Alternate way for getting RF code from Broadlink RM Pro

Hi,

just wanted to share something I pulled off when setting up some RF code switches using a Broadlink RM Pro.

The instructions in the Broadlink integration page have a process for the old e-control app, but I was able to get the code from the new IHC app on an iPhone. Even in DrZzs videos he states we couldn’t do it without an Android phone, so that might help other people or even get updated in the docs.

I found that you can get the codes from the IHC internal database and then convert them using a HEX to base64 converter online. These are the steps, assuming you already setup RF codes using the IHC app:

  1. Backup iPhone using iTunes;
  2. Open the backup folder using iBackupViewer (On macOS, make sure you have the latest version, I had a issue with permissions where iBackupViewer would not open the backup folder);
  3. In the let navigation pane, locate the app name “cn.com.broadlink.econtrol.plus”;
  4. Search for “db” and locale/export the file “Documents/econtrol.db”;
  5. Open that with any sql lite IDE. I use DB Browser for SQLite;
  6. Look at the data at the buttonCodeTable table, it should have one line for each code you setup. The code column have the hex strings we need to convert;
  7. Convert the hex to base64 (I used this site: http://tomeko.net/online_tools/hex_to_base64.php?lang=en)
  8. Setup the switch in home assistant;

Hope this helps other people.

The person to update it in the docs is you :slight_smile:

Every page has an “edit in github” link. Your changes will get reviewed by someone in the dev team, so you don’t need to worry about f***king up the documentation.

@Raphael_Rissato
Yeah, but can you also add that you dont need to do any of that if you use the
Broadlink manager or node-red-contrib-broadlink-control node as you can learn the code straight from the remote to RM Pro or Mini, app is good if your device is in there database and works 100% and you couldnt be bothered pressing 20+ button

These instructions are awesome, and to anyone who thinks they aren’t useful because of the learn feature: learn feature does not work well when you have lost the remote.

Not sure if this will help anyone else but I came across this today as I was looking to get some codes that are on my RM Mini and were setup in the Broadlink iOS app, that I no longer have the remote for.

In the end I used broadlink_cli’s learn command and whilst that was running I used the Broadlink app and triggered the RM Mini to send the codes. I guess it must have bounced off reflective surfaces/walls and gone back into the RM Mini because it got me what I needed! Seems like a very easy solution as opposed to taking an iOS backup (I didn’t have enough space on my machine for that) or any other method.

Does anyone know if there’s a similar way to extract the existing codes from the BroadLink app on Android? In my case it’s not about IR but RF codes that I learned in both already - the app AND Home Assistant, but the ones stored in the app seem to be better and I don’t want to repeat the whole learning in HA :wink:

Any chance you’d be willing to check again and see if the “Documents/econtrol.db” file still exists for you? Because I’m not finding it in the folder.

Also the name for the app is slightly different now incase that matters. “cn.com.broadlink.econtrol.international"

Bit of an old thread, but for those stuck, i managed to do this using emulators and MITM proxies with the help of Claude. He's the output

Extracting Broadlink IR Commands for Home Assistant

A complete guide to extracting learned IR commands from the Broadlink app and importing them into Home Assistant. This works even though the app blocks ADB backups and uses an encrypted local database.

Requirements:

  • Mac (Apple Silicon or Intel)
  • Android phone with Broadlink app installed and logged in
  • Broadlink RM Pro/Mini device with learned commands
  • Home Assistant with Broadlink integration already set up
  • Android Studio installed
  • Homebrew installed

Step 1 — Install ADB

brew install android-platform-tools
adb version

Step 2 — Enable USB Debugging on your phone

  1. Settings → About Phone — tap Build Number 7 times to unlock Developer Options
  2. Settings → Developer Options → enable USB Debugging
  3. If you see an Auto Blocker warning (Samsung): Settings → Security and Privacy → Auto Blocker → toggle off

Plug your phone in, then:

adb devices

Accept the "Trust this computer" prompt on your phone. You should see your device listed.


Step 3 — Find the Broadlink package name

adb shell pm list packages | grep -i broadlink

Note the package name — it will be something like cn.com.broadlink.econtrol.international.


Step 4 — Extract the APK from your phone

adb shell pm path cn.com.broadlink.econtrol.international

This returns a path like /data/app/~~abc123/cn.com.broadlink.econtrol.international-xyz/base.apk. Pull it:

adb pull /data/app/~~<hash>/cn.com.broadlink.econtrol.international-<hash>/base.apk broadlink.apk

Tip: You can also download the APK from apkpure.com if you prefer.


