Rodrigo Alvarez

Tinkering as a way of life

Home automation Project – Part 3: Reverse Engineering RF Signals

My idea is to create a device that replicates the signal that the remote sends to the blinds, triggered by an MQTT command. Good, but what does this signal look like?

For that I have the perfect tool, an SDR (Software Defined Radio). It's basically a radio receiver that can tune into a wide range of frequencies under the control of a computer. Signals can then be decoded and recorded. Why do I have one of these? Well, I'm a bit of an aviation geek, and I rushed out to buy one when I heard I could listen to aircraft, but that's another story.

The idea is to tune into the frequency of the remote, record the signal and then analyse it to:

  • A) Worst case, replay the signal
  • B) Best case, understand its composition and recompose the message

Tuning into the remote

First of all, I need to know what frequency to tune into. Fortunately, all devices that want to be sold in the US must have FCC certification, which requires the frequency to be printed somewhere on the case of the device. However, in case the sticker has fallen off or been erased, there are a few usual suspects we can search first. 433MHz and 446MHz are open frequencies here in the EU (315MHz in the US) as long as the devices emit under 500mW. Other common frequencies are 27 MHz, for things such as old RC cars and wireless mice and keyboards, and its updated version 2.4GHz (the same as Wi-Fi signals).

Another issue is the strength of the signal I will be receiving. Ideally I should have an antenna tuned to the frequency I want to listen to; however, from the tests I have carried out, any "ol' piece o' wire" will do: as the emitter is close enough to the receiver, the signal is very strong and can be decoded easily.

[Picture of the SDR software to be inserted]

Recording the signal

This is the part I have struggled with most, as there are several signal modulations. The most typical is ASK modulation (and the easiest to decode): basically, if there is oscillation it's a 1, and if there isn't it's a 0. Another typical modulation is FSK, whereby a fast oscillation is a 1 and a slower one is a 0. This has been a learning experience and may limit my ability to implement this project. Yikes! Hope it's something easy!

[Waterfall graph to be inserted]

It turned out to be ASK. I recorded it using AM demodulation (which suits this type of modulation very well) into a .wav file. The best software to look at .wav files is, of course, Audacity.

[Audacity screenshot to be inserted]

As you can see, every time I press a button on the remote, it sends 3 distinct signal streams which, after comparison, turn out to be the same. I've done this for all 6 blinds at 3 buttons per blind, i.e. 18 times.
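To make the two steps above concrete (ASK/OOK means "tone present = 1, silence = 0", and each button press produces three repeats that should compare equal), here is an added example of an envelope detector and bit slicer over an AM-demodulated capture. This is my own illustration, not code from the post; the sample rate, 1 ms symbol period, 4 kHz tone and the bit pattern are constructed values, and in practice you would measure the sample rate and bit period from the Audacity waveform and read the samples from the .wav instead of synthesising them.

```python
import math

# Constructed parameters for the synthetic capture. With a real recording you
# take the sample rate from the .wav header and measure the bit period in Audacity.
SAMPLE_RATE = 48_000       # samples/s of the AM-demodulated .wav (assumption)
SYMBOL_SECONDS = 0.001     # one OOK symbol lasts 1 ms (constructed value)
TONE_HZ = 4_000            # audio tone standing in for "carrier present" (constructed)


def _lcg_noise(count, amplitude, seed=1):
    """Deterministic pseudo-random noise in [-amplitude, amplitude] so runs repeat exactly."""
    state, out = seed, []
    for _ in range(count):
        state = (1103515245 * state + 12345) % 2**31
        out.append(amplitude * (2.0 * state / 2**31 - 1.0))
    return out


def make_ook_capture(frames, gap_symbols=8, noise=0.05):
    """Build a constructed capture: each frame is a bit list sent as tone-on for 1
    and silence for 0, with `gap_symbols` of silence after every frame (the remote
    on the page repeats the same frame three times per button press)."""
    n = int(SAMPLE_RATE * SYMBOL_SECONDS)
    symbols = []
    for frame in frames:
        symbols.extend(frame)
        symbols.extend([0] * gap_symbols)
    clean = []
    for i, bit in enumerate(symbols):
        for k in range(n):
            t = (i * n + k) / SAMPLE_RATE
            clean.append(math.sin(2 * math.pi * TONE_HZ * t) if bit else 0.0)
    return [s + v for s, v in zip(clean, _lcg_noise(len(clean), noise))]


def envelope(samples, window):
    """Centred moving average of |x|: rectify then low-pass, the classic ASK envelope detector."""
    half = window // 2
    rect = [abs(x) for x in samples]
    prefix = [0.0]
    for r in rect:
        prefix.append(prefix[-1] + r)
    env = []
    for i in range(len(rect)):
        lo, hi = max(0, i - half), min(len(rect), i + half + 1)
        env.append((prefix[hi] - prefix[lo]) / (hi - lo))
    return env


def slice_bits(samples, sample_rate=SAMPLE_RATE, symbol_seconds=SYMBOL_SECONDS):
    """Threshold the envelope halfway between its minimum and maximum, then decide
    each symbol period by majority vote, starting at the first rising edge."""
    n = int(sample_rate * symbol_seconds)
    env = envelope(samples, max(1, n // 4))
    lo, hi = min(env), max(env)
    if hi - lo < 1e-6:                      # flat line: nothing was transmitted
        return []
    threshold = (lo + hi) / 2
    hard = [1 if e > threshold else 0 for e in env]
    if 1 not in hard:
        return []
    start = hard.index(1)
    bits = []
    for pos in range(start, len(hard) - n + 1, n):
        chunk = hard[pos:pos + n]
        bits.append(1 if 2 * sum(chunk) > len(chunk) else 0)
    return bits


def split_frames(bits, min_gap=4):
    """Split the bit stream on runs of at least `min_gap` zeros and trim the silence
    around each frame. Frames are assumed to end in a 1 symbol, as this one does."""
    frames, current, zeros = [], [], 0
    for b in bits:
        if b:
            if zeros >= min_gap and current:
                frames.append(current)
                current = []
            if current:
                current.extend([0] * zeros)
            current.append(1)
            zeros = 0
        else:
            zeros += 1
    if current:
        frames.append(current)
    return frames


def decode_capture(samples):
    """Full pipeline: envelope -> threshold -> symbol slicing -> frame splitting."""
    return split_frames(slice_bits(samples))


FRAME = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 1]   # constructed button code

if __name__ == "__main__":
    capture = make_ook_capture([FRAME] * 3)          # three repeats, as on the page
    frames = decode_capture(capture)
    print("frames decoded:", len(frames))
    print("all repeats identical:", len({tuple(f) for f in frames}) == 1)
```

The moving-average window is a quarter of a symbol, long enough to smooth the tone's half-cycles but short enough not to smear adjacent symbols into each other; majority voting over each symbol period then tolerates the one or two samples of edge uncertainty the smoothing introduces. Comparing the three decoded frames with `==` is the programmatic version of lining the three bursts up in Audacity.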

I now need to determine the digital encoding technique. I spent hours reading about RF encodings, data integrity and data validation, only to arrive at the conclusion that I didn't need to understand "what the code meant"; I just needed to repeat "the same words", just like a tourist reading from a translation booklet.

Trouble in paradise

Great, I had just managed to record the blinds remote; now I had to do the same with Somfy's sun covers. But when checking that the code was the same between recordings, I noticed differences. Every time I pressed a button, the code the remote sent would change (I knew choosing a commercial solution would bring trouble). This is where I started to learn about "Rolling Codes".

It turns out that what I was planning to do with the blinds is a very common attack used to get access to things such as garage doors and other RF devices. Even cars used to be this easy to hack! I've searched online and found several ways to deal with this problem, but I will leave that for another post. This has really been a learning experience!