Deciphering analogue signals was Re: Drayton Digistat heating controller
165 views
Skip to first unread message
Darren Beale
Jul 7, 2010, 7:05:56 PM7/7/10
to home...@googlegroups.com
Hello all,
> I managed to de-cipher the packets sent by the Digistat into 9 hex pairs,
> and get a low cost micro and 433MHz ASK transmitter module to emulate these.
Ken, at the risk of asking a very stupid question - hardware hacking
is very new to me - how does one decipher said packets?
Obviously there is a hardware component and some software to take the
signal and break it down. If I were armed with my Arduino (which is on
order) where would I start to try and do this?
For context I've a few different commercially available energy meters
communicating with a master (over M-Bus) that deals with external
comms for AMR purposes.
What I'd like to get a better handle on is a) the information getting
passed around between the meters and the master and b) the contents of
the output from the master when queried by various bits of closed
source software.
Hopefully my question is on-topic?
db
--
Darren Beale
http://bealers.com
@bealers
Ken Boak
Jul 8, 2010, 6:49:52 AM7/8/10
to home...@googlegroups.com
Darren,
I used a 433MHz receiver and a digital oscilliscope to literally see what was being sent over the air.
I captured the packet on screen and manually worked out the sequency of ones and zeros that made up the packet. I split these up into 8 bit sections and wrote them down as hex
I could then see that the first 6 bytes were common to both the "boiler-on" and "boiler-off" packets, and that the 9th byte was common too. Only the 7th and 8th bytes defined the command.
I looked at the length of each individual bit, and saw that it was 500nS long - so it was using a baud rate of 2000 baud.
I then adapted some PIC code that I had and got it to emulate the serial packets and send them to a low cost 433MHz transmitter module. The Drayton receiver was none-the-wiser, that these were not genuine packets from its own transmitter.
Regarding the second part of your question about M-bus. M-bus is a standard communications bus for metering arising out of work from the University of Paderborn, Germany. Subsequently wireless M-bus has been developed.
Wireless M-bus is generally confined to some specialist blogs:
http://livemetering.blogspot.com/2009/03/wireless-mbus-implementation-with.html
Whilst it may have found favour amongst larger European manufacturers (principally Germany), there is little evidence of it yet being widely used for domestic meters in the UK.
http://www.ubitronix.com/en/produkte/zaehlermanagement/wireless-m-bus-bridge.html
Manufacturers will only implement anything extra that costs them money if they are mandated to do so. We will have to wait for the widescale introduction of Smart meters, before we see this technology in the cost sensitive domestic market.
The exception to this might be the introduction of smart meters by First Utility and possibly some other newer utilities
http://www.first-utility.com/residential-energy/smart-meter
Smart meters will probably be offered first to high users - such as businesses and industry, before the general public.
In the meantime, most UK domestic customers are faced with counting LED flashes or monitoring open collector contacts on digital meters - or watching the Ferraris disc revolve. Sadly - That is about the height of sophistication in the UK.
Ken
I used a 433MHz receiver and a digital oscilliscope to literally see what was being sent over the air.
I captured the packet on screen and manually worked out the sequency of ones and zeros that made up the packet. I split these up into 8 bit sections and wrote them down as hex
I could then see that the first 6 bytes were common to both the "boiler-on" and "boiler-off" packets, and that the 9th byte was common too. Only the 7th and 8th bytes defined the command.
I looked at the length of each individual bit, and saw that it was 500nS long - so it was using a baud rate of 2000 baud.
I then adapted some PIC code that I had and got it to emulate the serial packets and send them to a low cost 433MHz transmitter module. The Drayton receiver was none-the-wiser, that these were not genuine packets from its own transmitter.
Regarding the second part of your question about M-bus. M-bus is a standard communications bus for metering arising out of work from the University of Paderborn, Germany. Subsequently wireless M-bus has been developed.
Wireless M-bus is generally confined to some specialist blogs:
http://livemetering.blogspot.com/2009/03/wireless-mbus-implementation-with.html
Whilst it may have found favour amongst larger European manufacturers (principally Germany), there is little evidence of it yet being widely used for domestic meters in the UK.
http://www.ubitronix.com/en/produkte/zaehlermanagement/wireless-m-bus-bridge.html
Manufacturers will only implement anything extra that costs them money if they are mandated to do so. We will have to wait for the widescale introduction of Smart meters, before we see this technology in the cost sensitive domestic market.
