Go Down

Topic: Stolen Intellectual Property (Read 654 times) previous topic - next topic

OLDokasional

You hear a lot these days about the Chinese stealing U.S. intellectual property.  Most of the time when they "steal" it they don't have to work at hacking or reverse engineering, the information is simply given to them as part of the conditions required to manufacture in China.  This post is NOT intended to discuss the political or moral aspects of this practice, so don't bother.

I'm looking for one or more team members who would like to put the shoe on the other foot, so to speak, by collaborating on a project to hack a Chinese product and publish the results in a prominent U.S. technical publication where many hobbyists can benefit from it.  The device I have selected for the target is one of the simplest, most efficient, best performing designs I have ever seen, and at my age I've seen many.  The product is called a "Learning Remote Control".  The Chinese company that makes it has many models, but the "crown jewel" in my opinion is the smallest model, shown in the attached schematic.  It does everything the models with dozens of learning keys do, only less of it.  Let me tell you why I think the design of this product is so commendable.

The entire circuit consists of an 8-bit CMOS processor with OTP program, a 24C16 EEPROM, two resistors, one capacitor, and two LEDs.  That's it!  For the 16 pins of the processor, two are for power and ground, two are for the EEPROM, three are for the LEDs, six are for the keyboard matrix, and three are unused.  Incredible!  The internal oscillator is good enough to provide data (carrier frequency and burst patterns) with accuracy of 1 or 2 percent.  Somehow it gets enough current from a processor pin to drive the IR LED so that it has a control range of at least 37 feet (measured), and that's with a battery supply of only 3 volts.  Learning a signal from a TV remote control takes about 15 seconds:  Press the Setup button, press the button to be learned, press the button that learns it, and press Setup again.  The infrared emitter LED also serves as a fast optical detector for learning.  I've learned signals of dozens of different protocols from a universal remote modified for crystal accuracy, and compared the learned signals with the originals to evaluate accuracy.   Nealy all published learning circuits use a 3-pin demodulating detector chip. They really learn only the demodulated signal waveform, then modulate it at a fixed carrier frequency when reproducing it.  Those same 3-pin chips are the front end of all TV remote control receivers.  They don't actually care what the carrier is, but they have a sharp band pass filter on it, so it makes a difference. The Chinese device actually measures and reproduces the exact carrier frequency from 10 KHz to 100 KHz.

I know how hard it can be to get even hex code from a OTP chip.  A couple of years ago I tried taking advantage of the EEPROM to figure out how they stored data for a learned signal, thinking that might give some clues as to how the program worked.  I made a test setup where I could switch the EEPROM back and forth from the learner to a device that would read out the EEPROM.  I would then record several buttons at different carrier frequencies or other parameters and look at the stored data patterns.  Hey, I never said this was an easy project.  But if you're curious to learn how the Chinese have done such a clever thing, and think it might be fun to try and find out, let me know.  Of course I would expect to provide some hardware and a lot more information and data to anyone who wants to help.  I also expect to write the published article, with due credit of course.

Incidentally, I tried for two years to contact someone at the manufacturer to pursuade them to market the OTP chip in the U.S. because there is no ASIC on the market for this.  No luck, not even an answer to any of my emails.  They need not be afraid someone will use it to compete with them.  They have a virtual monopoly on learning remotes.  I buy the little unit shown in the schematic for less than $4.

I can't see my schematic attachment, so I hope it is included.

Tommy Tyler
   

zwieblum

How would work on technology of days gone by?

wvmarle

You have the schematic, what's stopping you to simply build it?

The ad009-03 chips are sold at prices of about USD 0.25 a piece, the 24C16 for even less. Lots of sellers of this part on Alibaba. Start importing and market your device, don't bother reverse engineering and building your own as you're never going to match let alone beat that price.
Quality of answers is related to the quality of questions. Good questions will get good answers. Useless answers are a sign of a poor question.

6v6gt

#3
Sep 14, 2019, 05:53 am Last Edit: Sep 15, 2019, 12:15 pm by 6v6gt Reason: improved the title.
There are only a finite number of encoding schemes in normal use for these IR devices. For example NEC, Sony, JVC etc. There cannot be too many surprises because the manufacturers have to work with detectors available on the market e.g. the Vishay TSOP range.
I guess the ChungHop tries first to identify the encoding scheme looking at things like the carrier frequency, the length of header burst, the format of a bit (m microseconds mark, n microsecond space), the number of bits transmitted in a block, check digit or redundant transmission scheme in use, repetition code etc. It will do this by performing a series of trys until it gets a match with a known scheme.
Once it has got so far, then it can store the code it has learned from the source device in a relatively simple structure.
I cannot believe that it could work by a brute force recording of every nuance in the IR spectrum during the learning phase and spitting that back at the target device. Of course that would mean that if say a new TV manufacturer came along with a completely new proprietary IR encoding scheme, the ChungHop would be unable to cope without a software update.

So I don't think you have to do a complex reverse engineering task (unless that itself is really your goal here). You simply have to make an inventory of existing coding schemes and work out how to identify one in use so you can then record and later replay the data block.

zwieblum

What's the point in this? There have been applications even for PalmOS in the days that did this, and they were free. ETH Z├╝rich had a database of all IR protocols, when it was top notch. Nowadays virtually all IR controls use RC5, even transmittion fequency is standardised, so whare's the point?

6v6gt

#5
Sep 15, 2019, 12:14 pm Last Edit: Sep 15, 2019, 12:18 pm by 6v6gt
You may also be able to use a technique described here. https://www.instructables.com/id/Clone-a-Remote-with-Arduino/ .
It is very simple but requires some storage space. You'd only have to identify the carrier frequency, then record the lengths of the marks (uS) and spaces (uS) alternately in storage e.g. 9000,4500,562,562,562,1687.... .
To replay, you would simply switch the carrier on and off (at the correct frequency) for the appropriate time intervals. If you are not attempting to validate the code during recording, or clean it up, this may work for you.

Take a look for example at the NEC code specification to see how it would work: https://www.ad-notam.com/download/RS232/ad_notam_IR_protocol_DFU.pdf

Incidentally, I wrote a simple parser for NEC code which may help you get started if you go the route of attempting to identify the exact protocol in use: https://forum.arduino.cc/index.php?topic=619622.0 or google for Arduino IR library for more comprehensive solutions.

Your schematic omits the IR receiver, but this would have to be a basic photo transistor or photo diode. You could probably not use a TSOP device which are usually optimized for a specific carrier frequency and protocol. There are simple methods for detecting frequency, especially as there are only a small number of discrete frequencies in use.

Go Up