My ceiling fan is controlled by a Hunter Fan Co 27185 remote control, which transmits control messages over RF at 350MHz.
Internally the device uses a HT12E encoder chip driving a 350MHz LC oscillator.
It has a 4-bit DIP switch that sets the id of the fan to be controlled.
I used my RTLSDR and Gqrx to capture transmissions from the remote, which revealed the following things…
Inspectrum is a promising open source project that enables very quick and easy analysis of narrow-band signals contained in IQ-data captures.
Analysis of the transmissions captured by Gqrx revealed that the packets are sent in a PWM (pulse-width modulation) scheme over OOK.
With the modulation of the packets now known, I used GNU Radio to build a real-time equivalent of the demodulation I had done by hand in Inspectrum.
Data is transmitted at ~2000bps using a 2/3 / 1/3 PWM scheme: within each symbol period the carrier is keyed on for either two-thirds or one-third of the period, and that duty cycle distinguishes the two bit values.
Packet table columns: Command | Preamble | 4-bit Fan Id | 7-bit Payload
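To make the modulation and framing above concrete, here is an added software model of the 2/3 vs 1/3 PWM-over-OOK scheme at ~2000bps. It is example code written for this page, not the post's GNU Radio flowgraph or the FPGA source. Everything the post does not state is an assumption and is marked as such in the code: the envelope sample rate (12 samples per symbol), which duty cycle is a 1 and which a 0, the preamble bits, and the field order preamble then id then payload (the order the table lists them in). The decoder measures each carrier-on run against the period between successive rising edges, so it does not depend on exact sample alignment, and the final symbol, which has no following edge, is judged against a nominal period.

```python
import random

# Constructed sample rate: 12 envelope samples per symbol at the ~2000 bps
# the post measured. The remote's true timing resolution is not on the page.
BIT_RATE = 2_000
SAMPLES_PER_BIT = 12
SAMPLE_RATE = BIT_RATE * SAMPLES_PER_BIT          # 24 kHz

# Carrier-on samples per symbol. Assumption: a 1 bit is on for 2/3 of the
# period and a 0 bit for 1/3; the post only says the scheme is 2/3 vs 1/3.
ON_SAMPLES = {1: SAMPLES_PER_BIT * 2 // 3, 0: SAMPLES_PER_BIT // 3}   # 8 and 4

# Constructed preamble; the post's table lists a preamble but not its bits.
PREAMBLE = [1, 1, 1, 1]


def pwm_encode(bits):
    """Map each bit to one symbol period of OOK envelope (1.0 = carrier on)."""
    env = []
    for b in bits:
        on = ON_SAMPLES[b]
        env.extend([1.0] * on + [0.0] * (SAMPLES_PER_BIT - on))
    return env


def add_noise(env, seed=1, sigma=0.05):
    """Add small deterministic Gaussian noise so the decoder's threshold
    step has something to do (stands in for a real envelope detector)."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in env]


def slice_envelope(env):
    """Threshold the envelope halfway between its quietest and loudest sample."""
    thr = (min(env) + max(env)) / 2
    return [1 if s > thr else 0 for s in env]


def pwm_decode(env):
    """Recover bits from an OOK envelope: each rising edge starts a symbol,
    the distance to the next rising edge is its period, and the duty cycle
    of the carrier-on run decides the bit (above 1/2 -> 1, else 0)."""
    sliced = slice_envelope(env)
    rising = [i for i, s in enumerate(sliced)
              if s == 1 and (i == 0 or sliced[i - 1] == 0)]
    bits = []
    for n, start in enumerate(rising):
        # The last symbol has no following edge; assume a nominal period.
        end = rising[n + 1] if n + 1 < len(rising) else start + SAMPLES_PER_BIT
        on = 0
        while start + on < min(end, len(sliced)) and sliced[start + on] == 1:
            on += 1
        bits.append(1 if on / (end - start) > 0.5 else 0)
    return bits


def build_packet(fan_id, payload, preamble=PREAMBLE):
    """Preamble, then the 4-bit DIP-switch fan id (MSB first), then the
    7-bit payload. Field order as the post's table lists it; assumed."""
    if not 0 <= fan_id < 16 or len(payload) != 7:
        raise ValueError("fan id must be 0..15 and payload 7 bits")
    id_bits = [(fan_id >> i) & 1 for i in range(3, -1, -1)]
    return list(preamble) + id_bits + list(payload)


def split_fields(bits):
    """Inverse of build_packet: the last 11 bits are id + payload,
    whatever precedes them is preamble."""
    if len(bits) < 11:
        raise ValueError("packet too short for a 4-bit id and 7-bit payload")
    id_bits = bits[-11:-7]
    fan_id = int("".join(map(str, id_bits)), 2)
    return {"preamble": bits[:-11], "fan_id": fan_id, "payload": bits[-7:]}


if __name__ == "__main__":
    # Constructed packet: fan id 5 and an arbitrary 7-bit payload.
    packet = build_packet(5, [1, 0, 0, 1, 1, 0, 1])
    received = add_noise(pwm_encode(packet))
    print(split_fields(pwm_decode(received)))
```

Measuring duty cycle per edge-to-edge period, rather than counting samples against a fixed grid, is what makes this kind of decoder tolerant of the slightly off bit rate a cheap LC oscillator and an HT12E-style encoder produce; the same structure is what a GNU Radio or Inspectrum-style analysis ends up reproducing.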
Because of the simple modulation scheme, it's possible to transmit the 350MHz packets by simply wiggling a pin with a flying lead attached, which acts as a monopole antenna.
The source is available on GitHub. The final implementation allows the fan to be controlled through push-buttons and over a serial-over-USB link via the board's FT2232 USB interface.
The ideal quarter-wave length for a 350MHz monopole antenna is ~214mm. With a flying lead of this length, I found that the FPGA could transmit to a distance of 150m. This range is quite excessive, so I trimmed the antenna to ~50mm, which reduced the transmission range to a more reasonable distance.
Given that there are only 16 id-codes possible with the 4-bit DIP switch, that the transmit range is so long, and that the fans in my housing complex are presumably all the same type, it would be easy to prank the neighbors by transmitting random commands to all the ids at once.