Reverse Engineering my RF Gate Opener to Create an Arduino Clone.

I watched an excellent YouTube video by hardware hacker Samy Kamkar, who reverse engineered his friend’s remote-controlled doorbell to see if he could pull a ding-dong-ditch from afar. I decided to try it myself, but to open my gate. Could I reverse engineer my gate code and trigger it to open using an Arduino and a cheap RF module? I gave it a shot and sure enough, it worked like magic.

In the following post I will retrace my steps (in a general overview) as I:

  • Recorded my original gate code from my gate opener using SDRSharp and a cheap SDR dongle.
  • Measured, in Audacity, the bit timing of the digital data captured with SDRSharp from the original remote.
  • Flashed a modified version of Samy’s Arduino sketch, with the new timings, to my ATtiny85.
  • Added a few other passive components and housed it all in an old case.

1) Discovering the radio frequency of my original gate remote.

This is actually really interesting. I first figured it out by popping open the original remote and discovering the number “HD R295M” printed on the SAW resonator. That was enough to know that it transmits on 295MHz; the resonator is what sets the circuit’s RF frequency. You can also look up the device by the FCC ID located on the back of the remote, as seen in the image above. All commercial RF devices sold in the US are required to submit public record documentation to the FCC that includes the frequency they transmit on. You can find other info too, like the schematic and images of the opened device. You can use this website: http://fcc.io/ to assist in looking up FCC IDs. Here is a link to the documentation about my particular gate opener: link to the FCC page for my remote device. Reading through the submitted documentation confirms that this device transmits RF on 295MHz. From here I can tune SDRSharp to 295MHz AM and capture the digital data that is sent.

2) Recording the digital data from the original gate opener using SDRSharp.

I just tuned in to 295MHz, pressed “play” in SDRSharp and started watching while triggering the remote. After seeing where the exact frequency showed up, I clicked “AM” to change the demodulation mode (on the left panel) and moved the tuning marker to where the signal sits in the SDRSharp bandwidth viewer so I could better hear it (the signal is usually a little off-target, so you need to adjust the frequency; this one fell at about 295.076 MHz).

Notice the left panel recording options in the image above. Very basic: I just hit record, pressed the gate opener button, and when you press stop it dumps two audio files into the SDRSharp directory. I’m only interested in the file ending in “…_AF.wav”.

3) Import the audio file into Audacity or any audio editing software to reverse engineer the data.

I won’t go into detail in this part because that’s what Samy’s video is for. But I went ahead and imported the audio capture into Audacity, snipped off the unwanted parts of the .wav file, moved the audio so the first bit starts at “0.000”, zoomed way in and started measuring the timing of the ON/OFF digital data signals, as seen in the image above. I spent a good amount of time checking and rechecking my measurements as I wrote them down in seconds. My measurements look something like this: “.0000, .0051, .0102, .0178, …” and so on, noting the rising edge of each bit when it occurred, with a “bit period” of about 800 microseconds. There are 30 bits of data (not including the off bits) transmitted in one button press from my particular gate remote, so I ended up with 30 numbers to eventually add to Samy’s sketch. His sketch calculates all of the off bits based on the position of the on bits. It’s a great piece of code.

4) Prepare the RF module / ATtiny85.

From here I went ahead and desoldered the 295MHz SAW resonator from the original remote. It’s almost impossible to find this resonator value on the web, so I reused it to replace the 315MHz resonator on a cheap 315MHz RF module purchased on Amazon, which is easy to find. I also went ahead and prepared an Arduino Uno to use as a programmer for the ATtiny85. You can use any microcontroller for this, but I went with the smallest one I had. The original used an 8 pin PIC. Check out the schematic found on the FCC site to see exactly what components were used.

You can find plenty of info on the web on how to program an ATtiny85 so I won’t touch on it here. Programming the ATtiny85 is always simpler than you remember… Also, notice that I went with an external 16kHz crystal. I have plenty of them and decided I might as well. It will help improve the performance of the clock when sending digital data to the RF module. The original remote did not use one so I probably didn’t need to either.

With everything ready to go, I just needed to update/upload the Arduino sketch.

5) Prepare/upload Samy’s Arduino sketch to the ATtiny85.

Samy’s original sketch can be found here: https://github.com/samyk/dingdong/blob/master/doorbell-no-fona.ino. I didn’t do much else to it other than add the bit timings gathered in step #3 above. Here is the final code I used:

// more details at http://samy.pl/dingdong

#define led 1

#define TX_PIN 0
#define BIT_PERIOD 800   // width of each "1" pulse in microseconds
#define TIMES 30         // number of "1" bits in one button press

// rising edge of each "1" bit, in seconds, as measured in Audacity
float times[TIMES] = {
 .0000, .0051, .0102, .0178, .0204, .02550, .0305, .0356, .0432, .0482,  
 .0534, .05591, .0610, .0661, .0712, .0788, .0839, .0890, .0915, .09665,
 .1017, .1093, .1142, .1170, .1246, .12715, .13475, .13985, .1424, .15005
};

void setup() {
  pinMode(TX_PIN, OUTPUT);
  pinMode(led, OUTPUT);
}

void open_gate()
{
  // unsigned long rather than int: an AVR int is 16-bit and overflows
  // above 32767 us, while the last edge here sits at 150050 us
  unsigned long last = 0;

  // go through each "1" bit
  for (int i = 0; i < TIMES; i++)
  {
    // calculate microseconds (us), rounded to the nearest microsecond
    unsigned long us = (unsigned long)(times[i] * 1000000.0f + 0.5f);

    // wait out the "0" bits between the previous pulse and this one
    if (i != 0)
      delayMicroseconds(us - last - BIT_PERIOD);

    // send a "1" for our BIT_PERIOD which is around 700-800us 
    digitalWrite(TX_PIN, HIGH);
    delayMicroseconds(BIT_PERIOD);
    digitalWrite(TX_PIN, LOW);

    last = us;
  }
  delay(20);
}

/**
 * Resend the gate code for as long as the ATtiny85 (or any Arduino)
 * is powered: a 20 ms gap after each burst, then a short LED blink.
 */
void loop() {

  open_gate();
  delay(10);
  digitalWrite(led, HIGH);
  delay(10);
  digitalWrite(led, LOW);

}

I flashed that to the ATtiny85 using the Arduino IDE and connected the RF module to pin “0”:

6) Wire the RF Module to the ATtiny85, open SDRSharp, tune into 295MHz, record a sample and compare it to the original waveform.

Simple as that. After flashing the sketch to the new ATtiny85 chip, I wired up the RF module and recorded the new RF signal in SDRSharp exactly as I did in step 2. I then brought the new recording into Audacity, snipped off the unneeded parts of the waveform and lined it up with the original signal captured from the original remote to compare them. It lined up OK, but notice that as time progresses the original waveform falls behind (original waveform on top):

I’m thinking that this is because the ATtiny85 version I just built is using that 16kHz crystal which is actually keeping better time than the original remote – which lacked an external crystal clock. So I’m thinking it’s a good thing.
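The timing analysis from step 3 and the capture comparison from step 6 can both be done in code rather than by eye. The C++ snippet below is an added example, not code from the post or from Samy’s project: it takes the 30 rising-edge timestamps from the sketch above, snaps every edge-to-edge interval to a common slot length, renders the frame as a slot-level bit string, and reports the worst timing deviation, which is the number to watch when lining up a clone’s capture against the original. The slot-estimation method (shortest interval as a first guess, then a least-squares refinement) is my own assumption; it shows that this remote’s pulses sit on slots of roughly 2.5 ms, a detail the 800 µs pulse width alone does not convey.

```cpp
#include <algorithm>
#include <cmath>
#include <string>
#include <vector>

// Rising-edge times (seconds) as measured in Audacity; copied from the sketch above.
static const std::vector<double> kEdges = {
    .0000, .0051, .0102, .0178, .0204, .02550, .0305, .0356, .0432, .0482,
    .0534, .05591, .0610, .0661, .0712, .0788, .0839, .0890, .0915, .09665,
    .1017, .1093, .1142, .1170, .1246, .12715, .13475, .13985, .1424, .15005};

// Edge-to-edge intervals in microseconds.
std::vector<double> intervals_us(const std::vector<double>& edges) {
    std::vector<double> out;
    for (std::size_t i = 1; i < edges.size(); ++i)
        out.push_back((edges[i] - edges[i - 1]) * 1e6);
    return out;
}

// Estimate the slot length (assumed method): start from the shortest interval,
// snap every interval to whole slots, then refine as total time / total slots.
double slot_us(const std::vector<double>& iv) {
    double unit = *std::min_element(iv.begin(), iv.end());
    double total = 0, slots = 0;
    for (double d : iv) { total += d; slots += std::round(d / unit); }
    return total / slots;
}

// How many slots each interval spans (1, 2 or 3 for this remote).
std::vector<int> slot_counts(const std::vector<double>& iv, double unit) {
    std::vector<int> out;
    for (double d : iv) out.push_back(static_cast<int>(std::round(d / unit)));
    return out;
}

// Largest deviation (us) of any interval from its snapped value: the jitter
// or drift figure to compare between the original and the clone capture.
double max_error_us(const std::vector<double>& iv, double unit) {
    double worst = 0;
    for (double d : iv)
        worst = std::max(worst, std::fabs(d - std::round(d / unit) * unit));
    return worst;
}

// Frame at slot resolution: '1' for a slot that starts with a pulse, '0' for
// an empty slot, followed by the final pulse.
std::string slot_bits(const std::vector<int>& counts) {
    std::string bits;
    for (int n : counts) bits += '1' + std::string(n - 1, '0');
    return bits + '1';
}
```

Running it on a second capture and comparing `max_error_us` (and the slot length) between the two is a quicker check for the drift seen in the overlaid waveforms than eyeballing Audacity.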

I took it outside for a test run and it worked great!

Here’s a final version, with an RF transmit module, a 9v battery, a 3.3v regulator, a button (that closes the circuit) and an LED – wrapped up in an old plastic case (Note: according to the datasheet, the ATtiny85 should be powered at 5v when using an external 16kHz crystal, but I only had the 3.3v regulator on hand and it seems to work fine):

Holding down the button closes the circuit, juicing up the ATtiny85, triggering the code and transmitting it at 295MHz RF every 20 milliseconds.

Conclusion.

Other than waiting for the cheap RF transmitter to arrive in the mail, the whole project took a couple of hours to complete. I highly recommend trying it out.

I really enjoy learning about radio communication and how so many of our devices that use RF use it to communicate digitally in a similar manner. Do note: this method won’t work on devices that use “rolling codes” and other security tactics. There are laws about RF transmitters and this sort of thing so be wise.
