Tagged: ism band

Video on Hacking 433 MHz Devices with an RTL-SDR and Raspberry Pi

Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators. 

Andreas decided to do this because he has a 433 MHz remote controlled actuated outdoor awning which he wants to have automatically retract when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with wind speed sensor. But unfortunately he discovered that it has a proprietary protocol that can't talk to his awning, which also has it's own proprietary protocol.

Andreas' solution is to use an RTL-SDR and Raspberry Pi running the rtl_433 decoder software to receive the weather station data. The rtl_433 software already contained a decoder for his weather station, so no further reverse engineering was required. The data is then converted into MQTT which is a common TCP/IP protocol for IoT devices. MQTT is then read by Node-RED which is a flowgraph based programming environment for IoT devices.

Next, unlike the weather station rtl_433 did not already have a decoder implemented for his awning. So Andreas had to reverse engineer the signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then uses an ESP32 processor/WiFi chip and cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.

#209 How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)

Building a NEST Thermostat with Arduino and an RTL-SDR

The Nest thermostat is a smart thermostat that learns your schedule and automatically adjusts the heat in your house for optimal energy savings.  Tristan didn’t want to buy a Nest, but wanted to replicate the Nest thermostat’s functionality by using an Arduino to automatically regulate his apartments central heating boiler. To do this he needed to find a way to turn the heating on and off programatically.

Fortunately Tristan’s current thermostat is wireless, so he decided to use his RTL-SDR to sniff the data it sends to try and find the on and off signals. By using SDR# he was able to discover the radio traffic stream in the ISM band at 433 MHz. After simply recording the signal audio, he passed the audio file into Audacity to analyze the messages. He discovered that the ON and OFF signals were on-off key (OOK) modulated, and he was able to discover the binary control string and pulse timings.

With this information at hand, Tristan was then able to use a cheap 433 MHz radio transmitter together with his Arduino to replicate the ON/OFF boiler control signals. In the future Tristan plans to add a temperature sensor and web interface to monitor everything.

In the past we’ve also posted about a similar project by Tom Taylor where he reverse engineers his thermostat with an RTL-SDR and controls it with an Arduino.


Reverse engineering a wireless thermostat with an RTL-SDR

When Tom Taylors home heating boiler was replaced the builders also replaced the old wired rotary thermostat with a digital wireless one. It sounds good, but Tom soon discovered that the thermostat UI was terrible and that the buttons were horrible to press, making him prefer to shiver in the cold. So Tom decided to see if there was a smarter way to control the heating.

When Tom investigated the thermostat, he discovered that the wireless unit transmitted in the unlicensed 433 MHz band and that the thermostat only transmitted two commands, turn on or turn off. By using his RTL-SDR and the CubicSDR software on his Mac he was able to detect the short blip of the thermostat wireless signal. Next he recorded the on and off signals and opened the sound files in Audacity, an audio processing software tool. In Audacity he was able to compare the sound waveforms of the on and off signals.

From his analysis he discovered that each signal consisted of a preamble and then an on or off command which is repeated twice, presumably to reduce the likelihood of interference. Tom also discovered that the commands were encoded with pulse width modulation.

From this knowledge Tom was then able to use a cheap 433 MHz transmitter together with an Arduino microcontroller board and a short script to create identical on or off transmissions that control the boiler. Tom writes that his next steps are now to create a heating schedule based on his families shared calender, make a thermostat control loop and create a web connected interface with a Raspberry Pi.

The 433 MHz thermostat on/off signal detected with an RTL-SDR in the CubicSDR software
The 433 MHz thermostat on/off signal detected with an RTL-SDR in the CubicSDR software

Wireless Door Bell 433 MHz ASK Signal Analysis with a HackRF

Paul Rascagneres, an RF experimenter has recently uploaded a document detailing his efforts at reverse engineering a wireless doorbell (pdf file) with a 433 MHz Amplitude Shift Keyed (ASK) signal with his HackRF software defined radio. The HackRF is a SDR similar to the RTL-SDR, but with a wider available bandwidth and transmit capabilities.

To reverse engineer the doorbell, Paul used GNU Radio with the Complex to Mag decoder block to receive and demodulate the ASK signal. Once demodulated he was able to visually see the binary modulated waveform, and manually obtain the serial bit stream. From there he went on to create a GNU Radio program that can automatically obtain the binary strings from the ASK waveform.

