
Cloning a rolling code remote - Flipper Zero

Summary

This guide will show you how to clone an existing ATA PTX4 garage remote control running the KeeLoq cipher with a Flipper Zero. This remote is not supported by default on any Flipper Zero firmware that I'm aware of. Most rolling code remotes that are supported on the Flipper Zero involve creating an essentially blank remote control and then manually pairing it with the garage door opener, thereby making an additional remote control.

In this guide I will clone an existing remote without ever having to pair it to the garage door controller. This in itself is quite a scary prospect, as it could be performed remotely without needing physical access to the garage door controller. This means anyone with the right equipment (a Flipper Zero and a computer) who is close enough to read two remote control signals could also potentially perform this attack.

💡 DON'T TRY THIS ON EQUIPMENT YOU DON'T OWN!!!

💡 THIS WAS FOR RESEARCH PURPOSES, I'M NOT LIABLE IF YOU DO CRIMES AND GO TO JAIL!!!

💡 VERY LIKELY YOU CAN DESYNCHRONISE YOUR EXISTING REMOTE CONTROL BY DOING THIS, IF YOU PUSH THE BUTTON ON THE FLIPPER ENOUGH TIMES!!!

Pre-requisites

Firmware

I completed this guide using Momentum Dev firmware version 3ef28382. Other firmwares may work, but I have definitely had previous versions of Momentum that didn't, so I would recommend you use this one.

Compatible Garage Door Controller

I'm not exactly sure what the complete list is; it's a combination of whatever is supported on the Flipper Zero and whatever can be decrypted using the Kaiju website. For more information check both the Momentum firmware repository and the supported device list on Kaiju: Kaiju - Supported Gate Openers.

Obtaining the device key

By default, Flipper Zero does not know how to interpret the data from this particular remote as it doesn’t know the device key to decrypt it. The first step is to capture a press of the remote-control button that you wish to clone.

Capturing the signal

  1. Click on the center button on the Flipper Zero to bring up the main menu. Then navigate to and select the Sub-GHz menu option.
  2. Select Read; do not select Read RAW.
  3. Once you are in the Read menu, press the Left arrow to load the Config.
  4. Ensure your options are set the same as below. You may need to change the frequency depending on your location. You can search Google for more information, or use the frequency scanner on the Flipper to find out what frequency is actually in use.
  5. Once you have confirmed your settings are correct, press the Back Arrow button to return to the main Read menu.
  6. Now, while in the Read menu, push the button on the garage remote control. Make sure you are close to the garage remote control; the built-in antenna for Sub-GHz on the Flipper Zero doesn't have great range.
  7. You should see that a signal has been captured. The first two letters, KL, indicate that the Flipper Zero has detected a KeeLoq signal. However, after that we see Unknown, indicating it doesn't know how to decode this signal.
  8. Click on the middle button to see further details about the captured signal.
  9. Push the Right Arrow to Save the signal. Give the signal a meaningful name, then click on Save.

Decrypting the Signal

  1. Now that the signal has been saved, plug the Flipper Zero into the computer and transfer the file to the computer, either using qFlipper or by removing the SD card and manually copying off the file.
  2. Here is where the real magic happens. Navigate to https://rolling.pandwarf.com/account/signup/ and create an account.
  3. Once signed up and logged in, go to AnalyseIQ/Flipper Zero, then click on the FLIPPER-ZERO button at the top.
  4. Now click on Choose file, select the capture file from before, then click on the search button.
  5. You should see something similar to the below. Click on Task results.
  6. Scroll down until you see the Remote Information field. The value we are interested in here is the Device key (Hex). Copy this value.

Cloning the remote

OK, so now we have the device key, which we can use to allow the Flipper Zero to automatically decode future captures of this remote. First, we need to transfer it to the Flipper Zero.

Adding the device key

  1. Either mount the SD card from your Flipper Zero or just use the qFlipper application. For this example, I'll be using the qFlipper application.
  2. Connect your Flipper Zero to the computer and, using the File Manager feature of qFlipper, navigate to SD Card/subghz/assets. Right click on the keeloq_mfcodes_user.example file and select Download.
  3. Open this file in an editor like Notepad++. This is required because a standard editor will not show us the line endings (CR/LF or LF). In Notepad++ go to the View menu, then Show Symbol, and ensure that the option Show End of Line is selected.
  4. It should look like the one below.
  5. Now we just modify one of the example lines as shown below. The first value is the device key that we got earlier. This is followed by the value 1, and the last value is what you want to call the device key; this can be anything. Make sure, as described in the file itself, that you have an empty line at the bottom (line 16 in the example). The second example line can be deleted.
  6. Now we need to change the line endings to CR/LF. In Notepad++ select Edit → EOL Conversion → Windows (CR LF).
  7. The file should look like the one below. We can now save the file.
  8. Now we need to rename the file to keeloq_mfcodes_user instead of keeloq_mfcodes_user.example. Then we simply upload it to the same SD Card/subghz/assets/ folder that we used before. It should look like below once it has been done.
  9. Now we need to reboot the Flipper Zero. If the signal still isn't decoded after a reboot, try a Power OFF and Power ON.

Decoding a signal

  1. Click on the center button on the Flipper Zero to bring up the main menu. Then navigate to and select the Sub-GHz menu option.
  2. Select Read; do not select Read RAW.
  3. The Flipper Zero should now be ready to read the signal.
  4. Push the button on the remote control. You should see that the recently captured code now has the text Test234 beside it, which is the same name that was put into the keeloq_mfcodes_user file for the device key.
  5. Select this capture by pressing the Middle button on the Flipper Zero. It should look somewhat similar to the capture below.
  6. Now we can push the Middle button to send the signal. It may take a press or two, but it should activate the garage door. You should also see the values update after each press.
  7. From here you can save the remote and continue to use it; however, the original remote will almost certainly eventually get out of sync, and you would have to pair it to the garage again or push it a bunch of times.
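Why the original remote falls behind once the clone has been pressed, shown as an added model (not code from this guide, the Flipper firmware or the Kaiju service) of a KeeLoq-style decoder's synchronisation windows. The 16-bit counter, the 16-code open window and the 32768-code two-press resync window are the typical KeeLoq decoder values and are assumed here as parameters.

```python
MODULUS = 1 << 16        # KeeLoq sync counter is 16 bits
OPEN_WINDOW = 16         # assumed single-operation window: accepted outright
RESYNC_WINDOW = 32768    # assumed resync window: two consecutive codes needed


class Remote:
    """Transmitter: only its counter matters for synchronisation."""
    def __init__(self, counter):
        self.counter = counter

    def press(self):
        self.counter = (self.counter + 1) % MODULUS
        return self.counter


class Receiver:
    """Decoder: remembers the last accepted counter for one learned remote."""
    def __init__(self, last_counter):
        self.last = last_counter
        self.pending = None  # first code seen inside the resync window

    def receive(self, ctr):
        delta = (ctr - self.last) % MODULUS   # a counter behind us wraps to a huge delta
        if delta == 0:                        # replay of the last accepted code
            self.pending = None
            return "rejected"
        if delta <= OPEN_WINDOW:
            self.last, self.pending = ctr, None
            return "accepted"
        if delta <= RESYNC_WINDOW:
            if self.pending is not None and ctr == (self.pending + 1) % MODULUS:
                self.last, self.pending = ctr, None
                return "resynced"             # two consecutive codes re-open the door
            self.pending = ctr
            return "pending-resync"           # door stays shut, waiting for the next code
        self.pending = None
        return "rejected"                     # outside both windows, i.e. behind the receiver


def original_after_clone(clone_presses, start=100):
    """Clone and original start on the same counter (the clone copied it).
    Press the clone, then press the original until the door opens again;
    returns the receiver's verdict for every original press."""
    original, clone, rx = Remote(start), Remote(start), Receiver(start)
    for _ in range(clone_presses):
        rx.receive(clone.press())
    verdicts = []
    while not verdicts or verdicts[-1] not in ("accepted", "resynced"):
        verdicts.append(rx.receive(original.press()))
    return verdicts
```

Every clone press moves the receiver's counter one step past the original, so the original is rejected until it has been pressed more times than the clone was, which is the "push it a bunch of times" recovery described above.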