You are looking at the HTML representation of the XML format.
HTML is good for debugging, but is unsuitable for application use.
Specify the format parameter to change the output format.
To see the non HTML representation of the XML format, set format=xml.
See the complete documentation, or
API help for more information.
<?xml version="1.0"?>
<api>
<query-continue>
<allpages gapcontinue="Seagate_FreeAgent_GoFlex_Home_Building_Kernel" />
</query-continue>
<query>
<pages>
<page pageid="75" ns="0" title="Reverse engineering the RF protocol on a 4 outlet powerboard">
<revisions>
<rev contentformat="text/x-wiki" contentmodel="wikitext" xml:space="preserve">
== Reverse engineering the 433MHz RF protocol on a 4 outlet powerboard ==
Sino Wealthy (Hong Kong) Limited manufacture a four outlet remote controlled power board sold under various brands including Click (Part No. CLKRCP4), PowerTran (Cat No. P-8119), PowerTech/Jaycar (Cat No MS6150) and Heller (Part No. RCS8888.) With 4 independently operated outlets controlled by a 433MHz RF remote control, it makes for an ideal candidate for basic home automation. Once the protocol is known, there is no need to penetrate the power board and fiddle with circuitry at potentially dangerous mains potentials. The end result is four standards compliant mains relay outputs that can be purchased off the shelf at a budget price.
Having a peek in the power board shows it is made of two Printed Circuit Boards (PCBs). One includes an energy efficient non-isolated switcher integrated circuit (LNK304) to provide the 5 volts DC at 120mA to power the logic and four 10 amp 250 VAC relays to switch each outlet on and off. A six wire ribbon cable is used to connect this board to the 433MHz receiver comprising of a PT4301 433MHz OOK/ASK Receiver and micro-controller.
<center>http://wiki.beyondlogic.org/i/RCS8888_Internal.jpg</center>
It is easy to identify a trace leading from the PT4301 that includes the asynchronous message to be decoded by the micro-controller. In fact, it even includes a test point. As the board is not isolated from the mains and is potentially hazardous to probe while connected, I went about de-soldering the 6 pin ribbon cable so I could power the RF decoder from a bench power supply and connect it safely to an oscilloscope and later – a logic analyser.
<center>http://wiki.beyondlogic.org/i/RCS8888_RF_Decoder.jpg</center>
The remote control distributed with the board contains five buttons. There is a “all off” button, followed by buttons 1 to 4 used to toggle on and off each outlet. The power board ships uncoded from the factory and requires pairing before use. To pair, the end user presses the ‘coding’ button on the power board and then presses the “all off” button on the remote control. According to the manual, up to five remote controls can be used with a single power board.
In next to no time, I had captured my first message and proceeded to decode it:
<center>http://wiki.beyondlogic.org/i/RCS8888_Data.jpg</center>
When a button was held down, the 45mS long message was sent approximately every 50mS. The first check was to make sure each repeated message was identical. It was, so this made life much easier. Some, more secure remote controls may employ code hoping, making decoding and replay just a tad more difficult.
Closer examination of the actual message showed a series of shorter and longer positive pulses, all having the same period. I have assigned the short pulse a logic ’0′ and the long pulse a logic ’1′. Based on these assumptions, each message contains 34 bits.</rev>
</revisions>
</page>
<page pageid="48" ns="0" title="Reverse engineering the RF protocol on a Kambrook Power Point Controller">
<revisions>
<rev contentformat="text/x-wiki" contentmodel="wikitext" xml:space="preserve">
== Reverse engineering the RF protocol on a Kambrook Power Point Controller ==
433MHz remote control “power point controllers” are becoming more prevalent at bargain basement prices. These units consist of a single power point adapter and a radio frequency (RF) remote control allowing the device plugged into the power point adapter to be turned on and off remotely from distances up to approximately 30 meters. By hacking and replaying the 433MHz protocol, these cheap adapters can be safely controlled by a microcontroller system such as an Arduino. Being radio frequency, there is no physical connection to potentially lethal mains voltages and having passed the mandatory compliance checks there should be no threat to safety or from fire.
<center>http://wiki.beyondlogic.org/i/RF3399/RF3672.jpg</center>
To demonstrate just how cheap these adapters are, you can pick up a [http://www.bunnings.com.au/kambrook-4-piece-indoor-powerpoint-kit-with-remote-control_p7030054 three pack complete with remote control] (Pictured above) from your local Bunnings Hardware store for $29.90 AUD. If $29.90 breaks the bank, a [http://www.bunnings.com.au/kambrook-10a-240v-single-indoor-power-point-controller_p4420192 single outlet without remote control] costs just $8.98 AUD. You don’t need the remote control when operating these devices from a foreign microcontroller, hence the remote control is superfluous.
Sold under the Kambrook & Bauhn brands, the RF3399/RF3405/RF3672/RF3689/RF4471R Power Point Controller appears to be made by [http://www.nbcomen.com.cn/products2.asp?classid=30&page=2 Ningbo Comen Electronics Technology Co. Ltd.]
