Clone heating control with an 868,3MHz CC1101 module

Hi !

I want to clone the heating control of my boiler using an Arduino Nano and a CC1101 module. In between, I have a level shifter.

The command I want to clone is a 868,3MHz transmitter.

Well, with Universal Radio Hacker (URH), I was able to decode the different messages. I have 3 or 4 different messages (very simple rolling code?) to switch on the pump and 3 or 4 different messages to switch off the pump.

Using RadioLib, I am trying to send the same packets, but so far it has failed, and I have multiple questions:

1/ I was able to decode the message but I do not understand how it is possible, as the carrier is at 868MHz and the sampling in URH is at 1Msample/s. Why? I thought initially that I need at least 2x868,3x1000 samples per sec? Or I misunderstood the URH parameters...

2/ Not really a question, but when I saw the signal I thought it was a PSK modulation, but when I decode it, it is FSK modulation, so is it related to a sample rate issue if the shape of the analog signal looks like a PSK modulated signal?

3/ I wrote a simple program, starting from the RadioLib example and adapted to my case:

#include <RadioLib.h>

// CC1101 has the following connections:
// CS pin:    10
// GDO0 pin:  2
// RST pin:   unused
// GDO2 pin:  3
CC1101 radio = new Module(10, 2, RADIOLIB_NC, 3);

int has_transmitted;

void setup() {
  Serial.begin(9600);

  Serial.print(F("[CC1101] Initializing ... "));
  int state = radio.begin(868.29,33.3, 5.0, 135.0,10.0,128.0);
  if (state == RADIOLIB_ERR_NONE) {
    Serial.println(F("success!"));
  } else {
    Serial.print(F("failed, code "));
    Serial.println(state);
    while (true);
  }
  radio.setEncoding(RADIOLIB_ENCODING_NRZ);
  radio.setCrcFiltering(false);
  radio.setSyncWord(85,85);    //55,55 from 11-138 (2octs)
  //message 555555547696a9a99a9a5555aaa6aaaaaa69aa56999a9666aa9695aa5965aaaaaa995555aaaaaaa65666aaaa6aa9a59a595a550000   139 - 562 (53 octs)
  has_transmitted = 0;
}

void loop() {
  Serial.print(F("[CC1101] Transmitting packet ... "));

  byte byteArr[]={
    0x55,0x55,0x55,0x54,0x76,0x96,0xa9,0xa9,0x9a,0x9a,
    0x55,0x55,0xaa,0xa6,0xaa,0xaa,0xaa,0x69,0xaa,0x56,
    0x99,0x9a,0x96,0x66,0xaa,0x96,0x95,0xaa,0x59,0x65,
    0xaa,0xaa,0xaa,0x99,0x55,0x55,0xaa,0xaa,0xaa,0xa6,
    0x56,0x66,0xaa,0xaa,0x6a,0xa9,0xa5,0x9a,0x59,0x5a,
    0x55,0x00,0x00
  };

  if (has_transmitted == 0) {
    int state = radio.transmit(byteArr, 53);
    has_transmitted = 1;
  
  
    if (state == RADIOLIB_ERR_NONE) {
      Serial.println(F("success!"));
  
    } else if (state == RADIOLIB_ERR_PACKET_TOO_LONG) {
      Serial.println(F("too long!"));
  
    } else {
      Serial.print(F("failed, code "));
      Serial.println(state);
  
    }
  } else {
    
  }
  delay(1000);
}

but this does not produce the same message. It seems to me that there is only one sine curve when I catch it with URH.

What can be wrong? In FSK modulation, we have to change the carrier frequency, is it possible that mine is not correct? The documentation states:

begin(
float freq=RADIOLIB_CC1101_DEFAULT_FREQ,
float br=RADIOLIB_CC1101_DEFAULT_BR,
float freqDev=RADIOLIB_CC1101_DEFAULT_FREQDEV,
float rxBw=RADIOLIB_CC1101_DEFAULT_RXBW,
int8_t pwr=RADIOLIB_CC1101_DEFAULT_POWER,
uint8_t preambleLength=RADIOLIB_CC1101_DEFAULT_PREAMBLELEN
)

I am not sure that I set up « br » or « freqDev » correctly; I do not know how to set them up.

4/ Minor, and I have to fix my signal before fixing this point, but in RadioLib the preambleLength (or certainly on the CC1101) is limited. But when I decode the signal I have a long series of 55 (i.e. 0,1,0,1..), so I set the preamble length to the highest possible value and I start my message with the missing values in the preamble. Is it correct? (That is the reason why my message starts with 0x55,0x55...)

I am sorry if my questions are too vague but I do hope that someone can help me. Thank you in advance...

J.F
Note : I send a picture of the signal I get from the heating control (analog/spectrum and demodulated signal) and the signal I emit...
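
Added example, not part of the thread and not RadioLib or URH code: it relates to questions 1 and 3 above. An SDR capture holds complex baseband (IQ) samples with the 868 MHz carrier already removed, so the sample rate only has to cover the signal's bandwidth, and the bit rate and frequency deviation that `begin()` asks for can be measured from those samples. The signal below is synthetic, built from a few bytes of the post's message and the `br`/`freqDev` values the post passes to `begin()` (not measured from the device); all function names are illustrative.

```python
import cmath
import math

FS = 1_000_000  # complex IQ samples/s, the URH sample rate quoted in the post

def bits_from_hex(h):
    return [int(b) for byte in bytes.fromhex(h) for b in f"{byte:08b}"]

def synth_fsk(bits, bit_rate, dev_hz, fs=FS):
    """Constructed 2-FSK at baseband: the SDR has already removed the carrier."""
    spb, phase, iq = fs / bit_rate, 0.0, []
    for i in range(round(len(bits) * spb)):
        bit = bits[min(int(i / spb), len(bits) - 1)]
        phase += 2 * math.pi * (dev_hz if bit else -dev_hz) / fs
        iq.append(cmath.exp(1j * phase))
    return iq

def inst_freq(iq, fs=FS):
    """Phase step between consecutive samples, converted to Hz."""
    return [cmath.phase(b * a.conjugate()) * fs / (2 * math.pi)
            for a, b in zip(iq, iq[1:])]

def estimate(iq, fs=FS):
    """Return (bit_rate_bps, deviation_hz) estimated from IQ samples."""
    f = inst_freq(iq, fs)
    hi = [x for x in f if x > 0]
    lo = [x for x in f if x <= 0]
    dev = (sum(hi) / len(hi) - sum(lo) / len(lo)) / 2
    runs, run = [], 1
    for a, b in zip(f, f[1:]):
        if (a > 0) == (b > 0):
            run += 1
        else:
            runs.append(run)
            run = 1
    runs = runs[1:]  # first run is cut by the capture start; last is never appended
    unit = min(runs)  # shortest run of one tone = one symbol
    symbols = sum(round(r / unit) for r in runs)
    return fs * symbols / sum(runs), dev

def carson_bw(bit_rate, dev_hz):
    """Approximate occupied bandwidth of 2-FSK (Carson's rule)."""
    return 2 * (dev_hz + bit_rate / 2)

if __name__ == "__main__":
    iq = synth_fsk(bits_from_hex("5555547696"), 33_300, 5_000)
    br, dev = estimate(iq)
    print(f"bit rate ~{br:.0f} bit/s, deviation ~{dev:.0f} Hz, "
          f"bandwidth ~{carson_bw(br, dev):.0f} Hz of {FS} Hz captured")
```

On a real capture, the same two numbers (divided by 1000) are what `br` and `freqDev` expect in kbps and kHz; noise would call for averaging or filtering before the sign test.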

Sorry but I will not answer your question because of the possibility of somebody getting hurt if something goes wrong. Also depending on where you are there are legal liability concerns as well. Be sure you are allowed to make those changes.

Thank you for taking the time to respond to my post and for highlighting these major points!

Regarding the law: I know that in my country, 433MHz and 868MHz are allowed. Moreover, I want to send exactly the signal of my device, so I deduced that it is legal.

Regarding the danger: It is a major question. In practice, it is not the remote control of the boiler itself, it does not command the burner for example. It is an external device that asks the boiler to activate the pumps (but can not even force it, just ask for but the boiler decides if it activates the pump or not – I mean it is not a direct command for the pump).

The worst case is to ask for the activation of the pump and never ask for the pump to stop. It is not unsafe but very stupid. Today, unfortunately this situation already appears from time to time, and it is one of the multiple reasons why I want to clone this remote controller. (This remote does not have an acknowledgment when it asks for the pump to stop – and assumes that it is done. If the boiler does not receive the message, the pump keeps on working, and the temperature does not decrease – so the remote, assuming the pump to be off does not send anything else – and the pump keeps on)*.

It would be easier for me to completely change the command (both the emitter and the receiver) and write my own protocol, but this strategy is more dangerous as I have to change electric circuits around the boiler, and for safety reasons I do not want to – and I won’t do that. Only cloning the remote controller is then much safer – I do not change anything around the boiler and do not modify electric circuits.

About the questions :

Note that if you're still not convinced and do not want to respond to the questions that would help me to solve the pb – I am still curious to understand the theory independently of the application, and the first two questions remain open questions – as I have already decoded the signal, IMHO the response to these two questions is not related to the main target – but it is obviously up to you – and again, I already thank you for taking the time to respond.

  • I will not add an acknowledgment as I do not want to change the receiver, but I can have multiple strategies: resend the stop message if the temperature does not decrease (or at least the temperature of the radiators), or I can automatically send a notification to myself for a manual verification, or anything else.