In order to replay the signal, Paul found that the simplest way was to use the hackrf_transfer program, which simply records a signal, and then replays it via the HackRF transmitter on demand. With this method Paul was able to ring his doorbell via the HackRF.

Paul also confirmed his SDR results with an Arduino and 433 MHz transceiver. He then took it a step further and used the Arduino to create a system that could automatically receive and replay signals at 433 MHz and 315 MHz.

Decoding an ASK modulated bitstream.
Decoding an ASK modulated bitstream.

Reverse Engineering a Radio Weather Station with an RTL-SDR

On his blog Josef Gajdysek has posted about his experience with using an RTL-SDR to reverse engineer the radio protocol used by his home weather station. Josef’s weather station is an ISM band device and transmits at 433 MHz. First he opened up GQRX and tuned to his weather station’s transmit frequency of 433.6 MHz and recorded some audio in AM mode. Josef initially assumed that the device would use on-off-keying (OOK) to encode the data. However, when he opened the sound file in Audacity and looked at it’s waveform he found that the weather station instead used Differential Pulse Position Modulation. In this modulation scheme the distance between pulses determines whether or not the binary bit is high or low.

Differential Pulse Position Modulation in Audacity
Differential Pulse Position Modulation in Audacity

To decode this Josef then wrote a python script to measure the distance between pulses and thus convert the pulses into a binary string. Then by decoding and analyzing the captured packets he was able to isolate the checksum, temperature, channel, and status flags. Knowing all this information finally allowed him to create a real time decoder that uses rtl_fm. The python script can be downloaded from his post.

The weather station transmitter.
The weather station transmitter.

Recovering 433MHz Messages with RTL-SDR and MATLAB

Recently RTL-SDR.com reader Ilias wrote in to let us know about a post he uploaded to his blog showing how he was able to decode data from a device transmitting at 433 MHz using an RTL-SDR and MATLAB. MATLAB is a technical computing language that can be used for signal analysis and processing. His post clearly explains the steps he took and is a great aide for anyone wanting to learn about decoding simple signals.

The goal of Ilias’ project was to be able to use the RTL-SDR and MATLAB to uncover the details of a 433 MHz transmitter he bought on Ebay. He wanted to see if he could determine the protocol and recover the data before even looking at the transmitter’s library code.

To do this he first used SDR# to record the data sent at 433 MHz. Then by looking at the waveform in the Audacity audio editor he was able to determine that the signal was on-off-key (OOK) modulated and from this knowledge he was able to manually recover the binary string. Next he used MATLAB to create a program that can automatically decode the received OOK signal. His post goes into further detail about the signal processing steps he took in MATLAB.

433 MHz OOK Transmitter
433 MHz OOK Transmitter

Decoding Oregon Scientific Weatherstation Messages using Gnuradio

Recently a reader of rtl-sdr.com, DO2BJK wrote in to let us know about his project where he used GNU Radio to decode Oregon Scientific V1 and V2 weather station messages. To receive the weather station messages which are sent in the ISM band at 433 MHz, DO2BJK used a USRP B210, but he writes that other SDRs such as an RTL-SDR or HackRF will also work. To decode the signal, DO2BJK took the usual steps of recording the signal and looking at the audio waveform in Audacity. From the waveform he was able to determine the bit string and discover the preamble, sync and data parts of a packet. He then used GNU Radio and wrote a Python program to receive the signal and automatically detect the preamble and extract the temperate data. His code is available on GitHub at https://github.com/bkerler/OregonDecoder/.

Bit string signal interpretation
Bit string signal interpretation

Analyzing 433 MHz Transmitters with the RTL-SDR

Over on his blog, Yashin has written a post showing how to analyze 433 MHz transmitters using several methods. Devices that transmit using low power 433 MHz are common and often include devices such as weather monitors, power monitors and alarm sensors.

To show his analysis methods Yashin used an ASK modulated FS1000A 433 MHz transmitter connected to an Arduino Teensy microcontroller. He first uses GQRX and baudline together with an RTL-SDR in Kali Linux to test that the transmitter is working and to visually inspect the RF spectrum. Then he shows how to use GNU Radio to receive the 433 MHz transmitter and how to record an audio file. The final tool he shows how to use is rtl_433 which will automatically decode the data into binary strings using the analysis option.

ASK 433 MHz Transmitter
ASK 433 MHz Transmitter