Glen Pitt-Pladdy :: Blog

energenie Remote Control Socket Protocol (ENER002)

Although there is very little information available before purchase on many of these devices, this one seemed a little better presented than most, so I gave it a go. These seem to be sold only in sets of 3 with a 4+ALL remote control.

energenie ENER002 Remote Control Socket

I'm not a fan of the finish of the plastic: the surface is marked around features in the moulding (presumably where it released from the mould), and there is hardly any surface texture, in places none at all. It smacks of cheap injection moulding.

These are not held together by screws like all the other devices I've had; instead they seem to be either clipped or ultrasonically welded together. It's difficult to say without breaking the casing apart, but I suspect they are clipped, which would likely be cheaper to make.

The one obvious advantage of these over other devices I've looked at is that they are learning (i.e. you teach them what to respond to) and, vitally, they remember their code when power is removed, unlike the STATUS socket, which powers up in learning mode and learns from transmissions from other devices such as temperature sensors. To program them, hold the green button down for 5 seconds and they go into learning mode. Normally the green button is an on/off toggle, which is another advantage these have over many sockets (manual control).

Intelligence gathering

This time round there's not a lot of info to go on, but here's what we know about this device so far:

  • It keeps its memory when powered down
  • Holding down the green button puts it in learning mode: basically it wants to see a packet it recognizes so it can learn an ID from it. I don't know if that's just the 1-4 addresses from the remote, or if it goes further than that (i.e. each remote has its own ID as well as the button addresses). It will learn from both an On and an Off command.
  • Unlike the STATUS socket these don't seem to get warm, nor do they register on my power meter, so the claim of 0.3W standby seems plausible

Baseband Signal

Once again my USB 433MHz transceiver with the Generic Logging plug-in is useful for storing any unrecognized transmissions to a file. From there it's rather easy to get the data into a spreadsheet for graphing and analysis.

energenie ENER002 Remote Control Socket BaseBand

Well... here we go again. Same encoding scheme as the STATUS socket, same number of bits, just slightly different timing and data structure, and likely all the same flaws and vulnerabilities. With DC blocking the slicing threshold could shift all over the place, so it is not an ideal encoding scheme.

'0' pulses are ~320us, '1' pulses are ~1020us, and the overall bit period is fixed at ~1400us, with 10ms gaps between packets. That means that with DC blocking the threshold can shift within about 20% of the limits before bits are misread.

Data Structure

I configured the existing PulseWidth decoder class and captured the output from each of the buttons, as well as power cycling the remote repeatedly to check for rolling codes (none!). After confirming the structure and writing a decoder, I wrote an encoder and checked whether any part of the code is fixed for the product (none: the sockets learn whatever ID is transmitted).

The data structure is as follows:

  • No preamble, no sync: it's data from the very first pulse!
  • The first 20 bits are a fixed ID. These will be learned by the plug no matter what is transmitted.
  • The next 3 bits are the address 0-3 (LSB first), but inverted, so 111 as transmitted is button 1, 011 as transmitted is button 2, 101 as transmitted is button 3, 001 as transmitted is button 4, and, importantly, 110 as transmitted is the ALL button. The address is learned.
  • There is 1 bit for on/off
  • There is 1 stop bit which is required but whose value is ignored
  • Note that there is no error checking or any other form of validation, which is a risk: any corrupted bit could result in a different address, or turning on instead of off, or vice versa
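To make the baseband timing and the frame layout above concrete, here is a small software model of the ENER002 protocol. This is an added example, not code from the original post nor from energenie: the pulse widths, the 25-bit layout and the inverted LSB-first address encoding are taken from the text above, while the capture format (mark/space pairs in microseconds), the on/off bit polarity, the 2x-period rule for spotting the inter-packet gap and the sample ID are assumptions made for this example. The last part shows why the lack of any check matters: flipping a single bit silently selects another socket or inverts the command.

```python
# Added example, not the blog author's code or energenie's: a model of the
# ENER002 frame as described in the post. Timings and bit layout come from
# the post; the on/off polarity, the capture format and the sample ID are
# assumptions made here.

ZERO_US, ONE_US, PERIOD_US, GAP_US = 320, 1020, 1400, 10000
MARK_THRESHOLD_US = (ZERO_US + ONE_US) // 2   # 670us, midway between the two widths
FRAME_BITS = 20 + 3 + 1 + 1                   # ID, address, on/off, stop

# Button -> address value. On air the 3 bits go LSB first and inverted,
# so ALL (transmitted as 110) decodes to address 4.
BUTTON_TO_ADDR = {1: 0, 2: 1, 3: 2, 4: 3, "ALL": 4}
ADDR_TO_BUTTON = {v: k for k, v in BUTTON_TO_ADDR.items()}


def encode_frame(ident, button, onoff_bit, stop_bit=0):
    """Build the 25-bit frame as a '0'/'1' string in transmission order."""
    if len(ident) != 20 or set(ident) - {"0", "1"}:
        raise ValueError("ID must be a 20-character bit string")
    addr = BUTTON_TO_ADDR[button]
    # 3 address bits, least significant first, each inverted before transmission
    addr_bits = "".join(str(((addr >> i) & 1) ^ 1) for i in range(3))
    return ident + addr_bits + str(onoff_bit) + str(stop_bit)


def decode_frame(bits):
    """Parse a 25-bit frame. Nothing beyond the length can be validated."""
    if len(bits) != FRAME_BITS:
        raise ValueError("expected %d bits, got %d" % (FRAME_BITS, len(bits)))
    addr = sum(((int(bits[20 + i]) ^ 1) << i) for i in range(3))
    return {
        "id": bits[:20],
        "address": addr,
        "button": ADDR_TO_BUTTON.get(addr),   # None for the 3 unused address values
        "onoff_bit": int(bits[23]),           # which value means "on" is not stated
        "stop_bit": int(bits[24]),            # required, but the socket ignores it
    }


def frame_to_pulses(bits):
    """Frame -> (mark_us, space_us) pairs: one fixed 1400us period per bit,
    with the final space stretched to the 10ms inter-packet gap."""
    pulses = []
    for b in bits:
        mark = ONE_US if b == "1" else ZERO_US
        pulses.append((mark, PERIOD_US - mark))
    last_mark, _ = pulses[-1]
    pulses[-1] = (last_mark, GAP_US)
    return pulses


def pulses_to_frames(pulses):
    """Slice a capture into frames: classify each mark by width (no preamble,
    the first pulse is data) and split on any space much longer than a bit
    period, which is taken to be the inter-packet gap (assumed 2x rule)."""
    frames, current = [], []
    for mark, space in pulses:
        current.append("1" if mark > MARK_THRESHOLD_US else "0")
        if space > 2 * PERIOD_US:
            frames.append("".join(current))
            current = []
    if current:
        frames.append("".join(current))
    return frames


def flip_bit(bits, index):
    """Simulate a single corrupted bit on air."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]


if __name__ == "__main__":
    sample_id = "10110010111001001101"          # constructed ID for this example
    frame = encode_frame(sample_id, 2, 1)
    # Round trip through the pulse representation with 60us of timing jitter,
    # roughly what a drifting slicer threshold would do to the mark widths.
    capture = [(mark + 60, space - 60) for mark, space in frame_to_pulses(frame)]
    print(pulses_to_frames(capture), decode_frame(frame))
    # One flipped address bit selects a different socket; one flipped on/off
    # bit inverts the command. The decoder cannot tell either has happened.
    for index in (20, 23):
        print(index, decode_frame(flip_bit(frame, index)))
```

The decoder deliberately accepts anything of the right length, which is exactly the property the socket has: with no checksum, parity or sync word, a receiver cannot distinguish a corrupted frame from a genuine command for another address.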

As before, this is not safe to use for any potentially harmful devices, as the protocol can be captured, decoded and reproduced with little effort for malicious purposes.

So, there you have it: yet another device with a protocol that is not robust and is at risk of corruption.