The exception to this might be the introduction of smart meters by First Utility and possibly some other newer utilities
http://www.first-utility.com/residential-energy/smart-meter
Smart meters will probably be offered first to high users - such as businesses and industry, before the general public.
In the meantime, most UK domestic customers are faced with counting LED flashes or monitoring open collector contacts on digital meters - or watching the Ferraris disc revolve. Sadly - That is about the height of sophistication in the UK.
Ken
--
You received this message because you are subscribed to the Google Groups "homecamp" group.
To post to this group, send an email to home...@googlegroups.com.
To unsubscribe from this group, send email to homecamp+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/homecamp?hl=en-GB.
Darren Beale
Jul 8, 2010, 8:01:42 AM7/8/10
to home...@googlegroups.com
> I used a 433MHz receiver and a digital oscilliscope to literally see what
> was being sent over the air.
>
> I captured the packet on screen and manually worked out the sequency of ones
> and zeros that made up the packet. I split these up into 8 bit sections and
> wrote them down as hex
>
> I could then see that the first 6 bytes were common to both the "boiler-on"
> and "boiler-off" packets, and that the 9th byte was common too. Only the
> 7th and 8th bytes defined the command.
>
> I looked at the length of each individual bit, and saw that it was 500nS
> long - so it was using a baud rate of 2000 baud.
> was being sent over the air.
>
> I captured the packet on screen and manually worked out the sequency of ones
> and zeros that made up the packet. I split these up into 8 bit sections and
> wrote them down as hex
>
> I could then see that the first 6 bytes were common to both the "boiler-on"
> and "boiler-off" packets, and that the 9th byte was common too. Only the
> 7th and 8th bytes defined the command.
>
> I looked at the length of each individual bit, and saw that it was 500nS
> long - so it was using a baud rate of 2000 baud.
Ken,
Very useful, ta.
db
yellowpark
Jul 8, 2010, 8:47:58 AM7/8/10
to homecamp
Hi Ken
I just started having a play with a 433 transmitter and receiver last
night for the first time. Managed to get a door alarm working -
basically a reed switch, when the door opens it sends an OPEN message
to the receiver and vice versa. The receiver is attached to an
arduino which is plugged into my Viglen. I have a script monitoring
the serial port to the arduino which publishes an MQTT message if the
door is open or closed.
So, my question Ken, if I were to start tinkering with an
oscilliscope, what would be a good one to buy (or make) and any
suggestions where I start!
Chris
I just started having a play with a 433 transmitter and receiver last
night for the first time. Managed to get a door alarm working -
basically a reed switch, when the door opens it sends an OPEN message
to the receiver and vice versa. The receiver is attached to an
arduino which is plugged into my Viglen. I have a script monitoring
the serial port to the arduino which publishes an MQTT message if the
door is open or closed.
So, my question Ken, if I were to start tinkering with an
oscilliscope, what would be a good one to buy (or make) and any
suggestions where I start!
Chris
mikethebee
Jul 8, 2010, 9:48:23 AM7/8/10
to homecamp
I used to use a Tektronix digital scope which locked onto high
frequency data very reliably, the cheaper scopes we used would often
lose sync with the signal a higher data speeds. However it was an
expensive unit and needed a company budget to justify it.
frequency data very reliably, the cheaper scopes we used would often
lose sync with the signal a higher data speeds. However it was an
expensive unit and needed a company budget to justify it.
Ken Boak
Jul 8, 2010, 9:52:14 AM7/8/10
to home...@googlegroups.com
Chris,
You can get some low cost scope meters UNIT 81B from China is one example.
http://www.soselectronic.com/?str=371&artnum=59919
I think Farnell sell these too.
Alternatively a USB plug in scope from pico technology.
http://www.rapidonline.com/Tools-Fasteners-Production-Equipment/Test-Equipment/Oscilloscopes/Picoscope-hand-held-PC-oscilloscopes/77295/kw/85-7425?source=googleps&utm_source=googleps
Aim for at least 50 - 100 MS/s (mega samples per second) in order to get reasonable time resolution of high frequency signals.
At least one person has made a low cost scope from an Arduino.
Ken
You can get some low cost scope meters UNIT 81B from China is one example.
http://www.soselectronic.com/?str=371&artnum=59919
I think Farnell sell these too.
