Reverse Engineering Remote Control Power Sockets - Part 5: Setting up a development environment for the STM32F0DISCOVERY

The STM32F0DISCOVERY is a cheap STM32F0 (ARM® Cortex®-M0-based) evaluation board. It is the second target of choice to controll a 433 MHz transmitter in order to switch cheap remote controlled power outlets.

You might want to read the following posts before you continue:

libopencm3

libopencm3 is a free/libre/open-source (LGPL v3, or later) firmware library for various ARM Cortex-M microcontrollers. It comes along with various examples and makes it very easy to do the first steps in embedded programming.

Toolchain

In order to be able to compile libopencm3, you'll need an appropriate cross-toolchain for the ARM platform:

yay -S gcc-arm-none-eabi-bin-92 arm-none-eabi-gdb opencocd stlink

libopencm3-examples

Let's initially build all examples along with libopencm3:

git clone https://github.com/libopencm3/libopencm3-examples
cd libopencm3-examples/
git submodule init
git submodule update
make

Finally connect the STM32F0DISCOVERY via the Mini-USB connectors to your development host and run the following command to flash the miniblink example to the target:

cd examples/stm32/f0/stm32f0-discovery/miniblink/
make flash

Or to flash with stlink instead of OpenOCD:

make miniblink.stlink-flash

You'll hopefully see the green LED flashing now.

Reverse Engineering Remote Control Power Sockets - Part 4: Setting up a development environment for the Raspberry Pi

If you've read the first blog post of this series, you already know that the intention of this project is to replace the remote control of these devices by a cheap 433 MHz transceiver and a microcontroller platform. The first target of choice is a Raspberry Pi Model B Rev 2, containing a Broadcom BCM2835 System on a chip (SoC) with an ARM1176JZF-S 700 MHz processor.

Host system (Arch Linux, x64)

Cross-Toolchain

In order to cross-compile applications for the Raspberry Pi on the host system, a cross-toolchain is needed. The Raspberry Pi Github tools repository comes with a ready to use toolchain. The installation is as easy as this:

git clone http://github.com/raspberrypi/tools
sudo cp -r tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian-x64 /opt/
export PATH=$PATH:/opt/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin

C library for controlling Broadcom BCM2835 GPIOs

Switching a power socket requires sending the appropriate code bits by switching the 433 MHz transceiver's data pin. The data pin shall be connected to a Rasperry Pi General-purpose input/output (GPIO) pin, which shall be controlled by a C program utilizing the bcm2835 C library. The library can be installed as follows:

wget http://www.airspayce.com/mikem/bcm2835/bcm2835-1.59.tar.gz
tar xvf bcm2835-1.59.tar.gz
cd bcm2835-1.59
export PATH=$PATH:/opt/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin
./configure --host=arm-linux-gnueabihf
make
sudo make install

Hello world program

Makefile

CFLAGS =  -DDEBUG
CFLAGS += -Wall -Werror
CFLAGS += -Wmissing-prototypes -Wmissing-declarations
CFLAGS += -Wstrict-prototypes -Wpointer-arith -Wwrite-strings
CFLAGS += -Wcast-qual -Wcast-align -Wbad-function-cast
CFLAGS += -Wformat-security  -Wformat-nonliteral -Wmissing-format-attribute
CFLAGS += -Winline -W -pedantic -funsigned-char

ARCH := $(shell uname -m)

ifeq ($(ARCH),x86_64)
ARCH=arm
CROSS_COMPILE=arm-linux-gnueabihf-
CC=$(CROSS_COMPILE)gcc
INCLUDES=-I/usr/local/include/
LIBS=-L/usr/local/lib
endif

sswitch:
              $(CC) $(CFLAGS) $(INCLUDES) $(LIBS) -o toggle toggle.c -l bcm2835

clean:
              -@rm -rf *.o *~ toggle 2>/dev/null || true

toggle.c

#include <bcm2835.h>

#define PIN RPI_GPIO_P1_07 /* GPIO 4 */

int main(void)
{
      /* Initialize the IO pin */
      if (!bcm2835_init()) {
              return -1;
      }

