Taking over TVs with Flipper Zero Infrared Port

TV, AC, and home audio remotes transmit commands via the infrared port. The infrared port in Flipper Zero allows you to control all IR devices: capture the signals and save them to an SD card, bruteforce unknown protocols, and load your own codes.

This article covers:

  • How infrared receivers and transmitters work
  • Varieties of digital signals from IR remotes
  • Capturing and analyzing infrared signals
  • Mastering the infrared with Flipper Zero

How the Infrared Port Works

Infrared light is invisible to humans. IR wavelength is from 0.7 to 1000 microns. Household remotes use an IR signal for data transmission and operate in the wavelength range of 0.75..1.4 microns. A microcontroller in the remote makes an infrared LED blink with a specific frequency, turning the digital signal into an IR signal.

[Video] The remote transmits data in batches of IR pulses

To receive IR signals a photoreceiver is used. It converts IR light into voltage pulses, which are already digital signals. Usually, there is a dark light filter inside the receiver, which lets only the desired wavelength through and cuts out noise.

Infrared in Flipper Zero

The Flipper Zero IR port has a special dark window, which lets through only the IR light. This helps extract the desired IR signal and mitigates interference from visible light. The transceiver components are hidden behind that window. Flipper Zero's IR port can both receive and transmit signals.

[Video] Flipper Zero IR port placement

A printed circuit board is located just behind the IR window. There are 3 IR LEDs on both sides of it — these are signal transmitters. Multiple LEDs are used to increase the transmission power. There is also a TSOP photoreceiver on the bottom side of the PCB. The TSOP receives an IR signal and outputs a digital signal, which is processed by the STM32 microcontroller.

[Interactive schematic and 3D model] The iButton board, on which IR LEDs, a TSOP receiver, a speaker, and iButton contacts are installed

IR Signal Receiver in Flipper Zero

Flipper uses a digital IR signal receiver TSOP, which allows intercepting signals from IR remotes. There are some smartphones like Xiaomi, which also have an IR port, but keep in mind that most of them can only transmit signals and are unable to receive them.

The Flipper infrared receiver is quite sensitive. You can even catch the signal while remaining somewhere in between the remote and the TV. Pointing the remote directly at Flipper's IR port is unnecessary. This comes in handy when someone is switching channels while standing near the TV, and both you and Flipper are some distance away. For example, when you're in a cafe and the bartender starts channel hopping, and you want to take control of the TV by capturing the signal.

[Video] Capturing IR signal

As the decoding of the infrared signal happens on the software side, Flipper Zero potentially supports the reception and transmission of any IR remote codes. When a protocol is unknown and cannot be recognized, Flipper records and plays back the raw signal exactly as received.

[Video] Learning feature demo: Flipper captures channel switch signals and controls the TV

The interface of the saved remotes in the Flipper is displayed vertically. This way it is more convenient to hold the device in your hand while pointing the IR port towards the receiver at the same time.

To read the IR signal, it must get into the Flipper's IR window, which should be easy if you are indoors because the signal will most likely reflect from various surfaces and will hit the IR port eventually.

To read the IR signal, navigate to Infrared -> Learn new remote. The captured signal can then be saved to a new remote. It is possible to add several signals to one remote by selecting the desired remote in Infrared -> Saved remotes. You can add an unlimited number of signals (buttons) to a single remote.

Flipper Zero as Universal Remote

[Video] Bruteforcing a cafe TV

Flipper Zero can be used as a universal remote to control any TV, air conditioner, or media center. In this mode, Flipper bruteforces all known codes of all supported manufacturers according to the dictionary from the SD card. You don't need to choose a particular remote to turn off a restaurant TV.

It is enough to press the power button in the Universal Remote mode, and Flipper will sequentially send "Power Off" commands of all the TVs it knows: Sony, Samsung, Panasonic... and so on. When the TV receives its signal, it will react and turn off.

Such brute-force takes time. The larger the dictionary, the longer it will take to finish. It is impossible to find out which signal exactly the TV recognized since there is no feedback from the TV.

[Video] Dictionary-based brute-force mode

To use the Universal Remote mode, navigate to Infrared -> Universal library and select the type of device you want to control.

To check or edit the dictionary, you need to open or create the corresponding file on the SD card. For example, for TVs, the dictionary file looks like this:

#Button name #Protocol  #Address #Command
POWER        NEC        A:08     C:17
VOL+         NEC        A:08     C:00
VOL-         NEC        A:08     C:01
CH+          NEC        A:08     C:02
CH-          NEC        A:08     C:03
MUTE         NEC        A:08     C:0B
....

We plan to have dictionaries bundled with the firmware while keeping them in a separate repository, where all users will be able to offer their codes and keys.

Other Universal Remotes to Switch Off Any TV

There are devices specially designed for those who are annoyed by TVs. Such devices contain a database of signals for turning off TVs from different manufacturers. The principle of operation is the same as on Flipper: the device simply tries all known signals from its dictionary, hoping that at some moment the signal will work. Such a signal database is usually embedded in the firmware, and it is not easy to update it.

Comparison of Flipper Zero and other devices which turn off TVs
  • Knopkus by Artemy Lebedev — a simple and beautiful device in a rubberized case with one button. After clicking the button, the code search begins. Unfortunately, the list of signals is not very large and it didn't work for TVs in our office and at home. There is no way to update the signal database in this device: there is some kind of off-brand microcontroller inside, and it's unclear how to flash it.
  • TV B GONE — a well-known old project with open firmware and hardware. 4 powerful IR diodes at once make it very long-range. You can add your own codes, but you will need a chip programmer for this.

Flipper's main difference is that its brute-force dictionary is stored on the SD card and can be easily updated. Users can also create their own dictionaries for new classes of household appliances and automation. Flipper is also able to receive signals, so it can be trained to memorize any remote buttons that for some reason were not found in the brute-force dictionary.

TSOP Infrared Receiver

TSOP-75538 IR receiver used in Flipper Zero

As the IR receiver Flipper uses a TSOP-75338 chip. This component filters the signal itself and maintains it at the constant logical level, amplifying if necessary. Therefore, the TSOP-75338 is able to receive even a very weak signal from small discharged remotes or signals reflected from walls. And the built-in amplifier allows you to get the same voltage levels, regardless of the IR signal strength. This greatly simplifies the software signal processing on the microcontroller side.

Flipper Zero PCB that contains IR transceiver. The schematics show how TSOP-75538 is connected

There is an RC filter in the power supply scheme for the TSOP-75338 photodetector. It is needed because the microcontroller interferes with the power lines, which is why the output digital signal of the photoreceiver may not correspond to the received signal. A diode is used for voltage-matching of the TSOP receiver and the STM32 microcontroller. TSOP outputs a digital signal, which gets processed by the STM32 microcontroller.

Functional blocks of TSOP-75338 IR receiver:

  • IR light filter
  • Sensitive IR photoreceiver
  • Bandpass amplifier
  • Automatic gain control
  • Demodulator for getting a signal envelope

For transmission, a frequency-modulated signal is usually used. Our receiver demodulates the 38 kHz signal. Most remotes work on 36..38 kHz carrier waves.

Why Frequency Modulation

[Video] Digital IR signal gets interfered with noise

There is almost always some background noise when receiving an IR signal, because lots of objects emit IR light, even ordinary lamps. Therefore, the receiver usually gets the signal mixed with noise.

  • Background IR noise is created by many light sources because the source of IR light is the generated heat. Therefore, the background IR noise is random. For clarity, it is depicted as a sinusoid in the video above.
  • Modulated IR signal — IR pulse bursts from remote. The ideal pulse burst looks like a smooth meander, but such a signal can only be seen if there is no noise at all. In reality, the meander will always be superimposed on the noise and summed up with it.

Frequency modulation allows distinguishing signal from noise. When the signal flashes at a frequency of 38 kHz, the IR pulses are picked out from the background noise. Thus, the photoreceiver can determine the presence of a signal and distinguish it from the lamp illumination.
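The following sketch is an added example, not code from the article or from the Flipper firmware. The TSOP does this filtering in analog hardware; here a Goertzel filter tuned to 38 kHz stands in for the bandpass stage, and the sample rate, signal amplitudes and thresholds are assumptions chosen for a constructed input.

```python
import math

FS = 400_000       # sample rate in Hz (assumption for this sketch)
CARRIER = 38_000   # carrier frequency the receiver is tuned to
WINDOW = 200       # samples per analysis window = 0.5 ms = 19 carrier cycles

# Constructed burst pattern: 1 = remote is sending a 38 kHz burst in that window.
PATTERN = [1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1]


def synth(pattern):
    """Constructed photodiode signal: weak 38 kHz bursts on top of a strong,
    slowly varying 100 Hz 'lamp' sinusoid (the background IR light)."""
    samples = []
    for n in range(len(pattern) * WINDOW):
        t = n / FS
        lamp = 1.0 + 0.8 * math.sin(2 * math.pi * 100 * t)
        led_on = pattern[n // WINDOW] and math.sin(2 * math.pi * CARRIER * t) > 0
        samples.append(lamp + (0.1 if led_on else 0.0))
    return samples


def goertzel_power(block, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def windows(samples):
    return [samples[i:i + WINDOW] for i in range(0, len(samples), WINDOW)]


def carrier_envelope(samples, threshold=10.0):
    """Envelope recovered by looking only at energy around the carrier."""
    return [int(goertzel_power(w, CARRIER) > threshold) for w in windows(samples)]


def brightness_threshold(samples, threshold=1.025):
    """Naive receiver: compares average brightness, ignores the carrier."""
    return [int(sum(w) / len(w) > threshold) for w in windows(samples)]


if __name__ == "__main__":
    signal = synth(PATTERN)
    print("sent     ", PATTERN)
    print("38 kHz   ", carrier_envelope(signal))
    print("no filter", brightness_threshold(signal))
```

The brightness-only receiver follows the lamp instead of the remote, while the carrier-tuned one recovers the burst pattern even though the bursts are much weaker than the background.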

IR Signal Transmitter in Flipper Zero

[Video] Schematics of IR to MCU connection in Flipper Zero

The IR signal transmission is directly controlled by the STM32 Flipper microcontroller. It sends pulses to the LEDs through an external transistor. To increase its transmitting power, 3 IR LEDs are used instead of one.

[Video] Pulses on the transmitter side are converted to an inverted digital signal on the receiver side

As in remotes, data from Flipper Zero is transmitted with pulse bursts. The receiver demodulator forms envelopes (meanders) from pulse bursts which are then handled digitally. Often, the digital signal at the receiver output is an inverted envelope.

To increase the power of the transmitter, pulse bursts are used, rather than a whole meander. At the same time, the average power decreases or remains the same, so it doesn't affect the energy consumption.

Usually, transmitters work on 30..50 kHz carrier waves. This carrier range showed the lowest level of interference. Not to be confused with the frequency of the IR light, which corresponds to a wavelength of 940 nm (318.93 THz).

Analyzing IR protocols with Arduino

For rapid IR testing and debugging, we used the Arduino IRMP library. You can find instructions on how to assemble a device for analyzing IR protocols on the GitHub repository.

Arduino IRMP-based IR protocols analyzer schematics

After collecting all the IR remotes in the office, we found that almost all of them use different IR protocols. But you can't fully trust the self-built analyzer. If the IR protocol is unknown, the Arduino IRMP analyzer may recognize it as the Siemens protocol.

To receive the IR signal with Arduino IRMP, we used the Flipper IR board directly. The variety of well-known IR protocols in the IRMP library allows faster firmware development.

[Video] IRMP-Arduino IR Analyzer

Variety of IR Protocols

IR protocols differ in 3 factors:

  • bit encoding
  • data structure
  • carrier frequency — often in range 36..38 kHz

Bit encoding methods

1. Pulse Distance Encoding

Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant.

With pulse distance encoding, the bits differ only in the delay after pulse bursts

2. Pulse Width Encoding

Bits are encoded by modulation of the pulse width. The width of space after pulse burst is constant.

With pulse width encoding, the pulse burst width is different for "0" and "1"

3. Phase Encoding

It is also known as Manchester encoding. The logical value is defined by the polarity of the transition between pulse burst and space. "Space to pulse burst" denotes logic "0", "pulse burst to space" denotes logic "1".

With biphase encoding, the bit value is defined by space and pulse burst order

4. Combination of previous ones and other exotics

Data structure

  • control command
  • device address
  • checksums
  • any other service info

There are IR protocols that are trying to become universal for several types of devices. The most famous ones are RC5 and NEC. Unfortunately, the most famous does not mean the most common. In my environment, I met just two NEC remotes and no RC5 ones.

Manufacturers love to use their own unique IR protocols, even within the same range of devices (for example, TV-boxes). Therefore, remotes from different companies and sometimes from different models from the same company, are unable to work with other devices of the same type.

IR protocols we know
Protocol Name  Details
SIRCS          Sony
NEC            NEC with 32 bits, 16 address + 8 + 8 command bits, Pioneer, JVC, Toshiba, NoName etc
NEC16          NEC with 16 bits (incl. sync)
NEC42          NEC with 42 bits
SAMSUNG        Samsung
SAMSUNG32      Samsung32: no sync pulse at bit 16, length 32 instead of 37
SAMSUNG48      air conditioner with SAMSUNG protocol (48 bits)
LGAIR          LG air conditioner
MATSUSHITA     Matsushita
TECHNICS       Technics, similar to Matsushita, but 22 instead of 24 bits
KASEIKYO       Kaseikyo (Panasonic etc)
PANASONIC      Panasonic (Beamer), start bits similar to KASEIKYO
MITSU_HEAVY    Mitsubishi-Heavy Aircondition, similar timing as Panasonic beamer
RECS80         Philips, Thomson, Nordmende, Telefunken, Saba
RC5            Philips etc
DENON          Denon, Sharp
RC6            Philips etc
APPLE          Apple, very similar to NEC
RECS80EXT      Philips, Technisat, Thomson, Nordmende, Telefunken, Saba
NUBERT         Nubert
BANG_OLUFSEN   Bang & Olufsen
GRUNDIG        Grundig
NOKIA          Nokia
SIEMENS        Siemens, e.g. Gigaset
FDC            FDC keyboard
RCCAR          RC Car
JVC            JVC (NEC with 16 bits)
RC6A           RC6A, e.g. Kathrein, XBOX
NIKON          Nikon
RUWIDO         Ruwido, e.g. T-Home Mediareceiver
IR60           IR60 (SDA2008)
KATHREIN       Kathrein
NETBOX         Netbox keyboard (bitserial)
LEGO           LEGO Power Functions RC
THOMSON        Thomson
BOSE           BOSE
A1TVBOX        A1 TV Box
ORTEK          ORTEK — Hama
TELEFUNKEN     Telefunken (1560)
ROOMBA         iRobot Roomba vacuum cleaner
RCMM32         Fujitsu-Siemens (Activy remote control)
RCMM24         Fujitsu-Siemens (Activy keyboard)
RCMM12         Fujitsu-Siemens (Activy keyboard)
SPEAKER        Another loudspeaker protocol, similar to Nubert
MERLIN         Merlin (Pollin 620 185)
PENTAX         Pentax camera
FAN            FAN (ventilator), very similar to NUBERT, but last bit is data bit instead of stop bit
S100           very similar to RC5, but 14 instead of 13 data bits
ACP24          Stiebel Eltron ACP24 air conditioner
VINCENT        Vincent
SAMSUNGAH      SAMSUNG AH
IRMP16         IRMP specific protocol for data transfer, e.g. between two microcontrollers via IR
GREE           Gree climate
RCII           RC II Infra Red Remote Control Protocol for FM8
METZ           METZ
ONKYO          Like NEC but with 16 address + 16 command bits

Exploring IR signal with an oscilloscope

[Video] Capturing the IR signal with an oscilloscope

The most reliable way to see what the remote IR signal looks like is to use an oscilloscope. It does not demodulate or invert the received signal; the signal is simply displayed "as is". This is useful for testing and debugging. I will show the expected signal using the NEC IR protocol as an example.

Popular NEC protocol oscillogram

Usually, there is a preamble at the beginning of an encoded packet. This allows the receiver to determine the level of gain and background. There are also protocols without preamble, for example, Sharp.

Then data is transmitted. The structure, preamble, and bit encoding method are determined by the specific protocol.

NEC IR protocol contains a short command and a repeat code, which is sent while the button is pressed. Both the command and the repeat code have the same preamble at the beginning.

NEC command, in addition to the preamble, consists of an address byte and a command-number byte, by which the device understands what needs to be performed. Address and command-number bytes are duplicated with inverse values, to check the integrity of the transmission. There is an additional stop bit at the end of the command.

The repeat code has a "1" after the preamble, which is a stop bit.

For logic "0" and "1" NEC uses Pulse Distance Encoding: first, a pulse burst is transmitted after which there is a pause, its length sets the value of the bit.
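To tie the NEC frame layout described above to the dictionary format shown earlier, here is an added example (not code from the article or the Flipper firmware). It turns a dictionary line into mark/space durations and decodes them back, including the inverse-byte integrity check and the repeat code. The microsecond timing constants are the commonly documented NEC values, not figures from this page, and the function names are hypothetical.

```python
# Commonly documented NEC timings in microseconds (assumption, not from the article).
LEADER_MARK, LEADER_SPACE = 9000, 4500   # preamble burst and following pause
REPEAT_SPACE = 2250                      # pause after the preamble in a repeat code
BIT_MARK = 562                           # constant-width pulse burst
ZERO_SPACE, ONE_SPACE = 562, 1687        # pause length carries the bit value


def parse_entry(line):
    """Parse a dictionary line such as 'POWER NEC A:08 C:17'."""
    name, protocol, addr, cmd = line.split()
    if not (addr.startswith("A:") and cmd.startswith("C:")):
        raise ValueError("expected A:<hex> and C:<hex> fields")
    return name, protocol, int(addr[2:], 16), int(cmd[2:], 16)


def nec_encode(address, command):
    """Alternating mark/space durations for one NEC command frame."""
    payload = [address, address ^ 0xFF, command, command ^ 0xFF]
    timings = [LEADER_MARK, LEADER_SPACE]
    for byte in payload:
        for i in range(8):                       # bits are sent LSB first
            timings += [BIT_MARK, ONE_SPACE if byte >> i & 1 else ZERO_SPACE]
    return timings + [BIT_MARK]                  # stop bit: one final burst


def near(value, target, tol=0.25):
    """Real captures jitter, so compare durations with a tolerance."""
    return abs(value - target) <= target * tol


def nec_decode(timings):
    """Return ('repeat',) or ('command', address, command); raise on bad frames."""
    if len(timings) < 3 or not near(timings[0], LEADER_MARK):
        raise ValueError("no NEC preamble")
    if len(timings) == 3 and near(timings[1], REPEAT_SPACE):
        return ("repeat",)
    if len(timings) != 67 or not near(timings[1], LEADER_SPACE):
        raise ValueError("not a full NEC command frame")
    data = [0, 0, 0, 0]
    for bit in range(32):
        mark, space = timings[2 + 2 * bit], timings[3 + 2 * bit]
        if not near(mark, BIT_MARK):
            raise ValueError(f"bad burst width at bit {bit}")
        if near(space, ONE_SPACE):
            data[bit // 8] |= 1 << (bit % 8)
        elif not near(space, ZERO_SPACE):
            raise ValueError(f"bad pause length at bit {bit}")
    addr, addr_inv, cmd, cmd_inv = data
    if addr ^ addr_inv != 0xFF or cmd ^ cmd_inv != 0xFF:
        raise ValueError("inverse-byte integrity check failed")
    return ("command", addr, cmd)


if __name__ == "__main__":
    _, _, a, c = parse_entry("POWER        NEC        A:08     C:17")
    print(nec_decode(nec_encode(a, c)))
```

A frame whose pause lengths were corrupted in transit fails the inverse-byte check instead of being decoded as a different button.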

Infrared oscilloscope probe

Oscilloscope captures IR signal with a "silver bullet"

For capturing IR pulses with an oscilloscope I used a self-made Silver Bullet, developed by the AnalysIR author. It is just an IR LED and a resistor, soldered to an RCA audio connector, which is then connected to an oscilloscope via a BNC->RCA adapter. It can be assembled in five minutes from parts that are generally available and easy to find.

Silver Bullet IR-capturing oscilloscope probe circuit diagram

While the IR light of the remote hits the IR LED of the probe, a small current begins to pass through the LED. This current raises a voltage at the LED pins, which is distinctly visible on the oscilloscope. It is important to lean the IR transmitter close to the probe, to get a clear signal on the oscilloscope.

What is wrong with Air Conditioners

Air conditioner remotes send a large single package with a full list of settings

Air conditioner remotes are full-fledged devices with a display. They control a lot of settings such as temperature, fan power, etc. At the same time, the remote does not know whether the air conditioner has received the signal, it simply sends a signal every time the settings on the remote are changed.

But what will happen if we change the temperature on the remote from another room, so the air conditioner does not get that signal? For example, the value of 19°C was set on the air conditioner, we went to another room and completely changed all the settings on the remote, setting it to 30°C. Then we return to the air conditioner and raise the temperature by 1°C up. If the remote simply sent a code of each button, as other remotes do, the temperature would be set to 20°C on the air conditioner, and we would see 31°C on the remote screen. The result would be a data desynchronization between the remote and the AC.

Therefore, air conditioner remotes, unlike other remotes, do not transmit the code of the pressed button, but all the parameters. In other words, these remotes always send ALL the remote data in one large packet. Such protocols are very complex.

[Video] Capturing an AC remote signals (NEC IR protocol) using the IR-toy receiver and AnalysIR software

The data structure of air conditioner remotes may be completely different for various models. Air conditioners may have different temperature or power ranges, humidity control options, etc. Therefore the data structure may be so large that it has to be transmitted in several batches.

Creating a universal user interface for such remotes is a challenging task, due to the inability to test multiple air conditioners and their functions. Therefore we can work with several air conditioners, but support for a large number of models has not been implemented yet.

How to analyze IR-signals on PC

Scheme of using AnalysIR with the IR-Toy device

To work with IR signals on PC I use AnalysIR. This is a program for analyzing IR protocols that supports different devices for IR capturing. The most common way is to make a homemade receiver with TSOP and Arduino, and connect it via USB. I am using IR-toy V2 as a receiver. List of supported receivers: AnalysIR.pdf.

AnalysIR shows the envelope of the IR signal instead of pulses, unlike an oscilloscope. The program calculates the delays and durations of pulse bursts and logs this info. It helps analyze unknown IR protocols. AnalysIR knows more than 100 IR protocols and is able to recognize them automatically. By the way, the author of the program suggested adding support for a Flipper as an IR receiver. Great idea, isn't it?
