Learn How to Reverse Engineer Sub-GHz Remotes for Home Assistant

A lot of “dumb” home appliances and devices use sub-GHz remote controls. My ceiling fans, for example, work with sub-GHz remotes instead of standard light switches. Wouldn’t it be nice if you could control those devices with Home Assistant? KeenOnTech has a great video that will walk you through how to do exactly that by reverse engineering sub-GHz remote codes.

This is a bit like recording the code from an infrared remote and replicating that with an IR blaster. Except sub-GHz remote transmissions can be a lot harder to decipher. They encode data much more densely and often use proprietary modulation schemes that aren’t easy to decipher.

Cian first attempted to reverse engineer the sub-GHz (433MHz) remote for his fireplace using a Flipper Zero, but found that it simply couldn’t record and replay the proper commands. So, he turned to a HackRF One SDR (Software-Defined Radio) gadget. With that and software called Universal Radio Hacker (UHR), he was able to look at the transmissions sent by the remote with each button press.

UHR has some handy tools for autodetecting modulation parameters and even deciphering command encoding. All Cian really wanted was to replay commands, so it wasn’t necessary to figure out all of the details and those tools were enough for the job.

But despite recording properly, Cian was unable to replay the commands through the Flipper Zero. It turns out the Flipper Zero was using an incompatible radio preset. By creating his own preset with the proper parameters, Cian was able to successfully transmit codes to control his fireplace with the Flipper Zero.

However, he still wanted to give Home Assistant the ability to do the same. That was actually the easiest part of the process and Cian pulled it off with an ESP32 development board paired with a CC1101 radio transmitter. Those went into a 3D-printed case and Home Assistant can control the DIY remote through MQTT.

If you happen to have the same fireplace as Cian, you can simply flash his code. But the real value of the video is for learning how to reverse engineer your own remotes.