IoT-ifying old stuff is cool. Or even new, offline stuff. It seems to be a trend. And it’s sexy. Yes, it is. Why are people doing this, you may ask: we say why not? Why shouldn’t a toaster be on the IoT? Or a drill press? Or a radio? Yes, a radio.
[Dr. Wummi] just added another device to the IoT, or the Internet of Thongs as he calls it. It’s a Philips MCM205 Micro Sound System radio. He wanted to automate his radio, but his original idea of building a setup with an infrared LED to control it remotely failed. He blamed it on “some funky IR voodoo”. So he decided to go for an ESP8266-based solution with a NodeMCU. ESP8266 IR remotes have been known to work before, but maybe those were just not voodoo grade.
After opening the radio up, he quickly found that the actual AM/FM radio was a separate module. The manufacturer was kind enough to leave the pins nicely labelled on the mainboard. Pins labelled SCL/SDA hinted that the AM/FM module spoke I²C. He tapped into the protocol with a Bus Pirate, and it was clear that the radio had an EEPROM somewhere on the main PCB. A search revealed a 24C02 IC on the board, which is a 2K I²C EEPROM. So far so good, but there were other functions left to control, like volume or CD playing. For that, he planned to tap into the front push-button knob. The push buttons had different resistors and were wired in series, so they generated different voltages at the main board radio ADC pins. He tried to simulate this with PWM from the NodeMCU, but it just didn’t work.
In a somewhat ironic turn of events, he realised that he could just tap into the IR receiver wire and simulate an IR code being sent, directly to the wire. No light interference, and no “funky IR voodoo” this time.
Some Lua lines later, the radio was upgraded with a GET API that allows you to:
- Push all the buttons
- Set an arbitrary FM frequency
- Check if the radio is on or off
Let’s see it in action:
42 thoughts on “ESP-ing A Philips Sound System.”
Why not? I can sum it up in one word: HACKERS! I know it’s a great thing that pretty much anything that can be electrically controlled can be rigged to make your phone into the universal remote that so many tried and failed with in the IR regime, BUT, unless you want to be playing security cat-and-mouse with hackers for the rest of your existence, you’ll resist the temptation. The first time your coffee pot fills your house with the wonderful aroma of freshly-brewed coffee at 3 AM instead of 7 will be your – sorry – wake-up call, but it will get worse from there.
This doesn’t even require the army of unemployed Belarusian programmers to discover that you have devices on the Internet; your neighbors will know because you’ve showed your modern conveniences off to them, and ONE of them will take up the challenge.
Well, it’s a radio. What’s the worst they can do? Fill your house with the sounds of Barry Manilow?
“At the Copa… Copacabana….”
Actually, it can work the other way.
“My neighbour plays Barry Manilow really loud, around the clock. So I ‘hacked’ into his stereo and turned it off”.
I have always wondered what would happen with an IR control modulated laser aimed at a high rise while sending global commands for power on volume up country music channel at 0 three or so would do. Lights would come on to find the remote forgotten hours earlier.
It could turn on at maximum volume, permanently damaging the hearing of any infants or elderly who cannot turn it off or shield themselves. It could be forced to operate in a manner that causes internal harm to the device, possibly causing a hardware fault that could lead to a fire. It could drain as much power as protective fuses allow it to. I am sure there are more undesired but possible outputs, though some of these would be harder to “retrofit” in as even possible. Dismissing this as impossible outright though simply because it is “just a radio” is not really adequately or completely considering the potential downsides of the concept of IoT-all-the-things!
It costs about $2 in extra hardware to make a totally secure ESP phone/PC link that not even the NSA could crack, but what is it worth to you to know how to do it?
History is full of “unbreakable” security systems. Broken ones.
Your mathematical knowledge is deficient if you think I am wrong.
Your security knowledge is deficient if you think you are right.
Operate from inside a Faraday cage? Surrounded by multiple frequency jamming techniques on the outside, also having the cage lined with egg cartons and wearing a stylish sailor-shaped foil hat.
Nope, far simpler than you imagine, if you understand it from a mathematical point of view. There is a catch, but the inconvenience only comes around infrequently but otherwise the device operates very normally because it is what it says that matters, not how it says it.
1. It’s a hack; this is HaD.
2. The most l33t hacks carry risk.
3. Many remote controls suck so hard that it’s worth coming up with your own, sane, phone-based control
4. It’s not that hard to encrypt or obfuscate a one-off control to foil lesser mortals
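The concern running through the comments above is that anyone who can reach the radio's GET API can drive it. The following is an added example, not part of the original post, Dr. Wummi's Lua code or any comment: it shows one way to authenticate each command with an HMAC and a counter (authentication and replay protection, not encryption), plus range checks on the tuner value. The endpoint paths, button names, demo key and FM range are assumptions, and it is written in Python so both the client and device-side logic can be run offline.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"      # constructed; provision a random per-device secret
FM_KHZ = range(87500, 108001)      # assumed tuner range, in kHz
BUTTONS = {"power", "vol_up", "vol_down", "play"}   # hypothetical button names


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest().encode()


def sign(path: str, params: dict, counter: int, key: bytes = KEY) -> str:
    """Client side: return the path plus a signed query string for one command."""
    items = sorted({**params, "ctr": str(counter)}.items())
    signed = path + "?" + "&".join(f"{k}={v}" for k, v in items)
    return f"{signed}&mac={_mac(key, signed).decode()}"


class RadioGate:
    """Device side: accept a command only if it is authentic, fresh and in range."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_ctr = 0          # must survive reboots on real hardware

    def check(self, url: str) -> str:
        signed, sep, mac = url.rpartition("&mac=")
        if not sep:
            return "reject: unsigned"
        # Constant-time comparison, so timing does not leak the expected MAC.
        if not hmac.compare_digest(_mac(self.key, signed), mac.encode()):
            return "reject: bad mac"
        path, _, query = signed.partition("?")
        params = dict(p.split("=", 1) for p in query.split("&"))
        ctr = params.get("ctr", "")
        if not ctr.isdigit() or int(ctr) <= self.last_ctr:
            return "reject: replay"
        self.last_ctr = int(ctr)   # consume the counter even if validation fails below
        if path == "/tune":
            khz = params.get("khz", "")
            if not khz.isdigit() or int(khz) not in FM_KHZ:
                return "reject: frequency out of range"
        elif path == "/button":
            if params.get("name") not in BUTTONS:
                return "reject: unknown button"
        elif path != "/status":
            return "reject: unknown endpoint"
        return "ok"
```

A captured request cannot be replayed because the counter only moves forward, and a modified frequency or button name fails the MAC check before any parameter is parsed.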
I just want to know when someone is going to IoT one of these; https://www.youtube.com/watch?v=yTaTUmMj9d0 (1993 GE Digital Clock Radio 7-4612B or any of the other similar models)
Here you go:
there’s only one “L” in PHILIPS
Quite right, thanks. Fixed!
Philips not Philllllllllllllllllips please.
You can tell, because that is what it says on the front panel in big caps.
Errm, a Phillips radio and he’s surprised by the presence of I²C that was invented by, Phillips?
I was surprised that the whole fm tuner was a separate module.
Power and I²C in, analog audio out.
It makes sense, because this Radio is as much Philips as this car is a Ferrari
It’s full on chinesium inside
+1 for chinesium
Should get an IRToy, they’re cheap and quite good at funky IR voodoo IIRC.
Also, that video title I can totally relate to.
I’ve been looking at these Philips radios. All of them are manufactured by Chinese contractors. JVC, Kenwood, Panasonic, all have similar models, running firmware with a common father, SunPlus. I’ve been trying to reverse engineer this firmware. It is available on the internet. However, it comes without an entry point, which is in the top memory and is not available.
They usually use a 68hc12 like micro labelled CA6812.
Some insights http://hackjvc.livejournal.com/206205.html
Yes, the insides scream chinesium at me. Do you have any info on the LCD controller ET8861S? I’m kinda stuck http://stuff.wummi.at/pages/espradio/lcd-hax.php
My own is an MCD135. Take a look at service manuals, they help a lot.
For my version, https://www.electronica-pt.com/esquema/func-startdown/21569/
Searching, I found http://manualzz.com/doc/6367019/az1837-service-manual-p6-27.indd that contains the pinout of the chip. I think it is only a deserializer with a driver for VFD displays. In the end, a simple chip.
By the way, the IR controller is crappy. It stopped working. I had to put a resistor on the IR LED, because it was saturating. Also, some caps on the crystal.
You have an oscilloscope. You can easily figure out the simple serial protocol running over that serial. It seems to be a simple VFD driver with deserialization.
A bit late now, but in case anyone harvested another Philips device and wanted to make use of the LCD:
The ET8861S is just another HT1621 (several of the ETek LCD controllers speak that protocol).
Can be easily bit-banged even with an ATTINY, but you would have to run through the address space and reverse engineer the segment bit locations. HT1621 is just a driver with no knowledge about the meaning of the LCD segments.
OK I think I came up with a good one.
My IR lights on my cameras around my house I wired separately to the power.
I was thinking connect that up to an Arduino or ESP8266 and program all the TVs and radios into it, and then let’s party.
I have 2 apartment buildings next door as well, and the cameras are pointed all over, high and low. I even have a camera on my solar panels. I should be able to go at least 500m and farther going to the apartment buildings.
OK let’s party…
I may think bad things, but I guess it’s a good thing I’m a good person overall.
Maybe I just don’t get the whole IoT thing, but didn’t he just reinvent the remote that came in the box?
You’re not thinking fourth dimensionally. “Alexa, turn on the radio.”
And YOU’RE not thinking meta. What happens when somebody on the radio says, “Alexa, turn off the radio.”?
The radio will shut off? Oh no
What are you most likely to carry around with you at all times – your phone, or the stereo remote? IR remotes don’t exactly work through walls. And many remotes just suck, too.
Oddly enough my phone has an IR emitter and can double as a remote.
Yes and no.
I can now set a frequency over HTTP, the original can’t.
Also this now finally allows me to integrate the radio in my FHEM home automation system. http://fhem.de/
It’s just better™
OK how do I use the “Internet of Thongs” ?
If it’s going to connect to WiFi, it better be able to stream audio over WiFi. A Raspberry Pi would do that quite well.
For all the silliness in the comments section there are a few good tips on the site. I like the use of the DSO to visually copy the control protocol post IR decode. That’s a neat trick.