Reverse engineering an RF remote

Rintin
Fri Jan 29, 2016 5:58 pm
Hi,

I’ve got this RF mini controller for the WS2812b.

I figured out that it transmits on 433 MHz.

I connected one of these RF receivers to a USB sound card and recorded the signal with Audacity.

I connected a transmitter to my STM32 board and wrote this code that simulates some button presses:

// Output pin that send() writes the frame waveform to. The thread connects a
// 433 MHz transmitter to the board; presumably its data input is wired here.
#define PIN PB5
// LED pin written once per send() call as a visible activity indicator.
#define LED PC13

/**
 * One-time initialisation: both pins used by send() are switched to
 * push-pull output mode before loop() starts transmitting.
 */
void setup() {
  pinMode(LED, OUTPUT);  // activity indicator
  pinMode(PIN, OUTPUT);  // waveform output
}

// Level that the next send() call writes to LED; send() flips it (1 <-> 0)
// right after writing, so the LED changes state once per transmitted button.
int ledstatus = 1;

/**
 * Bit-bang one button frame on PIN.
 *
 * The waveform is: a lead-in (LOW 1000 us, HIGH 2000 us), then four
 * repetitions of [sync HIGH 7000 us, LOW 3500 us, the frame itself,
 * a 1400 us tail, LOW].
 *
 * Inside the frame every data[] entry is a wait, counted in 515 us units,
 * that is served before the pin is toggled; the first toggle drives the
 * pin HIGH.
 *
 * @param length  number of entries in data; zero or negative sends only
 *                the lead-in, sync and tail
 * @param data    wait counts, one per toggle
 */
void send(int length, uint8_t *data) {
  const int unit_us = 515;  // base period of the captured signal

  // Activity indicator: write the stored level, then flip it for next time.
  digitalWrite(LED, ledstatus);
  ledstatus = 1 - ledstatus;

  // Lead-in before the repeated frames.
  digitalWrite(PIN, LOW);
  delayMicroseconds(1000);
  digitalWrite(PIN, HIGH);
  delayMicroseconds(2000);

  // The button frame goes out four times in a row.
  int repeat = 0;
  while (repeat < 4) {
    // Sync pulse in front of every repetition.
    digitalWrite(PIN, HIGH);
    delayMicroseconds(7000);
    digitalWrite(PIN, LOW);
    delayMicroseconds(3500);

    // Frame body: wait first, then write the level, then flip it.
    int next_level = 1;
    const uint8_t *cursor = data;
    int remaining = length;
    while (remaining > 0) {
      int units = *cursor;
      cursor++;
      remaining--;
      delayMicroseconds(unit_us * units);
      digitalWrite(PIN, next_level);
      next_level ^= 1;
    }

    // Tail: hold the last level briefly, then leave the line LOW.
    delayMicroseconds(1400);
    digitalWrite(PIN, LOW);
    repeat++;
  }
}

// Button frames, transcribed from the sound-card recording of the remote.
// Each entry is a wait, in units of the 515 us base period used by send(),
// that is served before the output pin is toggled (the first toggle drives
// the pin HIGH). A 1,1 pair and a 1,3 pair are the two symbols that occur.
// All frames start with the same entries and differ only towards the end.
// NOTE(review): each button is a single constant frame here; nothing on this
// page shows a value that changes between presses -- confirm with repeated
// captures before relying on that.
uint8_t data_ON[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,1,1,1,1,3,1,3,1,1,1,3,1,1}; // ON
uint8_t data_AUTO[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,3,1,3,1,3,1,1,1,1}; // AUTO
uint8_t data_OFF[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,1,1,1,1,3,1,1,1,1}; // OFF

uint8_t data_SP[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,1,1,1,1,1,1,3,1,3,1,3,1,3,1,1}; // S+
uint8_t data_MP[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,1,1,1,1,1,1,3,1,1,1,3,1,1,1,1}; // M+
uint8_t data_BP[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,3,1,1,1,1,1,1,1,3,1,1,1,3,1,3,1,1}; // B+

uint8_t data_SM[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,1}; // S-
uint8_t data_MM[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,3,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,1}; // M-
uint8_t data_BM[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1}; // B-

uint8_t data_C11[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,3,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1}; // Red
uint8_t data_C12[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1}; // Green
uint8_t data_C13[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,3,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}; // Blue

