Reverse Engineering central heating wireless thermostat - help needed!

ataradov:
Or the goal of reverse engineering has changed to learning about modulations?

picitup:
Hi, you may well be right, but for the very low price I thought it was worth a try.

No, my main goal is the same: to be able to talk to the wireless receiver next to the boiler, but you're right, I'm being seduced into learning some wider RF in the process.

I'll post up when the SDR arrives and I've had a play with it.

Cheers

Steve

picitup:
Well, my RTL-SDR dongle hasn't arrived yet, but I've had a chance to do some reading and here's what I found:

Dongles
======
I bought the cheapest one I could find (£7.58) and there are reports of drift at the higher end of the spectrum due to overheating.  There's an improved version here:

http://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/

which is $24.95 and has an OCXO for 1 ppm stability, is vented to keep it cooler, and they say it has a more sensitive front end.

The SDRplay device covers from 100 kHz to 2 GHz and costs £118.80 and is here:

http://www.sdrplay.com/

However, don't expect to pick up much at the low end with the piddly antenna supplied with the cheap dongle.  I've read that you can buy a wide band antenna, something like the discone or eBay item 121508352707 if you're really serious.

Software
======
There's a lot of free software out there and there's a list here:

http://www.rtl-sdr.com/big-list-rtl-sdr-supported-software/

I've chosen SDR# (sdrsharp) as it's free and seems to be widely used.  It has a range of plugins (including an oscilloscope!!!) here:

http://www.rtl-sdr.com/sdrsharp-plugins/

Identifying Signals
=============
If you're a noob like me, you might like to look at the Signal Identification Wiki, which has pictures of waterfalls, audio recordings and modulation types etc:

http://www.sigidwiki.com/wiki/Signal_Identification_Guide

Well that's all for now.  I'm away all weekend so if the dongle doesn't arrive tomorrow then I'll post up again next week.

Cheers

Steve

picitup:
Hi All

After a short present-wrapping break I found some time to look at this.  The SDR dongle arrived and I installed SDR# to play with it.  Just a couple of comments about the dongle: it's quite wide and fouls the USB port next to it, so I bought a 4 inch USB extension cable which seems to work fine.  Secondly, the supplied antenna had about 3 feet of cable, which made it difficult to get by the window.  The aerial socket on the dongle is MCX, so I bought a 4 foot extension lead.  The antenna screws onto the base with an M3 thread and I've got loads of M3 brass pillars, so I may experiment with different antenna lengths in the future.

To learn SDR# I just played around, tuning in local stations etc., and then calibrated the dongle with a program called, imaginatively, Kalibrate, which scans for local GSM stations and then gives you a ppm offset you enter into SDR# by clicking on the cog icon.

On to the main business: I located my thermostat on the 868 MHz band and proved it was the right one by removing the batteries.  Unsurprisingly, it was the strongest signal at a distance of 1 foot from the antenna.

I've posted up a picture of SDR# (SDR-Raw) and the waterfall shows the transmission.  The 2 wide signals are the thermostat and I'm not sure what the small signal is, but I think it's an outdoor temp sensor that connects to our wireless thermometer.  The thermostat does a couple of bursts of information about every 40 seconds and you can see this in the Audacity recording image Audacity-RepeatSignal.jpg.  The Audacity sampling rate was set to 384 kHz to get about 17 samples per cycle and get a reasonable representation.

Audacity-FirstSignal.jpg and Audacity-FirstSignal-Zoom are zoomed in views of the first burst of data.

Audacity-Single.wav is a recording of the dual spike signal and is amplified to make it more visible.

Now I'm stuck  :-\.  I don't have enough experience to find out the modulation type and protocol.  Choosing RAW seems to have the best audio output as, for example, WFM has a lot of background hiss.  The zoomed-in waveforms as shown below don't seem to represent simple binary and have cycles that are well above and below the centre line and other cycles dancing around the centre line.

If anyone has the patience for an RF noob then I'd be grateful for any help I can get.

I did also take note of the helpful posts that suggested I sniff the SPI bus, and as a backup plan I've ordered an OpenBench logic sniffer which is currently walking its way from China.  I figured I could buy a transmitter only, experiment with it and, if I didn't kill it, sell it again without too much loss.

Thanks for reading....

Steve

ataradov:
Sure. First of all, you have a good start knowing what radio it is and what standard it follows. So it will be very helpful to read IEEE 802.15.4-2006 standard to understand what is going on.

The radio is quite flexible, but assuming they went with frequency/modulation from the standard, here are a few quotes from it:

--- Quote ---The data rate of the 868/915 MHz band BPSK PHY shall be 20 kb/s when operating in the 868 MHz band and 40 kb/s when operating in the 915 MHz band.
--- End quote ---


--- Quote ---The 868/915 MHz BPSK PHY shall employ direct sequence spread spectrum (DSSS) with BPSK used for chip modulation and differential encoding used for data symbol encoding.
--- End quote ---

The raw data is passed to a spectrum spreader, which maps each bit (symbol) to 15-bit long M-sequence, distinct for 1 and 0.

Then the resulting stream is passed on to the BPSK modulator.

Here is what we know about that modulator:
--- Quote ---The chip sequences are modulated onto the carrier using BPSK with raised cosine pulse shaping (roll-off factor = 1) where a chip value of one corresponds to a positive pulse and a chip value of zero corresponds to a negative pulse. The chip rate is 300 kchip/s for the 868 MHz band and 600 kchip/s in the 915 MHz band.
--- End quote ---

With a chip rate of 300 kchip/s you need to digitize your signal with a sampling frequency of at least 600 ksps, but for first experiments it is better to go as fast as the hardware will allow.

Right now your signal looks way undersampled; it is not recoverable.
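
As an added illustration of the transmit chain quoted above (example code written for this page, not code from the thread or from any 802.15.4 radio stack), the following Python models the 868 MHz BPSK PHY at the bit/chip level: differential encoding, spreading of each encoded bit to its 15-chip sequence, despreading by nearest-sequence matching, and the rate arithmetic behind the 600 ksps minimum. The chip table is transcribed from the 2006 standard's symbol-to-chip mapping and should be checked against your copy; the raised-cosine pulse shaping and carrier stages are left out.

```python
# IEEE 802.15.4-2006 868 MHz BPSK PHY at bit/chip level: differential encoding
# -> 15-chip DSSS spreading -> (channel) -> despreading -> differential decoding.
# Symbol-to-chip mapping transcribed from the standard's table (chip c0 first);
# the bit-1 row is the complement of the bit-0 row.
CHIPS_0 = [1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0]
CHIPS_1 = [1 - c for c in CHIPS_0]
CHIPS_PER_SYMBOL = len(CHIPS_0)                    # 15
DATA_RATE_868 = 20_000                             # bit/s in the 868 MHz band
CHIP_RATE_868 = DATA_RATE_868 * CHIPS_PER_SYMBOL   # 300 kchip/s, as quoted
MIN_SAMPLE_RATE = 2 * CHIP_RATE_868                # 600 ksps Nyquist floor

def diff_encode(raw_bits):
    """E_n = R_n xor E_(n-1); E_0 is taken as zero at the start of a packet."""
    encoded, prev = [], 0
    for r in raw_bits:
        prev ^= r
        encoded.append(prev)
    return encoded

def diff_decode(encoded_bits):
    """R_n = E_n xor E_(n-1), the inverse of diff_encode."""
    raw, prev = [], 0
    for e in encoded_bits:
        raw.append(e ^ prev)
        prev = e
    return raw

def spread(encoded_bits):
    """Replace each encoded bit by its 15-chip sequence (15x the bit rate)."""
    chips = []
    for b in encoded_bits:
        chips.extend(CHIPS_1 if b else CHIPS_0)
    return chips

def despread(chips):
    """Map each 15-chip block to the nearer row by Hamming distance. The rows
    differ in all 15 chips, so up to 7 flipped chips per symbol still decode."""
    bits = []
    for i in range(0, len(chips) - CHIPS_PER_SYMBOL + 1, CHIPS_PER_SYMBOL):
        block = chips[i:i + CHIPS_PER_SYMBOL]
        d0 = sum(a != b for a, b in zip(block, CHIPS_0))
        d1 = sum(a != b for a, b in zip(block, CHIPS_1))
        bits.append(1 if d1 < d0 else 0)
    return bits

def roundtrip(raw_bits, flipped_chips=()):
    """Send raw_bits, flip the given chip indices (constructed channel errors),
    and return the bits the receiver recovers."""
    chips = spread(diff_encode(raw_bits))
    for i in flipped_chips:
        chips[i] ^= 1
    return diff_decode(despread(chips))
```

A 384 kHz recording gives fewer than two samples per 300 kchip/s chip, which is why the chip stream cannot be recovered from it; the model also shows that a single flipped chip corrupts nothing, while a wrong symbol after despreading corrupts two decoded bits because of the differential coding.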