      /* Set the pin to be an output */
      bcm2835_gpio_fsel(PIN, BCM2835_GPIO_FSEL_OUTP);

      while (1) {
                bcm2835_gpio_write(PIN, HIGH);
                delayMicroseconds(1000);
                bcm2835_gpio_write(PIN, LOW);
                delayMicroseconds(1000);
      }

      return 0;
}

The program can be built as follows:

make

If everything went well, the make command should have produced a toggle binary compiled for the ARM platform:

file toggle
toggle: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 2.6.26, BuildID[sha1]=965aa16a5ff6a190f6005eb3b825af56df701a8e, not stripped

Installing the target operating system

Since the standard Linux kernel does not have real-time capabilities by default, reaching the appropriate timing characteristics for a codeword is not trivial. Using a blown up distribution like Raspbian will make things even harder.

Arch Linux ARM is a lightweight alternative and the choice for this project. The image will be installed to a 16 GB SD card.

The Arch Linux ARM project website provides excellent installation instructions (see tab Installation).

After the installation, put the SD card into the Raspberry Pi, connect it to the Ethernet and power it up. Use nmap to gather it's IP address:

nmap 192.168.1.0/24 | grep alarmpi
Nmap scan report for alarmpi.fritz.box (192.168.1.19)

Finally copy the first program to the target and log in via SSH:

scp Makefile toogle.c alarm@alarmpi:~/hackstock/toggle
ssh alarm@alarmpi.fritz.box

Target system (Arch Linux ARM)

Before doing anything on the target system, fix the weird issue with backspace not working:

export TERM=rxvt

Package manager initialization

After the Raspberry Pi has booted up for the first time, initialize the package manager as follows:

su -c 'pacman-key --init'
su -c 'pacman-key --populate archlinuxarm'

Tools

The follwing packages are necessary for development purposes:

su -c 'pacman -S wget gcc make'

C library for controlling Broadcom BCM2835 GPIOs

Before the test program can be compiled on the target system, the bcm2853 library needs to be installed:

wget http://www.airspayce.com/mikem/bcm2835/bcm2835-1.59.tar.gz
tar xvf bcm2835-1.59.tar.gz
cd bcm2835-1.59
./configure
make
su -c 'make install'

Building the program

cd ~/hackstock/toggle
make

Running the program

Trying to run the program as user alarm fails with the following error message:

./toggle
bcm2835_init: Unable to open /dev/gpiomem: Permission denied

Running the program as root is a quick fix but not a good idea in general, we'll fix that issue later.

su -c './toggle'
toogle.c

Looking at GPIO4 with an Oscilloscope shows the expected behaviour, the pin toggles between HIGH and low with a periodic time of 2 seconds.

Raspberry Pi Zero W: Headless bring up (Raspbian)

The following article describes the most straightforward way to setup and connect a Raspberry Pi Zero W to your WPA2 Wi-Fi network.

Preparation

Download and unpack the image:

wget -O raspbian-stretch-lite.zip https://downloads.raspberrypi.org/raspbian_lite_latest
unzip raspbian-stretch-lite.zip

Mount the image to the local filesystem:

su -c 'losetup -f --show 2017-11-29-raspbian-stretch-lite.img'
  /dev/loop0
su -c 'partx -a /dev/loop0'
mkdir boot root
su -c 'mount /dev/loop0p1 boot'
su -c 'mount /dev/loop0p2 root'

Enable SSH server

su -c 'touch boot/ssh'

Configure Wi-Fi interface

Automatically setup wlan0 for DHCP:

su -c 'emacs root/etc/network/interfaces'
source-directory /etc/network/interfaces.d
+
+auto wlan0
+allow-hotplug wlan0
+iface wlan0 inet dhcp
+    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Create and open file wpa_supplicant.conf:

su -c 'emacs root/etc/wpa_supplicant/wpa_supplicant.conf'

Configure wpa_supplicant according to your Wi-Fi network:

