Dids (Author), posted April 4, 2016

I recently installed a very powerful LED-based lighting solution in my office, but unfortunately it can only be controlled with a proprietary remote controller. As I've understood it, each remote and receiver are "paired" at the factory (no idea what kind of pairing technique they're using), and as far as I know they use one-way communication at 433 MHz (remote -> receiver).

I've bought an SDR USB dongle which allowed me to accurately record the key presses, and it's relatively easy to see the signals. But since I'm very new to the world of SDR, I have no idea how to decode the signal so I can replicate it on an Arduino or a Raspberry Pi, then use a 433 MHz transmitter (I have several transmitter boards) to send the replicated signal, to for example turn the lighting on or off.

From all the guides and resources I've been researching, they all talk about OOK modulation, but my recorded data looks nothing like the ones I've seen online. I'm fairly sure it's not using OOK modulation, but then again, I know next to nothing about SDR or radio signals.

Below is a link to a sample recording of a single recorded signal. I'm hoping that some of you who are more familiar with SDR could help me with this. Once I know how to decode or replicate one signal, I should be able to continue with the rest of them.

Sample Recording (.wav): https://dl.dropboxusercontent.com/u/480/SDR_Sample.wav

I've gathered the following information from these signals:
- Bit rate is 40 nanoseconds
- Preamble is 180 bits (90 highs and 90 lows)
- Frequency is at around 433,895 MHz
Guest Josef K, posted April 4, 2016

It looks like you're almost there. You can do a clock recovery in GNU Radio, but since this is a one-off, it's far easier to visually decode the signal. It definitely is OOK, and the symbols (bits) are easy to spot. The signal starts with 10101110101010110.....

Replay can be done with a cheap transmitter (e.g. http://www.banggood.com/433Mhz-RF-Transmitter-With-Receiver-Kit-For-Arduino-ARM-MCU-Wireless-p-74102.html). Use the RCSwitch library, configure the timing you've already figured out, and that's it.
Dids (Author), posted April 4, 2016

Well, that sure makes sense, now that I have something to compare it to! I hadn't realized how OOK actually worked, or even that it was in fact OOK, so I had no idea how to calculate the bits. It makes perfect sense now, and I can easily calculate all the signals by hand this way. Thanks Josef, you've been an absolutely huge help!

I have pretty much those exact transmitters (got them from DealExtreme), so I should be good to go! Thanks again. :)
Dids (Author), posted April 4, 2016

Just tried RCSwitch, but it tries to send short and long pulses instead (like all other OOK stuff I've seen). My remote doesn't seem to do short and long pulses at all, but does this matter? It also doesn't seem to support sending a preamble?
bored369, posted April 5, 2016

You may want to check out some of the YARD Stick One Hak5 episodes; what you are trying to do is almost exactly what it was designed for: https://revision3.com/hak5/how-to-hack-wireless-remotes-with-radio-replay-att

You don't need to have that piece of hardware, but those episodes could give you a good underlying basis for what you are trying to do and working with there. The maker of the YS1, Mike Ossmann, has some really good tutorials on his site as well, going over the basics and working with the information here: https://revision3.com/hak5/how-to-hack-wireless-remotes-with-radio-replay-att

Also, in any talk he's given he usually goes into a ton of details. I can't remember if it's the YS1 or the HackRF (maybe both?) that there's basically a couple of commands (record pattern/play pattern) where you don't even have to do all the decoding; you just record it, then play it back.
Karit, posted April 5, 2016

> I can't remember if it's the YS1 or the HackRF (maybe both?) that there's basically a couple of commands (record pattern/play pattern) where you don't even have to do all the decoding; you just record it, then play it back.

YARD Stick One does RfCat, which makes it simple Python commands. (As it is a hardware-defined radio.) A HackRF is an SDR and isn't that simple, but it is more powerful and not as restricted with frequencies or modulation types.
bored369, posted April 5, 2016

> A HackRF is an SDR and isn't that simple, but it is more powerful and not as restricted with frequencies or modulation types.

http://x8x.net/2014/08/23/hackrf-doorbell-ringer-part-2/

That link shows off what I meant, and it was the HackRF that has the two simple commands to record and then play back. Though that page does mention some of the downsides and why it's possibly better to decode and transmit exactly what you need, if you are in a controlled environment or add some filtering it's not that big a deal.

hackrf_transfer -r filename -f frequency
hackrf_transfer -t filename -f frequency -x #ofPlayback

The YARD Stick One is supposed to be really easy to use with RfCat and the Python commands, though. I just remembered seeing how simple one of them made it, and it looks like it's the HackRF I was thinking of.
Dids (Author), posted April 5, 2016

Since my recordings don't have short and long pulses, I'm assuming I'm actually dealing with ASK modulation. There's a ton of things that are hard to figure out, including timing (mostly due to Audacity and microseconds). With this information, I'm fairly sure my preamble calculations are wrong, as I'm assuming I'll need to find a way to chop the recordings into equally sized bits (i.e. the length of one bit, or the bit rate), so I can clearly calculate the preamble length and silence length (or just put X number of 0's there instead) and then figure out a way to send this data with more or less the same timing as in the recording.

I'm not using a HackRF, as I'm creating a small embedded device with built-in Wi-Fi.
Dids (Author), posted April 5, 2016

Err, I guess OOK is a type of ASK modulation, according to Wikipedia. Still doesn't explain why 99% of the articles I've found have short/long pulses instead of silence/pulse (0/1).
Dids (Author), posted April 5, 2016

> You may want to check out some of the YARD Stick One Hak5 episodes; what you are trying to do is almost exactly what it was designed for: https://revision3.com/hak5/how-to-hack-wireless-remotes-with-radio-replay-att
>
> You don't need to have that piece of hardware, but those episodes could give you a good underlying basis for what you are trying to do and working with there. The maker of the YS1, Mike Ossmann, has some really good tutorials on his site as well, going over the basics and working with the information here: https://revision3.com/hak5/how-to-hack-wireless-remotes-with-radio-replay-att
>
> Also, in any talk he's given he usually goes into a ton of details. I can't remember if it's the YS1 or the HackRF (maybe both?) that there's basically a couple of commands (record pattern/play pattern) where you don't even have to do all the decoding; you just record it, then play it back.

I should've watched the episode first. I'm guessing my data has padding, which is why there are no continuous 1's.
Guest Josef K, posted April 5, 2016

> Since my recordings don't have short and long pulses, I'm assuming I'm actually dealing with ASK modulation. There's a ton of things that are hard to figure out, including timing (mostly due to Audacity and microseconds). With this information, I'm fairly sure my preamble calculations are wrong, as I'm assuming I'll need to find a way to chop the recordings into equally sized bits (i.e. the length of one bit, or the bit rate), so I can clearly calculate the preamble length and silence length (or just put X number of 0's there instead) and then figure out a way to send this data with more or less the same timing as in the recording.
>
> I'm not using a HackRF, as I'm creating a small embedded device with built-in Wi-Fi.

If you're uncertain about the timing, load the .cfile in 'inspectrum'. The Inspectrum demo on YouTube [1] clearly shows how to figure out the timing.

Also, capture the transmitted data from the Arduino with an SDR and make sure it's the same as from the original before you start to play with the signal. It's quite easy to make mistakes with timing, invert the signal, etc.

I'm not sure about the long and short pulses. Maybe you can modify this with RCSwitch::setProtocol(int nProtocol) [2]??

[1] at 23 sec.
[2] https://developer.mbed.org/users/TheChrisyd/code/RCSwitch/docs/6f4be1a7962c/RCSwitch_8cpp_source.html line 101
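As an added example (not code from the thread or from any of its posters), here is a small Python decoder for the kind of fixed-slot OOK signal Dids and Josef K are discussing above: it thresholds a demodulated envelope, estimates the bit-slot width from the shortest run, slices the capture into equal-width slots the way Dids describes wanting to, and compares two captures the way Josef K suggests for checking that a replayed transmission matches the original. Everything numeric is constructed for the example: the sample rate, the 100-samples-per-bit slot width, the amplitudes and the lead-in silence are made up, and the packet only borrows its opening bits "10101110101010110" from Josef K's post. Real input would be the magnitude of the recorded I/Q samples, one float per sample, not the raw .wav audio.

```python
"""Fixed-slot OOK envelope decoder (added example; not from the thread).

Assumptions, all constructed for this example:
  * the input is a demodulated envelope, one float per sample (the magnitude
    of the recorded I/Q samples), not raw audio;
  * SAMPLE_RATE_HZ and SAMPLES_PER_BIT are made-up values, not the timing of
    the original poster's remote.
"""

SAMPLE_RATE_HZ = 250_000        # constructed: envelope samples per second
SAMPLES_PER_BIT = 100           # constructed: 100 samples = 400 us per bit slot


def constructed_envelope(bits, samples_per_bit=SAMPLES_PER_BIT,
                         lead_silence=37, amplitude=0.8):
    """Synthesise an envelope: '1' = carrier on, '0' = carrier off.
    Silence is padded on both sides and the 'off' level sits slightly above
    zero to mimic receiver noise."""
    env = [0.0] * lead_silence
    for b in bits:
        env.extend([amplitude if b == "1" else 0.02] * samples_per_bit)
    env.extend([0.0] * lead_silence)
    return env


def to_levels(env, threshold=None):
    """Threshold the envelope into 0/1 per sample (half of the peak by default)."""
    peak = max(env)
    if peak <= 0:
        raise ValueError("flat envelope, nothing to decode")
    if threshold is None:
        threshold = peak / 2.0
    return [1 if x >= threshold else 0 for x in env]


def run_lengths(levels):
    """Collapse a level list into (level, run_length_in_samples) pairs."""
    runs = []
    for lv in levels:
        if runs and runs[-1][0] == lv:
            runs[-1][1] += 1
        else:
            runs.append([lv, 1])
    return [(lv, n) for lv, n in runs]


def estimate_bit_samples(runs):
    """Slot width = shortest run between the first and last carrier-on run.
    Leading and trailing silence are excluded because their length is arbitrary."""
    on_idx = [i for i, (lv, _) in enumerate(runs) if lv == 1]
    if not on_idx:
        raise ValueError("no carrier found in recording")
    return min(n for _, n in runs[on_idx[0]:on_idx[-1] + 1])


def decode_fixed_slot(levels, bit_samples=None):
    """Decode fixed-slot OOK (one slot per bit, no short/long pulses): start at
    the first rising edge and sample the level at the centre of every slot.
    Returns (bit_string, slot_width_in_samples). Trailing 0 bits cannot be told
    apart from the silence after the packet, so the string ends at the last '1'."""
    if bit_samples is None:
        bit_samples = estimate_bit_samples(run_lengths(levels))
    start = levels.index(1)
    end = len(levels) - levels[::-1].index(1)        # one past the last '1'
    n_slots = -(-(end - start) // bit_samples)        # ceiling division
    bits = []
    for k in range(n_slots):
        centre = start + k * bit_samples + bit_samples // 2
        bits.append("1" if centre < len(levels) and levels[centre] else "0")
    return "".join(bits), bit_samples


def slot_timing(bit_samples, sample_rate=SAMPLE_RATE_HZ):
    """Slot width in microseconds and the resulting bit rate in bit/s."""
    return bit_samples * 1e6 / sample_rate, sample_rate / bit_samples


def preamble_pairs(bits):
    """Number of leading alternating '10' pairs (the preamble counted by hand)."""
    n = 0
    while bits.startswith("10", 2 * n):
        n += 1
    return n


def compare_captures(env_original, env_replay):
    """Decode a capture of the original remote and a capture of the replayed
    transmission and report whether the bits and the slot timing agree."""
    a, wa = decode_fixed_slot(to_levels(env_original))
    b, wb = decode_fixed_slot(to_levels(env_replay))
    return {"bits_match": a == b, "timing_match": wa == wb,
            "slot_samples": (wa, wb)}


if __name__ == "__main__":
    # constructed packet: 5 preamble pairs plus the opening bits from the thread
    PACKET = "10" * 5 + "10101110101010110"
    original = constructed_envelope(PACKET)
    bits, width = decode_fixed_slot(to_levels(original))
    us, bps = slot_timing(width)
    print(f"bits={bits} slot={width} samples ({us:.0f} us, {bps:.0f} bit/s), "
          f"preamble pairs={preamble_pairs(bits)}")
    # a replay recorded at a different gain but with a wrong slot width is caught
    print(compare_captures(original, constructed_envelope(PACKET, 120, amplitude=0.5)))
```

The decoder deliberately does not look for short and long pulses: in a fixed-slot signal every run is a whole multiple of one slot width, so the shortest run gives the clock and the centre of each slot gives the bit, which is the visual method Josef K describes. The comparison helper is the check he recommends before adjusting anything: a replay whose bits match but whose slot width differs shows up as a timing mismatch rather than passing silently.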