Reverse engineering an RF remote


Reverse engineering an RF remote

Post by Rintin » Fri Jan 29, 2016 5:58 pm

Hi,

I've got this RF mini controller for the WS2812b.

I figured out that it transmits on 433 MHz.

I connected one of these RF receivers to a USB sound card and recorded the signal with Audacity.

I connected a transmitter to my STM32 board and wrote this code that simulates some button presses:



// Output pin that send() toggles to key the transmitter's data input.
#define PIN PB5
// Status LED pin; send() flips it once per call.
#define LED PC13

// One-time initialisation: the transmitter data pin and the status LED are
// both configured as outputs.
void setup() {
  const int outputs[] = { PIN, LED };
  const int count = (int)(sizeof(outputs) / sizeof(outputs[0]));

  for (int i = 0; i < count; i++) {
    pinMode(outputs[i], OUTPUT);
  }
}

// Level written to LED at the start of the next send(); flipped on every call.
int ledstatus = 1;

// Transmit one recorded button code by switching PIN between HIGH and LOW.
//
// length: number of entries in data.
// data:   run lengths in units of 515 us. Entry i is how long to wait before
//         the pin is switched again; the first switch goes HIGH and the level
//         alternates on every entry after that.
//
// The payload is sent 4 times, each repetition preceded by 7000 us HIGH and
// 3500 us LOW. The function returns only after the last repetition, with PIN
// left LOW.
void send(int length, uint8_t *data){
  const int unit_us = 515;  // base time unit of the recorded signal
  const int repeats = 4;    // the button sequence is sent this many times

  // Flip the status LED so every transmission is visible on the board.
  digitalWrite(LED, ledstatus);
  ledstatus = 1 - ledstatus;

  // Lead-in before the first repetition: 1 ms LOW, 2 ms HIGH.
  digitalWrite(PIN, LOW);
  delayMicroseconds(1000);
  digitalWrite(PIN, HIGH);
  delayMicroseconds(2000);

  int frame = 0;
  while (frame < repeats) {
    // Start of a repetition: 7 ms HIGH followed by 3.5 ms LOW.
    digitalWrite(PIN, HIGH);
    delayMicroseconds(7000);
    digitalWrite(PIN, LOW);
    delayMicroseconds(3500);

    // Payload: wait data[i] units, then switch the pin to the next level.
    int next_level = 1;
    int i = 0;
    while (i < length) {
      delayMicroseconds(unit_us * data[i]);
      digitalWrite(PIN, next_level);
      next_level = !next_level;
      i++;
    }

    // Hold the last level for 1.4 ms, then return the pin to LOW.
    delayMicroseconds(1400);
    digitalWrite(PIN, LOW);
    frame++;
  }
}

// Button sequences
// Each entry is the number of 515 us units send() waits before toggling the
// output pin, i.e. the run lengths of the recorded waveform.
//
// All buttons share the same leading entries and every array is a constant:
// as recorded here, the remote sends one fixed code per button and nothing in
// the frame changes from press to press. A receiver for this kind of code
// cannot tell the original remote from a replayed recording, so the link
// offers no replay protection or authentication.
uint8_t data_ON[]   = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,1,1,1,1,3,1,3,1,1,1,3,1,1}; // ON
uint8_t data_AUTO[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,3,1,3,1,3,1,1,1,1}; // AUTO
uint8_t data_OFF[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,1,1,1,1,3,1,1,1,1}; // OFF

uint8_t data_SP[]   = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,1,1,1,1,1,1,3,1,3,1,3,1,3,1,1}; // S+
uint8_t data_MP[]   = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,1,1,1,1,1,1,3,1,1,1,3,1,1,1,1}; // M+
uint8_t data_BP[]   = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,3,1,1,1,1,1,1,1,3,1,1,1,3,1,3,1,1}; // B+

uint8_t data_SM[]   = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,1}; // S-
uint8_t data_MM[]   = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,3,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,1}; // M-
uint8_t data_BM[]   = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1}; // B-

