Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators.
Andreas decided to do this because he has a 433 MHz remote controlled actuated outdoor awning which he wants to have automatically retract when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with wind speed sensor. But unfortunately he discovered that it has a proprietary protocol that can't talk to his awning, which also has it's own proprietary protocol.
Andreas' solution is to use an RTL-SDR and Raspberry Pi running the rtl_433 decoder software to receive the weather station data. The rtl_433 software already contained a decoder for his weather station, so no further reverse engineering was required. The data is then converted into MQTT which is a common TCP/IP protocol for IoT devices. MQTT is then read by Node-RED which is a flowgraph based programming environment for IoT devices.
Next, unlike the weather station rtl_433 did not already have a decoder implemented for his awning. So Andreas had to reverse engineer the signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then uses an ESP32 processor/WiFi chip and cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.
How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)
Johannes Smit wanted to be able to view the live data from his SWR WH2303 weather station and send it to a database. Whilst the weather data acquisition software that he paid for worked well, he thought that there must be a cheaper and more fun way to grab the data. But unfortunately the manufacturers would not respond to his request for the RF protocol specifications. So Johannes decided to reverse engineer the protocol using his RTL-SDR instead.
Next he fired up Universal Radio Hacker (URH) and captured a sample of the weather station signal. Using URH he was able to determine the modulation type (FSK) and the bit length parameter (150us). Johannes' next step was to open the weather station, find the RF chip, look up the RF chip information on the web and find the spec sheet. From the spec sheet and internet forum searches he was able to determine the properties of the packet including the sync word and preamble. With this data he was able to determine the packet structure.
Finally he captured a packet and recorded the exact data shown on the weather station at the time of the packet. With this he was able to search the binary data string for the data shown on the weather station, indicating the location of a particular piece of data within the string.
Johannes' tutorial shows just how powerful tools like Universal Radio Hacker can be, and his tutorial is an excellent start for those looking at reverse engineering any of their own local RF protocols.
On his blog Josef Gajdysek has posted about his experience with using an RTL-SDR to reverse engineer the radio protocol used by his home weather station. Josef’s weather station is an ISM band device and transmits at 433 MHz. First he opened up GQRX and tuned to his weather station’s transmit frequency of 433.6 MHz and recorded some audio in AM mode. Josef initially assumed that the device would use on-off-keying (OOK) to encode the data. However, when he opened the sound file in Audacity and looked at it’s waveform he found that the weather station instead used Differential Pulse Position Modulation. In this modulation scheme the distance between pulses determines whether or not the binary bit is high or low.
To decode this Josef then wrote a python script to measure the distance between pulses and thus convert the pulses into a binary string. Then by decoding and analyzing the captured packets he was able to isolate the checksum, temperature, channel, and status flags. Knowing all this information finally allowed him to create a real time decoder that uses rtl_fm. The python script can be downloaded from his post.
Recently a reader of rtl-sdr.com, DO2BJK wrote in to let us know about his project where he used GNU Radio to decode Oregon Scientific V1 and V2 weather station messages. To receive the weather station messages which are sent in the ISM band at 433 MHz, DO2BJK used a USRP B210, but he writes that other SDRs such as an RTL-SDR or HackRF will also work. To decode the signal, DO2BJK took the usual steps of recording the signal and looking at the audio waveform in Audacity. From the waveform he was able to determine the bit string and discover the preamble, sync and data parts of a packet. He then used GNU Radio and wrote a Python program to receive the signal and automatically detect the preamble and extract the temperate data. His code is available on GitHub at https://github.com/bkerler/OregonDecoder/.
In Boulder, Colorado (and possibly other US cities) there is a radio based weather monitoring system known as ‘Urban Drainage and Flood Control’. This is a system that monitors rainfall and other weather information and transmits data using the ALERT protocol.
Using his RTL-SDR and GQRX, he made a recording of some of the weather station packets on that frequency. Next he used a command line utility called minimodem to convert the recorded packets into binary data. After looking up the protocol online, he was then able to understand the binary string and extract the station ID information from it. Cparker then went on to write code that would plot the received stations on a map by cross referencing the station ID with a website containing location information about these sensors. Finally, he managed to get the whole system running live on a Raspberry Pi.
Gough shows how he was able to receive and decode the data from an Aldi weather station device and a wireless doorbell transmitter. He also was able to modify the rtl_433 code slightly to produce a CSV log file of the temperatures that were received and decoded from the weather station.