Author Topic: RF Decoding  (Read 2166 times)


JonPyro (Topic starter)
RF Decoding
« on: April 19, 2019, 11:10:32 pm »
Hi All,

I have been experimenting with a DB04r Remote firing system, similar to this one: https://www.ebay.co.uk/itm/12-CH-Wireless-Fireworks-Firing-control-system-equipment-Remote-4pcs-Igniters-UK/264105120302

I have torn it down and probed the I2C bus etc and found out how it works.

However, the one thing I do not understand is how to figure out how to interpret the RF control signal. It uses a SYN470R receiver chip and I probe the Data Out using a cheap logic probe. A lot of what I see is just noise, but when I press the buttons I get a decent signal pattern appear, but I am not sure how I go about making sense of it. I have attached a zip with the PulseView file containing 4 different button presses.

The datasheet mentions the receiver uses OOK so I tried to add an OOK decoder to PulseView but none of the settings seemed to make any sense when reading the signal pattern. If I am honest I am not sure what I am looking for. I know the remote has 12 buttons, so each of them must have a unique ID that it is sending. Looking at the patterns from the different buttons they do indeed look different. I was rather hoping it would be sending the number (in binary) of the button being pressed, which it might be, but I am not sure how to extract that.

Here is what I believe one button press looks like:


I have tried Manchester encoding and all those options but nothing looks right.

Can anyone give me some clues of how to crack this code and where to start? You can clearly see I have never done this before and I blame Dave's videos entirely for me trying :P

Many thanks
« Last Edit: April 19, 2019, 11:13:55 pm by JonPyro »
 

Buriedcode
Re: RF Decoding
« Reply #1 on: April 19, 2019, 11:25:13 pm »
There are a few ways to encode bits, other than the standard NRZ (non-return to zero), and Manchester coding is one of them. Another common one that is used with cheap RF remotes is PWM, where each bit is a pulse, but the difference between a '1' and '0' is either the length of the pulse, or less often, the gap between them. All these methods have the advantage that they are self-clocking (there is a transition every bit regardless of its value) so they don't require any kind of synchronization pattern and are less prone to differences in the clocks in the tx and rx.

Without seeing a zoomed in version of the waveform, it's hard to say. It could also be a packet structure with a preamble, sync word, payload, checksum etc.

So a zoomed in picture so we can clearly see individual transitions will help.
 
The following users thanked this post: JonPyro

JonPyro (Topic starter)
Re: RF Decoding
« Reply #2 on: April 21, 2019, 09:08:24 am »
Thanks for your help so far.

I may have found something that may help. Listening to the EEPROM communications shows that the micro reads 5 bytes of information which are 07 2E CC 09 A7. The module can be reprogrammed to start from any button on the remote so reprogramming changes the first byte with the number it starts firing from, so can be from 01-12. The other 4 bytes I think are going to be a unique ID for the remote control so another cheap remote on the same frequency does not fire the module, but by putting them in EEPROM you can program a new remote to the unit as it just changes the ID in memory.

I have zoomed in on what I think could be bytes of information from the previous screenshot for you:
 

JonPyro (Topic starter)
Re: RF Decoding
« Reply #3 on: April 21, 2019, 12:06:29 pm »
Interesting that all the periods are 1.3ms.
 

soldar
Re: RF Decoding
« Reply #4 on: April 21, 2019, 03:45:36 pm »
Quote from JonPyro: "interesting that all the periods are 1.3ms"
And only two widths so I would guess one is 1 and the other is 0.
All my posts are made with 100% recycled electrons and bare traces of grey matter.
 
The following users thanked this post: JonPyro

Buriedcode
Re: RF Decoding
« Reply #5 on: April 21, 2019, 06:20:19 pm »
I'm going to take a wild guess and say it looks like the type of output you'd get from a HT12E/PT2262  http://www.princeton.com.tw/Portals/0/Product/PT2262_5.pdf (page 7 shows the bit timing).

You can confirm this if the pulse widths are 1/4 and 3/4 of the bit period (your 1.3ms), and by how many bits/pulses are sent in a packet. At the very least it looks like it really is a PWM encoding, but as to whether it is the same as the PT2262 format I'm not sure. In your last posted screenshot, there are 25 pulses, and the PT2262 format has two pulses per bit, 9 address bits, 3 data bits, and a sync pulse, which gives 25 pulses.

Again I could be wrong here, but if you manage to write basic code that just converts those pulse widths to bits and spits them out a serial port, you could see which bits change depending on what buttons you hit on the remote.

I believe there is an Arduino library, "Virtual Wire", that is meant for using cheap RF modules (dumb ones that are just OOK AM or FM, no encoding) that can decode these types of formats for you. I haven't used it though, but I did write code specifically for decoding this for use with ubiquitous Chinese "RF remotes". It isn't that difficult, and can be run using timer interrupts so it runs in the background of whatever task the micro is doing. Also, a version of the KEELOQ protocol, used by Microchip, also has a similar PWM scheme, and I'm sure they have code for a decoder available in standard C.
 
The following users thanked this post: JonPyro

JonPyro (Topic starter)
Re: RF Decoding
« Reply #6 on: April 21, 2019, 06:27:49 pm »
OK, I think with everyone's help I have cracked it.

I reckon long duty cycle is 1 and small is 0.

That gives a 20-bit identifier and 4-bit data. Reading it back as I press the buttons, the last 4 bits count up as I increment the buttons.

It is interesting that it sends the same data about 5 times; I presume this is to increase the chance that one packet of data is received correctly. Taking apart the controller I have found it is transmitting using an EV1527, which confirms the 20-bit and 4-bit data sending, from searching around for a datasheet.

Interestingly, the bit pattern coincides with the EEPROM: CC 09 A7 is the 24-bit pattern for button 7. The 07 is simply the micro stripping out the data but I just cannot work out why it needs to record 2E...
« Last Edit: April 21, 2019, 06:40:27 pm by JonPyro »
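
The decoding worked out across the replies above, as an added example that is not code from any poster: pulse widths are classified by duty cycle (long = 1), frames are split at the sync gap, and the repeated transmissions are majority-voted before splitting into the 20-bit identifier and 4-bit data. The function names, the 25% tolerance, the gap threshold and the sync length used in the constructed sample capture are assumptions.

```python
from collections import Counter

BIT_PERIOD_US = 1300   # bit period reported in the thread (1.3 ms)
TOLERANCE = 0.25       # assumed timing slack for a cheap OOK receiver
FRAME_BITS = 24        # 20-bit identifier + 4-bit data


def decode_frames(pulses):
    """Decode (high_us, low_us) pairs into a list of 24-bit frame values."""
    frames, bits, synced = [], [], False
    pulses = list(pulses) + [(0, 3 * BIT_PERIOD_US)]  # sentinel gap closes last frame
    for high_us, low_us in pulses:
        if low_us > 2 * BIT_PERIOD_US:  # long gap (assumed threshold) = sync
            if len(bits) == FRAME_BITS:
                frames.append(int("".join(bits), 2))
            bits, synced = [], True
        elif not synced:
            continue  # receiver noise before the first sync
        elif abs(high_us + low_us - BIT_PERIOD_US) > TOLERANCE * BIT_PERIOD_US:
            bits, synced = [], False  # wrong period: drop frame, wait for sync
        else:
            bits.append("1" if high_us > low_us else "0")  # long duty = 1
    return frames


def majority_frame(frames, min_repeats=2):
    """Most frequent frame value, or None if nothing repeats min_repeats times."""
    best = Counter(frames).most_common(1)
    return best[0][0] if best and best[0][1] >= min_repeats else None


def split_frame(value):
    """Split a 24-bit frame into (20-bit identifier, 4-bit button data)."""
    return value >> 4, value & 0xF


def build_capture(value, repeats=5):
    """Constructed sample capture: `value` sent `repeats` times."""
    unit, pulses = BIT_PERIOD_US // 4, []
    for _ in range(repeats):
        pulses.append((unit, 31 * unit))  # sync pulse; gap length is assumed
        for i in reversed(range(FRAME_BITS)):
            pulses.append((3 * unit, unit) if (value >> i) & 1 else (unit, 3 * unit))
    return pulses


if __name__ == "__main__":
    ident, button = split_frame(majority_frame(decode_frames(build_capture(0xCC09A7))))
    print(f"id=0x{ident:05X} button={button}")
```

To run it on a real capture, export the edge timings from PulseView and pass them as `(high_us, low_us)` pairs in place of `build_capture(...)`.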
 