The remote control consists of 10 buttons and a slider switch. There is a dedicated switch to turn on a power point controller (left hand side) and a different button to turn it off (right hand side) thus five appliances can be controlled. To further expand the system, the slider switch can select up to four groups of appliances, hence a total of twenty appliances can be controlled.
Each power point controller comes from the factory uncoded. Before use, the end user needs to hold the on button for five seconds until the indicator light starts flashing. The user can then press either the off or on button to assign this button/group to the power point controller and the code is stored away in non volatile EEPROM.
There are a range of methods for eavesdropping on the protocol communicated between the remote control and the power point adapter. One method can be to use a third party 433.92MHz receiver module. This has the advantage in that you don’t need to pull anything apart (boring), but there can be some jitter on the raw signal from the demodulator hindering efforts to obtain accurate timing information. Another way (much more exciting) is to pull the transmitter apart and probe the signal prior to modulation. Naturally, I decided to explore the later.
Examining the printed circuit board (PCB) suggested the device operated from either a microcontroller or ASIC (as expected the top of the IC has been ground off) and a separate 433.92MHz SAW resonator. The demodulated signal is present on pin 13 of the IC and is routed toward the SAW resonator via jumper wire J3 on the single sided PCB. This made an ideal location to probe for the signal. On a DSO the message looked like:
<center>http://wiki.beyondlogic.org/i/RF3399/RF3399_Waveform.jpg</center>
The message appeared to comprise of a series of short and long pulses. A short pulse was constructed from a 280uS wide pulse, followed by 300uS off period. The long pulse consisted of a 675uS wide pulse, followed by the same 300mS off period. With the timing down pat and a quick check the logic level was 5V and wouldn’t cause damage, I next reached for the logic analyser. My logic analyser has deeper memory than the DSO and is hence more suitable for decoding these longer, more complex messages.
<center>http://wiki.beyondlogic.org/i/RF3399/RF3399_Message.jpg</center>
Above is the waveform from one complete message – Group A, Unit 1 On – containing 48 bits or 6 bytes. When a button is pressed, the message is repeated five times. Then the button must be depressed.
I then proceed to decode a sample of messages in a bid to understand the decoding of the message. The result can be found in the table below.
<center>
<table>
<tr id="head">
<td>Group</td>
<td>Unit</td>
<td>Operation</td>
<td align="center">Sync</td>
<td align="center">Addr 1</td>
<td align="center">Addr 2</td>
<td align="center">Addr 3</td>
<td align="center">Data</td>
<td align="center">Trailing</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">1</td>
<td align="center">On</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00000001</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">1</td>
<td align="center">Off</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00000010</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">2</td>
<td align="center">On</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00000011</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">2</td>
<td align="center">Off</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00000100</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">3</td>
<td align="center">On</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00000101</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">3</td>
<td align="center">Off</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00000110</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">4</td>
<td align="center">On</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00000111</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">4</td>
<td align="center">Off</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00001000</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">5</td>
<td align="center">On</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00001001</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">A</td>
<td align="center">5</td>
<td align="center">Off</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00001010</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">B</td>
<td align="center">1</td>
<td align="center">On</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00010001</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">C</td>
<td align="center">1</td>
<td align="center">On</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00100001</td>
<td>11111111</td>
</tr>
<tr id="row">
<td align="center">D</td>
<td align="center">1</td>
<td align="center">On</td>
<td>01010101</td>
<td>00000000</td>
<td>01101101</td>
<td>11111101</td>
<td>00110001</td>
<td>11111111</td>
</tr>
</table>
</center>
With all the hard work done, it was now time to write some code to replay the messages and check if it works.
<center>http://wiki.beyondlogic.org/i/RF3399/PIC32_TWS-BS-3.jpg</center>
I used a garden variety [http://www.beyondlogic.org/433.92MHz/TWS-BS-3_433.92MHz_ASK_RF_Transmitter_Module_Data_Sheet.pdf TWS-BS 433.92MHz RF ASK Transmitter] available from [http://littlebirdelectronics.com/products/rf-link-transmitter-434mhz-1 Little Bird Electronics] for as little as $4.95 AUD or from [http://www.altronics.com.au/index.asp?area=item&id=Z6900 Altronics] at $7.95 AUD.
The TWS-BS-3 transmitter can be operated from a 1.5V to 12V supply. In this example, I run it from a 5 volt supply. The Data IN pin is connected to the PIC32′s RD0 pin.
After a little trial and error it appeared the controllers refused to play ball if the messages were not separated by more than 7mS.
It would also appear the trailing byte can be anything – it doesn't effect the operation of the unit.
A notable omission from the protocol is a checksum. It was found during testing, if the timing was a little slack, I could erroneously turn on a neighbouring unit or toggle the state off the unit I was intending on controlling.
The [http://www.beyondlogic.org/433.92MHz/RF3399.zip Source Code can be downloaded here] for the Microchip [http://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en535591 PIC32MX440F512H].</rev>
</revisions>
</page>
</pages>
</query>
</api>