
A Rolling Code 4-Channel UHF Remote Control: The Nearest Thing You Can Get To "Unbreakable"

Rolling code generator

Uploaded by

Gonzalo Garcia
Copyright
© © All Rights Reserved

The nearest thing you can get to “unbreakable” . . .

A Rolling Code 4-channel UHF Remote Control

This is one very clever remote control. With rolling code, it’s close-to-impossible to electronically “crack”. With four channels, all either latching or momentary operation, it’s extremely versatile. With a sensitive prebuilt receiver, it’s long range. With up-to-16 keyring-size transmitters, it’s go-anywhere. And the kit even includes the keyring!

By Ross Tester

Whether you want to control a garage door or gate, a car and/or home alarm, or perhaps remotely turn lights or anything else on or off, this high-security system is just what you’re looking for! Inset top right are the pre-built, aligned and tested receiver (top) and transmitter (bottom) modules, shown here same-size.
18 SILICON CHIP www.siliconchip.com.au
We’ve presented a number of remote (radio) control devices in the past. None has been more secure than this one. To guess the code combination, you’re going to need something like 23 billion years. But don’t bother: the next time it’s used, the code will have changed anyway.

That’s the advantage of a rolling code (or “code hopping”) system. We explain what this means, and does, later in this article.

Suffice to say at this stage that it makes one v-e-r-y secure system. For all intents and purposes, it is impossible to electronically “crack”. Go on, give it a go – we’ll see you in a few million years or so!

SPECIFICATIONS
• UHF (433MHz) licence-free (LIPD band) operation
• Long range – prototype tested to 100m+
• Pre-built and aligned transmitter & receiver modules
• Rolling-code (“code hopping”) operation (7.3 x 10^19 codes)
• Receiver “learns” transmitter coding
• Receiver can handle up to 16 remotes
• Transmitter can handle any number of receivers
• 4 channels available, each either momentary (push on, release off) or latching (push on, push off) via jumpers
• Code acknowledge LED and channel status LEDs
• Each channel relay contacts rated at 28VDC/12A (single pole, changeover)
• 12V DC operation (6mA quiescent; 150mA all relays actuated)

The transmitter

It’s probably not necessary to say it but there are two parts to this project, a transmitter and a receiver.

First of all, there is the tiny 4-channel “key-ring” transmitter which, fortunately, comes 99% pre-assembled.

We say fortunately because it’s just about all SMD (surface mount devices) which, while not impossible for the hobbyist to work with, requires some rather special handling. You are spared that!

All you have to do with the transmitter PC board is solder on the two battery connectors and place it in the case (with battery).

The battery contacts are slightly different: the one with a spring is for the negative battery connection – it goes on the righthand side of the PC board with the only straight side of the PC board at the bottom.

You may find, as we did, that some of the holes for the battery connectors are filled with solder. This is easily melted during installation.

Once this is done, it’s just a matter of assembling the board in its keyring case. Incidentally, the keyring case and battery are all supplied in the kit.

The transmitter itself is in the licence-free 433MHz LIPD band (it’s actually on 433.9MHz). As with most devices of this type these days, it is based on a SAW resonator (that stands for surface acoustic wave, so now you know!). This keeps the circuit very simple but enables excellent performance.

Without wanting to get into the nitty-gritty of SAW resonator operation, in essence it controls the RF side of things while a dedicated chip controls the complex digital coding.

The receiver (which we’ll get to shortly) can handle up to 16 transmitters so if you have a really big family or maybe have a secure company carpark you want to give a certain number of people access to, you can do so simply by purchasing more transmitters.

The transmitter has four pushbuttons, one for each of the four channels. Of course you don’t have to use all four channels – just one will control most garage door openers, for example – but it’s nice to know there are four channels available.

And before we move off the transmitter, up to three channels can be pressed simultaneously and the receiver will react to all three (it won’t handle four at once, though).

Finally, as well as multiple transmitters, you can use more than one receiver if you wish.

Each receiver “learns” its transmitter(s) so you can have a multiple system controlling, for example, the garage door, the car doors, the car alarm, the home security system – in fact, anything your little heart desires.

The receiver/decoder

Now we move on to the heart of the system, at least the bits you have to put together to make it work.

In fact, there are two parts to the receiver as well. There is a 433MHz receiver module which comes assembled, aligned and ready to go. This solders into an appropriate set of holes on the main PC board once you’ve finished assembling that board.

The main PC board contains the electronics which process the output from the receiver.

The receiver checks the incoming code and if valid, sends a signal to one of four outputs (depending on which button was pressed on the transmitter).

From here, depending on how the four jumpers are set on the board, the signal goes either direct to an NPN transistor relay driver (for momentary operation – the relay is energised while the button remains pressed) or to a D-type flipflop and then to the transistor relay driver (for alternate operation – press once and the relay latches, press again and the relay releases).

The flipflops change state (toggle) each time a positive-going pulse appears at the clock input. This is achieved by the connection from the Q-bar output to the D input via an RC network.

The circuit has a power-up reset. When power is first applied, the Q outputs of the flipflops are reset low by the 0.1µF capacitor and 1MΩ resistor on the reset (S) inputs.

Reset is caused by sending the reset inputs of all flipflops high. Once the capacitor is charged, the voltage at the reset inputs of the flipflops falls to virtually zero, allowing normal operation.

It is perfectly acceptable to have a mixture of momentary and latched modes amongst the four channels. It’s up to you.

But if you only require momentary action (for example, as needed by
www.siliconchip.com.au JULY 2002 19
some door openers/closers) the flipflops, along with their associated RC network components and the four header pin jumper sets, could be left out of circuit. (You’d then need four links on the PC board to directly connect the receiver outputs to their respective transistors.)

Along with spike suppression diodes across each relay coil, part of each relay driver circuit also includes an acknowledge LED to give a visible output of what’s happening.

There is also a “valid signal acknowledge” LED attached to the 433MHz module, which lights when valid code is being received.

Each of the four identical relays has contacts rated at 28VDC & 12A, so can be used to control significant loads. The wide track widths on the PC board also allow high currents.

The relay contacts could, of course, also be used to switch higher-rated relays or you could replace the acknowledge LED with an opto-coupler.

The relays themselves are single pole but have normally open (NO) and normally closed (NC) contacts. These states refer to the unenergised state of the relay (ie, the NC contacts go open when power is applied to the relay coil and vice-versa).

[Circuit diagram: 4-channel UHF “rolling code” remote control receiver]
Fig.1: the circuit of the “control” section of the receiver unit. We haven’t attempted to show the 433MHz receiver itself, nor the transmitter, as these are both pre-assembled modules, saving you a lot of difficult work!
ASSEMBLING THE REMOTE CONTROL: The photo above shows seven of the eight parts you should find when you take the bits out for the remote control (the battery is missing!). Above centre shows the two battery connectors soldered in place on the top of the PC board, above right shows the same thing from the other side. Don’t mix up the connector with spring and the connector without. Finally, the photo at right shows the PC board in place, with battery, in one half of the keyring case. The blue pushbuttons are all on one plate – they fit in as shown but can easily fall out. As you push the two halves of the case together, make sure the pushbutton plate stays in place. The keyring itself also fits into the notch in the case as you push the two halves together.

The only other components on the board are a simple 5V regulated supply, consisting of a 7805 3-terminal regulator and a couple of capacitors. This supply powers the 433MHz module and the 4013 flipflops. The relay coils are powered direct from the 12V supply.

Construction

Start by soldering in the two battery terminals to the transmitter PC board, in the positions shown in the photographs.

Place the completed board in the keyring case, making sure the pushbuttons stay in position.

Push the two halves together with the battery in place (and the right way around – see pictures), with the keyring clip sandwiched between the two halves.

One screw holds the two halves of the transmitter case together.

Press each of the four buttons and ensure that the LED lights each time. If it does, you can be reasonably sure that the transmitter is working properly. Put it to one side while we move on to the receiver.

Receiver board

As usual, check the receiver PC board for any defects before assembly. Then solder in the resistors, capacitors, diodes, IC sockets (if used) and the four header pin sets (which select momentary or latching function).

If you use IC sockets, make sure they go in the right way around – the notch is closest to the edge of the PC board.

The “learn” pushbutton switch solders in place between the IC sockets. These have two pairs of pins which are not identically spaced – the switch should be an easy fit in the PC board if you get it the right way around. If in doubt, check the “closed” state with your multimeter.

Now solder in the semiconductors – the regulator, diodes, transistors and the LEDs as shown on the component overlay. Watch the LED and transistor polarities – each is opposite to its neighbour!

The last things to be soldered in place before the 433MHz receiver module are the four relays and the six output terminal blocks. The relays will only go in one way but the terminal blocks could be mounted back-to-front, making it almost impossible to get wires into them! (The “open” side of the terminals go towards the edge of the board, in case you were wondering!)

At this point, check your assembly for any solder bridges, dry joints or missed joints.

You might also now solder in the three wires – two connect 12V power while the third is the antenna. Make the power leads the necessary length to reach your supply.

When the antenna wire is soldered in, measure exactly 170mm from the PC board and cut the wire to this


length. This makes it resonant at 433MHz.

You should not have any bare wire(s) emerging from the end of the antenna – this could short onto something nasty and do you/it/something else some damage! If necessary, wrap a little insulation tape around the end of the antenna wire – just in case!

Plug the two ICs into their sockets, again watching the polarity. The notches should line up with the notches in the sockets (assuming you got the sockets right!)

OK, we’re almost there. Place the receiver module in its appropriate holes along the edge of the PC board. It will only go one way (incidentally, take care not to move the coil or touch the trimmer capacitor).

Solder each of the module pins into position (there are 13 of them – don’t forget the two by themselves) and your receiver is finished.

Fig.2 (above): the component overlay of the receiver module with the full-size photograph at right. Just to confuse you, we’ve shown the board turned 180° compared to the diagram above!

Power supply

The receiver unit is designed for 12V battery operation and power requirements are pretty modest. At rest, (ie, no relays operating), it draws only 6mA and even with all relays actuated, the current is just a smidgeon under 150mA.

Therefore, most alarm-type batteries (eg, SLAs) will be more than adequate.

We had it operating for a couple of weeks on a 7Ah 12V gel cell, periodically pressing the remote control just for the hell of it, without recharging the battery. In fact, at the end of this time the battery voltage changed only a few tens of millivolts – probably not much more than you would expect during shelf life.

Therefore, just about any 12V battery would be acceptable, even a couple of 6V lantern batteries in series or even 10 C or D-size Nicads.

Of course, you could also use just about any garden-variety 12V or 13.8V DC (nominal) plug-pack supply.

The relays won’t worry about a few extra volts and the circuit has the on-board 5V regulator to ensure the electronics get the right voltage. Any DC plugpack over about 200mA capacity should be fine.

Learning and testing

Looking at the board with the outputs/relays on the left side, move all header pins to the right side (latching).

Apply power and you should see absolutely nothing happen. So far, so good.

Now press the “learn” button once, then within 15 seconds press button one on the keyring transmitter for a second or so. Button one is the one all by itself on one side of the transmitter.

The receiver then learns the encryption from the keyring transmitter – and remembers it.

Now all four buttons on your transmitter should alternately close and open the appropriate relay and light/switch off its associated LED.

Change the four jumpers over to the opposite way and all four buttons should now pull in a relay and light a LED while ever they are pressed – and release it/dim it when let go.

And that’s just about it. Now all you have to do is select the jumpers the way you want them and connect the external devices you wish to control.

Note that each relay has a normally open and normally closed connection as well as common, so you have a lot of flexibility at your disposal.

Want even more security?

We mentioned before the one major drawback with any remotely controlled security application, whether that
be for a car, a building or anything else: what happens if someone pinches your remote control?

It is possible to protect yourself against the casual button pusher on a stolen control – at least to some degree.

Having four channels at your disposal, in this remote control system, gives you the possibility of increasing security rather significantly, simply by using a combination of keys on your remote.

It is “normal” to use one button to achieve a certain function. But what if you used two buttons? It’s possible because when you press the second button, even while holding down the first, the second button’s code is sent.

So if you made one button a “momentary” and linked another button’s relay contacts through the first button’s relay contacts, you have the situation where pressing single buttons (as most people would do) wouldn’t achieve a thing.

Only you know which two buttons (or even three buttons) have to be pressed to achieve a certain function. Fig.3 shows what we mean – the exact combination of buttons is entirely up to you!

Fig.3a (left): conventional device control with one relay. Adding a second relay in series (fig 3b, right) increases security against the casual button pusher. Both buttons must be pressed at the same time for the device to actuate.

Parts List – 4-Channel Code-Hopping Remote Control

1 TX-4312RSA 4-channel keyring rolling code transmitter assembly
1 RX3302D A1.5 433MHz rolling code receiver module
1 PC board, coded K180, 86 x 78mm
4 miniature relays, SPDT, PCB mounting, 12V coils (Millionspot H5000xx)
1 ultramini pushbutton switch, PC mounting, N-O contacts
6 interlocking 2-way terminal blocks, PC mounting
2 14-pin DIL IC sockets (optional)
4 3-way header pin sets, PC mounting
Red & black insulated hookup wire for power connection
1 200mm length insulated hookup wire for antenna (see text)

Semiconductors
2 4013 dual “D” flipflops (IC1, IC2)
4 NPN general purpose transistors (C8050 or similar) (Q1-Q4)
1 7805 3-terminal regulator (REG1)
4 1A power diodes, 1N4004 or similar (D1-D4)
4 red LEDS, 5mm (LED1-LED4)
1 green LED, 5mm (LED 5)

Capacitors
2 100µF, 16VW PC mounting electrolytics
7 0.1µF polyester or ceramic (monolithic 5mm)

Resistors
4 10MΩ
1 1MΩ
4 4.7kΩ
4 2.2kΩ
1 1kΩ

Wheredyageddit?

This project and the PC board are copyright © 2002 Oatley Electronics.

Oatley have made separate kits available for both the transmitter and receiver, due to the fact that you might want more than one of each (as explained in the text).

Rolling Code Transmitter Kit: Complete with pre-assembled transmitter module PC board, battery contacts, battery, clamshell case and keyring clip: (TX4) $25.00.

Rolling Code Receiver Kit: Has the 433MHz receiver module, PC board and all on-board components as described in this article: (K180) $54.00.

Oatley Electronics can be contacted by: Phone (02) 9584 3563; Fax (02) 9584 3561; Mail (PO Box 89. Oatley NSW 2223); Email (sales@oatleyelectronics.com); Or via their website: www.oatleyelectronics.com

A close-up look at the receiver module soldered into the main PC board. Do this last, as explained in the text.

What is “Code Hopping” or “Rolling Code”

These two names usually refer to the same thing – in a nutshell, a security system for a security system.

It’s a way of preventing unauthorised access to a digital code which might be transmitted via a short-range radio link to do something: open a garage door, lock or unlock a car and perhaps turn its own security system on and off – and much more.

But before we look at these terms, though, let’s go back in time to the days before code hopping and rolling code.

Short-range radio-operated control devices have been around for a couple of decades or so (at least, in any volume). The earliest ones that I remember simply used a burst of RF, at a particular frequency, with an appropriate receiver.

It’s not hard to see the shortcomings of such devices. Simply sweeping the likely band(s) with an RF generator attached to an antenna would more often than not achieve the desired result (desired for the intruder, that is).

It didn’t take long for crooks to latch on to this one (do you like that metaphor?). So manufacturers decided to make it a bit harder for them by modulating the RF at a frequency (or indeed multiple frequencies in some cases) “known” to the receiver.

Some used the standard DTMF tones generated by phone keypads because they were very cheap and made in the millions.

“Oh, gee,” said the crooks. “Now we’ll have to use an RF oscillator with a modulator. Or maybe even a DTMF keypad!” Duh! (Still, it probably seemed like a good idea at the time. . .)

Ever one step ahead, the manufacturers went with this (then) new-fangled digital stuff and made each transmitter send a particular code which was matched to the receiver. This was usually done by way of DIP switches in both transmitter and receiver.

With eight DIP switches (probably the most common because 8-way DIP switches were common!), you would have 2^8 or 256 codes available. So you and your next-door neighbour could have the same type of garage door opener on the same frequency and the odds would be pretty good that their door would stay down when you pressed your button.

The problem with this, though, is that the transmitter spurted out exactly the same code every time (unless, of course, both sets of DIP switches were changed). Enter the crooks again.

With a suitable receiver, called a “code grabber”, if they got within a few tens of metres of you they could scan for the RF signal and record your code without you knowing anything about it (for example, as you left your car in a carpark and pressed the button on your remote to lock the doors and turn on the alarm).

Once you’d gone, they simply “played it back” using the same code grabber. Presto, one missing car. Or one house burgled, etc etc.

Even without a code grabber, a smart intruder with the right equipment using digital techniques and trying eight combinations per second, could crack the code in no more than 32 seconds – and probably much quicker.

It’s hard to believe the gall of some organisations openly flogging such devices, euphemistically disguising them (justifying them?) with names such as vehicle lockout recovery systems or disabled vehicle recovery systems. Then again, lock picks are sold for professional locksmiths, aren’t they?

Now we move on a little. Microchip, the same people who brought you those ubiquitous PICs, invented a system called KEELOQ – better known to you and me as a rolling code.

What this does is simply present a different code every time the transmitter button is pressed. Of course, that’s the easy part. The really clever part is that the receiver “learns” the algorithm which controls the code so it knows what code to expect. Once learnt, the receiver is effectively “locked” to that transmitter.

Actually, it’s even cleverer than that, because the transmitted code is, for all intents and purposes, random (as far as any external device is concerned). But the receiver can still work out what the code is going to be in advance. If it gets the right code, it actuates. If not – you’re out in the cold, baby!

The chances of the same code being transmitted twice in a person’s lifetime is possible – but remote (at four transmissions per day, every day, it’s reckoned to be about 44 years!)

Heart of this system is a Microchip proprietary IC, the HC301. It combines a 32-bit hopping code generated by a nonlinear encryption algorithm with a 28-bit serial number and six information bits to create a 66-bit code word. The code word length eliminates the threat of code scanning and the code-hopping mechanism makes each transmission unique, rendering code capture and resend techniques useless.

Even if it didn’t code-hop, 66 bits allows 7.3 x 10^19 combinations, which according to Microchip would only take 230,000,000,000 years to scan!

The chip itself is also protected against intrusion. Several important data are stored in an EEPROM array which is not accessible via any external connection. These include the crypt key, a unique and secret 64-bit number used to encrypt and decrypt data, the serial number and the configuration data.

The EEPROM data is programmable but read-protected. It can be verified only after an automatic erase and programming operation, protecting against attempts to gain access to keys or to manipulate synchronisation values.

If the code is changed every time a button is pressed on the transmitter, what happens if, say a child starts playing with the remote control and continually presses buttons away from the receiver? OK, here’s where it gets really clever (and you thought it was clever enough already, didn’t you?).

If the button is pressed say 10 times while out of range of the receiver, no problem. But if it is pressed more than 16 times, synchronisation between the two is lost. However, it only takes two presses of a button in range to restore sync. No, we don’t know how either. That’s Microchip’s secret!

And speaking of button presses, there are a couple of other clever things they’ve done. At most, a complete code will take 100ms to send (it could be as low as 25ms). But if you manage to hit the button and release it before 100ms (difficult, but possible), it will keep sending that complete code. If you hold down the button, it will keep sending that same code. And if you press another button while the first is held down, it will abort the first and send the second.

As you can see, KEELOQ is a very robust system. Sure, it’s not absolutely foolproof – nothing is (eg, there’s not much protection if they simply steal your transmitter!). But for most users, it gives almost total peace-of-mind. That’s why the system has been adopted by so many vehicle entry/exit and alarm system manufacturers, access controllers and so on.

And that’s the system that’s used in the remote control unit presented here.
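The behaviour the rolling-code sidebar describes (a new code on every press, a played-back code refused, about 16 out-of-range presses tolerated, two in-range presses to regain sync) can be modelled with a press counter inside a keyed code. This is an added illustration, not code from the article or from Microchip: the HMAC stand-in for the chip's cipher, the 16-bit counter, the 1024-code resync limit, handing the key over in learn() and all class and function names are assumptions.

```python
import hashlib
import hmac

SINGLE_WINDOW = 16     # article: more than 16 out-of-range presses loses sync
RESYNC_WINDOW = 1024   # assumption: how far ahead a two-press resync is honoured
COUNTER_MOD = 1 << 16  # assumption: the press counter is 16 bits wide


def hop_code(key: bytes, serial: int, counter: int, button: int) -> bytes:
    """Stand-in for the chip's cipher: a 32-bit keyed code that changes
    with every press. HMAC-SHA256 is used here only for illustration."""
    msg = serial.to_bytes(4, "big") + counter.to_bytes(2, "big") + bytes([button])
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class Transmitter:
    def __init__(self, serial: int, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self, button: int):
        """Advance the counter and return the frame that goes on air."""
        self.counter = (self.counter + 1) % COUNTER_MOD
        return self.serial, button, hop_code(self.key, self.serial, self.counter, button)


class Receiver:
    def __init__(self):
        self.learned = {}  # serial -> [key, last accepted counter]
        self.pending = {}  # serial -> counter seen once beyond the window

    def learn(self, serial: int, key: bytes, counter: int):
        # Assumption: key and counter are simply handed over at learn time.
        self.learned[serial] = [key, counter]

    def receive(self, serial: int, button: int, code: bytes) -> str:
        if serial not in self.learned:
            return "unknown transmitter"
        key, last = self.learned[serial]
        # Only counters ahead of the last accepted one are candidates, so a
        # recorded frame that was already used can never match again.
        for ahead in range(1, RESYNC_WINDOW + 1):
            counter = (last + ahead) % COUNTER_MOD
            if hmac.compare_digest(code, hop_code(key, serial, counter, button)):
                break
        else:
            self.pending.pop(serial, None)
            return "rejected"
        if ahead > SINGLE_WINDOW:
            # Too far ahead: act only on the second of two consecutive codes.
            if self.pending.get(serial) != (counter - 1) % COUNTER_MOD:
                self.pending[serial] = counter
                return "resync pending"
        self.pending.pop(serial, None)
        self.learned[serial][1] = counter
        return "resynced" if ahead > SINGLE_WINDOW else "accepted"


def demo():
    key = bytes.fromhex("0123456789abcdef")   # constructed 64-bit key
    tx = Transmitter(0x0ABCDEF, key)          # constructed 28-bit serial
    rx = Receiver()
    rx.learn(tx.serial, key, tx.counter)
    results = []
    frame = tx.press(1)
    results.append(rx.receive(*frame))        # fresh code
    results.append(rx.receive(*frame))        # same frame played back
    for _ in range(10):                       # pressed out of range
        tx.press(1)
    results.append(rx.receive(*tx.press(1)))  # 11 ahead: inside the window
    for _ in range(20):                       # pressed out of range again
        tx.press(2)
    results.append(rx.receive(*tx.press(2)))  # 21 ahead: first in-range press
    results.append(rx.receive(*tx.press(2)))  # second consecutive press
    return results


if __name__ == "__main__":
    print(demo())
```

The receiver never actuates on the first frame seen beyond the 16-code window, so one far-ahead frame repeated twice stays at "resync pending".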
