[tivert]

> These keys are generated and tracked using a counter which has to stay in sync between the remote and the car. This ensures that the car doesn’t reuse an old key, and that the remote always generates fresh keys.

Something I've always wondered about is, how do learning remotes defeat this?

My car has a couple of built-in garage door buttons, and I'm pretty sure I programmed it by just hitting the remote button in the garage while the car was in a learning mode. Is that a much more sophisticated feature than you would assume (e.g. decoding the signal, recognizing the type, then initiating a pairing with the opener, instead of just replaying the signal)?

[tkems]

This sounds like HomeLink and is indeed more complex. My understanding of it is that they partner with lots of companies to support their rolling/fixed codes and remotes so that they can be paired to your garage door.

I linked this in a sub comment, but the largest garage door maker in the US is Chamberlain [0] (which owns a ton of other brands) and uses known rolling code algorithms that can be decoded. [1]

[0] https://www.chamberlain.com/ [1] https://github.com/argilo/secplus

[seidleroni]

My understanding is that most garage door openers do not use rolling keys, they send the same code each time.

[mdip]

They've been in use since the 90s, actually[0].

My understanding is that the earlier rolling code systems are easily defeated and I think this can be done (possibly with stock firmware) using a Flipper Zero.

Prior to that, garage doors had a set of DIP switches (16, or 32, I can't remember). You matched the switch configuration on your opener with the switch configuration on the controller. And as you might imagine, in a typical suburban area about 80% of the garage doors are set to all zeros.

Because the range of the devices was "lucky if you can open the door from the bottom of your driveway", most people didn't notice this. Of course that meant you could open a large number of garage doors by sending the "0" signal for each manufacturer with enough wattage.

Compatible models are made by reverse engineering each individual model's rolling code implementation (in the early days) and making an accessory that had the necessary seed value or other component to allow it to be "paired" with a compatible door head unit. Considering it wasn't uncommon for the higher-end models to charge $150 for an accessory remote, manufacturers had a bit of incentive to roll their own slightly incompatible implementations.

This is from memory and minimal memory at that, but -- late 90s or early 00s, I think, "HomeLink" was created, which basically allowed car manufacturers to integrate a door opener into the car. If you bought a higher-end model, your visor might have the buttons in it. I believe licensing allowed third-parties to easily create fully compatible accessories at that point (pay a fee, get the patent license/datasheets sort of arrangement).

[0] Genie thinks they were first in 1995 but I seem to recall we had a rolling code door installed as early as 1993.

[buescher]

There were also so-called "learning codes" that overlapped substantially with the introduction of rolling codes. Think fixed-code remotes with a random preprogrammed code instead of dip switches. Chamberlain's "billion code" is representative. They have to be paired with the opener receiver in the same way as rolling code remotes.

[tkems]

The largest garage door manufacture in the US uses the Security+ and Security+ 2.0 algorithms that are rolling, but can be fairly trivially decoded to gain the serial number and rolling value of a remote. [0] This is how the flipper zero decodes remotes for playback later.

[0] https://github.com/argilo/secplus

[jjtheblunt]

They use rolling frequencies at least our 2021(?) garage opener does, to retry in the presence of narrow band noise from fcc violating devices. We seem to have neighbors blasting rf in the band that our previous builder installed 2014 model used, because it rarely worked unless super close.

[tyingq]

Mine has rolling codes and a "learn button" on the head end to accept a new remote.

[porkbeer]

They have been rolling codes since the early 2000s. 80s and most 90s doors are static codes.

[throwaw33333434]

my 2016 gate use rolling codes.

[sgerenser]

You have it backwards, the main garage opener is doing the learning, the cars button is just transmitting a signal. Doing this process, you’re telling your garage door opener “hear this new remote? Please allow him to open the door as well.” Presumably the car side buttons just cycle through a few common protocols (realistically there’s only 4-5 ones in common use, almost all garage door openers I the U.S. are made by Chaimberlain/Liftmaster or Genie).

[sgerenser]

Actually I take it back, there might be learning on the car side as well, where you press a button on an existing remote, but all that does is tell the car “Oh, this is a Chamberlain SecurityPlus 1.0 remote, I’ll start acting like one of those.” The actual rolling code and security algorithm is never decoded/cloned on the car side.

[tzs]

Let's start with fixed code systems. In those the remote sends the same signal every time. There will usually be some way to customize this signal, such as a set of DIP switches in the remote and in the head unit so that you can set your system to a different fixed signal than you neighbor's fixed signal.

A learning remote for such a system could work by simply replaying whatever it heard when it recorded during learning. So if you press the "learn" button, press the button on your current remote, and then do whatever tells the learning remote you are done it could save everything its radio picked up during that few seconds, and then play that back whenever you press the open/close button.

