Noureddine RAMDI / Hierarchical brute force for gate remotes with Flipper Zero .sub files

Created Tue, 05 May 2026 13:37:39 +0000 Modified Sat, 23 May 2026 20:41:27 +0000

Hong5489/flipperzero-gate-bruteforce

Brute forcing gate remotes is usually a tedious, time-consuming task. This project tackles that challenge head-on by combining RF protocol reverse engineering with a clever hierarchical brute force strategy. Instead of blindly cycling through thousands of remote codes, it uses structured subsets to zero in on the correct code much faster.

What the flipperzero-gate-bruteforce project does

This tool is a Python-based generator of Flipper Zero .sub files specifically designed to brute force gate remotes using three sub-GHz RF protocols: UNILARM, SMC5326, and PT2260. These protocols each encode 16-bit DIP switch combinations, followed by 8 or 9 bits of instructions, using distinct pulse timing patterns for binary 0 and 1 values.

The project reverse engineers these protocols and encodes all possible DIP switch states—6561 total combinations, since each of the 8 DIP switches can be in one of three states (3^8 = 6561). It generates corresponding .sub files organized in a hierarchical folder structure that supports a binary-search-style approach.

Instead of sending all 6561 codes sequentially, the user tests progressively smaller subsets of codes. This approach narrows down the correct combination by dividing the search space repeatedly, reducing brute force time from hours to potentially minutes.

The tool documents the pulse timings clearly for each protocol:

  • UNILARM: 150μs high and 650μs low represent 0; 550μs high and 250μs low represent 1
  • SMC5326: 300μs high and 900μs low represent 0; 900μs high and 300μs low represent 1
  • PT2260: 300μs high and 850μs low represent 0; 850μs high and 300μs low represent 1

This level of detail is crucial for generating accurate sub-GHz signals compatible with the targeted gate remotes.
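Seen from the receiving side, the same timing list is enough to recognise a code sweep. The following is an added example, not code from the flipperzero-gate-bruteforce repository: it decodes the 16-bit address field from measured pulse pairs and flags a burst of different addresses. The 25% tolerance, the 10-second window, the threshold of three, the function names and the sample frames are all assumptions made for illustration.

```python
from collections import deque

# (high_us, low_us) for bit 0 and bit 1, copied from the timing list above.
TIMINGS = {
    "UNILARM": ((150, 650), (550, 250)),
    "SMC5326": ((300, 900), (900, 300)),
    "PT2260": ((300, 850), (850, 300)),
}
ADDRESS_BITS = 16  # the DIP switch field that leads every frame

def decode_address(pulses, protocol, tolerance=0.25):
    """Decode the address bits from measured (high_us, low_us) pairs.
    Returns None for a short frame or a pulse that fits neither symbol.
    The 25% tolerance is an assumption, not a value from the project."""
    if len(pulses) < ADDRESS_BITS:
        return None
    bits = ""
    for high, low in pulses[:ADDRESS_BITS]:
        for value, (hi, lo) in zip("01", TIMINGS[protocol]):
            if abs(high - hi) <= hi * tolerance and abs(low - lo) <= lo * tolerance:
                bits += value
                break
        else:
            return None
    return bits

def sweep_alerts(frames, protocol, window_s=10.0, max_distinct=3):
    """Timestamps at which more than max_distinct different addresses were
    seen within window_s seconds. Both thresholds are assumptions."""
    recent, alerts = deque(), []
    for ts, pulses in frames:
        address = decode_address(pulses, protocol)
        if address is None:
            continue
        recent.append((ts, address))
        while ts - recent[0][0] > window_s:
            recent.popleft()
        if len({a for _, a in recent}) > max_distinct:
            alerts.append(ts)
    return alerts

def constructed_frame(bits, protocol, drift_us=20):
    """Constructed sample input: timings a receiver might measure, with drift."""
    zero, one = TIMINGS[protocol]
    return [(h + drift_us, l - drift_us) for h, l in (one if b == "1" else zero for b in bits)]

# Constructed traffic: one code sent five times, then six different codes in 2.5 s.
NORMAL = [(t, constructed_frame("0011110000111100" + "0" * 8, "UNILARM")) for t in (0, 5, 12, 20, 31)]
SWEEP = [(i * 0.5, constructed_frame(format(i, "016b") + "0" * 8, "UNILARM")) for i in range(6)]
```

SMC5326 and PT2260 differ by only 50μs on the long pulse, so timing alone does not tell them apart; the protocol is passed in rather than guessed.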

Why the hierarchical brute force approach matters

The standout technical strength of this project is its hierarchical folder structure, which implements a binary-search-style narrowing over the DIP switch combinations. Instead of sequentially trying all 6561 codes, the codes are grouped into folders representing subsets of the search space, each level one third the size of the one before:

6561 → 2187 → 729 → 243 → 81 → 27 → 9 → 3 → 1

Each folder contains .sub files corresponding to a subset of DIP switch codes. By testing one subset at a time and observing whether the gate responds, users can eliminate large portions of the search space with each test.

This hierarchy exploits the ternary nature of the DIP switches (three states per switch) by effectively applying a divide-and-conquer strategy. It’s a tradeoff between the upfront effort of generating and organizing thousands of files and the overall time saved during brute forcing.

The code quality appears pragmatic and focused: the Python scripts generate .sub files with precise timings and encoding rules. The repo is well-documented regarding the RF protocols and the brute force methodology, which is essential given the complexity of signal timing and protocol-specific encodings.

A limitation is that this approach is protocol-specific. It only supports the three protocols (UNILARM, SMC5326, PT2260), so gate remotes using other or proprietary protocols are not covered. Users need a Flipper Zero device to use these .sub files to emit the corresponding signals.

Explore the project

The repo’s README provides detailed descriptions of the RF protocols, DIP switch encoding, and the hierarchical folder structure. While there isn’t a direct installation or quick start section with commands, the project is mainly a generator script that produces .sub files for use with Flipper Zero.

To get started, you would clone the repo, review the Python scripts that generate the .sub files, and then load the generated files onto your Flipper Zero device for testing.

The folder structure is hierarchical, so exploring these folders helps you understand how the subsets are organized. Each folder corresponds to a level in the search hierarchy, with deeper levels holding smaller subsets and therefore more refined guesses.

The README’s pulse timing tables and encoding explanations are a good reference when modifying or extending the tool for other protocols or different DIP switch configurations.

Verdict

This project is a solid example of practical RF protocol reverse engineering combined with a smart brute force optimization strategy. It’s most relevant for security researchers, RF enthusiasts, and anyone working with Flipper Zero to audit or test gate remote security.

The hierarchical brute force approach reduces brute force time dramatically, which is a real-world improvement over naive sequential brute forcing. However, it’s limited to the supported protocols and requires familiarity with using Flipper Zero and handling sub-GHz signals.

If you are comfortable with Python and RF signal concepts and want to experiment with systematic brute forcing of gate remotes, this repo offers a well-documented, focused toolset. It’s worth understanding even if you don’t adopt it wholesale, as the hierarchical search pattern can inspire similar optimizations in other brute force contexts.


→ GitHub Repo: Hong5489/flipperzero-gate-bruteforce ⭐ 654 · Python