-country=GB
+country=DE
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
+
+network={
+  ssid="YOUR_SSID"
+  psk="YOUR_PSK"
+  proto=RSN
+  key_mgmt=WPA-PSK
+  pairwise=CCMP
+  auth_alg=OPEN
+}

Clean up

Unmount image partitions and clean up:

su -c 'umount root'
su -c 'umount boot'
su -c 'partx -d /dev/loop0'
su -c 'losetup -d /dev/loop0'

Install image to MicroSD card

Insert the MicroSD card into your host computer and check the systemd journal for the appropriate device node:

journalctl -k -f | grep sd
  ...
  Jan 23 20:41:10 discordia kernel:  sdb: sdb1
  ...

Use dd to write the image to the card:

Be careful when running the following command! The output file (of) has to be the MicroSD card's device node!

su -c 'dd bs=4M if=2017-11-29-raspbian-stretch-lite.img of=/dev/sdb conv=fsync'

Now put the MicroSD card into your Raspberry Pi and attach the power supply. Give the device some time to boot up.

Connect to the Raspberry Pi

Scan your local network for the Raspberry Pi:

nmap -p22 192.168.1.0/24 | grep raspberrypi
  Nmap scan report for raspberrypi (192.168.1.27)

Finally connect to it via SSH:

ssh pi@192.168.1.27

Emulate Raspberry Pi with QEMU

It's not always practical to carry around a Raspberry Pi when you just want to do some basic ARM development or research. azeria-labs.com has a great article about how to emulate a Raspberry Pi (running Raspbian) with qemu. However, since not everybody likes the Debian based antiquary distro, this article shows how to do the same with Arch Linux ARM on a host system running a recent version of qemu:

qemu-system-arm --version
  QEMU emulator version 2.11.0

Preparation

We need a proper kernel and the Arch Linux ARM distro for the Raspberry Pi system. You can get both using wget:

wget https://github.com/dhruvvyas90/qemu-rpi-kernel/raw/master/kernel-qemu-4.4.34-jessie
wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-latest.tar.gz

Check the qemu-rpi-kernel github page for a more recent kernel if needed.

Image creation

Choose an appropriate size for your image, I'll go for 8 GiB in this example:

dd if=/dev/zero of=Arch.img count=8192 bs=1048576

We create two partitions inside the image, one 100 MiB partition for /boot and one / partition filling the rest of the image:

fdisk ./Arch.img
  Command (m for help): n
    Partition type
      p   primary (0 primary, 0 extended, 4 free)
      e   extended (container for logical partitions)
    Select (default p): p
    Partition number (1-4, default 1):
    First sector (2048-16777215, default 2048):
    Last sector, +sectors or +size{K,M,G,T,P} (2048-16777215, default 16777215): +100M

    Created a new partition 1 of type 'Linux' and of size 100 MiB.

    Command (m for help): n
    Partition type
      p   primary (1 primary, 0 extended, 3 free)
      e   extended (container for logical partitions)
    Select (default p): p
    Partition number (2-4, default 2):
    First sector (206848-16777215, default 206848):
    Last sector, +sectors or +size{K,M,G,T,P} (206848-16777215, default 16777215):

    Created a new partition 2 of type 'Linux' and of size 7.9 GiB.

    Command (m for help): w

Arch Linux ARM installation

Using losetup and partx, we setup a loop device for the image and add specific partitions:

su -c 'losetup -f --show Arch.img'
su -c 'partx -a /dev/loop0'

The partitions are now accessible as /dev/loop0p1 and /dev/loop0p2 within the local filesystem. Time to create an appropriate filesystem for each partition. We choose FAT for the /boot partition and ext4 for the / partition.

su -c 'mkfs.vfat /dev/loop0p1'
su -c 'mkfs.ext4 /dev/loop0p2'

We are now able to locally mount both partitions:

mkdir boot root
su -c 'mount /dev/loop0p1 boot/'
su -c 'mount /dev/loop0p2 root/'

The following commands install Arch Linux ARM to the image:

su -c 'bsdtar -xpf ArchLinuxARM-rpi-latest.tar.gz -C root/'
su -c 'mv root/boot/* boot/'

Since ArchLinuxARM-rpi-latest.tar.gz was created to fit onto a SD Card, the fstab file does not yet fit our needs. Without the following changes to fstab, the kernel would not find the partitions:

emacs root/etc/fstab
# Static information about the filesystems.
# See fstab(5) for details.

