Cryptanalyse Your Air Con

Infrared remote controls are simple and ubiquitous. Emulating them with the aid of a microcontroller is a common project that hackers use to control equipment as diverse as televisions, cable boxes, and home stereos. Some air conditioners can be a little more complicated, but [Ken]’s here to help.

The root of the problem is that the air conditioner remote was using a non-obvious checksum to verify whether received commands were valid. To determine the function generating the checksum, [Ken] decided to bust out the tools of differential cryptanalysis. This involves carefully varying the input to a cryptographic function and comparing those input differences to the resulting differences in the output.

With 35 signals collected from the remote, a program was written to find input data that varied by just one bit. The checksum outputs were then compared to eventually put together the checksum function.

[Ken] notes that the function may not be 100% accurate, as they’re only using a limited sample of data in which not all the bytes change significantly. However, it shows that a methodical approach is valuable when approaching such projects.
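The one-bit-difference search described above can be sketched as follows. This is an added example, not [Ken]'s program or the remote's real checksum: the sample messages and both checksum functions (`xor_rot_checksum`, `add_checksum`) are constructed stand-ins. It also shows the limited-sample caveat, since any input bit never isolated in a pair stays unknown.

```python
from collections import defaultdict
from itertools import combinations

# Constructed 4-byte sample messages (hex), not captures from a real remote.
MSGS = ["23cb2618", "23cb2619", "23cb261a", "23cb261b",
        "23cb3618", "23cb3619", "23cb2718", "23cb2719"]

def xor_rot_checksum(msg: bytes) -> int:
    """Hypothetical XOR-linear checksum: XOR of each byte rotated left by its index."""
    acc = 0x5A
    for i, b in enumerate(msg):
        r = i % 8
        acc ^= ((b << r) | (b >> (8 - r))) & 0xFF
    return acc

def add_checksum(msg: bytes) -> int:
    """Hypothetical additive checksum: byte sum mod 256 (carries break XOR-linearity)."""
    return sum(msg) & 0xFF

def capture(checksum):
    """Pair every sample message with the checksum a remote using `checksum` would send."""
    return [(bytes.fromhex(m), checksum(bytes.fromhex(m))) for m in MSGS]

def analyse(captures, nbits=32):
    """Group checksum XOR-differences by the single input bit that was flipped."""
    seen = defaultdict(set)
    for (m1, c1), (m2, c2) in combinations(captures, 2):
        diff = int.from_bytes(m1, "big") ^ int.from_bytes(m2, "big")
        if diff and diff & (diff - 1) == 0:           # exactly one bit differs
            seen[diff.bit_length() - 1].add(c1 ^ c2)  # bit 0 = LSB of last byte
    consistent = {b: next(iter(d)) for b, d in seen.items() if len(d) == 1}
    conflicting = sorted(b for b, d in seen.items() if len(d) > 1)
    uncovered = sorted(set(range(nbits)) - set(seen))
    return consistent, conflicting, uncovered

if __name__ == "__main__":
    for name, fn in [("xor-rotate", xor_rot_checksum), ("additive", add_checksum)]:
        consistent, conflicting, uncovered = analyse(capture(fn))
        print(name)
        for bit, delta in sorted(consistent.items()):
            print(f"  input bit {bit:2d} -> checksum delta 0x{delta:02x}")
        print(f"  bits with conflicting deltas: {conflicting}")
        print(f"  bits never isolated in the sample: {len(uncovered)} of 32")
```

A bit whose flip always produces the same checksum delta points to an XOR-style function; conflicting deltas for the same bit point to carries, as in an additive checksum.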

Thirsty for more checksum-busting action? Check out this hacked weather station.

19 thoughts on “Cryptanalyse Your Air Con”

    1. Air conditioner remotes send every command with each button press, even if you just set the temperature it also sends fan speed, mode etc so you’d have to capture a lot of different commands if you wanted to do it that way

      1. Depends on the AC. Lower-end ones just have dumb “up/down/etc.” buttons and can easily be replayed.

        Higher-end ones (like ones with remote thermostat) send everything in each command and you need to know the checksum algo.

  1. I once did such analysis for reverse engineering a packet radio system. It was quite fun and not so difficult once you grasp what “linear” means in the context of functions that take binary string as input and give another as output.

    Of course, at the end of it, it turned out to be pretty standard CRC32. It just didn’t include all the bytes in the packet so my initial check missed it.

  2. With that attitude, I can tell you don’t live in Houston, like I do. I’ve always said that Houstonians would make the perfect people for migration to a lunar colony. They are already used to never going outside unless it’s absolutely necessary, and they understand that if the HVAC/life support fails, it’s a critical life threatening emergency that has to be dealt with immediately.

      1. When a trolly parent comment gets deleted, it takes the whole thread with it.

        a) Please don’t feed the trolls.
        b) Hit the “Report comment” button so that we can delete them as fast as possible and other folks don’t waste their time replying to a comment that’s just going to go away soon anyway.
