Reverse Engineering central heating wireless thermostat - help needed!
picitup:
Hi All
I'd like to control my central heating from the Internet. The current setup is a wireless stat in the hall and a wireless receiver in the airing cupboard, next to the boiler. I did consider removing the wireless receiver, and fitting a Photon board and controlling it that way, but I don't want to mod the system such that a new occupant can't use it if we sell the house.
I did some searching and found this excellent page:
http://www.stevenhale.co.uk/main/2013/08/home-automation-reverse-engineering-a-worcester-bosch-dt10rf-wireless-thermostat/
This guy didn't own a storage scope, but managed to work out the protocol using a sound card and Audacity (sound recorder) to display the waveform.
In his example, the protocol is very simple; it sends a series of 1s and 0s as a training sequence then a couple of bits at the end signify boiler on or off. His system used a 433 MHz transmitter/receiver and compatible hardware is available from eBay for less than £2.00.
Flush with the promise of a simple and cheap solution, I bought a transmitter and receiver. Then I checked my stat and it's quite different to his.
Mine works at 868.3 MHz and has a couple of chips in it:
The Atmel XMEGA128B1 which is the microcontroller and is here:
http://www.atmel.com/images/atmel-8330-8-and-16-bit-avr-microcontroller-xmega-b-atxmega64b1-atxmega128b1_datasheet.pdf
The second chip is an ATRF212 which is the wireless chip. It's essentially an SPI-to-wireless transceiver chip and is here:
http://www.atmel.com/images/doc8168.pdf
Now for the bit where I'm stuck. I don't have much radio experience and want to buy a suitable receiver for it, then I can decode the transmission and work out the on and off codes. However, the ATRF212 supports a range of transmission standards and I have no idea which one it uses. I have a scope, but that's only 100MHz and a frequency counter that goes up to 1.3GHz but I don't think either are much help in this situation.
Interestingly, the ATRF212 is around £2.00, the XMEGA128B1 is around £3.70 and the stat costs £109.99. I think the manufacturer is making a killing with these...
You may think I've bitten off more than I can chew, and you may be right, but I was wondering if anyone could point me in the right direction?
I've attached some piccies of the stat for reference.
Thanks for reading.....
Steve
rickey1990:
Reverse engineering :D my favourite topic - Well, I've seen people turning on and off an LED from a webpage, http://www.instructables.com/id/ESP8266-Web-Server-Without-Arduino/ & . It uses an ESP8266; it's a WiFi module with a built-in microcontroller. The ones shown in the links previous can be picked up from AliExpress for about £1.50, but I'd recommend spending an extra pound and getting the "NodeMcu Lua" from AliExpress as it has header pins.
Then all you have to do is buy a cheap radio transmitter module and try to get it to communicate wirelessly with the receiver in the thermostat.
Well, that's my idea, hope it helps,
Kind regards,
Rickey
LaserSteve:
Post canceled, it's O_QPSK modulation, my diode detector idea would not work, never mind..
OP needs to sniff the SPI bus. I don't suggest hacking furnace controllers, it's a safety of life issue if something goes wrong. As each TX chip has a MAC address the thermostat is probably a matched pair, anyways...
Steve
picitup:
@rickey1990 Thanks for your reply. The ESP8266 looks really cool - a tiny web server for almost nothing :D
I didn't explain my own setup fully, I have a Photon (previously Spark Core) which you can communicate with over the Internet via their cloud which I guess is quite similar to the NodeMCU you suggested.
I could fit this in a box and get it to power a relay to offer the volt-free contacts in a proper central heating receiver, but I don't want to modify the existing system as I'll have to put it all back together if we sell house.
@LaserSteve how do you know it's O_QPSK? I'm interested to find out. I think you're right about the MAC address, but the user guide shows you how to pair the transmitter/receiver if, for example, you have to replace one of them, so hopefully it's still possible in theory.
Thanks
Steve
ataradov:
The problem with reverse engineering this thing is that you will need equipment and software that will total much more than the price of 10 units.
You can do it on the cheap, of course, but then you will be paying with your time.
There is no point in looking at transmissions over the air with the scope, that's a complete waste of time and you won't see anything because of complex modulations.
You will need to get any ZigBee sniffer hardware/software that is capable of working in sub-GHz bands. The cheap option is Atmel Wireshark interface and ZigBit-based USB stick (~$50). Expensive options start at ~$2500, so I guess they are out of the question.
Another thing you can do is sniff SPI bus and record significant amounts of traffic, so you will need some equipment for that as well.
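An added example, not part of any post in this thread: one way to turn a logic-analyser capture of the SPI bus between the XMEGA and the ATRF212 into readable frames. It uses the AT86RF212 SPI command-byte layout from the datasheet and assumes (the thread does not confirm this) that the stat sends standard IEEE 802.15.4 MAC frames; the function names and the sample bytes are constructed for illustration.

```python
# Added example (not from the thread): decode a logic-analyser SPI capture.
# Each item is the MOSI bytes of one chip-select-low transaction.
# ASSUMPTION: frames carry standard IEEE 802.15.4 MAC headers.
import struct

ADDR_LEN = {2: 2, 3: 8}      # 802.15.4 addressing mode -> address bytes
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}

def classify(mosi: bytes):
    """Classify one transaction by the AT86RF212 SPI command byte."""
    cmd = mosi[0]
    if cmd & 0x80:                       # 1Waaaaaa: register read/write
        return ("reg-write" if cmd & 0x40 else "reg-read"), cmd & 0x3F
    if cmd & 0xE0 == 0x60:               # 011xxxxx: frame buffer write
        phr = mosi[1] & 0x7F             # frame length, including 2-byte FCS
        return "frame-write", mosi[2:2 + phr - 2]   # drop FCS (chip may add it)
    return "other", None                 # frame-buffer read / SRAM: not decoded

def parse_mac(body: bytes):
    """Decode an 802.15.4 MAC header from a frame with the FCS removed."""
    fcf, seq = struct.unpack_from("<HB", body, 0)
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    out = {"type": FRAME_TYPES.get(fcf & 7, "reserved"), "seq": seq,
           "security": bool(fcf & 0x08), "ack_request": bool(fcf & 0x20)}
    pos = 3
    if dst_mode in ADDR_LEN:
        out["dst_pan"] = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        out["dst"] = body[pos:pos + ADDR_LEN[dst_mode]][::-1].hex()
        pos += ADDR_LEN[dst_mode]
    if src_mode in ADDR_LEN:
        if not (fcf & 0x40 and dst_mode in ADDR_LEN):   # PAN ID not compressed
            out["src_pan"] = struct.unpack_from("<H", body, pos)[0]
            pos += 2
        out["src"] = body[pos:pos + ADDR_LEN[src_mode]][::-1].hex()
        pos += ADDR_LEN[src_mode]
    out["payload"] = body[pos:]
    return out

def decode_capture(transactions):
    """Return the parsed MAC header of every frame the MCU wrote to the radio."""
    frames = []
    for mosi in transactions:
        kind, detail = classify(mosi)
        if kind == "frame-write" and len(detail) >= 3:
            frames.append(parse_mac(detail))
    return frames

# Constructed sample capture (not real thermostat traffic).
SAMPLE = [bytes.fromhex("c209"),
          bytes.fromhex("600d61882a34120100020001150000")]
```

Comparing the `payload` bytes of frames captured while the stat calls for heat against those captured while it does not is what narrows down the on and off messages; the register writes show how the MCU configures the radio before transmitting.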