Alternatively a USB plug in scope from pico technology.
http://www.rapidonline.com/Tools-Fasteners-Production-Equipment/Test-Equipment/Oscilloscopes/Picoscope-hand-held-PC-oscilloscopes/77295/kw/85-7425?source=googleps&utm_source=googleps
Aim for at least 50 - 100 MS/s (mega samples per second) in order to get reasonable time resolution of high frequency signals.
At least one person has made a low cost scope from an Arduino.
Ken
--
Adrian McEwen
Jul 8, 2010, 8:10:15 PM7/8/10
to home...@googlegroups.com
Darren, Ken, anyone who's interested...
There's a pretty in-depth series of blog posts looking at deciphering
433MHz (and other) wireless signals over on the Jee Labs blog. Most of
his blogging for April in fact.
See <http://news.jeelabs.org/2010/04/> for them, starting with the "OOK
plugs" post from April 12th and running through to the "(Not So) Home
Easy" post of April 23rd. You'll have to scroll down a fair bit, but it
was easier to post a link to the month's archive than pull out the dozen
or so blog posts about it.
The JeeNode boards that are mentioned in it are some he sells, but I
think they're roughly Arduino compatible, so the code should be fairly
portable to it.
Cheers,
Adrian.
> <mailto:home...@googlegroups.com>.
> To unsubscribe from this group, send email to
> homecamp+u...@googlegroups.com
> <mailto:homecamp%2Bunsu...@googlegroups.com>.
Ken Boak
Jul 9, 2010, 4:03:13 AM7/9/10
to home...@googlegroups.com
Adrian, HomeCamp
Thanks for the link to Jee Labs. The Jee Node appears to be an ATmega328 interfaced to the Hope RF RFM12B transceiver.
This makes a compact and low cost wireless node - and the use of the Hope RF module points to some degree of compatability with the RF modules used in the Current Cost monitors.
JeeLabs ( Jean-Claude Wippler) has been very prolific with his RF decoding work, investigating the various common protocols used with various home automation devices. This should be a useful resource to anyone thinking of interfacing to various systems.
Speaking of Current Cost, it is entirely to their credit that they have sold in excess of 1.1 million energy monitors. They have become central to the supply of energy monitoring devices in the UK (and elsewhere), and their policy of making dev-boards and protocols available to developers and hackers has given them a major reputation within the Homecamp Community.
It is commendable that they have worked with Tinker on developing their Ethernet Bridge, which has ensured that there is a high degree of compatability with existing Arduino hardware.
The concept of having a "multi-channel" display is excellent - allowing the other channels to be used for monitoring other parameters around the household. For those with solar water heating or even pV, Current Cost could be hacked to monitor those systems too.
Ken
Thanks for the link to Jee Labs. The Jee Node appears to be an ATmega328 interfaced to the Hope RF RFM12B transceiver.
This makes a compact and low cost wireless node - and the use of the Hope RF module points to some degree of compatability with the RF modules used in the Current Cost monitors.
JeeLabs ( Jean-Claude Wippler) has been very prolific with his RF decoding work, investigating the various common protocols used with various home automation devices. This should be a useful resource to anyone thinking of interfacing to various systems.
Speaking of Current Cost, it is entirely to their credit that they have sold in excess of 1.1 million energy monitors. They have become central to the supply of energy monitoring devices in the UK (and elsewhere), and their policy of making dev-boards and protocols available to developers and hackers has given them a major reputation within the Homecamp Community.
It is commendable that they have worked with Tinker on developing their Ethernet Bridge, which has ensured that there is a high degree of compatability with existing Arduino hardware.
The concept of having a "multi-channel" display is excellent - allowing the other channels to be used for monitoring other parameters around the household. For those with solar water heating or even pV, Current Cost could be hacked to monitor those systems too.
Ken
mikethebee
Jul 9, 2010, 6:03:24 PM7/9/10
to homecamp
I found some Arduino digital oscilloscope code at http://www.sharpley.org.uk/page/blog/23
Seems the Ardiuno is faster enough for radio data work, which is
v.good.
The last time I built something similar it was with a BBC 'B' Micro
which was so much slower, funny to think about that.
I'm looking forward to getting back to such projects.
Seems the Ardiuno is faster enough for radio data work, which is
v.good.
The last time I built something similar it was with a BBC 'B' Micro
which was so much slower, funny to think about that.
I'm looking forward to getting back to such projects.
Reply all
Reply to author
Forward
0 new messages