remote control #7
Comments
Is this the remote for the ring light? If so, very interesting. I'm amazed that the little remote control can do all the BLE handshake business and command the light. There is the ability to "pair" a given remote with a given light. Perhaps the key exchange happens as part of that pairing process and that's how they work? The other alternative that I can think of is that it uses some kind of car key like rolling codes. They have a portion of unencrypted data and a portion of encrypted data: https://en.wikipedia.org/wiki/Rolling_code
I think these remotes form part of the Zengge BLE Mesh. If so, then yes, all the traffic is encrypted; you can only get the key, password, and token required to communicate with these devices from the "Magic Hue" cloud. First off, have you tried the Hao Deng app to see if it can detect the remote and pair with it etc.? What is your use case for the remote? I don't think you can use the remote as a way of controlling other devices; it will only control paired devices from the same manufacturer.
I just tried it - my remote (the same as the photo in the repo's readme) seems to be stateless. The Hao Deng app can't detect it, since I can't put the remote into a "pairing mode", as required in the pairing wizard. Use case: I'm already using these remotes + controllers for almost 1000 of my fiber optic fanny packs and backpacks (nebulite.berlin), and I'd like to also use them for WLED on esp32, used in my jackets, vests, and kimonos. If I can crack the code, it will be easy since I can already see the advertisement packets on a test sketch on esp32.
Heyho!
I tried to analyse the "RF" remote control (which is actually BLE), but it's super difficult and I've come to a block in the road.
I captured these BLE packets from it.
I pressed the same button over and over again - and a lot of bytes change each time.
The bytes that stay the same also stay the same if I press a different button - so I assume that the actual payload is encrypted and uses an incremental counter as well as some passphrase as key.
Does anybody have an idea how to decrypt this?
https://chat.openai.com/share/94d056af-2970-4735-8b3d-196af5674094
ChatGPT also had no idea how to proceed.
I even found the SDK of the MCU in the LED controller, but it doesn't seem to contain any crypto functions.
http://www.tr3ma.com/Dati/reverse_engineering_elm327_yichip_yc1155.zip
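
A way to make the byte comparison described in the issue systematic, as an added example that is not part of the original post or the project's code: it labels each byte offset across captures as constant, fixed per button, or varying, and flags offsets that step by one between presses. The payloads and their layout are constructed for the demo, not taken from the remote.

```python
from collections import defaultdict

# Constructed captures in press order (not data from the issue): (button, payload hex).
# Assumed demo layout: 2 fixed bytes, 1 counter byte, 4 opaque bytes.
CAPTURES = [
    ("on",  "a55afe3f9c12e7"),
    ("on",  "a55aff81d04b2a"),
    ("on",  "a55a00c6177e59"),
    ("off", "a55a0112e8a3f4"),
    ("off", "a55a027b05dc68"),
]

def classify_offsets(captures):
    """Label each byte offset: 'constant', 'per-button' or 'varies'."""
    payloads = [(button, bytes.fromhex(hexstr)) for button, hexstr in captures]
    length = min(len(p) for _, p in payloads)  # compare only the common prefix
    labels = {}
    for i in range(length):
        per_button = defaultdict(set)
        for button, p in payloads:
            per_button[button].add(p[i])
        seen = set().union(*per_button.values())
        if len(seen) == 1:
            labels[i] = "constant"      # same for every press of every button
        elif all(len(v) == 1 for v in per_button.values()):
            labels[i] = "per-button"    # would indicate a plaintext command byte
        else:
            labels[i] = "varies"        # changes between presses of one button
    return labels

def counter_offsets(captures):
    """Offsets that step by exactly 1 (mod 256) between consecutive presses."""
    payloads = [bytes.fromhex(hexstr) for _, hexstr in captures]
    if len(payloads) < 2:
        return []                       # a single capture shows no progression
    length = min(len(p) for p in payloads)
    return [i for i in range(length)
            if all((b[i] - a[i]) % 256 == 1 for a, b in zip(payloads, payloads[1:]))]

if __name__ == "__main__":
    for offset, label in classify_offsets(CAPTURES).items():
        print(f"offset {offset}: {label}")
    print("counter candidates:", counter_offsets(CAPTURES))
```

An offset labelled `per-button` would point to an unencrypted command field; finding none, as in the observation above, is consistent with an encrypted or rolling-code payload.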