Taking over TVs with Flipper Zero Infrared Port
TV, AC, and home audio remotes transmit commands via the infrared port. The infrared port in Flipper Zero allows you to control all IR devices: capture the signals and save them to an SD card, bruteforce unknown protocols, and load your own codes.
This article covers:
- How infrared receivers and transmitters work
- Varieties of digital signals from IR remotes
- Capturing and analyzing infrared signals
- Mastering the infrared with Flipper Zero
How the Infrared Port Works
Infrared light is invisible to humans. IR wavelength is from 0.7 to 1000 microns. Household remotes use an IR signal for data transmission and operate in the wavelength range of 0.75..1.4 microns. A microcontroller in the remote makes an infrared LED blink with a specific frequency, turning the digital signal into an IR signal.
To receive IR signals a photoreceiver is used. It converts IR light into voltage pulses, which are already digital signals. Usually, there is a dark light filter inside the receiver, which lets only the desired wavelength through and cuts out noise.
Infrared in Flipper Zero
The Flipper Zero IR port has a special dark window, which lets through only the IR light. This helps extract the desired IR signal and mitigates interference from visible light. The transceiver components are hidden behind that window. Flipper Zero's IR port can both receive and transmit signals.
A printed circuit board is located just behind the IR window. There are 3 IR LEDs on both sides of it — these are signal transmitters. Multiple LEDs are used to increase the transmission power. There is also a TSOP photoreceiver on the bottom side of the PCB. The TSOP receives an IR signal and outputs a digital signal, which is processed by the STM32 microcontroller.
Below you can see an interactive schematic and a 3D model of the iButton board, on which IR LEDs, a TSOP receiver, a speaker, and iButton contacts are installed:
IR Signal Receiver in Flipper Zero
Flipper uses a digital IR signal receiver TSOP, which allows intercepting signals from IR remotes. There are some smartphones like Xiaomi, which also have an IR port, but keep in mind that most of them can only transmit signals and are unable to receive them.
The Flipper infrared receiver is quite sensitive. You can even catch the signal while remaining somewhere in between the remote and the TV. Pointing the remote directly at Flipper's IR port is unnecessary. This comes in handy when someone is switching channels while standing near the TV, and both you and Flipper are some distance away. For example, when you're in a cafe and the bartender starts channel hopping, and you want to take control of the TV by capturing the signal.
As the decoding of the infrared signal happens on the software side, Flipper Zero potentially supports the reception and transmission of any IR remote codes. In the case of unknown protocols which could not be recognized - it records and plays back the raw signal exactly as received.
The interface of the saved remotes in the Flipper is displayed vertically. This way it is more convenient to hold the device in your hand while pointing the IR port towards the receiver at the same time.
To read the IR signal, it must get into the Flipper's IR window, which should be easy if you are indoors because the signal will most likely reflect from various surfaces and will hit the IR port eventually.
In order to read the IR signal navigate Infrared -> Learn new remote. The captured signal can then be saved to a new remote. It is possible to add several signals to one remote by selecting the desired remote in Infrared -> Saved remotes. You can add an unlimited number of signals (buttons) to a single remote.
Flipper Zero as Universal Remote
Flipper Zero can be used as a universal remote to control any TV, air conditioner, or media center. In this mode, Flipper bruteforces all known codes of all supported manufacturers according to the dictionary from the SD card. You don't need to choose a particular remote to turn of a restaurant TV.
It is enough to press the power button in the Universal Remote mode, and Flipper will sequentially send "Power Off" commands of all the TVs it knows: Sony, Samsung, Panasonic... and so on. When the TV receives its signal, it will react and turn off.
Such brute-force takes time. The larger the dictionary, the longer it will take to finish. It is impossible to find out which signal exactly the TV recognized since there is no feedback from the TV.
To use the Universal Remote mode, navigate Infrared -> Universal library and select the type of device you want to control.
To check or edit the dictionary, you need to open or create the corresponding file on the SD card. For example, for TVs, the dictionary file looks like this:
#Button name #Protocol #Address #Command
POWER NEC A:08 C:17
VOL+ NEC A:08 C:00
VOL- NEC A:08 C:01
CH+ NEC A:08 C:02
CH- NEC A:08 C:03
MUTE NEC A:08 C:0B
....