uint8_t data_C21[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,1,1,3,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,1}; // Yellow
uint8_t data_C22[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,1,1,3,1,3,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,1}; //
uint8_t data_C23[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,1}; //

uint8_t data_C31[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,3,1,3,1,3,1,3,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,1}; //
uint8_t data_C32[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,3,1,3,1,1,1,1,1,1}; //
uint8_t data_C33[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,1,1,3,1,3,1,1,1,1,1,3,1,3,1,3,1,1,1,3,1,1}; //

uint8_t data_C41[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,3,1,3,1,3,1,3,1,1,1,1}; //
uint8_t data_C42[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,1,1,3,1,3,1,3,1,1,1,1,1,3,1,3,1,3,1,3,1,3,1,1}; //
uint8_t data_C43[] = {1,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,3,1,1,1,3,1,1,1,1,1,3,1,1,1,1,1,3,1,3,1,1,1,3,1,1,1,1}; //

/**
 * Demo cycle, repeated forever: ON, then the three colour frames C11, C12
 * and C13 (labelled Red, Green, Blue where they are defined), then OFF.
 * A 2 second pause precedes every transmission.
 */
void loop() {
  struct frame_ref {
    int length;     // number of entries in data
    uint8_t *data;  // wait counts handed to send()
  };

  // Frames in transmit order.
  struct frame_ref sequence[] = {
    { (int)sizeof(data_ON),  data_ON  },
    { (int)sizeof(data_C11), data_C11 },
    { (int)sizeof(data_C12), data_C12 },
    { (int)sizeof(data_C13), data_C13 },
    { (int)sizeof(data_OFF), data_OFF },
  };
  const int count = (int)(sizeof(sequence) / sizeof(sequence[0]));

  for (int i = 0; i < count; i++) {
    delay(2000);
    send(sequence[i].length, sequence[i].data);
  }
}


RogerClark
Fri Jan 29, 2016 7:55 pm
Very interesting…

Did it work ?

Can you tell me how you connected the receiver to analyse the data.

It looks like you used one of those USB audio dongles that uses the C-Media chip.
Did you bypass the input capacitor?
Did you need to level shift the input voltage e.g. with a resistor divider etc?

Thanks

Roger


Rintin
Fri Jan 29, 2016 8:20 pm
RogerClark wrote:Very interesting…

Did it work ?


ahull
Fri Jan 29, 2016 11:22 pm
A neat trick, I’ll need to remember that one. :D

I decoded a couple of junk box 433 MHz PIR sensors a couple of years back, but I had the luxury of an oscilloscope.

I bought a USB sound card, similar to the one you used a while back too, with a view to using it as a quick and dirty oscilloscope, but I have to admit it is languishing in my junk box. Too many other distractions. You might just have inspired me to drag it out and get it doing something useful.

At the moment I’m messing around with a very low cost VC921 digital multimeter, that I am trying to coax a serial signal out of. I *think* the chip is capable of it, but I haven’t found the correct combination of pins to get it to say anything yet.

I’ve actually ordered a UNI-T 61B too, with the intention of using an STM32XXX or an ESP8266 as a data logger, piggybacked on to the IR output, to allow remote monitoring. If I get the little VC921 to emit a serial data stream, I will see if I can squeeze an ESP8266 in to its case, that would be a neat hack (although probably a little heavy on AAA batteries). If I make any progress with either of those, I’ll probably post something in the “Off topic” thread.


RogerClark
Sat Jan 30, 2016 3:27 am
@Rintin

Thanks

I bought some USB audio dongles to use for audio output, but I will re-purpose one of them to act as a RF sniffer

Thanks for posting

PS. Have you seen the RCSwitch library

It does something similar, but only sends and receives a few protocols.

I have not tried RCSwitch on STM32 yet, but I used it a lot on AVR Arduinos and it worked well.


Rintin
Sat Jan 30, 2016 8:05 am
This? https://github.com/sui77/rc-switch

No.

Thanks for mentioning it. I will give it a try.


RogerClark
Sat Jan 30, 2016 9:00 am
Yes.Rintin wrote:This? https://github.com/sui77/rc-switch

No.

Thanks for mentioning it. I will give it a try.


Rintin
Thu Feb 04, 2016 5:32 pm
Sending was easy with this library (using the master branch).

