Author Topic: The best way to decipher a wireless protocol  (Read 2325 times)


rthorntn (Topic starter)
The best way to decipher a wireless protocol
« on: October 15, 2013, 06:04:18 am »
Hi

Looking for ideas and this has always been a very helpful forum.

I want to integrate a 433MHz siren into Arduino (specifically the Arduino present on the BeagleBone cape that ships with the Ninja Block), so as far as I can tell this is all about rc-switch (warning: big phone cam images):

https://dl.dropbox.com/u/2436853/alarm.jpg
https://dl.dropboxusercontent.com/u/2436853/alarm2.jpg

There is an ATmega48V on there; the RX says 9931A on the PCB and there is a CD4069UBM hex inverter, which I assume is used for the receiver.

Basically I have the remote and the siren, and the remote actuates the siren. rc-switch sees the button press as a 24-bit code and I can see it, but when I try to use that code to actuate the siren using rc-switch nothing happens. I believe RX and TX are implemented in different parts of rc-switch, so there could be something that RXes OK but doesn't TX properly.

I want to decode what's going on, both to get a better understanding of electronics and to get this flipping siren working. I have no idea where to start. I have access to a scope, logic analyzer and SDR (I would be a beginner on all of them) as well as lots of Arduino boards and breakouts including 433MHz; can somebody point me in the right direction please?

Thanks.

Rich
 

adam1213
Re: The best way to decipher a wireless protocol
« Reply #1 on: October 15, 2013, 07:40:37 am »
How do you know that "rc-switch sees the button press as a 24bit code"? Is this in the specifications, or did you measure this?

A good way to start is by looking at the requirements for the siren:
  • It needs to be possible to have multiple sirens of the same type near each other without them conflicting. Due to this the siren has a learn mode.
  • An attacker should not be able to disable the siren, e.g. the data sent each time might change. Try checking if it changes, e.g. by recording the data transmitted or looking at it on a logic analyzer or scope.

« Last Edit: October 15, 2013, 07:45:25 am by adam1213 »
 

rthorntn (Topic starter)
Re: The best way to decipher a wireless protocol
« Reply #2 on: October 15, 2013, 08:13:13 am »
Thanks adam1213!

The Ninja Block sees the remote button press and it has a UI that shows the code, but the actuate function using the observed code does not work.

The siren does have a learn button.

I didn't think about some sort of anti-sniffing technique.

How would I record the press? I could build an Arduino with a 433MHz radio and probe the radio pins; would a scope or logic analyzer be better? I could also set up the SDR and sniff at 433MHz, watching the GNU Radio scope...?

Thanks again.

Richard
 

adam1213
Re: The best way to decipher a wireless protocol
« Reply #3 on: October 15, 2013, 11:53:09 am »
What code shows up, or at least the start of the code?

I suggest you probe a 433MHz receiver and look at:
  • what the remote sends: is it always the same message for on / off, or does the message change over multiple button presses, and how much of the message changes?
  • how what the Ninja Block sends compares with what the remote sends.


Setup:
433MHz receiver: connect it to power and probe the output pin. (Note: you can use the receiver that is part of the Ninja Block and probe it.)
« Last Edit: October 15, 2013, 12:02:51 pm by adam1213 »
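One way to do the comparison adam1213 suggests once you have captured the receiver's output pin with a logic analyzer, as an added example that is not code from this thread or from the rc-switch project. It assumes rc-switch "protocol 1" timings (350 µs base pulse, sync = 1 high + 31 low, bit 0 = 1 high + 3 low, bit 1 = 3 high + 1 low, 24 bits); the captures it feeds itself are constructed, not real recordings.

```python
# Added example (not from this thread or from rc-switch): decode OOK pulse
# captures of a remote and diff repeated presses to see whether the code is
# fixed or changes each time. Input is a list of alternating high,low pulse
# durations in microseconds, the form a logic analyzer export gives you.
# Assumes rc-switch "protocol 1": 350us base pulse, sync = 1 high + 31 low,
# bit 0 = 1 high + 3 low, bit 1 = 3 high + 1 low, 24 data bits.
from typing import List, Optional

PULSE_US = 350
TOLERANCE = 0.35  # accept +-35% jitter on each measured pulse

def _close(measured: int, units: int) -> bool:
    expected = units * PULSE_US
    return abs(measured - expected) <= expected * TOLERANCE

def decode_frame(timings: List[int], nbits: int = 24) -> Optional[int]:
    """Decode one frame; timings[0] is the sync high. None if it does not fit."""
    if len(timings) < 2 + 2 * nbits:
        return None
    if not (_close(timings[0], 1) and _close(timings[1], 31)):
        return None
    code = 0
    for i in range(nbits):
        hi, lo = timings[2 + 2 * i], timings[3 + 2 * i]
        if _close(hi, 1) and _close(lo, 3):
            code = code << 1          # bit 0
        elif _close(hi, 3) and _close(lo, 1):
            code = (code << 1) | 1    # bit 1
        else:
            return None               # glitch, or a different protocol
    return code

def changing_bits(codes: List[int], nbits: int = 24) -> int:
    """Mask of bit positions that differ between captures; 0 means a fixed code."""
    mask = 0
    for c in codes[1:]:
        mask |= c ^ codes[0]
    return mask & ((1 << nbits) - 1)

def make_capture(code: int, jitter: int = 0, nbits: int = 24) -> List[int]:
    """Constructed capture of one frame for the code, with optional timing jitter."""
    t = [PULSE_US, 31 * PULSE_US]
    for i in range(nbits - 1, -1, -1):
        t += [3 * PULSE_US, PULSE_US] if (code >> i) & 1 else [PULSE_US, 3 * PULSE_US]
    return [v + ((k % 3) - 1) * jitter for k, v in enumerate(t)]

if __name__ == "__main__":
    presses = [decode_frame(make_capture(0x5A3C1E, jitter=40)) for _ in range(3)]
    print([hex(p) for p in presses], "changing bits: %06x" % changing_bits(presses))
```

If `changing_bits` reports 0 across several presses the remote sends a fixed code and a replayed transmission should work, so the failure is in the TX side; a non-zero mask points at a changing (rolling or counter) portion you would need to understand first.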
 