# <file system>  <dir>   <type>  <options>      <dump>  <pass>
-/dev/mmcblk0p1  /boot   vfat    defaults        0       0
+/dev/sda1       /boot   vfat    defaults        0       0
+/dev/sdb2       /       ext4    defaults        0       0

Now unmount the partitions and clean up things:

su -c 'umount /dev/loop0p1'
su -c 'umount /dev/loop0p2'
su -c 'partx -d /dev/loop0'
su -c 'losetup -d /dev/loop0'

Run the guest system

Let's finally run the Raspberry Pi image with qemu-system-arm:

qemu-system-arm -kernel kernel-qemu-4.4.34-jessie -cpu arm1176 -m 256 -M versatilepb -serial stdio -append "root=/dev/sda2 rootfstype=ext4 rw" -hda Arch.img -net nic,macaddr=de:ad:be:ef:ca:fe -net user,hostfwd=tcp::5555-:22

Note from the command above, that qemu will forward the guest's TCP port 22 (SSH) to the host TCP port 5555. Login into your guest system as root and activate the SSH server:

systemctl enable sshd
systemctl start sshd

Now you should be able to SSH from your host into your guest system:

ssh -p 5555 alarm@127.0.0.1

Reverse Engineering Remote Control Power Sockets - Part 3: Protocol analysis with SDR

Tooling

SDR

In the last blog post Part 2: Protocol analysis with oscilloscope, I used an oscilloscope to record the protocol send by the remote control. This time I'd like to show a cheaper approach to get to the same result. The DVB-T sticks supported by rtl-sdr are able to tune to the 433 MHz UHF band and can be used as a Software-defined radio (SDR). Using free software like Gqrx and Audacity, it's possible to fully reverse engineer the codewords send by the remote control's encoder chip. All needed information is already known from the blog post Part 1: Information gathering.

Record codeword with Gqrx

Gqrx is an excellent, easy to use, open source software defined radio receiver supporting rtl-sdr devices like the Noxon DAB Stick. See the list of Supported hardware to check if your device is supported.

Modulation

Readers interested in radio communication may have already noticed by reading the encoder datasheet, that all circuits showing UHF band data transmitters, implement an amplitude modulation (AM) modulator. The carrier frequency (433.92 MHz) can be found in the power outlet manual or on the remote control's backside.

Gqrx settings

Codeword 001

Gqrx can be used to record a complete remote control transmission to a .wav file. The recorded audio file can then be analyzed with Audacity. The output file gets stored to the home folder, the filename looks similar to gqrx_20170422_152940_433920000.wav. This file can now be opened by Audacity for analyzing the codeword.

Analyze codeword with Audacity

Audacity is a free, open source, cross-platform audio software. It can be used to view the demodulated codeword audio files generated by Gqrx.

Outlet group 0 | Outlet 1 | On

The following picture shows the recorded codeword for switching on outlet 1 within outlet group 0.

Codeword 001

Although the codeword seems to contain valid bit patterns, it is apparent that the first and the last bit (sync bit) look weird. A quick look into the decoder datasheet (PT2272) shows an inverting stage in the RF Application Circuit. Luckily, Audacity offers the possibility to just invert the audio track:

Effect -> Invert

Codeword 001

The first bit pattern still looks a little bit weird, but the rest of the codeword matches exactly the result we already know from Part 2: Protocol analysis with oscilloscope.

Group

Outlet

On/Off

FFFFF

0FFFF

0F

Damn Vulnerable Router Firmware - Hardware Bring-up

The Damn Vulnerable Router Firmware (DVRF) is a vulnerable firmware for Linksys E1550 routers. According to the author, "the goal of this project is to simulate a real world environment to help people learn about other CPU architectures outside of the x86_64 space."

