Glen Pitt-Pladdy :: Blog
energenie Remote Control Socket Protocol (ENER002)
Although there is very little information available before purchase on many of these devices, this one seemed to be a little better presented than most so I gave it a go. These seem to only be sold in sets of 3 with a 4+ALL remote control.
I'm not a fan of the finish of the plastic - the surface is marked around features in the plastic (presumably where it released from the mould) and the surface texture is... well, there hardly is any, and in places none. It smacks of cheap injection moulding. These are not held together by screws like all other devices I've had but instead seem to either be clipped or ultrasonically welded together... difficult to say without breaking the casing apart, but I suspect it's clipped which would likely be cheaper to make.

The one obvious advantage of these over other devices I've looked at is that they are learning (ie. you teach them what to respond to) and vitally, they remember their code when power is removed, unlike the STATUS socket which powers up in learning mode and learns from transmissions from other devices like temperature sensors. To program them hold the green button down for 5 seconds and they go into learning mode. Normally this is an on/off toggle which is another advantage these have over many sockets (manual control).

Intelligence gathering

This time round there's not a lot of info to go on, but here's what we know about this device so far:

Baseband Signal

Once again my USB 433MHz transceiver with the Generic Logging plug-in is useful for storing any unrecognized transmissions to a file. From there it's rather easy to get it into a spreadsheet for graphing and analysis.

Well.... here we go again. Same encoding scheme as the STATUS Socket, same number of bits, just slightly different timing and data structure. Likely all the same flaws, vulnerabilities etc. With DC blocking the threshold could shift all over so not an ideal encoding scheme. '0' pulses are ~320us, '1' pulses are ~1020us and the overall period is fixed at ~1400us with 10ms gaps between packets. That means with DC blocking that the threshold can shift within about 20% of the limits.

Data Structure

I configured the existing PulseWidth decoder class and captured the output from each of the buttons as well as power cycling the remote repeatedly to check if there were any rolling codes (none!). After confirming the structure and writing a decoder, I wrote the encoder and confirmed if any parts of the code are fixed for the product (none!). The data structure is as follows:

As before, this is not safe to be used for any potentially harmful devices as it could be decoded and read with little effort for malicious purposes. So, there you have it. Yet another device with a protocol that is not robust and is at risk of corruption.
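
The baseband timings quoted above (~320us '0', ~1020us '1', fixed ~1400us period, 10ms gap) written as a pulse-width slicer, showing how a drifted threshold flips bits while the fixed-period check still passes. This is an added example, not the author's PulseWidth decoder class; the tolerance, gap cut-off, function names and sample bits are assumptions constructed for illustration.

```python
# Added example: pulse-width slicer for the timings quoted in the post.
# Tolerance, gap cut-off and the sample bits are assumptions, not measurements.
ZERO_US, ONE_US, PERIOD_US, GAP_US = 320, 1020, 1400, 10_000
THRESHOLD_US = (ZERO_US + ONE_US) // 2   # 670 us midpoint between '0' and '1'
PERIOD_TOL_US = 150                      # assumed allowed jitter on the period
PACKET_GAP_MIN_US = GAP_US // 2          # assumed: low time >= 5 ms ends a packet

SAMPLE = "1011001110001111"              # constructed bits, not a real socket code


def decode(pulses, threshold_us=THRESHOLD_US):
    """pulses: list of (high_us, low_us) pairs from a capture.
    Returns one entry per packet: a bit string, or None when a pulse
    inside the packet broke the fixed-period rule."""
    packets, bits, ok = [], [], True
    for high, low in pulses:
        bits.append("1" if high > threshold_us else "0")
        end_of_packet = low >= PACKET_GAP_MIN_US
        # Inside a packet, high + low must match the fixed ~1400 us period.
        if not end_of_packet and abs(high + low - PERIOD_US) > PERIOD_TOL_US:
            ok = False
        if end_of_packet:
            packets.append("".join(bits) if ok else None)
            bits, ok = [], True
    if bits:  # trailing partial packet with no closing gap
        packets.append("".join(bits) if ok else None)
    return packets


def synth_capture(bitstring, stretch_us=0):
    """Build constructed (high, low) pairs for testing the slicer.
    stretch_us models a receiver whose slicing threshold has drifted,
    so every high pulse is measured longer and every low shorter."""
    out = []
    for i, b in enumerate(bitstring):
        high = (ONE_US if b == "1" else ZERO_US) + stretch_us
        last = i == len(bitstring) - 1
        out.append((high, GAP_US if last else PERIOD_US - high))
    return out


if __name__ == "__main__":
    print(decode(synth_capture(SAMPLE)))                  # clean capture
    print(decode(synth_capture(SAMPLE, stretch_us=300)))  # drift inside margin
    print(decode(synth_capture(SAMPLE, stretch_us=360)))  # drift past margin
```

With the 360us drift every pulse still fits the 1400us period, so the timing check accepts a packet in which all bits read as '1'.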
This is a bunch of random thoughts, ideas and other nonsense, and is not intended to be taken seriously. I'm experimenting and mostly have no idea what I am doing with most of this so it should be taken with caution and at your own risk. Intrusive technologies are minimised where possible. For the purposes of reducing abuse and other risks hCaptcha is used and has its own policies linked from the widget.
Copyright Glen Pitt-Pladdy 2008-2023