IR Blasting and Cloning: How to Control Any Device From Your Pocket
You point a TV remote at a screen, press a button, and something happens. Magic, right? Not quite - it's infrared light. And once you understand how it works, you start seeing IR receivers everywhere: hotel TVs, conference room projectors, air conditioning units, access control panels, even some IoT devices. Every one of those is a potential target for research, testing, or just a really good party trick.
BLEShark Nano has a full IR blaster and receiver built in. This post covers what that means, what you can do with it, and why IR is one of the most underrated tools in a hacker's kit.
What Is Infrared Communication?
Infrared (IR) is light - just beyond the visible spectrum, around 700nm-1mm wavelength. Your TV remote emits rapid pulses of IR light when you press a button. The TV's sensor picks up that pulse pattern and interprets it as a command: volume up, channel down, power off.
The communication is entirely one-way and unencrypted. There's no handshake, no authentication, no pairing. The remote just blasts a specific pattern of on/off pulses at a defined carrier frequency (usually 38kHz), and any device listening on that frequency that recognizes the pattern will act on it.
That's the whole security model. If you can reproduce the signal, you control the device.
IR protocols standardize how those pulses are structured. The major ones:
- NEC - The most common. Used by LG, Pioneer, and countless others. 32-bit address + command.
- RC5 / RC6 - Philips standard. Used in older European electronics. RC6 adds a mode bit for more commands.
- Samsung - Similar to NEC but with a distinct header pulse. Used across Samsung's TV and appliance lines.
- Sony SIRC - 12 to 20 bits, variable length. Used across Sony's product catalog.
- Panasonic, JVC, DENON - Manufacturer-specific variants, all supported by BLEShark Nano's IR stack.
BLEShark Nano supports all of these out of the box, plus raw mode for anything non-standard. If it responds to a remote, BLEShark Nano can talk to it.
IR in Security Research
IR gets dismissed as "old tech," but that's exactly why it's still interesting. Devices that use IR are often not part of a modern threat model. Nobody is patching the IR receiver on a 2014 conference room projector. Nobody added authentication to the hotel TV remote protocol in 1998, and they still haven't.
Here's where IR shows up in real security assessments:
Hotel TVs and Hospitality Systems
Most hotel TVs run proprietary hospitality firmware with hidden menus accessible via specific IR codes. These menus can expose hotel network info, IPTV configuration, and in some cases, guest data settings. A good IR blaster hacking tool lets you probe those menus without touching the physical remote - which the hotel may not even give you.
Conference Room AV Equipment
Projectors, screens, and AV switchers in conference rooms are almost always IR-controlled. During a physical penetration test, the ability to kill a projector mid-presentation, switch HDMI inputs, or throw a room into standby is a meaningful distraction or disruption vector. It's low-tech, effective, and rarely considered in scope.
IR-Based Access Control
Some older access control systems - garage doors, parking barriers, gate openers - use IR remotes. These are ripe for infrared remote clone attacks: capture the signal once, replay it later. No RF, no Bluetooth, no app required.
IoT and Smart Home Devices
IR bridges are everywhere in smart home setups. Devices like the Broadlink RM series act as IR-to-WiFi gateways - and they often sit on the same network as everything else. Understanding the IR layer helps you understand the full attack surface of a smart home environment.
How BLEShark Nano's IR Features Work
BLEShark Nano has a dedicated IR LED transmitter and an IR receiver on-board. No adapters, no extra hardware. Here's what the firmware lets you do:
Receive and Decode
Point any remote at BLEShark Nano and press a button. The receiver captures the raw pulse train, detects the protocol automatically, and decodes it into a human-readable command. You'll see the protocol name, address, command code, and raw hex - everything you need to understand and reproduce the signal.
Transmit
Once you have a code (from the built-in library or captured yourself), transmit it at the target device. BLEShark Nano modulates the IR LED at the correct carrier frequency for the protocol and fires the signal. Works from across a room.
Clone and Replay
This is where the infrared remote clone capability shines. Capture a signal from any remote, save it, and replay it on demand. You've just cloned the remote. No original required after that.
BLEShark Nano stores captured signals and lets you replay them instantly from the UI. Batch multiple signals together for custom macro sequences - turn on the TV, switch to HDMI 2, set volume to 20, all with a single button press.
Raw Mode
For protocols that aren't in the standard library, raw mode captures and replays the exact pulse timings with microsecond precision. If the device responds to IR at all, raw mode can capture and reproduce it - even if no one has documented the protocol.
