Over on his YouTube channel CWNE88 has posted how he has been using and RTL-SDR with the rtl_433 software to explore the data coming in from various 433 MHz ISM band devices in his neighborhood. In the video he explains how he has set up rtl_433 on his Raspberry Pi, and what sort of data he is receiving. Some examples of devices he's received include various weather stations, doorbells, remotes and car tyre pressure monitors.
He also mentions how these signals are unencrypted, noting that in a future video he will show on GNU Radio how a false signal could be synthesized.
Recently Marc has released his RTL433 plugin for SDR# over on GitHub and his Wixsite. RTL433 is a commonly used RTL-SDR command line program that provides decoders for a wide range of 433.92 MHz, 868 MHz, 315 MHz, 345 MHz, and 915 MHz ISM band devices. Examples of such devices include weather stations, alarm sensors, utility monitors, tire pressure monitors and more.
To install the plugin, go to the GitHub page and click on the green Code button, and select Download Zip. In the zip file open the "install" folder and extract the three .dll files into the SDR# folder. Now open the Plugins.xml file in Notepad and add the following line between the <sharpPlugins></sharpPlugins> tags.
Now you can add the plugin to the SDR# screen using the hamburger menu within SDR# on the top left. When a device is discovered it will open up a window for that device, logging data from it over time.
Over on Kickstarter we've recently come across a project called "WeatherSense" which is currently being crowdfunded. WeatherSense is a custom built set of 433 MHz wireless weather sensors made for makers. The outdoor "WeatherRack2" unit includes sensors and features like an anemometer, sunlight sensor, rain gauge, UV sensor, temperature and humidity sensor. wind direction sensor, as well as a solar panel for battery life extension and a Stevenson screen for shielding. They also have indoor units that measure temperature and humidity.
What's interesting to us is that they are using an RTL-SDR + Raspberry Pi as part of their 433 MHz receiver system. Their system includes a Raspberry Pi SD card image with built in Python software that is used with the RTL-SDR for receiving and decoding the weather sensor signals. They also provide an option for a simpler Arduino + 433 MHz receiver kit if you didn't want to use an SDR.
The campaign is currently fully funded, with 6 days left in the campaign. A kit including RTL-SDR and WeatherRack2 currently costs US$126 + shipping.
The ZIFON YT-500 is a pan-tilt tripod designed for mounting small cameras and smart phones. It also comes with an RF based 433 MHz wireless remote control that allows you to remotely control the positioning.
To do this he first used an RTL-SDR and SDR# to record the signals generated by each button press of the remote. He then opens the audio files in Audacity which allows him to inspect the signal's structure and determine some important information such as the preamble + payload timing and ON/OFF pattern.
Knowing this information he was then able to use an Arduino with a 433 MHz transmitter connected to replicate the signal exactly. His post contains the sample code that he used.
Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators.
Andreas decided to do this because he has a 433 MHz remote controlled actuated outdoor awning which he wants to have automatically retract when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with wind speed sensor. But unfortunately he discovered that it has a proprietary protocol that can't talk to his awning, which also has it's own proprietary protocol.
Andreas' solution is to use an RTL-SDR and Raspberry Pi running the rtl_433 decoder software to receive the weather station data. The rtl_433 software already contained a decoder for his weather station, so no further reverse engineering was required. The data is then converted into MQTT which is a common TCP/IP protocol for IoT devices. MQTT is then read by Node-RED which is a flowgraph based programming environment for IoT devices.
Next, unlike the weather station rtl_433 did not already have a decoder implemented for his awning. So Andreas had to reverse engineer the signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then uses an ESP32 processor/WiFi chip and cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.
#209 How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)
Fortunately Tristan’s current thermostat is wireless, so he decided to use his RTL-SDR to sniff the data it sends to try and find the on and off signals. By using SDR# he was able to discover the radio traffic stream in the ISM band at 433 MHz. After simply recording the signal audio, he passed the audio file into Audacity to analyze the messages. He discovered that the ON and OFF signals were on-off key (OOK) modulated, and he was able to discover the binary control string and pulse timings.
With this information at hand, Tristan was then able to use a cheap 433 MHz radio transmitter together with his Arduino to replicate the ON/OFF boiler control signals. In the future Tristan plans to add a temperature sensor and web interface to monitor everything.
When Tom Taylors home heating boiler was replaced the builders also replaced the old wired rotary thermostat with a digital wireless one. It sounds good, but Tom soon discovered that the thermostat UI was terrible and that the buttons were horrible to press, making him prefer to shiver in the cold. So Tom decided to see if there was a smarter way to control the heating.
When Tom investigated the thermostat, he discovered that the wireless unit transmitted in the unlicensed 433 MHz band and that the thermostat only transmitted two commands, turn on or turn off. By using his RTL-SDR and the CubicSDR software on his Mac he was able to detect the short blip of the thermostat wireless signal. Next he recorded the on and off signals and opened the sound files in Audacity, an audio processing software tool. In Audacity he was able to compare the sound waveforms of the on and off signals.
From his analysis he discovered that each signal consisted of a preamble and then an on or off command which is repeated twice, presumably to reduce the likelihood of interference. Tom also discovered that the commands were encoded with pulse width modulation.
From this knowledge Tom was then able to use a cheap 433 MHz transmitter together with an Arduino microcontroller board and a short script to create identical on or off transmissions that control the boiler. Tom writes that his next steps are now to create a heating schedule based on his families shared calender, make a thermostat control loop and create a web connected interface with a Raspberry Pi.
To reverse engineer the doorbell, Paul used GNU Radio with the Complex to Mag decoder block to receive and demodulate the ASK signal. Once demodulated he was able to visually see the binary modulated waveform, and manually obtain the serial bit stream. From there he went on to create a GNU Radio program that can automatically obtain the binary strings from the ASK waveform.
In order to replay the signal, Paul found that the simplest way was to use the hackrf_transfer program, which simply records a signal, and then replays it via the HackRF transmitter on demand. With this method Paul was able to ring his doorbell via the HackRF.
Paul also confirmed his SDR results with an Arduino and 433 MHz transceiver. He then took it a step further and used the Arduino to create a system that could automatically receive and replay signals at 433 MHz and 315 MHz.