Tagged: ism band

Reverse Engineering a Wirelessly Controlled Adjustable Bed with a HackRF and Logic Analyzer

Over on his blog Chris Laplante has written up a post showing how he was able to reverse engineer his wirelessly controlled adjustable "TEMPUR-Contour Elite Breeze" bed. Originally the bed did have an Android App for smartphone control, however it was never updated since 2014 and so it no longer works on his modern Google Pixel device. So in order to have it controllable by his home automation system Chris decided to reverse engineer the wireless signal used by the bed's remote control. 

He first searched the FCC filing, finding that it transmitted in the ISM band at 433.050 to 434.790 MHz. Then using his HackRF he was able to capture the signal and determine that it used Gaussian frequency shift keying (GFSK) modulation.

The GFSK signal from the Tempur Pedic wireless remote control.

While the HackRF got him this far, he decided to follow a new line of investigation next, instead now using a logic analyzer to probe the SPI bus which talks to an Si4431 RF transceiver on the remote control. From this he was able to determine the important properties of the signal such as the frequency, data rate, frequency deviation, channel mapping and packet structure.

With all this information Chris was in the end able to create a product called "Tempur Bridge" that he is now selling on Tindie. It consists of an ESP32 WiFi connected microcontroller and a Si4463 RF transceiver chip. With his product Chris is now able to control his bed through a WiFi connection in Home Assistant.

Chris's TemperBridge product for WiFi control of a Tempur Pedic adjustable bed.

[This story was also seen on Hackaday]

Tech Minds: Demonstrating RTL_433 Running on ESP32 Devices

Earlier in the month we posted about how rtl_433 has been ported to ESP32 devices that are combined with CC1101 or SC127X transceiver chips, such as the low cost LILYGO LoRa 32 boards available on Aliexpress.

Over on YouTube Matt from the Tech Minds channel has uploaded a video showing how to set up rtl_433 on an ESP32 device, and how to set it up with a home automation service like Home Assistant, Node Red or OpenHAB via an MQTT broker.

RTL 433 ON ESP32 DEVICE - MQTT HOME ASSISTANT

rtl_433 ported to ESP32 microcontrollers with CC1101 or SX127X Transceiver Chips

Receiving wireless sensors operating in the unlicensed ISM band has been made almost universal with rtl_433 and RTL-SDRs. However, recently rtl_433 has been ported over for use on ESP32 microcontrollers that are combined with CC1101 or SC127X transceiver chips.

PCB boards that combine these two chips can be found cheaply on Aliexpress as LoRa boards, under the name "LILYGO LoRa 32". If you are unaware, ESP32 chips cheaply combine a WiFi and Bluetooth modem with a microcontroller that is capable of hosting a webserver. CC1101 and SC127X are low cost low power hardware transceiver chips made for IOT devices. We've posted about LILYGO boards in the past as they've been used with interesting projects such as Meshtastic, and for weather balloon tracking.

This project could be useful for home automation as a module has been made available for openMQTTGateway. Instead of dedicating a more powerful Raspberry Pi and RTL-SDR, you can now dedicate a much cheaper and much lower power device to the task. 

[Also seen on Hackaday.]

RTL_433 running on a LILYGO LoRa V2 Board
RTL_433 running on a LILYGO LoRa V2 Board

TechMinds: Testing the ISM Packet Decoder Plugin for SDR Sharp

Over on the TechMinds YouTube channel Matt has uploaded a video demonstrating the use of the ISM Packet Decoder plugin for SDR# which was released a few months ago. The plugin authors website also contains more information about the installation and features of plugin.

The plugin makes use of the well known rtl_433 software behind the scenes, which is a command line based RTL-SDR compatible decoder for various wireless ISM band devices such as weather stations, car keys, tire pressure sensors, doorbells and various other remote controlled devices. The plugin GUI makes using and displaying data from rtl_433 much more convenient.