We plan to have dictionaries bundled with the firmware while keeping them in a separate repository, where all users will be able to offer their codes and keys.
Other Universal Remotes to Switch Off Any TV
There are devices specially designed for those who are annoyed by TVs. Such devices contain a database of signals for turning off TVs from different manufacturers. The principle of operation is the same as on Flipper: the device simply tries all known signals from its dictionary, hoping that at some moment the signal will work. Such a signal database is usually embedded in the firmware, and it is not easy to update it.
- Knopkus by Artemy Lebedev — a simple and beautiful device in a rubberized case with one button. After clicking the button, the code search begins. Unfortunately, the list of signals is not very large and it didn't work for TVs in our office and at home. There is no way to update the signal database in this device: there is some kind of off-brand microcontroller inside, and it's unclear how to flash it.
- TV B GONE — a well-known old project with open firmware and hardware. 4 powerful IR diodes at once make it very long-range. You can add your own codes, but you will need a chip programmer for this.
Flipper's main difference is that its brute-force dictionary is stored on the SD card and can be easily updated. Users can also create their own dictionaries for new classes of household appliances and automation. Flipper is also able to receive signals, so it can be trained to memorize any remote buttons that for some reason were not found in the brute-force dictionary.
TSOP Infrared Receiver
As the IR receiver Flipper uses a TSOP-75338 chip. This component filters the signal itself and maintains it at the constant logical level, amplifying if necessary. Therefore, the TSOP-75338 is able to receive even a very weak signal from small discharged remotes or signals reflected from walls. And the built-in amplifier allows you to get the same voltage levels, regardless of the IR signal strength. This greatly simplifies the software signal processing on the microcontroller side.
There is an RC filter in the power supply scheme for the TSOP-75338 photodetector. It is needed because the microcontroller interferes with the power lines, which is why the output digital signal of the photoreceiver may not correspond to the received signal. A diode is used for voltage-matching of the TSOP receiver and the STM32 microcontroller. TSOP outputs a digital signal, which gets processed by the STM32 microcontroller.
Functional blocks of TSOP-75338 IR receiver:
- IR light filter
- Sensitive IR photoreceiver
- Bandpass amplifier
- Automatic gain control
- Demodulator for getting a signal envelope
For transmission, a frequency-modulated signal is usually used. Our receiver demodulates the 38 kHz signal. Most remotes work on 36..38 kHz carrier waves.
Why Frequency Modulation
There is almost always some background noise when receiving an IR signal, it is there because lots of objects emit IR light, even ordinary lamps. Therefore, the receiver usually gets signal mixed with noise.
- Background IR noise is created by many light sources because the source of IR light is the generated heat. Therefore, the background IR noise is random. For clarity, it is depicted as a sinusoid in the video above.
- Modulated IR signal — IR pulse bursts from remote. The ideal pulse burst looks like a smooth meander, but such a signal can only be seen if there is no noise at all. In reality, the meander will always be superimposed on the noise and summed up with it.
Frequency modulation allows distinguishing signal from noise. When the signal flashes at a frequency of 38 kHz, the IR pulses are picked out from the background noise. Thus, the photoreceiver can determine the presence of a signal and distinguish it from the lamp illumination.
IR Signal Transmitter in Flipper Zero
The IR signal transmission is directly controlled by the STM32 Flipper microcontroller. It sends pulses to the LEDs through an external transistor. To increase its transmitting power, 3 IR LEDs are used instead of one.
As in remotes, data from Flipper Zero is transmitted with pulse bursts. The receiver demodulator forms envelopes (meanders) from pulse bursts which are then handled digitally. Often, the digital signal at the receiver output is an inverted envelope.
To increase the power of the transmitter, pulse bursts are used, rather than a whole meander. At the same time, the average power decreases or remains the same, so it doesn't affect the energy consumption.
Usually, transmitters work on 30..50 kHz carrier waves. This carrier range showed the lowest level of interference. Not to be confused with the frequency of the IR light, which corresponds to a wavelength of 940 nm (318.93 THz).
Analyzing IR protocols with Arduino
For rapid IR testing and debugging, we used the Arduino IRMP library. You can find instructions on how to assemble a device for analyzing IR protocols on the GitHub repository.
After collecting all office IR remotes we made sure that almost all of them have different IR protocols. But you can't fully trust the self-built analyzer. If the IR protocol is unknown, the Arduino IRMP analyzer may recognize it as the Siemens protocol.
