Reverse Engineering a Radio Weather Station with an RTL-SDR

On his blog, Josef Gajdysek has posted about his experience using an RTL-SDR to reverse engineer the radio protocol used by his home weather station. Josef’s weather station is an ISM band device and transmits at 433 MHz. First he opened up GQRX, tuned to his weather station’s transmit frequency of 433.6 MHz and recorded some audio in AM mode. Josef initially assumed that the device would use on-off keying (OOK) to encode the data. However, when he opened the sound file in Audacity and looked at its waveform, he found that the weather station instead used Differential Pulse Position Modulation. In this modulation scheme the distance between pulses determines whether the binary bit is high or low.

Differential Pulse Position Modulation in Audacity

To decode this, Josef wrote a Python script that measures the distance between pulses and converts the pulses into a binary string. Then, by decoding and analyzing the captured packets, he was able to isolate the checksum, temperature, channel, and status flags. Knowing all this finally allowed him to create a real-time decoder that uses rtl_fm. The Python script can be downloaded from his post.
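The pulse-distance measurement described above, as an added example that is not Josef's script: it finds pulse starts in an amplitude envelope, classifies each pulse-to-pulse distance as a bit, and drops packets containing a distance that fits no symbol. The sample rate, pulse width, gap lengths, the short=0/long=1 mapping and the `synthesize` test-signal helper are all constructed assumptions, not values from the weather station.

```python
# Added example: pulse-distance decoding. All timings are constructed
# assumptions, not values measured from the weather station.
SAMPLE_RATE = 48_000     # Hz, assumed sample rate of the AM recording
PULSE_S = 0.0005         # assumed pulse width
SHORT_GAP_S = 0.002      # assumed pulse-to-pulse distance for bit 0
LONG_GAP_S = 0.004       # assumed pulse-to-pulse distance for bit 1
PACKET_GAP_S = 0.008     # assumed silence between packets


def pulse_starts(samples, threshold=0.5):
    """Indices where the normalized envelope rises through the threshold."""
    starts, high = [], False
    for i, s in enumerate(samples):
        if s >= threshold and not high:
            starts.append(i)
        high = s >= threshold
    return starts


def decode(samples, tol=0.25):
    """Return one bit string per packet; packets with a glitch are dropped."""
    packets, bits, ok = [], [], True
    starts = pulse_starts(samples)
    for prev, cur in zip(starts, starts[1:]):
        gap = (cur - prev) / SAMPLE_RATE
        if abs(gap - SHORT_GAP_S) <= tol * SHORT_GAP_S:
            bits.append("0")
        elif abs(gap - LONG_GAP_S) <= tol * LONG_GAP_S:
            bits.append("1")
        elif gap >= PACKET_GAP_S * (1 - tol):      # long silence: packet ends
            if ok and bits:
                packets.append("".join(bits))
            bits, ok = [], True
        else:                                      # distance fits no symbol
            ok = False
    if ok and bits:
        packets.append("".join(bits))
    return packets


def synthesize(bits):
    """Constructed envelope: a pulse before each bit gap, then trailing silence."""
    n = lambda sec: round(sec * SAMPLE_RATE)
    out = []
    for b in bits:
        gap = LONG_GAP_S if b == "1" else SHORT_GAP_S
        out += [1.0] * n(PULSE_S) + [0.0] * (n(gap) - n(PULSE_S))
    return out + [1.0] * n(PULSE_S) + [0.0] * n(PACKET_GAP_S)


if __name__ == "__main__":
    print(decode(synthesize("10110010") + synthesize("0111")))
```

On a real capture, the gap constants would be read off the waveform first, as the post describes doing in Audacity.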

The weather station transmitter.

4 Comments
Heath Raftery

For what it’s worth, I performed a similar exercise for a Digitech XC-0322 weather station. My trials and eventual success are documented here:

https://discuss.ninjablocks.com/t/digitech-xc-0329/1108/4?u=lightyear

Vince

I ran the 32-bit Windows version and it just sits there doing nothing even though I see all kinds of blips on SDR#. If I use the -t option the screen flies off into neverneverland with strange characters. Nothing is decoded and eventually the computer (not just the program) crashes.

Emily Taylor

It might just be because the rtl sucks when it comes to that. I try to use it to decode POCSAG and it's impossible most of the time to get it exactly on with the right settings to decode the data. And the software for lpd433 and power meter stuff is all crap and the layout on github is idiotic. SDR users are morons, you’re pretty much on your own and have to code your own stuff.

Andrej

Hey
I found many other interesting signals in my area but I can't write in a scripting language.
Is there no application that allows me to count the peaks?