Step 5 — Create a rooted Android emulator

Open Android Studio:

  1. Tools → Device Manager → Create Device
  2. Pick any device (e.g. Pixel 6 Pro)
  3. Select a system image with Android Open Source (no Google APIs, no Google Play)
    • On Apple Silicon Macs you'll only see ARM 64 v8a images — that's fine
    • API 33 or 34 recommended
  4. Finish but do not start the emulator yet

Find your AVD name:

~/Library/Android/sdk/emulator/emulator -list-avds

Launch with writable system partition:

~/Library/Android/sdk/emulator/emulator -avd "YOUR_AVD_NAME" -writable-system

Step 6 — Root the emulator and install mitmproxy certificate

# Root ADB
adb -e root

# Enable overlayfs remount (first time only — reboot required)
adb -e remount
adb -e reboot

After reboot, root and remount again (required after every reboot):

adb -e root
adb -e remount

Set up a Python virtual environment and install mitmproxy:

python3 -m venv broadlink-env
source broadlink-env/bin/activate
pip install mitmproxy

Start mitmweb:

mitmweb --listen-port 8080

In a new terminal, get your Mac's local IP:

ifconfig | grep "inet " | grep -v 127.0.0.1

Get the mitmproxy certificate hash:

curl -o mitmproxy-ca-cert.pem http://mitm.it/cert/pem
openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.pem | head -1

This returns a hash like c8750f0d. Install the cert to the emulator's system trust store:

cp mitmproxy-ca-cert.pem <HASH>.0
adb -e push <HASH>.0 /system/etc/security/cacerts/
adb -e shell chmod 644 /system/etc/security/cacerts/<HASH>.0
adb -e reboot

After reboot, root and remount again, then verify:

adb -e root
adb -e remount
adb -e shell ls /system/etc/security/cacerts/ | grep <HASH>

Step 7 — Install Broadlink app and configure proxy

Install the APK on the emulator:

adb -e install broadlink.apk

Set the emulator to route traffic through mitmproxy (replace with your Mac's IP):

adb -e shell settings put global http_proxy 192.168.1.x:8080

Step 8 — Intercept the IR commands

  1. Open the Broadlink app on the emulator
  2. Log in with your Broadlink account (use email/password, not Google Sign-in)
  3. Wait for your devices to sync
  4. Navigate to your RM Pro/Mini and browse your learned commands
  5. Open mitmweb at http://127.0.0.1:8081 in your browser
  6. Look for requests to ibroadlink.com — you'll find a response containing irData with all your IR codes as JSON

Save the full JSON response body for the next step.


Step 9 — Convert codes for Home Assistant

Save the intercepted JSON to a file called broadlink_commands.json, then run this script:

import json
import base64

with open('broadlink_commands.json') as f:
    data = json.load(f)

ir_data = data['data']['irData']

print("broadlink_commands:")
for cmd in ir_data:
    name = (cmd.get('name') or cmd.get('function', 'unknown')).lower().replace(' ', '_')
    code_hex = cmd['codeList'][0]['code'] if cmd.get('codeList') else None
    if code_hex:
        code_b64 = base64.b64encode(bytes.fromhex(code_hex)).decode('utf-8')
        print(f"  {name}: '{code_b64}'")

Step 10 — Add to Home Assistant

Add scripts to your script.yaml (adjust entity_id to match your RM device):

fan_on:
  alias: "Fan - On"
  sequence:
    - service: remote.send_command
      target:
        entity_id: remote.rm4_pro   # check your entity ID in HA
      data:
        command: "BASE64_CODE_HERE"

fan_off:
  alias: "Fan - Off"
  sequence:
    - service: remote.send_command
      target:
        entity_id: remote.rm4_pro
      data:
        command: "BASE64_CODE_HERE"

Find your entity ID under Settings → Devices & Services → Broadlink.

After saving, reload scripts: Developer Tools → YAML → Reload Scripts.


Troubleshooting

Problem Solution
adb devices shows nothing Check USB debugging is enabled; accept trust prompt on phone
Auto Blocker blocks USB debugging Settings → Security and Privacy → Auto Blocker → off
run-as fails Expected — Broadlink is a release app, not debuggable
ADB backup is empty Expected — Broadlink sets allowBackup=false
adb remount says "bootloader unlocked" error You used a Google APIs image — recreate emulator with plain AOSP image
Certificate won't install via UI Use the system trust store method via ADB instead
Google Sign-in blocked in emulator Use email/password login instead
mitmweb shows no Broadlink traffic Make sure proxy is set on emulator and cert is installed correctly

Notes

  • The Broadlink app encrypts its local SQLite database (UnifyApp.db), making direct extraction impossible without root
  • IR codes are stored in Broadlink's cloud and synced on login — this is why the emulator approach works
  • The extracted Base64 codes are standard Broadlink IR format and compatible with Home Assistant, Node-RED, and the python-broadlink library
  • You can re-run this process any time you add new learned commands to the app