All you want is a decent night’s sleep, so you decide to invest in one of those fancy adjustable beds. At first, it’s fine — being able to adjust the mattress to your needs on the fly is a joy, and yet…something isn’t quite right. Something nags at you every night, thwarting your slumber and turning your dreams of peaceful sleep into a nightmare once you realize your bed has locked you into a vertically integrated software ecosystem from which there’s no escape.
Or is there? That’s what [Chris Laplante] wanted to know, and why he reverse-engineered his Tempur-Pedic remote control. As many products these days do, his bed was touted as having an Android application for smartphone adjustability, but alas, the app hasn’t been updated since 2014 (!) and doesn’t appear to work on modern phones. [Chris] decided to take matters into his own hands and build a gateway to talk to the bed using its native RF protocol.
Most good reverse engineering stories start with research, and this one is no exception. Digging into the FCC database revealed a wealth of clues, such as the frequency — 433-MHz ISM band, no surprise — and even spectrum analyzer screenshots of the remote’s signals. A HackRF One revealed more about the signals, but it turned out that sniffing in on the SPI bus between the microcontroller and the Si4431 RF transceiver with a Salae logic analyzer was more fruitful, allowing him to dig into the packet structure.
The engineers at Tempur-Pedic threw quite a few challenges at [Chris], like an application-level CRC in addition to the CRC used by the Si4431, and interesting complications to control the massage features of the bed. In the end, [Chris] managed to get a pretty complete snapshot of the conversation between the bed and the remote, and is now in the process of building a gateway that’ll actually connect to his phone, plus integrate into his home automation system. We’re looking forward to updates on that.
This is going to happen more and more. Bit rot seeping in from the virtual world to the real one.
Not really a bit rot problem, more of a planned obsolescence problem.
Legislation should be changed regarding support for older devices- The app is no longer supported. We need laws to document how to control devices when the apps are no longer supported. OP had to find the codes while they should be made available when you purchase a device. Too many of these IOT devices lock you into a control mechanism that is app specific and then the manufacturer doesn’t update their app to support updated phones.. the products become obsolete. In this case there is a physical remote, however still functionality is lost because it was advertised as having capability to run from the customer’s phone. Not every product has a physical dedicated controller, some are only controllable via smartphone. What then when the app is no longer updated?
Blog post author here! Small correction – the gateway is actually done and released. Here’s the source code if anyone wants to see it: https://github.com/mostthingsweb/temperbridge-esphome/tree/cpl/temperbridge/esphome/components/temperbridge. I built the gateway on top of ESPHome.
pwn!
Awesome hack.
I remembered someone was doing the same thing few years ago and was interested at the time but forgot all about it.
I clicked the link and recognised it immediately, I’m glad you managed to figure it out!
When I fired up Home Assistant, it found an integration for my Sleep Number bed. Lots of sensors and controls. I’m using that for my signal that we are in bed.
Correction: It’s a common mistake but 433MHz is not an ISM band in North America.
433MHz band is allowed in the US, along with a number of other lower frequencies as long as they are for manually operated remote control devices with a relatively low output power. The transmissions must cease when the operator stops pressing the trigger.
Automatic transmission rates can be done, but with an extremely long time between transmissions.
I think in the EU they call this SRD, Short Range Devices.
ISM band in US is 902 – 928MHz and then again at 2.4GHz. 900MHz band has about 2x the line-of-sight range for the same output power vs 2.4GHz.
Application level CRCs are typical for products that rely on software for safety functions, or just good OTA bootloader practice. You have to know if the image you’re about to run is bad or not. If bad, use previous version.