Bit of an old thread, but for those stuck, i managed to do this using emulators and MITM proxies with the help of Claude. He's the output
Extracting Broadlink IR Commands for Home Assistant
A complete guide to extracting learned IR commands from the Broadlink app and importing them into Home Assistant. This works even though the app blocks ADB backups and uses an encrypted local database.
Requirements:
- Mac (Apple Silicon or Intel)
- Android phone with Broadlink app installed and logged in
- Broadlink RM Pro/Mini device with learned commands
- Home Assistant with Broadlink integration already set up
- Android Studio installed
- Homebrew installed
Step 1 — Install ADB
brew install android-platform-tools
adb version
Step 2 — Enable USB Debugging on your phone
- Settings → About Phone — tap Build Number 7 times to unlock Developer Options
- Settings → Developer Options → enable USB Debugging
- If you see an Auto Blocker warning (Samsung): Settings → Security and Privacy → Auto Blocker → toggle off
Plug your phone in, then:
adb devices
Accept the "Trust this computer" prompt on your phone. You should see your device listed.
Step 3 — Find the Broadlink package name
adb shell pm list packages | grep -i broadlink
Note the package name — it will be something like cn.com.broadlink.econtrol.international.
Step 4 — Extract the APK from your phone
adb shell pm path cn.com.broadlink.econtrol.international
This returns a path like /data/app/~~abc123/cn.com.broadlink.econtrol.international-xyz/base.apk. Pull it:
adb pull /data/app/~~<hash>/cn.com.broadlink.econtrol.international-<hash>/base.apk broadlink.apk
Tip: You can also download the APK from apkpure.com if you prefer.
Step 5 — Create a rooted Android emulator
Open Android Studio:
- Tools → Device Manager → Create Device
- Pick any device (e.g. Pixel 6 Pro)
- Select a system image with Android Open Source (no Google APIs, no Google Play)
- On Apple Silicon Macs you'll only see ARM 64 v8a images — that's fine
- API 33 or 34 recommended
- Finish but do not start the emulator yet
Find your AVD name:
~/Library/Android/sdk/emulator/emulator -list-avds
Launch with writable system partition:
~/Library/Android/sdk/emulator/emulator -avd "YOUR_AVD_NAME" -writable-system
Step 6 — Root the emulator and install mitmproxy certificate
# Root ADB
adb -e root
# Enable overlayfs remount (first time only — reboot required)
adb -e remount
adb -e reboot
After reboot, root and remount again (required after every reboot):
adb -e root
adb -e remount
Set up a Python virtual environment and install mitmproxy:
python3 -m venv broadlink-env
source broadlink-env/bin/activate
pip install mitmproxy
Start mitmweb:
mitmweb --listen-port 8080
In a new terminal, get your Mac's local IP:
ifconfig | grep "inet " | grep -v 127.0.0.1
Get the mitmproxy certificate hash:
curl -o mitmproxy-ca-cert.pem http://mitm.it/cert/pem
openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.pem | head -1
This returns a hash like c8750f0d. Install the cert to the emulator's system trust store:
cp mitmproxy-ca-cert.pem <HASH>.0
adb -e push <HASH>.0 /system/etc/security/cacerts/
adb -e shell chmod 644 /system/etc/security/cacerts/<HASH>.0
adb -e reboot
After reboot, root and remount again, then verify:
adb -e root
adb -e remount
adb -e shell ls /system/etc/security/cacerts/ | grep <HASH>
Step 7 — Install Broadlink app and configure proxy
Install the APK on the emulator:
adb -e install broadlink.apk
Set the emulator to route traffic through mitmproxy (replace with your Mac's IP):
adb -e shell settings put global http_proxy 192.168.1.x:8080
Step 8 — Intercept the IR commands
- Open the Broadlink app on the emulator
- Log in with your Broadlink account (use email/password, not Google Sign-in)
- Wait for your devices to sync
- Navigate to your RM Pro/Mini and browse your learned commands
- Open mitmweb at http://127.0.0.1:8081 in your browser
- Look for requests to
ibroadlink.com — you'll find a response containing irData with all your IR codes as JSON
Save the full JSON response body for the next step.
Step 9 — Convert codes for Home Assistant
Save the intercepted JSON to a file called broadlink_commands.json, then run this script:
import json
import base64
with open('broadlink_commands.json') as f:
data = json.load(f)
ir_data = data['data']['irData']
print("broadlink_commands:")
for cmd in ir_data:
name = (cmd.get('name') or cmd.get('function', 'unknown')).lower().replace(' ', '_')
code_hex = cmd['codeList'][0]['code'] if cmd.get('codeList') else None
if code_hex:
code_b64 = base64.b64encode(bytes.fromhex(code_hex)).decode('utf-8')
print(f" {name}: '{code_b64}'")
Step 10 — Add to Home Assistant
Add scripts to your script.yaml (adjust entity_id to match your RM device):
fan_on:
alias: "Fan - On"
sequence:
- service: remote.send_command
target:
entity_id: remote.rm4_pro # check your entity ID in HA
data:
command: "BASE64_CODE_HERE"
fan_off:
alias: "Fan - Off"
sequence:
- service: remote.send_command
target:
entity_id: remote.rm4_pro
data:
command: "BASE64_CODE_HERE"
Find your entity ID under Settings → Devices & Services → Broadlink.
After saving, reload scripts: Developer Tools → YAML → Reload Scripts.
Troubleshooting
| Problem |
Solution |
adb devices shows nothing |
Check USB debugging is enabled; accept trust prompt on phone |
| Auto Blocker blocks USB debugging |
Settings → Security and Privacy → Auto Blocker → off |
run-as fails |
Expected — Broadlink is a release app, not debuggable |
| ADB backup is empty |
Expected — Broadlink sets allowBackup=false |
adb remount says "bootloader unlocked" error |
You used a Google APIs image — recreate emulator with plain AOSP image |
| Certificate won't install via UI |
Use the system trust store method via ADB instead |
| Google Sign-in blocked in emulator |
Use email/password login instead |
| mitmweb shows no Broadlink traffic |
Make sure proxy is set on emulator and cert is installed correctly |
Notes
- The Broadlink app encrypts its local SQLite database (
UnifyApp.db), making direct extraction impossible without root
- IR codes are stored in Broadlink's cloud and synced on login — this is why the emulator approach works
- The extracted Base64 codes are standard Broadlink IR format and compatible with Home Assistant, Node-RED, and the
python-broadlink library
- You can re-run this process any time you add new learned commands to the app