2

I have a set of 4 power sockets that can be turned on and off with an RF remote. That remote has 4 pairs of on/off buttons along with a master pair that can control all sockets at once.

Initially, the power sockets do not know about the remote, one needs to "program" the socket by pressing the desired "ON" button while the socket is in learning mode.

Sniffing the 433MHz signal is quite easily done and repeating captured signals works just fine, so there does not appear to be any kind of security here.

Out of curiosity, I wanted to understand the structure of data sent to these sockets and have figured out that it's made of 24 bits with the following structure:

Nibble Usage
5 Remote Id
1-4 Action code
0 Button Id

So for instance, if I receive 5ae940, the Remote Id is 5, the Button Id is 0 and the action code is ae94

Recording multiple button presses, I discovered that the same button, On for A channel for instance, rolls between 4 possible action codes. And using a second set of power sockets bought 3 years ago shows that they are cross compatible with the newer one, with a different set of 4 possible action codes.

When placing the power socket in learning mode, there is only one button press needed, so the socket itself has a way to identify any of the four possible action codes as equivalent to the one it has learnt.

What I have a hard time figuring out is what makes those 4 possible action codes related to each other.

Here are the captured packets and their associated action:

Set year A
On		 A
Off		 B
On		 B
Off		 C
On		 C
Off		 D
On		 D
Off		 Master
On		 Master
Off
2019 bf756c
b7441c
bd9c5c
be3aac		 b20e7c
b5212c
b9d88c
b8c0bc		 b6af35
b453f5
b0f6e5
bc1705		 b16bc5
b3b995
bb8dd5
bae245		 b20e7e
b5212e
b9d88e
b8c0be		 bf756e
b7441e
bd9c5e
be3aaz		 b16bc7
b3b997
bb8dd7
bae247		 b6af37
b453f7
b0f6e7
bc1707		 b20e72
b52122
b9d882
b8c0b2		 bf7562
b74412
bd9c52
be3aa2
2022 5ae940
592870
52acb0
530d30		 5814a0
5d5b20
54cf10
559090		 5ae944
592874
52acb4
530d34		 5814a4
5d5b24
54cf14
559094		 5ae94c
59287c
52acbc
530d3c		 5814ac
5d5b2c
54cf1c
55909c		 5814a2
5d5b22
54cf12
559092		 5ae942
592872
52acb2
530d32		 5814aa
5d5b2a
54cf1a
55909a		 5ae94a
59287a
52acba
530d3a

So in 2019, I bought remote with Id b and in 2002 the new remote has Id 5

What can be seen is that if bit 1 of the button Id is set, then the meaning of the action code is reversed.

What I could not figure out yet is how to detect that a given button Id is the "Master" one for the remote. For remote 5, it could be because a is the binary complement of the remote Id, but this does not work for remote Id b

And as already mentioned above, I cannot figure out the logic that connects together any given set of 4 action codes. As a reference, here are the 6 sets I have so far:

Set 1 Set 2 Set 3 Set 4 Set 5 Set 6
f756
7441
d9c5
e3aa		 20e7
5212
9d88
8c0b		 6af3
453f
0f6e
c170		 16bc
3b99
b8dd
ae24		 ae94
9287
2acb
30d3		 814a
d5b2
4cf1
5909

I have tried various things like xor-ing, and-ing, or-ing values in a group, comparing bits set to 1 in any given values but I could not figure out what makes those group of 4 values related to each other.

I understand that this is quite a lengthy message, but I wanted to make sure that I share all the discoveries I made into this endeavor.

I totally admit that I can store the above 6 sets of values in a constant array and be done with it, but this would leave an itch in my brain...

Many thanks in advance for any suggestions, things to try, hints...

EDIT 2002 02 05

The remote appears to have a global value indicated which of the next four possible values is to be used.

If we consider the 2022 remote, On button A is in the ae94, 9287, 2acb, 30d3 group and On button D is in the 814a, d5b2, 4cf1, 5909 group.
Here are the codes used following the button presses in that sequence:

Button Code used
On A ae94
On D d5b2
On A 2acb
On A 30d3
On D 814a

As you can see, some values are "skipped" because another button was pressed.

Taking the battery off for a while and placing it back on does not change the codes that are sent by the remote.

Both sets are sold by LIDL under the Silvercrest brand, the one from 2019 having those references:

IAN 284705
Article# 1 04772 1706

While the one from 2022 has those:

Reference 36626_2101
Model 8 50 50 00066

Both remotes look like this:

Silvercrest remote

The whole point of this research is to be able to make the plugin for the RFLink32 project much more flexible. Indeed, it currently uses the "truth table" approach which only works with my own set of sockets.

Improve this question

1 Answer 1

Reset to default
3

is the next step in a sequence of on action like

f756 7441 d9c5 e3aa

the same, also when another action comes in between? Did you tried if action code is generated in some way by remote id, button id, 1-4 (0-3)? I think in learning mode it needs only to learn remote id, and other are known by algorithm used.

Edit 220205

so there is a counter# 0-3 to consider. Just an idea to work out: you have input remote id, button id, counter# and action will be calculated by CRC-16 (because of variability of codes) or whatever. To be clear: I'm not expert in that matter, just sharing my ideas as I'm working on similar issue.

Edit 220212

Looking over the dataset again, I think it is possible just to do some assumptions for the algorithm behind, some of them can be tested, some not, just because of lack of data.

  1. I agree that remoteID is nibble#1, maybe hardcoded or as per DIP switch in remote
  2. nibble#5 is switchID as you said, and I think its generated by algorithm. All sockets need to know independent from remote what switchID the master is, depending on send remoteID, specifically a "2" could be code for socket "D" or master. Assumption could be, that switchID for master is "remoteID ^ F" and "remoteID ^ 9" depending on bit1 at remoteIDs is set or not. The same works similar with bit2 set or not set for remoteID. Several other methods are possible, but cannot be verified due to lack of data with other remoteIDs. Maybe there is also a method that works for all remoteID, without any "if-clause".
  3. I think, for actionCode there is not any roting code needed for proper work. When "A"-On is pressed, then pressing 3 other buttons, and again "A"-on it will send the same message again. For me the 4 options seems just obfuscation. At least for "2022" remote it's worth to try with only one code for "On" and "off" each. And if that is true, why not also for "2019" remote? This theory can be easily verified: switch on "A", press 3 times a button and remote is far away from socket, then again "A" off. When this repeated key is accepted, no rotating code is needed. However, this doesn't give any clue at the moment how action code is generated.

Edit 220213

In some articles on this remote I have found my assumption confirmed that no rolling code is needed to switch on/off. A single action code per remoteID should suffice. However the method to generate the action code is unknown, since almost 10 years now. Best information seems to be a semi-encryption method using table substitution here, "AnBan". Sometimes it is called Quigg GT-1000 protocol, details also unknown. As it comes to the point that a 14Pin chip inside generates the codes all discussions ends without better result. Maybe someone else being more clever will find out the details.

Improve this answer
0

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.