ISM Packet Decoder Plugin For SDR Sharp - RTL 433

Exploring 433 MHz Devices in the Neighborhood with RTL-SDR and rtl_433

Over on his YouTube channel CWNE88 has posted how he has been using and RTL-SDR with the rtl_433 software to explore the data coming in from various 433 MHz ISM band devices in his neighborhood. In the video he explains how he has set up rtl_433 on his Raspberry Pi, and what sort of data he is receiving. Some examples of devices he's received include various weather stations, doorbells, remotes and car tyre pressure monitors.

He also mentions how these signals are unencrypted, noting that in a future video he will show on GNU Radio how a false signal could be synthesized.

Decoding 433 MHz Devices With SDR

RTL433 Plugin for SDR# Now Available

Recently Marc has released his RTL433 plugin for SDR# over on GitHub and his Wixsite. RTL433 is a commonly used RTL-SDR command line program that provides decoders for a wide range of 433.92 MHz, 868 MHz, 315 MHz, 345 MHz, and 915 MHz ISM band devices. Examples of such devices include weather stations, alarm sensors, utility monitors, tire pressure monitors and more.

To install the plugin, go to the GitHub page and click on the green Code button, and select Download Zip. In the zip file open the "install" folder and extract the three .dll files into the SDR# folder. Now open the Plugins.xml file in Notepad and add the following line between the <sharpPlugins></sharpPlugins> tags.

<add key="RTL_433" value="SDRSharp.Rtl_433.Rtl_433_Plugin, SDRSharp.Rtl_433" />

Now you can add the plugin to the SDR# screen using the hamburger menu within SDR# on the top left. When a device is discovered it will open up a window for that device, logging data from it over time.

RTL433 SDRSharp Plugin
RTL433 SDR# Plugin Device Windows

WeatherSense: A Wireless 433 MHz Weather Station with RTL-SDR Receiver

Over on Kickstarter we've recently come across a project called "WeatherSense" which is currently being crowdfunded. WeatherSense is a custom built set of 433 MHz wireless weather sensors made for makers.  The outdoor "WeatherRack2" unit includes sensors and features like an anemometer, sunlight sensor, rain gauge, UV sensor, temperature and humidity sensor. wind direction sensor, as well as a solar panel for battery life extension and a Stevenson screen for shielding. They also have indoor units that measure temperature and humidity.

What's interesting to us is that they are using an RTL-SDR + Raspberry Pi as part of their 433 MHz receiver system. Their system includes a Raspberry Pi SD card image with built in Python software that is used with the RTL-SDR for receiving and decoding the weather sensor signals. They also provide an option for a simpler Arduino + 433 MHz receiver kit if you didn't want to use an SDR.

The campaign is currently fully funded, with 6 days left in the campaign. A kit including RTL-SDR and WeatherRack2 currently costs US$126 + shipping.

The Weather Sense WeatherRack2
WeatherSense 433 MHz Weather Sensors. Using RTL-SDR for the receiver.

Reverse Engineering and Controlling a Pan-Tilt Camera Servo with an RTL-SDR and Arduino

The ZIFON YT-500 is a pan-tilt tripod designed for mounting small cameras and smart phones. It also comes with an RF based 433 MHz wireless remote control that allows you to remotely control the positioning.

However, Konstantin Dorohov wanted to be able to control the camera positioning from his PC rather than through the remote control, so he set out to reverse engineer and clone the 433 MHz wireless control signal.

To do this he first used an RTL-SDR and SDR# to record the signals generated by each button press of the remote. He then opens the audio files in Audacity which allows him to inspect the signal's structure and determine some important information such as the preamble + payload timing and ON/OFF pattern. 

Knowing this information he was then able to use an Arduino with a 433 MHz transmitter connected to replicate the signal exactly. His post contains the sample code that he used.

Reverse Engineering the Pan/Tilt Servo with an RTL-SDR, and replicating the signal with an Arduino.
Reverse Engineering the Pan/Tilt Servo with an RTL-SDR, and replicating the signal with an Arduino.