You hear a lot these days about the Chinese stealing U.S. intellectual property. Most of the time when they “steal” it they don’t have to work at hacking or reverse engineering; the information is simply given to them as part of the conditions required to manufacture in China. This post is NOT intended to discuss the political or moral aspects of this practice, so don’t bother.
I’m looking for one or more team members who would like to put the shoe on the other foot, so to speak, by collaborating on a project to hack a Chinese product and publish the results in a prominent U.S. technical publication where many hobbyists can benefit from it. The device I have selected for the target is one of the simplest, most efficient, best performing designs I have ever seen, and at my age I’ve seen many. The product is called a “Learning Remote Control”. The Chinese company that makes it has many models, but the “crown jewel” in my opinion is the smallest model, shown in the attached schematic. It does everything the models with dozens of learning keys do, only less of it. Let me tell you why I think the design of this product is so commendable.
The entire circuit consists of an 8-bit CMOS processor with OTP program, a 24C16 EEPROM, two resistors, one capacitor, and two LEDs. That’s it! For the 16 pins of the processor, two are for power and ground, two are for the EEPROM, three are for the LEDs, six are for the keyboard matrix, and three are unused. Incredible! The internal oscillator is good enough to provide data (carrier frequency and burst patterns) with accuracy of 1 or 2 percent. Somehow it gets enough current from a processor pin to drive the IR LED so that it has a control range of at least 37 feet (measured), and that’s with a battery supply of only 3 volts. Learning a signal from a TV remote control takes about 15 seconds: Press the Setup button, press the button to be learned, press the button that learns it, and press Setup again. The infrared emitter LED also serves as a fast optical detector for learning. I’ve learned signals of dozens of different protocols from a universal remote modified for crystal accuracy, and compared the learned signals with the originals to evaluate accuracy. Nearly all published learning circuits use a 3-pin demodulating detector chip. They really learn only the demodulated signal waveform, then modulate it at a fixed carrier frequency when reproducing it. Those same 3-pin chips are the front end of all TV remote control receivers. They don’t actually care what the carrier is, but they have a sharp band pass filter on it, so it makes a difference. The Chinese device actually measures and reproduces the exact carrier frequency from 10 kHz to 100 kHz.
I know how hard it can be to get even hex code from an OTP chip. A couple of years ago I tried taking advantage of the EEPROM to figure out how they stored data for a learned signal, thinking that might give some clues as to how the program worked. I made a test setup where I could switch the EEPROM back and forth from the learner to a device that would read out the EEPROM. I would then record several buttons at different carrier frequencies or other parameters and look at the stored data patterns. Hey, I never said this was an easy project. But if you’re curious to learn how the Chinese have done such a clever thing, and think it might be fun to try and find out, let me know. Of course I would expect to provide some hardware and a lot more information and data to anyone who wants to help. I also expect to write the published article, with due credit of course.
Incidentally, I tried for two years to contact someone at the manufacturer to persuade them to market the OTP chip in the U.S. because there is no ASIC on the market for this. No luck, not even an answer to any of my emails. They need not be afraid someone will use it to compete with them. They have a virtual monopoly on learning remotes. I buy the little unit shown in the schematic for less than $4.
I can’t see my schematic attachment, so I hope it is included.
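The dump-and-compare approach described in the post (learn signals at known carrier frequencies, read the 24C16 back, look for patterns) can be automated. The following is an added example, not part of the original post: it finds which EEPROM bytes change between dumps and flags any byte that scales like a carrier-period counter. The record layout, the 4 MHz timer rate and the sample dumps are constructed for the demonstration; the device's real storage format is unknown.

```python
# Added example: differential analysis of 24C16 dumps. The record layout used to
# build the sample dumps is invented for the demo; the real format is unknown.
EEPROM_SIZE = 2048  # 24C16 = 16 kbit

def changed_offsets(dumps):
    """Offsets whose byte value is not identical across all dumps."""
    return [i for i in range(EEPROM_SIZE) if len({d[i] for d in dumps}) > 1]

def runs(offsets):
    """Collapse sorted offsets into inclusive (start, end) runs."""
    out = []
    for o in offsets:
        if out and o == out[-1][1] + 1:
            out[-1] = (out[-1][0], o)
        else:
            out.append((o, o))
    return out

def period_candidates(labelled, tolerance=0.02):
    """Find bytes that behave like a carrier-period counter.

    labelled: list of (carrier_hz, dump). If a byte holds the carrier period in
    timer ticks, byte * carrier_hz is the same tick rate in every dump.
    Returns [(offset, estimated_tick_hz)].
    """
    hits = []
    for off in changed_offsets([d for _, d in labelled]):
        products = [d[off] * hz for hz, d in labelled]
        if min(products) > 0 and max(products) / min(products) <= 1 + tolerance:
            hits.append((off, sum(products) / len(products)))
    return hits

def make_dump(carrier_hz, bursts, tick_hz=4_000_000, base=0x40):
    """Constructed sample: blank EEPROM plus one record in a made-up layout."""
    d = bytearray([0xFF]) * EEPROM_SIZE
    d[base] = round(tick_hz / carrier_hz)      # hypothetical period byte
    d[base + 1] = len(bursts)                  # hypothetical length byte
    d[base + 2:base + 2 + len(bursts)] = bytes(bursts)
    return bytes(d)

SAMPLES = [  # (carrier the source remote was set to, dump read back afterwards)
    (36_000, make_dump(36_000, [9, 4, 1, 1, 1, 3])),
    (38_000, make_dump(38_000, [9, 4, 1, 3, 1, 1])),
    (40_000, make_dump(40_000, [24, 6, 12, 6])),
    (56_000, make_dump(56_000, [8, 4, 2, 2, 2, 2])),
]

if __name__ == "__main__":
    print(runs(changed_offsets([d for _, d in SAMPLES])))
    for off, tick in period_candidates(SAMPLES):
        print(f"0x{off:03X}: period-like byte, timer ~{tick / 1e6:.2f} MHz")
```

With real readouts, replace `SAMPLES` with the labelled dumps; a period stored in more than one byte would need the same constant-product test applied to 16-bit words.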