I want to solve remote control for a basically unknown air conditioner, hence I bought some tiny, cheap, standalone ESP8266-based 2.4 WiFi module called ESP_IR_TR_WIFI 303ESPIRTR3 from AliExpress, eBay or such. It can be used as an infrared repeater: one device puts a UDP broadcast packet from the IR receiver (NEC protocol) onto the WiFi LAN, and the other transmits it after receiving the UDP packet; at least it was said to work like that. Unfortunately there is not much info about the packet format, the firmware cannot be downloaded (or upgraded), and once the WiFi is set, no management web service is provided.
So you can simply live with the fact that you receive UDP packets, or you rewrite the firmware to some better managed and open source firmware.
But I want to know what the UDP structure is and how the device avoids loops, e.g. one receiver receives a signal, another relays it, and the other again puts it on the WiFi, making an infinite loop. I guess there should be some TTL, nonce or random value that is changed, or it stops after seeing the same data multiple times. Anyhow, this post is only to share that as a first step I downloaded the 4MB firmware from the ESP8266Ex or whatever to a file with esptool, and I share the binary here.
https://etl.hu/files/wp/boldi/irwifi.firmware.bin
The esptool was set to 4MB download after flash_info, meaning size 0x400000; the board has a 6-pin header area where I connected ground to the GPIO0 breakout and added USB-C power afterwards, so you can start esptool for downloading the firmware. (esptool was started from the Espressif IDF env, which is started from the start menu as the idf env 5.4 cmd prompt stuff after installing it; notes to myself, as usual)
Some captures of the traffic (UDP broadcast, port 9 (discard) to port 9, data begins with the "IR" magic):
device boot and data on serial:
—–$`-o-d*wm:AutoConnect
*wm:Connecting to SAVED AP: moomoo44
*wm:connectTimeout not set, ESP waitForConnectResult…
*wm:AutoConnect: SUCCESS
*wm:STA IP Address: 10.44.2.201
WiFi connect succcess!
IP address: 10.44.2.201
gateway address: 10.44.15.254
URL: http://www.baidu.com
Send GET request to URL: http://www.baidu.com
Server Response Payload:
UDP started
2A4C0280E86A2A4C0280E86A2A4C0280E86A2A4C0280E86A
20:33:16.312809 e0:98:06:a7:b5:2f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 10.44.2.201.9 > 255.255.255.2
    0x0000:  4500 0026 004e 0000 ff11 ae84 0a2c 02c9  E..&.N.......,..
    0x0010:  ffff ffff 0009 0009 0012 725c 4952 6ae8  ..........r\IRj.
    0x0020:  8002 4c2a 0000 0000 0000 0000 0000       ..L*..........
20:33:16.445385 e0:98:06:a7:b5:2f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 10.44.2.201.9 > 255.255.255.2
    0x0000:  4500 0026 004f 0000 ff11 ae83 0a2c 02c9  E..&.O.......,..
    0x0010:  ffff ffff 0009 0009 0012 725c 4952 6ae8  ..........r\IRj.
    0x0020:  8002 4c2a 0000 0000 0000 0000 0000       ..L*..........
20:33:20.118358 e0:98:06:a7:b5:2f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 10.44.2.201.9 > 255.255.255.2
    0x0000:  4500 0026 0050 0000 ff11 ae82 0a2c 02c9  E..&.P.......,..
    0x0010:  ffff ffff 0009 0009 0012 725c 4952 6ae8  ..........r\IRj.
    0x0020:  8002 4c2a 0000 0000 0000 0000 0000       ..L*..........
20:33:20.250597 e0:98:06:a7:b5:2f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 60: 10.44.2.201.9 > 255.255.255.2
    0x0000:  4500 0026 0051 0000 ff11 ae81 0a2c 02c9  E..&.Q.......,..
    0x0010:  ffff ffff 0009 0009 0012 725c 4952 6ae8  ..........r\IRj.
    0x0020:  8002 4c2a 0000 0000 0000 0000 0000       ..L*..........
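The first captured packet can be decoded offline to see how the payload lines up with the serial output. This is an added example, not code from the original post or from the device firmware; the function names are hypothetical, and the split into "IR" magic, six code bytes and a two-byte tail is an assumption read off this one capture.

```python
import struct

# Bytes copied from the first packet's hex dump above, starting at the IPv4
# header (tcpdump offset 0x0000); the trailing zeros are Ethernet padding.
FRAME_HEX = (
    "4500 0026 004e 0000 ff11 ae84 0a2c 02c9 "
    "ffff ffff 0009 0009 0012 725c 4952 6ae8 "
    "8002 4c2a 0000 0000 0000 0000 0000"
)
# Hex string from the serial console (printed four times in a row there).
SERIAL_HEX = "2A4C0280E86A"


def udp_payload(ip_packet: bytes) -> tuple[int, int, bytes]:
    """Return (src_port, dst_port, payload) of a UDP-in-IPv4 packet."""
    if ip_packet[0] >> 4 != 4 or ip_packet[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ip_packet[0] & 0x0F) * 4
    sport, dport, ulen, _csum = struct.unpack_from("!HHHH", ip_packet, ihl)
    # Trust the UDP length field, not the frame size: it excludes the padding.
    if ulen < 8 or ihl + ulen > len(ip_packet):
        raise ValueError("bad UDP length")
    return sport, dport, ip_packet[ihl + 8 : ihl + ulen]


def parse_ir_datagram(payload: bytes) -> dict:
    """Split a payload into magic / 6 code bytes / tail (assumed layout)."""
    if len(payload) < 8 or payload[:2] != b"IR":
        raise ValueError("missing 'IR' magic")
    code = payload[2:8]
    return {
        "code_wire": code.hex().upper(),            # byte order on the wire
        "code_reversed": code[::-1].hex().upper(),  # byte order reversed
        "tail": payload[8:].hex(),                  # meaning unknown
    }


def decode_capture() -> dict:
    sport, dport, payload = udp_payload(bytes.fromhex(FRAME_HEX))
    return {"sport": sport, "dport": dport, **parse_ir_datagram(payload)}


if __name__ == "__main__":
    print(decode_capture())
```

For this capture the six bytes after the magic, read in reverse order, equal the hex string the device prints on serial, and the UDP payload is 10 bytes long with a zero two-byte tail.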
binwalk irwifi.firmware.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
359620 0x57CC4 HTML document footer
361055 0x5825F HTML document header
417336 0x65E38 AES S-Box
417720 0x65FB8 Base64 standard index table
452824 0x6E8D8 SHA256 hash constants, little endian
458293 0x6FE35 PEM RSA private key
460293 0x70605 PEM certificate
930940 0xE347C SHA256 hash constants, little endian
937272 0xE4D38 AES Inverse S-Box
941624 0xE5E38 AES S-Box
942008 0xE5FB8 Base64 standard index table
977112 0xEE8D8 SHA256 hash constants, little endian
982581 0xEFE35 PEM RSA private key
984581 0xF0605 PEM certificate