Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.



The protocol for the AcuRite 00606TX is:


This sensor does not use a simple checksum or even a more advanced CRC. Instead data integrity is verified by a hash code, generated by multiplying the message bits with the byte sequence generated by a linear feedback shift register (LFSR). This algorithm has been referred to as "an LFSR-based Toeplitz hash" in some of the literature.



1. Generate LSFR sequence equal to the length of the message.

In our case, our message is 32 24 bits long, so we will need 32 values24 values plus an addition 5 since we are going to start at the fifth byte in the sequence.

  • Start with an 8-bit register initialized to the value 0x7C (0111 1100)
  • Generate a number of values equal to the message size in bits by repeating the following operations once for each bit.


• The register value after these two operations is the sequence value to be stored. Perform these steps once for each bit in the message. If the message contains 40 32 bits for example (as with the F007TH message) then you will need to generate a sequence of 40 bytes. Because this sequence does not depend on the data message contents and can be pre-computed once and stored to save time.


Start ValueShift Right

XOR with 0x18 if MSB =1

(flip bits 3 and 4)

10111 1100 (0x7C)→ 0011 1110 NO -0011 1110 (0x3e)
20011 1110 (0x3e)→ 0001 1111NO-0001 1111 (0x1f)
30001 1111 (0x1f)→ 1000 1111YESxor 0x181001 0111 (0x97)
41001 0111 (0x97)→ 1100 1011YESxor 0x181101 0011 (0xd3)
51101 0011 (0xd3)→ 1110 1001YESxor 0x181111 0001 (0xf1)

321000 0110 (0x86)→ 0100 0011NO-0100 0011 (0x43)

370011 0001 (0x31)→ 1001 1000YESxor 0x181000 000 (0x80)


2. Combines the LSFR sequence with message bits to form the final hash value

To compute the message hash value, sequence through the 24 message bits in the order they were received. Since everything here is big-endian, that means proceeding from MSB to LSB. Start by initializing the hash register to the value 0x00. As the message bits are read, for every bit in the message that is a one, exclusive-or the corresponding value (+5) from the LSFR sequence into the hash register.

For example, if the 10th bit is a one, then take the 15th value from the LFSR sequence and exclusive-or it into the hash register. If the message were all zeros, then nothing would be added to the hash register and the result would be the initial value of 0x00.


Register ValueIndexValueValue=1?Calculation

New Register Value

(xor with LSFR Sequence starting at the 5th (0xF1)

0023 -MSB1Yes00 xor f1f1
f1221Yesf1 xor e011
11211Yes11 xor 7061


Checksum/Hash Source Code

Code Block
#define MESSAGE_SIZE 32
#define OFFSET 4

uint8_t LSFR_sequence[MESSAGE_SIZE] = {0};

void calculateLSFR() {
	int i;
	uint8_t reg = 0x7C;
	uint8_t temp_reg = 0;

	for (i = 0; i < MESSAGE_SIZE; i++) {
		temp_reg = reg & 0x01;
		reg >>= 1;
		reg |= (temp_reg << 7);

		if (temp_reg) {
			reg ^= 0x18;

		LSFR_sequence[i] = reg;
		//printf("%02x\n", LSFR_sequence[i]);

uint8_t combineLSFR(uint8_t len, uint8_t *data) {
	uint8_t hash_reg = 0; // not 0x64
	int byte_idx, bit_idx;
	uint8_t byte, bit;

	for (byte_idx = 0; byte_idx < len; byte_idx++) {
		for (bit_idx = 7; bit_idx >= 0; bit_idx--) {
			bit = (data[byte_idx] & (1 << bit_idx)) >> bit_idx;
			if (bit) {
				hash_reg ^= LSFR_sequence[byte_idx * 8 + (7 - bit_idx) + OFFSET];
				//printf("[%d]: %02x\n", byte_idx * 8 + (7 - bit_idx), hash_reg);
			bit = 0;

	return hash_reg;

uint8_t Checksum(int length, uint8_t *buff) {
	return combineLSFR(length, buff);


In an effort to send our own temperatures to the receiver, we put together a program running on an ESP8266 (Wemos mini) connected with RF transmitter.