Before overwriting the original firmware, make sure to get a copy of the most recent version: FW_E1550_1.0.03.002_US_20120201_code.bin.

DVLF can be installed to the Linksys E1550 by opening the device's firmware upgrade page.

UART connection

As stated in the project's README.md file, UART access is needed in order to execute the "pwnable" binaries. The UART pins are easily accessible after populating DJ12 with a 1x5 pin male header (2.54 mm spacing between pins).

Open Housing

housing

To avoid short-circuiting, remove the power plug before you open the housing!

The Linksys E1550 uses an external power supply so it was not designed with concern for hazardous voltages inside the enclosure. However, to avoid short-circuiting, remove the power plug before you open the housing!

To open the housing, remove the three screw covers on the back of the device. Please note that products with their warranty labels and barcodes removed or altered are not covered by the warranty any more.

The screws can be easily removed using a Phillips-tip screwdriver. After removal, use a special soft-plastic housing opening tool to lift the lid.

Attach Pin Header

pcb

The UART pins are located at DJ12, right above the Serial Flash IC (Winbond 25Q128BVFG). Use a solder iron to solder a 1x5 pin male header (2.54 mm spacing between pins) to DJ12.

Pinout

  • Pin1: 3.3 V

  • Pin2: Tx (Linksys E1550 transmits on this pin)

  • Pin3: Rx (Linksys E1550 receives on this pin)

  • Pin4: ?

  • Pin5: GND

Firmware Installation

Download DVRF

git clone https://github.com/praetorian-inc/DVRF.git
file DVRF/Firmware/DVRF_v03.bin
   DVRF/Firmware/DVRF_v03.bin: data

Install DVRF

Connect your PC to the Linksys E1550 via Ethernet. Your PC should get an IP address via DHCP, the default subnet is 192.168.1.0/24. Use your default browser to open the device's firmware upgrade page and upload file DVRF/Firmware/DVRF_v03.bin. The device will automatically reboot after the installation.

After the device rebooted, connect to the router's default page, you should see the following:

housing

Reverse Engineering Remote Control Power Sockets - Part 2: Protocol analysis with oscilloscope

Tooling

If you've read the first blog post of this series, you already know that the intention of this project is to replace the remote control of these devices by a cheap 433 MHz transceiver and a microcontroller platform. In order to do so, the protocol send by the remote control encoder chip PT2262, has to be imitated by the microcontroller. We already know from the previous blog post, that pushing one of the buttons of the remote control forces the PT2262 to create a unique codeword that is send to RF modulator. The datasheet:

The encoded waveform is serially outputted to this pin. When PT2262 is not transmitting, DOUT outputs low (Vss) voltage.

To be able to replace the remote control by an own circuit driven by a microcontroller, the special codeword for each button has to be determind.

Oscilloscope

Oscilloscope DOUT

Using an oscilloscope is the most comfortable way to reverse engineer the remote control protocol. A cheap one like the Rigol DS1052e is more than sufficient. Don't mind if you can't afford one, I will show a cheaper method to get behind the protocol in an upcoming blog post.

Connection

Connect your probe's ground clip to HX2262's pin 9 (VSS) and the probe tip to pin 17 (DOUT).

Rigol DS1052E settings

  • Long Memory (Acquire -> MemDepth -> Long Mem)

  • Single shot trigger

Determining the Oscillating Clock Period α

product info

We already know from the datasheet, that each bit waveform consists of two pulse cycles and each pulse cycle has 16 oscillating time periods. In the case of a Bit "0", one pulse cycle consists of four periods high, twelve periods low, four periods high and another twelve periods low. This pattern can be easily found with the oszilloscope.

