meaning of the numbers collected? Are they “signal power levels”? Why some of them are negative? I tried hand-editing one of these RAW file just to discover that for the receiver to work I have to send the RAW code multiple times. It’s certainly funny to try, but it would be immensely useful having a datasheet where all of these information are explained, rather than going trough a non-productive trial-and-error process.
Are you aware of any repositories where to find these information?
Thanks!
Positive values mean send (1) and negative values mean don’t send (0).
Example:
RAW_Data: 2000 -1000 3000 would basically mean send for 2000 microseconds, wait for 1000 microseconds and then send for 3000 microseconds again.
The pulse graph would look something like this:
______________ _____________________
__| |_______| |__
2000 -1000 3000
You can upload your raw file at My Flipper to see a graph for your data.
Thank you very much for the quick, straightforward and much appreciated answer! This is very helpful.
Have a great day!
Hi man
I spent good time with CAME protocol and creating RAW files from the scratch. Let me know if you need any help
I would love to!
I have several CAME remote (at home, work, warehouse, parent’s house, etc) and my first attempt was to prepare one single RAW packet to open all the gates/garage doors.
Reading some RAW remotes files captured with my flippper zero I came across the following conclusions:
- the protocol needs an “initialization” sillence before the transmission of the code itself. From the recordings I have, it something like “-15100 320”. I experimented with shorter pauses, and “-10000 320” seems to work with reliability as well (haven’t tried with shorter ones);
- each line of RAW_DATA can store up to 511 “numbers”, but shorter will work as well (and helps me to keep the file ordered);
- zeros and ones are coded like “-350 650” (ZEROs) and “-700 300” (ONEs);
- originale CAME equipments needs the code to be repeated 4 times, while a different brand with same protocol needs the coded to be repeated only twice.
The resulting file is attacched here, yet “sometimes” I have to play it more than once because it looks like the receiver is missing the code.
Am I doing something wrong?
Did you came across similar conclusions?
Are your timings the same?
How many times do you repeat the code in your file (to be sure to be picked up by the receiver)?
Thanks a lot for your help!
Filetype: Flipper SubGhz RAW File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: RAW
RAW_Data: -15100 320 -700 300 -350 600 -700 300 -350 600 -350 600 -350 600 -700 300 -350 600 -350 600 -350 600 -350 600 -350 600 -15100 320 -700 300 -350 600 -700 300 -350 600 -350 600 -350 600 -700 300 -350 600 -350 600 -350 600 -350 600 -350 600 -15100 320 -700 300 -350 600 -700 300 -350 600 -350 600 -350 600 -700 300 -350 600 -350 600 -350 600 -350 600 -350 600 -15100 320 -700 300 -350 600 -700 300 -350 600 -350 600 -350 600 -700 300 -350 600 -350 600 -350 600 -350 600 -350 600
RAW_Data: -15100 320 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -700 300 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -700 300 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -700 300 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -700 300 -350 600 -350 600 -350 600 -700 300 -700 300
RAW_Data: -15100 320 -350 600 -350 600 -700 300 -350 600 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -350 600 -350 600 -700 300 -350 600 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -350 600 -350 600 -700 300 -350 600 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -350 600 -350 600 -700 300 -350 600 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -700 300 -700 300
RAW_Data: -15100 320 -700 300 -350 600 -350 600 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -700 300 -350 600 -350 600 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -700 300 -350 600 -350 600 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -350 600 -700 300 -700 300 -15100 320 -700 300 -350 600 -350 600 -700 300 -700 300 -350 600 -350 600 -350 600 -350 600 -350 600 -700 300 -700 300
Hey man! Exactly you got it in each point.
Now my numbers as follow
Initial period : -15078
Starting pulse : 321
Zero : -334 667
One : -664 343
Repetition : 5 ( 4 is enough but for sanity check I use 5)
Of course you can go up and down slightly with these numbers as you said, I never experiment with reduced initial period, but good to know that you can go lower.
Now as my purpose was to send multiple keys (All 12bit combination🙃) I found out that you need to add pause period between each key, not doing that It will cause some of the keys to dropped out (around 10-15% of the keys). I’m not sure if this is a limitation in flipper or the gate, but I think adding that to your RAW file will solve your problem with the gate missing out some keys.
I wrote a python script to generate RAW files for all possible combination, but as far as I know official developers doesn’t like bruteforce, which I completely understand.
My RAW file looks like that
RAW_Data: -50000 50000 (this is the lowest period you can use without key drop out, which is still confusing for me)
RAW_Data: -15078 321 -334 667 -334 667 -334 667 -334 667 -334 667 -334 667 -334 667 -334 667 -334 667 -334 667 -334 667 -664 343 (this is without Repetition)
Glad you shared your experience!
I still have one question: do you add the “pause line” in between repeating the same code, or only when you change to a new code?
