Created
March 26, 2012 21:20
-
-
Save udif/a81a4aa671775d28f251 to your computer and use it in GitHub Desktop.
Bury 9012 remote control reverse engineering
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Using Atmel ATMEGA48 driving a Nordic Semiconductor 2402 transmitter with a 16Mhz oscillator. | |
| Programming connector (Standard Atmel): | |
| GND MOSI VCC | |
| 6 4 2 | |
| RST SCLK MISO | |
| 5 3 1 | |
| Pin 1 is marked by a square pad | |
| ATMGA48<>2402 comms: | |
| +----------+------------+----------+-------+ | |
| |Atmel Pin | Atmel Name | 2402 Pin | Desc | | |
| +----------+------------+----------+-------+ | |
| | 32 | PD2 | 2 | CS | | |
| | 31 | PD1/TxD | 4 | DIN | | |
| | 30 | PD0 | 1 | CE | | |
| | 2 | PD4/RxD | 3 | CLK | | |
| | 7 | PB6 | 16 | PWRUP | | |
| +----------+------------+----------+-------+ | |
| Protocol description: | |
| On each key press, 3 configuration are sent: | |
| 0x03, 0xe6, 0x82 | |
| This is broken down as follows: | |
| 23-20 - Not used. | |
| 19 - PLL - open loop - normal | |
| 18 - not used - 0 - (doc says should be 1 ??) | |
| 17 - Pre_EN - preamble enabled | |
| 16 - Not used - set to 1 | |
| 15 - CRC_L - set to 1, 16-bit CRC | |
| 14 - CRC_EN - set to 1, on-chip CRC generation enabled | |
| 13 - Burst - set to 1 - enable ShockBurst(TM) mode. | |
| 12 - OD - set to 0 - 250kbps data rate (?? 1Mbps should be more power conservative) | |
| 11-9 - set to 3'b011 - 16MHz oscillator | |
| 8-7 - set to 2'b01 - transmit at -10dB | |
| 6-0 - RF ch# - set to 7'h02 - Transmit at 2402MHz | |
| Timing (not that it matters): | |
| There are ~88us between the rising clock edges of the first bits in each configuration byte. | |
| The clock rate itself is ~500KHz | |
| Keys: | |
| For each key, 30 bytes are sent in 3 groups of 10 bytes | |
| The result is probably sent as one ShockBurst packet. | |
| The 3 groups are identical: | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x04 0x00 0x00 0xd1 (Key is the refresh button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x00 0x80 0xd1 (Key is the green dial button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x01 0x00 0xd1 (Key is the red hangup button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x04 0x00 0xd1 (Key is the 1 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x08 0x00 0xd1 (Key is the 2 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x00 0x40 0xd1 (Key is the 3 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x20 0x00 0xd1 (Key is the 4 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x40 0x00 0xd1 (Key is the 5 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x02 0x00 0xd1 (Key is the 6 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x01 0x00 0x00 0xd1 (Key is the 7 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x02 0x00 0x00 0xd1 (Key is the 8 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x10 0x00 0xd1 (Key is the 9 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x08 0x00 0x00 0xd1 (Key is the +/* button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x10 0x00 0x00 0xd1 (Key is the 0 button) | |
| 0x01 0x10 0x05 0x0f 0xa9 0x00 0x00 0x80 0x00 0xd1 (Key is the # button) | |
| The first 5 bytes are probably a 40-bit address that may be different on other remote units | |
| The next 4 bytes are a one-hot 32-bit number identifying the keys. This is because when multiple keys are pressed, more than one bit may be set. | |
| The last byte is fixed 0xd1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment