Gerrit's weather station displays its data on a wirelessly connected LCD screen, but he notes how difficult it is to view historical data or to graph trends. Having discovered that the rtl_433 RTL-SDR decoder supports his particular weather station (a Fine Offset Electronics WH1080/WH3080 compatible Weather Station (Alecto WS-4000)), Gerrit decided to write some code to log data to a SQL database, and display that data via a Python Dash (Plotly) web interface. The RTL-SDR, rtl_433 and custom software all run on a Raspberry Pi.
The interface allows Gerrit to view live and historical data on neatly plotted graphs. His complete open source code can be found on GitHub.
The La Crosse weather station system consists of an LCD base station and various wireless sensors. Ryan first discovered that the devices used the 915 MHz frequency band via details written on the device itself. His next step was to open up Universal Radio Hacker and use one of his SDRs to record a packet. URH then allowed him to convert that data into bits for packet analysis. The rest of his post goes into detail on how he set the symbol rate, discovered the preamble and reverse engineered the CRC code.
The next step he took was to generate a spoofed packet in URH and transmit it with the PlutoSDR. This allowed him to set the base station display to any temperature that he specified. But he ran into a problem where only the first packet he sent after power up was received. Eventually he discovered that the system sets a randomized interval for each of the transmitters at startup, and data outside of that interval is ignored.
Ryan's post explains his whole thought process and progress in detail, so it is an excellent study for anyone looking to get into reverse engineering wireless signals.
Over on YouTube user mostlychris has uploaded a helpful tutorial video showing how to use an RTL-SDR to collect data coming from a personal weather station and graph it in the home automation software known as Home Assistant.
To do this he uses an RTL-SDR on a Raspberry Pi running rtl_433, which receives and decodes the weather station data. He then configures rtl_433 to output data in the MQTT protocol, which Home Assistant can receive and understand. Finally he configures Home Assistant to plot the received data. The tutorial is comprehensive, covering every step required from start to finish.
Take charge of your own Ambient weather data with Raspberry Pi, MQTT, and Home Assistant.
Over on YouTube user Andreas Spiess has uploaded a video showing how to use an RTL-SDR to reverse engineer 433 MHz ISM band devices such as Internet of Things (IoT)/home automation sensors and actuators.
Andreas decided to do this because he has a 433 MHz remote controlled actuated outdoor awning which he wants to have automatically retract when the wind speed gets too high. To do this he wanted to use a wireless 433 MHz ISM band weather station with a wind speed sensor. But unfortunately he discovered that it has a proprietary protocol that can't talk to his awning, which also has its own proprietary protocol.
Andreas' solution is to use an RTL-SDR and Raspberry Pi running the rtl_433 decoder software to receive the weather station data. The rtl_433 software already contained a decoder for his weather station, so no further reverse engineering was required. The data is then converted into MQTT which is a common TCP/IP protocol for IoT devices. MQTT is then read by Node-RED which is a flowgraph based programming environment for IoT devices.
Next, unlike for the weather station, rtl_433 did not already have a decoder implemented for his awning. So Andreas had to reverse engineer the signal from scratch using the Universal Radio Hacker software. Using the reverse engineered signal information, Andreas then uses an ESP32 processor/WiFi chip and a cheap 433 MHz transmitter to implement a clone of the awning's remote control signals. The ESP32 is programmed to understand the MQTT data sent from the Raspberry Pi via WiFi, so now the weather station can control the awning with a little bit of logic code in Node-RED.
#209 How to Hack your 433 MHz Devices with a Raspberry and a RTL-SDR Dongle (Weather Station)
Johannes Smit wanted to be able to view the live data from his SWR WH2303 weather station and send it to a database. Whilst the weather data acquisition software that he paid for worked well, he thought that there must be a cheaper and more fun way to grab the data. But unfortunately the manufacturers would not respond to his request for the RF protocol specifications. So Johannes decided to reverse engineer the protocol using his RTL-SDR instead.
Next he fired up Universal Radio Hacker (URH) and captured a sample of the weather station signal. Using URH he was able to determine the modulation type (FSK) and the bit length parameter (150 µs). Johannes' next step was to open the weather station, find the RF chip, look up the RF chip information on the web and find the spec sheet. From the spec sheet and internet forum searches he was able to determine the properties of the packet including the sync word and preamble. With this data he was able to determine the packet structure.
Finally he captured a packet and recorded the exact data shown on the weather station at the time of the packet. With this he was able to search the binary data string for the data shown on the weather station, indicating the location of a particular piece of data within the string.
Johannes' tutorial shows just how powerful tools like Universal Radio Hacker can be, and his tutorial is an excellent start for those looking at reverse engineering any of their own local RF protocols.
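The field-location step described above, as an added Python example that is not Johannes' code: it searches each capture for the value shown on the display and keeps only the positions that agree across every capture. The packet layout, the candidate encodings (including the +400 offset) and the sample readings are constructed assumptions, not the WH2303 format.

```python
"""Locate a sensor field by searching captures for the value shown on the display."""

def encodings(reading):
    """Candidate integer encodings of a displayed reading (assumed guesses)."""
    tenths = round(reading * 10)
    return {"tenths": tenths, "tenths+400": tenths + 400, "whole": round(reading)}

def find_hits(bits, reading, widths=(8, 12, 16)):
    """Every (offset, width, encoding) at which the reading appears in one packet."""
    hits = set()
    for label, raw in encodings(reading).items():
        for width in widths:
            if not 0 <= raw < (1 << width):
                continue  # value does not fit an unsigned field of this width
            pattern = format(raw, f"0{width}b")
            pos = bits.find(pattern)
            while pos != -1:
                hits.add((pos, width, label))
                pos = bits.find(pattern, pos + 1)
    return hits

def locate_field(captures):
    """Keep only the positions that explain the display value in every capture."""
    common = None
    for bits, reading in captures:
        hits = find_hits(bits, reading)
        common = hits if common is None else common & hits
    return sorted(common or [])

def make_packet(temp_c, humidity):
    """Constructed layout: preamble, id, 12-bit temperature (tenths+400), humidity."""
    return ("10101010" + format(0x5C, "08b")
            + format(round(temp_c * 10) + 400, "012b") + format(humidity, "08b"))

# Constructed (packet, displayed temperature) pairs; the negative reading
# rules out encodings that cannot represent values below zero.
CAPTURES = [(make_packet(t, h), t) for t, h in [(21.3, 45), (19.8, 52), (-3.5, 80)]]

if __name__ == "__main__":
    for hit in locate_field(CAPTURES):
        print("offset=%d width=%d encoding=%s" % hit)
```

A single capture usually matches by coincidence in several places; captures taken at different readings are what narrow the result to one field.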
On his blog Josef Gajdysek has posted about his experience with using an RTL-SDR to reverse engineer the radio protocol used by his home weather station. Josef’s weather station is an ISM band device and transmits at 433 MHz. First he opened up GQRX and tuned to his weather station’s transmit frequency of 433.6 MHz and recorded some audio in AM mode. Josef initially assumed that the device would use on-off-keying (OOK) to encode the data. However, when he opened the sound file in Audacity and looked at its waveform he found that the weather station instead used Differential Pulse Position Modulation. In this modulation scheme the distance between pulses determines whether the binary bit is high or low.
To decode this Josef then wrote a Python script to measure the distance between pulses and thus convert the pulses into a binary string. Then by decoding and analyzing the captured packets he was able to isolate the checksum, temperature, channel, and status flags. Knowing all this information finally allowed him to create a real time decoder that uses rtl_fm. The Python script can be downloaded from his post.
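The pulse-distance measurement described above, as an added Python example that is not Josef's script: it finds pulse starts in an AM envelope, classifies each start-to-start gap as short or long, and treats any other gap as a packet boundary. The timings, the short=0/long=1 mapping and the test envelope are constructed assumptions.

```python
"""Decode pulse-distance keyed bits from an AM envelope (constructed timings)."""

def pulse_starts(samples, threshold=0.5):
    """Sample indices where the envelope rises through the threshold."""
    starts, was_high = [], False
    for i, level in enumerate(samples):
        is_high = level >= threshold
        if is_high and not was_high:
            starts.append(i)
        was_high = is_high
    return starts

def decode_gaps(starts, short=20, long=40, tol=0.25):
    """Turn start-to-start gaps into bit strings, one string per packet."""
    packets, current = [], ""
    for prev, nxt in zip(starts, starts[1:]):
        gap = nxt - prev
        if abs(gap - short) <= tol * short:
            current += "0"          # assumed mapping: short gap = 0
        elif abs(gap - long) <= tol * long:
            current += "1"          # assumed mapping: long gap = 1
        else:                       # pause or glitch: close the current packet
            if current:
                packets.append(current)
            current = ""
    if current:
        packets.append(current)
    return packets

def synthesize(packets, short=20, long=40, pause=90, width=5):
    """Build a constructed test envelope: 1.0 during a pulse, 0.05 noise floor."""
    samples = []
    for bits in packets:
        samples += [1.0] * width                      # leading pulse
        for bit in bits:
            gap = long if bit == "1" else short
            samples += [0.05] * (gap - width) + [1.0] * width
        samples += [0.05] * (pause - width)           # silence between repeats
    return samples

def decode_envelope(samples):
    """Full path from envelope samples to per-packet bit strings."""
    return decode_gaps(pulse_starts(samples))

if __name__ == "__main__":
    envelope = synthesize(["10110010", "10110010"])
    print(decode_envelope(envelope))
```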
Recently a reader of rtl-sdr.com, DO2BJK, wrote in to let us know about his project where he used GNU Radio to decode Oregon Scientific V1 and V2 weather station messages. To receive the weather station messages, which are sent in the ISM band at 433 MHz, DO2BJK used a USRP B210, but he writes that other SDRs such as an RTL-SDR or HackRF will also work. To decode the signal, DO2BJK took the usual steps of recording the signal and looking at the audio waveform in Audacity. From the waveform he was able to determine the bit string and discover the preamble, sync and data parts of a packet. He then used GNU Radio and wrote a Python program to receive the signal, automatically detect the preamble and extract the temperature data. His code is available on GitHub at https://github.com/bkerler/OregonDecoder/.
In Boulder, Colorado (and possibly other US cities) there is a radio based weather monitoring system known as ‘Urban Drainage and Flood Control’. This is a system that monitors rainfall and other weather information and transmits data using the ALERT protocol.
Using his RTL-SDR and GQRX, Cparker made a recording of some of the weather station packets on that frequency. Next he used a command line utility called minimodem to convert the recorded packets into binary data. After looking up the protocol online, he was then able to understand the binary string and extract the station ID information from it. He then went on to write code that would plot the received stations on a map by cross referencing the station ID with a website containing location information about these sensors. Finally, he managed to get the whole system running live on a Raspberry Pi.