IKEA Ansluta 433 MHz remote on/off switch reverse engineering
This is my humble attempt at analyzing and replicating the transmissions of the IKEA Ansluta remote on/off switch. (Note: There are at least two different versions of this remote; this is about the simple switch without dimming.)
Manuals:
- http://www.ikea.com/en/en/manuals/ansluta-remote-control__AA-804078-1_pub.pdf
- http://www.ikea.com/en/en/manuals/ansluta-remote-control__AA-855696-2_pub.pdf
The plan:
- find transmitter on the PCB
- capture
on/offtransmissions at the source - figure out the code (optional)
- replicate the code with own transmitter
Unfortunately I’m no electrical engineer, far from it: I’m utterly clueless. Let’s just open this thing up and have a look. I have another 433 MHz remote control for reference.
The reference remote is extremely simple: an 18 pin IC labelled HX2262, a led, a few switches and button pads, and the crystal oscillator (round metal package) labelled 433.92.
The Ansluta is more crowded, but we see a 16 pin IC, this time labelled Holtex HT48R06A-1, and a crystal (oblong metal package) labelled T13.560 – I’m not sure whether there’s any significance to the fact that this is not a 433 MHz crystal.
After trying a few of the IC’s pins I see that a led attached to pin 5 (bottom row in the picture) flickers suspiciously when pressing the on/off buttons — this must be it.
Here’s what I got from that pin (when pressing on) — this was repeated seven times:
Looks good, doesn’t it? An initial long sync pulse followed by a sequence with nice even spacing of about half a ms. More precisely, the periods of high voltage are slightly under half a ms, while a (single) low is slightly longer: 0.489±4% vs 0.507±2%.
Let’s call them 1 and 0 bits (even though they’re not) until the coding is figured out. Then the sequence looks like this:
100000000000000000000000000000000000(1 + 35 bits), then10101010100101010010010101001010010100100101001010100100101001010100100101010010100101001010010100101001001010010100101001010010(128 bits).
Okay, I feel slightly uncomfortable with this because of the uneven lengths, but clearly it’s a sequence of 10 and 100s. So let’s call those 1 and 0, yielding this shorter representation:
1111011001101010010110010110011010101010100101010101(oncode),1111011001101010010110010110011010101010100110101010(offcode).
Notice that all but the last eight bits are identical, and that those eight bits are precisely inverted: 01 (times four) for on, 10 for off.