EasterHegg Basel 2012 - Decoded the Zoom H4n remote control protocol!!!

(Update: I'm doing the same for the new Zoom H5 too.)

For the next 4 days I am at EasterHegg and reverse engineering the protocol spoken between the RC04 remote and the Zoom H4n audio recorder.
This posting is constantly being updated and rewritten with details as they come up.
  • Friday
  • So far no luck with the OpenBench logic sniffer. 
  • Can't figure out if the buffered inputs support 3.3V signals or only 5V signals. We are trying to verify this by connecting and disconnecting the on-board 3.3V supply to an input-pin to get a known signal.
  • But we are out of chocolate and coffee!!!
  • Saturday
  • I fetched my pocket-oscilloscope from home but forgot 2 cables.
  • Contacted "Nussgipfel" for an oscilloscope because he holds an oscilloscope workshop tonight. So he must have a working device. Hope to verify that the signal is 3.3V and count its frequency/bitrate to get the OpenBench to work on decoding it.
  • Hacked my pocket-Oscilloscope. Found a 5V signal (-0.5 to 4.5V and -1 to 4V) in the 600-800Hz range.
  • Decoded the signal
  • Batteries died while decoding the LED signals. Buttons are decoded.
  • Sunday
  • Trying to find Nussgipfel again to make screenshots of the undistorted waveforms and document my findings below.
  • Found a second signal being transmitted with >100ms delay after the first signal. Need help analysing it.
  • Checked the signal using a larger scope. Seems I had GND and signal confused on the small one. Low<->High. May be RS232 after all? With start and stop bits the signal checks out. 2,400 bps = 417 µs per bit seems to match our 0.4 ms per bit.
  • Taking a break to eat some fondue down in the huuuuuuge bunker below this building. Planning to use a larger logic analyser later.
  • ...
  • Monday
  • ...


The 4 connections between RC04 remote and H4n are labeled 3.3V, RX, TX and GND.

The single chip on the remote is labeled "D78f0500A".
It could be an NEC microcontroller µPD78f0500.
The number of pins and the pins connected to RX, TX and SCK seem to match.
The datasheet is in Korean but what I can make out is that this should be a 5MHz microcontroller that can run on 3.3V and 5V. No details from the datasheet cast any light on the strange encoding used (described below).

What I found out about the protocol being transmitted by the RC04 remote on the 2 lines "RX" and "TX" when certain buttons are pressed on the remote or the Zoom H4n lights up certain LEDs is as follows:


The protocol is RS232 at 3.3V with 2400bps 8n1.
The remote sends 2 sequences of 2 bytes with a small delay:
Record: 0x81 0x00 | 0x80 0x00
Play:   0x82 0x00 | 0x80 0x00
Stop:   0x84 0x00 | 0x80 0x00
ffwd:   0x88 0x00 | 0x80 0x00
rwd:    0x90 0x00 | 0x80 0x00
vol+:   0x80 0x08 | 0x80 0x00
vol-:   0x80 0x10 | 0x80 0x00
rec+:   0x80 0x20 | 0x80 0x00
rec-:   0x80 0x40 | 0x80 0x00
mic :   0x80 0x01 | 0x80 0x00
ch1 :   0x80 0x02 | 0x80 0x00
ch2 :   0x80 0x04 | 0x80 0x00

It receives a single byte that is a bitmask of the LEDs to light up:

? & 0x01 = record LED
? & 0x10 = MIC LED
? & 0x60 = CH1 + CH2 LED (0x20 + 0x40)
? & 0x20 = CH1 green
? & 0x40 = CH2 green
? & 0x04 = CH1 red 0x16?
? & 0x08 = CH2 red

? & 0x24 = CH1 yellow (red+green)
? & 0x48 = CH2 yellow (red+green)
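
The framing and the two tables above, put together as a decoder for a logic-analyser capture. This is an added example, not code from the original post. It assumes an idle-high logic-level line, reads the button bytes as bitmasks with bit 7 set only in the first byte (which goes beyond the single-button rows listed), and takes CH1 red as 0x04; all function names are made up for illustration.

```python
# Button bits from the post's table; reading them as a bitmask is an assumption.
BYTE0 = {0x01: "record", 0x02: "play", 0x04: "stop", 0x08: "ffwd", 0x10: "rwd"}
BYTE1 = {0x01: "mic", 0x02: "ch1", 0x04: "ch2", 0x08: "vol+",
         0x10: "vol-", 0x20: "rec+", 0x40: "rec-"}
# LED bits from the post's list (byte sent by the H4n to the remote).
LEDS = {0x01: "record", 0x10: "mic", 0x20: "ch1 green", 0x40: "ch2 green",
        0x04: "ch1 red", 0x08: "ch2 red"}

def encode_8n1(data, spb=4):
    """Constructed test signal: idle-high line, LSB first, spb samples per bit."""
    out = [1] * spb
    for byte in data:
        for b in [0] + [(byte >> i) & 1 for i in range(8)] + [1]:
            out += [b] * spb
    return out + [1] * spb

def decode_8n1(samples, spb=4):
    """Recover bytes from line samples, skipping glitches and bad stop bits."""
    out, i = [], 0
    while i + 10 * spb <= len(samples):
        mid = i + spb // 2               # sample every bit at its centre
        bits = [samples[mid + n * spb] for n in range(10)]
        if samples[i] == 0 and bits[0] == 0 and bits[9] == 1:
            out.append(sum(b << n for n, b in enumerate(bits[1:9])))
            i += 10 * spb                # start, 8 data and stop bit consumed
        else:
            i += 1                       # idle or bad frame: move on one sample
    return out

def decode_buttons(b0, b1):
    """Names of the buttons held in one 2-byte frame; [] means released."""
    if not b0 & 0x80 or b1 & 0x80:       # assumed marker: bit 7 set only in byte 0
        raise ValueError("not an RC04 frame: 0x%02x 0x%02x" % (b0, b1))
    return ([n for bit, n in BYTE0.items() if b0 & bit] +
            [n for bit, n in BYTE1.items() if b1 & bit])

def decode_leds(mask):
    """LEDs lit by one byte from the H4n; red+green on a channel reads as yellow."""
    lit = [n for bit, n in LEDS.items() if mask & bit]
    for ch, both in (("ch1", 0x24), ("ch2", 0x48)):
        if mask & both == both:
            lit = [n for n in lit if not n.startswith(ch)] + [ch + " yellow"]
    return lit

if __name__ == "__main__":
    line = encode_8n1([0x81, 0x00, 0x80, 0x00])   # constructed "Record" press
    data = decode_8n1(line)
    print([decode_buttons(*data[i:i + 2]) for i in range(0, len(data), 2)])
    print(decode_leds(0x25))
```

At a real capture rate, `spb` is the sample rate divided by 2400.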


Next step: implement this in an ATTiny13 using a softUart. Maybe use a CMOS 4019 / 4052 or MAX4619 to trigger something else too.
