Finding the logic in remote control data

Question

I have a set of remote controlled power sockets which operate on the 433MHz range and am trying to understand the protocol used between the remote and the sockets. They are sold under the Silvercrest brand, with the 284705 IAN.

Using an ESP32 with a RFM69CW module, I was able to figure out that it uses OOK PWM transmission to send packets of 24 bits for each order, and that the first 4 are the remote Id, the last 4 are the button Id.

This leaves me with the 16 middle bits for which I observed they can only take 4 possible values for a given button and order. For instance, pressing the "On" order for button "A" sends one of the following four values, in a repeating loop:

F756

7441

D9C5

E3AA

I thought that this might be a rolling code, but using again the ESP32 to send commands, I discovered that the socket reacts to any one of the following 4 codes. I can even send always the same, it will react properly and this has no impact on the remote usage.

Giving the "Off" order for button "A" uses a different set of four values:

20E7

5212

9D88

8C0B

Button B uses a different set of values, for On:

6AF3

453F

0F6E

C170

and for Off:

16BC

3B99

B8DD

AE24

On the same remote, there are three other buttons, C, D and Master, but C and Master use the same set of codes as A while D uses the same codes as B, just with a reversed meaning. This is easily figured out by looking at bit 1 of the button 1. If it's a 1, then the meaning is reversed.

I could easily use a lookup table for those values and be done with it, but I have found other people using those remote controlled sockets and it appears they are receiving other codes for the "On"/"Off" command. One such example is here.

So, what I'd like to figure out is the relationship between a given set of four codes, basically a "formula" that allows to validate any code, based on one of the three others and figure out if it's "On" or "Off" in the process, pretty much like what the socket is doing when it receives a command.

I tried counting bits, XORing, ANDing, ORing each pair of values, but nothing seemed obvious to me.

Does this appear easy to any of you?

What would you suggest I try next?

shabaz · Answer

obones wrote:

What would you suggest I try next?

Suggest determining if it's worth your time trying to figure it out : ) What problem would it solve? You only need to store a few bytes more in Flash if you wish to send all the four codes in the cycle to replicate the transmitter behavior 100%.

javagoza · Answer

I think the same as shabaz but if it is just for curiosity, have you tried to decode the data as a Manchester code? Manchester code - Wikipedia

obones · Answer

The RF signal that I receive is OOK PWM, meaning that I have a series of Long/Short and Short/Long "High/Low" pairs. This is what I decoded to get the 24 bits and establish the truth table presented above.
What you are suggesting is that I take those mystery 16 bits and apply Manchester decoding onto them?
So for instance, I have e3aa which in binary is 1110001110101010 and I should interpret this as a series of raising and falling edges?

obones · Answer

Yes, that could be the source of the table inside the remote.

However, I believe there is a relationship between those 4 numbers because the receiving socket is "programmed" using this procedure:

Plug the socket into mains
The indicator is blinking
Press a "On" button on the remote to pair it with this channel

To remove the association between a socket and a channel, one has to repeat the three steps above, but pressing the "Off" button.

At step 3, the receiving socket is obviously getting only one of the four possible codes and yet, it is capable of identifying it's an On or Off order and to which group of four it belongs to.

This behavior leads me to believe there is a way, given any code, to validate it against a reference code, thus identifying both the group and the order.
But I'm yet to find the logic used here by just looking at the numbers.

Finding the logic in remote control data

Top Replies