/* * elksmart-comm.c: ELK Smart infrared dongle tool (for EKX4S and EKX5S-T) * * Copyright (c) 2024, Přemysl Eric Janouch * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * */ #include "config.h" #undef PROGRAM_NAME #define PROGRAM_NAME "elksmart-comm" #include "liberty/liberty.c" #include // --- Utilities --------------------------------------------------------------- /// Search for a device with given vendor and product ID. /// This is quite similar to libusb_open_device_with_vid_pid(). static libusb_device_handle * find_device(int vendor, int product, int *error) { libusb_device **list = NULL; libusb_device_handle *handle = NULL; int result = 0; ssize_t len = libusb_get_device_list(NULL, &list); if (len < 0) { result = len; goto out; } for (ssize_t i = 0; i < len; i++) { libusb_device *device = list[i]; struct libusb_device_descriptor desc = {}; if ((result = libusb_get_device_descriptor(device, &desc))) print_debug("%s", libusb_strerror(result)); else if (desc.idVendor != vendor || desc.idProduct != product) continue; else if (!(result = libusb_open(device, &handle))) break; } libusb_free_device_list(list, true); out: if (error != NULL && result != 0) *error = result; return handle; } static void wait_ms(long ms) { struct timespec ts = {ms / 1000, (ms % 1000) * 1000 * 1000}; nanosleep(&ts, NULL); } static void dump_hex(const unsigned char *buf, size_t len) { for (size_t i = 0; i < len; i++) printf("%02x", buf[i]); printf("\n"); } static bool read_hex(const char *string, struct str *out) { static const char *alphabet = "0123456789abcdef"; str_reset(out); while (true) { while (*string && strchr(" \t\n\r\v\f", *string)) string++; if (!*string) return true; const char *hi, *lo; if (!(hi = strchr(alphabet, tolower_ascii(*string++))) || !*string || !(lo = strchr(alphabet, tolower_ascii(*string++)))) return false; str_pack_u8(out, (hi - alphabet) << 4 | (lo - alphabet)); } } // --- Coding ------------------------------------------------------------------ // Values are in microseconds. struct pulse { unsigned on, off; }; static bool pulse_equal(struct pulse a, struct pulse b) { return a.on == b.on && a.off == b.off; } static size_t decode_learned_direct(const uint8_t *b, size_t b_len, struct pulse *pulses) { size_t pulses_len = 0; for (size_t i = 0; i < b_len;) { struct pulse *pulse = &pulses[pulses_len++]; while (b[i] == 0xff) { pulse->on += 4080; if (++i == b_len) return 0; } pulse->on += b[i++] * 16; // Who cares, presumably it stays off. if (i == b_len) break; while (b[i] == 0xff) { pulse->off += 4080; if (++i == b_len) return 0; } pulse->off += b[i++] * 16; } return pulses_len; } static struct pulse * decode_learned(const struct str *code, size_t *len, struct error **e) { // This conveniently has an upper bound. struct pulse *pulses = xcalloc(code->len, sizeof *pulses); if (!(*len = decode_learned_direct( (const uint8_t *) code->str, code->len, pulses))) { error_set(e, "code ends unexpectedly"); free(pulses); return NULL; } return pulses; } static struct pulse * encode_nec_byte(struct pulse *p, uint8_t byte) { for (int i = 7; i >= 0; i--) *p++ = (struct pulse) {.on = 550, .off = ((byte >> i) & 1) ? 