Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Reading the values from the Transmitter

Code Block
/* Convert RF signal into bits (temperature sensor version) 
 * Written by :/ ---------------------------------------------------------------------------------------
// Acurite 00606TX Reader
// Adapted from code by Ray Wang (Rayshobby LLC)

// ring buffer size has to be large enough to fit
// data  ---------------------------------------------------------------------------------------

#define DATAPIN  D2  

// ring buffer size has to be large enough to fit
// data between two successive sync signals
#define RING_BUFFER_SIZE  256

#define SYNC_LENGTH  9000
#define SEP_LENGTH   500
#define BIT1_LENGTH  4000
#define BIT0_LENGTH  2000

#define DATAPIN  D2  

#define LSFR_OFFSET 4

uint8_t LSFR_sequence[MESSAGE_SIZE] = {0};

//ringbuffer contains the time since the last signal was off.
unsigned long timings[RING_BUFFER_SIZE];

unsigned int syncIndex1 = 0;  // index of the first sync signal
unsigned int syncIndex2 = 0;  // index of the second sync signal
bool received = false;

void ICACHE_RAM_ATTR handler();

// detect if a sync signal is present
bool isSync(unsigned int idx) {
  unsigned long t0 = timings[(idx+RING_BUFFER_SIZE-1) % RING_BUFFER_SIZE];
  unsigned long t1 = timings[idx];

  // on the temperature sensor, the sync signal
  // is roughtly 9.0ms. Accounting for error
  // it should be within 8.0ms and 10.0ms
  if (t0>(SEP_LENGTH-100) && t0<(SEP_LENGTH+100) ){
    if (t1>(SYNC_LENGTH-1000) && t1<(SYNC_LENGTH+1000)){
      if (digitalRead(DATAPIN) == HIGH---------------------------------------------------------------------------------------
// setup
// ---------------------------------------------------------------------------------------
void setup() {
  pinMode(DATAPIN, INPUT);
  attachInterrupt(digitalPinToInterrupt(DATAPIN), handler, CHANGE);

// ---------------------------------------------------------------------------------------
// loop
// ---------------------------------------------------------------------------------------
void loop() {

  //Did we get a message?
  if (received == true) {
 return true;  // disable interrupt to avoid new data 
corrupting the buffer

  return false;

/* Interrupt handler */
void ICACHE_RAM_ATTR handler() {
  static unsigned long duration = 0;
  static unsigned long lastTime = 0;
  static unsigned int ringIndex = 0;
  static unsigned int syncCount = 0;

  // ignore if we haven't processed the previous received signal
  if (received == true) {
unsigned int bits[34];
    bool error = processSignal(bits); 


      //convert our bits to byte array
      byte data[4];
      bool success = bitsToByteArray(bits,32,data,4);

        byte rollingCode = data[0];
        Serial.printlnprintf("received==true"Rolling Code: 0x%02x\n",rollingCode);

  // calculating timing since lastbyte change
batteryStatus = long time = micros();
  duration = time - lastTime;
  lastTime = time;

  // store data in ring buffer
  ringIndex = (ringIndex + 1) % RING_BUFFER_SIZE;
  timings[ringIndex] = duration;

  // detect sync signal
  if (isSync(ringIndex)) {
    syncCount ++(data[1] & 0xf0) >> 4;
        Serial.printf("Battery Status: 0x%02x\n",batteryStatus);
         unsigned int rawTemperature = (((data[1] & 0x0f) << 8) + data[2]);
        float temperature = rawTemperature / 10.0;
    //  first time sync is seen, record buffer index
 Serial.printf("Temp: %0.1f C\n",temperature);
        ifbyte (syncCountchecksum == 1) {data[3];
      syncIndex1 = (ringIndex+1) % RING_BUFFER_SIZESerial.printf("checksum: 0x%02x\n",checksum);
    else if//uint8_t computeChecksum(syncCountint == 2length, uint8_t *buff) {
      // second timebyte synccomputedChecksum is= seen, start bit conversion
         syncCount = 0;
         syncIndex2 = (ringIndex+1) % RING_BUFFER_SIZE Serial.printf("Checksum Verified!\n");
      unsigned int changeCount}else{
 = (syncIndex2 < syncIndex1) ? (syncIndex2+RING_BUFFER_SIZE - syncIndex1) : Serial.printf(syncIndex2 - syncIndex1"Checksum Invalid!\n");
      // changeCount must}
 be 66 -- 32 bits x}else{
 2 + 2 for sync
//      Serial.printprintf("ChangeCount:");
//      Serial.println(changeCountFailed to convert bits to bytes array\n");
   }//if (changeCount < 66 || changeCount > 68) {

