Everything About Hopping Remote Controls

Brief Introduction to Hopping Remotes

Security has always been an important and noteworthy issue in all eras, and humanity has always sought greater security by creating various inventions and innovations. With the widespread adoption of the internet and the free flow of information, security has become even more important and has turned into a sensitive and vital issue.

Imagine if Telegram had a fundamental bug and hackers could access the information of millions of Telegram users—what a disaster that would be—or if hackers could take control of a country’s power plants, that would result in a national and human catastrophe (of course, it’s clear that we mean black-hat hackers by “hackers”).

In this article, we will examine the security of various types of remote controls. So stay with Eicut.

When it comes to installing a remote control for the entrance gate of a home or shop, everyone recommends hopping remotes and argues that these remotes have higher security compared to “fixed code” and “learning code” remotes. As a quick reminder of how learning code and fixed code remotes work: learning code remotes have a unique 20-bit code that distinguishes each remote from the others, while in fixed code remotes you create your desired code yourself by setting 8 base pins.

  • But how do hopping remotes work to provide higher security?
  • Do hopping remotes really have higher security?
  • Why does this type of remote have higher security?
  • How does their mechanism work to provide more security?

In this article, we will answer these questions.

How to Hack Learning Code Remotes or Door Openers

Both learning code and fixed code remotes have a unique identifier that distinguishes your remote from other remotes. This unique identifier in fixed code remotes (PT2262) can be changed by altering the pin states (see image below). This issue has caused this type of remote to be categorized as having lower security, even compared to learning code remotes.

Fixed-code remote control IC (PT2262)

Suppose you are using this type of remote for your car’s alarm system. If a thief can figure out the pin connections (there are various ways to do this, which we won’t go into in detail), then by purchasing a remote of the same model and setting the relevant pins to match your remote, they can easily and effortlessly control your car’s alarm.

Let’s assume they don’t even know the pin connections! The PT2262 IC used in these remotes uses 8 pins for addressing; since each address pin has three possible states (connected to positive, connected to negative, or left unconnected), this gives approximately 6,500 different combinations. If we build a device that steps through the different combinations and each one lasts 3 seconds, it can easily find the desired remote code in just 5 hours.

In the old days when all car alarms used this type of remote, such a device was built and set off the alarms of all cars in a university parking lot! In the past, this type of remote was used for building and shop doors, but fortunately, it is no longer used.

Regarding learning code remotes, the situation is somewhat different. The unique code is placed in the remote’s IC by the manufacturer, and the user cannot change it. This small change alone significantly increases security; because people cannot modify the remote’s circuit to make it like other remotes. Additionally, the mentioned code is 20 bits, which can create 1,048,576 different states.

Data frame structure and signal waveform of learning code remotes

However, the way to hack them is still not blocked. Hackers can simulate the remote’s transmission protocol, and if they want to use the above scenario (brute force) to hack the remote, it would take approximately 36 days to reach the desired code by testing different codes. This is probably the worst-case scenario, but it is still possible. On the other hand, a hacker can intercept the signal sent by your remote, decode it, and obtain the correct code! This method is not very time-consuming and only requires the hacker to be in the right place at the right time. This remote also does not have high security, and unfortunately, a large portion of home door remotes use this type.

Hacking always requires creativity. Finding a method that the manufacturer hasn’t anticipated and bypassing the system with it requires not only sufficient knowledge about how the system works but also creativity. A real hacker is a creative person, and when it comes to security, you can never speak with certainty. Fortunately, most people who call themselves hackers are not real hackers: they use software and tools created by others and follow paths discovered by real hackers to penetrate various systems, and then call themselves hackers. These explanations are given to make one point: certainly nobody becomes a hacker from this brief overview, and nobody who was not already a hacker will be able to break your control systems with it.

Hopping Remotes

The question that arises is: what capability do hopping remotes have that provides more security in their protocol?

Before taking any action, to ensure our examinations are based on reality, we purchased several hopping remotes from the market. We disassembled two of them and examined their chipsets and circuits:

Disassembled rolling code (hopping) remote controls

The chip used in both remote models was HCS301, which is produced by Microchip. The mentioned IC has an internal EEPROM (we will explain its application later) that can be programmed by the user. One of the remotes has a suitable port for programming (see image below), while the other unfortunately lacks such a port—I truly hope that the chip was programmed before use.

Close-up of hopping remote PCB
Close-up of hopping remote PCB highlighting the remote’s programming port

Security in Hopping Remotes

Rolling code (or, as it’s known in the market, hopping code) uses an algorithm that is resistant to replay attacks. The attacks described in the previous cases were exactly of this kind: we tried to obtain the correct code either by interception or by brute force, and then reuse it. This type of remote is resistant to these attacks. But how?

The HCS301 chipset is a KeeLoq encoder that has the capability to encode transmitted data using the KeeLoq protocol.

KeeLoq encryption block diagram used in HCS301 rolling code remotes

The KeeLoq encryption system uses a 64-bit key for data encryption. In fact, programming the IC is for setting this very key. The user can set their desired key for the data sent by the remote, in such a way that only the intended receiver that has the key can decode the data received from the remote. But how does this encryption help increase security? To clarify, look at the image below:

KeeLoq rolling code transmission structure

As you can see in the image, the codes sent from the remote have three separate sections:

  1. Initial section which, according to the datasheet, is 6 bits containing 4 bits for the status of pressed keys and 2 bits for the remote’s status (like low battery).
  2. Next 28 bits are the remote’s serial number. These sections are not encrypted and can be easily simulated.
  3. Next 32 bits contain encrypted information. These 32 bits create a significant difference in the security of this type of remote. Encryption is done using the 64 bits of data stored in the EEPROM.

KeeLoq HCS301 66-bit transmission frame

As shown in the image above, the encrypted data contains a 16-bit counter, 10 discrimination (DISC) bits (which themselves include other bits) and 4 bits for the status of the remote’s keys. But how do these data contribute to security?

Perhaps the most important part is the existence of the counter in the data sent from the remote. The counter increments by one each time a key is pressed. If the encryption key is set, any receiver that does not hold that key cannot decrypt the encrypted section and cannot extract its data. To make this clearer, let’s revisit the previous learning code remote example using this type of remote:

Suppose a hacker with the appropriate device is intercepting the signals sent from your remote, and let’s assume your remote’s counter value is 10. The data sent is received by the receiver and the alarm is deactivated. When getting out of the car, you press the remote key to activate the alarm, the counter becomes 11, the code is sent, and the alarm activates. The hacker tries to deactivate the car alarm by replaying the first code. If your car used learning code or fixed code remote technology, the alarm would deactivate, but with hopping remotes this doesn’t happen. The receiver receives the hacker’s signal, decodes the encrypted part, and extracts the counter value from it. Yes, the value is 10.

The last code received was 11, so it identifies 10 as invalid and ignores it. For the hacker to deactivate the alarm, they must send a code with a counter value of 12, but this is impossible because they don’t have the encryption key and cannot generate the data.

This is how this type of remote has greater resistance against hacking, but remember: nothing is impossible, not even the impossible!

⚠️ Serious Warning

Unfortunately, it has been observed that some manufacturers sell hopping remote controls without setting the encryption key, which makes them easily hackable despite the advanced technology and provides no security for you.
Buying a state-of-the-art safe to protect documents is not enough. You must also lock the safe door for it to be effective!
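As an added, runnable illustration of the counter logic in the car-alarm story above and of the unset-key warning (this is an example written for this article, not the article’s own code nor Microchip’s): a Python simulation using the public KeeLoq algorithm, the 66-bit frame as the article lists it, and a receiver with a forward counter window. The key, serial number, window size of 16 and the placement of the counter, DISC and button fields inside the 32 encrypted bits are constructed assumptions for the simulation.

```python
NLF = 0x3A5C742E  # KeeLoq non-linear function table (public algorithm constant)

def _bit(x, n): return (x >> n) & 1

def keeloq_encrypt(block, key):
    """KeeLoq: 528 NLFSR rounds over a 32-bit block under a 64-bit key (transmitter side)."""
    x = block & 0xFFFFFFFF
    for r in range(528):
        idx = _bit(x, 1) | _bit(x, 9) << 1 | _bit(x, 20) << 2 | _bit(x, 26) << 3 | _bit(x, 31) << 4
        fb = _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63) ^ _bit(NLF, idx)
        x = (x >> 1) | (fb << 31)
    return x

def keeloq_decrypt(block, key):
    """Inverse of keeloq_encrypt; the receiver runs this on the 32 encrypted bits."""
    x = block & 0xFFFFFFFF
    for r in range(528):
        idx = _bit(x, 0) | _bit(x, 8) << 1 | _bit(x, 19) << 2 | _bit(x, 25) << 3 | _bit(x, 30) << 4
        fb = _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63) ^ _bit(NLF, idx)
        x = ((x << 1) & 0xFFFFFFFF) | fb
    return x

def build_frame(key, serial, counter, buttons):
    """66-bit frame: 32 encrypted bits | 28-bit serial | 4 button bits + 2 status bits (status 0)."""
    plain = (buttons << 28) | ((serial & 0x3FF) << 16) | (counter & 0xFFFF)  # assumed layout
    return (buttons << 62) | (serial << 32) | keeloq_encrypt(plain, key)

class Receiver:
    def __init__(self, key, serial, last_counter, window=16):
        self.key, self.serial, self.last, self.window = key, serial, last_counter, window

    def receive(self, frame):
        hop, serial, buttons = frame & 0xFFFFFFFF, (frame >> 32) & 0xFFFFFFF, (frame >> 62) & 0xF
        if serial != self.serial:
            return "reject: unknown serial"
        plain = keeloq_decrypt(hop, self.key)
        # A wrong key or a forged block decrypts to garbage, so DISC/button bits fail to match.
        if ((plain >> 16) & 0x3FF) != (serial & 0x3FF) or (plain >> 28) != buttons:
            return "reject: decrypt check failed"
        delta = ((plain & 0xFFFF) - self.last) & 0xFFFF  # modular distance from last counter
        if not 0 < delta <= self.window:
            return "reject: counter not ahead of last"  # replayed or stale code
        self.last = plain & 0xFFFF
        return "accept"

def replay_scenario(key=0x5CEC6701C3C4A2F1, serial=0x1ABCDEF):  # constructed key and serial
    # Keyed receiver: 10 and 11 accepted, replayed 10 rejected, frame forged with key 0 rejected.
    rx, rx_unkeyed = Receiver(key, serial, 9), Receiver(0, serial, 11)  # second one left unkeyed
    f10, f11 = build_frame(key, serial, 10, 0b0001), build_frame(key, serial, 11, 0b0010)
    forged = build_frame(0, serial, 12, 0b0001)  # built with the unset default key only
    return [rx.receive(f10), rx.receive(f11), rx.receive(f10), rx.receive(forged), rx_unkeyed.receive(forged)]
```

The last element shows the point of the warning: the receiver whose key was left at zero accepts the very frame the keyed receiver rejects.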

FAQ – Everything About Hopping Remote Controls

What are “Hopping” or “Rolling Code” remotes?

Remotes that change their transmitted code every single press using a synchronized counter and strong encryption (usually KeeLoq). The receiver only accepts codes that are within a small future “window” of the expected counter value.

Why are fixed-code and learning-code remotes insecure?

• Fixed code: Only ~6,500 combinations — brute-forceable in hours
• Learning code: Up to 1 million combinations, but the code is static → vulnerable to replay attacks (record & replay) and brute-force (worst case ~36 days)

How does a rolling code prevent replay attacks?

Every transmission contains a 16-bit rolling counter encrypted with a 64-bit secret key. The receiver keeps track of the last valid counter and only accepts codes that are higher (within a small forward window, usually 256–65536). Old or repeated codes are instantly rejected.

Which chip is most commonly used in hopping remotes?

Microchip HCS301 (and HCS200/201/362) — implements the proprietary KeeLoq block cipher with 66-bit transmission, 32-bit encrypted hopping code, and manufacturer-specific keys.

Can hopping remotes be cloned or hacked?

Only if:
• The manufacturer left the encryption key at default (0x00000000) — very common in cheap clones!
• The attacker knows the secret key (via supply-chain attack or reverse engineering)
Otherwise, replay, brute-force, and simple sniffing attacks fail.

Are all “hopping” remotes sold in the market actually secure?

No! Many cheap manufacturers ship HCS301-based remotes with the encryption key set to zero or default. In this case, the counter is transmitted in clear text — making them just as vulnerable as learning-code remotes. Always verify that the key is programmed!

Is KeeLoq still considered secure in 2025?

Classic KeeLoq has known cryptographic weaknesses (attacks exist since 2007–2008), but when the manufacturer key is truly random and kept secret, practical attacks require physical access or massive precomputation. For residential gates and garages, it is still good enough against casual thieves.

What should I look for when buying a hopping remote?

• Uses HCS3xx family with properly programmed manufacturer key
• Receiver supports synchronization window and resynchronization procedure
• Avoid generic clones with default key (0x00000000)