// Colour buttons, named by row and column (C<row><column>); only the first
// four were labelled by the author.
uint8_t data_C11[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,3,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1}; // Red
uint8_t data_C12[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1}; // Green
uint8_t data_C13[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,3,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}; // Blue

uint8_t data_C21[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,1,1,3,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,1}; // Yellow
uint8_t data_C22[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,3,1,3,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,1}; // 
uint8_t data_C23[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,1}; // 

uint8_t data_C31[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,3,1,3,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,1}; //
uint8_t data_C32[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,3,1,3,1,1,1,1,1,1}; // 
uint8_t data_C33[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,3,1,3,1,1,1,1,1,3,1,3,1,3,1,1,1,3,1,1}; // 

uint8_t data_C41[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,3,1,3,1,3,1,3,1,1,1,1}; //
uint8_t data_C42[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,3,1,3,1,1,1,1,1,3,1,3,1,3,1,3,1,3,1,1}; // 
uint8_t data_C43[]  = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1}; // 

// Demo cycle, repeated forever: ON, red, green, blue, OFF, with a 2 s pause
// before each code is sent.
void loop() {
  struct Step { int length; uint8_t *data; };

  // sizeof() gives the entry count directly because the elements are uint8_t.
  const struct Step sequence[] = {
    { (int)sizeof(data_ON),  data_ON  },
    { (int)sizeof(data_C11), data_C11 },
    { (int)sizeof(data_C12), data_C12 },
    { (int)sizeof(data_C13), data_C13 },
    { (int)sizeof(data_OFF), data_OFF },
  };
  const int steps = (int)(sizeof(sequence) / sizeof(sequence[0]));

  for (int i = 0; i < steps; i++) {
    delay(2000);
    send(sequence[i].length, sequence[i].data);
  }
}
Attachments
audacity.png
audacity.png (12.6 KiB) Viewed 904 times
1454088888672.jpg
1454088888672.jpg (13.17 KiB) Viewed 904 times
1454088804737.jpg
1454088804737.jpg (12.9 KiB) Viewed 904 times
#legalizeawoo


Re: Reverse engineering an RF remote

Post by RogerClark » Fri Jan 29, 2016 7:55 pm

Very interesting...

Did it work ?

Can you tell me how you connected the receiver to analyse the data.

It looks like you used one of those USB audio dongles that uses the C-Media chip.
Did you bypass the input capacitor?
Did you need to level shift the input voltage e.g. with a resistor divider etc?

Thanks

Roger


Re: Reverse engineering an RF remote

Post by Rintin » Fri Jan 29, 2016 8:20 pm

RogerClark wrote:Very interesting...

Did it work ?
Yes
Can you tell me how you connected the receiver to analyse the data.
I connected everything directly.

The data pin is connected to the microphone and power is taken from the USB port.
It looks like you used one of those USB audio dongles that uses the C-Media chip.
It's detected as a generic USB sound card. The chip is covered by a black blob.
Did you bypass the input capacitor?
Did you need to level shift the input voltage e.g. with a resistor divider etc?
No to both.
I was not expecting the DC-part to be that important.

For recording I have to set the volume to the lowest setting, and it's still quite loud. A voltage divider might be better...
Thanks

Roger
Attachments
2016-01-29_21-13-11_682.jpg
2016-01-29_21-13-11_682.jpg (208.67 KiB) Viewed 897 times
#legalizeawoo


Re: Reverse engineering an RF remote

Post by ahull » Fri Jan 29, 2016 11:22 pm

A neat trick, I'll need to remember that one. :D

I decoded a couple of junk box 433 MHz PIR sensors a couple of years back, but I had the luxury of an oscilloscope.

I bought a USB sound card, similar to the one you used a while back too, with a view to using it as a quick and dirty oscilloscope, but I have to admit it is languishing in my junk box. Too many other distractions. You might just have inspired me to drag it out and get it doing something useful.

At the moment I'm messing around with a very low cost VC921 digital multimeter, that I am trying to coax a serial signal out of. I *think* the chip is capable of it, but I haven't found the correct combination of pins to get it to say anything yet.

I've actually ordered a UNI-T 61B too, with the intention of using an STM32XXX or an ESP8266 as a data logger, piggybacked onto the IR output, to allow remote monitoring. If I get the little VC921 to emit a serial data stream, I will see if I can squeeze an ESP8266 into its case; that would be a neat hack (although probably a little heavy on AAA batteries). If I make any progress with either of those, I'll probably post something in the "Off topic" thread.
- Andy Hull -


Re: Reverse engineering an RF remote

Post by RogerClark » Sat Jan 30, 2016 3:27 am

@Rintin

Thanks

I bought some USB audio dongles to use for audio output, but I will re-purpose one of them to act as a RF sniffer

Thanks for posting

PS. Have you seen the RCSwitch library

It does something similar, but only sends and receives a few protocols.