Transmitter Code

const int TX_PIN = 4; // ESP8266 pin D2 typedef struct { boolean power; int duration; // micro seconds } signal; const signal SHORT_ON { true, 500 }; const signal SHORT_OFF { false, 2000 }; const signal LONG_ON { true, 850 }; // not used const signal LONG_OFF { false, 4000 }; const signal STOP_OFF { false, 500 }; const int REST = 9000; // 9 ms gap // Here's a temperature of 24.5 forever... // signal sig_1 [] { SHORT_ON, // start bit SHORT_OFF, SHORT_ON, // a zero (0) bit LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit LONG_OFF, SHORT_ON, // a one (1) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit // LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit SHORT_OFF, SHORT_ON, // a zero (0) bit LONG_OFF, SHORT_ON, // a one (1) bit SHORT_OFF, SHORT_ON, // a zero (0) bit LONG_OFF, SHORT_ON, // a one (1) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit SHORT_OFF, SHORT_ON, // a zero (0) bit LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit LONG_OFF, SHORT_ON, // a one (1) bit SHORT_OFF, SHORT_ON, // a zero (0) bit STOP_OFF, SHORT_ON // stop bit }; void doTransmission(signal array[67]) { Serial.println("Doing transmission..."); for (int burst = 1; burst <= 7; burst++) { for (int idx = 0; idx < 66; ++idx ) { // payload digitalWrite(TX_PIN, array[idx].power); delayMicroseconds( array[idx].duration ); } delayMicroseconds(REST); // rest between bursts } } void setup ( void ) { pinMode(TX_PIN, OUTPUT); Serial.begin ( 115200 ); } void loop ( void ) { Serial.println("Sending..."); doTransmission(sig_1); delay(10000); }
Code Block
// ---------------------------------------------------------------------------------------
// Acurite 00606TX Transmitter
// ---------------------------------------------------------------------------------------

#define SYNC_LENGTH  9000
#define SEP_LENGTH   500
#define BIT1_LENGTH  4000
#define BIT0_LENGTH  2000

#define MESSAGE_SIZE 32
#define LSFR_OFFSET 4

uint8_t LSFR_sequence[MESSAGE_SIZE] = {0};

const int TX_PIN = D2;
byte payload[4];

// ---------------------------------------------------------------------------------------
// setup
// ---------------------------------------------------------------------------------------
void setup ( void ) {
    pinMode(TX_PIN, OUTPUT);
    Serial.begin ( 115200 );
// ---------------------------------------------------------------------------------------
// loop
// ---------------------------------------------------------------------------------------
void loop ( void ) {

// ---------------------------------------------------------------------------------------
// generatePayload
// ---------------------------------------------------------------------------------------
void generatePayload(){
      //define rolling code
    byte rollingCode = 0xAA;
    //generate random temperature
    int temperature = (int)random(-400,400);
    Serial.printf("Temp: %.1f\n",temperature/10.0);

    unsigned int hightByteTemp = temperature >> 8;
    unsigned int lowByteTemp = temperature & 0xff;

    //add battery OK flag to 
    hightByteTemp = 0x80 + (hightByteTemp & 0x0F);

    payload[0] = rollingCode;
    payload[1] = hightByteTemp;
    payload[2] = lowByteTemp;
    payload[3] = computeChecksum(3,payload);

    Serial.print("Payload: ");
    for(int i=0;i<4;i++){
      Serial.printf("%02x ",payload[i]);

// ---------------------------------------------------------------------------------------
// toggleLED
// ---------------------------------------------------------------------------------------
void toggleLED(){
    //flash led
    digitalWrite(LED_BUILTIN, HIGH);
    digitalWrite(LED_BUILTIN, LOW);

// ---------------------------------------------------------------------------------------
// doTransmission
// ---------------------------------------------------------------------------------------
void doTransmission() {

    Serial.println("Doing transmission...");

    for (int burst = 1; burst <= 7; burst++) {
      Serial.print("Sending: ");

// ---------------------------------------------------------------------------------------
// sendPayload
// ---------------------------------------------------------------------------------------
void sendPayload(){
  for(int i=0;i<4;i++){

// ---------------------------------------------------------------------------------------
// sendByte
// ---------------------------------------------------------------------------------------
void sendByte(byte b){
  for(int i=7;i>=0;i--){
    int bitValue = readBit(b,i); 
      Serial.print(" ");

