Old Rolling code Keeloq unsupported

Dear Flipper community,

I have a gate remote with an old rolling code supposed from Keeloq, unsupported by current firmware.

The device is emetting at 868.92MHz in a ook modulation at 9600bps.
I receive 4 packets of different sizes. Full time of the send is less than 100ms.

The good news, I have a lot of very high end costly hw to measure anything. So, I can do a lot of measurements.
The bad news (for me) it has rolling code and unsupported by the fw.

I wish to duplicate this, because I have only one remote and 2 people are using it. So, not nice.

Chip is PIC12 : pic12lf1840t48a
Remote is named : Domatis dot fr & ETME on back.
I think this product is obsolete.

When I decode I got for exemple a start :

0x55 0x75 0x5b 0xd9 0xc9 0xdb 0xd9 0xcb 0x49, …

Only the 0x55 stay the same, I guess it should be a preambule.

If I get permission, I can send a few pictures. (It looks like I can’t for now)
I have even waveform from my scope, that can get full BW on this.

If I don’t get help from here, I will try to glitch dump the firmware. I really need a dupe. And this would be good learning process for me.

Kind regards AnonymousOfficial !

1 Like

I got 6 times the push button in read raw:

as long I cannot add files, i used pastebin.
any idea would be welcomed.
Somebody asked if I tried other fw, I did.

Cloning a rolling code remote is not a good idea in most cases. Let’s pretend you made a copy.

  1. The original and the copy are synchronized because you just copied them. Counter = 1000
  2. The original remote is used to open the gate. Counter = 1001
  3. You come home with the copied remote. Your copy broadcasts 1000 but that was already used.

At this point a few different things could happen.

A) The gate may simply ignore the bad code you sent. At that point you could press the remote again and it would open.

B) The gate could flag the remote and lock it out permanently. Both remotes would no longer work.

Scenario B seems less likely to me unless the counters are farther out of sync then 1 but it is a possibility. Perhaps it works for months with one or the other just having to press the remote an extra time. It’s possible however that one day the remote get jostled around or someone just hit’s the button a few extra times because the gate didn’t respond. Now maybe you have to hit the remote several times because one of the remotes is five or six counter codes behind. The chance of both remotes getting lockedf out is now much higher.

TLDR: You risk losing all access when cloning rolling code remotes.

1 Like

If he manages to get the keys out, which he seems to want and be able to, he can then add Flipper as a new remote. I’m not sure whether Flipper allows it - I have a custom KL key in corresponding file, and it is not displayed in Add Manually menu, but with some text editing it may be possible.

There was no indication in the post that the OP has access to the gate controller to add a new remote. That is a requirement unless the plan is to clone.