The picture on the left shows the overall time (2.8 ms) for a "0" bit:

\begin{equation*} \alpha = \frac{2800\,us}{32} = 87.5\,us \end{equation*}
product info

The picture on the right shows the high part of the first pulse cycle (4 periods high bits) with a total time of 350 us:

\begin{equation*} \alpha = \frac{350\,us}{4} = 87.5\,us \end{equation*}
product info

The picture on the left shows the low part of the first pulse cycle (12 periods low bits) with a total time of 1050 us:

\begin{equation*} \frac{1050\,us}{12} = 87.5\,us \end{equation*}

Given those three results, we can asume the oscillating clock period α to be 87.5 us. According to the datasheet, α can be configured by a resistor connected between pins 15 (OSC 1) and 16 (OSC 2), so it might differ for other power outlets. It might be a good idea to not hardcode the value.

product info

Another approach to determine α is to connect the probe tip to pin 15 (OSC 1) and to directly measure the oscillator frequency. The next picture on the right shows one cycle duration of the oscillator frequency. The measured periodic time of 87.6 us perfectly fits our previously made assumption of 87.5 us.

Codeword analysis

A group of Code Bits is called a Code Word. A Code Word consists of 12 AD bits followed by one Sync Bit.

product info

In part 1 of this blog post series, we assumed that the first five bits encode the outlet group part of the codeword, the next five encode the socket within that group and the last two encode the on/off part. We can simply proof this assumption by just pressing the appropriate push-button on the remote control and displaying the waveform on the oscilloscope. A good starting point is to set all pins of the DIP switch (Code Address Pin 0 ~ 5) to off (outlet group 0) and press the on/off push-buttons for each outlet within that group.

The following sequence of images show one complete codeword for pushing the on and off buttons for different combinations of groups and outlets. Please notice that some signal changes overlap, just try to find the bit patterns that are already known from the datasheet. Each picture (except the last one) contains four bit patterns. This makes a summary of 12 AD bits followed by one sync bit. The codewords are then grouped together to their group (five bits), outlet (five bits) and data (two bits) parts.

Outlet group 0 | Outlet 1 | On

Pushing the on button for outlet 0 within group 0 leads to the following codeword:

product infoproduct infoproduct infoproduct info

Codeword: FFFF F0FF FF0F Sync

Group

Outlet

On/Off

FFFFF

0FFFF

0F

Outlet group 0 | Outlet 1 | Off

Pushing the off button for the same outlet (0) within the same group (0) leads to a very similar result. Solely the last two bits have changed.

product infoproduct infoproduct infoproduct info

Codeword: FFFF F0FF FFF0 Sync

Group

Outlet

On/Off

FFFFF

0FFFF

F0

Outlet group 0 | Outlet 2 | On

The next image series shows the result for pushing the on button for outlet 1 within group 0. This time, the outlet part of the codeword has changed while the group part is still the same.

product infoproduct infoproduct infoproduct info

Codeword: FFFF FF0F FF0F Sync

Group

Outlet

On/Off

FFFFF

F0FFF

0F

Outlet group 1 | Outlet 1 | On

Setting the first DIP switch to "on" and pressing the on button for socket 0 again, leads to another codeword. This time, the first bit group has changed.

product infoproduct infoproduct infoproduct info

Codeword: 0FFF F0FF FF0F Sync

Group

Outlet

On/Off

0FFFF

0FFFF

0F

Outlet group 31 | Outlet 1 | On

The last image series shows the codeword for the following setup: All remote control DIP switches are set to on (group 31) and the on button for outlet 0 has been pushed.

product infoproduct infoproduct infoproduct info

Codeword: 0000 00FF FF0F Sync

Group

Outlet

On/Off

00000

0FFFF

0F

Looking at the combinations above, we can see a clear pattern. Both, groups and outlets are binary encoded with group/socket 1 as LSB and group/socket 5 as MSB. A cleared bit translates to a "F" waveform, a set bit translates to a "0" waveform.

Conclusion

The assumtions made in part 1 of this series seem to be correct. One codeword consists of five bits for the outlet group, five bits for the outlet within that group and two bits for the on/off part of the codeword.

The timebase for the codeword (Oscillating Clock Period α) was measured with the oscilloscope and seems to be 87.5 us.

