Keen Electronics Key Fob
Source: Dev.to
The Product
It’s a small keychain fob with two buttons and a green LED. It features the company name Keen Electronics Ltd. (dissolved as of November 2025) with the phone number 01296 423203 on the front and a serial‑number sticker on the back reading 000984.
- The rubber buttons have become extremely soft; they stay permanently deformed when pressed.
- Inside, the fob uses an NM21/23 12 VDC battery.
- The PCB is marked “AMTX2B‑4‑ER”, which yields only generic information.
The unit still works: the green LED is bright but flickers slightly, and when the fob is shaken the LED appears to strobe in sync with the RF signal.
There are two buttons (referred to here as left and right) and a panic mode activated by pressing both simultaneously, which acts as a third button.
The Radio
The fob transmits around 433.83 MHz. Data is encoded with On‑Off Keying (OOK) using Pulse Distance Modulation (PDM): the on‑pulses have a fixed short length, while the distances between pulses convey the data.
- Pulse duration: ~460 µs (half of this, 230 µs, serves as the base timing).
- The SAW resonator causes the carrier frequency to drift during transmission, but the timing remains relatively stable.
The Data
Three distinct packets are sent, corresponding to left button, right button, and both buttons (panic).
Derived symbols:
"S" = 00111111111111111000000000000000
"0" = 1100
"1" = 1100000Using these symbols, the packets become:
S 10000111 10000011 10000000 00010101 01010000 01010100 00000000
S 10000111 10000011 10000000 00100101 01010000 01010100 00000000
S 10000111 10000011 10000000 00110101 01010000 01010100 00000000
^^ (button‑specific bits)Each packet consists of 7 complete bytes; the only differences are the two bits indicating which button(s) were pressed. A transmission repeats the packet up to six times, followed by a final sync symbol “S”.
Full transmission example:
The Protocol
Research into Texas Instruments PDM implementations (see their Infrared Remote Control Implementations document) shows that the leading sync symbol (“S”) is analogous to the “leading code” defined in milliseconds, while the remaining data is quantised.
Observations:
- No checksum present
- No rolling code
- Vulnerable to replay attacks
- Can be duplicated with a simple fob duplicator
To Be Continued
Further investigation is needed, ideally with access to the receiver and additional fobs. Open questions include:
- Which bits identify the fob ID?
- Are there other fobs with more button functionality using the same encoding?
- Is there a “master” ID that bypasses individual fob IDs?
- Does the receiver support extra RF commands that the fobs don’t transmit?
- Does the serial‑number label on the back relate to the transmitted code?