Introduction
This article outlines the process of reverse engineering a basic IR remote, detailing its operational mechanics from power to data transmission. The subject is an IR remote from an Arduino kit.
Disassembly and first observations
Key components identified post-disassembly include:
- the battery power connector
- the integrated circuit (IC)
- the infrared LED for signal emission
- the contacts for buttons
IC pin-out
The focus is on the IC, the heart of the board. Ignoring the available datasheets, a reverse engineering approach is employed to deduce the IC's internal workings.
Following the traces (I used a multimeter to double check) I could map some of the pins:
- PIN1 is connected to GND
- PIN8 is connected to VCC
- PIN7 is connected to the LED's cathode (-)
- The remaining 5 pins are used exclusively for buttons.
But how is it possible to read 21 different buttons with only 5 pins?
Understanding the button press detection
Since there are 5 pins left for reading buttons, assigning a pin to each button would not work, so the IC must detect the pressed button some other way.
With a simple traceback on the connectors I can see that the buttons make different connections between pins 2 to 6 (among themselves), GND and VSS.
But how is the IC capable of detecting that a connection has been made, for example between pin 2 and pin 3 and pin 4, or pin 5 to GND?
To understand the mechanism better, I hooked my scope on pin 3 and pin 4, and here is the result:
I could observe that each pin has some pulses (made by pulling the line to GND): one common pulse (that we can ignore) and one at a different offset. Measuring the other pins I found that each pin emits a pulse at a different time offset:
- pin 2 - 13 us
- pin 3 - 15 us
- pin 4 - 17 us
- pin 5 - 19 us
- pin 6 - 21 us
So that means that if you short together 2 of these pins, you will see 2 pulses on each of them, one from each pin, at different offsets. By reading the pins you can detect those pulses and, based on the offsets, identify which 2 pins are connected through the pressed button.
Based on this finding, I can see there are 3 distinct cases:
- 2 pins are tied together: in this case, by reading the pins you will detect 2 pulses
- a pin is connected to GND: the pin will be 0 for the entire frame
- a pin is connected to VCC: the pin will be 1 for the entire frame, though its own pulse will be missing
Here you can find a simulation that illustrates the 3 cases.
Besides this, there is one more special case: some buttons connect PIN 7 to the other pulse pins. It turns out that while the remote is not transmitting data, the LED's pin is also used to detect button presses.
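As an added illustration of the three cases above (example code written for this explanation, not the author's simulation or the IC's firmware): it models IC pins 2 to 6 each pulling their line low for one sample at the offsets measured above, and then classifies a frame the way the IC would. The 1 us sample resolution, the 32 us frame length and the idea that a pin tied to VCC simply loses its own pulse are assumptions.

```c
#include <stdio.h>
/* Added example, not the article's code. Scan pins (IC pins 2..6) each pull
 * their line low for one 1 us sample at the offsets measured on the page;
 * the 32 us frame length and 1 us resolution are assumptions. */
#define NPINS 5
#define FRAME_US 32
static const int PIN_NUM[NPINS]    = {2, 3, 4, 5, 6};
static const int PIN_OFFSET[NPINS] = {13, 15, 17, 19, 21};
enum conn { OPEN, SHORT_TO_PIN, TO_GND, TO_VCC };

/* What the IC reads back on every pin at each microsecond of a frame when
 * scan pin `pin` has connection `kind` (`peer` = other pin if shorted). */
static void simulate(int pin, enum conn kind, int peer, unsigned char frame[NPINS][FRAME_US])
{
    for (int p = 0; p < NPINS; p++)
        for (int t = 0; t < FRAME_US; t++) {
            int low = (t == PIN_OFFSET[p]);                 /* the pin's own pulse */
            if (kind == SHORT_TO_PIN && (p == pin || p == peer))
                low = (t == PIN_OFFSET[pin] || t == PIN_OFFSET[peer]); /* both pulses */
            if (kind == TO_GND && p == pin) low = 1;        /* held at 0 all frame */
            if (kind == TO_VCC && p == pin) low = 0;        /* held at 1, own pulse lost */
            frame[p][t] = !low;
        }
}

/* Classify a frame: returns the case and the IC pin number(s) involved
 * (*b is -1 unless two scan pins are shorted together). */
static enum conn detect(unsigned char frame[NPINS][FRAME_US], int *a, int *b)
{
    *a = *b = -1;
    for (int p = 0; p < NPINS; p++) {
        int lows = 0, foreign = -1;
        for (int t = 0; t < FRAME_US; t++)
            if (!frame[p][t]) { lows++; if (t != PIN_OFFSET[p]) foreign = t; }
        if (lows == FRAME_US) { *a = PIN_NUM[p]; return TO_GND; }
        if (lows == 0)        { *a = PIN_NUM[p]; return TO_VCC; }
        if (lows == 2)        /* own pulse plus one foreign pulse: find its owner */
            for (int q = 0; q < NPINS; q++)
                if (PIN_OFFSET[q] == foreign) { *a = PIN_NUM[p]; *b = PIN_NUM[q]; return SHORT_TO_PIN; }
    }
    return OPEN;
}

int main(void)
{
    unsigned char f[NPINS][FRAME_US]; int a, b;
    simulate(1, SHORT_TO_PIN, 2, f);                /* button between IC pins 3 and 4 */
    printf("case %d, pins %d and %d\n", detect(f, &a, &b), a, b);  /* case 1, pins 3 and 4 */
    return 0;
}
```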
IR signal encoding
The investigation then shifts to the IR LED to understand its signaling process. The pattern of the emitted IR frame is analyzed, revealing the binary encoding of the data.
In this image we can clearly see the composition of a frame: an initial long signal, followed by a gap, then multiple short signals with gaps between them. Since there are 2 types of gaps (except for the first one), we can deduce that those gaps represent 0 and 1.
The initial START (also referred to as start of frame, or sync signal) is used to synchronize the communication. Without it, the receiver wouldn't know when the frame starts, and if, for example, you block the IR light for the first part of the transmission, the receiver will read only the second part and it may be decoded into a totally different message.
Measuring the signals, here are the timings for the important parts of the signal:
- START is ~9ms
- Data 0 has a ~0.5ms gap
- Data 1 has a ~1.5ms gap
Decoding the rest of the message, we can clearly see there are 4 bytes of data sent, but we'll dive into the meaning of the data later.
Another observation that puzzled me is: why are the signals filled in, and not just a line? Let's zoom in and find out.
Why use a carrier and not just turn the LED on and off? Well, the reason is simple: to eliminate interference. If plain on/off keying were used, any IR light would interfere with the communication, making the receiver detect "on" even when the LED is not transmitting.
Instead, an IR receiver does not respond to IR light as such, but to IR light that is switched on and off 38,500 times per second.
Receiving the message
Since there are quite a few bits of data (32) in each message, decoding the message by hand would be time consuming and prone to error. So I'm using an Arduino and an IR receiver to read the data.
Using a breadboard and 3 wires, I've connected the IR receiver's GND and VCC, and its OUT pin to the Arduino's digital pin 8.
Let's test this configuration by probing the IR LED and the output pin of the receiver.
The blue line is the transmitter, the yellow one is the receiver. As we already said, the receiver goes low whenever there is a ~38.5 kHz IR signal, and we can see the yellow line following the signal.
I wrote a simple sketch that detects the start pulse, then receives the bits one by one and prints everything in hex. No error detection, just the code that does this job: IRRemote.ino
Decode the message
Now we have everything we need to understand the message. Let's read out some messages and see the message format:
- 00 f7 40 bf
- 00 f7 00 ff
- 00 f7 80 7f
- 00 f7 b0 4f
- 00 f7 68 97
Based on this data, the first 2 bytes seem to be constant. This should be the remote ID, so the signal won't be picked up by other devices.
The 3rd and 4th bytes are different for each button pressed. One interesting fact here is that their sum is always 0xFF, which means the 3rd byte is the data and the 4th is a checksum used for verification: you want to be sure that the picked-up signal is correct.
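The frame timings measured earlier and the message format found above, as an added example that is not the article's IRRemote.ino: it builds the mark/gap sequence for one of the captured messages, parses it back into 4 bytes and applies the ID and checksum rules. The bit mark length (560 us), the gap after START (4.5 ms), MSB-first bit order and the +/-25% timing tolerance are assumptions not stated on the page.

```c
#include <stdint.h>
#include <stdlib.h>
/* Added example, not the article's IRRemote.ino. Timings from the page: ~9 ms
 * START mark, then per bit a short mark followed by a ~0.5 ms (0) or ~1.5 ms
 * (1) gap. Bit mark length and the gap after START are assumed values. */
#define START_MARK_US 9000
#define START_GAP_US  4500   /* assumed, not measured on the page */
#define BIT_MARK_US    560   /* assumed, not measured on the page */
#define GAP0_US        500
#define GAP1_US       1500
#define NBITS           32
#define NDUR (2 + 2 * NBITS) /* START mark+gap, then mark+gap per bit */
/* Build the alternating mark/gap durations (us) of a 4-byte message,
 * sending the MSB of byte 0 first (bit order is an assumption). */
static void encode_frame(const uint8_t msg[4], unsigned dur[NDUR])
{
    dur[0] = START_MARK_US; dur[1] = START_GAP_US;
    for (int i = 0; i < NBITS; i++) {
        int bit = (msg[i / 8] >> (7 - i % 8)) & 1;
        dur[2 + 2 * i] = BIT_MARK_US;
        dur[3 + 2 * i] = bit ? GAP1_US : GAP0_US;
    }
}
/* Tolerate +/-25% jitter around the expected duration. */
static int near(unsigned got, unsigned want) { return abs((int)got - (int)want) * 4 <= (int)want; }

/* Parse captured durations into 4 bytes: 0 on success, -1 without a valid
 * START mark, -2 if a gap is neither a 0 nor a 1. */
static int decode_frame(const unsigned *dur, int n, uint8_t out[4])
{
    if (n < NDUR || !near(dur[0], START_MARK_US)) return -1;
    for (int i = 0; i < 4; i++) out[i] = 0;
    for (int i = 0; i < NBITS; i++) {
        unsigned gap = dur[3 + 2 * i];
        int bit = near(gap, GAP0_US) ? 0 : near(gap, GAP1_US) ? 1 : -1;
        if (bit < 0) return -2;
        out[i / 8] = (uint8_t)((out[i / 8] << 1) | bit);
    }
    return 0;
}

/* Apply the message format seen on the page: bytes 0-1 are the fixed ID
 * (00 f7), byte 3 complements byte 2 (sum 0xFF). Returns the command byte,
 * or -1 when the frame is from another remote or corrupted. */
static int check_message(const uint8_t m[4])
{
    if (m[0] != 0x00 || m[1] != 0xF7) return -1;   /* not this remote's ID */
    if (m[2] + m[3] != 0xFF) return -1;            /* checksum mismatch */
    return m[2];
}
```

Feeding `encode_frame` the captured message 00 f7 40 bf and decoding it returns command byte 0x40; flipping one bit of the last byte makes `check_message` reject the frame.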
Conclusions
Even if it's a simple device, there are quite a few things I've learned from this:
- Pulse signals can be used to increase the number of buttons you can detect with a certain number of I/O pins.
- IR uses a carrier wave of 38.5 kHz
- The IR frame contains a "START" signal followed by the data bits encoded in the "gaps" between signals
- Frame data contains the remote ID, the data and a CRC byte