To receive the IR signal with Arduino IRMP, we used the Flipper IR board directly. The variety of well-known IR protocols in the IRMP library allows faster firmware development.
Variety of IR Protocols
IR protocols differ in 3 factors:
- bit encoding
- data structure
- carrier frequency — often in range 36..38 kHz
Bit encoding ways
1. Pulse Distance Encoding
Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant.
2. Pulse Width Encoding
Bits are encoded by modulation of the pulse width. The width of space after pulse burst is constant.
3. Phase Encoding
It is also known as Manchester encoding. The logical value is defined by the polarity of the transition between pulse burst and space. "Space to pulse burst" denotes logic "0", "pulse burst to space" denotes logic "1".
4. Combination of previous ones and other exotics
Data structure
- control command
- device address
- checksums
- any other service info
There are IR protocols that are trying to become universal for several types of devices. The most famous ones are RC5 and NEC. Unfortunately, the most famous does not mean the most common. In my environment, I met just two NEC remotes and no RC5 ones.
Manufacturers love to use their own unique IR protocols, even within the same range of devices (for example, TV-boxes). Therefore, remotes from different companies and sometimes from different models from the same company, are unable to work with other devices of the same type.
IR protocols we know| Protocol Name | Details |
|---|---|
| SIRCS | Sony |
| NEC | NEC with 32 bits, 16 address + 8 + 8 command bits, Pioneer, JVC, Toshiba, NoName etc |
| NEC16 | NEC with 16 bits (incl. sync) |
| NEC42 | NEC with 42 bits |
| SAMSUNG | Samsung |
| SAMSUNG32 | Samsung32: no sync pulse at bit 16, length 32 instead of 37 |
| SAMSUNG48 | air conditioner with SAMSUNG protocol (48 bits) |
| LGAIR | LG air conditioner |
| MATSUSHITA | Matsushita |
| TECHNICS | Technics, similar to Matsushita, but 22 instead of 24 bits |
| KASEIKYO | Kaseikyo (Panasonic etc) |
| PANASONIC | Panasonic (Beamer), start bits similar to KASEIKYO |
| MITSU_HEAVY | Mitsubishi-Heavy Aircondition, similar timing as Panasonic beamer |
| RECS80 | Philips, Thomson, Nordmende, Telefunken, Saba |
| RC5 | Philips etc |
| DENON | Denon, Sharp |
| RC6 | Philips etc |
| APPLE | Apple, very similar to NEC |
| RECS80EXT | Philips, Technisat, Thomson, Nordmende, Telefunken, Saba |
| NUBERT | Nubert |
| BANG_OLUFSEN | Bang & Olufsen |
| GRUNDIG | Grundig |
| NOKIA | Nokia |
| SIEMENS | Siemens, e.g. Gigaset |
| FDC | FDC keyboard |
| RCCAR | RC Car |
| JVC | JVC (NEC with 16 bits) |
| RC6A | RC6A, e.g. Kathrein, XBOX |
| NIKON | Nikon |
| RUWIDO | Ruwido, e.g. T-Home Mediareceiver |
| IR60 | IR60 (SDA2008) |
| KATHREIN | Kathrein |
| NETBOX | Netbox keyboard (bitserial) |
| LEGO | LEGO Power Functions RC |
| THOMSON | Thomson |
| BOSE | BOSE |
| A1TVBOX | A1 TV Box |
| ORTEK | ORTEK — Hama |
| TELEFUNKEN | Telefunken (1560) |
| ROOMBA | iRobot Roomba vacuum cleaner |
| RCMM32 | Fujitsu-Siemens (Activy remote control) |
| RCMM24 | Fujitsu-Siemens (Activy keyboard) |
| RCMM12 | Fujitsu-Siemens (Activy keyboard) |
| SPEAKER | Another loudspeaker protocol, similar to Nubert |
| MERLIN | Merlin (Pollin 620 185) |
| PENTAX | Pentax camera |
| FAN | FAN (ventilator), very similar to NUBERT, but last bit is data bit instead of stop bit |
| S100 | very similar to RC5, but 14 instead of 13 data bits |
| ACP24 | Stiebel Eltron ACP24 air conditioner |
| VINCENT | Vincent |
| SAMSUNGAH | SAMSUNG AH |
| IRMP16 | IRMP specific protocol for data transfer, e.g. between two microcontrollers via IR |
| GREE | Gree climate |
| RCII | RC II Infra Red Remote Control Protocol for FM8 |
| METZ | METZ |
| ONKYO | Like NEC but with 16 address + 16 command bits |
Exploring IR signal with an oscilloscope
The most reliable way to see how the remote IR signal looks like is to use an oscilloscope. It does not demodulate or invert the received signal, it is just displayed "as is". This is useful for testing and debugging. I will show the expected signal on the example of the NEC IR protocol.
