Reverse Engineering Remote Control Power Sockets - Part 2: Protocol analysis with oscilloscope
Tooling
Oscilloscope (e.g. Rigol DS1052e)
If you've read the first blog post of this series, you already know that the intention of this project is to replace the remote control of these devices with a cheap 433 MHz transceiver and a microcontroller platform. In order to do so, the protocol sent by the remote control's encoder chip, the PT2262, has to be imitated by the microcontroller. We already know from the previous blog post that pushing one of the buttons of the remote control forces the PT2262 to create a unique codeword that is sent to the RF modulator. The datasheet says:
The encoded waveform is serially outputted to this pin. When PT2262 is not transmitting, DOUT outputs low (Vss) voltage.
To be able to replace the remote control with a custom circuit driven by a microcontroller, the specific codeword for each button has to be determined.
Oscilloscope

Using an oscilloscope is the most comfortable way to reverse engineer the remote control protocol. A cheap one like the Rigol DS1052e is more than sufficient. Don't worry if you can't afford one; I will show a cheaper method to work out the protocol in an upcoming blog post.
Connection
Connect your probe's ground clip to HX2262's pin 9 (VSS) and the probe tip to pin 17 (DOUT).
Rigol DS1052E settings
Long Memory (Acquire -> MemDepth -> Long Mem)
Single shot trigger
Determining the Oscillating Clock Period α

We already know from the datasheet that each bit waveform consists of two pulse cycles and that each pulse cycle has 16 oscillating time periods. In the case of a "0" bit, the two pulse cycles are four periods high, twelve periods low, four periods high and another twelve periods low. This pattern can easily be found with the oscilloscope.
The picture on the left shows the overall time (2.8 ms) of a "0" bit:

The picture on the right shows the high part of the first pulse cycle (four periods high) with a total time of 350 us:

The picture on the left shows the low part of the first pulse cycle (twelve periods low) with a total time of 1050 us:
Given those three results, we can assume the oscillating clock period α to be 87.5 us (350 us / 4, 1050 us / 12 and 2.8 ms / 32 all agree). According to the datasheet, α is set by a resistor connected between pins 15 (OSC 1) and 16 (OSC 2), so it might differ for other power outlets. It is a good idea not to hardcode the value.

Another way to determine α is to connect the probe tip to pin 15 (OSC 1) and measure the oscillator frequency directly. The next picture on the right shows one cycle of the oscillator signal. The measured period of 87.6 us fits our previous estimate of 87.5 us well.
Codeword analysis
A group of Code Bits is called a Code Word. A Code Word consists of 12 AD bits followed by one Sync Bit.

In part 1 of this series, we assumed that the first five bits encode the outlet group part of the codeword, the next five encode the outlet within that group and the last two encode the on/off part. We can verify this assumption by pressing the appropriate push-button on the remote control and displaying the waveform on the oscilloscope. A good starting point is to set all pins of the DIP switch (Code Address Pin 0 ~ 5) to off (outlet group 0) and press the on/off push-buttons for each outlet within that group.
The following sequence of images shows one complete codeword for pushing the on and off buttons for different combinations of groups and outlets. Notice that some signal changes overlap; just try to find the bit patterns already known from the datasheet. Each picture (except the last one) contains four bit patterns, which add up to 12 AD bits followed by one sync bit. The codewords are then split into their group (five bits), outlet (five bits) and data (two bits) parts.
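To make the reading of those captures mechanical, here is an added example (my code, not code from the original post) that takes a captured pulse train, estimates α from it instead of hardcoding the value, and decodes the pulse cycles into the "0"/"F" notation used below, ending at the sync bit. The capture format (high and low duration per pulse cycle) and the sample capture itself are constructed for the example. The "0" bit timing is the one measured above; the timings for the "1", "F" and sync waveforms (12α/4α cycles, and 4α high followed by 124α low) are taken from the PT2262 datasheet rather than from this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One pulse cycle captured from DOUT: duration of its high part and of the
 * following low part, in microseconds (a constructed capture format). */
typedef struct {
    double high_us;
    double low_us;
} pulse_cycle_t;

/* Constructed capture of the codeword "FFFF F0FF FF0F Sync" at alpha = 87.5 us,
 * with a little jitter. S = 4a high / 12a low, L = 12a high / 4a low,
 * Y = sync (4a high / 124a low). A "0" bit is S,S; an "F" bit is S,L. */
#define S {352.0, 1047.0}
#define L {1053.0, 349.0}
#define Y {350.0, 10850.0}
static const pulse_cycle_t sample_capture[] = {
    S, L,  S, L,  S, L,  S, L,   /* F F F F */
    S, L,  S, S,  S, L,  S, L,   /* F 0 F F */
    S, L,  S, L,  S, S,  S, L,   /* F F 0 F */
    Y                            /* Sync    */
};
#undef S
#undef L
#undef Y
#define SAMPLE_LEN (sizeof sample_capture / sizeof sample_capture[0])

/* Estimate alpha from the capture instead of hardcoding it: the shortest high
 * part of any pulse cycle is 4 alpha, so alpha = min(high) / 4. */
double estimate_alpha(const pulse_cycle_t *cycles, size_t n) {
    double min_high = cycles[0].high_us;
    for (size_t i = 1; i < n; i++)
        if (cycles[i].high_us < min_high) min_high = cycles[i].high_us;
    return min_high / 4.0;
}

/* True if v (already in units of alpha) lies within tol of target. */
static int within(double v, double target, double tol) {
    return v > target - tol && v < target + tol;
}

/* Classify one pulse cycle by its high/low lengths in units of alpha:
 * 'S' short-high cycle, 'L' long-high cycle, 'Y' sync, '?' unrecognised. */
static char classify_cycle(pulse_cycle_t c, double alpha) {
    double h = c.high_us / alpha, l = c.low_us / alpha;
    if (within(h, 4.0, 1.0) && within(l, 12.0, 2.0))  return 'S';
    if (within(h, 12.0, 2.0) && within(l, 4.0, 1.0))  return 'L';
    if (within(h, 4.0, 1.0) && within(l, 124.0, 8.0)) return 'Y';
    return '?';
}

/* Decode a capture into the notation used on this page ("FFFF F0FF FF0F Sync").
 * Returns the number of data bits decoded, or -1 for a malformed capture
 * (unknown cycle shape, a truncated bit, or more than 12 bits before sync). */
int decode_codeword(const pulse_cycle_t *cycles, size_t n, double alpha,
                    char *out, size_t out_len) {
    size_t pos = 0, i = 0;
    int bits = 0;
    if (n == 0 || out_len < 24) return -1;     /* 12 symbols + 2 spaces + " Sync" + NUL */
    while (i < n) {
        char a = classify_cycle(cycles[i], alpha);
        if (a == 'Y') {                        /* the sync bit ends the codeword */
            snprintf(out + pos, out_len - pos, "%sSync", bits ? " " : "");
            return bits;
        }
        if (bits == 12 || i + 1 >= n) return -1;
        char b = classify_cycle(cycles[i + 1], alpha);
        char sym;
        if (a == 'S' && b == 'S')      sym = '0';   /* "0": two short-high cycles */
        else if (a == 'L' && b == 'L') sym = '1';   /* "1": two long-high cycles  */
        else if (a == 'S' && b == 'L') sym = 'F';   /* "F": short then long       */
        else return -1;
        if (bits > 0 && bits % 4 == 0) out[pos++] = ' ';  /* group by four as on the page */
        out[pos++] = sym;
        bits++;
        i += 2;
    }
    out[pos] = '\0';                           /* no sync seen: return what was decoded */
    return bits;
}

/* Decode the constructed sample with an estimated alpha; "error" if malformed. */
const char *decode_sample(void) {
    static char buf[32];
    double alpha = estimate_alpha(sample_capture, SAMPLE_LEN);
    if (decode_codeword(sample_capture, SAMPLE_LEN, alpha, buf, sizeof buf) < 0) return "error";
    return buf;
}

int main(void) {
    printf("alpha ~ %.1f us: %s\n", estimate_alpha(sample_capture, SAMPLE_LEN), decode_sample());
    return 0;
}
```

The tolerances in classify_cycle are deliberately loose (about ±25% of the short part), because the captures above show that the edges are not perfectly clean; a capture decoded with a wrong α, or with too few cycles for a whole bit, is rejected rather than guessed at.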
Outlet group 0 | Outlet 1 | On
Pushing the on button for outlet 0 within group 0 leads to the following codeword:




Codeword: FFFF F0FF FF0F Sync
| Group | Outlet | On/Off |
|---|---|---|
| FFFFF | 0FFFF | 0F |
Outlet group 0 | Outlet 1 | Off
Pushing the off button for the same outlet (0) within the same group (0) leads to a very similar result; only the last two bits have changed.




Codeword: FFFF F0FF FFF0 Sync
| Group | Outlet | On/Off |
|---|---|---|
| FFFFF | 0FFFF | F0 |
Outlet group 0 | Outlet 2 | On
The next image series shows the result of pushing the on button for outlet 1 within group 0. This time the outlet part of the codeword has changed while the group part is still the same.




Codeword: FFFF FF0F FF0F Sync
| Group | Outlet | On/Off |
|---|---|---|
| FFFFF | F0FFF | 0F |
Outlet group 1 | Outlet 1 | On
Setting the first DIP switch to "on" and pressing the on button for socket 0 again leads to another codeword. This time the first bit group has changed.




Codeword: 0FFF F0FF FF0F Sync
| Group | Outlet | On/Off |
|---|---|---|
| 0FFFF | 0FFFF | 0F |
Outlet group 31 | Outlet 1 | On
The last image series shows the codeword for the following setup: All remote control DIP switches are set to on (group 31) and the on button for outlet 0 has been pushed.




Codeword: 0000 00FF FF0F Sync
| Group | Outlet | On/Off |
|---|---|---|
| 00000 | 0FFFF | 0F |
Looking at the combinations above, we can see a clear pattern. Both groups and outlets are binary encoded with group/socket 1 as the LSB and group/socket 5 as the MSB. A cleared bit translates to an "F" waveform, a set bit translates to a "0" waveform.
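Putting that pattern to use, the following added example (my code, not the original author's) builds the 12-symbol codeword from the group and outlet field values and the on/off selection, and expands it into a pulse train for a transmitter with α passed in as a parameter rather than hardcoded, as suggested in the α section above. Assumptions: group and outlet are the raw 5-bit field values (the captures above show 1 for the first outlet and 2 for the second; how further outlets are numbered is not established here), "0F"/"F0" is the on/off mapping read off the captures, and the "1", "F" and sync timings come from the PT2262 datasheet rather than from this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One transmit step for the transceiver's data pin: the level to drive and
 * for how long, in microseconds. */
typedef struct {
    int level;           /* 1 = high, 0 = low */
    double duration_us;
} pulse_t;

/* Build the 12-symbol codeword in the notation used on this page, e.g.
 * "FFFF F0FF FF0F". group and outlet are raw 5-bit field values (assumption:
 * the page shows 1 and 2 for the first two outlets). Bit 0 of a field becomes
 * its first symbol (LSB first); a set bit is a "0" waveform, a cleared bit an
 * "F" waveform; on is "0F", off is "F0". Returns 0 on success, -1 on error. */
int encode_codeword(unsigned group, unsigned outlet, int on,
                    char *out, size_t out_len) {
    char sym[12];
    size_t pos = 0;
    if (group > 31 || outlet > 31 || out_len < 15) return -1;
    for (int bit = 0; bit < 5; bit++) sym[bit]     = (group  >> bit) & 1 ? '0' : 'F';
    for (int bit = 0; bit < 5; bit++) sym[5 + bit] = (outlet >> bit) & 1 ? '0' : 'F';
    sym[10] = on ? '0' : 'F';
    sym[11] = on ? 'F' : '0';
    for (int i = 0; i < 12; i++) {
        if (i > 0 && i % 4 == 0) out[pos++] = ' ';   /* group by four as on the page */
        out[pos++] = sym[i];
    }
    out[pos] = '\0';
    return 0;
}

/* Codeword as a string in a static buffer, or NULL on error. */
const char *codeword_for(unsigned group, unsigned outlet, int on) {
    static char buf[16];
    return encode_codeword(group, outlet, on, buf, sizeof buf) == 0 ? buf : NULL;
}

/* Write the transmit steps for one symbol into out (room for 4 steps).
 * Shapes in units of alpha follow the PT2262 datasheet (only the "0" bit is
 * measured on this page): "0" = (4 high, 12 low) twice, "1" = (12 high, 4 low)
 * twice, "F" = (4, 12) then (12, 4), sync ('S' here) = 4 high, 124 low.
 * Returns the number of steps written, 0 for an unknown symbol. */
static size_t symbol_pulses(char sym, double alpha, pulse_t *out) {
    static const double shapes[3][4] = {
        {  4, 12,  4, 12 },   /* '0' */
        { 12,  4, 12,  4 },   /* '1' */
        {  4, 12, 12,  4 },   /* 'F' */
    };
    const double *shape;
    if (sym == 'S') {
        out[0] = (pulse_t){ 1,   4 * alpha };
        out[1] = (pulse_t){ 0, 124 * alpha };
        return 2;
    }
    if (sym == '0')      shape = shapes[0];
    else if (sym == '1') shape = shapes[1];
    else if (sym == 'F') shape = shapes[2];
    else return 0;
    for (int i = 0; i < 4; i++)
        out[i] = (pulse_t){ i % 2 == 0, shape[i] * alpha };   /* high, low, high, low */
    return 4;
}

/* Expand a codeword string (spaces ignored) plus the trailing sync bit into a
 * pulse train; alpha is a parameter so a different oscillator resistor only
 * changes one argument. Returns the number of steps, or 0 on error. */
size_t build_pulse_train(const char *codeword, double alpha,
                         pulse_t *out, size_t max_steps) {
    size_t n = 0;
    for (const char *p = codeword; *p; p++) {
        if (*p == ' ') continue;
        if (n + 4 > max_steps) return 0;
        size_t k = symbol_pulses(*p, alpha, out + n);
        if (k == 0) return 0;
        n += k;
    }
    if (n + 2 > max_steps) return 0;
    return n + symbol_pulses('S', alpha, out + n);
}

/* Total airtime of one codeword plus sync in microseconds (12 bits x 32 alpha
 * + 128 alpha = 512 alpha); 0 if the codeword is invalid. */
double airtime_us(const char *codeword, double alpha) {
    pulse_t train[64];
    size_t n = build_pulse_train(codeword, alpha, train, 64);
    double total = 0;
    for (size_t i = 0; i < n; i++) total += train[i].duration_us;
    return total;
}

int main(void) {
    const char *cw = codeword_for(0, 1, 1);            /* group 0, outlet field 1, on */
    printf("%s Sync -> %.1f ms airtime at alpha = 87.5 us\n", cw, airtime_us(cw, 87.5) / 1000.0);
    return 0;
}
```

On the microcontroller, each pulse_t step simply becomes "drive the transmitter's data pin to level, wait duration_us", and the whole train is normally repeated several times per button press; with α = 87.5 us one codeword including its sync bit occupies 512α = 44.8 ms of air time.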
Conclusion
The assumptions made in part 1 of this series seem to be correct. One codeword consists of five bits for the outlet group, five bits for the outlet within that group and two bits for the on/off part of the codeword.
The timebase for the codeword (Oscillating Clock Period α) was measured with the oscilloscope and seems to be 87.5 us.