IR-RF transceiver: Part I – Taking stuff apart

A few weeks ago I discovered a cheap wireless power control set from Clas Ohlson. At first I intended to use it with my universal remote, but this turned out to be impossible because the universal remote was infrared (IR) only, and the power unit was RF (433 MHz). So I would have to shell out $400 for a more fancy remote… or, I could hack the light controller!

I wanted to add an IR receiver to the RF remote control, and use it as a transceiver / repeater, so I could use my universal remote to control the RF light switches.

2010-02-14 18.53.21

Opening the remote

I brought the gear to PING, where HÃ¥vard and I disassembled it. The remote control contains two PCBs:

  • Frontend with 6 buttons, an LED, a channel selector, a 12V battery, and a signal encoder chip
  • Backend with RF unit

The two PCBs were connected with GND, SIG (+5v) and VCC (+12v).

Decoding the protocol

a1-on
Trace of "A1 ON" command

Physical layer

We hooked up our logic analyzer between the two units, and recorded the signal.

The physical layer protocol was easy to reverse by looking at the trace, two patterns was clearly visible: 1000 and 1110. It looks like each data bit is represented by four bits in the physical layer; a start bit (high), the data bit repeated twice, and then a stop bit (low).

0 = 1000
1 = 1110

Data link/application layer

We then tried to analyze the higher level protocol, first we decoded channel A, lamp 1, button “On” and “Off”:

0001 0101 0001 0101 0101 0111 0
0001 0101 0001 0101 0101 0100 0

Finding the difference was easy; 11 is on and 00 is off.

Next we needed to understand the addressing, and so we recorded and decoded most of the possible “On”-signals:

A1-ON : 0001 0101 0001 0101 0101 0111 0
A2-ON : 0001 0101 0100 0101 0101 0111 0
A3-ON : 0001 0101 0101 0001 0101 0111 0

B1-ON : 0100 0101 0001 0101 0101 0111 0
B2-ON : 0100 0101 0100 0101 0101 0111 0
B3-ON : 0100 0101 0101 0001 0101 0111 0

C1-ON : 0101 0001 0001 0101 0101 0111 0
C2-ON : 0101 0001 0100 0101 0101 0111 0
C3-ON : 0101 0001 0101 0001 0101 0111 0

D1-ON : 0101 0101 0001 0101 0101 0111 0
D2-ON : 0101 0101 0100 0101 0101 0111 0
D3-ON : 0101 0101 0101 0001 0101 0111 0

So each packet (which was repeated several times when pushing a button) had the following structure:

CHANNEL-NO[6] 01 LIGHT-NO[6] 01 0101 01 STATE[2] 0

Channels:

A = 000101
B = 010001
C = 010100
D = 010101

Lights:

1 = 000101
2 = 010001
3 = 010100

One thought on “IR-RF transceiver: Part I – Taking stuff apart”

  1. It’s really a cool and useful piece of info. I’m happy that you simply shared this helpful information with us.
    Please keep us up to date like this. Thank you for sharing.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>