Did you ever wonder what those remote control signals being sent to your TV, VCR, garage door opener, or ceiling fan look like? This article will show you how to capture them on a PC with some simple probes you can easily build with less than $5 in parts, and a remarkable piece of freeware that turns the PC into a pretty fast 8-channel digital logic analyzer. The probes described are not long range receivers. They must be held close to the transmitter to pick up a signal. But the RF Probe has been tested over a range of frequencies from 27 MHz to over 470 MHz, and the IR Probe will show you infrared carrier frequencies well above those used by most consumer product remote controls. You can measure carrier frequency, pulse spacing, burst on and off times, message repeat intervals, etc., everything you could want for identifying, decoding, or duplicating remote control signals.
By Tommy N. Tyler Revised February 19, 2005
The probes must be connected to a parallel port (sorry, it's just not possible to do this with a serial or USB port) and the software runs under Win95/98/ME/2000/NT/XP. No special skills, experience, or equipment involving radio frequency are necessary, nor is any tuning involved. The RF Probe is passive, so there are no FCC issues. About the only thing it won't tell you is the RF carrier frequency, but there are other ways to find that out. The IR Probe is especially easy to build, consisting of only a 25-pin parallel port connector, a 3-wire cable, and one other component. This probe is unlike the ubiquitous IR-demodulator receivers found in many published articles. It actually sees the raw signal being transmitted, right down to the individual LED pulses.
Construction of the RF and IR Probes is described separately because so many readers will be interested in only one or the other. But there's also a section showing how to combine them both into one "universal" probe. And for those interested primarily in the logic analyzer there's a section suggesting how to make 8-channel TTL logic level probes as well as other input devices.
2. BUILDING THE RF PROBE. The parts list in Figure 1 gives Mouser part numbers (www.mouser.com) because they have all the parts. Radio Shack has everything except the 1N34A diode and the 100pf capacitor.
| ITEM | DESIGNATOR | DESCRIPTION | QTY | MOUSER STOCK NO. | PRICE |
|---|---|---|---|---|---|
| 1 | U1 | Quad Op Amp, LM324AN | 1 | 512-LM324AN | $.36 |
| 2 | D1 | Germanium Diode, 1N34A | 1 | 526-1N34A | .41 |
| 3 | R1 | Resistor, 1M | 1 | 291-1M | .70 (10) |
| 4 | R2, R3 | Resistor, 10K | 2 | 291-10K | .70 (10) |
| 5 | C1 | Capacitor, 100pf / 50V | 1 | 75-1C10COG101J050B | .21 |
| 6 | C2 | Capacitor, 0.1 / 50V | 1 | 75-1C10X7R104K050B | .14 |
| 7 | --- | DB25 Male Plug | 1 | 156-1225 | .99 |
| 8 | --- | DB25 Hood | 1 | 156-2025 | .65 |
| 9 | --- | 3-conductor cable | 6 feet | --- | --- |
Figure 1. Parts List for RF Probe
Electronics hobbyists can probably find most of these items in their junk box, with the possible exception of item 2. That diode is one of the vintage RF detector diodes that have been used in crystal radios since we were all just kids. You can find them on the internet and at eBay, but I couldn't find them in the Digikey or Jameco catalogs.
In addition to the parts listed, you'll need a small piece of prototype board. Mouser's smallest piece (589-7100-45) costs about $4.50. Radio Shack has three different sizes (276-1394, 1395, and 1396), the smallest of which costs less than $3. Hopefully you can scrounge up a small scrap somewhere, to keep the total parts cost under $5.
If you don't have 1/4 watt resistors there's plenty of room for using 1/2 watt instead. Capacitor C1 can be almost any type and voltage rating, but do not substitute a value other than 100pf. The value of C2 is not critical. If you order some parts from Mouser, consider that since you're already paying shipping charges for nickel and dime parts you may as well include some spares for contingencies. For example, the glass germanium diodes can chip if handled improperly, particularly by bending the leads too close to the body. Construction of the Probe is not critical. I've even built these on solderless breadboards. If you don't have any 3-conductor cable you can just twist three pieces of hookup wire together.
Figure 2. Board Preparation and Antenna Installation
The RF Probe is built on a perf board paddle 1" wide x 4" long, as shown in Figure 2. In this and other illustrations the upper view shows the top (component) side of the board, and the lower view the bottom (solder) side. Six holes at one end are enlarged with a 1/16" diameter drill, to provide strain relief for three cable wires.
Notice in Figure 2 how the wire antenna is installed. For this you'll need a piece of #20 (preferred) or #22 gage bare buss wire about 8 inches long. Stretch the wire between two pairs of pliers to straighten out any kinks, then weave it through the board to form a rectangular loop as shown. Pull the wire tight to keep it snug against the board, then hook the ends back and cut off all but enough to hold the wire in place.
The RF Probe needs only one of the four amplifiers provided by U1. That leaves 9 of its 14 pins unused. I prefer to just remove the unused pins as shown in Figure 3, so they don't stick through the board and get in the way. The cleanest way to do this is to bend them up and down a few times until they break off close to the sides of the IC.
Figure 3. Removing Unused Pins of U1
A socket is not necessary for U1 because the IC is not very static-sensitive, and the wiring is so simple that even in the unlikely event you have to replace it for some reason there's not a lot of unsoldering to do. Insert U1 and bend its five pins over against the bottom side of the board, as shown in Figure 4. Note that pins 1, 2, and 3 are bent toward the antenna end, while pins 4 and 11 are bent toward the cable end.
Figure 4. Installation of U1
Placement of the remaining components is shown in Figure 5. All interconnections can be made by using just the component leads. Observe the polarity of diode D1. Solder all points where wires are shown touching.
Figure 5. Completed Board Assembly
You will need about six feet of cable with at least three conductors. Almost any size and type will do. If you use a shielded pair, connect the shield where the black wire is shown. Threading the cable wires through the enlarged holes is not essential, but does provide an excellent strain relief.
3. POWER SUPPLY CONSIDERATIONS. The RF Probe draws only about 1 milliamp of current, which can safely be "stolen" from one or more unused output pins of the parallel port. In our case, the available unused outputs of the PC connector are the seven lower order data bits (pins 2 through 8) and the four control signals (pins 1, 14, 16, and 17). All these pins are left in the high state (+5 VDC for desktops, +3.3 VDC for laptops) by the software we will be using, but they have a certain amount of internal resistance which will cause a voltage drop when they are delivering current. Since there is no standardization on the internal circuits used with parallel ports we must make a few simple tests to be sure the pin we select "has the balls" to do the job.
Figure 6. View of Parallel Port Receptacle
To measure the internal resistance of an unused pin you'll need a voltmeter, a 1K resistor (any wattage), and a couple of small straightened paper clips to use as probes. Connect one probe to the negative lead of the voltmeter and insert it into pin 25 of the port connector. (See Figure 6.) That's your ground reference. Connect the other probe to the positive lead and insert it into an unused pin. Write down the voltage measurement as V1. Then connect a 1K resistor between the probes (which will cause the voltage to drop slightly) and write down the new value as V2. Calculate the internal resistance in ohms as 1000 x (V1 – V2) ÷ V2.
Example #1: Suppose you measure 5.05 volts on pin 2, and it drops to 3.44 volts when you connect the resistor. The internal resistance is 1000 x (5.05 – 3.44) ÷ 3.44 = 468 ohms.
Example #2: Suppose you measure 3.36 volts on pin 1, and it drops to 3.25 volts when you connect the resistor. The internal resistance is 1000 x (3.36 – 3.25) ÷ 3.25 = 34 ohms.
An internal resistance of around 470 ohms is quite common for older PC's. Newer computers usually comply with the IEEE 1284 standard for Level 2 devices, and have lower internal resistance so they can drive longer cables. But the values can be all over the map. My desktop has 470 ohm data pins and 27 ohm control pins, whereas my laptop has 33 ohm data and control pins. Connect the red (power) wire to the lowest resistance pin you can find, connect the black (ground) wire to pin 25, and connect the white (signal) wire to pin 9.
If all you can find in a 5 volt computer are 470 ohm pins, just one of those is still adequate for our application. The output voltage drop for a 1 milliamp load will be (470 ohms x 0.001 amps) = about 1/2 volt. That leaves 4.5 volts for the Sensor, which is plenty. For a 3.3 volt computer, if pin 1 does not have less than 100 ohms internal resistance you will have to use a couple of batteries to power the Sensor, but that's extremely unlikely.
It's not necessary to enclose the sensor in any kind of a package. Just hold it so your fingers don't touch the wiring on the antenna side of U1. If your soldering skills aren't professional and you want to hide the "ugly" stuff, consider wrapping the paddle with black plastic electrical tape. You might first cover it tightly with paper or material from a plastic bag, so that it's easier to remove the tape in case you ever have to repair the unit.
Another way to package the paddle is to paint it with several coats of "liquid vinyl electrical tape", available in 4-oz. cans from Home Depot and other building supply stores.
4. BUILDING THE IR PROBE. The IR Probe is so simple that it doesn't need a parts list or construction details. It consists of only one 78¢ component and a cable to the parallel port connector. The component is a Fairchild QSE156 OPTOLOGIC© integrated circuit, Mouser's Stock Number 512-QSE156. Unlike other widely used IR demodulator IC's, this device responds to individual LED pulses instead of a specified carrier frequency. It consists of a side-looking infrared photodiode, a high gain amplifier with Schmitt trigger output, and an internal voltage regulator, all molded in dark red epoxy that shields the detector from visible light wavelengths. It is sensitive enough to pick up remote control signals from several feet away in dim light.
Figure 7. Wiring of IR Probe
Figure 7 shows how the IC should be wired to a male 25-pin connector that plugs into your PC's parallel port. This probe also needs no enclosure. When soldering the IC to a 3-conductor cable, use 1/16 inch heat shrink tubing on each lead, then cover all three wires and about half of the IC with a few inches of 1/4 inch heat shrink. This will provide you with a very neat, side-looking probe smaller than a pencil eraser.
The IC draws about 3 milliamps, compared to 1 milliamp for the RF Probe, so closer consideration is necessary for selecting a power source. If your computer has an unused pin with 100 ohms or less resistance, that's all you need. But if it has only 470 ohm pins you'll have to parallel several of them to allow for a larger voltage drop at the higher current, plus voltage drop of the diodes required to safely isolate the pins from each other.
You'll need four diodes. Although 1N4148 signal diodes will probably work, a better choice with lower voltage drop is 1N5817 or 1N5818 Schottky diodes, available from Mouser for about 14¢ each. Connect the un-banded (anode) ends of the diodes to pins 1, 14, 16, and 17 of the parallel port connector, and connect the banded (cathode) ends together to the red wire. Make sure nothing can short out inside the connector hood.
5. OVERVIEW OF THE SOFTWARE. The program that allows us to display signals picked up by the probes is a digital logic analyzer application called DigiTrace. It is available from an obscure little company in the Netherlands that shows no signs of life. The opening page of the web site says it was last changed June 22, 2000, the Visitors counter never increments beyond 30733, some of the links don't work, and efforts to communicate with the site have gone unanswered. The good news is that the download server is alive and works flawlessly.
The software itself is somewhat of an enigma. Although it shows its European origin, and has a few idiosyncrasies and one minor bug, it achieves a seemingly impossible feat for a Windows application: sampling inputs at speeds approaching 1 Megasamples per second without resort to external hardware. Even with its "warts" the program is amazing. It is extremely stable, and runs on any parallel port address under Win95/98/ME/NT/2000/XP. It's also very compact (written in Borland C++), and there's no elaborate installation required. You just load it and run.
Basically, the DigiTrace program samples all eight data pins of a parallel port at very high speed and displays the captured data on the screen like an 8-channel storage oscilloscope. Once triggered by a transition on the channel of your choice, the program records data at up to 1,000,000 samples per second (typically 700,000 per second, depending on the speed of your PC). The total number of samples is limited to 32,768, but you can increase the recording time by reducing the sampling rate. You can also save recordings and reload them for examination later. To record data from an RF or IR Probe we use only one channel and ignore the other seven.
To achieve its high sampling rate, DigiTrace uses direct access to the parallel port from within Windows. With Win9x this is not a problem, but WinNT/2000/XP will cause an exception (Privileged instruction) if an attempt is made to access an IO port that a usermode program is not privileged to talk to. To get around this problem there is a device driver (porttalk.sys) that can be used in conjunction with a utility (allowio.exe) to grant DigiTrace exclusive access to the parallel port it's using.
6. DOWNLOADING THE SOFTWARE. To download the software click here. The program downloads as a 521K zip file called DigiTrace_zip.zip, and unzips to three files:
Digitrac.exe 696KB Application
borlndmm.dll 30KB Application extension
cp3240mt.dll 974KB Application extension
Put all three in a folder of your choice. If you'll be using WinNT/2000/XP there's some additional software to download. Go to www.beyondlogic.org and click on Device Drivers > PortTalk. Scroll down to Downloading the . . . Programs and click on Version 2.2. The package downloads as a 67K zip file called porttalk22.zip, and unzips to five folders and seven files. You can throw away all but porttalk.sys and allowio.exe. Put porttalk.sys in your Windows\System32\Drivers folder, and put allowio.exe in the same folder with Digitrac.exe.
7. OPENING THE PROGRAM. No installation or setup is required. For Win9x the application is ready to go, right from the download. But if you try to run the executable with WinNT/2000/XP you'll get a couple of Privileged instruction error messages and lock up the PC. You'll have to use Task Manager to close the program so you can start over.
Here's a simple way to open DigiTrace in WinNT/2000/XP: Create a desktop shortcut to Digitrac.exe, select Properties, and change the Target line to read:
8. GENERAL OPERATION OF DIGITRACE. This section will give an overview of the various controls and options provided by the DigiTrace user interface. Later we'll describe how to test your new Probe, troubleshooting, and show some examples of how these features can be used to record and measure data, including details of how to work around the only serious bug found in the program.
Figure 8. Opening Screen Display for DigiTrace
Figure 8 shows the main display, with a horizontal box for each data channel numbered 1 through 8 from top to bottom. The main display actually initializes with a black background and green data traces, like an oscilloscope, but you can change these colors to whatever pleases you. The horizontal lines about 1/16 inch above the bottom of each box represent the reference level for a data input of "Ø". A data input of "1" would move the trace to about 1/16 inch from the top of the box. The initial display is just a default, and won't show anything meaningful until the first record is made, even if the data is changing at the inputs.
A "record" consists of a large number of samples of all eight data inputs, taken at a chosen sampling interval. Once the recorder is "armed", the start of a record is initiated by any transition of input level on the selected trigger channel, either low to high or high to low. Once triggered, sampling proceeds without interruption. Only after all samples are taken is the data displayed in the form of a timing chart, with time increasing from left to right across the screen.
Referring to Figure 8, Length indicates the span of time between the left and right edges of the display, in either microseconds or milliseconds. The Zoom buttons allow you to expand or compress that over a range of 4,096 to 1. Each click on the Zoom + or ─ buttons halves or doubles the Length displayed, up to 12 clicks. At minimum zoom the screen Length is 24,576 samples, and at maximum zoom it is just six samples.
The screen will show only part of the data at one time, and the scroll bar enables you to move throughout the overall record. Clicking on either end of the scroll bar moves the view left or right by the Length of the display, and clicking on an arrow moves it one sixth of the Length. To keep track of where you are while scrolling, Start shows the location of the vertical line at the left of the screen. The beginning of a record is, by definition, zero time, and the Start time is referenced to that.
If you click on Settings in the tool bar it opens the Sample settings window shown in Figure 9.
Figure 9. Sample Settings Window
Trigger Channel -- Selects which data channel's activity will trigger a record. It should be set at 8, the channel number our Probe is connected to.
Pre trigger delay -- The amount of time (in microseconds) the chosen trigger channel must remain inactive before a transition will trigger a record. It's not important for our application, and can be left set at 1000.
Sample size -- The total number of samples that will be recorded. For most of our work we want all the samples we can get, so this should be set to the maximum value of 32768.
Foreground and Background Color -- Clicking on these brings up the familiar color palette for selecting colors of your choice.
Win2000 -- You can ignore this box. A checkmark is placed there by DigiTrace to confirm that Win2000 was automatically detected at start up.
Input Port (Hex) -- Set this to your chosen LPT port, 278, 378, or 3BC.
Granularity -- An unfortunate choice of terms. Think of it as the basic "sample clock" interval. When DigiTrace starts up, it measures the response time of your specific hardware and calculates the minimum amount of time required to fetch and store a sample when sampling as fast as it can. That is the smallest amount of time that can be resolved in a data stream, and it calls that Granularity. The value is shown in the box for your reference. In my tests Granularity varied between 1.48 and 1.54 μs during different sessions when using a 450 MHz P3 desktop running Win98, and 1.26 to 1.27 μs when using a 1.8 GHz P4 laptop running WinXP Pro. I'm not sure what causes it to vary from one session to another when using the same computer. But either of these is fine enough resolution to catch individual blinks of an LED flashing at 60 KHz or faster. The value of Granularity determined by DigiTrace cannot be changed manually.
Sample period -- The value in this box determines the actual sampling rate. For any value "n", DigiTrace takes one sample every (n + 1) clock cycles (granularity intervals). For example, if the value in the box is "0", DigiTrace takes a sample every (0 + 1) = 1 granularity interval. For a granularity of 1.48 μs the actual sampling rate is therefore 1 ÷ 1.48 μs = 676,000 samples per second, which would be the fastest rate available with that particular computer. If the value in the box is "4", DigiTrace takes one sample every (4 + 1) = 5 granularity intervals. So for a granularity of 1.48 μs the samples are taken every (5 x 1.48 μs) = 7.4 μs, and the sampling rate is 1 ÷ 7.4 μs = 135,000 samples per second.
You can see how this parameter can be used to obtain longer records. In the examples above, at the fastest sampling rate a complete record lasts (32,768 samples ÷ 676,000 samples/second) or about 48.5 milliseconds. At 135,000 samples/second it lasts nearly a quarter of a second.
Click on OK to close the Sample settings window and see any new color selections. Changes other than colors will not take effect until a recording is made. When you exit the program these settings (alas, all except colors) are saved automatically to a file named digitrac.ini, and retrieved at the start of the next session.
The Stats button is a tool that can be used for counting pulses. It creates a file named stats.txt that shows, for each channel, the total number of transitions that occurred within a marked interval.
The Sample button is another poorly named control. Think of it as the "Record" button. When you click on it the button label changes subtly from black Sample, to grayed-out Sampling. That (plus a dead mouse and keyboard) are the only indications you have that DigiTrace is armed and ready, waiting to record a transmission from a remote control. As I said previously, DON'T click on Sample until you have a working Probe plugged in that can provide data. I can't overemphasize the single-mindedness of your PC while waiting on a trigger event, once armed. To be ready to take samples at blazing speed, DigiTrace doesn't have time to watch for interrupts from the mouse, keyboard, a timer, or any other abort signal. The mouse is frozen, and nothing works on the PC until DigiTrace sees a transition on the trigger channel.
When the Continuous box is checked the program delays about one second after completing a recording, then automatically re-arms itself for another without your having to click on Sample. This can be handy for comparing two different remote control buttons by zooming in on the area of interest, then alternately pressing the two different buttons while watching the data pattern change back and forth. To start Continuous recording just check the box before pressing Sample. To stop Continuous recording is quite another matter. You must first click on the box to remove the check, then click on Sample before the program rearms itself. Since the only time you can move or click the mouse is during the 1-second intervals right after DigiTrace is triggered, you have to keep repeating transmissions from a remote to keep re-triggering it so that you keep getting opportunities. It can be challenging.
Mark1 and Mark2 are two time marker lines that can be placed on the screen with the left and right mouse buttons, for making precise time measurements. Delta shows the time between these two markers. Actually, you can often decode remote control buttons just by looking at the relative data patterns with DigiTrace, without bothering with absolute time measurements. But sooner or later you are going to want to know an infrared carrier frequency, how long a burst lasts, the time required for a complete message, how often messages repeat, etc., and that's where the markers come in. Once placed, the markers remain fixed in time while scrolling or zooming, and even when a new recording is made. You can't drag a marker. Move it by clicking on the new position. If you position Mark2 to the left of Mark1 the value of Delta will be negative.
There is a nuisance problem with the markers. As long as you keep the same overall record length, the markers remain valid from one recording to the next, even while scrolling or zooming. But if you change the record length while there are markers in the display (by putting a new value in Sample period), DigiTrace neglects to update the markers to the new time scale when the next recording is made. The relative location of a marker on the screen and its indicated time value are simply left as they were on the previous recording. Of course as soon as you click the left or right mouse button anywhere along the data, the marker immediately jumps to that location, with a new time indicated. So it's only a problem if you forget to reposition the markers the first time you use a new record length.
9. TESTING YOUR NEW SENSOR. Now for the moment of truth. To save time, double check to be sure you have configured DigiTrace with the correct port address and trigger channel. This is not a very tolerant program for "trial and error" searching for that information, for reasons explained previously. For most PC's, LPT1 is at hex address 278, LPT2 is at 378, and LPT3 (if available) is at 3BC.
Plug in your RF or IR Probe and click on the Sample button in the DigiTrace display to arm it. Point a remote at the Probe and make a transmission. For an IR remote, point the LED(s) toward the lens of the Probe from a distance of a few inches. Avoid high ambient light shining on the Probe. For an RF remote, hold the "transmitter end" of the remote (invariably the front end) close to the antenna loop on the Probe.
Figure 10. Example Showing Recording of Signal from Stanley Garage Door Opener
You know everything is working when you see the Sampling button change back to Sample as soon as you transmit. If you don't see data pulses on the screen at first, don't panic. Click on the Zoom ─ button to expand the display until you begin to see data pulses, as in Figure 10. Once you see that, life will never be the same. Put these instructions aside for an hour or so while you play around with DigiTrace and have a little fun.
10. IN CASE OF PROBLEMS. If you can't get the remote to trigger a recording you'll have to use Task Manager to shut down the program so you can try again. It's pretty easy to find out if the problem is hardware or software related. The first test you should make is to arm DigiTrace, then momentarily short the white and black wires of your Probe, if you can still get to them. Otherwise, unplug the PC connector and momentarily short pins 9 and 25. If either of these tests triggers a recording there must be a problem with your Probe. Go back through the instructions and recheck your construction. If grounding pin 9 of the port connector doesn't trigger a recording, recheck your DigiTrace configuration in the Sample settings window. Make sure the Trigger Channel is set on 8 and the Input Port (Hex) address is correct. You may have to check the port configuration of your PC to make sure you have the right address and that there are no conflicts with other devices. If you are trying to use a laptop that has no parallel port by using a USB-to-parallel adapter, forget it. That will never work with this application.
11. WORKING AROUND THE TIMING BUG. Although DigiTrace may have a few quirks and idiosyncrasies, the only serious bug is that it displays incorrect times for Mark1, Mark2, and Delta whenever you select a value greater than 0 for Sample period in order to obtain longer records. This is easy to compensate for once you are aware of it. You simply multiply those measurements by a correction factor of [(n + 1) ÷ n], where n is the value indicated in the Sample period box. This can be demonstrated by using an example.
Figure 11. Recording of Sony TV Remote POWER Button
Figure 11 shows the initial screen captured from a Sony TV remote control transmitting its POWER button signal. The Sample settings window showed the Granularity to be 1.54 μs. The Length of the display happens to be 147.84 μs in this example only because DigiTrace always initializes with the screen zoomed in just four steps shy of maximum, and we haven't changed that since opening the program. Whenever you change the zoom setting it stays at the new value when you make new records, until changed again.
The signal you see corresponds to individual LED pulses during the opening burst of the transmission, before the start of data bursts. The signal goes high when the infrared LED is on, and low when it is off. You can count pulses or measure the time from the start to stop of a burst with confidence, but measurement of individual pulse widths or duty cycle is meaningless. For one thing, the resolution is not good enough. Sony uses a 40 KHz carrier frequency. If the duty cycle were 50% (which it isn't) each pulse would be about 12.5 μs, which is only eight samples (Granularity intervals) at our highest resolution. That alone means a possible error of ± 12%.
But a bigger reason for disregarding pulse width is that the optical threshold level of the Probe is affected too much by signal strength and ambient light to reliably detect the precise moment an LED turns on or off, even though the Probe is very reliable at catching all the pulses. You can demonstrate this by making a record with the remote held fairly close to the probe, then back off about a foot and make another record, and so on. You'll see there's a usable range where pulses are not missed entirely, but even within this range the duty cycle of the pulses varies considerably from one record to another. Fortunately, individual pulse width or duty cycle isn't critical. An infrared receiver looks primarily for the right carrier frequency, and the data content lies in the burst duration or spacing, not the individual pulses.
Figure 12. Recording of Sony Signal After Zooming Out
Figure 12 shows the same record after we have zoomed out to get a better look at the opening burst. After clicking the Zoom ─ button five times we're looking at the first 4.73 ms of the record. Now you can make out the start and stop of the first two bursts of the transmission, even though the individual carrier pulses are at about the limit of resolution of the video display. As an exercise, let's measure the off-time between those bursts.
Figure 13. Preliminary Placement of Markers Between First and Second Bursts
In Figure 13 we've used the left and right mouse buttons to place Mark1 close to the falling edge of the first burst, and Mark2 close to the rising edge of the second burst.
Figure 14. Zooming In to Adjust Markers
Now we'll zoom in about six clicks to place the markers more accurately. In Figure 14 we have scrolled over until the Start value is close to the Mark1 value, and Shazam! There's our Mark1. Use the left mouse button to reposition it as close to the last pulse as possible. Note that the value indicated for Mark1 drops from 2.45 ms to 2.42 ms when we do that. Next we zoom over until the Start value is about the same as Mark2, and similarly reposition that marker with the right mouse button.
Figure 15. Readjusting the Left Marker While Zoomed In
Figure 16. Zooming Out to See Both Markers Again
In Figure 16 we have zoomed back out to the original scale. If you compare this with Figure 13 you'll see the markers do appear closer to the burst edges, and the width of the off-time (Delta) has changed from 614.46 μs to 626.78 μs. To be honest, we've only improved our measurement of off-time by 2%, which isn't worth all that zooming and scrolling because remote control systems are not that precise. This was just an exercise to show how the zoom and scroll features can be used with the markers to improve measurement accuracy.
Figure 17. Zooming Out to See Entire Message
In the upper illustration of Figure 17 we've zoomed all the way out to look at the overall picture. At this scale the carrier pulses blend together so that you can easily make out the on-bursts as solid bars. The upper illustration shows the start of the record and you can see all of the first message but none of the second. Notice that our markers are still on the edges of the first off-time space, demonstrating that the markers remain valid when you change zoom. In the lower illustration we have scrolled over to the end of the record and repositioned Mark1 and Mark2 to mark the space between the first and second messages. Delta indicates that the separation between messages is 26.82 ms.
Figure 17 is a textbook example that illustrates several characteristics of many infrared remote control signals. First, note that the initial burst (often referred to as the "lead-in") is longer than any other. Second, notice that all the off-times are the same, whereas there are two distinct widths of on-times. That tells you the on-times represent the data bits, although you can't tell whether the "fat" ones are the "1s" or the "0s". With some protocols it's the other way around. The on-times are constant and the off-times represent the "1s" and "0s". In either case, you can't tell by looking at one message whether the serial order of the data bits is MSB first or MSB last. Finally, notice the unusually long off-time following the message. That makes it easy for the receiver to distinguish the end of one message string and the start of another.
But with this record we can't tell whether the second message is an exact duplicate of the first, and whether it repeats just once or keeps repeating as long as the transmit button is held down. (All these factors vary from one manufacturer's protocol to another.) We need a longer record. If we doubled the record length by placing a "1" in the Sample period box we would probably be able to see all of the second message, but to make sure we can see if the message keeps repeating let's stretch it out a little more by setting the Sample period to "3" and holding the POWER button down for a full second.
Figure 18. Sony Record With Sample Period Set At "3"
Figure 18 shows the result. The values shown for Length and Start increased three times OK, but look at those red markers! They're no longer marking the space between the first and second messages where we left them, and the values for Mark1, Mark2, and Delta no longer appear to correspond with their relative positions. The first thing we'll do is scroll back to the beginning and reposition the markers between the first and second messages.
Figure 19. Repositioning Markers on Expanded Record
Figure 19 shows the record after repositioning the markers. Delta now says the space between messages is only 19.87 ms, whereas we know from the lower illustration of Figure 17 it is actually 26.82 ms. Here you see the timing bug in action. Whenever recording with a Sample period "n" other than "0" we have to multiply the values for Mark1, Mark2, and Delta by a correction factor of [(n + 1) ÷ n]. Since our Sample period is 3, the correction factor is [(3 + 1) ÷ 3] = 1.33. Multiplying the Delta value 19.87 ms by 1.33 gives 26.43 ms, which is within about 1% of the value we got with Sample period set at "0". The values for Mark1 and Mark2 must also be corrected if you want to know their true positions. Length and Start values do not require correction.
To summarize, here are the timing rules in a nutshell:
• Apply a correction factor to Mark1, Mark2, and Delta any time Sample period is other than 0.
• Update Mark1, Mark2, and Delta with the mouse whenever you change the Sample period.
The repeated messages in Figure 19 may appear to be slightly dissimilar, but that's caused by limitations in screen resolution of the PC, not the actual data. Zooming in will show they are identical. Incidentally, one of the easiest ways to compare two different records or two portions of the same record is to open a second session of DigiTrace along side the first. They'll operate independently while sharing the same Probe. When you arm one, it will record the next transmission while leaving the other unaffected, and vice versa. You have to see this to believe it.
12. SAVING AND PRINTING RECORDS. DigiTrace will save any record to a location of your choice as a 32KB binary file with an extension of .dgt. This is a proprietary format, so all you can do with the file is reload it into DigiTrace. The file actually consists of the hex values of the 32,768 samples, one byte per sample.
There is no print feature. If you want a hard copy of a recording you'll have to take a screen snapshot with
13. COMPARING IR AND RF REMOTE CONTROLS. Both RF and IR remotes transmit their signals by modulating a carrier on and off. This is often referred to as OOK for On/Off Keying, as opposed to Frequency Modulation (FM) or Amplitude Modulation (AM). In the case of an RF remote the carrier is a VHF or UHF signal whose frequency is usually somewhere between 27 MHz and 460 MHz. Our RF Probe demodulates the carrier to give a high output signal when it is turned on, and a low when it is off, and that's what you see on DigiTrace.
But in the case of an IR remote the carrier consists of turning an infrared LED on and off at a much lower frequency, usually somewhere between 30 and 60 kHz. Infrared receivers are usually "tuned" to the carrier frequency, and demodulate it to give an output signal that switches between high and low as the infrared carrier is started and stopped.
Some dual remotes transmit both IR and RF signals. Sometimes the demodulated RF signal is the same as the demodulated IR signal, and sometimes the RF is gated on and off with the same signal that drives the infrared LED, so that the demodulated RF looks like the IR carrier signal. The best way to tell is to examine the circuit board to see if the IR and RF drive signal originate from different pins of the processor. The response time of the RF Probe is such that it will tend to demodulate the envelope of the individual RF bursts even if the RF transmitter is being gated on and off by individual pulses of the IR carrier. Sometimes you can see this by backing the remote away from the RF Probe to reduce the signal strength to the point where it almost drops out. If the broad pulses suddenly break into groups of many smaller pulses it means the RF bursts correspond to the LED pulses.
The subject of infrared remote control protocols and decoding messages is beyond the scope of this article. But if you want to learn more about this, as well as put it to practical use, take a look at www.hifi-remote.com/forums/. This is a site dedicated to working with universal remote controls and reprogramming them to add features and enhance their operation. You'll find a ton of information, and willing help from the forum members.
14. A WORD ABOUT ACCURACY. If you want to check out the timing accuracy of DigiTrace, one method is to make a recording with a remote control for which you know the carrier frequency, and see how closely the measurement of that frequency by DigiTrace agrees. A good test model is the Sony TV remote, which has a setup code of 0000 on most universal remote controls. This Sony protocol uses a 40 kHz carrier and has a nice long lead-in burst of that frequency. Here's a way to run the test. First make a recording of any button with Sample period set at "0" for maximum accuracy. Zoom in close on the opening burst to place one marker near the center of the first carrier pulse and the other near the center of the last pulse. Now click on the Stats button, which causes DigiTrace to measure the number of transitions between the two markers. Open the 1KB text file named stats.txt in the DigiTrace folder. Channels 1 through 8 of the DigiTrace display are referred to as Ch[0] through Ch[7] in this text file. Look at the number of Changes shown for Ch[7] (our channel 8). It should be an even number around 188. Since each cycle consists of an up and down transition, divide the number of Changes by two to get the number of cycles. Divide the number of cycles by the elapsed time, shown as Delta, to get the carrier frequency. The result will probably be within a few percent of 40,000 Hz.
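The same carrier check, and the burst on/off timing read from the markers in the earlier figures, can be done directly on the sample bytes that Section 12 says a .dgt file holds. The Python below is an added example, not part of DigiTrace or the original article; the bit used for channel 8, the 2.5 µs sample interval, the marker positions, and the test signal are all assumptions constructed for the illustration.

```python
# Added example, not DigiTrace code: analyse a record laid out the way the
# article describes a .dgt file (32,768 samples, one byte per sample).
SAMPLES = 32768
CH8 = 0x80  # assumption: Ch[7] in stats.txt (display channel 8) is bit 7


def channel(record, mask=CH8):
    """Return the 0/1 level of one channel for every sample in the record."""
    if len(record) != SAMPLES:
        raise ValueError(f"expected {SAMPLES} bytes, got {len(record)}")
    return [1 if b & mask else 0 for b in record]


def count_changes(levels, mark1, mark2):
    """Level transitions between two marker positions (sample indexes)."""
    return sum(levels[i] != levels[i - 1] for i in range(mark1 + 1, mark2 + 1))


def carrier_hz(levels, mark1, mark2, interval_s):
    """Changes / 2 = cycles; cycles / Delta = carrier frequency."""
    delta_s = (mark2 - mark1) * interval_s
    return count_changes(levels, mark1, mark2) / 2 / delta_s


def bursts(levels, max_gap):
    """Group carrier edges into (first_edge, last_edge) bursts.

    Edges over max_gap samples apart start a new burst; idle polarity is irrelevant.
    """
    found = []
    for i in range(1, len(levels)):
        if levels[i] == levels[i - 1]:
            continue
        if found and i - found[-1][1] <= max_gap:
            found[-1][1] = i          # same burst: extend to this edge
        else:
            found.append([i, i])      # long idle gap: a new burst starts
    return [tuple(b) for b in found]


def timings_us(found, interval_s):
    """On-time of each burst and the off-time after it, in microseconds."""
    on = [(end - start) * interval_s * 1e6 for start, end in found]
    off = [(b[0] - a[1]) * interval_s * 1e6 for a, b in zip(found, found[1:])]
    return on, off


def make_record(on_off_us, interval_s=2.5e-6, carrier=40_000, lead=100):
    """Constructed test signal: carrier bursts on channel 8, other bits high."""
    half = round(1 / carrier / interval_s / 2)       # samples per half cycle
    data = bytearray([0x7F] * lead)
    for on_us, off_us in on_off_us:
        cycles = round(on_us * 1e-6 * carrier)
        data += (bytes([0xFF]) * half + bytes([0x7F]) * half) * cycles
        data += bytes([0x7F]) * round(off_us * 1e-6 / interval_s)
    return bytes(data[:SAMPLES].ljust(SAMPLES, b"\x7f"))


if __name__ == "__main__":
    # Constructed values: 2.4 ms lead-in, then 1.2 ms and 0.6 ms on-times.
    rec = make_record([(2400, 600), (1200, 600), (600, 600), (1200, 600)])
    lv = channel(rec)
    print(round(carrier_hz(lv, 102, 1052, 2.5e-6)), "Hz")  # markers mid-pulse
    print(timings_us(bursts(lv, 20), 2.5e-6))
```

For a real recording, pass the bytes read from the saved file to `channel()` and supply the sample interval that applies to that recording in place of the constructed 2.5 µs.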
Most of the error in this measurement of carrier frequency is caused by inaccuracy in DigiTrace's determination of Granularity. Only a small portion is attributable to the remote control itself because nearly all of these remotes use ceramic resonators for their processor clock and timing. That gives them a worst-case timing accuracy of ± 0.5 % and a typical accuracy of about ± 0.25 %. If you use DigiTrace for a project where you need greater accuracy you can derive a correction factor from the previous experiment. However, you should always take note of the prevailing Granularity when you make this determination, because DigiTrace may come up with a slightly different value the next time it opens, which would affect your correction factor. In my experience, on a given computer the program seems to have a predominant value for Granularity it usually opens with, and a second value it sometimes opens with. It must depend on what's going on within Windows at the time DigiTrace is starting up. Sometimes you can repeatedly close and reopen it until it shows the Granularity value you want. When DigiTrace is starting up, don't operate the mouse or keyboard until the JWA Logo in the opening screen disappears. That's when it's making the speed measurement, and it seems to get screwed up if there are mouse or keyboard interrupts during that critical time.
If you're doing work that demands super accuracy you can buy a tiny crystal oscillator and frequency divider combination from Mouser for a couple of bucks and use it to lay down a reference timing signal on one of the unused channels. But for working with remote controls, that's like "polishing the cannon ball". A timing accuracy of a few percent is all you need.
15. BUILDING A DUAL IR/RF PROBE. This section explains everything you need to know about combining the IR and RF Probes into one dual-purpose unit. There are several ways to do this. For example, since DigiTrace accepts eight inputs (Channels 1-8, parallel port connector pins 2-9 respectively) you can connect the output of the RF Probe (U1-1) to one channel, and the output of the IR Probe (center pin of optical IC) to another.
That approach requires a cable having four conductors rather than three. Also, you will have to remember to change the Trigger Channel number in the Settings window whenever you switch from testing an RF remote to an IR remote, and vice versa.
I prefer a method that keeps the 3-conductor cable, and never requires changing the trigger channel. This is accomplished by adding a switch on the Probe board for selecting between RF and IR remotes, so that the data is always recorded as channel 8. If you are thinking this might sacrifice the ability to study remotes that transmit both RF and IR simultaneously, that's not necessarily so. Remember, you can open dual sessions of DigiTrace, trigger on the RF signal in one session, then switch-over and trigger on the IR signal in the other. By moving the windows to line up one display with the other you can compare the two signals just as if they had been recorded simultaneously.
The RF/IR switch also provides an additional feature that I find very useful. Any time DigiTrace is armed and you can't seem to trigger it, simply changing the position of the switch (either way) will cause a transition on the data channel that should trigger the display. You can use this whenever you want to verify that DigiTrace is working properly. Best of all, it takes the misery out of having to abort a recording when you arm DigiTrace and then realize you're not ready to receive the data.
The actual details of construction of a Dual Probe are not critical, including where to mount the optical detector and the switch. But for those who would rather just follow a proven approach, here is a good way to do it.
A. PREREQUISITES. Make sure you have read all the information in Section 3 about selecting an unused pin of the parallel port connector to supply power for the sensors. A Dual Sensor is not recommended unless you can find a pin whose internal resistance is 100 ohms or less. Most newer PCs will have even less than 50 ohms internal resistance for pin 1 (the STROBE pin), and that's the pin I use.
The Dual Probe uses all the parts of an RF Probe shown in Figure 1 of the main article, plus the optical sensor IC mentioned in Section 4. You'll also need a small SPDT switch for switching between RF and IR remotes. If you are buying parts from Mouser, the best switch to use is Mouser Stock No. 10SP001, which is a sub-miniature slide switch that's about 1/4" x 1/4" x 1/2" with PC terminals, and costs 34¢. You can substitute any other SPDT switch as long as you can figure out a place to mount it. If you are desperate, Radio Shack has a small DPDT slide switch (275-407) but it costs more than $3.
If you have not already built the RF Sensor from the previous instructions, you should go ahead and do that, but stop at the point near the end of Section 2 on page 3 before you connect the three cable wires to the board. If you have already built the Sensor, unsolder and remove the red and white cable wires.
B. COMPLETING THE DUAL PROBE. If you compare Figure 20 with Figure 5 you can see the suggested location of two additional components, U2 and S1. The terminals of S1 do not fit either the hole diameter or spacing on the perf board, so you will have to enlarge three holes with a 1/16" drill. Rock the drill back and forth until the holes are just wide enough that you can insert the terminals all the way until the switch lies snug against the board. If you press the wires to the switch tightly against the board as you solder them, they'll hold the switch in place. Some additional epoxy or hot glue along the sides of the switch will also help secure it.
Figure 20. Dual Probe Board Assembly
The location shown for U2 is my own personal preference because from that point its terminals are long enough to reach the points they need to be soldered to. But the location is not critical, and if you prefer to locate it somewhere else on the board (including within the "C"-shaped loop antenna), just use insulated wire to make the connections. If you need a reminder which way to actuate the switch for RF and IR remotes, you can use a label or mark the board with a Sharpie pen.
When attaching the cable, note that the positions of the RED and WHITE wires in Figure 20 are swapped from where they were shown for the RF Probe board in Figure 5. Connect the RED (power) wire to pin 1 of the DB25 male connector (or whatever pin you are using to supply power), connect the WHITE (signal) wire to pin 9, and connect the BLACK (ground) wire to pin 25.
Now go to Section 9 and test your Probe. In case of problems it is easier to troubleshoot the Dual Probe than described in Section 10, because you should be able to trigger DigiTrace by just actuating switch S1.
16. FINDING THE TRANSMITTER FREQUENCY OF AN RF REMOTE CONTROL. Nearly all remote controls that transmit at RF/UHF frequencies are tested to comply with FCC standards to ensure they stay within prescribed limits of frequency and transmitter power. Somewhere on the product, either in a label or molded into the plastic, you will often find a statement that it complies with certain FCC rules, and a line that says "FCC ID: XXXYYYYYY". That's the FCC identification number, or simply the FCCID. The first three characters (XXX) identify the company in whose name the product is registered, and the remaining characters (YYYYYY) identify a particular file number for that specific product.
Go to https://gullfoss2.fcc.gov/prod/oet/cf/eas/reports/GenericSearch.cfm, which will open a page at the FCC web site entitled Equipment Authorization System Generic Search. Enter the first three characters of the FCCID in the Grantee Code box and all the remaining characters in the Product Code box, then click on Start Search. If you've entered the code correctly that will bring up a page showing the company's name and mailing address, the date approval was granted, and at the far right side, the operating frequency.
Over toward the left you'll see a column labeled Display Exhibits, and beneath that the words Detail and Summary, either side by side or above and below each other. Sometimes when you click on Detail it brings up a list of documents in the file that are a treasure of information. (NOTE: Be sure to click on the word Detail and not the word Summary.) A good file will often contain schematics, parts lists, photographs of circuit boards, etc. But sometimes you'll get a page that says "There are no attachments for public view associated with this application". I think that means the company has asked the FCC to keep all that information confidential so competitors and rip-off artists can't easily get their hands on it. But you can always find the frequency on the previous page.
If you make a search on just the three characters of the Grantee Code you'll get a list of all the products that company has registered. Sometimes the list goes on and on for many pages if it is a company that is very active in the remote control business (or whatever type of product they make). For example, B4S is the Grantee Code for X10 (USA) Inc. Search that code and you'll find 168 products listed. Most of those on the first 10 pages don't have any information available for viewing, but beyond page 10 most of them do. If you want to see what a typical good file looks like, go back to the search page and enter Grantee Code B4S and Product Code BT30A. When the file list comes up, click on the View Attachment icon in the left column for any item you want to see.
Unfortunately, even if you know the Grantee Code there's no way to "reverse" search for an FCC file using the product model number because the Product Code seldom gives any clue as to what product it applies to.
17. USING THE LOGIC ANALYZER WITHOUT THE PROBES. At the JWA site (www.xs4all.nl/~jwasys/old) near the bottom of the page from which you downloaded the application program, there's a section on Hardware that shows two methods the designer used to interface a PC for general purpose logic analyzer work with digital circuits. One uses a 74HC245 chip to interface the eight data lines so that the PC is pretty well isolated from any dangerous external circuits. The other is just a passive cable with direct inputs on each of the eight lines. Either of these approaches will work with standard TTL voltage levels on the inputs. If you're familiar with digital logic devices you undoubtedly can think of many kinds of interface chips other than the 74HC245 that can be used for this application. Since the data lines all have weak pull-up resistors, any device that pulls them to ground, such as NPN transistors with open collectors, can be used with DigiTrace. If you want a first hand demonstration of what the term "switch bounce" means, connect any mechanical switch (other than a mercury switch) between pins 9 and 25, arm DigiTrace, and then open or close the switch. The resulting record is very enlightening.
18. SCHEMATIC OF RF PROBE.
Figure 21. Schematic of RF Probe
Wednesday, March 26, 2008
Hacking Remote Control Signals