I'm looking into a fun but challenging personal project and would love some guidance from anyone who might have some to share!
In my house is a combi-boiler which comes with a wireless box in which we can set the temperature. It's as simple as a dial and an LCD display. When we move the dial, the set temperature goes up or down and is immediately transmitted to the boiler which adjusts itself to match that temperature. Not unique by any means and in theory a very simple design.
From my limited research and dangerous assumptions, I'm led to believe the data is transmitted over an RF signal, and as I do not recall ever having to 'pair' the two devices, I imagine there is primitive/no authentication.
I've worked with Bluetooth before (in fact I have a project on the go at the moment thanks to some great help from people on this forum) but never RF and know very little about how to reverse engineer the signals and their frequency.
So, I have three major questions currently:
1. How do I work out what frequency it transmits on?
2. How do I intercept the signal? (So I know what to send from the Arduino)
3. What kind of parts (generically speaking) will I need?
The workflow I have in my head currently is:
1. Get frequency
2. Listen to signal and note down the protocol
3. Build Arduino based device that has Bluetooth/wired connection to PC and an RF antenna of correct freq.
4. Build PC/Phone app to instruct Arduino to transmit relevant signals and change heating setting
5. Enjoy being able to set the heating in my house from the comfort of the sofa (instead of wherever the hell we left the ugly wireless thermostat thing)
(I'm looking to integrate a few other household appliances into a centralized 'House Controller' app)
Here are some pictures of the wireless thermostat, and its underlying circuit:
For part #1 I would start with an SDR device. It might also be nice for analyzing the protocol.
Works with DVB-T/DAB sticks: http://www.rtl-sdr.com/tag/sdrsharp/
To confirm or deny what I surmised about the transmitter frequency, you could try consulting the datasheet of the 8 pin IC that I have circled in red on the photograph below.
I couldn't read the type number of this IC, it is obscured by the transparent plastic ring.
Could you tell us what it is please?
Also try measuring the length of the track that I have coloured yellow, which I believe is the antenna. I'm predicting it should be close to a quarter wavelength at the transmitter frequency, which is 300/(433.92 x 4) metres = 173mm.
Measuring was rather difficult; I used a piece of wire and got a rough estimated reading of 147mm, or 132mm from the large gold square about 1cm from the beginning of the track (first solder joint from the resistor).
I see that the large TQFP is an Atmel device. You may dump the code running on it. Please share its number too.
I see 5 pads next to the Atmel part (m169PA), may be SPI interface?? So you won't need a spoofer/scope to find the protocol.
These both sound like really interesting things to do, please could you point me in the right direction / roughly outline the steps I'd need to do? I'm a confident programmer but have never delved into pulling code off a chipset before!
This is only possible if they have not put a lock on their flash, probably not, it is a simple controller. When I looked at the datasheet (>60MB), the SPI pins are NOT FREE. MISO is connected to a tact switch, MOSI is connected to something else. SCK is free. Reset is tied to some SOT23. I wonder how they programmed that thing. Do you have any experience with an "arduino as isp" or a "usbtiny" or similar?
Even if you read the flash, you need to disassemble it. I think that they may have the instructions for setting the temp in the EEPROM.
We may go like this:
1. Read the flash and store it safely on the PC.
2. Reflash it with a code to read the EEPROM
3. Read the EEPROM
4. See if data in the EEPROM is useful or not
5. If yes, use it for Arduino
6. If not, then disassemble the flash read and find their code
OR
Use a scope to find the packets sent and received, but I don't know how.