Game Instance


Let the games begin

Cloning MPS-TF2E Remote Controls

A widget for DIY code word generation

Having had limited success with the replication of my old MPS/TF2E remote control signals, I decided to work on reverse engineering the code word from the 10 DIP switch combination. I figured that such an old remote with circuitry that simple cannot possibly generate more than a rearrangement of the 10 bit switch values. I was right.

The MPS/TF2E remote control. Left - the lid covered 10 DIP switch key, right - the face of the remote.

The said limited success was caused by carrier frequency differences between the general purpose 433 MHz transmitter and the garage RF unit that expects 433.92 MHz. However, the out-of-band radiation from the small transmitter was sufficient from a short distance to actuate the door opening. So, choosing a transmitter with a suitable carrier is of paramount importance before jumping to the next step.

For simplicity, the following widget will guide you to cloning your own MPS/TF2E remote. Reproducing the DIP switch configuration from the back of your remote control will give you the code word. Replace the latter in the corresponding constant within the Arduino sketch presented in the previous post, burn the code and you can use the DIY remote control instead of the original one.

Words of wisdom:
This article and the ones before have the sole purpose of helping DIY enthusiasts decode and clone their own remote controls. Using these with unlawful intent constitutes a criminal offence. Second, if you're considering this type of remote control system as the primary means of protecting your valuables, stop right there! Last but not least, if you're already using this to keep your belongings safe, you ought to explore better alternatives.

The security employed by this remote control is weak. It sends the same code every time you press the button, thus exposing the signal to RF sniffing and cloning. Any Rolling Code system is a better alternative. Among the fixed code word systems, this isn't the best there is either. The DIP switch key isn't encoded using a hashing algorithm but rather a simple bit rearrangement. That means a brute-force attacker would have to explore only 1024 combinations instead of 137 billion, which is the maximum possible.
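The difference between a fixed code word and a rolling code, seen from the receiver's side, as an added example that is not part of the original post or the Arduino sketch. The counter-plus-HMAC frame format, the key, the look-ahead window and the sample code word are assumptions made for illustration and do not describe the MPS/TF2E or any specific product's protocol.

```python
import hashlib
import hmac


class FixedCodeReceiver:
    """Stateless receiver: one static code word, as the post describes."""

    def __init__(self, code_word: int):
        self.code_word = code_word

    def accept(self, frame: int) -> bool:
        return frame == self.code_word


def rolling_frame(key: bytes, counter: int) -> bytes:
    """Hypothetical frame: 4-byte counter + 8-byte truncated HMAC-SHA256 tag."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]


class RollingCodeReceiver:
    WINDOW = 16  # tolerate button presses the receiver never heard

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        # Authenticate first, in constant time, then check freshness.
        if not hmac.compare_digest(frame, rolling_frame(self.key, counter)):
            return False
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False  # already-used or far-future counter
        self.last_counter = counter
        return True


def demo():
    code_word = 0b1011001110  # constructed sample value
    fixed = FixedCodeReceiver(code_word)
    fixed_results = [fixed.accept(code_word), fixed.accept(code_word)]

    key = b"constructed-demo-key"  # constructed sample key
    rx = RollingCodeReceiver(key)
    first = rolling_frame(key, 1)
    rolling_results = [rx.accept(first), rx.accept(first),
                       rx.accept(rolling_frame(key, 2))]
    return fixed_results, rolling_results


if __name__ == "__main__":
    print(demo())
```

The fixed-code receiver accepts the identical frame on every presentation, while the rolling-code receiver accepts each authenticated counter value once and rejects a repeat of it.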