    // delay for 1 second to avoid repetitions
    received = false;
        syncIndex1 = 0;
        syncIndex2 = 0;
    //  else {re-enable interrupt
    attachInterrupt(digitalPinToInterrupt(DATAPIN),    received = truehandler, CHANGE);


void setup(}//if (received == true) {
  pinMode(DATAPIN, INPUT);
  attachInterrupt(digitalPinToInterrupt(DATAPIN), handler, CHANGE);

void loop() {
  if (received == true) {
    // disable interrupt to avoid new data corrupting the buffer

    // loop over the lowest 12 bits of the middle 2 bytes
    unsigned long temp = 0;
    bool negative = false;
    bool fail

// ---------------------------------------------------------------------------------------
// processSignal
// ---------------------------------------------------------------------------------------
// Message is composed of:
// - Rolling Code(2 nibbles - 8 bits), 
// - Status(1 nibble - 4 bits), 
// - Temperature (signed binary - 3 nibbles - 12 bits ), 
// - Hash Code (2 nibles - 8 bits)
// Each bit is composed of two signals - a seperator signal followed by a short/long
// ---------------------------------------------------------------------------------------
bool processSignal(unsigned int *bits){
    bool error = false;
   for(unsigned int totalSignalsInMessage = 32 *2;
    int count =0;
    for(unsigned int i=(syncIndex1+24)%RING_BUFFER_SIZE; i!=(syncIndex1+48totalSignalsInMessage)%RING_BUFFER_SIZE; i=(i+2)%RING_BUFFER_SIZE) {

      unsigned long t0 = timings[i],;
      unsigned long t1 = timings[(i+1)%RING_BUFFER_SIZE];

      if (t0>(SEP_LENGTH-100150) && t0<(SEP_LENGTH+100150)) {
        if (t1>(BIT1_LENGTH-1000) && t1<(BIT1_LENGTH+1000)) {
          if(i == (syncIndex1+24)%RING_BUFFER_SIZE) negative = true;
     temp = (temp <<} 1) + 1;
  else if (t1>(BIT0_LENGTH-1000) && t1<(BIT0_LENGTH+1000)) {
        } else {          
        else if (t1>(BIT0_LENGTH-1000) && t1<(BIT0_LENGTH+1000)) {
          temp = (temp << 1) + 0;
        else {
          fail = true;
      else {
        fail = true;

    if (!fail) {
      if (negative) {
        temp = 4096 - temp; 
      Serial.print(temp/10.0);  //temp in C
      Serial.write(176);    // degree symbol
      Serial.print((temp)*9/50.0+32);  // convert to F
      Serial.write(176);    // degree symbol
    } else {
      Serial.println("Decoding error.");
    // delay for 1 second to avoid repetitions
    received = false;
    syncIndex1 = 0;
    syncIndex2 = 0;

    // re-enable interrupt
    attachInterrupt(digitalPinToInterrupt(DATAPIN), handler, CHANGE);
else {
           Serial.printf("Read Error\n");


      //print bits received
      Serial.print("bits: ");
      for(int i=0;i<32;i++){
          Serial.printf(" ");
  return error;
// ---------------------------------------------------------------------------------------
// isSync
// ---------------------------------------------------------------------------------------
// Detect if a sync signal is present. A sync signal is composed of a seperator signal 
// (short off 0.5ms) followed by a sync signal (9ms off).
// ---------------------------------------------------------------------------------------
bool isSync(unsigned int idx) {

  //get the last two indexes from the ring buffer
  int t0Index = (idx+RING_BUFFER_SIZE-1) % RING_BUFFER_SIZE;
  unsigned long t0 = timings[t0Index];
  unsigned long t1 = timings[idx];

