How I hacked my shutters - Mickyleitor/RollerShutterControlPanel GitHub Wiki

When I first started researching how to interface with my shutters to build a home automation system, I found there are basically two ways to do it: via wiring, or via radio frequency (using the hand transmitter). There are about 6 buttons in my room, two pairs per shutter (up and down).

My first thought was to do it via wiring... shouldn't be very hard, right?

Interfacing via mechanical switches

As you can see, the limiting factor here is the space available for the whole system. To get an idea of the layout, I modelled the environment and placed all the elements before making any purchase (and to judge the viability of the project).

Note: At that time I had never produced a PCB, so maybe I could fit the PCB containing the relays into an even more compact space. That could be an affordable approach later, maybe.

Emulating a radio frequency hand transmitter

All my shutters were installed with their own hand transmitter, and I knew that almost every controller of this kind uses a rolling key (rolling code) algorithm to encrypt its messages. The rolling key is checked at both ends (shutter and hand transmitter) and ensures that each subsequent key follows a pseudo-random sequence produced by a known generator.

In theory, knowing the pseudo-random generator, we could decrypt the message and emulate the hand transmitter ourselves; see the Veritasium channel, where the same principle is applied to open a garage door.

Getting the signal

I connected my frequency scanner (Yaesu VR-120D) to my PC with a 3.5 mm audio cable and configured it as a LINE IN channel (like a microphone). This way the signal received on 433 MHz (one of the ISM bands) is streamed to the computer.

As I'm not an audio expert, I downloaded Audacity to record the signal and clearly see all the pulses in the message. Then I tuned the scanner to 433 MHz, started recording in Audacity and repeated the same command (for example, open the shutter) from the hand transmitter a few times.

And... this is what I got:

Replicating the signal

The next step was to replicate the command using a cheap 433 MHz transmitter module. I had another 3.5 mm audio cable with bare ends, so I connected the audio L/R channel to the DATA pin of the module and tied the grounds together. I did this out of pure curiosity, just to see what would happen.

This was the point where I realised something was wrong with my assumptions: the shutter accepted the replayed signal, so it doesn't follow any rolling key algorithm.

Why? Because if it were a rolling key algorithm, the next expected message would be different from the one we replayed, and the shutter controller would not have accepted the "replicated" key as valid.

Decrypting the signal

I tested again with three more commands and they all worked, so I researched some non-rolling key algorithms a bit, but since I'm not a security expert I chose to record the raw signal, save it and replay it when needed.

In the future it would be desirable to know the encryption algorithm, so I can make more efficient use of the MCU's memory.

Recording all commands

I created an Excel sheet containing all the bits of each message. This wasn't easy to do by hand, and I needed to automate the process in some way. So I measured the bit period, which is approximately 490 µs (bitrate ~2 kb/s):

The code is literally a loop that waits 490 µs per bit and saves the logic level of the 433 MHz module's receiver pin into an array, then prints the array to the console so I can quickly capture all the commands, saving a lot of time:
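The same idea applied offline to the Audacity recording, as an added example that is not the author's Arduino sketch: sync on the first burst, sample once in the middle of every 490 µs bit period, and pack the resulting bits into bytes so a command fits in a small const table on the ATmega328P. The 44100 Hz sample rate, the 0.5 amplitude threshold and the input waveform are assumptions constructed for the example.

```python
"""Turn an Audacity LINE IN capture of the remote's 433 MHz burst into the
bit string used on the page, sampling once per ~490 us bit period."""

SAMPLE_RATE_HZ = 44100   # assumption: Audacity's default project rate
BIT_PERIOD_US = 490      # bit period measured on the page (~2 kb/s)
THRESHOLD = 0.5          # assumption: normalised amplitude that counts as "carrier on"

SAMPLES_PER_BIT = SAMPLE_RATE_HZ * BIT_PERIOD_US / 1e6   # ~21.6, kept as a float


def make_capture(bits, lead_us=2000, trail_us=2000):
    """Constructed stand-in for a recording: silence, one burst per '1' bit,
    silence. The burst alternates sign because an AC-coupled audio input
    swings around zero rather than sitting at a DC level."""
    lead = int(SAMPLE_RATE_HZ * lead_us / 1e6)
    total = lead + int(len(bits) * SAMPLES_PER_BIT) + int(SAMPLE_RATE_HZ * trail_us / 1e6)
    samples = []
    for i in range(total):
        k = int((i - lead) / SAMPLES_PER_BIT) if i >= lead else -1
        on = 0 <= k < len(bits) and bits[k] == "1"
        samples.append((0.9 if i % 2 == 0 else -0.9) if on else 0.0)
    return samples


def decode_bits(samples):
    """Sync on the first rising edge, then read one sample at the middle of
    every bit period (mid-bit sampling tolerates jitter better than edges).
    Returns the bit string with the trailing idle gap stripped."""
    start = next((i for i, s in enumerate(samples) if abs(s) > THRESHOLD), None)
    if start is None:
        return ""
    bits = []
    k = 0
    while True:
        idx = int(start + (k + 0.5) * SAMPLES_PER_BIT)   # float period: no rounding drift
        if idx >= len(samples):
            break
        bits.append("1" if abs(samples[idx]) > THRESHOLD else "0")
        k += 1
    return "".join(bits).rstrip("0")


def pack_hex(bits):
    """Pack a bit string into bytes (MSB first, zero-padded) so a command can be
    stored as a short const table on an ATmega328P instead of one byte per bit."""
    padded = bits + "0" * (-len(bits) % 8)
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8)).hex()


if __name__ == "__main__":
    frame = "1011001110001"                      # constructed command, not a real Somfy frame
    recovered = decode_bits(make_capture(frame))
    print(recovered, pack_hex(recovered))       # 1011001110001 b388
```

Feeding a real capture means loading the WAV samples (normalised to -1..1) in place of `make_capture`; repeating the same button a few times, as the page does, lets you confirm the decoded string is identical every time, which is what rules out a rolling key.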

Making a prototype

The next step was to modify the 3D model. Instead of relays we will use radio modules, so a proper representation of the new model looks something like this:

After some time programming the functions (and thinking about how to compact all the key code information into an ATmega328P), I successfully tested the radio frequency commands using the prototype:

With all functions tested and a minimum viable product done, I designed and produced a new PCB containing the RF modules; hopefully that is what will be used in the final product. There is more information about the 3D printing process and the new PCB in the wiki sections.

The future

As I advance in the project I'm learning a lot of engineering, ranging from 3D printing tricks to encryption algorithms. The most intuitive part was replicating the signal, but as I wrote before, it would be better to know the encryption algorithm so I can generate the messages with a library instead.

PS1: According to the roller shutter portfolio, the protocol used by the remote control is RTS (Radio Technology Somfy). This needs to be investigated and tested.