PAGE 2 of 3 - Identifying the Air condition remote control transmission protocol
Now i had to identify the transmission protocol. It turned out to be a hard job and i had to make a lot of tests, but i finally managed to decipher it. First of all, i made some changes to my software. Now that i know what sort of modulation is used, i can de-modulate the signal from the oscilloscope's data. I added a few fields and a long text box which shows the zeros and aces of the transmuted signal in sets of 8-bits:
And then i began the long process of acquiring different data sets for first analysis. I decided to begin by only changing the temperature setting from 31 (max) to 16(min) degrees. Then i pasted all these data to an A4 sheet and printed:
There are 2 regions in the transmitted code which changed when the temperature is changed. That was rather strange because i only expected one region to change. To further identify the protocol, i began taking samples and analyze the digital data (zeros and aces) instead:
There are 14 sets of 8-bit bytes in the protocol. Each byte is sent from left to right, so the LSB is always left and the MSB right. The bits probably must be inverted for proper calculations. The first 5 bytes never change, so i suppose this is the identification code. The 6th byte changes only if a turn-off command is set.
The 7th byte appears to change only when i select different mode (DRY-FAN-HEAT-FEEL-COOL). Only the first 4 bits are used.
The 8th byte seems to have the temperature setting. Only the first 4 bits are used. A 4-bit number can be from 0 to 15, and this explains why the minimum to maximum value is 15 (31-16=15). When the temperature is 16 degrees, the byte is 00001111, and when it is 31 it is 11111111.
The 9th byte seems to have two functions. The first 3 bytes are changed when i select the FAN speed (LOW-MID-HIGH-AUTO). The next 3 bytes are "111" when no SWING is selected, and they become "000" when i enable the SWING.
The next 4 bytes appear to be unchanged all the time. The remote control has some extra functions such as SLEEP mode and on/off TIMER, so probably these bytes are used for these functions. Additionally, notice the green bits. It is obvious that the remote control is responsible to avoid wrong setups. This is precisely the reason why the remote control must always send the compete parameter set upon a button press. For example, notice what happens when i change the MODE from COOL to HEAT. The temprature was set to 16 degrees. Probably, the manufacturer decided that HEAT operation cannot be used with such low temperature, so the control automatically sets the temperature to 24 degrees. Similarly, the FAN is not allowed to me in AUTO if the air-condition is used as a simple FAN.
The last byte was the hardest
At first, i thought that the last byte represents the temperature change, because if you notice, the last byte is change whenever the temperature is changed. One degree of change in the temperature equals to one change in the last byte. But then i noticed that the last byte changes not only with the temperature. As a matter of fact, any change that is done the last byte changes as well. So, the last byte is something like error correction. But what kind of error correction?
I tried to XOR bytes to see if there is a logical result, but i failed. After many observations and tests, i remembered that the the last byte is changed by one when the temperature is changed by one. There is one mathematical function which can achieve this; The addition!
At first, i inverted all the bits because it seemed to be more logical. Then i added the bytes 7-8 and 9 for all the previous samples. To my surprise, when i subtracted this result from the last byte, i always had a constant result of decimal 57, with one exception: The OFF command. This command gave me a different result. Obviously, the 6th byte had to be included in the addition.
So i added all bytes fro 6 to 9. To my surprise, everything looked prettier now! By subtracting the result of this addition from the last byte, i always had constant subtraction result of 21! Normally, this would be the end! To re-create the last byte, i only had to add the bytes form 6 to 9 and then add another 21 and that's all. But since my curiosity always overcomes my practical instincts, i had to find out where this "21" comes from.
The bytes 10 to 13 have no interest since they are all 0 (remember that i invert all bits). So the secret should be hidden somewhere in the first bytes. Unfortunately, none of them is 21. And if i add all these bytes, the result was very high...
BYTE 1: 11000100 = 35
BYTE 2: 11010011 = 203
BYTE 3: 01100100 = 38
BYTE 4: 10000000 = 1
BYTE 5: 00000000 = 0
Addition result = 277
And then, after and hour of tests and research, it just came to me! What if i just ignore the 9th bit of the previous addition which results from the 8-bit overflow???
277 - 256 = 21
This is why i like reverse-engineering that much!
Finally, regarding the last byte. This byte is a simple error correction. To generate this byte, i only need to add the 13 bytes of the protocol and completely ignore any overflow from the 8th to the 9th bit. A very simple operation for any microcontroller!