// ---------------------------------------------------------------------------------------
// readBit
// ---------------------------------------------------------------------------------------
int readBit(byte b, int bitPos){
  int x = b & (1 << bitPos);
  return x == 0 ? 0 : 1;

// ---------------------------------------------------------------------------------------
// sendBit
// ---------------------------------------------------------------------------------------
void sendBit(int val){
  digitalWrite(TX_PIN, HIGH );    
  delayMicroseconds(SEP_LENGTH );  

  digitalWrite(TX_PIN, LOW );
    delayMicroseconds(BIT0_LENGTH );    
    delayMicroseconds(BIT1_LENGTH );    

// ---------------------------------------------------------------------------------------
// sendSync
// ---------------------------------------------------------------------------------------
void sendSync(){
  digitalWrite(TX_PIN, HIGH );
  digitalWrite(TX_PIN, LOW );
  delayMicroseconds(SYNC_LENGTH );
  Serial.print(" -");

// ---------------------------------------------------------------------------------------
// calculateLSFR
// ---------------------------------------------------------------------------------------
void calculateLSFR() {
    int i;
    uint8_t reg = 0x7C;
    uint8_t temp_reg = 0;
    for (i = 0; i < MESSAGE_SIZE; i++) {
        temp_reg = reg & 0x01;
        reg >>= 1;
        reg |= (temp_reg << 7);
        if (temp_reg) {
            reg ^= 0x18;
        LSFR_sequence[i] = reg;
        //printf("%02x\n", LSFR_sequence[i]);
// ---------------------------------------------------------------------------------------
// combineLSFR
// --------------------------------------------------------------------------------------- 
uint8_t combineLSFR(uint8_t len, uint8_t *data) {
    uint8_t hash_reg = 0; // not 0x64
    int byte_idx, bit_idx;
    uint8_t byte, bit;
    for (byte_idx = 0; byte_idx < len; byte_idx++) {
        for (bit_idx = 7; bit_idx >= 0; bit_idx--) {
            bit = (data[byte_idx] & (1 << bit_idx)) >> bit_idx;
            if (bit) {
                hash_reg ^= LSFR_sequence[byte_idx * 8 + (7 - bit_idx) + LSFR_OFFSET];
                //printf("[%d]: %02x\n", byte_idx * 8 + (7 - bit_idx), hash_reg);
            bit = 0;
    return hash_reg;
// ---------------------------------------------------------------------------------------
// computeChecksum
// --------------------------------------------------------------------------------------- 
uint8_t computeChecksum(int length, uint8_t *buff) {
    return combineLSFR(length, buff);

Reading the values from the Transmitter

Receiver Code

Code Block
// ---------------------------------------------------------------------------------------
// Acurite 00606TX Reader
// Adapted from code by Ray Wang (Rayshobby LLC)
// ---------------------------------------------------------------------------------------

#define DATAPIN  D2  

// ring buffer size has to be large enough to fit
// data between two successive sync signals
#define RING_BUFFER_SIZE  256

#define SYNC_LENGTH  9000
#define SEP_LENGTH   500
#define BIT1_LENGTH  4000
#define BIT0_LENGTH  2000

#define MESSAGE_SIZE 32
#define LSFR_OFFSET 4

uint8_t LSFR_sequence[MESSAGE_SIZE] = {0};

//ringbuffer contains the time since the last signal was off.
unsigned long timings[RING_BUFFER_SIZE];

unsigned int syncIndex1 = 0;  // index of the first sync signal
unsigned int syncIndex2 = 0;  // index of the second sync signal
bool received = false;

void ICACHE_RAM_ATTR handler();

// ---------------------------------------------------------------------------------------
// setup
// ---------------------------------------------------------------------------------------
void setup() {
  pinMode(DATAPIN, INPUT);
  attachInterrupt(digitalPinToInterrupt(DATAPIN), handler, CHANGE);

// ---------------------------------------------------------------------------------------
// loop
// ---------------------------------------------------------------------------------------
void loop() {

  //Did we get a message?
  if (received == true) {
    // disable interrupt to avoid new data corrupting the buffer

    unsigned int bits[34];
    bool error = processSignal(bits); 


