Tagged: 433 mhz

Video on Hacking 433 MHz Devices with an RTL-SDR and Raspberry Pi

Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators. 

Andreas decided to do this because he has a 433 MHz remote controlled actuated outdoor awning which he wants to have automatically retract when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with wind speed sensor. But unfortunately he discovered that it has a proprietary protocol that can't talk to his awning, which also has it's own proprietary protocol.

Andreas' solution is to use an RTL-SDR and Raspberry Pi running the rtl_433 decoder software to receive the weather station data. The rtl_433 software already contained a decoder for his weather station, so no further reverse engineering was required. The data is then converted into MQTT which is a common TCP/IP protocol for IoT devices. MQTT is then read by Node-RED which is a flowgraph based programming environment for IoT devices.

Next, unlike the weather station rtl_433 did not already have a decoder implemented for his awning. So Andreas had to reverse engineer the signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then uses an ESP32 processor/WiFi chip and cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.

How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)
How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)

Wireless Door Bell 433 MHz ASK Signal Analysis with a HackRF

Paul Rascagneres, an RF experimenter has recently uploaded a document detailing his efforts at reverse engineering a wireless doorbell (pdf file) with a 433 MHz Amplitude Shift Keyed (ASK) signal with his HackRF software defined radio. The HackRF is a SDR similar to the RTL-SDR, but with a wider available bandwidth and transmit capabilities.

To reverse engineer the doorbell, Paul used GNU Radio with the Complex to Mag decoder block to receive and demodulate the ASK signal. Once demodulated he was able to visually see the binary modulated waveform, and manually obtain the serial bit stream. From there he went on to create a GNU Radio program that can automatically obtain the binary strings from the ASK waveform.

In order to replay the signal, Paul found that the simplest way was to use the hackrf_transfer program, which simply records a signal, and then replays it via the HackRF transmitter on demand. With this method Paul was able to ring his doorbell via the HackRF.

Paul also confirmed his SDR results with an Arduino and 433 MHz transceiver. He then took it a step further and used the Arduino to create a system that could automatically receive and replay signals at 433 MHz and 315 MHz.

Decoding an ASK modulated bitstream.
Decoding an ASK modulated bitstream.

Recovering 433MHz Messages with RTL-SDR and MATLAB

Recently RTL-SDR.com reader Ilias wrote in to let us know about a post he uploaded to his blog showing how he was able to decode data from a device transmitting at 433 MHz using an RTL-SDR and MATLAB. MATLAB is a technical computing language that can be used for signal analysis and processing. His post clearly explains the steps he took and is a great aide for anyone wanting to learn about decoding simple signals.

The goal of Ilias’ project was to be able to use the RTL-SDR and MATLAB to uncover the details of a 433 MHz transmitter he bought on Ebay. He wanted to see if he could determine the protocol and recover the data before even looking at the transmitter’s library code.

To do this he first used SDR# to record the data sent at 433 MHz. Then by looking at the waveform in the Audacity audio editor he was able to determine that the signal was on-off-key (OOK) modulated and from this knowledge he was able to manually recover the binary string. Next he used MATLAB to create a program that can automatically decode the received OOK signal. His post goes into further detail about the signal processing steps he took in MATLAB.

433 MHz OOK Transmitter
433 MHz OOK Transmitter

Looking at the 432 to 438 MHz ISM Band

Amateur radio hobbyist LA3ZA shows an image on his blog showing how busy the 70cm ISM band can be in his area in Norway. He uses a roof mounted 1.7 m long vertical antenna with 7.2dBi gain in the 70 cm band. Each signal burst may come from a remote car key, weather monitor, electricity monitor, or other telemetry device. Some of these signals may be decodeable with rtl_433.

Busy ISM Band
Busy ISM Band

Using an RTL-SDR and RTL_433 to Decode Various Devices

Over on his blog, Gough Lui has posted about his experiences with decoding various ASK/OOK devices on the unlicenced 433 MHz ISM band using an RTL-SDR and the command line program rtl_433.

Gough shows how he was able to receive and decode the data from an Aldi weather station device and a wireless doorbell transmitter. He also was able to modify the rtl_433 code slightly to produce a CSV log file of the temperatures that were received and decoded from the weather station.

rtl_433 output of the weather station
rtl_433 output of the weather station