Reverse engineering Broadlink RM Pro

Some time ago we got new motorized blinds at my office which are controlled by a small wireless remote control. This made me curious how these remotes actually work, and if I would be able to control the blinds from a PC. In this post I'll explain the process of reverse engineering the protocol. For a detailed explanation of the protocol itself see here.

The remotes are of the type Somfy Smoove Origin RTS. Some searching revealed that RTS stands for "Radio Technology Somfy" and is a proprietary system. It uses an OOK(/ASK) modulated signal on 433.42 MHz. This was very convenient since I already had a microcontroller with an Aurel RX-4M50RR30SF 433.92 MHz OOK receiver attached lying around from another project. Although the frequencies don't exactly match, the receiver is able to pick up the signal if the remote is within ~10 meters. The microcontroller, a Cypress EZ-USB FX2, was running a very simple program that samples the data output from the RF receiver every 35 us and forwards it to my PC through USB.

With this setup I created traces of different button presses: 4 times 'up', 4 times 'down' and so on. The trace files are just a big bunch of 1's and 0's, not very readable. So I searched for a way to plot the traces. Although very cumbersome and time consuming, I was able to get some useful images out of it. Later I converted my trace files to VCD files and used GTKWave. GTKWave isn't very user friendly either, but it works a lot better than GnuPlot, especially with longer traces. The image below shows 4 traces of pressing the same button.

The frames are clearly visible and it is pretty obvious that there is a preamble at the start of the frame.

Close up of Somfy RTS data. On the red markers the signal level always changes, on the blue only sometimes.

Payload Data

Now that I knew how the data was modulated, framed and encoded, I could actually analyse the frame payload data. As always when reverse engineering, I started by making a list of data fields I would expect to be in the protocol and then started comparing the frames from the different traces. This directly showed that pressing the same button multiple times resulted in different data, suggesting that the protocol is not static, but uses some kind of rolling code/sequence number. Comparing the traces of two different buttons shows that the upper nibble of the second byte is probably the button code. Looking at the bytes that change with every button press I noticed that some actually behave as counters that constantly increase by 1, but with some bits flipped. So I assumed that there was some sort of XOR based obfuscation going on. Using these counters I started XOR'ing nibbles together, till the counters increased as expected. This finally brought me to a point where I was able to predict the data multiple frames ahead of the current frame.

With all the information gathered so far I went back to Google and stumbled upon US Patent 8,189,620 B2. Skimming through it I found an image of the frame structure I already determined. Hmmm… interesting! Reading further I found that this patent almost completely describes the RTS protocol. But that one doesn't describe the payload data. Another interesting patent I found was US 7860481 B2. With this new information I was able to determine the obfuscation algorithm used. Now that I could decode the protocol, I went on to write a program to actually send out my own frames. Given a captured address, rolling code and 'encryption key' I was indeed able to control the blinds.

To transmit I use an Aurel TX-SAW-MID 5V transmitter hand soldered on an experiment board.
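To make the "counter with some bits flipped" observation concrete, here is an added example (not code from the original post) that applies the same comparison-and-XOR analysis to constructed captures. It assumes, purely for illustration, a frame layout of control byte, button nibble, 16-bit rolling code and 24-bit address, and a simple XOR chain in which each byte is XORed with the previous obfuscated byte; neither is taken from the Somfy patents mentioned above.

```python
from typing import List


def build_frame(ctrl: int, button: int, rolling_code: int, address: int) -> bytes:
    """Plain (pre-obfuscation) frame in the layout assumed for this example:
    ctrl | button<<4 | rolling code (16 bit, big endian) | address (24 bit)."""
    return bytes([ctrl, (button & 0xF) << 4,
                  (rolling_code >> 8) & 0xFF, rolling_code & 0xFF,
                  (address >> 16) & 0xFF, (address >> 8) & 0xFF, address & 0xFF])


def obfuscate(frame: bytes) -> bytes:
    """Assumed XOR chain: every byte is XORed with the previous *obfuscated* byte."""
    out = bytearray(frame)
    for i in range(1, len(out)):
        out[i] ^= out[i - 1]
    return bytes(out)


def deobfuscate(frame: bytes) -> bytes:
    """Inverse of obfuscate: walk backwards so out[i-1] is still the obfuscated value."""
    out = bytearray(frame)
    for i in range(len(out) - 1, 0, -1):
        out[i] ^= out[i - 1]
    return bytes(out)


def changing_positions(frames: List[bytes]) -> List[int]:
    """Byte positions whose value differs between captured frames (the first
    step of the analysis: which fields move when the same button is pressed)."""
    return [i for i in range(len(frames[0])) if len({f[i] for f in frames}) > 1]


def counter_as_captured(frames: List[bytes]) -> List[int]:
    """The raw low counter byte: increases by 1 per press, but with bits flipped
    by the constant byte it was chained with."""
    return [f[3] for f in frames]


def recover_counter(frames: List[bytes]) -> List[int]:
    """Rolling code read after undoing the chain: a clean +1 sequence."""
    return [int.from_bytes(deobfuscate(f)[2:4], "big") for f in frames]


# Constructed captures: four presses of the same button, counter starting at 0x1234.
CAPTURED = [obfuscate(build_frame(0xA7, 0x2, 0x1234 + k, 0x123456)) for k in range(4)]

if __name__ == "__main__":
    print("changing bytes:", changing_positions(CAPTURED))
    print("raw counter   :", [hex(v) for v in counter_as_captured(CAPTURED)])
    print("real counter  :", [hex(v) for v in recover_counter(CAPTURED)])
```

Note that the address bytes after the counter also change on every press even though the address is constant, which is the chaining rippling forward; for a defender the lesson is that XOR chaining provides no confidentiality, since a single XOR per byte of two captured frames exposes the counter and the address.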