
Etekcity ZAP 3L remote power outlet: teardown and analysis


Posted on July 1, 2020 by Vincent Mallet

In this post I will be taking a look inside the ZAP 3L remote switch outlets
and their remote control, roughly describe the circuits involved and look at
how the communication protocol works. The tech involved is pretty simple
(mains-powered radio receiver & decoder) yet I learned plenty about power
supply design, safety, and radios. These plugs seem to still be popular
on Amazon despite the proliferation of “smart” plugs with wifi and
google/siri/alexa support. Let’s dive in!

The devices

These are Etekcity’s ZAP 3L Remote Outlet Switch: a simple remote-control
outlet with an on/off remote, operating via radio over the common
433.92MHz frequency (car key fobs, garage door openers, etc). You press ON
and the outlet turns on, press OFF and it turns off; pretty straightforward
operation!

Basic listed specs:

• 120V AC / 60Hz
• 10A max load (1200W max)
• Frequency: 433.92Mhz
• 100ft range in line of sight

The model number at the back of the switch is 10-BH9938U. A quick search
and we can see what the FCC knows about these devices: FCC ID Q92-BH9938U
for the outlet and FCC ID Q92-BHOP for the remote (although the
remote at the FCC doesn’t use the same HS2260A chip). The FCC application
was submitted by NINGBO BAIHUANG ELECTRIC APPLIANCES CO., a
company based in China. It’s fair to say that “Etekcity” works better for the
US market.

No fanfare here. My package came with three outlets and one remote as
pictured below.

Front of the packaging


Back of the packaging
Inside the box: three plugs, a remote control and its battery

The plug has a button on the side to be able to turn it on or off manually,
and to learn a specific code from a remote or to reset the programming
completely.
Side view of the outlet with the on/off/program button

Teardown: plug
The journey begins by removing the two screws at the back. The situation is
made slightly more complicated by the use of three-prong safety screws, as
required by the design of the power supply which we’ll talk about later on.
With the right tool though it’s no different than a normal screw.

A safety screw and the uncommon three-prong tip that goes with it

Once open we see a seemingly very simple design: a small circuit with just a
few components and a couple of wires to connect it to the outlet’s prongs.
Inside the plug

The circuit’s PCB is held to the case by two little Phillips screws (you can see
them in the photo above, right above the yellow capacitor and on the right
of the blue relay). After removing these two screws the circuit and the
prongs pop right out of the enclosure and we can start taking a closer look
at how it works. The outlet lets the Ground and Neutral prongs go straight
through, and switches the Live (Hot) prong with a standard 10A relay.
The PCB and the prongs out of the plastic case. Visible are all the top
through-hole components: a fuse, the relay, a push-button, a resistor, an X2
capacitor (yellow), two electrolytic capacitors, an LED, a spring antenna, and
the radio PCB.
Detail of the prongs where we can clearly see the Hot prong not being a
pass-through

The circuit is on a single-sided PCB with a few big through-hole components
on top, and a few surface-mount components on the bottom (which is the
copper-side of the PCB). One of the “components” is another tiny PCB
labeled “RX-480R” mounted at a right-angle with simple 0.1″ headers. As
we’ll see a bit later, the little PCB is the radio receiver for the module.
Copper-side of the PCB: a bunch of passives, a Zener diode, a bridge
rectifier, a voltage regulator, a transistor, and an unknown MCU
The little RX-480R PCB for the 433Mhz radio receiver

Outlet PCB: look ma, no transformer!

Circuit Analysis

This is where things get interesting. At first glance the circuit seems like
nothing special but looking deeper I realized all the usual power supply
suspects were nowhere to be found. No transformer? No switching
controller? How does this thing pull some low-voltage DC from the mains?

The answer: A Transformerless Power Supply (TPS), something apparently
reasonably common in those tiny mains-powered devices. I found two
resources that were really helpful in understanding the theory:

• This great article on Hackaday which gives a really good overview and
  puts a good emphasis on the safety aspect of such a thing: The
  Shocking Truth About Transformerless Power Supplies
• A detailed design note from Designer Circuits: Transformerless Power
  Supply Design (pdf) which digs a bit more into the theory of TPS

The main takeaway here is that it is possible to design very cheap, tiny, and
reasonably efficient mains-powered power supplies without using a
transformer. But without a transformer none of the circuit is isolated from
the mains and it can be extremely dangerous to work with: a hiccup
anywhere and it will fry your equipment and kill you in your lab. These
designs are only suitable when the device is going to be completely enclosed
and isolated with no means of touching or connecting to the insides (like this
outlet, or a smart lightbulb, etc). That’s why they put those safety screws on
the device: don’t poke inside!

Back to our circuit. Now that we have a sense of how the power situation
might work, let’s dive into the specifics, including a reverse-engineered
schematic.

The components on the main PCB are:

• Relay: Shenghaiwai JQC-3FF-1A-24VDC: The relay doing the hard work
  switching the 120V circuit on/off. (Here’s some info about a similar but
  not quite the same relay: datasheet PDF). The nominal voltage for the
  solenoid is 24VDC and the relay can in theory pass 10A@250VAC or
  15A@125VAC
• R1: in-rush limiting resistor, 46Ohms 5%
• C1: mains series capacitor, X2 rated: MKP-X2, 0.68uF 305V. Info for a
  similar capacitor: datasheet PDF
• F1: mains fuse, Thermal Cut-Off (TCO) Aupo A2-10A-F, 115F
• C2: 220uF 35V Electrolytic
• C3: 220uF 10V Electrolytic
• R2, R3: 300K SMD
• R5: 2K SMD
• R6: 4K7 SMD
• ZD1: 24V Zener Diode
• Q1: NPN Transistor in a SOT-23 package, markings “J6”, a S9014 (pdf)
  maybe? It drives the solenoid of the relay
• U1: Full-bridge rectifier with “MB10S” markings similar to the ON Semi
  MB10S (pdf)
• U2: 78L05 LDO 5V voltage regulator (similar to ST’s 78L series, pdf)
• U3: The unknown MCU driving the switch. 5V power on Pin 1, GND on
  Pin 8

Markings on the main PCB:

• Top: BH9938-L
• Bottom: 1H01571A1

I desoldered the ZD1 Zener diode so I could measure its Zener voltage
off-line: 24V

With that out of the way let’s look at the schematics I recreated by tracing
the circuit (which means, it might be incorrect in more than one way):
Reverse-engineered schematics for the main PCB (click for a larger view)

C1, U1, C2, and ZD1 make up the basis of the transformerless
power supply, providing about 24V DC to the system. R1 limits the in-rush
current going into C1 when we plug it in, to avoid tripping the (most-likely)
15A breaker on the circuit and to reduce the chances of seeing nice sparks
too. R2 and R3 in series form a 600K bleeder resistor to drain C1 once
unplugged, so C1 doesn’t stay charged with a high voltage once
disconnected.

The 24V DC power serves two purposes: it is used to energize the relay’s coil
(driven by Q1), and it is fed into the U2 voltage regulator that produces a
more predictable 5V supply for the rest of the system. The MCU and the
radio receiver both run on 5V.

The unknown MCU has 6 pins that might be GPIOs. One is for driving the
LED on/off, one is for receiving data from the radio receiver, one is for
driving the base of Q1 (to then drive the relay), and one is to read the
push-button switch. Two pins remain unconnected.

The radio receiver is quite straightforward too, with one chip taking care of
pretty much everything:
A closer look at the RX-480R radio receiver PCB and its spring antenna on
the right

The main chip on the RX-480R receiver PCB is a Synoxo SYN480R
300-450Mhz ASK Receiver (pdf) configured with the 6.7458Mhz crystal and a few
passives to run at 433.92Mhz. It has a 4-pin header: GND, DATA, VCC (5V),
and ANTenna.

The reverse-engineered schematic looks like this:

Not too much to write about here, this is pretty much the same as the
reference design they have in the SYN480R datasheet.

Teardown: Remote

The remote is simple and light. It can control four plugs either individually or
all at once.

Front and back views of the remote. It can control 4 plugs individually or all
at once.

Inside the 23A battery tray are two little screws. With the screws removed
everything comes apart nicely.
Exploded view of the ZAP remote

What we care most about is the circuit, let’s take a closer look:
Front of the remote’s PCB. Real buttons! And the 433.92Mhz SAW resonator
Back of the remote’s PCB with the main HS2260A-R4 encoding chip

The remote’s PCB has 10 physical push-buttons on one side along with a
433.92Mhz SAW resonator and an LED, and the other side has the main
HS2260A-R4 encoding chip with a bunch of passives, and a trace antenna.

Remote’s circuit analysis

The main (and only) chip is a HuaXin HS2260A-R4  Remote Control Encoder.
There are 20 diodes, a bunch of passives, one transistor, and a resonator.
How does it all work?

The HS2260A datasheet is not very helpful (it being pretty light, and all in
Chinese...) but with a bit of magic translation fu we see it is compatible with
another part, Princeton Technology PT2260 Remote Control Encoder (PDF)
and that datasheet is a bit more helpful. (I wish I had known that before
tackling the Protocol section further on; live and learn).
Reverse-engineered schematics for the ZAP remote’s PCB

The first thing to notice is that there is absolutely no power regulation going
on here; the battery directly feeds 12V to the chip with just one bypass
capacitor (C8). I don’t know if the chip could survive having the battery
reversed and there is nothing in the battery holder to prevent it from
happening. Hmm..

The encoder

The chip has 8 address lines A0->A7 and 4 data pins, D0->D3. The chip is
always powered on and goes straight to idle mode, consuming almost no
power. As soon as the chip notices one of the 4 data pins going high, it starts
pulsing its encoded data on its DOUT pin. By doing so it activates the
transmitter section which pushes power through the antenna. In this
application, the chip has 5 of its 8 address lines (A0->A4) used for the
pre-configured “channel” and three address lines (A5, A6, A7) used as data.
Each button is tied to +12V on one side and to two of the 7 data pins
(D0->D3, A5->A7) through a bunch of protection diodes. 5 of the pins are to
indicate which plug to act on (1, 2, 3, 4, or ALL), and two of the pins are to
convey the ON (D0) or OFF (D1) state.

The transmitter

The 433.92Mhz transmitter is a bit beyond my understanding here, but it
seems to be of a reasonably common design. Its three main components are
the Surface-Acoustic-Wave (SAW) resonator (similar to this one: RFM
RO3101 (pdf)), an RF transistor (markings “R25”, possibly a Renesas
2SC3356 (pdf)), and a trace antenna. Pulses on the DOUT pin of the main
chip will drive the RF transistor to in turn drive 433.92Mhz pulses out for the
receiver to retrieve on the other end.

A look at the protocol


Using the Saleae Logic Analyzer to peek at the encoded signal

I spent some time looking at the encoded signal coming out of the DOUT pin
of the encoding chip to figure out the protocol used between the remote
and the plugs and it’s only once it all made sense that I discovered the
PT2260 datasheet which explains a good part of it… Anyways, let’s take a
look.

I plugged the Saleae Logic Pro 8 logic analyzer onto the DOUT pin (Pin 15)
and recorded a button press. DOUT is conveniently kept at 0V when idle so
any activity on DOUT would be very visible. DOUT swings between 0V and
12V and luckily the Logic Pro’s inputs can tolerate the 12V high so we are in
business.
DOUT activity for a short button press: 7 bursts of ~18ms each

Ok that looks promising. One short button press (“click!”) on the remote
resulted in 7 bursts of activity on DOUT. Zooming in a bit and we see
something we might be able to work with: regular pulses, long and short, in
repeating bursts.

Groups of long and short pulses, repeated 2 times here (7 times total)

One of the 7 bursts. Each pulse is ~0.75ms for a frequency of 1.343kHz. 25
pulses in a burst.

By counting the short pulses as 0s and long pulses as 1s (and ignoring the
last bit which might be a stop pulse of sorts), we can get a useful
representation of the burst. For this example we get:

0000 0001 0001 0101 0011 1100 (Button 2, “1 OFF”)

After analyzing the data for the 10 buttons, clear patterns started to emerge
as to which input line affected which parts of the 24 bits. And after
discovering the datasheet for the PT2260 compatible chip, it became even
clearer…

The 24 bits represent the state of the 12 input pins, 2 bits per pin to support
the address pins that can have three states (High, Low, or left floating). The
D0 through D3 data pins are either High or Low, and have internal
pull-downs to make them Low if they are left floating.

• 0 -> “00”
• 1 -> “11”
• floating -> “01”

The 12 pins are transmitted in order, as such:

A0 A1 A2 A3 A4 A5 A6 A7 D0 D1 D2 D3

For example when we press Button 2 “1 OFF” which uses D1 and D2, the
remote sends:

• Pre-configured address A0 -> A4 (0, 0, 0, F, 0) -> 00 00 00 01 00
• A5, A6, A7 left floating: F, F, F -> 01 01 01
• D0 Low (floating), D1 High, D2 High, D3 Low (floating) -> 00 11 11 00
• => 0000 0001 0001 0101 0011 1100

Here’s a recap of which lines go High when a given button is pressed, based
on our schematics:

          A5   A6   A7   D0
1 ON                     H
1 OFF
2 ON                     H
2 OFF
3 ON                H    H
3 OFF               H
4 ON           H         H
4 OFF          H
ALL ON    H              H
ALL OFF   H

The remote buttons mapped to the input lines of the HS2260A chip

When a button is pressed the remote sends two pieces of information: which
plug to act on (1 through 4, or ALL) and whether to turn these ON or OFF.
Each of the 7 input pins maps to a specific bit of information:

• A5: ALL outlets
• A6: Outlet 4
• A7: Outlet 3
• D0: TURN ON
• D1: TURN OFF
• D2: Outlet 1
• D3: Outlet 2

Lastly, the datasheet tells us the HS2260A will start transmitting as soon as it
sees a High on one of the four data pins. When that happens it starts
sending the 24 bits for the 12 states and waits for a short time (about 5ms in
our case). If when it’s done waiting one of the data pins is still High, it will
start sending the whole 24 bits again. Hence why we see many bursts for a
single button press; and if we kept the button pressed it would keep sending
the same sequence over and over again.
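
The decoding rules above, pulled together as a small Python decoder. This is an added example, not code from the original post; the function names and the midpoint pulse threshold are assumptions, and the pulse widths in the demo are constructed.

```python
# Added example: decode one ZAP remote burst using the rules from this post.
PIN_ORDER = ["A0", "A1", "A2", "A3", "A4", "A5", "A6", "A7",
             "D0", "D1", "D2", "D3"]
PAIR_TO_STATE = {"00": "0", "11": "1", "01": "F"}  # F = floating
OUTLET_PINS = {"A5": "ALL", "A6": "4", "A7": "3", "D2": "1", "D3": "2"}
ACTION_PINS = {"D0": "ON", "D1": "OFF"}
SAMPLE_FRAME = "0000 0001 0001 0101 0011 1100"  # the post's "1 OFF" capture


def pulses_to_bits(widths_us):
    """Map 25 pulse widths to 24 bits: short=0, long=1, last pulse dropped.

    The midpoint threshold is an assumption; the post gives no exact widths.
    """
    if len(widths_us) != 25:
        raise ValueError("expected 25 pulses per burst")
    threshold = (min(widths_us) + max(widths_us)) / 2
    return "".join("1" if w > threshold else "0" for w in widths_us[:-1])


def decode_frame(bits):
    """Return the address, outlet and action carried by one 24-bit burst."""
    bits = bits.replace(" ", "")
    if len(bits) != 24 or set(bits) - {"0", "1"}:
        raise ValueError("frame must be exactly 24 bits")
    states = {}
    for i, pin in enumerate(PIN_ORDER):
        pair = bits[2 * i:2 * i + 2]
        if pair not in PAIR_TO_STATE:  # "10" is not in the post's table
            raise ValueError(f"undefined pair {pair!r} on pin {pin}")
        states[pin] = PAIR_TO_STATE[pair]
    outlets = [n for p, n in OUTLET_PINS.items() if states[p] == "1"]
    actions = [n for p, n in ACTION_PINS.items() if states[p] == "1"]
    if len(outlets) != 1 or len(actions) != 1:
        raise ValueError("expected one outlet line and one action line High")
    address = "".join(states[p] for p in PIN_ORDER[:5])  # A0..A4 "channel"
    return {"address": address, "outlet": outlets[0], "action": actions[0]}


if __name__ == "__main__":
    # Constructed pulse widths (microseconds) standing in for a real capture.
    frame = SAMPLE_FRAME.replace(" ", "")
    widths = [560 if b == "1" else 180 for b in frame] + [180]
    print(decode_frame(pulses_to_bits(widths)))
```

Running it on the "1 OFF" frame gives address `000F0`, outlet `1`, action `OFF`, matching the breakdown worked through by hand above.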

Security: is there any? (aka: Can my neighbors control my plugs?)

Security? Not really. There is no authentication, no encryption of any kind,
just a straight up blasting of bits in the air and receiving on the other end.
The only thing that is in place is the matching pre-configured “channels” in
the remote and the outlets.

These devices are pretty simple and have a fixed “channel” (address) that is
set at the factory and it is clearly not intended for a consumer to be able to
change it.

The 5 pre-configured address lines: GND, GND, GND, Float, GND

The chip has 8 address lines that can have three states (High, Low, Floating)
so in theory we could have 3^8 (i.e. 59,059) different addresses. Not too
bad…

… but here, two things. They use 3 address lines for data so that leaves us
with 5 usable ones for actual addresses; and the way they configure these 5
address lines appears to just be by pulling them to GND or by leaving them
floating. That’s only 2 states, so now we have 2^5 = 32 addresses.

So it sounds like if both you and your neighbor buy these plugs you have a 1
in 32 chance of controlling each other’s plugs. Not ideal!

Appendix: testing the plug safely

Because of the use of a Transformerless Power Supply design described
earlier, testing and probing the circuit while the plug is connected to mains
voltage is a really bad idea. But luckily now that we understand the circuit a
bit better we know where to inject some safe DC voltage to allow us to work
on the plug.

Safely powering the circuit by bringing ~24VDC between GND and one of the
bridge’s inputs
I chose to solder a wire to one of the pins of the big C1 capacitor, the pin
that’s otherwise connected to the rectifier bridge. By connecting my bench
power supply’s positive terminal to this wire and its negative terminal to the
circuit’s ground (here using the conveniently accessible body of the push
button) we inject about 24V DC right before the bridge. After dropping over
one of the bridge’s diodes the current is ready to be used for the relay coil
and the 5V regulator. It works beautifully and it makes it safe to look at
signals and measure voltages.