I defined the protocol timing and the button codes translated to this:

// Custom rc-switch protocol describing this remote's timing. Following
// rc-switch's Protocol layout the fields are:
//   515        base pulse length in microseconds
//   { 17, 8 }  sync: HIGH for 17 pulse lengths, LOW for 8
//   { 1, 1 }   '0' bit: HIGH 1 pulse length, LOW 1
//   { 1, 3 }   '1' bit: HIGH 1 pulse length, LOW 3
RCSwitch::Protocol proto = { 515, { 17, 8 }, { 1, 1 }, { 1, 3 }};

RCSwitch mySwitch = RCSwitch();
// Forum excerpt: in a real sketch this call presumably sits inside setup().
mySwitch.setProtocol(proto);
...

// One 33-bit frame per button, written as the bit string passed to
// mySwitch.send(). With the protocol defined earlier in this post a '0' is
// the {1,1} symbol and a '1' is the {1,3} symbol.
// NOTE(review): the first 16 bits are identical for every button, bits 17-24
// read as a button number (ON = 1, AUTO = 2, S+ = 3 ... C43 = 20, OFF = 24)
// and the last 9 bits vary per button; what the first and last fields mean
// is not established on this page.
// NOTE(review): string literals are read-only, so `const char*` is the
// matching pointer type if the rc-switch version in use accepts it -- confirm.
char* data_ON = "001101001010000000000001100011010"; // ON
char* data_AUTO = "001101001010000000000010100011100"; // AUTO
char* data_OFF = "001101001010000000011000100100100"; // OFF

char* data_SP = "001101001010000000000011100011110"; // S+
char* data_MP = "001101001010000000000100100010100"; // M+
char* data_BP = "001101001010000000000101100010110"; // B+

char* data_SM = "001101001010000000000110100010010"; // S-
char* data_MM = "001101001010000000000111100010000"; // M-
char* data_BM = "001101001010000000001000100000100"; // B-

char* data_C11 = "001101001010000000001001100000110"; // Red
char* data_C12 = "001101001010000000001010100000010"; // Green
char* data_C13 = "001101001010000000001011100000000"; // Blue

char* data_C21 = "001101001010000000001100100001100"; // Yellow
char* data_C22 = "001101001010000000001101100001110"; //
char* data_C23 = "001101001010000000001110100001010"; //

char* data_C31 = "001101001010000000001111100001000"; //
char* data_C32 = "001101001010000000010000100111000"; //
char* data_C33 = "001101001010000000010001100111010"; //

char* data_C41 = "001101001010000000010010100111100"; //
char* data_C42 = "001101001010000000010011100111110"; //
char* data_C43 = "001101001010000000010100100110100"; //

// Transmit the ON frame using the protocol set on mySwitch.
mySwitch.send(data_ON);


RogerClark
Thu Feb 04, 2016 8:31 pm
Some pins are 5V tolerant. :-)

mrburnette
Fri Feb 05, 2016 12:35 am
RogerClark wrote: Some pins are 5V tolerant. :-)

Rintin
Fri Feb 05, 2016 7:52 am
Only the datasheet will know…
(page 28, “FT”)

zmemw16
Fri Feb 05, 2016 2:15 pm
for the unaware, this would also be of interest from DocID13587 Rev 16 page 62

FT = Five-volt tolerant. In order to sustain a voltage higher than VDD+0.3 the internal pull-up/pull-down resistors must be disabled.

for exams i was once told ‘read the rubrics’, i find it applies to a lot of things

stephen


RogerClark
Fri Feb 05, 2016 8:18 pm
I find the old Maple Mini page on the leaflabs site to be a useful quick reference.

it would be great if someone had time to put this sort of thing into the wiki, but I am afraid I don’t have time to do it


mrburnette
Sat Feb 06, 2016 3:27 am
Source: ST DOC ID 14611, Datasheet for STM32F103xC, STM32F103xD,
STM32F103xE, Table 5, pp. 30–35.
Some additional peripheral GPIO information is given in the "Other"
section following each bank's main table.

This document was prepared carefully and is believed to be correct,
but the final arbiter of truth is the ST datasheet.

