The reverse engineering of the protocol of the panel from the invertor Electrolux conditioner

In this article I will describe my experience and the main stages of studying the IR remote from the air conditioner. From the tool you will need Arduino nano on mega328 and a receiver of IR signals (I have VS1838B).


To begin with, I wrote a code that reads the duration of the signal from the IR receiver in the low and high states, writes them to the array, and then outputs them to the computer port.


After pressing the button of the air conditioner remote control, the following data came to the port:


We can notice that all odd numbers are the same (except for the starting pulse) and can be ignored. Further, the interrupt code had a rather if condition (digitalRead (2) == 0) which discards the duration of the low state at the controller input.

 void inter_1() { timerValue = (unsigned int)TCNT1L>>1 | ((unsigned int)TCNT1H << 7); //   if (digitalRead(2)==0) { data_m[i]=timerValue; i++; } TCNT1H = 0; //   TCNT1L = 0; } 

In general, the program works as follows: a timer-counter is started with a division factor of 8 (this is one of the standard dividers provided by the MC), and when the state of input D2 changes, an interrupt is performed - the function void inter_1 (). In this interrupt, the value of the timer-counter is read and divided by 2, after which it is written to the array, and the timer itself is reset. The timer counter operates with a frequency of 8 times less than the clock frequency of the MK (16 MHz) i.e. 2 MHz and to get the time in microseconds, the number read from the counter must be divided by 2. In the main body of the program, the timer overflow flag is checked and if the timer counter is full, i.e. counted up to 65535, the counter of the accepted intervals is checked. If it is not 0, all received data is output and the byte count is reset. New data looks like this:


From the data obtained it is clear that the first number is random — this is the time from the last overflow of the timer, before the start of the sending. Further, the starting pulse is 4.5 ms and data. Data is transmitted bit by bit, where an interval of approximately 1690 μs corresponds to a logical one, and an interval of 560 μs corresponds to a logical zero. It is also seen that the parcels are divided into 3 separate parts, where 50 = 7970 and 115 = 7966 are the starting sequences.

Add in the code the function of forming bytes and a small decoding of the received data. I wrote the last line right at the very end, but not producing the same almost code.


It is worth noting that the size of the arrays fit my console, to explore the new console, they should be expanded so that everything fits. It is also worth checking the number of bits in the parcels, for example, I have 50-2 = 48 first parcel, 115-51 = 64 and 172-116 = 56 (I subtract numbers from the last insignificant bit, the first significant one). Total we get 6 bytes 8 bytes and 7 bytes. Since all 3 parcels are of different lengths, I decided to designate the end of the parcel with FF values, since such data are almost not found in the tested console.

As I already mentioned, my air conditioner has the “I feel” function. It works as follows: the console every 9 minutes, along with all the settings, sends the temperature to the conditioner that it measured and that, if it is within the range of the console, corrects the readings of the internal thermal sensor, depending on what it sent. remote controller.

By the way


Then everything is the simplest and most interesting - tykakh on buttons, we get the result and try to guess what, what is responsible for. It turned out that the bits in my air conditioner are transmitted starting from the youngest. I managed to decrypt most of the protocol.

Description of the protocol remote control Electrolux

0.1 bytes 0x83 0x06 Apparently the address
2 bytes 0b00000000 Mode of operation
7 bit = 1 if the “swing” button is pressed
6 5 4 bits in the dehumidification mode are responsible for the “power” 110 = -7 ...- 2, 101 = -1, 000 = 0, 001 = 1, 010 = 2..7
3 bits = 1 in the sleep mode (at the same time the fan is set to minimum)
2 bits are set if the power button is pressed
The 1 and 0 bits correspond to the fan mode - 00 automatic, 10 maximum speed, 01 average speed, 11 low speed.
3 bytes 0b11000010 Mode of operation and temperature. In this example, cooling to 30 degrees
The older 4 bits contain the specified temperature using the formula 18 + the number written here, for example 0b1100 = 12 we add 18 we get 30
The lower 4 bits are responsible for the 0010 operation mode cooling, 0000 heating, 0011 dehumidification, 0001 “smart” mode
4 bytes 0b00000000 unknown byte
5 bytes 0b10010000 Super cooling mode
In the super cooling mode, the fan is at a maximum, the temperature is +18, and additionally the higher 4 bits 1001 in the remaining modes there are zeros.
The first 6 bytes are completed, followed by a starting sequence of 8ms in high state + 0.5ms in low state and the second part of the packet is 8 bytes.
0 bytes 0b10000110 The current time (hours), in this example, 6 hours.
7 bit is always set.
5 bits = 1 turn off the display on the indoor unit.
1 byte 0b00000010 current time (minutes) in this example 02 minutes
7 bit is set when the off timer is enabled.
2 bytes 0b00010111 Auto-off time (hours), it's 23 hours.
3 bytes 0b10111010 Auto power off time (minutes) here 58
7 bit is set when the auto-on timer is on.
4 bytes 0b00001100 Auto-on time (clock) here 12 hours
5 bytes 0b10000010 Auto power on time (minutes) here 2 minutes
7 bits always set
6 bytes 0b00011111 The current temperature measured by the remote control, here 31.
7 bytes CRC. The CRC algorithm is not found by me. (I will be grateful if someone tells). I tried all the proposed algorithms in the online calculators (10 pieces), but did not find the right one. Obviously, when calculating the CRC, the first and second lines are considered. when changing any byte in the first or second line, the CRC changes.
Member huhen guessed the CRC calculation method: This is a XOR operation on all the bytes of the first and second package except the address. For example: 83 06 60 ^ 73 ^ 00 ^ 00 ^ 00 ^ 00 ^ 96 ^ 04 ^ 00 ^ 00 ^ 00 ^ 80 ^ 1E = 1F
The last part of the package is 7 bytes.
0 bytes
5 bit SOFT mode
4 bit switch pressed
3 bits set when mute mode is on (ear icon is lit on the display)
1 byte
0x00 = automatic sending, dimmer button and time setting clock button
0x01 = power button pressed
0x02 = button pressed to change the set temperature (power) + or - 0x03 = button pressed sleep
0x04 = Super Cool button pressed
0x05 = Timer ON auto on / off timer
0x06 = button pressed
0x07 = swing button pressed (swing flap)
0x0B mute button pressed
0x0C button pressed SOFT (power saving)
0x0D button I feel pressed
0x0F switch pressed (turn off the display of the indoor unit)
0x11 fan mode button pressed
0x17 = smart button pressed (automatic operation)
0x1D on or off the auto off timer Timer OFF

2 bytes in dehumidification mode and smart (automatic) are responsible for "power" along with 2 bytes of the first parcel
0x14 = + -7
0x10 = + -6
0x0C = + -5
0x08 = + -4
0x02 = + -3
0x00 = 0, + -1, + -2
6 bytes Checksum 0-5 bytes (third line).
In the dehumidification or smart mode, the air conditioner does not have a temperature, you can only select a number from -7 to +7. Probably they are responsible for power. And this power is transmitted in the second byte of the first parcel and the second byte of the third parcel.

I also have an xiaomi IR transmitter. It was tuned to the air conditioner by a brute force method and sends the first parcel with a length of 6 bytes to the air conditioner. An air conditioner on such a shortened parcel responds and performs it properly. But I don’t really like this version of control because it doesn’t allow the air conditioner to transmit the current temperature, thereby correcting its operation.

Then I just clicked on the buttons. In the signature on the data T = set temperature
C = current temperature measured by the remote control. Vent = fan mode.