Reverse Engineering Remote Control Power Sockets - Part 1: Information gathering

Tooling

  • Phillips-tip screwdriver

  • Computer with internet access

  • Multimeter (optional)

Remote control

product info

According to the information on the back, the remote control sends on 433.92 MHz, a frequency within the UHF band. The 433 MHz band is meant for short range consumer devices including automotive, alarm systems, home automation and temperature sensors.

Open housing

To avoid short-circuiting, remove the 12 V battery, then remove the three screws using a Phillips-tip screwdriver. When the srews are removed, you can easily lift the housing and remove the printed circuit board (PCB).

Printed circuit board

product info

There are only a few components placed on the PCB, the most interesting ones can be found on the top layer:

  • Battery holder

  • DIP switch

  • Integrated circuit (IC) in 18 pin dual in-line (DIP) package, labeled with HX2262

  • Contacts for push-buttons

  • 433 MHz oscillator

  • Light-emitting diode (LED)

Ignore the yellow dot added to the picture of the PCB's top layer at the moment, we'll come back to it later.

Remote Control Encoder

An internet search for HX2262 quickly leads to the IC's datasheet. The IC HX2262 (PT2262) is a Remote Control Encoder and can be paired with PT2272, the suitable Remote Control Decoder.

PT2262's purpose is quickly explained:

PT2262 encodes the code address and data set at A0 ~ A5 and A6/D5 ~ A11/D0 into a special waveform and outputs it to the DOUT when TE is pulled to 0 (Low State). This waveform is fed to the RF modulator for transmission. The transmitted radio frequency RF demodulator and reshaped to the special waveform. PT2272 is then used to decode the waveform and set the corresponding output pin(s). Thus completing a remote control encoding and decoding function.

Data Output Pin (DOUT)

All connections of the pins described later on have only one purpose, to influence the behaviour of pin 17, the Data Output Pin (DOUT).

The encoded waveform is serially outputted to this pin. When PT2262 is not transmitting, DOUT outputs low (Vss) voltage.

We already know from the Remote Control Encode description, that DOUT's output is fed into the RF modulator and send to the power plug. The lazy reader might stop reading at this point. The whole magic happens on DOUT as will be described in a future post.

Code Address Pin Group

product info

From the power plug manual, we already know that the DIP switch is used to control a specific outlet group and the push-buttons are used to control four outlets within that group. Using a multimeter in continuity test mode or just looking at the connections on the bottom layer shows, that five pins of the DIP switch are directly connected to the bottom layer polygone plane. The polygone plane is directly connected to the negative pole of the battery holder (GND).

The remaining five pins are directly connected to pins 1 to 5 of the HX2262 (red dots on bottom layer picture):

  • DIP switch Pin 1 <--> PT2261 Pin 1 (A0)

  • DIP switch Pin 2 <--> PT2261 Pin 2 (A1)

  • DIP switch Pin 3 <--> PT2261 Pin 3 (A2)

  • DIP switch Pin 4 <--> PT2261 Pin 4 (A3)

  • DIP switch Pin 5 <--> PT2261 Pin 5 (A4)

According to the datasheet, pins 1 to 5 belong to the Code Address Pin group (A0 ~ A5):

Code Address Pin 0 ~ 5: These six tri-state pins are detected by PT2262 to determine the encoded waveform bit 0 ~ bit 5. Each pin can be set to 0, 1 or f (floating).

R04

Taking a look at the bottom layer again shows that PT2262's pins 6, 7, 8 and 10 are connected to vias in the middle of the PCB (yellow dots). Together with pin 11 (yellow dot on the top layer picture), those pins are all connected to push-button contacts.

The description for pins 6, 7, 8, 10 and 11 states that those pins are named A6/D5 ~ A11/D0 and belong to the Code Address Pin group as well.

Code Address Pin 6 ~ 11 / Data Pin 5 ~ 0. These six tri-state pins are detected by PT2262 to determine the encoded waveform bit 6 ~ bit 11. When these pins are used as address pins, they can be set to 0, 1, or f (floating). When these pins are used as data pins, they can be set only to 0 or 1.

