[Protocol Request] [Manual Remote Add] Linear Garage Door Remotes

Hello all! I would like to request that the protocols be added for the Linear 318MHz garage door openers for the “Add Manually” function.

After some struggles with the Linear 318MHz openers, I have been able to get the “Read” function to work on the remotes. If anyone else is struggling to get it working, I have found the following settings work well:

  • Freq: 318MHz
  • Modulation: AM270

Then you have to hold the button on the remote for around 4-5 seconds. This opener stops broadcasting as soon as you release the button and the Flipper seems to need a good sample to read it.

Now the FCC ID on this is EF4-DNT00089 and the openers operate on 318 MHz using the MegaCode format. All openers I have read indicate that only the last 6 digits of the key are being utilized (ex. Key: 00 00 00 00 00 25 25 25).

So the request I have is just adding a new Linear format to the “Add Manually” function of Sub-GHz. Right now there is just “Linear 300MHz”, but these garage door openers do not work on that frequency. There is also no other option in “Add Manually” that works on this frequency.

In the meantime, for anyone else wishing to add control of a Linear system that operates on 318MHz without rolling codes, download the file I have attached to this post. Then open it in a text editor and randomize the last 6 digits of the key (ex. Code Key: 00 00 00 00 00 00 00 00 → Key: 00 00 00 00 00 34 69 42). Rename the file to whatever you please and then upload it onto the Flipper’s SD Card under subghz. Now press the “Learn” button on your opener and then emulate your new Linear opener from the Flipper. The “Learn” light should turn off on the opener and then you should have a newly programmed remote for your opener.
Linear_318MHz_Template.sub (161 Bytes)

3 Likes

Very cool. Have you attempted to edit anything outside the last 6 digits just to see if it still works? I wonder if the rest of the code space is usable but they lazily increment the codes instead of randomizing them as proper security practices would dictate. Incrementing is a common flaw in databases that has been exploited.

I have attempted using all bits and it seems to still work. I don’t know if the opener actually cares about all the bits though. I want to say it does though, I did try editing all the 00’s in a working key to something else and then emulating it and the door did not open.

As for incrementing, I am fairly sure that is not the case. From reading up on documentation on Linear openers, they essentially set a “random” code from the factory that is non-changeable by the user. The learn function on the opener pretty much just listens for the next device to transmit a key in the right format on the right frequency and then stores that in a sort of “Allowed Devices” list. No dip-switches to match, no having to get a special remote made if you lose yours, etc. I just wish it had a way to delete a specific remote from that list rather than wiping it all away.

For unsecure openers, this is actually not too bad of an end user experience but in some ways is less secure than dipswitches.
Pros:

  • You can add a remote with no real technical knowledge or finding something small to fiddle with dipswitches
  • You could grant someone temporary access pretty easily without them needing a different remote (as long as the one they have is MegaCode on 318MHz). Press learn, press the button on their remote, clear all remotes to revoke access and add yours back.
  • Works with almost any universal openers including the ones built into cars
  • Can have as many remotes as you may need

The cons list outweighs any of this from a security standpoint. The big one is that the learn button is easily accessible and the programming of it is so easy and quick. With less than 2-3 seconds spent in the garage, I can walk out with a working remote. All you need to do is walk in, click the button and walk out. While you’re walking away, click the button on your remote (or emulate one you made for the Flipper) and you now have a working remote with no one being the wiser.

I have discovered something interesting though: there is also a code that can be sent that turns the light on/off. I won’t share the code as my testing has indicated that it is not universal, but I stumbled on it while trying to brute force my own door.

Comparing the light code to the open code:

| Info | Opener | Light |
|---|---|---|
| Type | MegaCode 24bit | Same |
| Freq. | 318MHz | Same |
| Mod. | AM650 | AM650 |
| Key | *27 24 22 | *27 24 24 |
| Sn | Same on Each | Same on Each |
| Facility | 0 | 0 |
| Btn | 1 | 3 |

* Not my actual codes, just shows that the difference between the actual codes is only +02 on the last segment.

I do not know if the fact that the key is only different by the last bit being +02 of the opener is in any way actually related. I think it is, but I haven’t fully figured it out yet. When clearing the opener’s memory, emulating the light control does not work, but when I add the remote that is similar to the light control, then it works again. I tried duplicating and editing another opener file for the garage to add +02 to the last segment of the key, but that did not work. The only other difference is the Facility and Btn numbers being different, but I am not sure how to change those in the .sub file.

2 Likes

Thanks for all the detail. I have been reading up on car fobs and those chips use a horrible process for removing remotes. They have four memories with a first in first out protocol. The chip just writes to the next memory slot. If you have three fobs and you lose one the only way to get rid of the lost fob is by writing over it. So they recommend putting the car into learning mode and relearn both remotes twice.

My pleasure, just trying to share my findings and knowledge to everyone as we journey through discovering our world via the Flipper!

And yes, cars are a whole different beast, especially if you don’t have fancy dealer tools. Pro tip on the cars: on many you can resync a known remote to a car by sticking the key in the ignition, turning it to “On” (but not start) and then holding the lock or unlock button until you hear a beep, see an indicator on the dash, or hear the locks actuate. I may have accidentally desynced my girlfriend’s car key playing with my Flipper which necessitated my learning of this process :)

3 Likes

LOL, I’ve seen a lot of people do that and ask how to fix it. I’m thinking about trying to acquire a few of the chips they put in the cars and the fobs for research. I believe I could even make a Flipper add on board that would allow it to be used as a key fob. I would prefer to implement everything in code without an additional board but I’m not sure if I have the skill to do that.

If you do ever figure that out, I would love to hear about it and how to do it myself! Being able to use the Flipper Zero as a backup car key would be awesome! I know the devs are hesitant to add support for car key protocols since they can be used for illegal purposes, but I don’t see the risk of adding it only in a way where we can program our keys to a car the same way factory keys get programmed.

As for acquiring the chips, I hope that’s possible. If you can use programmed chips for your purposes, you could buy some replacement fobs from eBay, but I wouldn’t be surprised if the manufacturers of the chips lock down who can purchase them.

1 Like

There is no illegal application for what I’m researching that you couldn’t accomplish easier with a legitimate key fob so there are no moral quandaries. If I have to I can pull the chips from old broken fobs. I only need a few.

1 Like

I came across your post yesterday and thought it’d be fun to reverse engineer the protocol from scratch just for fun, since I have lots of different models of Linear transmitters and receivers lying around.

I’m sure someone has done this already. But I just wanted to post this for others that may be interested in the protocol.

I’m sure someone will read this and disagree with the formula I came up with. Or the processes I used to come up with it. But it seems to work properly.

I don’t know much about coding. But I kind of hope maybe someone finds my formula useful. Or may be able to use it to somehow implement a way to selectively manually add remotes directly on the Flipper based on decimal numbers for facility code, transmitter, and button.

This may be helpful if someone needs to generate a key without internet access as well as understand how a Linear MegaCode key can be generated.

How to use Google Sheet to automate the calculations and conversion of Linear MegaCode to hex.

01] Copy the formula into any cell other than A3 or B3 or C3. (e.g. D3)
	
	=DEC2HEX((SUM(B3*8)+8388608)+(A3*524288)+C3)

02] Then enter a facility code into cell A3. (e.g. 3)
03] Then enter a transmitter number into cell B3. (e.g. 17316)
04] Then enter a button number into cell C3 (default button number for a single button remote is 2)
05] If configured correctly 9A1D22 should be displayed in cell D3
06] Done -- make or edit file using the generated key 9A1D22

---->
Filetype: Flipper SubGhz Key File
Version: 1
Frequency: 318000000
Preset: FuriHalSubGhzPresetOok650Async
Protocol: MegaCode
Bit: 24
Key: 00 00 00 00 00 9A 1D 22
---->
=DEC2HEX((SUM([Transmitter number]*8)+8388608)+([Facility code]*524288)+[Button number])

Manually calculate

(e.g 1) a transmitter with the number 17316 and a facility code 3 Button 2.

01] To convert Facility number to hex use formula (math in DEC)---->  (( 17316 * 8 ) + 128 ) = 152
02] To convert transmitter number to hex use formula (math in DEC)-->  (( 17316 * 8 ) + 2 ) = 138530
03] Now convert the facility number 152 from step one to HEX. You should get -------> 98
04] Now convert the transmitter number 138530 from step two to HEX. You should get --> 21D22
05] Now when the two numbers are combined we see ---> 98 21D22 that's seven digits. But six is needed.
06] So to shrink seven digits down to six. Take the last digit of the facility code (8) and first digit of transmitter (2) and add them together (remember this math is HEX)--> 8 + 2 = A
07] Now take the number generated in step six and replace the last digit of the facility number (remember this is HEX)---> 9A
08] Now append the leftover digits of card number (this is HEX) --> 9A 1D 22
09] To complete the key, append ten zeros before the number generated. Make sure there is a space after every two digits. --->   00 00 00 00 00 9A 1D 22
10] Done - create or modify file 

Note: If card and facility are less than 6 then fill the digit between facility code and transmitter code with 0’s
(e.g. Transmitter 1, Facility 0, Button 2 = 80A. 80 is the facility, A is the transmitter. So to correct it, it would be 80 00 0A)

Optional:
If a button other than 2 is desired the last digit can be changed by adding or subtracting the list digit. (0-7) (Two is factory default for single button transmitters)

B1] To change button to 1 subtract 1 from the last digit (this is HEX)  ---> 00 00 00 00 00 9A 1D 21
B2] To change button to 2 leave the last digit alone (this is HEX)  -------> 00 00 00 00 00 9A 1D 22
B3] To change button to 3 add 1 to the last digit (this is HEX) -----------> 00 00 00 00 00 9A 1D 23
B4] To change button to 4 add 2 to the last digit (this is HEX) -----------> 00 00 00 00 00 9A 1D 24
B5] To change button to 5 add 3 to the last digit (this is HEX) -----------> 00 00 00 00 00 9A 1D 25
B6] To change button to 6 add 4 to the last digit (this is HEX) -----------> 00 00 00 00 00 9A 1D 26
B7] To change button to 7 add 5 to the last digit (this is HEX) -----------> 00 00 00 00 00 9A 1D 27
1 Like

What does this mean? I’m trying a python implementation.

If a button other than 2 is desired the last digit can be changed by adding or subtracting the list digit.

What’s a "list digit"?

(0-7) (Two is factory default for single button transmitters)

Here is a quick implementation in python

# Python implementation 2023 jmr based on the work of Justin_T
# Inspired by AdvJosh and his research
# Linear garage door remotes calculator
# We would love to see it ported to the Flipper
# Fill out the following variables
# Enter a facility code
fc = 3
# Enter a transmitter number. (e.g.17316).
tn = 17316
# Enter a button number (0-7) (default button number for a single button remote is 2)
bn = 2
# Leave this alone unless you need a different frequency
# in MHz
frequency = 318


# DON'T TOUCH ANYTHING BELOW
frequency = frequency * 1000000


# If a button other than 2 is desired the last digit can be changed by adding or subtracting the list digit.


# Filetype: Flipper SubGhz Key File
# Version: 1
# Frequency: 318000000
# Preset: FuriHalSubGhzPresetOok650Async
# Protocol: MegaCode
# Bit: 24
# Key: 00 00 00 00 00 9A 1D 22

# Original formula
# =DEC2HEX((SUM(B3*8)+8388608)+(A3*524288)+C3)


dec2hex = (((tn*8)+8388608)+(fc*524288)+bn).to_bytes(8, "big").hex(" ").upper()

print("Filetype: Flipper SubGhz Key File")
print("Version: 1")
print("Frequency: " + str(frequency))
print("Preset: FuriHalSubGhzPresetOok650Async")
print("Protocol: MegaCode")
print("Bit: 24")
print("Key: " + str(dec2hex))
1 Like

the last digit to the hex value. So in the example I used 9A 1D 22.

9A 1D 21 = button 1
9A 1D 22 = button 2
9A 1D 23 = button 3
9A 1D 24 = button 4
9A 1D 25 = button 5
etc.

1 Like

That makes sense. The code seems to do that just fine. From what you wrote I believe the options are 0-7. The equation seems pretty simple to emulate programmatically. It also sounded like this might work with more than just garage doors. I need to get back into C programming so I can create Flipper apps. Great work figuring this out!

That’s Awesome!

I ran your code and tried 15 or so different Tr, Fc, button combinations and it’s printing out properly for mimicking all the handheld Linear MegaCode transmitters available on the market that I know of.

One thing I noticed I didn’t take into consideration with the formula is the boundaries needed for this formula to also mimic the Linear MegaCode wireless keypads. But that may be a few days before I’m able to figure out the rest of the formula for that. I’m kind of on the fence about publicly publishing that portion of the formula once I figure out how to get it implemented into this existing formula.

The benefit of appending the boundaries in the formula would be that it keeps all the potential handheld code combinations in check within a single formula that can be used anywhere, without external conditions or coding. But would also automatically calculate the wireless keypad Hex also.

1 Like

Here is one last version on github for easy modification by others. The changes include a simple cleanup, a better user interaction, and the ability to save a sub file. The file will save to the same directory as the python program currently. I have no idea if I will continue to work on this version but there are some interesting things that could be done to improve it like saving the file directly to a Flipper and expanding the functions as mentioned in the post above.

1 Like

Nice job. That’s definitely cleaner to use. It took me a long minute to find the saved file buried in vscode. But I found it.
I hope you or others are able to be utilized maybe elsewhere.
I’ll work on getting the rest of the formula figured out. It may be a few days before I have time to work on it again.

1 Like

To answer the comment about this protocol being used for more than garage doors: the answer is yes, this protocol is implemented in all kinds of products, not just under the Linear brand. Everything from residential light switches and wireless entrapment sensors to commercial access control systems.

1 Like

After a little more testing my formula actually already works to mimic wireless keypad. So your program as is is fully functional beyond any MegaCode hex generator available. Because all other generators cap out at 65535.

To mimic a MegaCode wireless keypad, the FC needs to be 0 and Btn needs to be 1. Then an entry code between 1 and 999999 can be used in place of Transmitter number.

1 Like
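
An added example, not code from any post in this thread: the posted formula read as a bit layout, with the range checks the spreadsheet and script leave out and a decoder for checking what a saved file's Key line contains. The field widths and the names `encode`, `decode`, `key_line` and `parse_key_line` are assumptions inferred from the formula's constants, not a vendor specification; the decoder goes one step beyond the thread.

```python
# Added example, not code from the thread. Field layout is inferred from the
# constants in the posted formula; it is not taken from a vendor specification.
START_BIT = 0x800000   # 8388608: bit 23 is always set
FC_SHIFT = 19          # 524288 == 1 << 19, facility code in bits 19-22
TN_SHIFT = 3           # "* 8" == << 3, transmitter number in bits 3-18
TN_MAX = 0xFFFF        # 16 bits available below the facility field
KEYPAD_MAX = 999999    # entry-code limit stated in the thread


def encode(fc, tn, btn, keypad=False):
    """24-bit key as int: tn*8 + 8388608 + fc*524288 + btn, with range checks."""
    if not 0 <= btn <= 7:
        raise ValueError("button must be 0-7")
    if keypad:
        # Thread's keypad rule: FC 0, Btn 1, entry code 1-999999.
        if fc != 0 or btn != 1 or not 1 <= tn <= KEYPAD_MAX:
            raise ValueError("keypad keys need fc=0, btn=1, code 1-999999")
    elif not (0 <= fc <= 15 and 0 <= tn <= TN_MAX):
        # A larger tn would spill into the facility bits and change fc.
        raise ValueError("fc must be 0-15 and tn 0-65535")
    return START_BIT + (fc << FC_SHIFT) + (tn << TN_SHIFT) + btn


def decode(key):
    """Split a 24-bit key into (facility, transmitter, button) bit fields."""
    if not START_BIT <= key <= 0xFFFFFF:
        raise ValueError("not a 24-bit key with the top bit set")
    return (key >> FC_SHIFT) & 0xF, (key >> TN_SHIFT) & TN_MAX, key & 0x7


def key_line(key):
    """Format as the 8-byte 'Key:' value used in the .sub file above."""
    return key.to_bytes(8, "big").hex(" ").upper()


def parse_key_line(line):
    """Read 'Key: 00 00 ... 22' from a .sub file back into an int."""
    label, _, value = line.partition(":")
    if label.strip() != "Key":
        raise ValueError("not a Key line")
    return int.from_bytes(bytes.fromhex(value.strip()), "big")


if __name__ == "__main__":
    k = encode(3, 17316, 2)                      # the thread's worked example
    print("Key:", key_line(k), decode(k))
    # A keypad entry code above 65535 occupies the facility bits as well.
    print(decode(encode(0, 999999, 1, keypad=True)))
```

Decoding also shows why a +02 on the last byte of a key changes only the button number: under this layout the button is the low three bits of the key.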

Cool! I’ll update some prompts. My focus now will be porting this to a C library that can be included in a Flipper app.

My abilities in C are very limited. I’ve forgotten so much since I last used it. Practically starting from scratch.

Thanks to the following authors for the hex translation code.
Decimal to Hexadecimal in C - Sanfoundry

1 Like

I updated the python repo to guide the user through the keypad generation process.

1 Like