TV-B-Gone Mode: The Classic
Let's talk about the feature that makes people immediately understand what IR can do: TV-B-Gone.
TV-B-Gone is a famous open-source project - a tiny device that iterates through hundreds of power-off codes for virtually every TV ever made, blasting them all in sequence. Point it at any TV in any public space and it will turn off within a few seconds.
BLEShark Nano has TV-B-Gone built into its firmware. One menu option, one button press. Walk into a sports bar, hotel lobby, or waiting room and quietly demonstrate what "no authentication" means in practice. It's a crowd-pleaser at security conferences and an excellent teaching moment about why physical security matters.
Use it responsibly. Use it to make a point. Use it to win arguments about why someone should patch their attack surface.
Practical Use Cases for Pentesters and Researchers
Universal remote hacking has real professional applications:
Physical Pentest Enumeration
Walk a facility. Every device with an IR receiver is a potential interaction point. Conference rooms, lobby TVs, elevator panels (yes, some use IR), HVAC controllers. Document what responds to IR and what the implications are for the client's security posture.
Red Team Distractions
Kill the projector during a board meeting. Switch the lobby TV to static. These aren't "hacks" in the traditional sense, but in a red team scenario, creating confusion and distraction is a legitimate social engineering vector. IR is silent, invisible, and leaves no logs.
Device Fingerprinting
IR codes are device-specific enough to fingerprint equipment. If you can identify that a client's conference room uses a specific projector model, that feeds into your research about other vulnerabilities for that device - network interfaces, admin panels, default credentials.
Automation and QA Testing
If you're building or testing IR-controlled hardware, BLEShark Nano is a programmable IR test bench. Automate button sequences, stress-test responsiveness, validate that your IR receiver correctly handles edge cases and malformed signals.
Fun Applications (Because IR Doesn't Have to Be Serious)
Not everything needs a threat model. IR is also just fun!
- Universal remote: Replace every remote in your house with a single BLEShark Nano. Capture codes from your TV, soundbar, projector, and fan. Done.
- Custom macros: "Movie mode" - one button turns off the lights (smart bulb IR bridge), dims the TV, switches to HDMI 1, and sets the soundbar to surround. Real automation, no hub required.
- Retro gaming: Some older game consoles and accessories used IR. Capture the codes, reproduce them, automate inputs for testing or speedrun research.
- Trolling your coworkers: We're not responsible for what happens next. But TV-B-Gone in a room full of security engineers tends to generate very specific reactions.
Shiver Mesh: Distributed IR Across a Building
BLEShark Nano's Shiver mesh system adds a new dimension to IR testing. When you have multiple Nano devices forming a Shiver mesh (up to 16 nodes via ESP-NOW), each node can act as a distributed IR blaster - controlled from a single controller node anywhere in the mesh.
In practice, this means you can deploy Nano units across a building - one in the conference room, one in the lobby, one near the server room AV rack - and send IR commands to any of them remotely. You never have to be in the same room as the target device.
Two IR mesh commands are available:
- TV-B-Gone - Sends the TV-B-Gone sequence from any specified node in the mesh. Useful for large environments with multiple screens across different rooms.
- TX - Sends a specific IR code (captured or from the library) to a target node for transmission. Lets you replay any saved signal from any node, on demand.
The Shiver mesh uses ESP-NOW Long Range mode at 250 kbps with 20-50m range between nodes. For multi-floor or multi-room facilities, you can chain nodes to extend coverage. For organized red team operations, this means coordinating IR actions across a building from a single control point.
Shiver packs are available in 3, 5, 7, 12, and 16-node configurations depending on the scale of your deployment.
The BLEShark Nano Advantage
There are IR blasters out there - Flipper Zero has one, standalone TV-B-Gone dongles exist, cheap IR modules are on AliExpress. But BLEShark Nano integrates IR into a platform that also does BLE scanning, WiFi probing, packet analysis, and more. You're not carrying a dedicated IR tool. You're carrying one device that does IR and everything else.
And with the Shiver mesh system, IR coverage isn't limited to what you can reach from your pocket. Distribute nodes across a facility and control all of them from a single point. That's a capability no standalone IR blaster can match.
The UI is clean and fast. Capture, save, replay - three taps. The IR library covers hundreds of devices. Raw mode handles the rest. And at $36.99+, it's not a debate.
Start Blasting
IR is the "I can't believe that still works" feature of modern security research. It's invisible, silent, protocol-rich, and almost universally undefended. BLEShark Nano has you covered.
Grab yours and start exploring the infrared layer of the world around you!