ESP-ing A Philips Sound System.

IoT-ifying old stuff is cool. Or even new, offline stuff. It seems to be a trend. And it’s sexy. Yes, it is. Why are people doing this, you may ask: we say why not? Why shouldn’t a toaster be on the IoT? Or a drill press? Or a radio? Yes, a radio.

[Dr. Wummi] just added another device to the IoT, the Internet of Thongs as he calls it. It’s a Philips MCM205 Micro Sound System radio. He wanted to automate his radio but his original idea of building a setup with an infrared LED to remotely control it failed. He blamed it to “some funky IR voodoo”.  So he decided to go for an ESP8266 based solution with a NodeMCU. ESP8266 IR remotes have been known to work before but maybe those were just not voodoo grade.

After opening the radio up, he quickly found that the actual AM/FM Radio was a separate module. The manufacturer was kind enough to leave the pins nicely labelled on the mainboard. Pins labelled SCL/SDA hinted that AM/FM module spoke I²C. He tapped in the protocol via Bus Pirate and it was clear that the radio had an EEPROM somewhere on the main PCB. A search revealed a 24C02 IC in the board, which is a 2K I²C EEPROM. So far so good but there were other functionalities left to control, like volume or CD playing. For that, he planned to tap into the front push button knob. The push button had different resistors and were wired in series so they generated different voltages at the main board radio ADC Pins. He tried to PWM with the NodeMCU to simulate this but it just didn’t work.

In a somewhat ironic turn of events, he realised that he could just tap into the IR receiver wire and simulate an IR code being sent, directly to the wire. No light interference, and no “funky IR voodoo” this time.

Some Lua lines later and the radio was upgraded with a GET API that allowed to:

  • Push all the buttons
  • Set an arbitrary FM frequency
  • Check if the radio is on or off

Let’s see it in action:

[Thanks gregor4005]

42 thoughts on “ESP-ing A Philips Sound System.

  1. Why not? I can sum it up in one word: HACKERS! I know it’s a great thing that pretty much anything that can be electrically controlled can be rigged to make your phone into the universal remote that so many tried and failed with in the IR regime, BUT, unless you want to be playing security cat-and-mouse with hackers for the rest of your existence, you’ll resist the temptation. The first time your coffee pot fills your house with the wonderful aroma of freshly-brewed coffee at 3 AM instead of 7 will be your – sorry – wake-up call, but it will get worse from there.

    This doesn’t even require the army of unemployed Belarusian programmers to discover that you have devices on the Internet; your neighbors will know because you’ve showed your modern conveniences off to them, and ONE of them will take up the challenge.

        1. Actually, it can work the other way.

          “My neighbour plays Barry Manilow really loud, around the clock. So I ‘hacked’ into his stereo and turned it off”.


      1. I have always wondered what would happen with a IR control modulated laser aimed at a high rise while sending global commands for power on volume up country music channel at 0 three or so would do. Lights would come on to find the remote forgotten hours earlier.

      2. It could turn on at maximum volume, permanently damaging the hearing of any infants or elderly who cannot turn it off or shield themselves. It could be forced to operate in a manner that causes internal harm to the device, possibly causing a hardware fault that could lead to a fire. It could drain as much power as protective fuses allow it to. I am sure there are more undesired but possible outputs, though some of these would be harder to “retrofit” in as even possible. Dismissing this as impossible outright though simply because it is “just a radio” is not really adequately or completely considering the potential downsides of the concept of IoT-all-the-things!

        1. Nope, far simpler than you imagine, if you understand it from a mathematical point of view. There is a catch, but the inconvenience only comes around infrequently but otherwise the device operates very normally because it is what it says that matters, not how it says it.

    1. 1. It’s a hack; this is HaD.
      2. The most l33t hacks carry risk.
      3. Many remote controls suck so hard that it’s worth coming up with your own, sane, phone-based control
      4. It’s not that hard to encrypt or obfuscate a one-off control to foil lesser mortals

  2. I’v been looking this Philips radios. All them are manufactured by Chinese contractors. JVC, Kenwood, Panasonic, all have similar models, running a firmware with common father, SunPlus. I’v been trying to revert eng this firmwares. They are available on internet. However, they come without a entry point, which are in the top memory, and are not available.
    They usually use a 68hc12 like micro labelled CA6812.
    Some insights

      1. A bit late now, but in case anyone harvested another Philips device and wanted to make use of the LCD:
        The ET8861S is just another HT1621 (several of the ETek LCD controllers speak that protocol).

        Can be easily bit-banged even with an ATTINY, but you would have to run through the address space and reverse engineer the segment bit locations. HT1621 is just a driver with no knowledge about the meaning of the LCD segments.

  3. OK I think I came up with a good one.
    My IR lights on my cameras around my house I wired separately to the power.
    I was thinking connect that up to a arduino or ESP8266 and program all the TVs and Radios into it. and then lets party.
    I have 2 apartment buildings next store as well. and the cameras are pointed all over hi and low. I even have a camera on my solar panels. I should be able to go at least 500m and farther going to the apartment buildings.

    OK lets party…

    1. What are you most likely to carry around with you at all times – your phone, or the stereo remote? IR remotes don’t exactly work through walls. And many remotes just suck, too.

  4. For all the sillyness in the comments section there are a few good tips on the site. I like the use of the DSO to visually coipy the control protocol post IR decode. That’s a neat trick.

  5. Skype has opened its internet-dependent consumer beta for the entire world, right after introducing it largely inside the
    United states and U.K. before this 30 days. Skype for Internet
    also now supports Linux and Chromebook for instant messaging interaction (no voice and video however, individuals need a plug-in set up).

    The increase of your beta adds assistance for a longer set of languages
    to help bolster that international usability

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.