Group Actions
Engagement
  • Author Author: Gough Lui
  • Date Created: Date Created
  • Views 1148 views
  • Likes 4 likes
  • Comments 15 comments
Related
Recommended

Woefully Insecure: Remote Control 433Mhz Power Sockets

Gough Lui

It's been a while since I've had the time to post anything around here. Luckily, I had recently just submitted my PhD thesis so that gives me a chance to take a short break and do some of the stuff that I like.

 

Recently, I came across a bunch of cheap remote controlled 433Mhz power sockets which I decided to pick up, tear down and reverse engineer on my blog site. Because of the recent discussions regarding remote control that I've been a part of on this forum, I thought it would be rather interesting to some of the people here as well. What I found was most intriguing - a fixed code system with no checksum/CRC, a 3-bit address space and 1-bit switch command for 4 variable bits in a 25-bit message, and hard coded broadcast-to-all switches including fresh un-learned switches out of the box.

 

I think it's probably worth a read as I go through the whole process from start to finish, and now I have an Ethernet bridge to the 433Mhz system built out of my efforts. It doesn't improve security, but it does improve usability. However, it's a key point that even if a system has a "learning" button and doesn't seem to respond to "other" codes that it's not necessarily secure by design. It may just give the impression of security.

  • in reply to DAB

    Thanks for that. Fingers crossed - it'll be a while still before I find out what the assessors think, so I'm trying my best to enjoy the next few weeks before I have to get back to paper writing for the university.

     

    - Gough

  • in reply to mcb1

    Ahh! Yes, I did hear of a version with an integrated nightlight from the manual, so that must be what it is for. It's starting to make sense now.

     

    Of course, you can have more if you alter the fixed parts, all it takes is an alteration to the program in the microcontroller, which I suspect, is using the fixed parts as a sort of "preamble" to spot the transmission in the noise and can probably have that tailored to virtually anything not all zeroes or ones (for synchronization reasons). It would probably make most sense for different markets since they want to advertise "expandability", and changing the fixed parts will probably break compatibility somewhere along the chain. However, then again, when we're talking about other markets, they're a long (geographic) way away, so it's not likely that you will get interference, but it will just make hobbyists' jobs harder in having another variant to code for.

     

    Agreed, it's a safer way ... and very inexpensive when you get lucky like I did on a clearance ... image

     

    - Gough

  • in reply to Gough Lui

    The pictures do show quite a bit of difference.image

    I was hoping to pick up some next week when I jump across the ditch.

    The RF ones are still on their website ...

     

     

    I imagine that they could change the 'fixed' part of the address for different markets.

    24 bits give 16,777,215 so even if you take a couple out, you're left with 4,194,303 ... IF you can alter the fixed parts.

     

    The light v lamp had no real effect, it seems that some units had the second output wired to a light, but as long as you 'learnt' the code it worked.

     

    Your comment ....

    There appears to be a spot for an additional surface mounted push button, its use is not immediately obvious

    If I recall the light and socket version has two pushbuttons ... unfortunately they are packed/piled/shifted while the painter is here.

     

     

    Great blog and code breakdown.

    I was aked to come up with a "Home Minder" and I used these which worked fine.

     

    The one thing about them is they provide a safe way to switch mains using a micro, rather than some of the other awful and Dangerous stuff we've seen.

     

    Mark

  • in reply to mcb1

    Aha! It looks like you looked at the RF-only version of the Watts Clever. Very nice to see their internal design shares some similarities, but it seems like they really do use some ICs of some sort and the coding scheme is different - mine utilizes a 25 bit message with four variable bits: one of the bits indicating on/off and three bits of binary address, where address 6 (0b110) is the "all plugs" address. Your one seems to have 24 bit message with 6 variable bits where bit 21 indicates on/off, bit 22+23 are a two bit "base" address with bits 19+20 being a "bank" address (or MSBs), bit 24 indicates light/socket. Again, not too complex and the space of possibilities not too big.

     

    This makes me wonder where WattsClever and their parent companies got the 1M+ codes "claim" from. 6 variable bits with a defined structure where only 4 of the bits carry variable address data doesn't give me 1M codes ... (chuckle).

     

    I was actually looking at Forget Me Not :  eLDERmon  Outlets  where you had the codes in a spreadsheet. Thanks for your work Mark! Enjoyed reading yours image

  • in reply to mcb1

    Like me for internal test routers.