
123FBI Electronic Technology


HCS300/301 rolling code principle description

1. Introduction
Traditional security products for one-way transmission mainly use fixed-code codec chips such as the PT2262, PT2272, AX5326 and AX5327. Because the code length and code format of these chips are fixed, the transmitted code word is very easy to capture off the air or to find by scanning, so such chips can only be used where privacy and security requirements are not high. An experienced engineer or technician can build an over-the-air code copier for about 500 yuan and crack such a system in less than one second. Scanning and tracking methods can also crack such systems in just a few dozen minutes.
Microchip's KEELOQ-based HCS series of rolling code encoder chips overcomes the shortcomings of these systems and has been successfully applied in a variety of security products. Because advanced non-linear bit encryption is applied to the code before it is transmitted, the resulting rolling code is extremely confidential. Every transmitted code is unique, irregular and non-repeating, which defeats any attempt to break the system by illegal capture or by scanning and tracking. The chips are well suited to gate, garage, bank and other access management systems, automatic anti-theft alarm systems, identification, smart IC cards and other fields.
2. Features of the HCS300/301 encoder IC
1. Confidentiality
Programmable 28-bit serial number
Programmable 64-bit encryption key
Every transmitted code is unique
Encryption key cannot be read back
2. Internal features
Wide operating voltage range (HCS300: 2.0 V-6.3 V, HCS301: 5.5 V-13.0 V)
Four function inputs (up to 15 functions can be combined)
Low-voltage detection indicator
3. Principle of the HCS300/301 encoder
1. Encryption key generation
A unique encryption key must be generated for the HCS300/301 before it can be used. In the key generation process, the key generation algorithm derives the unique encryption key from the factory code and the serial number, and the key is then written into the on-chip EEPROM. The factory code, also known as the serial code or manufacturer code, is 64 bits long. It is different for every manufacturer and is used to generate the unique encryption key for each encoder. The factory code is the key to the security of the entire system and must be managed under strict control. If the factory code is leaked, the entire system no longer has any security. The serial number is 28 bits long, is specific to each encoder, and can be used as a user code.

The original code, the encryption key and the synchronization code are processed by the KEELOQ algorithm to produce a highly confidential 32-bit rolling code. Because of the complexity of the KEELOQ algorithm, and because the 16-bit sync code is updated on every transmission, each transmitted code is completely different from the previous one. A code can only repeat after 2^16 transmissions. If the code is transmitted 10 times a day, that is an interval of 18 years.

3. On-chip EEPROM
The HCS300/301 has a 192-bit (16 x 12) EEPROM for storing the encryption key, the serial number, the synchronization value and other information. The EEPROM has to be operated on both before and during use of the HCS300/301. It must be programmed before use. For the sake of confidentiality, a readback verification can be performed only within a short time after the EEPROM has been programmed; at any other time readback is prohibited. In use, the EEPROM contents are encrypted to generate the transmitted code, and the sync value is updated.
4. HCS300/301 code format
An HCS300/301 transmission consists of several parts (Figure 3). Each code word starts with a preamble and a header, followed by the rolling code portion and the fixed code portion, and ends with the guard time that separates transmissions. The rolling code portion is 32 bits of encrypted data; the fixed code portion is 34 bits, made up of status bits, function bits and the 28-bit serial number. The total number of code combinations is as high as 7.38 x 10^19.

The HCS300/301 sends 66 bits of encoded data each time a button is pressed, made up of two parts: the rolling code and the fixed code. The rolling code part is generated by encrypting 4 button status bits, 2 overflow bits, 10 discrimination bits and the 16-bit sync value. The fixed code part consists of the 28-bit serial number, 4 button status bits and 2 status bits.
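The field layout above, as an added example (not code from the original page or from Microchip): a C sketch that splits a received code word, once the rolling part has been decrypted, into the listed fields. The field widths come from the text; the bit order inside each part, the button-bit cross-check and all names are assumptions of this example.

```c
/* Added example: field widths are from the text; the bit order inside each
 * part, the button cross-check and all names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint16_t sync;      /* rolling part: 16-bit sync value      */
    uint16_t disc;      /* rolling part: 10 discrimination bits */
    uint8_t  overflow;  /* rolling part: 2 overflow bits        */
    uint8_t  btn_enc;   /* rolling part: 4 button status bits   */
    uint32_t serial;    /* fixed part: 28-bit serial number     */
    uint8_t  btn_fix;   /* fixed part: 4 button status bits     */
    uint8_t  status;    /* fixed part: 2 status bits            */
} code_word;

/* rolling: the 32-bit rolling part after decryption.
 * fixed:   the 34-bit fixed part, held in the low bits of a 64-bit word.
 * Returns false for input that cannot be a consistent code word. */
bool parse_code_word(uint32_t rolling, uint64_t fixed, code_word *out)
{
    if (fixed >> 34)                      /* more than 34 bits supplied */
        return false;
    out->sync     = (uint16_t)(rolling & 0xFFFFu);
    out->disc     = (uint16_t)((rolling >> 16) & 0x3FFu);
    out->overflow = (uint8_t)((rolling >> 26) & 0x3u);
    out->btn_enc  = (uint8_t)(rolling >> 28);
    out->serial   = (uint32_t)(fixed & 0x0FFFFFFFu);
    out->btn_fix  = (uint8_t)((fixed >> 28) & 0xFu);
    out->status   = (uint8_t)((fixed >> 32) & 0x3u);
    /* Both parts carry the button state, so this sketch rejects a word
     * whose clear-text and decrypted button bits disagree. */
    return out->btn_enc == out->btn_fix;
}

int main(void)
{
    /* Constructed sample: serial 0x0123456, button 2, status 1, sync 0x65. */
    code_word cw;
    bool ok = parse_code_word(0x21550065u, 0x120123456ULL, &cw);
    printf("ok=%d serial=%07lX sync=%u\n", ok,
           (unsigned long)cw.serial, (unsigned)cw.sync);
    return 0;
}
```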

4. Principle of decoding
For the transmitter and receiver to work together, the transmitter must first be "learned" and confirmed by the receiver.
After learning is confirmed, the decoder encrypts the learned serial number and synchronization value and stores them in its EEPROM. The decoder needs the factory code (only transmitters with the same factory code can be learned), and the factory code is usually stored in ROM to improve security.
Once the decoder has obtained the serial number, it combines it with the factory code to generate the same key as the transmitter and uses this key to decrypt the rolling code data. Each time a transmission is received, the decoder first checks whether the serial number has been learned and, if so, carries out the decoding process. The rolling code portion is decrypted with the generated key, and the discrimination bits are used to judge whether the decryption is valid. If these checks pass, the synchronization value is evaluated.
Decoder synchronization value check
If the decrypted sync value is in the current operation window (less than 16), the sync value is stored again and the corresponding operation is performed. If the sync value is not in the current operation window but is in the dual operation window, that is, within 32K, the received sync value is stored temporarily and the decoder waits for the next transmission. If the next received sync value is consecutive with the temporarily stored one, the decoder concludes that the transmitter has simply jumped into the dual operation window, so the new sync value is stored and the corresponding command is executed. If the sync value falls outside the dual operation window, the transmission is considered invalid. After each valid transmission the whole window rotates, and the code just used falls into the invalid operation window.
This eliminates the possibility of a previously transmitted code being captured and retransmitted.
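The synchronization check described above, as an added C example that is not part of the original page. The window sizes 16 and 32K come from the text; the type and function names, and the decision to drop the held value when an invalid code arrives, are assumptions of this example.

```c
/* Added example: sync-value window check. Names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SINGLE_WINDOW 16u     /* current operation window: less than 16 */
#define DOUBLE_WINDOW 32768u  /* dual operation window: within 32K */
typedef enum { SYNC_REJECT, SYNC_PENDING, SYNC_ACCEPT } sync_result;

typedef struct {
    uint16_t stored;       /* last accepted sync value (EEPROM copy) */
    uint16_t pending;      /* value held while waiting for the next code */
    bool     have_pending;
} sync_state;

/* rx: 16-bit sync value taken from a validly decrypted rolling code. */
sync_result sync_check(sync_state *s, uint16_t rx)
{
    /* Forward distance modulo 2^16, so counter wrap-around is handled. */
    uint16_t ahead = (uint16_t)(rx - s->stored);
    if (ahead == 0 || ahead >= DOUBLE_WINDOW) {
        /* Invalid operation window: already used, or too far ahead.
         * Dropping the held value here is a choice of this sketch. */
        s->have_pending = false;
        return SYNC_REJECT;
    }
    if (ahead >= SINGLE_WINDOW &&
        !(s->have_pending && (uint16_t)(rx - s->pending) == 1u)) {
        /* Dual window, not consecutive with a held value: hold and wait. */
        s->pending = rx;
        s->have_pending = true;
        return SYNC_PENDING;
    }
    /* Current window, or the second of two consecutive dual-window codes. */
    s->stored = rx;
    s->have_pending = false;
    return SYNC_ACCEPT;
}

int main(void)
{
    /* Constructed sequence: press, replay, far jump, its successor, replay. */
    const uint16_t rx[] = { 101, 101, 5000, 5001, 5001 };
    sync_state s = { .stored = 100, .pending = 0, .have_pending = false };
    for (unsigned i = 0; i < sizeof rx / sizeof rx[0]; i++)
        printf("%u -> %d\n", (unsigned)rx[i], (int)sync_check(&s, rx[i]));
    return 0;
}
```

A captured code replayed after the genuine one lands at distance 0 or behind the stored value and is rejected; the 16-bit subtraction keeps this true across counter wrap-around.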