  //check that t0 is a seperator signal, should be around 0.5ms
  if (t0>(SEP_LENGTH-100) && t0<(SEP_LENGTH+100) ){
    //check that t1 is a sync signal, allow for anything between 8-10ms
    if (t1>(SYNC_LENGTH-1000) && t1<(SYNC_LENGTH+1000)){
      if (digitalRead(DATAPIN) == HIGH) {
//        Serial.printf("toIndex=%d, idx=%d, RING_BUFFER_SIZE=%d \n",t0Index, idx, RING_BUFFER_SIZE);
//        Serial.printf("t0=%d, t1=%d\n",t0,t1);

        return true;         
  return false;

// ---------------------------------------------------------------------------------------
// handler
// ---------------------------------------------------------------------------------------
// Interrupt handler - reads incoming signal changes from receiver
// ---------------------------------------------------------------------------------------
void ICACHE_RAM_ATTR handler() {
  static unsigned long duration = 0;
  static unsigned long lastTime = 0;
  static unsigned int ringIndex = 0;
  static unsigned int syncCount = 0;

  // exit out if we are in processing a signal.
  if (received == true) {
//    Serial.println("received==true");

  // calculating timing since last change
  long time = micros();
  duration = time - lastTime;
  lastTime = time;

  // store data in ring buffer
  ringIndex = (ringIndex + 1) % RING_BUFFER_SIZE;
  timings[ringIndex] = duration;

  // detect sync signal
  if (isSync(ringIndex)) {
    syncCount ++;
    if (syncCount == 1) {
       // first time sync is seen, record buffer index      
      syncIndex1 = (ringIndex+1) % RING_BUFFER_SIZE;
    }else if (syncCount == 2) {
      syncCount = 0;
      // second time sync is seen, start bit conversion
      syncIndex2 = (ringIndex+1) % RING_BUFFER_SIZE;

      //check how many signals we have received between syncs
      unsigned int changeCount  = 0;
      if(syncIndex2 < syncIndex1){
        changeCount = syncIndex2+RING_BUFFER_SIZE - syncIndex1;
        changeCount = syncIndex2 - syncIndex1;
      if (changeCount < 66 || changeCount > 68) {
        //too many signals, disregard
        received = false;
        syncIndex1 = 0;
        syncIndex2 = 0;
      } else {
        //we found our signal
        received = true;


// ---------------------------------------------------------------------------------------
// calculateLSFR
// ---------------------------------------------------------------------------------------
void calculateLSFR() {
    int i;
    uint8_t reg = 0x7C;
    uint8_t temp_reg = 0;
    for (i = 0; i < MESSAGE_SIZE; i++) {
        temp_reg = reg & 0x01;
        reg >>= 1;
        reg |= (temp_reg << 7);
        if (temp_reg) {
            reg ^= 0x18;
        LSFR_sequence[i] = reg;
        //printf("%02x\n", LSFR_sequence[i]);
// ---------------------------------------------------------------------------------------
// combineLSFR
// --------------------------------------------------------------------------------------- 
uint8_t combineLSFR(uint8_t len, uint8_t *data) {
    uint8_t hash_reg = 0; // not 0x64
    int byte_idx, bit_idx;
    uint8_t byte, bit;
    for (byte_idx = 0; byte_idx < len; byte_idx++) {
        for (bit_idx = 7; bit_idx >= 0; bit_idx--) {
            bit = (data[byte_idx] & (1 << bit_idx)) >> bit_idx;
            if (bit) {
                hash_reg ^= LSFR_sequence[byte_idx * 8 + (7 - bit_idx) + LSFR_OFFSET];
                //printf("[%d]: %02x\n", byte_idx * 8 + (7 - bit_idx), hash_reg);
            bit = 0;
    return hash_reg;
// ---------------------------------------------------------------------------------------
// computeChecksum
// --------------------------------------------------------------------------------------- 
uint8_t computeChecksum(int length, uint8_t *buff) {
    return combineLSFR(length, buff);

// ---------------------------------------------------------------------------------------
// bitsToByteArray
// ---------------------------------------------------------------------------------------
// Convert array of integers containing the bits received into byte array
// ---------------------------------------------------------------------------------------
bool bitsToByteArray(unsigned int *bits, int len, byte* buffer, int bufferLen){

  int bidx=0;
  unsigned int sum = 0;
  for(int i=0;i<len;i++){
    //break out if we have filled up the buffer    
    if(bidx >= bufferLen){
      return false;
    sum += bits[i];

    //new byte?
      //save to buffer, reset sum and increment bidx
  return true;


View file
nameRF Hacking -- Irdeto Hackday Oct-3-2019.pdf
