Reverse Engineering Smart TV Remote with Logic Analyzer

In this video, I show how I analyzed an unknown digital signal on a remote control for a Google Smart TV with a logic analyzer. I used the PCBite probe kit to connect to the test points without solder.

About Me:
My name is Matt Brown and I'm a Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.

- Soli Deo Gloria

#iot #hacking #embedded_systems #microscope #tools
Comments
Author

A video on the process of decoding would be incredibly interesting! What tools you use, common patterns you know, etc etc. Really enjoying all of your videos, keep it up :)

Packmanman
Author

I have always wondered about these pads, especially on the old Vizio double sided remotes with the keyboard attached to the bottom, it’s made of two motherboards with two IR lights pointed in different directions. I remember I would spend hours as a kid testing out all kinds of stuff with the remote and they even have weird little games you could play on these early smart TVs. (BTW I’m talking about the big one with the A B X Y buttons, not the slim newer one and not the one where the keyboard slides down)

rd.Eye.Saw.Destruction
Author

This explains why I gotta wait between button presses on these "smart" remotes. Channel surfing is dead now.

SlinkyD
Author

wow you are a gizmo i stg i watched your whole channel today, addicting seeing what you can do 🙈

AustinHypes
Author

It would be cool to see how you approach CANbus

simmosideways
Author

2F seems to be transmit, 5F might be receive? (Not sure) I noticed additional patterns in each of the messages as well. It seems each message has three messages in it. I've broken them apart before. As you noted, the same byte is sent in position 3 for each of the three parts, which is always followed up by 48.

Perhaps the 3rd byte is a sort of message id for the current packet?

2F 8A7D 48 0A08
2F 9A7D 48 0A08
5F FA7D 48 690D1828F8

2F 3FA8 48 0A08
2F 2FA8 48 0A08
5F 4FA8 48 690D1828F8

2F F9AC 48 0A08
2F E9AC 48 0A08
5F 89AC 48 690D1828F8

iamsleepyhollow
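
The field split described in the comment above can be checked mechanically over the nine frames it lists. This is an added example, not part of the original comment or the video; the layout (one lead byte, a two-byte field, a 0x48 marker, then a tail) is an assumption taken from the comment's spacing, and the function names are hypothetical.

```python
# Constructed input: the nine frames as transcribed in the comment above.
CAPTURE = """
2F 8A7D 48 0A08
2F 9A7D 48 0A08
5F FA7D 48 690D1828F8

2F 3FA8 48 0A08
2F 2FA8 48 0A08
5F 4FA8 48 690D1828F8

2F F9AC 48 0A08
2F E9AC 48 0A08
5F 89AC 48 690D1828F8
"""

def parse_groups(text):
    """Blank lines separate groups; each hex line becomes one bytes frame."""
    return [[bytes.fromhex(line) for line in block.splitlines()]
            for block in text.strip().split("\n\n")]

def split_frame(frame):
    """Assumed layout (from the comment's spacing), not a documented format."""
    return {"lead": frame[0], "field": frame[1:3],
            "marker": frame[3], "tail": frame[4:]}

def constant_offsets(frames):
    """Byte offsets, within the shortest frame, that never change in a group."""
    shortest = min(len(f) for f in frames)
    return [i for i in range(shortest) if len({f[i] for f in frames}) == 1]

def xor_against_first(frames, offset):
    """XOR each frame's byte at `offset` with the first frame's byte there."""
    return [f[offset] ^ frames[0][offset] for f in frames]

if __name__ == "__main__":
    for n, group in enumerate(parse_groups(CAPTURE), 1):
        print(f"group {n}: constant offsets {constant_offsets(group)}")
        for frame, delta in zip(group, xor_against_first(group, 1)):
            parts = split_frame(frame)
            print(f"  lead={parts['lead']:02X} field={parts['field'].hex().upper()}"
                  f" marker={parts['marker']:02X} tail={parts['tail'].hex().upper()}"
                  f" xor@1={delta:02X}")
```

On the transcribed frames, offsets 2 and 3 are the only constant positions in every group, and the byte at offset 1 differs from the group's first frame by 0x10 and 0x70 in all three groups.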
Author

Cool but you should be able to solder to those points with no issues, those pogo pins just cause more problems than they're worth...

jayfowler
Author

7:43
1 Million (Translated to BAUD) is Sym/s SYMBOLS PER SECOND
Not Samples
and 1MHz is Frequency not BAUD, 1MHz doesn't have to mean 1 Million symbol changes per second,
you could have 9600 Symbols in that time, it depends on the BAUD RATE in use in the protocol

but.. you were looking for BAUD RATE... in SYMBOLS per second Sym/s or Sym/sec or even Bd

martinkuliza
Author

Bought one of these off ebay it never arrived:/ first experience of this but could you recommend a reseller

neon_Nomad
Author

Hi. Thank you for the video. I have a question. The blue LED in the logic analyzer is on all the time, and Logic2 shows that the device is starting from a high state. Is it damaged or is it supposed to be like that?

yankovalsky
Author

8:35 it's not Binary Protocol. it's likely NEC Protocol
Binary isn't a protocol. it's a Numbering system and a Language, it's not a Protocol
also you just said it was HEX so....

martinkuliza
Author

I've been wanting the pcbite kit for so long but the kit I want is like 700cad haha

jstro-hobbytech
Author

I like the video but I hate that fuckin hat lol. Good video though, liked and commented for your algo

Sockheadrps