Reverse Engineering Remote Control Power Sockets - Part 1: Information gathering

Data Output Pin (DOUT)

All connections of the pins described later on have only one purpose, to influence the behaviour of pin 17, the Data Output Pin (DOUT).

The encoded waveform is serially outputted to this pin. When PT2262 is not transmitting, DOUT outputs low (Vss) voltage.

We already know from the Remote Control Encode description, that DOUT's output is fed into the RF modulator and send to the power plug. The lazy reader might stop reading at this point. The whole magic happens on DOUT as will be described in a future post.

Code Address Pin Group

From the power plug manual, we already know that the DIP switch is used to control a specific outlet group and the push-buttons are used to control four outlets within that group. Using a multimeter in continuity test mode or just looking at the connections on the bottom layer shows, that five pins of the DIP switch are directly connected to the bottom layer polygone plane. The polygone plane is directly connected to the negative pole of the battery holder (GND).

The remaining five pins are directly connected to pins 1 to 5 of the HX2262 (red dots on bottom layer picture):

• DIP switch Pin 1 <--> PT2261 Pin 1 (A0)

• DIP switch Pin 2 <--> PT2261 Pin 2 (A1)

• DIP switch Pin 3 <--> PT2261 Pin 3 (A2)

• DIP switch Pin 4 <--> PT2261 Pin 4 (A3)

• DIP switch Pin 5 <--> PT2261 Pin 5 (A4)

According to the datasheet, pins 1 to 5 belong to the Code Address Pin group (A0 ~ A5):

Code Address Pin 0 ~ 5: These six tri-state pins are detected by PT2262 to determine the encoded waveform bit 0 ~ bit 5. Each pin can be set to 0, 1 or f (floating).

Taking a look at the bottom layer again shows that PT2262's pins 6, 7, 8 and 10 are connected to vias in the middle of the PCB (yellow dots). Together with pin 11 (yellow dot on the top layer picture), those pins are all connected to push-button contacts.

The description for pins 6, 7, 8, 10 and 11 states that those pins are named A6/D5 ~ A11/D0 and belong to the Code Address Pin group as well.

Code Address Pin 6 ~ 11 / Data Pin 5 ~ 0. These six tri-state pins are detected by PT2262 to determine the encoded waveform bit 6 ~ bit 11. When these pins are used as address pins, they can be set to 0, 1, or f (floating). When these pins are used as data pins, they can be set only to 0 or 1.

Since those pins are directly connected to the push-buttons, it is most likely that they are used as data pins for setting a power plug either on or off.

RF operation: Code bits

A code bit is the basic component of the encoded waveform, and can be classified as either an AD (address/data) bit or a sync (synchronous) bit. The PT2262 protocol knows three different AD bits:

• Bit "0"

• Bit "1"

• Bit "f" (floating)

A group of code bits is called a code word. A code word consists of 12 AD bits followed by one sync bit.

The time base for all code bits is the so called Oscillating Clock Period (α). To be able to create the codewords with a microcontroller, it is necessary to know α. The simplest way to get the Oscillating Clock Period is to connect an oscilloscope to the DOUT pin, search for a known bit pattern ("0", "1" or "f") and just measure the time for that pattern.

Signal Resistor Oscillator

The PT2262 has a built-in oscillator circuitry that can be configured with a resistor connected between pins 15 (OSC1) and 16 (OSC2). Taking a look at the bottom layer shows that the respective resistor is R04. The SMD resistor code "335" indicates the numerical resistance value of 3.3 MΩ, a value suggested by the datasheet.

The Signal Resistor Oscillator directly affects the DOUT carrier frequency. The datasheet includes a diagram showing the relationship between R04 and the encoder oscillator frequency. For the resistor value of 3.3 MΩ, the frequency amounts to approximately 10 kHz.