Reverse Engineering Self-Powered Wireless Switches

The plethora of wireless communications technologies have cut the comms wire for many applications, but these devices still require power. For home automation, this might mean a battery or mains power, but there is also an alternative that we don’t see often: Kinetic power. [Bigclivecom] bought some kinetic switches from eBay and gave it his usual reverse engineering treatment.

True to the marketing, these switches do not require external power or a battery to send a wireless signal. Instead, it harvests energy from the magnetic latching action of the switch itself. When the switch is actuated, a small current is induced in a coil as the polarity of the magnetic field through its core changes rapidly. Through a series of diodes and resisters, the energy is stored in a capacitor, which is then used to power a small transmitter chip. The antenna coil is wrapped around the switch housing.

The receiver side is powered by mains and includes a relay output for lights. It would be really nice to have a hacker-friendly module for projects. We would be curious to see the range that these devices are capable of.

The same technology is used inside the Philips Hue Tap switch, of which Adafruit did a teardown a few years ago. If you want to learn more about RF modulation, check out the crash course article we put out a while back. Of course, the RTL SDR is an indispensable and affordable tool if you want to do some experimentation.

30 thoughts on “Reverse Engineering Self-Powered Wireless Switches

  1. Interesting though I wouldn’t want something so insecure in my home. I’m sure there are peculiar situations where this is an ideal switch but nothing comes to mind.

    1. Seems ideal to turn off a lamp after exiting the room, instead of walking further in to turn it off and walking twice the distance to leave while in the dark.
      If someone is inside of my house in order to perform a replay attack, the light and its switch is extremely far down the list of concerns from having a stranger in my house :P

    2. I don’t remember the brand, but I have something similar as a door bell. It is quite useful as the main doesn’t go to the garden gate and you never know when a battery powered switch will fail. In this situation, I don’t see security as much of a concern since the device is outside anyway.

    3. If someone is motivated enough to have a crack at a light switch, they’ll certainly be motivated enough to find an opening in something more worthwhile, like your network.

      Besides, we don’t really have a clue how secure or insecure this is. For all we know it sets itself up properly when you pair them. Or not.

    4. I could see a wireless switch controlling several other switches in a different location. A master-slave arrangement. Easier than running a bunch of wires especially in older buildings.

      1. That was my first thought. If you were to rewire an old house it would be nice not needing to run wires to switches, and also to have multiple switches for the same thing like the top and bottom of a stair case or the far ends of a hallway.

    5. I would not consider this less secure than a normal remote controlled socket. And the worst thing somebody could do, is switching on a decorative light in the living room.

  2. Curious how this is done with the hue tab though, as hue is ZigBee based and I wonder if you can harvest enough energy to do a encrypted/signed ZigBee message …

  3. I’ve got acne of these off ebay. Interesting to see how they work. I honestly suspected they had a small button cell hidden in them and they’d die after 3 months, but it’s been working for years now so is presumably legit!

      1. Most interesting would be the size of the storage capacitor, and the peak voltage it’s charged to. From that you can calculate the final harvested energy.

        I was a bit surprised by the simplicity of the energy harvester.
        You could quite easily hack a bigger version together from a relay coil and a nibbidibbibidium magnet. although the arrangement described in US7710227 is slightly easier to hack together.

    1. What on earth are you doing to burn through batteries?
      I’ve had just one die, after 10 years (an ’08, replaced in ’18). The ones from my ’03 outlived the car (12 years). My ’15’s are still on their original batteries.

      1. It’s not how often, it’s the when of it. They build so much intelligence into the key that it knows when you have parked with the only keyholed entry point up against a wall and kills the battery then. :)

        1. Incredible luck. Kind of a once-in-a-lifetime. You oughta buy a lottery ticket.
          Fortunately, a replacement battery can be found just about any convenience or dollar store, and takes just a minute to replace.

          1. My Outback’s fob batteries failed with more than enough advance warning of “hey it’s not reliably unlocking/locking but it’s at least working for now” that if you REALLY got stuck due to a battery failure it’s your own fault in 99% of scenarios.

            As in – to get stuck by a dead battery you’d have to ignore a failing battery for over a month.

  4. The EnOcean switches (PRM21x) are a very good energy-harvesting design. I have a couple.
    They can use strong encryption (rolling counter, AES, MAC). Somewhat pricey though.
    The radio packets are also well designed and structured, not just some fixed OOK pulses…

  5. The company I am employed at currently uses these kinetic energy harvesting.
    As stated by other comments:
    Some of the modules used are enocean tcm320u /PTM 535 ​and work with paired receiver ,no other accepted input. They state as the communication is encrypted but how strong it is, remains to be seen.
    Advised is not using these in security or safety related applications.

    As for reliable the tests in industrial work conditions (humidity, shocks, dirt, radio interference outside their band) the longest random test was for 1 million clicks with around 50 failures of transmission. That was also dependent on the custom case done for them.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.