Regarding the timing for the ONEs and ZEROs, I rounded the numbers so that the sum of the negative and positive numbers is exactly 1000, you know I still have the feeling that digital devices like exact timings!
Talking of the bruteforce attack, I think the Flipper Zero is pretty limited. To me, the whole point in a brute force attack that lasts several minutes is to find out the exact key, so that the next time I don’t have to repeat the whole process from start… but as I said, the Flipper Zero is pretty limited. What we would need is a interactive process that would let the user stop the sequence when the gate opens, and then start over with a new sequence closer from when it was stopped before, to refine the search. Some sort of scripting available for the flippernzero would be awesome.
Honestly, what I would do having available only the RAW files is to create a few of them (16? 32?) and then run them one by one. This way, when I find the good one for the gate I need to open, at least the next time I don’t have to go trough a 16 minutes sequence!
That said, is your python code able to generate the sequences with all the repetitions and necessary pauses? Can it be modified to generate partial sequences only (from number A to number B)?
If you could share it that would be great.
I can eventually provide an email address if you prefer not sharing here.
And thanks again for all the info: I hope to move to a new protocol soon!
The pause line between different keys only, so for example
Raw data: 1244…etc
Raw data: -50000 50000
Raw data : 58690… new key
Now for the 16 minutes thing, I have 3 different set of files, first one contains 1000 key in each file, second folder 500 key in each file, third one 100 key in each file. So I start with the 1000 key files, if the gate open I go to the second folder with the 500 key files, then I would go to the 100 file , eventually I will know exactly which file opened the gate but without knowing what is the exact key, as the file which contains 100 keys needs only 25 seconds to run which is not bad, theoretical you can go lower if you like ( 50 key in each file for example which will need 12 second to run) …hopefully I managed to explain it clearly.
The python script generate whatever sequence you need with 12…24bit or even more, add to that the output is .sub files which you need just to copy it to your flipper 
I’m willing to share the code.
Hey, here is the code, let me know if you need any help, its fairly simple and self explanatory
import pandas as pd
split = 1000 # split files according to the keys count (each 1000 in one file)
case = 0
for x in range(0, 4096): # 12bit = 4096 possibilities
binary = "{0:012b}".format(x) #with leading zeros
cmd = ['-15078 ', '321 ']
for char in binary:
if char == "0":
cmd.append('-334 ')
cmd.append('667 ')
if char == "1":
cmd.append('-664 ')
cmd.append('343 ')
joined = "".join(cmd)
Multijoined = joined * 5 #number of repetition
command = 'RAW_Data: ' + Multijoined
padding = "RAW_Data: -50000 50000 "
# split files according to the keys count (each 1000 in one file)
if (x % split) == 0:
case += 1
filecase = f'output{case}.sub'
with open(filecase, 'w') as f:
f.write("Filetype: Flipper SubGhz RAW File\nVersion: 1\nFrequency: 433920000\nPreset: FuriHalSubGhzPresetOok650Async\nProtocol: RAW\n")
# write keys to sub file
def writing(raw, filename, pad):
with open(filename, 'a') as f:
f.write(raw)
f.write('\n')
f.write(pad)
f.write('\n')
writing(command, filecase, padding)Thank you very much, can’t wait to try it!
I add all the files and the script to github
Your code runs very smoothly. It took me a while to test it because I’m on holidays these days with just my android tablet, and I had to figure out how to have python and all the necessary libraries installed. But the final result is worth all the work.
Hi man, I peeked the code you dropped in GitHub and it looks very clean (also, it does no longer need the pandas library, which was a real pain to install in my android tablet!).
I now see that the ALL the timings are VERY different… can I ask you where you find them out?
Ya it got updated multiple times, the original timing was 320, 640, and for the pilot period 36x320. But after some testing we found out it works just fine with 250. Add to that the pause period was not necessarily as it was a limitation to my testing device not the gate. The whole script now run in 4 minutes to test all possible combination
Very cool.
I missed the link in your GitHub repository to the following:
https://github.com/tobiabocchi/flipperzero-bruteforce#optimization
which contains very useful info for other protocols (NICE, Linear), and I’m pasting it here for other to find it more quickly than I did.
Ya this better version with multiple protocols, he optimised everything. I’ll stop updating mine soon and work with him if i found anything new.
I think I’ve found a bug in the signal plotter…
Look at this:
Filetype: Flipper SubGhz RAW File
Version: 1
Frequency: 433920000
Preset: FuriHalSubGhzPresetOok270Async
Protocol: RAW
RAW_Data: -512 +512 +512 -512 -512 +512 +512 -512 -512 +512 +512 -512 -512 +512 +512 -512 -512 +512 +512 -512 -512
It’s 010101010101 (Manchester)…low high,high low,low high, high low,…
I would expect _--__--__--_ and so on…
Instead I get plotted this: _ - _ - - _ and so on…
Signal plotter misunderstand the sequence…
Any idea?