CarTeck Drive 600 Garage Door

M3r · August 25, 2022, 8:48am

Model: CarTeck Drive 600

I’m trying to capture the signal from my remote control to my garage door but it wont seem capture anything for any of the possible ranges.

However, if I use the Frequency analyzer tool it will show as 868,349 MHz whenever I press a button. See image:

When reading RAW, and setting the frequency to 868,35 and modulation to AM650, and pressing record - now when I press any of the buttons on the remote control, it will record it.

Why doesn’t the regular Sub-GHz read feature, using the same frequency and modulation, capture anything?

See teardown photos of the remote PCB, garage door motor PCB etc:

I’ve also attached the Sub-GHz RAW capture whilst pressing a button three times:
Raw_signal_1.sub (174 Bytes)

SkorP · August 25, 2022, 10:33am

set the frequency to 868.35 and the modulation to FM476. and check Read

M3r · August 25, 2022, 11:45am

It didn’t record anything, neither in RAW or regular read.

SkorP · August 25, 2022, 12:02pm

try again on FM

M3r · August 25, 2022, 12:03pm

Do you want me to try FM476 again?

M3r · August 25, 2022, 12:08pm

I tested multiple attempts (10+) for all of the modulations (AM270, AM650, FM238, FM476) both in RAW and regular read mode. However, only in RAW am I able to capture some spikes using AM650 and 868,35 MHz.

M3r · August 25, 2022, 12:49pm

After reading multiple documents, some in Swedish, all appear to refer to the frequency and technology of: SOMloq2 (FM 868,95MHz).

Also, although I’m trying to hijack/“steal” the signal of my remote control, perhaps I have to tell the receiver to accept my Flipper? Cause even if I replay the signal that I caught in RAW using 868,35 MHz and AM650 it wont open or close the door.

SkorP · August 25, 2022, 2:25pm

so the frequency must be set to 868.95.

M3r · August 25, 2022, 3:29pm

It looks like it, however, I cannot see that frequency in the options. Also, isn’t it odd that the frequency analyzer registers 868,349 MHz in that case then?

Spildit · August 25, 2022, 7:29pm

Frequency analyzer uses the setting_user file to get the frequency to scan for, so if you don’t add it up to setting_user the analyzer will not display it correctly as well.

Does this help ?

M3r · August 26, 2022, 6:16am

Thanks @Spildit! I added Frequency: 868950000 and attempted frequency analyzer again, it now says its 868,949 and quickly changes over to 868,890 and again quickly into 868,790.

I attempted to read the signal from the garage remote control again, I set the frequency to the added 868,95 and modulation to FM476 as previously suggested, it did not register any keypresses at all. So I checked all the other modulations and the one that did work was AM270 - which is indeed very odd considering the information that I’ve read is that it uses FM 868,95 and @SkorP also suggested using FM476. Whats even more odd is that the information the Flipper registered from the reading seem to hint FM476 as well, look at line “MF:Sommer(fsk476)” in this photo for example.

SkorP · August 26, 2022, 6:43am

the tult that I analyzed was on FM. the label needs to be corrected. everyone does who cares what

M3r · August 26, 2022, 7:28am

I didn’t quite understand what you wrote. Do you mean that the information FM 868,95 is incorrect and should be corrected to AM 868,95?

SkorP · August 26, 2022, 7:53am

no, not on AM there are remotes working on FM modulation

M3r · August 26, 2022, 10:14am

In my case, which contradicts that, is that my remote seem to be working on frequency 868,95, modulation AM270.

Spildit · August 26, 2022, 7:23pm

I think that what @SkorP was trying to say is that each manufacturer do what he wants so you have protocol as one thing, frequency as another and modulation as another meaning that they don’t depend on each other, you can have the same protocol working on diferent frequency and modulation, the case that was analyzed by @SkorP was most likely the same protocol on another modulation…

AS EXAMPLE ONLY :

Same KeeLoq on another frequency/modulation. This one if from a tobbaco vending machine unlocker devive. By norm this is ROLLING CODE so you will not be able to save/send for security reason and to avoid de-sincronization with the original remote. I can’t help you any further as that would be against the rules of this forum. My tobaco machine is a rare case that do accept a reply of the same rolling code but it wouldn’t work on you case anyway as it’s expected to be a secure lock/remote…

What needs to be corrected is the (fsk476) info on your flipper screen capture/photo.

Rosso_Demarchi · June 28, 2023, 11:00pm

Hi there! I have the same remote: SOMMER TX55-868.
It seems to be somloq2 which i guess it’s just keeloq 128 AES (keeloq advanced or ultimate):

Do you think I could copy that remote with the flipper and use the flipper instead?
Or program it somehow and authorize it in the base station?
Have any other keeloq 128 been analyzed with the flipper?
This is the fob’s MCU documentation, the chip has an onboard transmitter capable of FSK and OOK modulation:

Also the specs of that fob mention 2 frequencies for somloq2: FM 868,8 MHz, FM 868,95 MHz

Rosso_Demarchi · June 29, 2023, 12:53am

I think what you are seeing there is channel hopping or bidirectional communication on those frequencies: FM 868,8 MHz, FM 868,95 MHz
That it works with AM modulation might be related to OOK.
Not sure though, just guessing.

Rosso_Demarchi · June 29, 2023, 8:51pm

So… What’s next how do you implement / add that somloq2 or keeloq 128 AES protocol in the flipper?
Any tutorial?
Is the next step to get the 128 bit manufacturer key?:

maqumih · June 30, 2023, 6:41pm

Implementing the protocol is a waste of time unless you have the manufacturer key, so the ordering you suggested is questionable.
And I’d recommend you not to crosspost.