Usually, there is a preamble at the beginning of an encoded packet. This allows the receiver to determine the level of gain and background. There are also protocols without preamble, for example, Sharp.
Then data is transmitted. The structure, preamble, and bit encoding method are determined by the specific protocol.
NEC IR protocol contains a short command and a repeat code, which is sent while the button is pressed. Both the command and the repeat code have the same preamble at the beginning.
NEC command, in addition to the preamble, consists of an address byte and a command-number byte, by which the device understands what needs to be performed. Address and command-number bytes are duplicated with inverse values, to check the integrity of the transmission. There is an additional stop bit at the end of the command.
The repeat code has a "1" after the preamble, which is a stop bit.
For logic "0" and "1" NEC uses Pulse Distance Encoding: first, a pulse burst is transmitted after which there is a pause, its length sets the value of the bit.
Infrared oscilloscope probe
For capturing IR pulses with an oscilloscope I used a self-made Silver Bullet, developed by AnalysIR author. It is just an IR LED and a resistor, soldered to an RCA audio connector, which is then connected to an oscilloscope via a BNC->RCA adapter. It can be assembled in five minutes from that are generally available and easy to find.
While the IR light of the remote hits the IR LED of the probe, a small current begins to pass through the LED. This current raises a voltage at the LED pins, which is distinctly visible on the oscilloscope. It is important to lean the IR transmitter close to the probe, to get a clear signal on the oscilloscope.
What is wrong with Air Conditioners
Air conditioner remotes are full-fledged devices with a display. They control a lot of settings such as temperature, fan power, etc. At the same time, the remote does not know whether the air conditioner has received the signal, it simply sends a signal every time the settings on the remote are changed.
But what will happen if we change the temperature on the remote from another room, so the air conditioner does not get that signal? For example, the value of 19°C was set on the air conditioner, we went to another room and completely changed all the settings on the remote, setting it to 30°C. Then we return to the air conditioner and raise the temperature by 1°C up. If the remote simply sent a code of each button, as other remotes do, the temperature would be set to 20°C on the air conditioner, and we would see 31°C on the remote screen. The result would be a data desynchronization between the remote and the AC.
Therefore, air conditioner remotes, unlike other remotes, do not transmit the code of the pressed button, but all the parameters. In another word, these remotes always send ALL the remote data in one large packet. Such protocols are very complex.
The data structure of air conditioner remotes may be completely different for various models. Air conditioners may have different temperature or power ranges, humidity control options, etc. Therefore the data structure may be so large, so it has to be transmitted in several batches.
Creating a universal user interface for such remotes is a challenging task, due to the inability to test multiple air conditioners and their functions. Therefore we can work with several air conditioners, but support for a large number of models has not been already implemented yet.
How to analyze IR-signals on PC
To work with IR signals on PC I use the AnalysIR. This is a program for analyzing IR protocols and which supports different devices for IR-capturing. The most common way is to make a homemade receiver with TSOP and Arduino, and connect it via USB. I am using IR-toy V2 as a receiver. List of supported receivers: AnalysIR.pdf.
AnalysIR shows the envelope of the IR signal instead of pulses, unlike an oscilloscope. The program calculates the delays and durations of pulse bursts and logs this info. It helps analyze unknown IR protocols. AnalysIR knows more than 100 IR protocols and is able to recognize them automatically. By the way, the author of the program suggested adding support for a Flipper as an IR receiver. Great idea, isn't it?
Pre-order Now
Our first priority is to fulfill all Kickstarter orders, so our backers will get the first production batch.
If you missed our Kickstarter campaign, you can pre-order now and get your device in Fall 2021, as soon as the second batch is ready. Your pre-orders help us to plan the production and logistics.