HCS301 Rolling Code Remote Control on Oscilloscope

Have you ever wondered what data is actually transmitted when you click your garage or gate opener remote? Why does your door open or close while your neighbour's doesn't? In this post we will get a rough idea of what the HCS301 rolling code chip's data looks like, with the help of an oscilloscope.

 

The photo above was taken on Aug 2nd 2013 and shows the complete waveform generated by an SR-M1 remote control, which uses Microchip HCS301 technology. The oscilloscope has been set to 5ms per grid division; there are 18 divisions on the X axis, so the whole screen spans 90ms. The Y axis is measured in mV, a unit of voltage. The basic idea is to capture the voltage change along the timeline: a high level can be read as 1 and a low level as 0, so the encoded data is recorded as 010101…

The first two grids from the left are made up of many short 0 and 1 signals called the data preamble. It is not actual data but part of the protocol between transmitter and receiver: the preamble is pretty much the transmitter saying "I'm an HCS301 and I'm ready to transmit data". The preamble in HCS301 is 23 bits of data in the sequence 10101010101010101010101. Each 0 or 1 time segment is called a Te, which is the basic unit in the HCS301 data format.

 

Above is a zoomed-in photo of the preamble. Each segment has a fixed time span of around 350-400us, whether it is a 0 or a 1. The wave is not the perfect square wave it is supposed to be, but it is perfectly fine for the receiver to pick up and recognize as the preamble.

Following the preamble, grid 3 (see photo 1) is a gap called the header, which separates the preamble from the actual data and tells the receiver to get ready to receive the data.

The data part takes up most of the bits: 66 data bits, or 198 Te, since each data bit takes a 3 Te time span. A data 1 is encoded as 100 (one high and two low) and a data 0 is encoded as 110 (two high and one low). As you can see from the photo below, the data bits are for example 110100110100, which actually means 1010. This data encoding is commonly seen in HCS301 rolling code chips; there are other options such as Manchester encoding, but they are rarely used.

 

In a fixed code, the data is basically the identifier, and the same data is transmitted each and every time a button on the transmitter is pressed. The identifier code is the most important part because it distinguishes different transmitter and receiver pairs, so you will never open your neighbour's door, because the two of you have different identifiers or serial numbers.

This identifier is called the serial number, just as you see on many other products; it is a number that will not repeat for a very long time. We also have to put a button code in the data, so the receiver knows which button has been pressed. Imagine operating 4 doors with a 4-button transmitter without them interfering with each other.

HCS301 is different from fixed code, however, because it also adds a rolling part, which changes every time you press the transmitter button. The receiver decodes the rolling part into something called the counter, which keeps a log of how many times the button has been pressed, for example that this is the 100th press.

The counter is the key to Keeloq rolling code encryption. The counter value is kept in sync in both transmitter and receiver, so it should be the same every time, and the receiver checks whether it is the same to either proceed to open the door or reject the operation. Sometimes, however, for instance when there is signal jamming or you press the button outside the receiver's working range, the transmitter's counter advances but the receiver keeps the old value; for example, the transmitter has been pressed 100 times but the receiver has only recorded 90.

So the design of rolling code includes a mechanism that allows a grace margin between the two: if the counters on transmitter and receiver differ and the margin is less than 20 presses, for example, the receiver will still recognize the transmitter and update its counter in the next operation.

But when the margin is more than 20 presses, or the receiver's counter value is larger than the transmitter's (which cannot happen under normal conditions), the receiver will reject the transmitter and mark it as lost. That is why we sometimes say the code has been lost, and the only way to recover is to re-program and sync again.
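
The counter check described in the last three paragraphs, written out as an added example (not code from the HCS301 or from any receiver firmware). The names rc_receiver, rc_check and SYNC_WINDOW are hypothetical, the counter is assumed to be 16 bits wide and already decrypted, and the window of 20 is the example margin used above; the example goes one step beyond the text by also handling the counter wrapping from 65535 back to 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the article's example margin of 20 presses. */
#define SYNC_WINDOW 20u

typedef enum { RC_ACCEPT, RC_ACCEPT_RESYNC, RC_REJECT } rc_result;

/* Hypothetical receiver state for one learned transmitter. */
typedef struct {
    uint16_t expected;   /* counter value the receiver expects next */
} rc_receiver;

/* Validate a counter that was already decrypted from the rolling part.
   Assumption: the counter is 16 bits wide, so the subtraction below is
   taken modulo 65536 and stays correct across the 65535 -> 0 wrap. */
rc_result rc_check(rc_receiver *rx, uint16_t tx_counter)
{
    uint16_t ahead = (uint16_t)(tx_counter - rx->expected);

    /* Outside the window: too many missed presses, or a counter behind
       the receiver (a replayed old code wraps to a huge "ahead" value).
       The stored state is left untouched. */
    if (ahead >= SYNC_WINDOW)
        return RC_REJECT;

    /* Inside the window: move past the value just used so that the
       same transmission cannot be accepted a second time. */
    rx->expected = (uint16_t)(tx_counter + 1u);
    return ahead == 0 ? RC_ACCEPT : RC_ACCEPT_RESYNC;
}

int main(void)
{
    /* Constructed sequence: receiver at 90, transmitter pressed up to 100. */
    static const char *names[] = { "accept", "accept+resync", "reject" };
    const uint16_t seen[] = { 100, 101, 100, 140 };
    rc_receiver rx = { 90 };

    for (unsigned i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("counter %u -> %s\n", (unsigned)seen[i], names[rc_check(&rx, seen[i])]);
    return 0;
}
```

Because a rejected counter does not change the stored value, a transmitter that has run more than the window ahead keeps being rejected until it is re-programmed, while a repeated old code cannot push the receiver out of sync.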

So in conclusion, HCS301 rolling code data has two parts. One is the encrypted part, which changes every time a button is pressed; the encrypted information is mainly the counter, which keeps a log of every button press. The other is the fixed part, which basically contains the serial number and button code and serves as the identifier in the transmitted data. Fixed code is simpler, as it only has the fixed serial number part, which serves as the identifier.