SkyNet Protection Reverse Engineering infrared RC Devices Project

SkyNet Protection

Reverse Engineering infrared RC Devices Project

Team Members: Kirill Rogachevsky, Hilal Hamam and Nir Rosen

1. Introduction

SkyNet Protection is an RE (Reverse Engineering) Project, which deals with the challenge of cracking the protocols of RC (Remote-Control) Helicopters.

In this project we have carried out the process of cracking two different models of RC Helicopters: from the point of disassembling the controller, to the point of transmitting commands to the RC Helicopter.

In addition, we managed to build a complete guide for cracking Remote-Control Helicopters / Quadcopters, describing the entire process in detail.


2. First Step: The Mini Syma S6 Helicopter: Reversing the IR Control Protocol

In this section we will describe in detail the process of cracking the S6 protocol.

(2.a) Recording the IR transmission. Our recording gear:

  * IR receiver.
  * Arduino Uno board.
  * Logic analyzer system.


(2.b) We have assembled our recording gear in the following manner:

(2.c) and recorded the remote control's various states:

(2.d) We compared frames between different recordings and performed a thorough analysis of each frame:

(2.e) We now know exactly which functionality each bit of the frame is responsible for and are ready to move to the next step →

  * Programming Arduino code to simulate a remote-control transmission.

Click here to view the transmission code.

  * We uploaded the code onto the Arduino with an IR LED transmitter:
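The steps above (record the pulse train, compare recordings taken with one control moved, map the changed bits to that control, then replay the timings through an IR LED) are shown end to end below as an added example. This is not the project's own Arduino sketch, and it applies equally to the Lutema in the next section: the header/bit timings, the 16-bit frame layout and the "throttle in bits 8..15" field are assumptions for illustration, and the captures are constructed, not real recordings of the S6.

```cpp
// Added example, not the project's own Arduino sketch. Decodes a captured IR
// pulse train into bits, diffs two captures to locate the field a control
// moved, and re-encodes bits into the mark/space timings a transmitter drives.
// All timings and the frame layout are ASSUMED for illustration; the real
// Syma S6 / Lutema values come from the logic-analyzer recordings.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// One mark/space pair as seen on the receiver output, in microseconds.
struct Pulse { uint32_t mark; uint32_t space; };

// Assumed pulse-distance encoding: a 2000/2000 us header, then each bit is a
// 300 us mark followed by a 300 us space ('0') or a 700 us space ('1').
const uint32_t HEADER_MARK = 2000, HEADER_SPACE = 2000;
const uint32_t BIT_MARK = 300, ZERO_SPACE = 300, ONE_SPACE = 700;
const uint32_t TOLERANCE = 100;  // real captures jitter; classify by window

static bool within(uint32_t got, uint32_t want) {
    return got + TOLERANCE >= want && got <= want + TOLERANCE;
}

// Transmit side: the timing list a sketch would replay through the IR LED.
std::vector<Pulse> encodeFrame(const std::string& bits) {
    std::vector<Pulse> out;
    out.push_back({HEADER_MARK, HEADER_SPACE});
    for (char b : bits)
        out.push_back({BIT_MARK, b == '1' ? ONE_SPACE : ZERO_SPACE});
    return out;
}

// Receive side: bit string, or "" when the header or any bit is malformed.
std::string decodeFrame(const std::vector<Pulse>& p) {
    if (p.empty() || !within(p[0].mark, HEADER_MARK) || !within(p[0].space, HEADER_SPACE))
        return "";
    std::string bits;
    for (size_t i = 1; i < p.size(); ++i) {
        if (!within(p[i].mark, BIT_MARK)) return "";
        if (within(p[i].space, ZERO_SPACE))      bits += '0';
        else if (within(p[i].space, ONE_SPACE))  bits += '1';
        else return "";
    }
    return bits;
}

// Step (2.d): bit positions that differ between two recordings taken with a
// single control moved; those positions are that control's field.
std::vector<size_t> diffFrames(const std::string& a, const std::string& b) {
    std::vector<size_t> changed;
    for (size_t i = 0; i < a.size() && i < b.size(); ++i)
        if (a[i] != b[i]) changed.push_back(i);
    return changed;
}

// Read an MSB-first unsigned field once its position is known.
unsigned fieldValue(const std::string& bits, size_t start, size_t len) {
    unsigned v = 0;
    for (size_t i = start; i < start + len && i < bits.size(); ++i)
        v = (v << 1) | (unsigned)(bits[i] - '0');
    return v;
}

// Constructed capture (not a real recording): 8 assumed fixed bits followed by
// an assumed 8-bit throttle field, with +40/-30 us jitter added to every pulse.
std::vector<Pulse> sampleCapture(unsigned throttle) {
    std::string bits = "01100000";
    for (int i = 7; i >= 0; --i) bits += ((throttle >> i) & 1) ? '1' : '0';
    std::vector<Pulse> p = encodeFrame(bits);
    for (Pulse& x : p) { x.mark += 40; x.space -= 30; }
    return p;
}

int main() {
    std::string idle = decodeFrame(sampleCapture(0));
    std::string up   = decodeFrame(sampleCapture(100));
    std::printf("idle: %s\nup:   %s\nchanged bits:", idle.c_str(), up.c_str());
    for (size_t i : diffFrames(idle, up)) std::printf(" %zu", i);
    std::printf("\nthrottle field = %u\n", fieldValue(up, 8, 8));
    return 0;
}
```

The tolerance window matters in practice: receiver modules stretch marks and shorten spaces by tens of microseconds, so classifying by exact equality would reject real captures. Once the changed positions are known, `fieldValue` reads the control's value and `encodeFrame` produces the list a transmitter sketch replays with the carrier switched on for each mark.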




3. Second Step: The Lutema Avatar Hovercraft

In this section we will describe how we managed to apply our experience from the first RE challenge to the Lutema Hovercraft.

We applied our experience, following the same IR reverse-engineering procedure:

  * We assembled the recording gear.
  * We recorded the remote control signal.
  * We decoded the recorded frames according to the various states of the remote control.


(3.a) Our recording table of the remote control states:


(3.b) The frames we recorded:


(3.c) The decoding of the frame:


  * note: We left the checksum calculation to future work.


(3.d) We recycled the transmission code of the Syma, and adjusted it for the transmission of the Lutema.

Click here to view the transmission code.
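The note above leaves the Lutema checksum to future work. A cheap first pass a practitioner would run over the recorded frames is shown below as an added example (not the project's code): test a handful of common checksum candidates against every recording and keep only those that match all of them. The frames here are constructed with an XOR check byte so the search has something to find; nothing about the real Lutema checksum is claimed, and the assumption that the check byte is the last byte of the frame is just that, an assumption.

```cpp
// Added example, not the project's code. When a decoded frame has a byte that
// no control explains, test common checksum candidates against every recorded
// frame: a candidate that matches all of them is a strong hypothesis, and one
// that matches only some is ruled out. The frames below are CONSTRUCTED with
// an XOR check byte; the real Lutema checksum was left to future work, so
// nothing here claims its form. Assumption: the check byte is the last byte.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Frame;

// Candidate functions over the data bytes (all bytes except the check byte).
static uint8_t sumMod256(const uint8_t* d, size_t n) {
    unsigned s = 0; for (size_t i = 0; i < n; ++i) s += d[i]; return (uint8_t)s;
}
static uint8_t xorAll(const uint8_t* d, size_t n) {
    uint8_t x = 0; for (size_t i = 0; i < n; ++i) x ^= d[i]; return x;
}
static uint8_t negSum(const uint8_t* d, size_t n) {   // sum + check == 0 mod 256
    return (uint8_t)(0u - sumMod256(d, n));
}
static uint8_t invSum(const uint8_t* d, size_t n) {   // ones' complement of sum
    return (uint8_t)~sumMod256(d, n);
}

struct Candidate { const char* name; uint8_t (*fn)(const uint8_t*, size_t); };
static const Candidate CANDIDATES[] = {
    {"sum", sumMod256}, {"xor", xorAll}, {"negsum", negSum}, {"invsum", invSum},
};

// Names of candidates whose value equals the last byte of every frame.
std::vector<std::string> matchingChecksums(const std::vector<Frame>& frames) {
    std::vector<std::string> hits;
    for (const Candidate& c : CANDIDATES) {
        bool all = !frames.empty();
        for (const Frame& f : frames) {
            if (f.size() < 2 || c.fn(f.data(), f.size() - 1) != f.back()) { all = false; break; }
        }
        if (all) hits.push_back(c.name);
    }
    return hits;
}

// Constructed recordings (three remote states). Data bytes are arbitrary;
// the check byte is appended as XOR of the data bytes.
std::vector<Frame> sampleFrames() {
    std::vector<Frame> out;
    const uint8_t data[3][4] = {{0x80, 0x40, 0x00, 0x0f},
                                {0x7f, 0x40, 0x10, 0x05},
                                {0xff, 0x01, 0x02, 0x03}};
    for (const auto& d : data) {
        Frame f(d, d + 4);
        f.push_back(xorAll(d, 4));
        out.push_back(f);
    }
    return out;
}

int main() {
    std::vector<Frame> frames = sampleFrames();
    // With a single frame several candidates can collide (frame 0: sum == xor
    // because none of its data bytes share set bits); more recordings disambiguate.
    std::vector<Frame> one(frames.begin(), frames.begin() + 1);
    std::printf("one frame:");
    for (const std::string& n : matchingChecksums(one)) std::printf(" %s", n.c_str());
    std::printf("\nall frames:");
    for (const std::string& n : matchingChecksums(frames)) std::printf(" %s", n.c_str());
    std::printf("\n");
    return 0;
}
```

The point of the single-frame run is the check a practitioner wants before trusting a result: one recording matches both "sum" and "xor", and only the additional recordings with carries and overlapping bits narrow it to one. If no candidate survives, the byte may be a CRC, a counter, or not a checksum at all, and the list of candidates grows from there.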


4. Third step: Writing the guide

    IR Devices Reverse Engineering: HowToDo Booklet


(4.a) We gathered and ordered all the knowledge gained during our work on the project and . . .

(4.b) created a user-friendly HowToDo step-by-step guide on the subject of IR device reverse engineering.

You can download the booklet here.

