Need some pointers for IR decoding

linuxha

I just picked up a couple of Blackbean (Broadlink RM3) WiFi IR controllers. I've kind of figured out how to get the devices to listen for IR, but the code returned is close but not exact, and I didn't expect it would be. But since it's relatively close, that would suggest it can be decoded into a more consistent string. What I need now are some good examples of how IR works (yes I know, lots of protocols). But before I code I need to crawl. Got any good pointers?
 
PS: The Blackbean doesn't really have any kind of description of its output. Only what others have reverse engineered.
 
Thanks
 
 
@Neil,
 
Googling a bit here noticed a few OpenHAB folks tinkering with it using python scripts.  
 
IE: from the OpenHAB forum see
 
I just replicated your tests by intercepting the UDP traffic from the phone to the Mini and then sending back the packets from a PC to the Mini. It appears that it is possible to send commands to the Mini, provided that two consecutive commands are not the same packet.

At this point, I'm a little bit concerned about security, though. What happens if I give a command with the App when I'm outside my LAN and someone sniffs that packet?

After the learning process, that requires some connection with broadlink servers, I will close all inbound and outbound traffic to the MAC/IP address of the Mini.

By the way, I've read in a Russian forum that the developer of the android tasker plugin is trying to support the Mini even though he does not know if it will be possible.
 
 
Since I don't have a wireless card in my PC, I've used the tPacketCapture application from the Play Store (it doesn't require the phone to have root access - I'm using it with stock Samsung ROM). It creates a VPN connection and captures all traffic from and to the cellphone. You just have to be on the same wireless network as the RM 3, otherwise it will communicate with the RM 3 over the Internet instead of communicating directly (it's easier to detect packages to a local IP than a random IP address). Besides that, you should start the broadlink application first and start tPacketCapture afterwards. After you finish capturing packets, you should transfer them to a PC and open them with Wireshark. Then just filter traffic by protocol (UDP) and destination address (IP of the RM 3), and copy the whole payload section (right click on payload in the upper half of Wireshark) as a hex stream. Then use that stream in BlackBeanControl.ini.
 
Other google searches show MFG disclaimers about not reverse engineering the product.
 
As it is an embedded firmware device there are probably serial pins on it inside where you could JTAG the device and watch the firmware work.
 
Last time I played around with IR was during the Tivo days before and during the DirecTivo days.
 
Personally have found the most resources at remote central dot com. 
 
pete_c said:
@Neil,
 
Googling a bit here noticed a few OpenHAB folks tinkering with it using python scripts.  
 
IE: from the OpenHAB forum see
 
I found that and it led me to the Broadlink python code that I'm using (it takes care of the network part). I'm able to send and receive, from the command line, just fine, but if you press the same button twice the string learned is different. I know the string returned is the bits in time between changes form. So if I can figure out what rough set of numbers means Zero and One I can then interpret the data correctly.
 
pete_c said:
Personally have found the most resources at remote central dot com. 
 
I've just signed up there, thanks.
 
What I need to do most is to understand the NEC IR protocol and then apply it to the information arriving from the Blackbean controller. That's the largest disconnect so far.
 
Thanks :)
 
Good news Neil.
 
Here is some stuff relating to the NEC IR Protocol.
 
NEC Infrared Protocol
 
  • A 9ms leading pulse burst (16 times the pulse burst length used for a logical data bit)
  • A 4.5ms space
  • The 8-bit address for the receiving device
  • The 8-bit logical inverse of the address
  • The 8-bit command
  • The 8-bit logical inverse of the command
  • Final 562.5µs pulse burst to show end of message transmission.
  • Logical '0' – a 562.5µs pulse burst followed by a 562.5µs space, with a total transmit time of 1.125ms
  • Logical '1' – a 562.5µs pulse burst followed by a 1.6875ms space, with a total transmit time of 2.25ms
nec.jpg
 
The four bytes of data bits are sent in least-significant-bit-first order. The figure below shows the format of an NEC IR transmission frame, for a command of 0xB1 (10110001b) and an address of 0x8D (10001101b).
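
As an added example (not code from any poster in this thread or from the Broadlink Python library): a tolerant NEC decoder built on the timings listed above, showing why two captures of the same button can differ yet decode to the same address and command. It assumes the learned data has already been converted to a list of alternating pulse/space durations in microseconds; `decode_nec`, `make_capture` and the jittered sample frames are constructed for illustration.

```python
import random

UNIT_US = 562.5  # NEC base pulse burst length, from the timing list above

def near(value, target, tol=0.25):
    """True if a measured duration is within tol (a fraction) of nominal."""
    return abs(value - target) <= target * tol

def decode_nec(durations_us):
    """Decode alternating pulse/space durations (us) to (address, command)."""
    if len(durations_us) < 2 + 64 + 1:
        raise ValueError("too short for an NEC frame")
    if not (near(durations_us[0], 16 * UNIT_US) and near(durations_us[1], 8 * UNIT_US)):
        raise ValueError("missing 9 ms / 4.5 ms leader")
    bits = []
    for i in range(2, 66, 2):
        pulse, space = durations_us[i], durations_us[i + 1]
        if not near(pulse, UNIT_US):
            raise ValueError(f"bad pulse at index {i}")
        if near(space, UNIT_US):        # short space: logical 0
            bits.append(0)
        elif near(space, 3 * UNIT_US):  # 1.6875 ms space: logical 1
            bits.append(1)
        else:
            raise ValueError(f"bad space at index {i + 1}")
    if not near(durations_us[66], UNIT_US):
        raise ValueError("missing final pulse burst")
    # Four bytes, each sent least significant bit first.
    data = [sum(bit << n for n, bit in enumerate(bits[b:b + 8])) for b in range(0, 32, 8)]
    addr, addr_inv, cmd, cmd_inv = data
    if addr ^ addr_inv != 0xFF or cmd ^ cmd_inv != 0xFF:
        raise ValueError("inverse byte check failed")
    return addr, cmd

def make_capture(addr, cmd, seed, jitter_us=80):
    """Constructed sample: an ideal NEC frame with random timing jitter added."""
    rng = random.Random(seed)
    frame = [16 * UNIT_US, 8 * UNIT_US]
    for byte in (addr, addr ^ 0xFF, cmd, cmd ^ 0xFF):
        for n in range(8):
            frame += [UNIT_US, 3 * UNIT_US if (byte >> n) & 1 else UNIT_US]
    frame.append(UNIT_US)
    return [d + rng.uniform(-jitter_us, jitter_us) for d in frame]

if __name__ == "__main__":
    first, second = make_capture(0x8D, 0xB1, seed=1), make_capture(0x8D, 0xB1, seed=2)
    print(first != second, decode_nec(first), decode_nec(second))
```

The inverse-byte check is what rejects a capture where noise pushed one space across the 0/1 threshold, so a bad learn fails loudly instead of producing a wrong code.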