Copying a fob that uses IR

Hey,

I had a fob that uses IR to open doors and it looks something like this
https://fastfobs.ca/images/Unable/IR_REMOTE.jpg

It uses a button press to open the door. I tried copying it with the Learn New Remote feature on the Flipper Zero. I was able to read and save the signal, but when I tried to replay it back on my door it wouldn't open.

I also noticed that every time I tried to read from the fob I would get a different number of samples; for example, sometimes it would say 51 samples, then I would read it again and it would say 135, 201, etc. Not sure if that affects anything.

Would anyone be able to help with this issue?

Thanks

I don't know if there is an IR with a kind of rolling code.
I would start by pressing a little longer and comparing the raw data to get patterns. Then try to calculate the non-pattern part.

2 Likes

I'm pretty sure it isn't a rolling code. I just went to someone who copies fobs and handed him my existing fob. He copied it and handed me a similar-looking fob that also has a button in the middle. I tried the newly copied fob on my door and it worked once, then I tried it again and it didn't work. I then used the original fob and the door was opened. The strange thing is that the Flipper Zero cannot read this newly copied fob either, but it still reads the original one.

What kinds of patterns would I be looking for?

I saved a few after reading it a couple times and exported the file. It looks something like this

Filetype: IR signals file
Version: 1
# 
name: 1
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 71 3785 87 3745 135 3729 135 3770 72 3790 77 3784 82 3747 134 3784 81 675 84 3019 138 3726 137 658 82 3055 86 3785 73 3748 138 3803 73 3748 137 657 84 3077 82 3786 75 3748 137 3768 75 3784 83 3744 136 661 78 3058 83 3745 136 3781 86 3780 81 3749 131 3732 132 3777 62 3793 75 7681 83 11497 130 7633 128 3768 78 3751 130 3800 80 19263 91
# 
name: 2
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 80 3782 80 3750 129 7629 81 3752 126 3737 91 7686 78 647 127 3046 74 7652 91 15428 73 7674 90 7666 80 3786 75 11546 81 3807 70 3791 75 3789 71 3797 65 3789 81 3782 81 3748 130 661 80 3027 130 3786 80 3784 78 3783 81 677 81 3062 74 3789 75 3749 135 3764 81 684 67 3066 76 3838 82 3743 138 3767 75 3793 66 3750 139 3767 72 687 70 3069 68 3783 139 4501 139 3043 72 7611 139 3774 64 3791 74 688 67 3826 73 3064 77 3817 78 3787 73 15380 72 7653 77 3764 138 3758 139 3771 66 644 139 6908 69 3748 138 619 139 3000 138 3724 138 664 70 3088 72 3793 68 3796 66 7661 65 3794 69 3829 68 3794 69 3816 66 7612 140 3722 141 11450 138 7686 70 15419 66 3750 138 4480 140 2999 139 7688 67 7659 67 3797 66 4551 70 3827 68 3070 69 3814 67 643 140 2999 140 3770 68 7612 139 7618 141 666 67
# 
name: 3
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 144 7583 143 3719 143 12202 145
# 
name: 233samples
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 141 3723 140 3723 140 3774 64 3796 68 7654 78 3790 68 3813 70 687 72 3064 79 4544 75 6929 71 3791 73 689 66 7688 79 3082 75 3789 73 7612 138 3767 76 3786 77 682 75 3060 82 3786 72 3812 70 7654 76 7653 72 3748 139 4529 67 3068 75 3810 70 3748 140 7666 70 3798 65 3793 72 4550 70 3067 72 688 68 3091 68 3795 68 7613 139 7631 72 688 68 3825 75 3066 70 4570 71 6932 70 3795 68 3748 140 4526 71 3825 73 3064 78 7684 71 3749 138 3725 138 3770 68 7613 139 3767 74 3766 137 621 137 6908 70 644 138 3041 78 3788 72 3748 137 659 81 3062 74 3792 67 689 70 3087 74 3790 73 3749 136 3768 71 3791 75 3783 83 642 132 3042 78 3748 134 3786 79 3749 131 3769 75 3750 133 3731 131 3765 81 3785 73 649 129 3044 78 3769 132 3764 83 3789 65 3825 79 3787 70 3757 129 3769 74 684 75 3059 81 677 81 3078 81 3750 130 3770 72 3791 74 3793 67 3754 132 626 133 3040 81 679 78 3062 77 3770 130 627 132 3047 69 3792 74 3788 77 3750 133 3766 78 684 69 3064 79 641 136 3044 73

There are rolling code IR transmitters also for some older car types, but you would need more information on the devices/specifications to look into emulating them.

Found more information about this fob, if it helps :slight_smile:

Key Features:

  • Transmitter comes in standard 26 bit wiegand format.
  • Each transmitter has its own unique code.
  • All codes are factory programmed – cannot be compromised!
  • 8′ to 50′ range.
  • Individual transmitter codes can be easily added or deleted from any access control system.
  • Infrared technology increases security by eliminating the phantom door openings associated with radio frequency systems.
  • Confidential proprietary OEM wiegand bit formats available.
  • Transmitters available in black color.
  • Designed for indoor or outdoor use.
1 Like

That should be a good lead.

1 Like

also might help, seems to be possible

I would start with the flipper_toolbox → ir_plot.py

Save your file at ~/ir_fob.ir and do:

$ mkdir ~/git && cd ~/git
$ git clone https://github.com/evilpete/flipper_toolbox/
$ ./flipper_toolbox/ir_plot.py -f ~/ir_fob.ir

Unfortunately I don't know what Button 1, 2, 3 and 4 are. Have you captured the same button 4 times with different lengths? Are there 4 buttons on the remote?
When I take a look at the plots, the second one seems to have happened.

But a look at the protocol from the last two answers can lead to the answer, as well.

I haven't found what frequency is used by the Wiegand protocol/remote. A limitation of the Flipper is the fixed frequency. It can't read, for example, a Beolab 4000 remote (from Bang & Olufsen), operating at a frequency of 4xx MHz.

2 Likes

Hey! Thanks for the detailed response. I'll run the commands once I get to my computer.

Yes, I captured the same button 4 times because each time gave a different number of samples. I'm guessing it has something to do with capturing RAW. When I tried it on my fan remote it would show NEC and an address.

1 Like

Yes, if the Flipper knows the protocol, it will interpret the signal and save the address/command.
If the Flipper does not know the protocol, it will save the RAW signal. The RAW signal will be a bunch of numbers that represent the time between a change from 0 to 1 or 1 to 0.

But if the timing does not match, the signal will be captured a bit broken.
In a nutshell, the signal won't be transferred as light/no light; it will be 'written on a frequency'. But in raw, disturbing interference could change the signal, too. If you capture the signal, take care to have as few other signals as possible. Even the sun or a candle can corrupt the signal.

1 Like

Thanks for the repo, did not play with that one yet.

2 Likes

That’s an excellent point. You don’t want any interference if you can help it. I’ve turned off the lights before and once I even put everything under a pillow. lol

1 Like

This script was the base repo for my project: Flipper-IRDB to SQLite3 - #5 by LupusE … The plotter is genius, but the math behind it is somewhat complicated. So I started all over and tried to write it a little more self-explanatory.

US8358783B2 - Secure wiegand communications - Google Patents has an interesting chart about timings.
As far as I could read, the Wiegand protocol can be adapted via RFID, IR and even TCP.
The Facility Code and the Card Code should be identical with every key press. The press should be around 3 seconds. If the command repeats (more than 1 line in the plotter, with a repeating signal pattern), we can go deeper in the analysis. If for 4 key presses 4 different patterns appear, an easy analysis is nearly impossible.
Maybe possible, if someone could clean the signal. Not in my skill set, right now.

1 Like

I am about to build a house, so my time is limited right now. But as I already wrote some scripts, I'll give it a shot.

The base for this analysis is my temporary script from FlipperMgmt/convet_test.py at main · LupusE/FlipperMgmt · GitHub

The objective is to create a SQL Database for further analysis, so the output is based on that. I have not cleaned it here:

CREATE TABLE IF NOT EXISTS rawdata (btnname,splitvalue,cmdpart,cmdsequence,cmdrepeat,md5hash);
CREATE TABLE IF NOT EXISTS rawheader (divisor,maxdivident,md5hash);
CREATE TABLE IF NOT EXISTS rawmeta (btnname,splitvalues,md5hash);
Getting header and buttons for database /home/lupus/git/FlipperMgmt/flipper_irdblite.db
Count of files to process:  1
INSERT INTO rawdata VALUES ('1', '310', '[1, 61, 1, 60, 2, 60, 2, 60, 1, 61, 1, 61, 1, 60, 2, 61, 1, 10, 1, 48, 2, 60, 2, 10, 1, 49, 1, 61, 1, 60, 2, 61, 1, 60, 2, 10, 1, 49, 1, 61, 1, 60, 2, 60, 1, 61, 1, 60, 2, 10, 1, 49, 1, 60, 2, 60, 1, 60, 1, 60, 2, 60, 2, 60, 1, 61, 1, 123, 1, 185, 2, 123, 2, 60, 1, 60, 2, 61, 1]', '0', '0', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawdata VALUES ('1', '310', '[1]', '1', '0', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawheader VALUES ('62', '241.93548387096774', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawmeta VALUES ('1', '[310]', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawdata VALUES ('2', '241', '[1, 59, 1, 58, 2, 119, 1, 58, 1, 58, 1, 120, 1, 10, 1, 47, 1, 119, 1]', '0', '0', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawdata VALUES ('2', '240', '[1, 119, 1, 119, 1, 59, 1, 180, 1, 59, 1, 59, 1, 59, 1, 59, 1, 59, 1, 59, 1, 58, 2, 10, 1, 47, 2, 59, 1, 59, 1, 59, 1, 10, 1, 47, 1, 59, 1, 58, 2, 58, 1, 10, 1, 47, 1, 59, 1, 58, 2, 58, 1, 59, 1, 58, 2, 58, 1, 10, 1, 47, 1, 59, 2, 70, 2, 47, 1, 118, 2, 58, 1, 59, 1, 10, 1, 59, 1, 47, 1, 59, 1, 59, 1]', '1', '0', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawdata VALUES ('2', '240', '[1, 119, 1, 58, 2, 58, 2, 58, 1, 10, 2, 107, 1, 58, 2, 9, 2, 46, 2, 58, 2, 10, 1, 48, 1, 59, 1, 59, 1, 119, 1, 59, 1, 59, 1, 59, 1, 59, 1, 118, 2, 58, 2, 178, 2, 120, 1]', '2', '0', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawdata VALUES ('2', '240', '[1, 58, 2, 70, 2, 46, 2, 120, 1, 119, 1, 59, 1, 71, 1, 59, 1, 47, 1, 59, 1, 10, 2, 46, 2, 58, 1, 118, 2, 119, 2, 10, 1]', '3', '0', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawheader VALUES ('64', '234.375', '71cd14e50dfa4e5cc518ed58eca8dee3');
INSERT INTO rawmeta VALUES ('2', '[241, 240, 240]', '71cd14e50dfa4e5cc518ed58eca8dee3');

Interesting here are the lines INSERT INTO rawdata. The first value is the button name from your file. The second is the split, if a value is very high compared to the others, to find gaps that lead to a repeated signal.
My logic is not very mathematical: take the lowest number from the array, divide all values through that and convert to INT. So 1 is the base and the rest is [n] times that value.
(@jmr already gave a more accurate approach; I have not reviewed it yet. I have not forgotten, pal :wink: )

Your first sample got only one sequence; the second one seems to have got 4 repeats. On button name 3, the script killed itself … Needs further analysis.

First interesting detail: The Button 1 has a sequence [1, 60, …], the button 2 has [1, 59, …]. Very similar, maybe the same signal. At the first sight we can ignore the variance of up to 5.

Are we able to convert the sequence [1, 119, 1, 58, 2, 58, 2, 58, 1, 10, 2, 107, 1, 58, 2, 9, 2, 46, 2, 58, 2, 10, 1, 48, 1, 59, 1, 59, 1, 119, 1, 59, 1, 59, 1, 59, 1, 59, 1, 118, 2, 58, 2, 178, 2, 120, 1] to a usable format in @jmr's converter link? Is there any number printed on the remote (maybe under the battery) that can be recognized after the conversion?
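As an added worked example (not LupusE's script and not code from the thread), the following parses the Flipper "IR signals file" format quoted above and applies the normalisation described in this post: every timing is divided by the smallest timing and truncated to an integer, and the sequence is split wherever a gap exceeds 15000 / min, which is the assumed meaning of the "maxdivident" value in the rawheader rows (15000 / 62 = 241.935…). It reproduces the rawdata row for button 1 from the thread and also handles button 3, where no split occurs.

```python
# Added example: Flipper .ir raw parser plus LupusE-style normalisation.
# Assumption: the split threshold is 15000 us divided by the smallest timing.
from typing import Dict, List, Tuple

# Constructed input: buttons 1 and 3 copied from the .ir file posted in the thread.
IR_FILE = """Filetype: IR signals file
Version: 1
# 
name: 1
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 71 3785 87 3745 135 3729 135 3770 72 3790 77 3784 82 3747 134 3784 81 675 84 3019 138 3726 137 658 82 3055 86 3785 73 3748 138 3803 73 3748 137 657 84 3077 82 3786 75 3748 137 3768 75 3784 83 3744 136 661 78 3058 83 3745 136 3781 86 3780 81 3749 131 3732 132 3777 62 3793 75 7681 83 11497 130 7633 128 3768 78 3751 130 3800 80 19263 91
# 
name: 3
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 144 7583 143 3719 143 12202 145
"""

SPLIT_NUMERATOR_US = 15000  # assumed: a gap longer than 15 ms separates repeats


def parse_ir_file(text: str) -> Dict[str, List[int]]:
    """Return {button name: [timings in us]}; even indices are LED-on, odd are LED-off."""
    signals, name = {}, None
    for line in text.splitlines():
        if line.startswith("name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("data:") and name is not None:
            signals[name] = [int(v) for v in line.split(":", 1)[1].split()]
    return signals


def normalise(timings: List[int]) -> Tuple[int, float, List[List[int]], List[int]]:
    """Scale timings by their minimum and split on long gaps.

    Returns (divisor, maxdivident, chunks, split_values), matching the
    rawheader / rawdata / rawmeta columns of the thread's output."""
    divisor = min(timings)
    maxdivident = SPLIT_NUMERATOR_US / divisor
    chunks, current, splits = [], [], []
    for t in timings:
        n = int(t / divisor)          # truncate, as in "convert to INT"
        if n > maxdivident:           # long gap: end the current sequence
            chunks.append(current)
            splits.append(n)
            current = []
        else:
            current.append(n)
    chunks.append(current)            # a signal with no gap still yields one chunk
    return divisor, maxdivident, chunks, splits


def analyse(text: str) -> Dict[str, Tuple[int, float, List[List[int]], List[int]]]:
    return {name: normalise(t) for name, t in parse_ir_file(text).items()}


if __name__ == "__main__":
    for name, (div, maxd, chunks, splits) in analyse(IR_FILE).items():
        print(f"button {name}: divisor={div} maxdivident={maxd} splits={splits}")
        for i, chunk in enumerate(chunks):
            print(f"  sequence {i}: {chunk}")
```

Button 1 yields divisor 62, one split at 310 and the sequences [1, 61, 1, 60, …, 2, 61, 1] and [1] exactly as in the rawdata rows; button 3 yields a single sequence and no split instead of a crash.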

I unscrewed the fob and got something like this

There's a number here that is 35009.

I also opened up the second fob and that number was 43654, so this number on the white sticker is probably unique to each fob.

1 Like

@trance Were you ever able to successfully emulate the transmitter? I have the same one for my building and am looking to do the same.

I have not found a solution yet.

Not sure if @LupusE or @Sir_Fap_A_Lot could give another crack at it? :slight_smile:

We know a lot about this device. But I don’t want to scrap all information by myself.

I wish a clear state of both known remotes.
One dump with 4 times the same button.
One dump with one time every button.

So we’ll get 4 files
35009_Btn1-4_times.ir
35009_Btn1_to_4.ir

43654_Btn1-4_times.ir
43654_Btn1_to_4.ir

Maybe this will get us an insight about how the wiegand encoding is used here.

@LupusE let me see if I can provide some more information on the device. I am a novice at this, but have a strong technical background, so your insight is very useful.

First of all, there is only one button on the device. It is in the center of the unit. Below is a photo of the single button.

I've opened up the device as well. It's identical to @trance's fob on the outside, but the internals are from a different manufacturer. It looks like mine is from Viscount, and has the identifiers PC-1315-21, REV 1, STD-3, 94V-0. Below is a photo of the internal board displaying this information.


Here is a link to what I believe to be the fob pictured in my post.

From this page the notable information seems to be that it is an IR TX VISC Transmitter, and it has a bit format of 32/26.

When reading the remote output (pressing the button into the IR sensor of the Flipper), it appears that I get a different number of samples. I should note that when pressing the IR fob into the remote, most times it does not capture the signal immediately, and I have to press the button a few times for it to be read. I am doing this in a dark room, so there shouldn't be interference. When reading I commonly get 3, 5, and 7, once getting 15. I've saved these inputs to a remote and they are as follows:

Filetype: IR signals file
Version: 1
# 
name: RAW_7_1
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 90 7763 91 19564 90 7781 86
# 
name: RAW_3_1
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 85 7802 86
# 
name: RAW_7_2
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 88 7745 88 39197 92 7796 91
# 
name: RAW_3_2
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 91 3093 89
# 
name: RAW_7_3
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 86 7781 87 31334 90 3828 88
# 
name: RAW_5_1
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 91 3092 90 46988 86
# 
name: RAW_15_1
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 91 3094 87 7777 92 62689 86 16348 88 22799 87 8585 86 3884 85

I’m kind of stuck at this point, and am not sure what next steps I can take to decode the information. Any pointers to help me would be greatly appreciated.

The codes seem to be very short. Not much to decode.

Mostly we've got a header and two signals for a 0 or 1 … So in your example only the last one looks like 'something'.

Let's say 91 is the beginning 'on', very short, but we need a start. Then the signal is 3100 ms off, 90 ms on, 7800 ms off, 92 ms on, 62000 ms off.
To decode, there is a small burst around 90 ms and different timings of off behind it.

~~Assumption: One IR LED is the trimmer, the other sends an different signal.
Could you cover the left LED and press the button for 2 to 4 seconds. Two times. Repeat this with the right LED covered.

Now we want to see if the 2 datasets are similar or not.~~ (Correction, because the PCB already shows the IR LEDs are connected in series and therefore can't send 2 different signals. Obviously the markdown for 'line through' does not work in this forum.)

Could you press the button for 2 to 4 seconds, because all captures except the last one are not usable for reversing.