Tom Clement Reverse Engineers Neewer's Wireless Light Controls to Ease Rapid Setup
From sniffing for radio traffic to attempting to dump the ROM, Clement outlines an exhaustive — and ultimately successful — process.
Developer Tom Clement has written up a project to reverse engineer the remote control of a popular photography and videography light — in order to speed up the setup process.
"Neewer makes decent light panels for photography, video, and streaming. Their flagship high-CRI [Color Rendering Index] temperature-adjustable NL660-2.4 panels are around half the price of an Elgato Key Light, and come with a wireless remote to control them," Clement explains. "The remote is also nice, but has one major pitfall: it doesn’t have a button to turn on the lights with their previous brightness setting. As I use my two panels at different angles and distances to my face, they each have their own ideal brightness."
The solution, then: Automating the setup process. To do this, though, Clement had to reverse engineer the 2.4GHz wireless remote that came with the lights — starting by finding standards testing documentation, which offers details about the precise frequency and modulation standard used.
The next step will be familiar to anyone who has attempted a similar project: Dismantling the remote to uncover an STMicro STM8 microcontroller and an SI24R1 radio — "a clone," Clement notes, "of the widely-used Nordic nRF24L01."
Clement tried scanning the radio spectrum for traffic without success, and turned to dumping the contents of the STM8 microcontroller — aided by the presence of an unpopulated SWIM-protocol debug header on the remote board. The protection fuse was set, however, and Clement was not eager to bypass it.
What next? Snooping the SPI bus. "Since all we want is to know the initialization details of the SI24R1 and the packet protocol," Clement writes, "dumping or changing the STM8 firmware is not really important. Instead, we can also simply listen in on the SPI bus that the STM8 uses to initialise the SI24R1 and send packet data."
That process proved a success, aided by the fact the remote retransmits the radio configuration details to the chip — and a few experimental button presses uncovered the most important parts of Neewer's remote control protocol. "I ordered a nifty Arduino Nano-compatible board with an NRF24L01 integrated on it (RFNano)," Clement writes, "and modified an example of the NRF24 library that cycles through Neewer brightness commands. After flashing, we’re greeted with a dimming room."
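To illustrate the kind of SPI decoding described above, here is an added example (not Clement's code) that turns captured MOSI bytes into the radio settings a compatible transmitter needs. It assumes the SI24R1 follows the nRF24L01+ command and register layout and that the capture is already split into one byte string per chip-select assertion; the sample bytes are constructed, not values from the Neewer remote.

```python
# Added example: decode nRF24L01+-style SPI transactions (layout assumed for the SI24R1 clone).
REGISTERS = {0x00: "CONFIG", 0x01: "EN_AA", 0x02: "EN_RXADDR", 0x03: "SETUP_AW",
             0x04: "SETUP_RETR", 0x05: "RF_CH", 0x06: "RF_SETUP", 0x07: "STATUS",
             0x0A: "RX_ADDR_P0", 0x10: "TX_ADDR", 0x11: "RX_PW_P0",
             0x1C: "DYNPD", 0x1D: "FEATURE"}
FIXED_COMMANDS = {0x61: "R_RX_PAYLOAD", 0xA0: "W_TX_PAYLOAD", 0xE1: "FLUSH_TX",
                  0xE2: "FLUSH_RX", 0xE3: "REUSE_TX_PL", 0xFF: "NOP"}

def decode_transaction(mosi: bytes):
    """Decode the MOSI bytes of one chip-select-framed transaction."""
    if not mosi:
        raise ValueError("empty transaction")
    cmd, data = mosi[0], mosi[1:]
    if cmd in FIXED_COMMANDS:
        return FIXED_COMMANDS[cmd], None, data
    if (cmd & 0xE0) in (0x00, 0x20):  # 000AAAAA = read, 001AAAAA = write
        op = "W_REGISTER" if cmd & 0x20 else "R_REGISTER"
        addr = cmd & 0x1F
        return op, REGISTERS.get(addr, f"REG_0x{addr:02X}"), data
    return f"UNKNOWN_0x{cmd:02X}", None, data

def summarize(transactions):
    """Reduce a capture to the radio settings a compatible transmitter needs."""
    radio = {"payloads": []}
    for mosi in transactions:
        op, reg, data = decode_transaction(mosi)
        if op == "W_TX_PAYLOAD":
            radio["payloads"].append(data.hex())
        elif op != "W_REGISTER" or not data:
            continue  # reads, flushes and NOPs carry no configuration
        elif reg == "RF_CH":
            radio["frequency_mhz"] = 2400 + (data[0] & 0x7F)
        elif reg == "RF_SETUP":
            low, high = data[0] & 0x20, data[0] & 0x08  # RF_DR_LOW, RF_DR_HIGH
            radio["data_rate"] = "250kbps" if low else "2Mbps" if high else "1Mbps"
        elif reg == "SETUP_AW":
            radio["address_width"] = (data[0] & 0x03) + 2  # 01/10/11 -> 3/4/5 bytes
        elif reg == "TX_ADDR":
            radio["tx_address"] = data[::-1].hex()  # sent least significant byte first
        elif reg == "CONFIG":
            radio["crc"] = ("2 bytes" if data[0] & 0x04 else "1 byte") if data[0] & 0x08 else "off"
    return radio

# Constructed sample capture (not values from Clement's remote).
SAMPLE_CAPTURE = [bytes.fromhex(h) for h in (
    "200e", "2303", "2528", "2606", "300504030201", "e1", "a0010203", "ff")]
```

Because the remote rewrites its configuration registers on each button press, a short capture is enough for `summarize` to recover the channel, data rate, address and CRC mode alongside the payload bytes.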
Full details on the project are available on Clement's blog, In The Name of Science, while the source code for the project has been uploaded to GitHub as a gist.
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.