      //convert our bits to byte array
      byte data[4];
      bool success = bitsToByteArray(bits,32,data,4);

        byte rollingCode = data[0];
        Serial.printf("Rolling Code: 0x%02x\n",rollingCode);
        byte batteryStatus = (data[1] & 0xf0) >> 4;
        Serial.printf("Battery Status: 0x%02x\n",batteryStatus);

        float temperature = computeTemperature(data[1],data[2]);
        Serial.printf("Temp: %0.1f C\n",temperature);
        byte checksum = data[3];
        Serial.printf("checksum: 0x%02x\n",checksum);
        //uint8_t computeChecksum(int length, uint8_t *buff) {
        byte computedChecksum = computeChecksum(3,data);
          Serial.printf("Checksum Verified!\n");
          Serial.printf("Checksum Invalid!\n");
        Serial.printf("Failed to convert bits to bytes array\n");

    // delay for 1 second to avoid repetitions
    received = false;
    syncIndex1 = 0;
    syncIndex2 = 0;

    // re-enable interrupt
    attachInterrupt(digitalPinToInterrupt(DATAPIN), handler, CHANGE);
  }//if (received == true) {


// ---------------------------------------------------------------------------------------
// computeTemperature
// ---------------------------------------------------------------------------------------
// Temperature is a signed 12-bit value with resolution of 0.1C. For example,
// 25.6C is encoded as the value 256 (0x100 hexadecimal). A value of -0.1C is
// encoded as -1 (0xFFF hexadecimal).         
// ---------------------------------------------------------------------------------------
float computeTemperature(byte highbyte, byte lowbyte){
    bool negative=false;
    Serial.printf("highbyte : 0x%02x \n",highbyte);
    if((highbyte & 0x08) == 0x08){
    int rawTemperature = ((highbyte & 0x0f) << 8) + lowbyte;
    Serial.printf("rawTemperature: %d\n",rawTemperature);
      rawTemperature = rawTemperature - 4096;
      //limit to -40C like the acurite receiver
      if(rawTemperature < -400){
        rawTemperature = -400;
    float temperature = rawTemperature / 10.0;
    return temperature;

// ---------------------------------------------------------------------------------------
// processSignal
// ---------------------------------------------------------------------------------------
// Message is composed of:
// - Rolling Code(2 nibbles - 8 bits), 
// - Status(1 nibble - 4 bits), 
// - Temperature (signed binary - 3 nibbles - 12 bits ), 
// - Hash Code (2 nibles - 8 bits)
// Each bit is composed of two signals - a seperator signal followed by a short/long
// ---------------------------------------------------------------------------------------
bool processSignal(unsigned int *bits){
    bool error = false;
    int totalSignalsInMessage = 32 *2;
    int count =0;
    for(unsigned int i=syncIndex1; i!=(syncIndex1+totalSignalsInMessage)%RING_BUFFER_SIZE; i=(i+2)%RING_BUFFER_SIZE) {

      unsigned long t0 = timings[i];
      unsigned long t1 = timings[(i+1)%RING_BUFFER_SIZE];

      if (t0>(SEP_LENGTH-150) && t0<(SEP_LENGTH+150)){
        if (t1>(BIT1_LENGTH-1000) && t1<(BIT1_LENGTH+1000)) {
        } else if (t1>(BIT0_LENGTH-1000) && t1<(BIT0_LENGTH+1000)) {
        } else {          
      }else {
//        Serial.printf("** t0: %d, t1: %d\n",t0,t1);
//        Serial.printf("Read Error\n");


      //print bits received
      Serial.print("bits: ");
      for(int i=0;i<32;i++){
          Serial.printf(" ");
  return error;
// ---------------------------------------------------------------------------------------
// isSync
// ---------------------------------------------------------------------------------------
// Detect if a sync signal is present. A sync signal is composed of a seperator signal 
// (short off 0.5ms) followed by a sync signal (9ms off).
// ---------------------------------------------------------------------------------------
bool isSync(unsigned int idx) {

  //get the last two indexes from the ring buffer
  int t0Index = (idx+RING_BUFFER_SIZE-1) % RING_BUFFER_SIZE;
  unsigned long t0 = timings[t0Index];
  unsigned long t1 = timings[idx];

  //check that t0 is a seperator signal, should be around 0.5ms
  if (t0>(SEP_LENGTH-100) && t0<(SEP_LENGTH+100) ){
    //check that t1 is a sync signal, allow for anything between 8-10ms
    if (t1>(SYNC_LENGTH-1000) && t1<(SYNC_LENGTH+1000)){
      if (digitalRead(DATAPIN) == HIGH) {
//        Serial.printf("toIndex=%d, idx=%d, RING_BUFFER_SIZE=%d \n",t0Index, idx, RING_BUFFER_SIZE);
//        Serial.printf("t0=%d, t1=%d\n",t0,t1);

        return true;         
  return false;

