Latest revision as of 10:57, 25 March 2014

Reverse engineering the RF protocol on a Kambrook Power Point Controller

433MHz remote control “power point controllers” are becoming more prevalent at bargain basement prices. These units consist of a single power point adapter and a radio frequency (RF) remote control allowing the device plugged into the power point adapter to be turned on and off remotely from distances up to approximately 30 meters. By hacking and replaying the 433MHz protocol, these cheap adapters can be safely controlled by a microcontroller system such as an Arduino. Being radio frequency, there is no physical connection to potentially lethal mains voltages and having passed the mandatory compliance checks there should be no threat to safety or from fire.

RF3672.jpg

To demonstrate just how cheap these adapters are, you can pick up a three pack complete with remote control (Pictured above) from your local Bunnings Hardware store for $29.90 AUD. If $29.90 breaks the bank, a single outlet without remote control costs just $8.98 AUD. You don’t need the remote control when operating these devices from a foreign microcontroller, hence the remote control is superfluous.

Sold under the Kambrook & Bauhn brands, the RF3399/RF3405/RF3672/RF3689/RF4471R Power Point Controller appears to be made by Ningbo Comen Electronics Technology Co. Ltd.

The remote control consists of 10 buttons and a slider switch. There is a dedicated switch to turn on a power point controller (left hand side) and a different button to turn it off (right hand side) thus five appliances can be controlled. To further expand the system, the slider switch can select up to four groups of appliances, hence a total of twenty appliances can be controlled.

Each power point controller comes from the factory uncoded. Before use, the end user needs to hold the on button for five seconds until the indicator light starts flashing. The user can then press either the off or on button to assign this button/group to the power point controller, and the code is stored away in non-volatile EEPROM.

There is a range of methods for eavesdropping on the protocol communicated between the remote control and the power point adapter. One method is to use a third party 433.92MHz receiver module. This has the advantage that you don’t need to pull anything apart (boring), but there can be some jitter on the raw signal from the demodulator, hindering efforts to obtain accurate timing information. Another way (much more exciting) is to pull the transmitter apart and probe the signal prior to modulation. Naturally, I decided to explore the latter.

Examining the printed circuit board (PCB) suggested the device operated from either a microcontroller or ASIC (as expected, the top of the IC has been ground off) and a separate 433.92MHz SAW resonator. The unmodulated data signal is present on pin 13 of the IC and is routed toward the SAW resonator via jumper wire J3 on the single sided PCB. This made an ideal location to probe for the signal. On a DSO the message looked like:

RF3399_Waveform.jpg

The message appeared to consist of a series of short and long pulses. A short pulse was constructed from a 280 µs wide pulse, followed by a 300 µs off period. The long pulse consisted of a 675 µs wide pulse, followed by the same 300 µs off period. With the timing down pat and a quick check that the logic level was 5V and wouldn’t cause damage, I next reached for the logic analyser. My logic analyser has deeper memory than the DSO and is hence more suitable for decoding these longer, more complex messages.

RF3399_Message.jpg

Above is the waveform from one complete message – Group A, Unit 1 On – containing 48 bits or 6 bytes. When a button is pressed, the message is repeated five times. Then the button must be depressed.

I then proceeded to decode a sample of messages in a bid to understand the encoding of the message. The result can be found in the table below.

Group  Unit  Operation  Sync      Addr 1    Addr 2    Addr 3    Data      Trailing
A      1     On         01010101  00000000  01101101  11111101  00000001  11111111
A      1     Off        01010101  00000000  01101101  11111101  00000010  11111111
A      2     On         01010101  00000000  01101101  11111101  00000011  11111111
A      2     Off        01010101  00000000  01101101  11111101  00000100  11111111
A      3     On         01010101  00000000  01101101  11111101  00000101  11111111
A      3     Off        01010101  00000000  01101101  11111101  00000110  11111111
A      4     On         01010101  00000000  01101101  11111101  00000111  11111111
A      4     Off        01010101  00000000  01101101  11111101  00001000  11111111
A      5     On         01010101  00000000  01101101  11111101  00001001  11111111
A      5     Off        01010101  00000000  01101101  11111101  00001010  11111111
B      1     On         01010101  00000000  01101101  11111101  00010001  11111111
C      1     On         01010101  00000000  01101101  11111101  00100001  11111111
D      1     On         01010101  00000000  01101101  11111101  00110001  11111111

With all the hard work done, it was now time to write some code to replay the messages and check if it works.

PIC32_TWS-BS-3.jpg

I used a garden variety TWS-BS 433.92MHz RF ASK Transmitter available from Little Bird Electronics for as little as $4.95 AUD or from Altronics at $7.95 AUD.

The TWS-BS-3 transmitter can be operated from a 1.5V to 12V supply. In this example, I run it from a 5 volt supply. The Data IN pin is connected to the PIC32's RD0 pin.

After a little trial and error it appeared the controllers refused to play ball if the messages were not separated by more than 7 ms.

It would also appear the trailing byte can be anything – it doesn't affect the operation of the unit.

A notable omission from the protocol is a checksum. During testing I found that, if the timing was a little slack, I could erroneously turn on a neighbouring unit or toggle the state of the unit I was intending on controlling.

The Source Code for the Microchip PIC32MX440F512H can be downloaded from http://www.beyondlogic.org/433.92MHz/RF3399.zip.
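
The message table and the missing-checksum observation above can be seen together in a small decoder. This is an added example, not the author's downloadable source: it assumes a long pulse encodes 1, a short pulse 0, and most-significant-bit-first order (the article does not state the mapping), infers the data-byte layout from the table, and runs on constructed pulse-width samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Timings from the article: short pulse 280 us, long pulse 675 us. */
#define SHORT_US   280
#define LONG_US    675
#define THRESH_US  ((SHORT_US + LONG_US) / 2)   /* 477 us decision point */
#define FRAME_BITS 48

typedef struct {
    uint8_t sync, addr[3], data, trailing;
    char group;   /* 'A'..'D', from the data byte's high nibble */
    int unit;     /* 1..5 */
    int on;       /* 1 = On, 0 = Off */
} kb_frame;

/* Data-byte layout inferred from the article's table:
 * high nibble = group (A=0..D=3), low nibble = 2*unit-1 (On) or 2*unit (Off). */
int kb_parse_data(uint8_t data, kb_frame *f)
{
    unsigned grp = data >> 4, code = data & 0x0F;
    if (grp > 3 || code < 1 || code > 10)
        return -1;
    f->group = (char)('A' + grp);
    f->unit = (int)(code + 1) / 2;
    f->on = (int)(code & 1);
    return 0;
}

/* Decode 48 high-pulse widths (microseconds) into a frame.
 * ASSUMPTION: long pulse = 1, short pulse = 0, most significant bit first.
 * Returns 0 on success, -1 on bad sync or a data byte outside the table. */
int kb_decode(const unsigned *width_us, size_t n, kb_frame *f)
{
    uint8_t b[6] = {0};
    if (n != FRAME_BITS)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (width_us[i] > THRESH_US)
            b[i / 8] |= (uint8_t)(0x80u >> (i % 8));
    f->sync = b[0];
    f->addr[0] = b[1]; f->addr[1] = b[2]; f->addr[2] = b[3];
    f->data = b[4];
    f->trailing = b[5];   /* the article found the receiver ignores this byte */
    if (f->sync != 0x55)
        return -1;
    return kb_parse_data(f->data, f);
}

/* Constructed sample: pulse widths for a frame carrying the given data byte,
 * using the sync, address and trailing bytes shown in the article's table. */
void kb_sample(uint8_t data, unsigned *out)
{
    const uint8_t b[6] = {0x55, 0x00, 0x6D, 0xFD, data, 0xFF};
    for (int i = 0; i < FRAME_BITS; i++)
        out[i] = (b[i / 8] & (0x80u >> (i % 8))) ? LONG_US : SHORT_US;
}

int main(void)
{
    unsigned w[FRAME_BITS];
    kb_frame f;
    kb_sample(0x01, w);                       /* Group A, Unit 1 On */
    if (kb_decode(w, FRAME_BITS, &f) == 0)
        printf("%c%d %s\n", f.group, f.unit, f.on ? "On" : "Off");
    w[38] = LONG_US;                          /* one short pulse read as long */
    if (kb_decode(w, FRAME_BITS, &f) == 0)    /* still a valid frame */
        printf("after 1-bit slip: %c%d %s\n", f.group, f.unit, f.on ? "On" : "Off");
    return 0;
}
```

With no checksum, the single mis-timed pulse at bit 38 turns the Unit 1 On frame into a well-formed Unit 2 On frame, which matches the neighbouring-unit behaviour seen during testing.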