Now it's time to build a circuit that will mimic the incredibly cheap plastic remote. Open up the remote by removing the battery case, battery, and screws. You'll see a couple pushbuttons, some tiny components, a metal crystal package (marked with R315A), and an IC with HS1527 stamped on it. The "315" on the crystal sounds very much like we're operating a 315MHz transmitter, and a quick look at the HS1527 datasheet tells us that we're dealing with an OTP encoder transmitter.
Page 2 of the datasheet is particularly interesting, showing an output format of a 20-bit code followed by 4 data bits. The code is used to prevent any random device on the same frequency from accidentally turning the lights on, since there's an approximately 1/1,000,000 chance that a random broadcast will match the code. The four data bits correspond to which RF socket is being turned on - this is the single hex digit (four bits) that changes between each socket's EEPROM dump.
So we know the data bits are where the hex data is changing. What about the 20-bit code? Couldn't it be anywhere in the EEPROM? Well, it turns out that programmers are lazy. They really don't want to create extra work and more code, so when reading a serial transmitter broadcast they'd likely want the comparison data arranged in the same way in memory. Looking at one of the dumps, we see something like:
5a5a 0c5a c18c 285a bea3 915a ffff ffff
On another dump, we see:
5a5a 0c5a c18c 285a bea3 925a ffff ffff
And so on. Counting 20 bits to the left of the changing digit (that's five hex digits), we get the code 0xBEA39. With any luck, we can shove this into a data packet and blast it at the light sockets, and they'll respond by turning on or off!
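The dump comparison above, as an added example (not code from the original write-up): it flattens the two quoted dumps, finds the one nibble that differs, reads the five hex digits to its left as the 20-bit code, and packs code and data into the 24-bit value the HS1527 datasheet describes. The code-left-of-data layout is the write-up's observation about this particular firmware, and the dump strings are the constructed samples quoted in the text.

```python
# Added example: locate the HS1527 code/data fields in two EEPROM dumps.
# The two dump lines are the constructed samples quoted in the write-up;
# the layout (20-bit code immediately left of the changing data nibble)
# is the write-up's own observation, not a guaranteed property of the chip.

DUMP_A = "5a5a 0c5a c18c 285a bea3 915a ffff ffff"
DUMP_B = "5a5a 0c5a c18c 285a bea3 925a ffff ffff"

def nibbles(dump: str) -> str:
    """Flatten a dump of 16-bit hex words into one string of hex digits."""
    return "".join(dump.split())

def changing_nibble_index(dump_a: str, dump_b: str) -> int:
    """Return the index of the single hex digit that differs between the dumps.

    Raises ValueError if the dumps differ in length or in anything other than
    exactly one digit: the socket-ID theory only holds when one nibble moves.
    """
    a, b = nibbles(dump_a), nibbles(dump_b)
    if len(a) != len(b):
        raise ValueError("dumps differ in length")
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) != 1:
        raise ValueError(f"expected exactly one differing nibble, found {len(diffs)}")
    return diffs[0]

def extract_fields(dump: str, data_index: int) -> tuple[int, int]:
    """Return (code, data): the 20-bit code held in the five hex digits left of
    data_index, and the 4-bit data nibble at data_index."""
    n = nibbles(dump)
    if data_index < 5:
        raise ValueError("no room for a 20-bit code before the data nibble")
    code = int(n[data_index - 5:data_index], 16)
    data = int(n[data_index], 16)
    return code, data

def hs1527_frame(code: int, data: int) -> int:
    """Pack a 20-bit code and a 4-bit data field into the 24-bit value the
    datasheet describes (code first, then the four data bits)."""
    if not 0 <= code < (1 << 20) or not 0 <= data < (1 << 4):
        raise ValueError("code must be 20 bits and data 4 bits")
    return (code << 4) | data

if __name__ == "__main__":
    idx = changing_nibble_index(DUMP_A, DUMP_B)
    for dump in (DUMP_A, DUMP_B):
        code, data = extract_fields(dump, idx)
        print(f"code=0x{code:05X} data={data:#x} frame=0x{hs1527_frame(code, data):06X}")
```

Running it on the two quoted dumps reports code 0xBEA39 with data 0x1 and 0x2 respectively, matching the hand count in the text.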
Let's get to building a new transmitter!