Request to support Chamberlain (rolling code)

FlipThis · May 20, 2022, 5:43pm

I can only post 2 links. I modified my external links and posted the raw captures and the PCB picture in comments.

Frequency: 315MHz, 390MHz
Modulation: Amplitude Modulation (AM)
FCC ID: HBW7964 (link 1)
IC: 2666A-7964 (link 2)

Device Model: 953EV/EVC
Manufacture Date: 02/15
Other Information:

3 buttons
Link below contains information for decoding Sec+ 1.0 and 2.0. (link 3)
Only capturing for 315MHz because 390MHz seems to only be for legacy devices (link 4)

Auto Hopping Read

Button 1 - Tied to Chamberlain garage door motor
Security+ 1.0 42b 315AM
key: 0x917E94EF0000A578 ## This changes at different points in time
id1:1 id0:1 Btn:left
Sn:0x056380C6
Cnt:0xA578 ## This changes at different points in time
Sw_id:0x1

Button 2 - Not tied to anything
Security+ 2.0 62b 315.00 AM ## This seems to do both 315MHz AM and 390MHz AM
Pk1:0x3C045F2FB714 ## This changes at different points in time
PK2:0x3D105753A3D0 ## This changes at different points in time
Sn:0x7F84B164 Btn:0x21
Cnt:0xE500055 ## This changes at different points in time

Button 3 - Not tied to anything
Security+ 2.0 62b 315.00 AM ## This seems to do both 315MHz AM and 390MHz AM
Pk1:0x3C282C125BB2 ## This changes at different points in time
PK2:0x3D06AE335EAD ## This changes at different points in time
Sn:0x7F84B164 Btn:0x20
Cnt:0xE500050 ## This changes at different points in time

Links:
Link 1 - FCC ID Info:

Link 2 - Industry Canada Info:
[https://]industrycanada[.co]/2666A-7964

Link 3 - Chamberlain Sec 1.0 and 2.0 Reverse Engineered:

Link 4 - Chamberlain Frequencies:
[https://]support.chamberlaingroup[.com]/s/article/How-to-get-my-old-garage-door-opener-on-the-same-frequency-as-my-new-opener-1484145611617

Attachments:
Garage Remote Board.jpg - This is a picture of the garage remote PCB
Button1.sub - Raw capture of button associated with my garage door. Physically labeled with a 1 on the button.
Button2.sub - Raw capture of button 2. Not associated with anything. Physically labeled with a 2 on the button.
Button3.sub - Raw capture of button 3. Not associated with anything. Physically labeled with a 3 on the button.

FlipThis · May 20, 2022, 5:45pm

Button1.sub (34.4 KB)

FlipThis · May 20, 2022, 5:46pm

Button2.sub (62.4 KB)
Button3.sub (62.4 KB)

SkorP · May 20, 2022, 6:01pm

I felt that you would ask for it, and I already did.

or what do you want from me?

FlipThis · May 20, 2022, 6:06pm

Well, damn. I am new to the community and I had no idea that all my requests would be done before I asked for them!

FlipThis · May 20, 2022, 6:53pm

I see this was committed to the dev branch. The DFU link created by the Github actions bot leads to a 404 page. So I upgraded to the dev branch on my flipper and it does not seem to work? I cannot save the frequency. It still shows locked.

Was this actually implemented on the dev branch?

Sorry, if I am missing something obvious. I am new.

SkorP · May 20, 2022, 7:27pm

flipper is a mega creation that can predict the desire of ordinary people. yes DEV have everything

FlipThis · May 20, 2022, 11:48pm

Hey sorry to bother you again. It looks like even when I pull the Dev branch it still does not learn my garage code. Security+ 1 & 2, may be implemented but I am still not able to use my garage door opener via the flipper.

Astra · May 21, 2022, 12:17am

You cannot save rolling codes, only read them. This is a legal limitation and we’re not going to remove it.

export · May 21, 2022, 8:37am

Accepting that it is necessary, I am curious to learn more about why this restriction is implemented in this place specifically. Is there a particular law or regulation that prohibits storing dynamic codes? Or do dynamic sub-GHz codes enable / block particularly (legally or morally) hazardous use cases?

I realize this won’t change in official builds: I’m really just interested to benefit from the team’s research into the legal (or moral?) landscape here—so any background you can share would be most welcome!

Astra · May 21, 2022, 12:13pm

In short, rolling codes are still considered secure and are used in a lot of places. Enabling the ability to send them will open the door to a ton of possible misuse cases and possibly legal troubles for us afterwards. This does not apply to static codes, as right now they’re almost universally considered insecure.

So no, there’s no particular law about that, but if someone hacks someone else’s garage and steals all their stuff it may cause a lot of trouble for us, so we’d rather stay on the safe side

FlipThis · May 21, 2022, 7:28pm

It is not my intention to press the issue. Since I am able to have a conversation with one of the developers, I feel like it would be a waste to not at least ask. I really appreciate your time by the way Astra and SkorP.

Does their need to be a complete ban on rolling codes? Instead of cloning a garage door opener, what about going through the learning process to pair the device as an original remote? The flipper zero is just a smarter universal remote and should not carry additional liability. I understand there is effort that goes into something like that, but if there was a patreon or something people would pay.

