Great Scott! Software Defined Radio!

I come from a long line of radio engineers (my father’s brother, his father before him, and before that they hadn’t invented radios, so they were just normal engineers). I’m even licensed as a hamateur radio operator, KF5NJG. However, I’ve never operated on my own, seeing as I have never had a radio.

This has changed – for my birthday I received a HackRF One software-defined radio.

I could do an unboxing video. But I already unboxed it, and if the coolest thing about something is taking it out of the box, you need cooler things. Or a cat.

So, following Michael Ossmann’s great SDR tutorials, I decided to decode my apartment’s gate-opening code (as part of the homework for one of his tutorial videos).

The first step was to check the FCC database. Apparently the FCC stores the frequency that basically every device operates on; here is the entry for my garage remote.

So, it’s licensed at 318MHz. Time to go look at what’s there.

With a little bit of GNU Radio Companion-fu, I managed to dump an amplitude-modulated waveform the gate remote was transmitting:

That’s all the code required to capture the complex (I and Q) samples from the HackRF One and do two things: 1) send them to an FFT plot and 2) extract the amplitude modulation and send it to an oscilloscope-like plot.

With some speedy clicking and some luck, I managed to freeze the scope frame on a single packet that the remote was transmitting (it continuously transmits while you hold the button, making it easier):

You’ll note that in the scope on top you can see the end of the first packet, a second packet, and then the start of a third packet. The packets repeat roughly every 70ms.

The user’s manual for this device (also from the FCC website) advertises a 16-bit fixed code per remote, plus a 4-bit “facility code”. The question is how these are encoded in the scope signal.

On the back of my remote is printed, fairly prominently, “FC001 SN03286”, which (and here’s the leap of faith) *could* mean “serial number 3286”.

If you want to try to decode the waveform, now’s your chance! I’m about to spoil it!

From the leap of faith, and a little trial-and-error, the scheme I came up with is that the packet is divided into roughly 3ms bittimes. Each bittime starts and ends low (off), and contains a ~1ms pulse either at the start or the end of the bittime, indicating a 0 or a 1, respectively.

If you do that, this is how you can partition the bits:

…and there’s a match: 0000’1100’1101’0110 = 3286, the serial number printed on the back. (And the first 4 bits are 0001, which equals the “FC001” printed next to the serial number.)
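The scheme above as an added example, not code from the original post: it builds a constructed on/off envelope for a bit string, locates the pulses, tries both possible bit-grid alignments (first pulse early or late), discards any alignment that puts two pulses in one bittime or leaves one empty, and parses the 4-bit facility code and 16-bit serial. The sample rate, the GUARD low period at each bittime edge, and all function names are assumptions.

```python
# Added example, not from the original post: decode the pulse-position scheme
# above from an on/off envelope. GUARD is an assumed low period at each bittime edge.
BIT_TIME, PULSE, GUARD = 3e-3, 1e-3, 0.25e-3   # seconds, per the post (GUARD assumed)

def _counts(fs):
    return tuple(int(round(t * fs)) for t in (BIT_TIME, PULSE, GUARD))

def envelope_for_bits(bits, fs, idle=10):
    """Constructed test input: an on/off amplitude envelope for a bit string."""
    n, p, g = _counts(fs)
    env = [0.0] * idle
    for b in bits:
        bt = [0.0] * n
        start = g if b == "0" else n - g - p   # pulse at the start (0) or end (1)
        bt[start:start + p] = [1.0] * p
        env.extend(bt)
    return env

def pulses(env, threshold=0.5, min_width=1):
    """(start_sample, width) of each pulse above threshold; drops narrow glitches."""
    found, on, start = [], False, 0
    for i, a in enumerate(env + [0.0]):        # sentinel closes a trailing pulse
        if not on and a > threshold:
            on, start = True, i
        elif on and a <= threshold:
            on = False
            if i - start >= min_width:
                found.append((start, i - start))
    return found

def decode_packet(env, fs, threshold=0.5):
    """Try both bit-grid origins (first bit 0 or 1); return every consistent decoding.
    Some patterns leave both valid, hence the post's check against the printed serial."""
    n, p, g = _counts(fs)
    found = pulses(env, threshold, min_width=p // 2)
    results = []
    for offset in (g, n - g - p) if found else ():
        origin, bits = found[0][0] - offset, {}
        for start, _ in found:
            idx, pos = divmod(start - origin, n)
            if idx in bits:                     # two pulses in one bittime
                break
            bits[idx] = "0" if pos < n // 2 else "1"
        else:
            if len(bits) == max(bits) + 1:      # every bittime carried a pulse
                results.append("".join(bits[i] for i in range(len(bits))))
    return results

def parse_fields(bits):
    """Split a 20-bit packet into the 4-bit facility code and 16-bit serial number."""
    return int(bits[:4], 2), int(bits[4:], 2)
```

Running it on the packet from the post, only the alignment matching the label survives; an all-zero packet, by contrast, decodes ambiguously and needs the printed serial to settle it.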

I haven’t tried to replay the data to open the gate yet, or sit out by the gate and record everybody’s gate codes, but that’s just a matter of time.