1650 : 550}; return p; } static struct pulse * encode_nec(const struct str *code, size_t *len, struct error **e) { if (code->len % 2) { error_set(e, "NEC transmission format requires pairs"); return NULL; } // The timings seem to be rather tolerant. *len = code->len / 2 * (1 /* leader */ + 32 + 1 /* stop */); struct pulse *pulses = xcalloc(*len, sizeof *pulses), *p = pulses; for (size_t i = 0; i < code->len; i += 2) { *p++ = (struct pulse) {.on = 8500, .off = 4250}; p = encode_nec_byte(p, code->str[i + 0]); p = encode_nec_byte(p, ~code->str[i + 0]); p = encode_nec_byte(p, code->str[i + 1]); p = encode_nec_byte(p, ~code->str[i + 1]); *p++ = (struct pulse) {.on = 550, .off = 25000}; } return pulses; } static void compress_value(unsigned value, struct str *encoded) { if (value <= 2032) { // We fix a minor problem in the original Ocrustar algorithm. uint8_t v = value / 16. + .5; str_pack_u8(encoded, MAX(2, v)); } else { do { uint8_t v = value & 0x7f; if ((value >>= 7)) v |= 0x80; str_pack_u8(encoded, v); } while (value); } } static void compress_pulses (const struct pulse *pulses, size_t len, struct str *encoded) { unsigned counts[len]; memset(counts, 0, sizeof counts); for (size_t i = 0; i < len; i++) for (size_t k = 0; k < len; k++) if (pulse_equal(pulses[i], pulses[k])) counts[i]++; struct pulse p1 = {}, p2 = {}; size_t top1 = 0, top2 = 0; for (size_t i = 0; i < len; i++) if (counts[i] > counts[top1]) p1 = pulses[top1 = i]; for (size_t i = 0; i < len; i++) if (counts[i] < counts[top1] && counts[i] > counts[top2]) p2 = pulses[top2 = i]; else if (counts[top2] == counts[top1]) p2 = pulses[top2 = i]; // Although I haven't really tried it, something tells me that // this will work even in the degenerated case of len <= 2. // XXX: The receiver might not like multibyte values here, // Ocrustar also oddly replaces 0xff with 0xfe for these fields. compress_value(p2.on, encoded); compress_value(p2.off, encoded); compress_value(p1.on, encoded); compress_value(p1.off, encoded); str_pack_u8(encoded, -1); str_pack_u8(encoded, -1); str_pack_u8(encoded, -1); for (size_t i = 0; i < len; i++) { if (pulse_equal(pulses[i], p1)) { str_pack_u8(encoded, 0); } else if (pulse_equal(pulses[i], p2)) { str_pack_u8(encoded, 1); } else { compress_value(pulses[i].on, encoded); compress_value(pulses[i].off, encoded); } } } // --- Device interaction ------------------------------------------------------ enum { USB_VENDOR_SMTCTL = 0x045c, // 0x134 (EKX5S ~ 5s, 5th generation remote) // 0x195 (EKX4S ~ 4s, 4th generation remote) // 0x184 (EKX5S-T, international edition) USB_PRODUCT_SMTCTL_SMART_EKX4S = 0x0195, USB_PRODUCT_SMTCTL_SMART_EKX5S_T = 0x0184, // There should only ever be one interface. USB_INTERFACE = 0, }; static uint8_t c_transmit[] = {-1, -1, -1, -1}, c_learn[] = {-2, -2, -2, -2}, c_stop[] = {-3, -3, -3, -3}, c_identify[] = {-4, -4, -4, -4}; static struct { unsigned char endpoint_out; ///< Outgoing endpoint unsigned char endpoint_in; ///< Incoming endpoint } g; static bool init_device_from_desc(struct libusb_config_descriptor *desc, struct error **e) { // We're not being particuarly strict in here. if (desc->bNumInterfaces != 1) return error_set(e, "unexpected USB interface count"); if (desc->interface->num_altsetting != 1) return error_set(e, "unexpected alternate setting count"); const struct libusb_interface_descriptor *asd = desc->interface->altsetting; if (asd->bInterfaceClass != LIBUSB_CLASS_COMM) return error_set(e, "unexpected USB interface class"); if (asd->bNumEndpoints != 2) return error_set(e, "unexpected endpoint count"); bool have_out = false, have_in = false; for (uint8_t i = 0; i < asd->bNumEndpoints; i++) { const struct libusb_endpoint_descriptor *epd = asd->endpoint + i; if ((epd->bmAttributes & LIBUSB_TRANSFER_TYPE_MASK) != LIBUSB_ENDPOINT_TRANSFER_TYPE_BULK) return error_set(e, "unexpected endpoint transfer type"); switch ((epd->bEndpointAddress & LIBUSB_ENDPOINT_DIR_MASK)) { break; case LIBUSB_ENDPOINT_OUT: have_out = true; g.endpoint_out = epd->bEndpointAddress; break; case LIBUSB_ENDPOINT_IN: have_in = true; g.endpoint_in = epd->bEndpointAddress; } } if (!have_out || !have_in) return error_set(e, "USB interface is not bidirectional"); return true; } static bool init_device(libusb_device_handle *device, struct error **e) { struct libusb_config_descriptor *desc = NULL; int result = libusb_get_active_config_descriptor(libusb_get_device(device), &desc); if (result) return error_set(e, "%s", libusb_strerror(result)); bool ok = true; if ((result = libusb_kernel_driver_active(device, USB_INTERFACE)) == 1) ok = error_set(e, "device is claimed by a kernel driver"); else if (result) ok = error_set(e, "%s", libusb_strerror(result)); else ok = init_device_from_desc(desc, e); libusb_free_config_descriptor(desc); return ok; } // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - static uint8_t mangle(uint8_t value) { uint8_t reversed = 0; for (int i = 0; i < 8; i++) { reversed = (reversed << 1) | (value & 1); value >>= 1; } return ~reversed; } static uint8_t checksum(const uint8_t *b, size_t len) { uint32_t sum = 0; for (size_t i = 0; i < len; i++) sum += b[i]; return mangle((sum & 0xF0) | ((sum >> 8) & 0x0F)); } static bool send_transmit(libusb_device_handle *device, unsigned long frequency, const struct pulse *pulses, size_t pulses_len, struct error **e) { if (g_debug_mode) for (size_t i = 0; i < pulses_len;) { printf("%u,%u", pulses[i].on, pulses[i].off); putchar(++i == pulses_len ? '\n' : ','); } struct str compressed = str_make(); compress_pulses(pulses, pulses_len, &compressed); struct str message = str_make(); str_append_data(&message, c_transmit, sizeof c_transmit); frequency += 0x7ffff; str_pack_u8(&message, mangle(frequency >> 8)); str_pack_u8(&message, mangle(frequency >> 16)); str_pack_u8(&message, mangle(frequency)); str_pack_u8(&message, mangle(compressed.len >> 8)); str_pack_u8(&message, mangle(compressed.len)); str_append_str(&message, &compressed); str_free(&compressed); size_t i = 0; uint8_t buffer[64]; bool ok = true; while (i != message.len) { size_t chunk = MIN(62, message.len - i); memcpy(buffer, message.str + i, chunk); i += chunk; if (chunk == 62) { buffer[chunk] = checksum(buffer, chunk); chunk++; } int result = 0, len = 0; if ((result = libusb_bulk_transfer( device, g.endpoint_out, buffer, chunk, &len, 100))) { ok = error_set(e, "send: %s", libusb_strerror(result)); break; } wait_ms(2); } str_free(&message); return ok; } // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - static bool pulse_is_likely_leader(const struct pulse *p) { return p->on >= 2048 && p->off >= 2048; } static void try_to_depulse(const struct str *code) { size_t len = 0; struct pulse *pulses = decode_learned(code, &len, NULL); if (!pulses) return; struct pulse *p = pulses, *end = p + len; while (p != end && pulse_is_likely_leader(p)) { p++; printf("Attempted pulse decode:\n"); uint8_t bits = 0, nibble = 0; for (; p != end && !pulse_is_likely_leader(p); p++) { nibble = nibble << 1 | (p->off > 2 * p->on); if (++bits == 4) { putchar("0123456789abcdef"[nibble]); bits = nibble = 0; } } putchar('\n'); } free(pulses); } static bool recv_learn(libusb_device_handle *device, struct str *data, struct error **e) { uint8_t buffer[64] = {}; int result = 0, len = 0; while ((result = libusb_bulk_transfer( device, g.endpoint_in, buffer, sizeof buffer, &len, 100))) { if (result != LIBUSB_ERROR_TIMEOUT) return error_set(e, "learn/recv: %s", libusb_strerror(result)); print_debug("learn/recv: %s", libusb_strerror(result)); } if (len < 6 || memcmp(buffer, c_learn, sizeof c_learn)) return error_set(e, "learn/recv: %s", "unexpected response"); // This field might only make sense for a later device, // because it doesn't always correspond with how much data we receive. // Nonetheless, it does match exactly often enough. size_t size = buffer[4] << 8 | buffer[5]; print_debug("learn: code size: %zu", size); str_append_data(data, buffer + 6, len - 6); dump_hex((const unsigned char *) data->str, data->len); while (data->len < size) { if (!(result = libusb_bulk_transfer( device, g.endpoint_in, buffer, sizeof buffer, &len, 100))) { dump_hex(buffer, len); str_append_data(data, buffer, len); print_debug( "learn: received %d (have %zu of %zu)", len, data->len, size); continue; } if (result != LIBUSB_ERROR_TIMEOUT) return error_set(e, "learn/recv: %s", libusb_strerror(result)); // The device seems to queue up its output with pauses. print_debug("learn/recv: %s", libusb_strerror(result)); } // As far as I know, this doesn't do anything, // and the device doesn't accept it while scanning infrared codes either. if ((result = libusb_bulk_transfer( device, g.endpoint_out, c_stop, sizeof c_stop, &len, 100))) return error_set(e, "learn/send: %s", libusb_strerror(result)); return true; } static bool send_learn(libusb_device_handle *device, struct error **e) { int result = 0, len = 0; if ((result = libusb_bulk_transfer( device, g.endpoint_out, c_learn, sizeof c_learn, &len, 100))) return error_set(e, "learn/send: %s", libusb_strerror(result)); printf("Reading remote control codes.\n"); printf("Press a remote control button from less than a centimeter.\n"); printf("The dongle may be unusable until it returns some data.\n"); // ... Resetting the device using libusb_reset_device() doesn't help then. printf("If the code fails to replay, retry the capture.\n"); struct str data = str_make(); bool ok = recv_learn(device, &data, e); if (ok) { printf("Full command:\n"); dump_hex((const unsigned char *) data.str, data.len); try_to_depulse(&data); } str_free(&data); return ok; } // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - static bool send_identify(libusb_device_handle *device, struct error **e) { uint8_t buffer[64] = {}; int result = 0, len = 0; while (!(result = libusb_bulk_transfer( device, g.endpoint_in, buffer, sizeof buffer, &len, 10))) /* Flush buffers. */; if ((result = libusb_bulk_transfer( device, g.endpoint_out, c_identify, sizeof c_identify, &len, 100))) return error_set(e, "identify/send: %s", libusb_strerror(result)); if ((result = libusb_bulk_transfer( device, g.endpoint_in, buffer, sizeof buffer, &len, 100))) return error_set(e, "identify/recv: %s", libusb_strerror(result)); // XXX: Sometimes, the device doesn't send any identification values. if (len != 6 || memcmp(buffer, c_identify, sizeof c_identify) || buffer[4] != 0x70 || buffer[5] != 0x01) return error_set(e, "device busy or not supported"); #if 0 // The EKX4S does not respond to this request. static uint8_t c_serial[] = { -5, -5, -5, -5 }; if ((result = libusb_bulk_transfer (device, g.endpoint_out, c_serial, sizeof c_serial, &len, 100))) return error_set (e, "serial/send: %s", libusb_strerror (result)); if ((result = libusb_bulk_transfer (device, g.endpoint_in, buffer, sizeof buffer, &len, 100))) return error_set (e, "serial/recv: %s", libusb_strerror (result)); if (len < (int) sizeof c_serial || memcmp (buffer, c_serial, sizeof c_serial)) return error_set (e, "serial retrieval failed"); #endif return true; } static bool run(libusb_device_handle *device, unsigned long frequency, bool nec, char **codes, size_t codes_len, struct error **e) { if (!send_identify(device, e)) return false; if (!codes_len) return send_learn(device, e); struct str code = str_make(); bool ok = true; for (size_t i = 0; i < codes_len; i++) { if (!read_hex(codes[i], &code)) { ok = error_set(e, "invalid hex string"); break; } size_t pulses_len = 0; struct pulse *pulses = nec ? encode_nec(&code, &pulses_len, e) : decode_learned(&code, &pulses_len, e); ok = pulses && send_transmit(device, frequency, pulses, pulses_len, e); free(pulses); if (!ok) break; wait_ms(100); } str_free(&code); return ok; } // --- Main -------------------------------------------------------------------- int main(int argc, char *argv[]) { unsigned long frequency = 38000; bool nec = false; static const struct opt opts[] = { {'d', "debug", NULL, 0, "run in debug mode"}, {'f', "frequency", "HZ", 0, "frequency (38000 Hz by default)"}, {'n', "nec", NULL, 0, "use the NEC transmission format"}, {'h', "help", NULL, 0, "display this help and exit"}, {'V', "version", NULL, 0, "output version information and exit"}, {0, NULL, NULL, 0, NULL}}; struct opt_handler oh = opt_handler_make(argc, argv, opts, "[COMMAND...]", "Transmit or receive infrared commands."); int c; while ((c = opt_handler_get(&oh)) != -1) switch (c) { case 'd': g_debug_mode = true; break; case 'f': if (!xstrtoul(&frequency, optarg, 10) || !frequency) exit_fatal("invalid frequency"); break; case 'n': nec = true; break; case 'h': opt_handler_usage(&oh, stdout); exit(EXIT_SUCCESS); case 'V': printf(PROGRAM_NAME " " PROGRAM_VERSION "\n"); exit(EXIT_SUCCESS); default: print_error("wrong options"); opt_handler_usage(&oh, stderr); exit(EXIT_FAILURE); } argc -= optind; argv += optind; opt_handler_free(&oh); // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #if LIBUSB_API_VERSION >= 0x0100010A const struct libusb_init_option option = { .option = LIBUSB_OPTION_LOG_LEVEL, .value.ival = LIBUSB_LOG_LEVEL_DEBUG, }; int result = libusb_init_context(NULL, &option, g_debug_mode); #else int result = libusb_init(NULL); #endif if (result) exit_fatal("libusb: %s", libusb_strerror(result)); libusb_device_handle *device = NULL; if (!device && !result) device = find_device( USB_VENDOR_SMTCTL, USB_PRODUCT_SMTCTL_SMART_EKX4S, &result); if (!device && !result) device = find_device( USB_VENDOR_SMTCTL, USB_PRODUCT_SMTCTL_SMART_EKX5S_T, &result); if (result) exit_fatal("couldn't open device: %s", libusb_strerror(result)); else if (!device) exit_fatal("no suitable device found"); struct error *e = NULL; if (!init_device(device, &e)) exit_fatal("%s", e->message); if ((result = libusb_claim_interface(device, USB_INTERFACE)) == 1) exit_fatal("couldn't claim interface: %s", libusb_strerror(result)); if (!run(device, frequency, nec, argv, argc, &e)) { print_error("%s", e->message); error_free(e); } if ((result = libusb_release_interface(device, USB_INTERFACE)) == 1) exit_fatal("couldn't release interface: %s", libusb_strerror(result)); libusb_close(device); libusb_exit(NULL); return 0; }