RF Decoding

JonPyro:
Hi All,

I have been experimenting with an DB04r Remote firing system, similar to this one : https://www.ebay.co.uk/itm/12-CH-Wireless-Fireworks-Firing-control-system-equipment-Remote-4pcs-Igniters-UK/264105120302?epid=28027443463&hash=item3d7de4522e&enc=AQADAAADAFjVrDbVsZ8oH%2F8PNHtt9VX4%2Fw7FZcmMuqsX8uaFEduVEiP4E8oVdkMwUmazuRzC2GXcJqCWx9esq2YyO0ZttRNg4CczUn7Ii5fdRovvZb5hCzbLcSQL1BubE4GOUGlITZijvCCg60ei31IOFv76g6o2SDRkVkscKbzLvXNsNO7aVR4zv5dlg0xqqDLeDMlr%2BqKPHKDcqAqw4CKOH8e%2BGiguLnq5IZGrXzclrkZIXq9J46nOiutz8xJ0uNQXh1KNzPxBrZgm1QDI6PDxzVAfBdcRTaY3Mt0%2FelY0jMAloZpxof6x67rRVcOV1UqJMP0CbSySd70iHuSHFCpI60JgqO%2FHutV30p080NxBK0vtLs3oivFmDmsDZiIog4k95kbGR0mqxGCUmdkgkcukfE26YraJWfp3iUt4RMg1B6p1x7A%2B9fpzcF9T8VCeRHWKs2CMhW0AE4EtbramP8zidRGeIC%2BTbj38ziEWUfstl7%2Ftk7rT94aYgDeaeskvqY5Mc0bE0AalJYgOa3pVTEDSJvD74w6ARxP%2FzfU30S095HANRXhgVZ5vMJztG%2BdXoBDnhB46vppBxmjDTwh1%2BDW7zTyT4Ovb3eU6ln8kD0GRJl%2Bb6EQzdS3raQN8LprSgVNsfSYiRji4wQVmxXyP%2Frqi%2F0PpkNQgPHI6iwY%2FtdmJYGFpEmHkHHOYVhuTbSX5ZnKJM9t3EZj63PIsZN7s6%2BDubmxEyGA7Q%2FTXoanuruEz58fEZLtj6EA1OTRef7nTXh83DaBDJSMh4Ed%2FNE%2BAHz3TLsDK9jhj1lQgzCtoQVjC%2FZUrMgjnyzH%2FqBY%2B%2Bbc8FTpMMcqoW9mOedHtR9p%2B9VQ02kpNEtYKODSHvCA9CkjsYTzMy23mW7iugu5%2B%2Btq876tqwwMPiH7ljq5WqGZowa16A4MnvO8CsDFulitwFqg5vZF6JxeAbgit5T%2BvgXOcMbipSHc9J8k3D5xiZDrJF%2FqjIMQqPoG5rDwk7b8nISG7NpC93im1KbPZ6bUIwPhu83ZjSOfUQA%3D%3D&checksum=264105120302c43df0162d604f2ba2bef26a906658b8

I have torn it down and probed the I2C bus etc and found out how it works.

However, the one thing I do not understand is how to figure out how to interpret the RF control signal. It uses a SYN470R receiver chip and I probe the Data Out using a cheap logic probe. A lot of what I see is just noise but when I press the buttons I get a decent signal pattern appear but I am not sure how I go about making sense of it. I have attached a zip with the PulseView file containing 4 different button presses.

The datasheet mentions the receiver uses OOK so I tried to add an OOK decoder to PulseView but none of the settings seemed to make any sense when reading the signal pattern. If I am honest I am not sure what I am looking for. I know the remote has 12 buttons, so each of them must have a unique ID that it is sending. Looking at the patterns from the different buttons they do indeed look different. I was rather hoping it would be sending the number (in binary) of the button being pressed, which it might be, but I am not sure how to extract that.

Here is what I believe one button press looks like:


I have tried Manchester encoding and all those options but nothing looks right.

Can anyone give me some clues of how to crack this code and where to start? You can clearly see I have never done this before and I blame Dave's videos entirely for me trying :P

Many thanks

Buriedcode:
There are a few ways to encode bits, other than the standard NRZ (non-return to zero) and Manchester coding is one of them. Another common one that is used with cheap RF remotes is PWM, where each bit is a pulse, but the difference between a '1' and '0' is either the length of the pulse, or less often, the gap between them. All these methods have the advantage that they are self-clocking (there is a transition every bit regardless of its value) so they don't require any kind of synchronization pattern and are less prone to differences in the clocks in the tx and rx.

Without seeing a zoomed in version of the waveform, it's hard to say. It could also be a packet structure with a preamble, sync word, payload, checksum etc.

So a zoomed in picture so we can clearly see individual transitions will help.

JonPyro:
Thanks for your help so far.

I may have found something that may help. Listening to the EEPROM communications shows that the micro reads 5 bytes of information which are 07 2E CC 09 A7. The module can be reprogrammed to start from any button on the remote so reprogramming changes the first byte with the number it starts firing from, so can be from 01-12. The other 4 bytes I think are going to be a unique ID for the remote control so another cheap remote on the same frequency does not fire the module, but by putting them in EEPROM you can program a new remote to the unit as it just changes the ID in memory.

I have zoomed in on what I think could be bytes of information from the previous screenshot for you:

JonPyro:
Interesting that all the periods are 1.3ms

soldar:

--- Quote from: JonPyro on April 21, 2019, 12:06:29 pm --- interesting that all the periods are 1.3ms
--- End quote ---
And only two widths so I would guess one is 1 and the other is 0.
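
Added example, not part of the original thread: a minimal pulse-width decoder for the kind of signal described above (fixed 1.3 ms bit period, two pulse widths), which also discards the receiver noise seen between button presses. The pulse widths, the long-pulse-means-1 mapping, the MSB-first bit order, the frame gap and the sample data are all assumptions or constructed values, not measurements from the poster's capture.

```python
PERIOD_US = 1300        # bit period reported in the thread (1.3 ms)
TOLERANCE = 0.2         # assumed: accept +/-20 % timing jitter
GAP_US = 4 * PERIOD_US  # assumed: a low time this long ends a frame
MIN_BITS = 8            # assumed: shorter runs are receiver noise

def decode_frames(pulses):
    """Decode (high_us, low_us) pairs into one bit string per frame."""
    frames, bits = [], []

    def flush():
        # Keep a run only if it is long enough to be a real frame.
        if len(bits) >= MIN_BITS:
            frames.append("".join(bits))
        bits.clear()

    for high, low in pulses:
        last_in_frame = low >= GAP_US
        # The last bit is followed by the inter-frame gap, so only its
        # high time can be checked; every other bit must match the period.
        period_ok = last_in_frame or abs(high + low - PERIOD_US) <= TOLERANCE * PERIOD_US
        if not period_ok or high >= PERIOD_US:
            flush()  # an out-of-spec pulse (noise) breaks the current run
            continue
        # Assumed mapping: high time above half the period is a 1.
        bits.append("1" if high > PERIOD_US / 2 else "0")
        if last_in_frame:
            flush()
    flush()
    return frames

def bits_to_hex(bits):
    """Pack a bit string MSB-first (assumed bit order) into hex bytes."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).hex()

# Constructed sample, not taken from the poster's capture: noise, one
# 16-bit frame, more noise, then the same frame repeated.
SHORT, LONG = (330, 970), (960, 340)
_frame = [LONG if b == "1" else SHORT for b in "1010010100000011"]
_frame[-1] = (_frame[-1][0], 12000)  # trailing inter-frame gap
NOISE = [(40, 90), (210, 35), (15, 400)]
SAMPLE = NOISE + _frame + NOISE[:1] + _frame

if __name__ == "__main__":
    for frame in decode_frames(SAMPLE):
        print(frame, bits_to_hex(frame))
```

If the decoded frames for different buttons differ only in a few bits, those bits are the likely button field; swapping the 1/0 mapping or the bit order changes only the labelling, not which bits vary.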
