We recently published an article where someone apparently controlled their TV by simulating a remote with merely a lighter and a sheet of paper. The paper had a barcode-like cutout for a supposed “Universal Standby Signal”. The video rightfully attracted a substantial crowd, some awestruck by its simplicity, others sceptical about its claims.
Coming from some generic “Viral Life Hack” production house, the characteristic blare of background music, more suited to an underground rave than a technical video, certainly did not do it any favours. As any moderately experienced campaigner would know, modern televisions and remotes have been carefully engineered to prevent such mishaps. Many of us at Hackaday were under the impression that it would take something slightly more sophisticated than a fluorescent-bodied lighter and a crisp sheet of A4 to deceive the system. So we tested it out. Our verdict? Unlikely, but not impossible. (And we’re pretty sure that the video is a fake either way.) But enough speculation, we’re here to do science.
Careful of the Carrier:
The most glaring inconsistency in the video’s methodology is the omission of the 38-40 kHz carrier usually employed by infrared remotes.
There are two big advantages to transmitting an on-off signal using a carrier:
- Optimise the frequency of transmission to one that is more suited to the medium. This will minimise the incurred distortion and loss.
- Prevent false transmissions and signal contamination by a noisy background.
The fundamental role of the carrier renders it key in the command decoding process at the TV end. Receivers are designed to respond to one particular frequency. Can any of this still work if we discard the carrier?
Enter the IR Receiver:
If you take apart your TV or any other appliance that uses an IR remote, you are likely to see one of these. IR receivers are usually 3 pin devices and are not to be confused with IR photo-diodes or IR transistors.
The latter completely disregard the modulation scheme and instead simply respond to the correct wavelength.
IR receivers, on the other hand, contain an IR photodiode (or transistor) and additional circuitry to reject signals that are outside the 38-40 kHz pass band. Once an AM-style modulated carrier is present, it is demodulated and presented on the output pin of the device.
The elements whose performance is paramount to our investigation are the AGC (Automatic Gain Control) and the band-pass filter. They prevent noisy surroundings from inducing spurious responses at the output.
The AGC’s job is to optimise the gain for the surrounding ambient noise. For example, if you have a fluorescent lamp spewing out some high frequency IR thanks to the noisy electronic ballasts or even a lighter producing a low-frequency bit pattern, the AGC will reduce the overall sensitivity of the receiver. Once this signal passes through the bandpass filter it should be attenuated enough to be rejected by the demodulator. Sophisticated IR receivers even employ clever control circuitry to reject some in-band noise based on the length of the signal. It’s not looking good for the hack.
Any Hope for the Hack?
On paper this hack looks done, dusted, and busted! Even before we proceed to scrounge the datasheet in search of the Bode plot to deliver the final blow, it’s clear that the band-pass filter would have to be pretty bad to leak through a signal orders of magnitude smaller in frequency than the nominal carrier.
At first glance, the band-pass filter performs reasonably well. Figure 5 shows the response of the receiver to a frequency relative to the response exhibited for the nominal frequency. The 3 dB bandwidth of this IR receiver is about 4 kHz — only about half of the signal gets through at 34 kHz or 42 kHz.
Unfortunately, the graph does not extend all the way down to the low base-band frequencies we are interested in. We can extrapolate and see that the response will be severely degraded at those frequencies. However, this still doesn’t guarantee that an out-of-band signal will be attenuated enough to be successfully rejected by the subsequent stages. How much attenuation do we need exactly?
Perhaps more instructive is Figure 2. It shows the irradiance required to trigger the output for a given frequency.
Almost an octave away from the nominal frequency, we only need seven times the irradiance to trigger the output. Assuming a crude linear extrapolation to the left, we need about a 10 dB gain of incident power to trigger the output directly, using a typical 1 kHz base band signal. That’s not much!
Consider also that the irradiance of a light source, such as a flame, follows the inverse square law. If the lighter is brought in close enough, the IR receiver might just accept the base-band signal. Has this actually resurrected some hope for the hack?!
Let’s Test This
I’m not going to lie: I was hoping this investigation would demand some thorough “on the bench” tests, rather than just lending itself solely to some book-work! The insight offered by the graphs has certainly given me an excuse to fire up the oscilloscope!
I have decided to proceed in a civilised manner, one that does not involve hacking some A4 and creating a potential fire hazard. Instead I’m going to make it easier for his hack to succeed, by idealising all conditions. What we need is a series of tests to demonstrate whether an IR receiver would faithfully reproduce its input, regardless of it being presented in its low-frequency base-band form or its high-frequency carrier-embedded form.
For this test I wanted to see how a simple IR transistor would behave with a flame present. I probed the collector of an IR transistor and found that it was totally sensitive to the lighter. As soon as the lighter is ignited, the transistor saturates, recovers and continues to respond to the flame. Considering the amplification stages present in IR receivers, this could potentially cause havoc.
Clearly, the lighter is a very strong source of IR, which is ideal when trying to fool the IR receiver.
Let’s move on to the actual IR receivers. I had two types in my parts bin. I powered them up, probed the output pin, and fired up the lighter. To my surprise both of them were fooled, at least as far as producing some bit pattern at the output. I could even get a response from across the room!
However, the sensitivity and response depended on the receiver used. The ones with the metal shielding performed a lot worse than the bare black bodied one. In fact, look at the two scope shots below. Can you differentiate between the bit pattern associated with the remote and the lighter?
Interestingly, the IR receivers offered no response to the lighter after the initial ignition. This is mainly down to the AGC finally compensating for the blinding IR source, and to the overall high attenuation that low-frequency signals experience through the IR receiver.
In any case, this makes the investigation interesting. It is clearly possible to induce some sort of bit pattern using a lighter! But can this be used to produce a deliberate pattern, or are we always just confined to error-prone gibberish? Let’s build a test rig to get to the bottom of this!
The results from test two were a bit of a revelation. We now need to test whether a reliable bit stream could be produced with a lighter or any other deliberate low-frequency IR perturbation. Let’s test the ideal case: a high-power IR LED outputting the base-band (no carrier) bit stream in close proximity to the IR receiver. Do we get an exact replica at the receiver’s output?
To keep the test data as realistic as possible, I wrote a quick program on an STM32 to read a bit stream from my remote and output it like for like to an IR LED, minus the carrier. I then taped the IR receiver and IR LED together, and placed the whole fixture in a cardboard veil. Comparing the output of the IR receiver to this emitted bit stream will decide the fate of this hack.
The trace on the top is the demodulated signal produced by my TV remote. The trace in the middle is the output of the IR LED being driven by the MCU. Finally, the trace at the bottom is the output of the IR receiver. At first glance it seems to have worked!
Here is a zoomed in section of the second and third trace. They must be identical for the hack to work:
Uh oh. Clearly, they are not the same. Repeating this experiment multiple times, even with different kinds of IR receivers, I have noticed that the error rate is extremely high and the bit patterns produced are absolutely not repeatable without the carrier. In this case we see two output toggles for every one input toggle. This, I suspect, is an artefact of the demodulator not being happy with the out-of-band frequencies.
Even though there is a strong correlation between the two signals, it is certainly not enough to fool a TV. I’ve tried pointing this IR LED to the three TV sets I have, none of them even budged.
Can An Obstruction Produce Any Bit Pattern?
The last thing to test is producing some kind of bit pattern using an obstruction. This is a bit redundant, as the last test has shown that low-frequency signals produce erroneous data at the receiver’s output anyway. Manipulating this to get a valid code is difficult or impossible.
IR receivers are incredibly sensitive devices. For example, trying to prevent your TV from registering a remote press by covering the LED is not easy. Unless you try very hard, it can’t be obstructed. Thus it is very likely that, without turning the strong source of IR off, a simple cutout-based obstruction will simply look like a flat, always-on signal to the receiver.
To test this, I tried various card based obstructions in front of a constant IR LED and lighter. Moving the card back and forth several times landed me nothing.
To turn things up a notch, I decided to use a PC fan as the source of obstruction. Spinning at more than 2000 RPM with seven blades, it gives a chopping frequency of 250-300 Hz. This worked pretty well without a carrier, but produced the wrong bit pattern on the scope.
Next, to simulate a carrier, I flashed the IR LED using the function generator instead of turning it on constantly. I set the flash frequency to 38 kHz and voilà, the perfectly demodulated 300 Hz signal produced by the fan appeared on the scope! However, if I now deviate away from the carrier by an octave or so, I see an erroneous pattern again.
The photos below show how the worst-performing IR receiver I had demodulated the 300 Hz input signal caused by the fan, for a given carrier. Only the 10 kHz and 38 kHz carriers were successfully demodulated to reveal the underlying 300 Hz signal.
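The STM32 replay test and the fan test above boil down to the same question: what does the band-pass/demodulator chain do with a mark that is held on versus one chopped at the carrier? The following pure-Python model is an added example, not code from the article or from any receiver datasheet. It feeds a constructed bit pattern through a second-order band-pass at 38 kHz with the 4 kHz bandwidth quoted above, a rectify-and-hold envelope detector and a fixed slicing threshold; the Q, the 100 µs envelope time constant, the 600 µs bit slot and the 10 % threshold are assumptions, not measurements of a real part.

```python
import math
FS = 1_000_000               # simulation sample rate, 1 MHz (constructed)
F0, BW = 38_000.0, 4_000.0   # nominal carrier and 3 dB bandwidth quoted in the article
BIT_US = 600                 # constructed mark/space slot length, roughly NEC-sized
PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed stand-in for the remote's bit stream

def biquad_bandpass(x, f0=F0, bw=BW, fs=FS):
    """Second-order IIR band-pass (RBJ cookbook, 0 dB peak gain) standing in for the receiver's filter."""
    w0, q = 2 * math.pi * f0 / fs, f0 / bw
    alpha = math.sin(w0) / (2 * q)
    a0 = 1 + alpha
    b0, b2, a1, a2 = alpha / a0, -alpha / a0, -2 * math.cos(w0) / a0, (1 - alpha) / a0
    y, x1, x2, y1, y2 = [], 0.0, 0.0, 0.0, 0.0
    for xn in x:
        yn = b0 * xn + b2 * x2 - a1 * y1 - a2 * y2
        y.append(yn)
        x2, x1, y2, y1 = x1, xn, y1, yn
    return y

def envelope(y, tau_s=100e-6, fs=FS):
    """Rectify and peak-hold with exponential decay: a crude AM demodulator."""
    decay, out, acc = math.exp(-1.0 / (tau_s * fs)), [], 0.0
    for v in y:
        acc = max(abs(v), decay * acc)
        out.append(acc)
    return out

def emit(bits, carrier_hz=None, fs=FS):
    """LED drive: a 1 bit is a mark, either held on (no carrier) or chopped at carrier_hz."""
    n, out = int(BIT_US * 1e-6 * fs), []
    for i, b in enumerate(bits):
        for k in range(n):
            t = (i * n + k) / fs
            on = b and (carrier_hz is None or math.sin(2 * math.pi * carrier_hz * t) > 0)
            out.append(1.0 if on else 0.0)
    return out

def receive(samples, fs=FS):
    """Band-pass, envelope, slice; returns (bits sampled mid-slot, number of output toggles)."""
    env = envelope(biquad_bandpass(samples, fs=fs), fs=fs)
    thresh = 0.1 * (2 / math.pi)   # 10 % of the level a 38 kHz mark settles to (square-wave fundamental 2/pi at 0 dB)
    logic = [1 if v > thresh else 0 for v in env]
    n = int(BIT_US * 1e-6 * fs)
    bits = [logic[i * n + n // 2] for i in range(len(samples) // n)]
    toggles = sum(1 for a, b in zip(logic, logic[1:]) if a != b)
    return bits, toggles
if __name__ == "__main__":
    for name, carrier in (("no carrier", None), ("19 kHz carrier", 19_000), ("38 kHz carrier", 38_000)):
        bits, toggles = receive(emit(PATTERN, carrier))
        print(f"{name:14s} recovered={bits} output toggles={toggles}")
```

With the carrier at 38 kHz the pattern comes back intact with one rise and one fall per mark; with no carrier only the edges of each mark ring the filter, so the output shows a short pulse per input edge (two toggles for every input toggle) and the mid-bit samples read all zeros, while a carrier an octave low falls far enough down the skirt that the pattern is lost as well.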
Is the video fake? We’d put our money on it. But is it possible to produce bit patterns on the output of an IR receiver using an obstruction and an IR source like a lighter? Yes, and we’ve demonstrated it. Are the bit patterns produced in this fashion repeatable and error free? Nope, and this is the crux of our skepticism. Is there even a little chance this could work, considering the multitude of IR receiver types in the market? A slim chance, but definitely a chance. If the IR receiver has dubious bandpass filter characteristics and is happy to work at a much lower carrier, it might just be plausible. But it’s not easy, and it’s not a life hack, whatever that means.