You probably wouldn't want to take that bare bones approach though. The recording might include other things. Suppose while you are setting it up someone happens to come to your house and press the button on your wireless doorbell, which just happens to operate in the same band as your garage opener. That gets picked up and is part of your recording.

You don't notice this when you test the recording afterwards because you are in the garage and can't hear the doorbell, but your spouse inside is getting spurious doorbell dings. It might take a while for someone to realize that your plague of spurious doorbell rings is connected to the garage door.

You'd want to at least look at the recorded signal and crop it down to just the part with the actual door signal. If the signal has both a door signal and something else like the aforementioned wireless doorbell the new remote might pick the wrong one, but in that case you'll know right away and can try again.

Better would be if the new remote could actually decode the signal to get the code, and then generated a new signal with that code every time. The record and replay method, even if cropped down to the right signal, might have recorded a weak or noisy signal which might be hard for the header for end to handle. By figuring out the code and generating a clean strong signal every time you'll get better performance.

That approach does require understanding the details of the code systems of each manufacturer whose remotes you want to be able to clone.

Nearly every home garage door opener company in the US switched to rolling codes for their new models during the '90s, and so if you are dealing with any system installed less than ~25ish years ago it almost certainly uses rolling codes.

These typically work like this. They have a pseudorandom sequence determined by a seed value. The seed is determined by the remote. I don't know if the seed is built in at manufacturing time or selected at random by the remote when it is first powered up or what. The remote generates the sequence and keeps track of where it is in the sequence. Each press of the open/close sends the next value.

The head end has a "learn" mode. You put it in learn mode and then press the open/close button a couple of times on the remote. The head sees those, recognizes they are in the right format for its system, and is able to figure out what seed would have had to been used for that system's sequence function to produce those two consecutive values. It adds that to a table of known remotes.

In operation when you press open/close, the head decodes the signal to get the sequence value, checks its table to see if that matches the value it expects from any of the known remotes. If it does the door operates and it updates its idea of where that remote is in its sequence.

There's some slack in there so that it will accept a sequence value several values ahead of what it last saw from a remote so if say your bored kid on a trip pressed the remote button a dozen times you won't get home and find your garage won't open.

You could make a learning remote that could clone an existing rolling code remote by following the same procedure the head follows for learning a remote. The learning remote would have to know the rolling code systems for all the systems it supports, but that would be doable.

The problem would be if you got the learning remote because you wanted an additional remote. To the head end the cloned remote is the original remote. Say you have one remote and two people, and you clone the remote this way. As long as neither of you goes too long without using their remote it would be fine. But if for some reason one of you doesn't use yours for a while the other might advance the sequence past the slack that I mentioned earlier and yours would stop working.

You'd have to re-pair it with the head end. How well that would work would depend on details of the system. If the pairing works by recovering the initial seed value, and that is used as the key for the head's table of remotes, it might cause problems because the two remotes have the same seed but are farther apart in their sequences than the slack.

(I suppose you could clone the old remote, then take the battery out of the old remote long enough for it to re-seed when you put the battery back in--assuming the seed isn't fixed at manufacturing time--and then pair it with the head).

The way every universal remote for rolling codes that I've seen works is that you don't use an existing remote to teach them. They have a way to tell them what your head end is. You do that, then you pair them with your head just like you would pair a new remote bought from the head's manufacturer.

These things don't usually have rich user interfaces. Telling it what system you have will probably mean looking up a number in a table in the manual, and then pressing some button on the remote (probably hidden in the battery compartment so it won't accidentally be hit), then pressing the button you want to program N times where N is the number you looked up in the manual.

You might need several tries because some manufacturers have changed code systems multiple times. If you don't know what year yours was made you might have to try them all. Even knowing the year might not help. Genie for example has one from 1995, one from 2005, and one that I think is from 2011, and they didn't stop using the old ones when the new ones came out.

It could be a nice feature if the universal remote could look at the signal from your existing remote to learn what rolling code system your head end uses. But it would also mean the universal remote would need a receiver, and that would be the only thing the receiver is used for so it is hard to justify. Pairing with the head and telling the head to open/close the door is strictly one way: remote to head.

[bigiain]

Samy Kumar did a project about 10 years back, where he worked out how to brute force a 12 bit garage door code in under 10 seconds, using a childs toy: http://samy.pl/opensesame/

My garage door opener uses a 12 but dip switch config (and my last place used an 8 dip switch config, and I'm pretty sure still does).

Re reading that OpenSesame post was fun. It reminded me of a few names I need to go find out what they're up to these days (Travis Goodspeed and Michael Ossmann are names I remember seeing doing/writing-up some really cool stuff), and that the Mattel IM-ME toy he was using uses that same CC1110 "sub gHz"

[buescher]

OpenSesame is really cool. It depends on the receiver using a shift register and the protocol not having stop bits (or equivalent), otherwise running a DeBruijn sequence that contains all the possible codes won't work.