I have not tried RCSwitch on STM32 yet, but I used it a lot on AVR Arduinos and it worked well.


Re: Reverse engineering an RF remote

Post by Rintin » Sat Jan 30, 2016 8:05 am

This? https://github.com/sui77/rc-switch

No.

Thanks for mentioning it. I will give it a try.
#legalizeawoo


Re: Reverse engineering an RF remote

Post by RogerClark » Sat Jan 30, 2016 9:00 am

Yes.
Rintin wrote:This? https://github.com/sui77/rc-switch

No.

Thanks for mentioning it. I will give it a try.
Yes

I think that's the lib I used.

You generally have to know the chipset, but from what I know it has a Raw mode that I used on one unsupported chipset


Re: Reverse engineering an RF remote

Post by Rintin » Thu Feb 04, 2016 5:32 pm

Sending was easy with this library (using the master branch).

I defined the protocol timing and the button codes translated to this:


// Custom rc-switch protocol built from the recorded timing: 515 us base pulse
// length, followed by {high, low} pulse counts for the sync {17, 8}, a zero
// bit {1, 1} and a one bit {1, 3}.
// NOTE(review): field order assumed from rc-switch's Protocol struct - confirm
// against the library version in use.
RCSwitch::Protocol proto = { 515, {  17, 8 }, {  1,  1 }, {  1,  3 }};

RCSwitch mySwitch = RCSwitch();
mySwitch.setProtocol(proto);
...

// Button codes as '0'/'1' bit strings, passed to mySwitch.send() below.
// Every code starts with the same bits (001101001010...) and is a constant:
// the remote uses one fixed code per button, so the receiver cannot tell the
// original remote from a replayed copy (no replay protection).
// NOTE(review): these point at string literals, which must not be written to;
// `const char*` would be the safer type if the library's send() accepts it.
char* data_ON   = "001101001010000000000001100011010"; // ON
char* data_AUTO = "001101001010000000000010100011100"; // AUTO
char* data_OFF  = "001101001010000000011000100100100"; // OFF

char* data_SP   = "001101001010000000000011100011110"; // S+
char* data_MP   = "001101001010000000000100100010100"; // M+
char* data_BP   = "001101001010000000000101100010110"; // B+

char* data_SM   = "001101001010000000000110100010010"; // S-
char* data_MM   = "001101001010000000000111100010000"; // M-
char* data_BM   = "001101001010000000001000100000100"; // B-

// Colour buttons; only the first four were labelled by the author.
char* data_C11  = "001101001010000000001001100000110"; // Red
char* data_C12  = "001101001010000000001010100000010"; // Green
char* data_C13  = "001101001010000000001011100000000"; // Blue

char* data_C21  = "001101001010000000001100100001100"; // Yellow
char* data_C22  = "001101001010000000001101100001110"; // 
char* data_C23  = "001101001010000000001110100001010"; // 

char* data_C31  = "001101001010000000001111100001000"; // 
char* data_C32  = "001101001010000000010000100111000"; // 
char* data_C33  = "001101001010000000010001100111010"; // 

char* data_C41  = "001101001010000000010010100111100"; // 
char* data_C42  = "001101001010000000010011100111110"; // 
char* data_C43  = "001101001010000000010100100110100"; // 

// Transmit the ON code using the custom protocol set on mySwitch.
mySwitch.send(data_ON);

On the button press the sync is missing, but it is repeating the signal a few times so it does not matter too much.


I guess I should start the receiving part.
Hmm... 5V receiver with 3.3V logic...
#legalizeawoo


Re: Reverse engineering an RF remote

Post by RogerClark » Thu Feb 04, 2016 8:31 pm

Some pins are 5V tolerant. :-)


Re: Reverse engineering an RF remote

Post by mrburnette » Fri Feb 05, 2016 12:35 am

RogerClark wrote: Some pins are 5V tolerant. :-)
And some pins are not. :roll:

Like so many wiring decisions, picking the wrong pin as the tolerant one will admit one into the Magic Smoke Club.

Ray
