Brute forcing IR remote

09.09.2012 19:24

I have an old Sony CMT-CP11 Hi-Fi that drives a pair of speakers in my living room. I use it to listen to the radio, CDs and everything sound-related my desktop computer outputs. If I remember correctly it will soon be 12 years old and it has aged incredibly well. I've only opened it up once, to make a backup battery hack so that I don't need to reprogram the radio stations each time power goes out.

It has one annoyance though. While it has two auxiliary audio inputs, it only allows switching to them by pressing a button on the front panel. Otherwise most other functions can only be activated from the infra-red remote control. That's unfortunate because it's preventing me from having a script on my desktop that sets everything up automatically when I want to listen to the audio from the computer on the Hi-Fi speakers.

I was thinking that maybe the Hi-Fi component actually implements a command for switching on the auxiliary input but whoever designed the remote control ran out of buttons or something like that. A bit of searching on the web quickly turned up a description of the physical protocol and a collection of codes used by Sony equipment.

After recording and inspecting the codes transmitted by my remote control it turned out that most buttons produce the 12-bit variant of the code with a few buttons using 20-bit codes. While the codes matched their functions as recorded at the site linked above, unfortunately none of the codes listed there for switching on the auxiliary inputs produced any response on my Hi-Fi.

Perhaps it is using some code that is not listed? 12 bits make for 4096 possible codes. That's not out of reach of a brute force search: with 5 seconds per try that comes to around 6 hours. I chose a 5 second delay because for input switching that's how long it takes between a command being sent and the audio output actually appearing on the speakers (plus some error margin).

Of course, I didn't want to spend 6 hours in front of the Hi-Fi, listening for whether the correct output was playing. Therefore I hacked up a simple automatic detector. I made the computer connected to the auxiliary input play a continuous 600 Hz tone (simply using Audacity's Generate -> Tone function and looped playback). On the other end, a laptop running the IR code brute forcing had its line input connected to the headphones output and detected the tone.

[Figure: Brute force search for IR codes on a Sony CMT-CP11]

Not wanting to lose too much time with filters or anything fancy, I simply took a Fourier transform of the signal and compared the mean amplitude in the band around 600 Hz with the complete spectrum (excluding the DC component). This turned out to work well enough for this purpose, although I did get a few false positives when the radio was playing. But those were simple to filter out since they were limited to a few samples while a genuine switch would give a continuous detection:

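import numpy

# samples is an array of 2048 16-bit samples from ALSA
w = numpy.abs(numpy.fft.rfft(samples))

# mean amplitude in the band around 600 Hz
signal = w[30:32].mean()
# mean amplitude of the complete spectrum, excluding the DC component
noise = w[1:].mean()

if signal/noise > 100:
    # success! detected the 600 Hz signal ...
    print("600 Hz tone detected")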
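An added example, not code from the original post: the same detector extended with the "continuous detection" rule described above, so that an isolated positive frame is ignored and only a run of consecutive positives counts as a switch. The 40 kHz sample rate, the three-frame run length, the helper names and the synthetic frames are assumptions made for this example.

```python
import numpy

RATE = 40000      # assumed sample rate; it puts 600 Hz between FFT bins 30 and 31
FRAME = 2048      # samples per frame, as in the post
THRESHOLD = 100   # signal/noise ratio from the post
MIN_RUN = 3       # assumed: consecutive positive frames that count as a real switch


def tone_ratio(samples):
    """Mean amplitude around 600 Hz relative to the whole spectrum (no DC)."""
    w = numpy.abs(numpy.fft.rfft(samples))
    noise = w[1:].mean()
    if noise == 0:            # digital silence: avoid dividing by zero
        return 0.0
    return w[30:32].mean() / noise


def confirmed_at(frames, threshold=THRESHOLD, min_run=MIN_RUN):
    """Index of the frame completing min_run consecutive detections, or None."""
    run = 0
    for i, frame in enumerate(frames):
        run = run + 1 if tone_ratio(frame) > threshold else 0
        if run >= min_run:
            return i
    return None


def make_frame(freqs, amplitude=8000):
    """Constructed test input: one frame of 16-bit samples mixing the given tones."""
    t = numpy.arange(FRAME) / RATE
    x = sum(numpy.sin(2 * numpy.pi * f * t) for f in freqs)
    return numpy.round(amplitude * x).astype(numpy.int16)


# Constructed recordings; "radio" is a stand-in for programme audio.
radio = make_frame([220, 1000])
tone = make_frame([600])
silence = numpy.zeros(FRAME, dtype=numpy.int16)

blip = [radio, tone, radio, radio, tone, radio]        # isolated false positives
switched = [radio, silence, tone, tone, tone, tone]    # input actually switched

if __name__ == "__main__":
    print("radio ratio:", round(tone_ratio(radio), 1))
    print("tone ratio:", round(tone_ratio(tone), 1))
    print("blip confirmed at:", confirmed_at(blip))
    print("switched confirmed at:", confirmed_at(switched))
```

In a search loop, the delay per code has to cover at least `MIN_RUN` frames of audio after the input has settled, otherwise a genuine switch cannot be confirmed before the next code is sent.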

In the end, this exercise wasn't successful. I failed to find any 12-bit codes that would switch to the auxiliary inputs. I also tried all combinations of 20-bit codes with the 12-bit device prefixes I saw transmitted by the remote control (the complete 20-bit space is a bit too much for an exhaustive search). I did find out that such brute force testing makes my (also Sony) TV go crazy, so I had to unplug it while the test was running.

I guess if I still want to be lazy and not get up to press the button, the only solution left would be to hack together something that would press the button for me. Like a microcontroller that would hook up to the IR receiver in the Hi-Fi, recognize the code that isn't recognized by the Hi-Fi itself, and simulate a pressed key. On second thought, while it might be a fun hack, I don't think I'm lazy enough to attempt that.

Posted by Tomaž | Categories: Code


This blog is so epic. :D


This is a very old post, but a few hours ago I was wondering about hacking this old hifi to put something like a Pi inside (add bluetooth or volumio or many ideas...). Then I found your post.

A few years ago, I had exactly the same goal, to add the capability to remotely command the audio input, but I didn't find the IR code either.

In the end, did you achieve anything else (funky or funny project) with this Hifi?

Thank you,

Posted by Hugo

Hugo, no unfortunately not. The only modification I did to this Hi-Fi was to replace the supercapacitor that was used to hold radio station memory with a small NiMH battery and charge circuit. At the time I often unplugged the Hi-Fi and quickly got tired of constantly having to set up stations.

The Hi-Fi worked well for almost 20 years. I'm still using the speakers that came with the system, but the electronics broke down around 2 years ago and I wasn't able to fix it. The mains transformer died - either a break in the primary windings or the embedded thermal fuse blew. I couldn't get a replacement part. Even before that, the remote died - the PCB fell apart, probably because the batteries leaked at some point, so I have even less motivation to fix it. It's now sitting in a corner and waiting for me to figure out what to do with it.

Posted by Tomaž
