Author Topic: Universal Fixed and Rolling Code Remote Control Duplicator  (Read 6706 times)


Offline ozcar (Topic starter)

  • Frequent Contributor
  • Posts: 338
  • Country: au
Universal Fixed and Rolling Code Remote Control Duplicator
« on: September 17, 2019, 03:34:25 am »
So, we all know that it is impossible or pointless to clone a rolling-code remote. But take a look at this:
 
https://www.ebay.com/itm/Universal-Fixed-Rolling-Code-Garage-Door-Remote-Control-Duplicator-Frequency-New/183502291856

For years now it has been possible to buy non-genuine but compatible remotes for many popular brands of rolling-code remote controls. The makers of the compatible remotes are not going to tell us what they are doing, but I have to think that they are making use of something like the well-publicised side-channel attack on Keeloq receivers to extract the manufacturer key (Keeloq being the only rolling code system that I am really familiar with). Such compatible remotes are often made using the same chips as the original remotes, like HCS..., and like the original remotes, are only compatible with a limited range of receivers made by a particular manufacturer.

However, the above remote is different. Although they specifically mention compatibility with a particular Liftmaster remote there, the device in question is supposed to be compatible with many different brands, working on many different frequencies. It is obvious that the makers of the compatible remotes have been able to get hold of manufacturer keys for many brands of remotes, so it would certainly be possible to make a remote that is compatible with more than one brand (but not by using a standard encoder chip).

However, they claim to be able to duplicate a working remote. I had a bit of an idea of what they might be doing, and I was sufficiently curious to purchase a couple of them to check. I'll post a bit more with what I found later, but I'm wondering if anybody else has noticed remotes like this?

I think remotes like this have only become available in the last year or so, but maybe I am wrong, because I found that there are a large number of different ones for sale on Ebay and Aliexpress. There are many seemingly unrelated companies making them:

https://scimagic.com.cn/

https://www.szyet.com/

http://www.cngiant.net/
 
The following users thanked this post: nunojpg

Offline ozcar (Topic starter)

  • Frequent Contributor
  • Posts: 338
  • Country: au
Re: Universal Fixed and Rolling Code Remote Control Duplicator
« Reply #1 on: September 17, 2019, 04:57:44 am »
I chose two different-looking remotes to purchase, but it turned out that they are both made by Yaoertai. They are models YET2114AIO and YET2130AIO, which seem to be quite similar in capabilities, but slightly different shape. Both of these are supposed to handle a range of frequencies between 280MHz to 868MHz, but I have seen others that work on just a single frequency.

Both of them are based on an STM8L151G micro, and a TI CC110L transceiver (sans any logos, maybe not made by ST or TI?). At least they made no attempt to disguise them - I've encountered CC110L before with the top ground off in a RC receiver.

There are four pads in a row, with the ends ones marked "GND" and "VCC", the other two go to the STM8 SWIM and NRST pins. I did not bother to check, but expect it to be readout-protected. It might be possible to erase it and reprogram it though.

I tried using it to clone a fixed-code remote and as expected it worked. I don't have a vast array of rolling-code remotes to try it on, but it does successfully "copy" my ATA PTX4 (Keeloq classic, HCS301). My take on what they do is use the "copy" process to establish which key from their set of manufacturer keys to use, to then generate the transmitter key.

They do not copy the Keeloq transmitter serial number, nor do they use a constant serial number. Instead, it seems they generate a random serial number (over many tests, the high order 12 bits of the 28-bit serial number were always zero though).

Having done the "copy" you then have to get the receiver to "learn" to accept the new remote, same as you would for any other new remote.

For some brands of remotes, the "copy" process is a little more complicated, if the manufacturer has chosen to use what Microchip calls the "secure learn" process, where you have to press a special button, or combination of buttons, on the remote to get it to send a "seed" value which is used when forming the transmitter key.

It is not surprising that they do not copy the transmitter serial number. Most people who would buy one of these would be likely to still want to use their original remote in addition to the new one, and trying to use two transmitters with the same serial number on the same receiver would have problems due to the transmission sequence number checking. However, a device which did copy the serial number, and added say 100 to the sequence number, would have a less honourable use. It would be able to eavesdrop when a door is opened, and then be able to open the door later - at least for systems which don't implement "secure learn", and that is more than half of all the remotes listed as being compatible for the YET2130.

Creating a device like that would require only a trivial change to the code in the device. I wonder if such devices already exist, kept under the counter for special customers. For all I know, perhaps these devices like I have can already do that, by pressing some magic sequence of buttons.

When I was testing the YET2114, I did actually once see that it had copied the serial number. I don't think I had accidentally found some hidden function though. Rather, I believe all that happened was that for some reason it had mistakenly decided that it was dealing with a fixed code and had just duplicated it.

In light of what they are doing, one of these devices would be an attractive target for somebody wanting to get hold of manufacturer keys. Why buy a whole array of different brands of receivers and torture each one of them to divulge one key, when instead you could get a whole lot of keys out of one of these devices? I have no idea whether the process is any more difficult on an STM8 than on the PIC processors typically used in Keeloq receivers, though.

« Last Edit: September 17, 2019, 08:19:29 am by ozcar »
 
The following users thanked this post: nunojpg
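The key derivation, counter-window check and the cloning variants ozcar describes above, as an added Python model that is not part of the original post and has nothing to do with the Yaoertai firmware. It implements the public KeeLoq block cipher (the reference algorithm: 528 rounds, NLF constant 0x3A5C742E), Microchip-style "normal learn" key derivation (the 0x2/0x6 padding nibbles are from my reading of the HCS301 documentation; check them against the datasheet before relying on bit-exact compatibility, and the seed-based "secure learn" derivation is not modelled), a simplified receiver with the single-operation (16) and double-operation (32K) windows, and three scenarios: a duplicator that picks a fresh serial number, an exact copy sharing the original's serial and counter, and an eavesdropper's clone re-encoded at counter+100. The manufacturer key, serial numbers and frame layout are constructed for the example.

```python
"""Added example: KeeLoq (HCS301-style) encoder, normal-learn key derivation and a
receiver with the usual counter windows, used to replay the three cases in the thread."""

NLF = 0x3A5C742E      # KeeLoq non-linear feedback function, indexed by 5 state bits
M32 = 0xFFFFFFFF

def _bit(x, n):
    return (x >> n) & 1

def _g5(x, a, b, c, d, e):
    return _bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2 | _bit(x, d) << 3 | _bit(x, e) << 4

def keeloq_encrypt(block, key):
    """528-round KeeLoq encryption of a 32-bit block under a 64-bit key."""
    x = block & M32
    for r in range(528):
        fb = _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63) ^ _bit(NLF, _g5(x, 1, 9, 20, 26, 31))
        x = (x >> 1) | (fb << 31)
    return x

def keeloq_decrypt(block, key):
    """Inverse of keeloq_encrypt (the key schedule runs backwards from bit 15)."""
    x = block & M32
    for r in range(528):
        fb = _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63) ^ _bit(NLF, _g5(x, 0, 8, 19, 25, 30))
        x = ((x << 1) & M32) | fb
    return x

def derive_device_key(serial, mkey):
    """Normal-learn derivation: decrypt the 28-bit serial, padded with 0x2 / 0x6, under the
    manufacturer key. Padding nibbles are as I recall them from the HCS301 documentation."""
    serial &= 0x0FFFFFFF
    lo = keeloq_decrypt(0x20000000 | serial, mkey)
    hi = keeloq_decrypt(0x60000000 | serial, mkey)
    return (hi << 32) | lo

class Transmitter:
    """Hopping-code half of an HCS301 frame: button(4) | discrimination(12) | counter(16)."""
    def __init__(self, serial, device_key, counter=0):
        self.serial, self.key, self.counter = serial & 0x0FFFFFFF, device_key, counter & 0xFFFF
    def press(self, button=0x2):
        self.counter = (self.counter + 1) & 0xFFFF
        plain = (button << 28) | ((self.serial & 0x3FF) << 16) | self.counter
        return {"serial": self.serial, "button": button, "hop": keeloq_encrypt(plain, self.key)}

class Receiver:
    """Learns remotes from the manufacturer key and enforces the counter windows."""
    def __init__(self, mkey):
        self.mkey, self.table = mkey, {}   # serial -> {key, last counter, pending resync}
    def _open(self, frame, key):
        plain = keeloq_decrypt(frame["hop"], key)
        ok = ((plain >> 16) & 0x3FF) == (frame["serial"] & 0x3FF) and (plain >> 28) == frame["button"]
        return ok, plain & 0xFFFF
    def learn(self, frame):
        key = derive_device_key(frame["serial"], self.mkey)
        ok, ctr = self._open(frame, key)
        if ok:
            self.table[frame["serial"]] = {"key": key, "last": ctr, "pending": None}
        return ok
    def receive(self, frame):
        e = self.table.get(frame["serial"])
        if e is None:
            return "unknown-serial"
        ok, ctr = self._open(frame, e["key"])
        if not ok:
            return "bad-discrimination"
        delta = (ctr - e["last"]) & 0xFFFF
        if 1 <= delta <= 16:                      # single-operation window
            e["last"], e["pending"] = ctr, None
            return "accepted"
        if 17 <= delta < 32768:                   # double-operation (resync) window
            if e["pending"] is not None and ctr == (e["pending"] + 1) & 0xFFFF:
                e["last"], e["pending"] = ctr, None
                return "accepted-resync"
            e["pending"] = ctr
            return "resync-pending"
        e["pending"] = None
        return "rejected-replay"                  # counter at or behind the last one seen

MKEY = 0x0123456789ABCDEF                          # constructed manufacturer key, not any vendor's
ORIG_SERIAL, FRESH_SERIAL = 0x0ABCDEF, 0x000A5F1   # fresh serial: top 12 bits zero, as observed

def scenario_duplicator():
    """YET-style copy: a new serial, so the receiver must learn it as a second remote."""
    rx, orig = Receiver(MKEY), Transmitter(ORIG_SERIAL, derive_device_key(ORIG_SERIAL, MKEY))
    clone = Transmitter(FRESH_SERIAL, derive_device_key(FRESH_SERIAL, MKEY))
    rx.learn(orig.press()); rx.learn(clone.press())
    return [rx.receive(orig.press()), rx.receive(clone.press())]

def scenario_same_serial():
    """Exact copy (serial + counter): the original races ahead, so the copy looks like a replay."""
    rx, orig = Receiver(MKEY), Transmitter(ORIG_SERIAL, derive_device_key(ORIG_SERIAL, MKEY))
    rx.learn(orig.press())
    copy = Transmitter(ORIG_SERIAL, orig.key, orig.counter)
    return [rx.receive(orig.press()) for _ in range(3)] + [rx.receive(copy.press())]

def scenario_counter_plus_100():
    """Eavesdropper holding the manufacturer key: decrypt one capture, re-encode at counter+100.
    Two presses land in the resync window; the genuine remote is then behind and locked out."""
    rx, orig = Receiver(MKEY), Transmitter(ORIG_SERIAL, derive_device_key(ORIG_SERIAL, MKEY))
    rx.learn(orig.press()); rx.receive(orig.press())
    captured = orig.press(); rx.receive(captured)                 # the attacker sniffs this frame
    key = derive_device_key(captured["serial"], MKEY)
    ctr = keeloq_decrypt(captured["hop"], key) & 0xFFFF
    rogue = Transmitter(captured["serial"], key, ctr + 100)
    return [rx.receive(rogue.press()), rx.receive(rogue.press()), rx.receive(orig.press())]
```

The third scenario is why "add say 100" is enough for the attacker: a jump of more than 16 is not rejected outright, it only demands two consecutive counters, which the rogue transmitter trivially supplies. The side effect is that the legitimate remote is now behind the receiver's stored counter and is refused as a replay until it is re-learned, so an owner whose working remote suddenly stops is seeing one symptom of exactly this attack. Secure-learn systems are not immune to the resync logic, but the attacker cannot derive the device key from the serial number alone, which is the distinction ozcar draws above.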

Offline nunojpg

  • Contributor
  • Posts: 17
Re: Universal Fixed and Rolling Code Remote Control Duplicator
« Reply #2 on: January 20, 2021, 08:21:04 pm »
Great info. Yes, getting master keys from these devices would probably be very nice to establish a database. Many projects would benefit from having them. Not sure if the STM8L151G allows dumping the firmware for disassembly. And oh my, reverse engineering the Chinese :-DD