There are not enough RF experts like you guys around. I want to support this project however possible. I am sure I am going to get some response in the negative about rolling codes, which is fine. If anything you get from this comment, please open a patreon. I want to continue to support the project even if the only way I can is through monetary donations.

Astra · May 21, 2022, 10:47pm

You can actually generate a random sendable dynamic signal on your Flipper via the “Add Manually” function, and then pair that to your garage as you would any other fob. The problem is capturing someone else’s key code and using it.

FlipThis · May 21, 2022, 11:38pm

I can logically follow that, but not sure how to technically implement. I will try a few things and see what I can break.

Thank you for your time.

digitalcircuit · May 23, 2022, 3:42am

I appreciate you asking, as I was unsure of this as well. Given the clarification (new random remotes are okay, cloning is not), I’ve filed an issue on the Flipper Zero firmware repository to help track this:

github.com/flipperdevices/flipperzero-firmware

subghz: "Add Manually" menu missing Security+ 1.0/2.0 protocols

opened 03:40AM - 23 May 22 UTC

digitalcircuit

feature request

**Is your feature request related to a problem? Please describe.** In the SubGh…z app, the `Add Manually` menu doesn't include the option to create new/random Security+ 1.0 or 2.0 remotes. [According to what's been shared on the Flipper forums](https://forum.flipperzero.one/t/request-to-support-chamberlain-rolling-code/3157/13 ), this should not be a legal issue since it's creating a unique remote to train with your garage door opener, much like buying a new replacement remote from a store. **Describe the solution you'd like** The SubGhz app gains support for creating random Security+ remotes [alongside existing dynamic code generation](https://github.com/flipperdevices/flipperzero-firmware/blob/f04d0eea9683d45cea6b8761f4598fcbf07e023d/applications/subghz/scenes/subghz_scene_set_type.c#L11-L24 ). **Describe alternatives you've considered** * Creating a new static (non-dynamic) remote code and teaching that to the garage door * Static codes are a security risk **Additional context** Access the menu via Flipper desktop → `OK` button → `Sub-GHz` → `Add Manually`. The relevant patents as mentioned in [a Security+ reverse-engineering repository](https://github.com/argilo/secplus ) are either [expired for Security+ 1.0](https://patents.google.com/patent/US6980655B2/ ) or [abandoned for Security+ 2.0](https://patents.google.com/patent/US20110317835A1/ ), so creating *new/unique* remotes (again, **not** cloning existing remotes) seems unlikely to be an issue. I am not a lawyer though.

EDIT: Apologies, I misunderstood the distinction here between random but still static and random and dynamic/rolling code. This issue isn’t valid.

export · May 23, 2022, 8:36am

Thanks—this is actually an extremely helpful clarification. If I understand you correctly, the issue is, at least in part, that rolling codes are often a best-available (albeit far from ideal) security technology. In view of this, the optics of stock firmware that readily captures and clones such codes are poor, especially when the feature would serve little educational or research purpose above and beyond the extant capture and decode capabilities.

Is this a fair way to characterize why the line was drawn here, even while emulating a variety of other RFID, NFC, 1-wire, and sub-GHz technologies?

(And again, just to underscore the point, I do not mean to implicitly push back on the team’s doubtless well-informed judgment here. It is simply a question of improving my own understanding!)

Astra · May 23, 2022, 8:55am

Yes, because for other technologies there are existing popular tools for their bypass/cloning/emulation (proxmark3, iKey, etc), but for the rolling codes this was mostly limited to a very niche group of codegrabbers, and we don’t want to expand that group.

jason_meredith · May 23, 2022, 4:44pm

haha “will open the door…” well this is what I was here to find out… bummer.

SkorP · May 26, 2022, 5:39pm

github.com/flipperdevices/flipperzero-firmware

SubGhz: Сreating and delivering Security+ 2.0

flipperdevices:dev ← flipperdevices:skorp/security_plus_2_0

opened 03:48PM - 26 May 22 UTC

Skorpionm

+649 -150

# What's new - SubGhz: Сreating and delivering Security+ 2.0 - SubGhz: fix m…essage error - Unit_test: add Security+ 2.0 encoder # Verification - Сompile and download, create a new remote control with the Security+ 2.0 protocol and test the emulation by linking it to the garage door operator # Checklist (For Reviewer) - [ ] PR has description of feature/bug or link to Confluence/Jira task - [ ] Description contains actions to verify feature/bugfix - [ ] I've built this code, uploaded it to the device and verified feature/bugfix

github.com/flipperdevices/flipperzero-firmware

SubGhz: Сreating and delivering Security+ 1.0

flipperdevices:dev ← flipperdevices:skorp/security_1_0_tx

opened 08:34AM - 24 May 22 UTC

Skorpionm

+360 -11

# What's new - SubGhz: fix frequency reset on incomplete exit from the transm…ission menu - SubGhz: fix incorrect shutdown of CC1101 if it was not turned on - SubGhz: consciousness and transmission support Security+ 1.0 - Unit_test: add test encoder Security+ 1.0 # Verification - Сompile and flash, create a new LiftMaster and test the emulation # Checklist (For Reviewer) - [ ] PR has description of feature/bug or link to Confluence/Jira task - [ ] Description contains actions to verify feature/bugfix - [ ] I've built this code, uploaded it to the device and verified feature/bugfix

punker_817 · May 26, 2022, 6:53pm

Thank you I can confirm the Sec+ 1.0 works with adding a new door opener using this firmware