*** NB: UART 4 and 5 are NOT USART (columns are labeled appropriately).

---------------------------------------------------------------------------
GPIO ADC Timer FSMC I2S I2C USART SPI DAC 5v?
---------------------------------------------------------------------------
PA0 123in0 2ch1etr - - - 2cts - - -
5ch1
8etr
PA1 123in1 5ch2 - - - 2rts - - -
2ch2
PA2 123in2 5ch3 - - - 2tx - - -
2ch3
PA3 123in3 5ch4 - - - 2rx - - -
2ch4
---------------------------------------------------------------------------
PA4 12in4 - - - - 2ck 1nss out1 -
PA5 12in5 - - - - - 1sck out2 -
PA6 12in6 8bkin - - - - 1miso - -
3ch1
PA7 12in7 8ch1n - - - - 1mosi - -
3ch2
---------------------------------------------------------------------------
PA8 - 1ch1 - - - 1ck - - Y
PA9 - 1ch2 - - - 1tx - - Y
PA10 - 1ch3 - - - 1rx - - Y
PA11 - 1ch4 - - - 1cts - - Y
---------------------------------------------------------------------------
PA12 - 1etr - - - 1rts - - Y
PA13 - - - - - - - - Y
PA14 - - - - - - - - Y
PA15 - - - 3ws - - 3nss - Y
---------------------------------------------------------------------------

Other:

PA0: WKUP
PA8: MCO
PA11: USBDM, CAN_RX
PA12: USBDP, CAN_TX
PA13: JTMS-SWDIO (default)
PA14: JTCK-SWCLK (default)
PA15: JTDI (default)

-------------------------------------------------------------------------------
GPIO ADC Timer FSMC I2S I2C USART SPI DAC 5v? SDIO
-------------------------------------------------------------------------------
PB0 12in8 3ch3 - - - - - - - -
8ch2n
PB1 12in9 3ch4 - - - - - - - -
8ch3n
PB2 - - - - - - - - Y -
PB3 - - - 3ck - - 3sck - Y -
-------------------------------------------------------------------------------
PB4 - - - - - - 3miso - Y -
PB5 - - - 3sd 1smba - 3mosi - - -
PB6 - 4ch1 - - 1scl - - - Y -
PB7 - 4ch2 NADV - 1sda - - - Y -
-------------------------------------------------------------------------------
PB8 - 4ch3 - - - - - - Y D4
PB9 - 4ch4 - - - - - - Y D5
PB10 - - - - 2scl 3tx - - Y -
PB11 - - - - 2sda 3rx - - Y -
-------------------------------------------------------------------------------
PB12 - 1bkin - 2ws 2smba 3ck 2nss - Y -
PB13 - 1ch1n - 2ck - 3cts 2sck - Y -
PB14 - 1ch2n - - - 3rts 2miso - Y -
PB15 - 1ch3n - 2sd - - 2mosi - Y -
-------------------------------------------------------------------------------

Other:

PB2: BOOT1
PB3: JTDO (default)
PB4: NJTRST (default)

-------------------------------------------------------------------------------
GPIO ADC Timer FSMC I2S I2C UART SPI DAC 5v? SDIO
-------------------------------------------------------------------------------
PC0 123in10 - - - - - - - - -
PC1 123in11 - - - - - - - - -
PC2 123in12 - - - - - - - - -
PC3 123in13 - - - - - - - - -
-------------------------------------------------------------------------------
PC4 12in14 - - - - - - - - -
PC5 12in15 - - - - - - - - -
PC6 - 8ch1 - 2mck - - - - Y D6
PC7 - 8ch2 - 3mck - - - - Y D7
-------------------------------------------------------------------------------
PC8 - 8ch3 - - - - - - Y D0
PC9 - 8ch4 - - - - - - Y D1
PC10 - - - - - 4tx - - Y D2
PC11 - - - - - 4rx - - Y D3
-------------------------------------------------------------------------------
PC12 - - - - - 5tx - - Y CK
PC13 - - - - - - - - - -
PC14 - - - - - - - - - -
PC15 - - - - - - - - - -
-------------------------------------------------------------------------------

Other:

PC13: TAMPER_RTC
PC14: OSC32_IN
PC15: OSC32_OUT

-------------------------------------------------------------------------------
GPIO ADC Timer FSMC I2S I2C UART SPI DAC 5v? SDIO
-------------------------------------------------------------------------------
PD0 - - D2 - - - - - Y -
PD1 - - D3 - - - - - Y -
PD2 - 3etr - - - 5rx - - Y CMD
PD3 - - CLK - - - - - Y -
-------------------------------------------------------------------------------
PD4 - - NOE - - - - - Y -
PD5 - - NWE - - - - - Y -
PD6 - - NWAIT - - - - - Y -
PD7 - - NE1 - - - - - Y -
NCE2
-------------------------------------------------------------------------------
PD8 - - D13 - - - - - Y -
PD9 - - D14 - - - - - Y -
PD10 - - D15 - - - - - Y -
PD11 - - A16 - - - - - Y -
-------------------------------------------------------------------------------
PD12 - - A17 - - - - - Y -
PD13 - - A18 - - - - - Y -
PD14 - - D0 - - - - - Y -
PD15 - - D1 - - - - - Y -
-------------------------------------------------------------------------------

Other:

PD0: OSC_IN (default)
PD1: OSC_OUT (default)

---------------------------------------------------------------------------
GPIO ADC Timer FSMC I2S I2C USART SPI DAC 5v?
---------------------------------------------------------------------------
PE0 - 4etr NBL0 - - - - - Y
PE1 - - NBL1 - - - - - Y
PE2 - - A23 - - - - - Y
PE3 - - A19 - - - - - Y
---------------------------------------------------------------------------
PE4 - - A20 - - - - - Y
PE5 - - A21 - - - - - Y
PE6 - - A22 - - - - - Y
PE7 - - D4 - - - - - Y
---------------------------------------------------------------------------
PE8 - - D5 - - - - - Y
PE9 - - D6 - - - - - Y
PE10 - - D7 - - - - - Y
PE11 - - D8 - - - - - Y
---------------------------------------------------------------------------
PE12 - - D9 - - - - - Y
PE13 - - D10 - - - - - Y
PE14 - - D11 - - - - - Y
PE15 - - D12 - - - - - Y
---------------------------------------------------------------------------

Other:
PE2: TRACECK
PE3: TRACED0
PE4: TRACED1
PE5: TRACED2
PE6: TRACED3

---------------------------------------------------------------------------
GPIO ADC Timer FSMC I2S I2C USART SPI DAC 5v?
---------------------------------------------------------------------------
PF0 - - A0 - - - - - Y
PF1 - - A1 - - - - - Y
PF2 - - A2 - - - - - Y
PF3 - - A3 - - - - - Y
---------------------------------------------------------------------------
PF4 - - A4 - - - - - Y
PF5 - - A5 - - - - - Y
PF6 3in4 - NIORD - - - - - -
PF7 3in5 - NREG - - - - - -
---------------------------------------------------------------------------
PF8 3in6 - NIOWR - - - - - -
PF9 3in7 - CD - - - - - -
PF10 3in8 - INTR - - - - - -
PF11 - - NIOS16 - - - - - Y
---------------------------------------------------------------------------
PF12 - - A6 - - - - - Y
PF13 - - A7 - - - - - Y
PF14 - - A8 - - - - - Y
PF15 - - A9 - - - - - Y
---------------------------------------------------------------------------

---------------------------------------------------------------------------
GPIO ADC Timer FSMC I2S I2C USART SPI DAC 5v?
---------------------------------------------------------------------------
PG0 - - A10 - - - - - Y
PG1 - - A11 - - - - - Y
PG2 - - A12 - - - - - Y
PG3 - - A13 - - - - - Y
---------------------------------------------------------------------------
PG4 - - A14 - - - - - Y
PG5 - - A15


ahull
Tue Jul 19, 2016 6:14 am
ahull wrote:

At the moment I’m messing around with a very low cost VC921 digital multimeter, that I am trying to coax a serial signal out of. I *think* the chip is capable of it, but I haven’t found the correct combination of pins to get it to say anything yet.

I’ve actually ordered a UNI-T 61B too, with the intention of using an STM32XXX or an ESP8266 as a data logger, piggybacked on to the IR output, to allow remote monitoring. If I get the little VC921 to emit a serial data stream, I will see if I can squeeze an ESP8266 in to its case, that would be a neat hack (although probably a little heavy on AAA batteries). If I make any progress with either of those, I’ll probably post something in the “Off topic” thread.

