More 433MHz Fan Fun: Bunnings Arlec Fan Remote
More 433MHz Fan Fun -- Bunnings Arlec Fan Remote Reverse Engineering
I've done some more reverse engineering along the same lines as my previous post, but this time in a way that's much more likely to be useful for other people -- this is the main currently-available 433MHz remote control fan controller from Bunnings, the national hardware chain.
Specifically, I REed this product: https://www.bunnings.com.au/arlec-remote-control-ceiling-fan-kit_p0101918
I used the same technique, taking an IQ recording from GQRX with an RTL-SDR tuned to 433.9MHz, then opening it with Universal Radio Hacker, and adjusting the auto-detected parameters slightly until the repeated messages all decoded exactly the same. Then, I used URH's analyser to try substitution for the sequences -- this time, I didn't have different length symbols, and the sync sequence was made of valid high-level symbols, so the built-in substitution tool worked fine.
ASK (Semi-decoded) Captures
Message: light on 1000100010001000100011101000111010001110100010001000100010001110100010001000100010001000111010001
Preamble: 10001000100010001000
Rest: 11101000111010001110100010001000100010001110100010001000100010001000111010001
Message light off 1000100010001000100011101000111010001110100010001000100010001110111011101110111010001000100010001000
Rest: 11101000111010001110100010001000100010001110111011101110111010001000100010001
MESSAGE: 111110101011111000001111
Timing
440µs per bit pulse.
RC Switch symbols
Sync: 0000000000000 (No real sync apart from long leading zeroes).
Symbol 1: 1000 (Aka [1, 3])
Symbol 0: 1110 (Aka [3, 1])
Message structure
| Bits | Purpose |
|---|---|
11111 |
Sync/preamble |
010 |
Model number? unknown |
XX XX XX XX |
Address formatted in 0=11;1=10, MSB-LSB bit order |
XXXX |
1111= something on; 0000= all off ? |
XX |
Fan mode |
X |
Light mode |
XX |
Probably timer mode, not confirmed |
Decoded Commands
| Command | Message |
|---|---|
| Light on | 11111 010 10111110 1111 11 0 11 |
| All Off | 11111 010 10111110 0000 11 1 11 |
| Fan High/on | 11111 010 10111110 1111 00 1 11 |
| Fan mid | 11111 010 10111110 1111 10 1 11 |
| Fan low | 11111 010 10111110 1111 01 1 11 |
| Timer settings | Haven't captured yet... |
Addressing
There's a sub-encoding for the address! Each DIP switch bit becomes 2 bits of RC sequence (or you could say, becomes the even bits in an 8 bit sequence). Probably just to expand 4-way DIP switch to 8 available bits. Maybe odd bit lines are just grounded? Also the LSB-MSB DIP switch swaps order when it comes to the packet (MSB-LSB).
| DIP Switch | ID field |
|---|---|
0000 |
010 11 11 11 11 |
1000 |
010 11 11 11 10 |
0100 |
010 11 11 10 11 |
0010 |
010 11 10 11 11 |
0001 |
010 10 11 11 11 |
ESPHome Config
Here's some snippets of how to use ESPHome to transmit these codes!
remote_transmitter:
pin: GPIO4 # Or any output hooked up to a 433MHz transmitter data pin.
carrier_duty_percent: 100% # Disable high-freq modulation that's used for IR.
# Just an example that uses a button in home assistant interface -- you can change this to anything that takes a template "then:"
button:
- platform: template
name: Test Remote
id: button_remote
# Optional variables:
icon: "mdi:remote"
on_press:
then:
# Light toggle
- remote_transmitter.transmit_rc_switch_raw:
code: '1111101010111110111111011' # The bit sequence assembled with the preamble, model, address, on/off, fan, light, timer bits above.
protocol:
pulse_length: 220 # For some reason the pulses come out double the length?? actually 440us. I think this was a specific ESPHome version bug
#sync: [1, 30] # The default sync is fine, it just needs some leading zeroes
zero: [3, 1]
one: [1, 3]
inverted: false
repeat:
times: 5
wait_time: 0ms