Reverse engineering wired garage door signal (chamberlain / liftmaster)

I (and many others) want to gain local control over my Security+ 2.0 liftmaster garage door openers.

If I succeed, I want to expand it into a community accessible project. My idea is to use an ESP8266 and a custom pcb that will plug directly into the wire ports on the opener and be able to send the door trigger, light trigger and read the door status and obstruction detection sensors. The PCB would provide dry contacts for those that want it, and ESP sketch would implement MQTT, but be open for other APIs.

So on to the problem at hand: The wired button has a two wire interface and pulls the power to ground to send signals back to the opener. I have analyzed the signal and believe it is using a rolling code since the message is similar, but different each time the button is pressed.

secplus is a software implementation of the Security+ 2.0 rolling code algorithm used by the wireless buttons. I was hoping that the wired button used the same algorithm, but the data being sent between the button and the opener is obfuscated, as I cannot find a rolling code pattern embedded. (if there is any interest, I can elaborate)

I have an idea of how to proceed, but I need assistance from someone who has experience with the STM8 family of microcontrollers.

If anyone here thinks they can assist, please reach out.

EDIT: Solution Here

2 Likes

I’m interested in your results (but not familiar with the STM8 microcontrollers. sorry)
Currently, I’m using a dry contact “solution” that’s wired to the main button of my Security+ 2.0 (Chamberlain) opener. It works, but it’s not the most elegant thing.

1 Like

here is some raw message data.

Paste into your favorite spreadsheet

https://pastebin.com/raw/G8gtBF6X

Interesting.

Just a thought, if you (or anyone in any other community) manage to crack the code, then I am pretty sure that Chamberlain / Liftmaster would have to be scrambling to roll out some “Security+ 3.0” devices, and at the same time figure out some way to patch all the Security+ 2.0 garage door openers / buttons / panels / remotes.

I made some more progress. I can debug the chip that controls the opener button and have also extracted the firmware.

Anyone here good with assembler?

1 Like

How does this work? Did you take apart the wireless opener or the one on the wall?

Not trying to answer for Russel, but what you mentioned are both viable solutions.

You can hack your wireless visor remote:

(ref)

(ref)

= = = =

You can also hack your wall button and get rid of the hassle of battery replacement:
(ref)

And I have found a couple of people selling the hacked Security+ 2.0 button:
link 1, link 2, link 3

No affiliation to anything here in this post.

That’s a good answer and exactly the one I would have given.
I’ve used the remote hack mostly for mine because remotes cost less than wall switches if you mess up.
As noted, the problem is replacing the battery from time to time.
Meross will actually send you a prewired remote if you say you have one of those Security 2.0 openers. (You do have to tell them what color the learn button is because they use different remotes.)
Just as an aside, I’ve seen Security 2.0 on Craftsman (from the now-defunct Sears) and on Liftmaster and Chamberlain. (Actually, Liftmaster and Chamberlain are the same company. LiftMaster is the contractor brand and Chamberlain is the retail brand.)

Hi Paul,

I may be able to help with this. I think we would all love to get away from the remote hacks. Would love to discuss.

Another benefit would be the ability to issue an explicit close command. As far as I can determine, the remotes have only one button, which opens when it’s closed, and vice versa.

I would like to have separate buttons for open and close, which only initiate an action if needed (to avoid opening the door by mistake, or vice versa).

I think the MyQ app has separate buttons. It would be great to access this functionality.

I’m curious the utility of this. Why not simply get one of the MyQ WiFi bridges? They aren’t very expensive, and work very, very well.

Reliability and local control! I got an OpenGarage setup because MyQ had some outages and having to go through the cloud slowed it down. With OpenGarage it is quite reliable, but there are some things that MyQ could tell me that OpenGarage can’t (can’t think of them right now, however).

I am confused why everyone here appears to think that “if it is wifi it requires cloud control”.

That is false. The MyQ wifi openers are most assuredly local-control.

Sorry, my mistake. The MyQ connector I have is cloud based.

Ahh, you must have the cheaper one (I had that one first as well - the latency drove me mad)? That one, I think is cloud only. There’s another one that’s like $79 that is HomeKit Compatible. HA autodiscovers it, and then it’s local control.

Easy to see the difference if you open/close the door with the app on your phone, vs issue an open/close command from HA. The difference in latency is quite obvious.

Edit: This one:

Thanks for the link! Now I remember what the MyQ got me and that was the light blinked before it was closing. I hate to spend the money on this when I already bought the OpenGarage.

Ah, yes. And it also beeps incessantly. I sure would like to make it not do that. LOL

Funny, my opener never beeped, just flashed. I went ahead and ordered one of those and will give it a try (found it on eBay for slightly cheaper). I’ll them make sure I block the device from connecting to the Internet.

The beeper could possibly be model-dependent? Could also be a previous owner already disconnected it? I just haven’t climbed up there to find the source yet, but it sure is annoying.

Could be model dependent. I had it installed and I definitely didn’t disconnect it. Mine is about 8 years old.