Cloning a CAME parking-gate remote with a Flipper Zero — why static Princeton codes are a security own-goal

A surprising number of buildings hand each tenant a little plastic fob to open the parking barrier — and a surprising number of those fobs are not what you'd call secure. If the building installer cheaped out (or just picked the default jumper settings), the remote sends a fixed sub-GHz signal every single time. No rolling code, no challenge, no cryptography. Just the same packet, on the same frequency, every press.

Which means anyone with a Flipper Zero and a few minutes can clone it.

Here's a 90-second demo of doing exactly that on a CAME barrier — and the technical context for why it works.

The setup

The gate is a CAME-branded barrier, the kind you see at almost every apartment compound parking entrance. Every tenant is given a static remote — not rolling code. Why?

  • Cheaper. Static encoders like Princeton's PT2262 (and the dozens of clones — SC2262, HX2262, etc.) cost cents per remote. Rolling-code receivers cost more, and pairing each new tenant remote is more work.
  • "It's just a parking gate." The threat model the installer cares about is "random person walking up to the gate." Not "someone with $169 of pentesting hardware in their pocket."

That second assumption is the one that's been quietly aging out for the last few years. Flipper Zero made sub-GHz capture and replay something a curious teenager can do. So if your building's barrier still trusts static codes, your "key" is closer to a "publicly broadcast password."

What the Flipper actually does — step by step

You don't need to know radio theory to follow this. Here's the exact workflow from the video, in plain English:

  1. Open Sub-GHz on the Flipper. From the main menu, pick the Sub-GHz application — that's where all the radio-band tools live.
  2. Run Frequency Analyzer. Hold your existing tenant remote about 10-30 cm from the Flipper and tap its button a few times. The Flipper sweeps the common sub-GHz bands (315 / 433 / 868 / 915 MHz, depending on region) and locks onto whichever one your remote is using. For CAME barriers in most regions, this lands on 433.92 MHz.
  3. Press OK to capture the frequency. The middle (circle) button locks the analyzer's reading. The Flipper now knows which channel your remote talks on.
  4. Switch to Read. Same Sub-GHz menu — go into "Read." The frequency you just captured is already highlighted. Now press your remote one more time.
  5. Flipper decodes the protocol. This is the magic moment. The Flipper looks at the raw signal and tries to match it against a library of known protocols. For a static CAME-style remote, it instantly identifies Princeton — the encoder family with the famous 24-bit fixed code.
  6. Save the capture, walk to the gate, hit Send. The Flipper replays the same bits on the same frequency. The gate motor sees what looks like a normal remote press, and the boom arm lifts.

The whole sequence takes under a minute. There is no cracking, no brute force, no decryption — there's nothing to crack. The remote is just announcing the password in the clear, and the Flipper is recording it.

Why Princeton (and its clones) are this easy

Princeton's PT2262 — and the family of compatible chips installed in millions of cheap remotes — encodes a fixed 24-bit pattern that's set at the factory using a tiny array of jumpers or tri-state pins. There are three reasons it's catastrophically replayable:

  • The code never changes. Same press, same bits, every time. A capture from yesterday works tomorrow, next month, next year — until the building rekeys (which they almost never do).
  • The keyspace is small. 2^24 is about 16 million combinations, but each remote only ever sends one. You don't need to brute-force the space — you just need to capture the one valid code, once.
  • There's no challenge-response. The receiver has no way to tell a real remote from a replay. To it, both look identical at the radio level.

The fix that the rest of the industry moved to is rolling code (KeeLoq, AES-rolling, etc.) — every press uses a new code derived from a shared secret and a counter. Replay a captured signal and the receiver rejects it because the counter has moved on. Garage door openers from the last 15 years use rolling code. Car key fobs use it. Apartment barriers… often don't.
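To make the contrast in the two sections above concrete, here is an added simulation (not code from the post, from CAME or from Princeton) of a PT2262-style static receiver beside a rolling-code receiver; a single recorded press is fed back to each. The rolling scheme is a simplified HMAC-over-counter model, not KeeLoq, and every key, serial number and code is a constructed sample value.

```python
import hmac
import hashlib
# Added illustration, not the post's or CAME's code: static 24-bit remote vs a
# simplified counter+MAC rolling scheme (not KeeLoq). All values are constructed.

class StaticRemote:
    """Fixed 24-bit code, identical on every press (PT2262-style)."""
    def __init__(self, code: int):
        self.code = code & 0xFFFFFF
    def press(self) -> bytes:
        return self.code.to_bytes(3, "big")

class StaticReceiver:
    def __init__(self, code: int):
        self.code = code & 0xFFFFFF
    def accept(self, pkt: bytes) -> bool:
        return int.from_bytes(pkt, "big") == self.code  # nothing else to check

class RollingRemote:
    """Shared key + counter; each press sends serial || counter || MAC."""
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.counter = key, serial, 0
    def press(self) -> bytes:
        self.counter += 1
        body = self.serial.to_bytes(4, "big") + self.counter.to_bytes(4, "big")
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:4]

class RollingReceiver:
    WINDOW = 16  # presses made out of range may advance the counter this far
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.last = key, serial, 0
    def accept(self, pkt: bytes) -> bool:
        body, tag = pkt[:8], pkt[8:]
        serial, counter = int.from_bytes(body[:4], "big"), int.from_bytes(body[4:], "big")
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:4]
        if serial != self.serial or not hmac.compare_digest(tag, expected):
            return False  # unknown remote or forged MAC
        if not (self.last < counter <= self.last + self.WINDOW):
            return False  # counter already used (replay) or too far ahead
        self.last = counter  # commit: this counter can never open the gate again
        return True

def replay_demo() -> tuple:
    """Record one press of each remote, replay it once; returns (static, rolling)."""
    static_tx, static_rx = StaticRemote(0xA5C3F0), StaticReceiver(0xA5C3F0)
    key = b"constructed-demo-key"
    rolling_tx, rolling_rx = RollingRemote(key, 0x1234), RollingReceiver(key, 0x1234)
    s_pkt, r_pkt = static_tx.press(), rolling_tx.press()
    assert static_rx.accept(s_pkt) and rolling_rx.accept(r_pkt)  # genuine presses open
    return static_rx.accept(s_pkt), rolling_rx.accept(r_pkt)     # replays: (True, False)
```

The static receiver has no state and no secret, so the recorded bytes open it forever; the rolling receiver burns each counter value on first use, which is exactly what the replay lacks.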

If you're a curious learner

The Flipper Zero is a genuinely good way to learn sub-GHz radio, encoding protocols, and why the security choices we make at install time matter ten years later. The interface is friendly, the community is huge, and the Sub-GHz app surfaces concepts (frequency analyzers, protocol decoders, replay attacks) that you'd otherwise have to fight with GNU Radio to even see.

Just keep the experiments on your own hardware, or on systems where you have explicit written permission to test.

⚠️ Disclaimer (please read)

This walkthrough is for security research and education. Cloning, replaying, or otherwise using radio signals to access barriers, doors, gates, vehicles, or any other system you do not own or are not explicitly authorized to test is illegal in most jurisdictions and can carry serious penalties — including trespass, theft, and computer-misuse charges. Use this material to understand and harden what you have, not to interfere with anyone else's property. Don't be that person.

Watch the build

The video is 90 seconds — just the demo, no fluff. If you want to follow along on your own (legitimately-owned) gate, that's enough to walk through the entire capture-and-replay flow on your Flipper Zero. The longer "why" lives in this post.

If you enjoyed this, drop a 👍 and subscribe to H4hacks on YouTube for more hardware, hacking, and security-flavored builds.