Since those pins are directly connected to the push-buttons, it is most likely that they are used as data pins for setting a power plug either on or off.

RF operation: Code bits

product info

A code bit is the basic component of the encoded waveform, and can be classified as either an AD (address/data) bit or a sync (synchronous) bit. The PT2262 protocol knows three different AD bits:

  • Bit "0"

  • Bit "1"

  • Bit "f" (floating)

A group of code bits is called a code word. A code word consists of 12 AD bits followed by one sync bit.

The time base for all code bits is the so called Oscillating Clock Period (α). To be able to create the codewords with a microcontroller, it is necessary to know α. The simplest way to get the Oscillating Clock Period is to connect an oscilloscope to the DOUT pin, search for a known bit pattern ("0", "1" or "f") and just measure the time for that pattern.

Signal Resistor Oscillator

R04

The PT2262 has a built-in oscillator circuitry that can be configured with a resistor connected between pins 15 (OSC1) and 16 (OSC2). Taking a look at the bottom layer shows that the respective resistor is R04. The SMD resistor code "335" indicates the numerical resistance value of 3.3 MΩ, a value suggested by the datasheet.

Osc

The Signal Resistor Oscillator directly affects the DOUT carrier frequency. The datasheet includes a diagram showing the relationship between R04 and the encoder oscillator frequency. For the resistor value of 3.3 MΩ, the frequency amounts to approximately 10 kHz.

Schematics

As stated before, all relevant information, needed to reverse engineer the protocol send by the remote control, is already known. However, the nosy reader may want to grab a multimeter in continuity test mode to reverse engineer the functionality of the push-buttons and the DIP switch.

product info
  • As stated before, one pin row of the DIP switch is directly connected to GND. The other row is connected to PT2262's pins A0 to A4. The DIP switch is used to configure the outlet group part of the code word send out by the DOUT pin.

  • Pin A10 is pulled high by R03 by default. Pushing one of the ON buttons pulls the pin to GND. Pin A10 encodes the ON information part of the codeword.

  • Pin A11 is pulled high by R01 by default. Pushing one of the OFF buttons pulls the pin to GND. Pin A11 encodes the OFF information part of the codeword.

  • One of the three contacts of each push-button pair is connected to one of PT2262'S pins A5 to A8:

    • Push-buttons A: A5

    • Push-buttons B: A6

    • Push-buttons C: A7

    • Push-buttons D: A8

  • The low-active Transmission Enable (/TE) pin is pulled high by R02 normally. Pushing one of the buttons brings the corresponding diode in its conductive state and pulls /TE towards GND. PT2262 starts to output the encoded waveform to DOUT.

Reverse Engineering Remote Control Power Sockets

pollin frontpollin back

For about 13 EUR, the German electronics dispatcher Pollin sells remote controlled power plugs that can be used as kind of a poor man's home automation system. Four plugs can be grouped together and switched on or off by a remote control.

Inspired by an article in the German c't Hacks magazine (3/2012), the following series of post will guide through a reverse engineering process with the intention to replace the remote control in two different ways. The first approach uses an Andoid smartphone connected to a Raspberry Pi via WiFi, the second one makes use of a STM32F0DISCOVERY. Both microcontroller platforms make use of a cheap 433 MHz transceiver ordered in China. If you plan to rebuild one of the projects, make sure to order right now, the shipping from China may take weeks to month.

In case of the Raspberry Pi, two approaches will be described, one in userspace and one in kernel space. The kernel space approach comes in form of a Linux Kernel Module (LKM) and hides the fact that the Raspberry Pi normally is not capable of fulfilling realtime tasks.

Tooling

In order to follow the articles, or to rebuild one of the projects, you'll need the following items:

  • Raspberry Pi and Android smartphone or

  • STM32F0DISCOVERY

  • 433 MHz transceiver (e.g. from ebay)

  • Multimeter (optional, e.g UNI-T UT61C)

  • Oscilloscope (e.g. RIGOL DS1052E) or

  • Software-defined radio supported by rtl-sdr (e.g. Noxon DAB Stick)

  • Phillips-tip screwdriver