// ---------------------------------------------------------------------------------------
// handler
// ---------------------------------------------------------------------------------------
// Interrupt handler - reads incoming signal changes from receiver
// ---------------------------------------------------------------------------------------
void ICACHE_RAM_ATTR handler() {
  static unsigned long duration = 0;
  static unsigned long lastTime = 0;
  static unsigned int ringIndex = 0;
  static unsigned int syncCount = 0;

  // exit out if we are in processing a signal.
  if (received == true) {
//    Serial.println("received==true");

  // calculating timing since last change
  long time = micros();
  duration = time - lastTime;
  lastTime = time;

  // store data in ring buffer
  ringIndex = (ringIndex + 1) % RING_BUFFER_SIZE;
  timings[ringIndex] = duration;

  // detect sync signal
  if (isSync(ringIndex)) {
    syncCount ++;
    if (syncCount == 1) {
       // first time sync is seen, record buffer index      
      syncIndex1 = (ringIndex+1) % RING_BUFFER_SIZE;
    }else if (syncCount == 2) {
      syncCount = 0;
      // second time sync is seen, start bit conversion
      syncIndex2 = (ringIndex+1) % RING_BUFFER_SIZE;

      //check how many signals we have received between syncs
      unsigned int changeCount  = 0;
      if(syncIndex2 < syncIndex1){
        changeCount = syncIndex2+RING_BUFFER_SIZE - syncIndex1;
        changeCount = syncIndex2 - syncIndex1;
      if (changeCount < 66 || changeCount > 68) {
        //too many signals, disregard
        received = false;
        syncIndex1 = 0;
        syncIndex2 = 0;
      } else {
        //we found our signal
        received = true;


// ---------------------------------------------------------------------------------------
// calculateLSFR
// ---------------------------------------------------------------------------------------
void calculateLSFR() {
    int i;
    uint8_t reg = 0x7C;
    uint8_t temp_reg = 0;
    for (i = 0; i < MESSAGE_SIZE; i++) {
        temp_reg = reg & 0x01;
        reg >>= 1;
        reg |= (temp_reg << 7);
        if (temp_reg) {
            reg ^= 0x18;
        LSFR_sequence[i] = reg;
        //printf("%02x\n", LSFR_sequence[i]);
// ---------------------------------------------------------------------------------------
// combineLSFR
// --------------------------------------------------------------------------------------- 
uint8_t combineLSFR(uint8_t len, uint8_t *data) {
    uint8_t hash_reg = 0; // not 0x64
    int byte_idx, bit_idx;
    uint8_t byte, bit;
    for (byte_idx = 0; byte_idx < len; byte_idx++) {
        for (bit_idx = 7; bit_idx >= 0; bit_idx--) {
            bit = (data[byte_idx] & (1 << bit_idx)) >> bit_idx;
            if (bit) {
                hash_reg ^= LSFR_sequence[byte_idx * 8 + (7 - bit_idx) + LSFR_OFFSET];
                //printf("[%d]: %02x\n", byte_idx * 8 + (7 - bit_idx), hash_reg);
            bit = 0;
    return hash_reg;
// ---------------------------------------------------------------------------------------
// computeChecksum
// --------------------------------------------------------------------------------------- 
uint8_t computeChecksum(int length, uint8_t *buff) {
    return combineLSFR(length, buff);

// ---------------------------------------------------------------------------------------
// bitsToByteArray
// ---------------------------------------------------------------------------------------
// Convert array of integers containing the bits received into byte array
// ---------------------------------------------------------------------------------------
bool bitsToByteArray(unsigned int *bits, int len, byte* buffer, int bufferLen){

  int bidx=0;
  unsigned int sum = 0;
  for(int i=0;i<len;i++){
    //break out if we have filled up the buffer    
    if(bidx >= bufferLen){
      return false;
    sum += bits[i];

    //new byte?
      //save to buffer, reset sum and increment bidx
  return true;


View file
nameRF Hacking -- Irdeto Hackday Oct-3-2019.pdf

