In previous blog posts, I’ve described two ways to use an Arduino to interface with an off-the-shelf remote power sockets / switches. The first method uses transistors to simulate button presses. It involves some soldering and hacking the remote control unit. The second method uses an oscilloscope to sniff the signal sent by the remote control, and then simulates the same signal using an RF transmitter. But what if you don’t have an oscilloscope, or don’t know where to place the probe to take the measurement? In this post, I will describe a very simple method to sniff remote control signals. It only requires a 434 MHz RF receiver, a couple of resistors, an audio cable, a sound card (with line-in), and an free audio processing software. (Note: some RF remote sockets work at 315 MHz frequency range).
 To get started, I picked a set of indoor wireless power sockets from Amazon. This is different from the model I had before, and it’s not based on the PT2262 encoder, so I cannot predict the RF signal by just looking at the circuit board connections. The reason I picked this model is because it has separate On and Off buttons for each socket, instead of just a Toggle button. So if you want to make sure the socket is on, just repeatedly send the on signal. With only a toggle button, if there is a power reset or if the previous command was not successfully received, you will mess up the control and end up with completely flipped on/off status.
To get started, I picked a set of indoor wireless power sockets from Amazon. This is different from the model I had before, and it’s not based on the PT2262 encoder, so I cannot predict the RF signal by just looking at the circuit board connections. The reason I picked this model is because it has separate On and Off buttons for each socket, instead of just a Toggle button. So if you want to make sure the socket is on, just repeatedly send the on signal. With only a toggle button, if there is a power reset or if the previous command was not successfully received, you will mess up the control and end up with completely flipped on/off status.
RF Sniffing Circuit
Ok, here is the fun part: how can we sniff the signals sent by the remote control to the sockets? It turns out that most of these remote controls work in the 434 MHz band (note: some work in 315 MHz), so we can use a cheap 434 MHz RF receiver to intercept the signal. To record the signal, a simple way is to use your sound card and an audio recording software. The sound card can digitally sample the signal at high speed (e.g. 48,000 Hz), and it can record a signal over a long time, so it is more convenient than using an oscilloscope.
 This is by no means a new idea. I found it when reading this forum post. Scroll down and you will see the schematic to make the sniffing circuit. One important thing is that you should plug the audio cable to the Line-In jack on your sound card, not the Mic jack.
 This is by no means a new idea. I found it when reading this forum post. Scroll down and you will see the schematic to make the sniffing circuit. One important thing is that you should plug the audio cable to the Line-In jack on your sound card, not the Mic jack. 
The picture on the left is my implementation of the circuit. I used my handy AASaver to provide the +5V needed by the RF receiver. This way, the whole circuit sits on a breadboard without any external power adapter. I can easily insert it to the sound card at the back of my desktop PC.
Record the Control Signals
I used the open-source Audacity software in Linux to record the signals. All I have to do is to start recording, and press each of the 6 buttons on the remote control. Then I will zoom in and analyze the signals. Below is a snapshot:

Basically when you press a button, the same sequence is sent multiple times. Each sequence consists of two types of square waves: a long on followed by a short off, which I call a ‘1’, and a short on followed by a long off, which I call a ‘0’.
How can we find out the timing (i.e. the width) of the signal? In Audacity, if you zoom in the signal to the extreme, you will see the actual signal sample points. Remember that we know the sampling rate, which is 48000 Hz by default. So if we count the number of sample points, and divide that by the sampling frequency, then we will get the timing. For example, below is a snapshot of a short on. I counted that there are about 21 sample points, so the width of it (i.e. a short on or short off) is
Similarly, I figured out that a long on or long off is about 1300 us, which is three times the width of a short on or off. Also, there is about 12.5 ms delay before re-sending the same sequence. These timings don’t have to be very accurate.
With the timings figured out, I can now write down the complete sequence corresponding to each button:
Socket 1 on: 1001 0000 0010 1000 00000000000
Socket 1 off: 0101 0000 0010 1000 00000000000
Socket 2 on: 1001 0000 0010 0100 00000000000
Socket 2 off: 0101 0000 0010 0100 00000000000
Socket 3 on: 1001 0000 0010 0010 00000000000
Socket 3 off: 0101 0000 0010 0010 00000000000
Each ‘1’ is a 433 us on followed by a 1300 us off, and each ‘0’ is a 1300 us on followed by a 433 us off. The first 4 bits indicate socket on/off, the next 8 bits are always the same, and the 4 bits following from that indicate the index of each socket.
With these patterns recorded, I can reproduce the signal using an Arduino and a 434 MHz RF transmitter. The RF transmitter has one data pin, which can be connected to any Arduino I/O pin. Since there is a little bit of overhead when using Arduino’s delayMicroseconds function, I reduced the short delay time to 410 us. This way, the signal generated by the code is almost identical to the that produced by the remote control.
Download
- Download example Arduino code here. This example program assumes the RF transmitter data pin is connected to Arduino pin D3, which you can change at the beginning of the file.
Use OpenSprinkler to Control Power Sockets
Now that my Arduino can talk to the remote power sockets, how about adding Internet-based control? For example, sending control signals through a web interface, or even setting a time schedule to turn on or turn off sockets automatically during a day? Aha, my OpenSprinkler is perfect for this purpose. There are two reasons, first, the OpenSprinkler is an integrated circuit that includes ATmega328 + Ethernet + LCD + USB programmer; second, the latest OpenSprinkler software provides a nice web interface where you can set an interval schedule or switch to manual control mode. All that I have to do is to connect the RF transmitter using one of the available pins on board, and then add a few lines of code to send the RF signal wherever the corresponding sprinkler station is turned on or off. This way, I can easily use the same web interface to control power sockets. Internet of things instantly!
The image above shows my implementation. I used a half-built OpenSprinkler, with everything except the switching regulator section and the solenoid driver section. The RF transmitter is connected to the controller using three wires. Again, one of the nice things is that I can directly use the software already written for OpenSprinkler, to set a time schedule for automatically turning on or off power sockets. In addition, I can switch to manual control mode, which also has built-in timers.
What’s Next?
My next plan is to use the sniffing circuit to reverse engineer RF signals sent from wireless temperature, humidity, and rain sensors. This will allow me to use an Arduino and a RF receiver to decode the wireless data and get local temperature, humidity, and rain information. Of course the tricky part is to figure out how the data is encoded. So I will have a couple of posts in the next week or so about RF hacking. Stay tuned!



