Help decoding unknown modulation


Alexander Morrison

Jan 2, 2020, 7:04:15 PM
to rtl_433
Hello. I've been capturing traffic from some old sensors with my SDR. I found out about rtl_433 which looks like a very handy tool for reverse engineering, however I need some help detecting the modulation used by these sensors.

Using rtl_433 with the -A and -v flags I've been able to collect some communication samples. Here's one of them:

Detected OOK package 2020-01-03 00:38:31
Pulse data: 11 pulses
[  0] Pulse: 2098, Gap:  742, Period: 2840
[  1] Pulse:  258, Gap:  989, Period: 1247
[  2] Pulse:  263, Gap: 1237, Period: 1500
[  3] Pulse:  261, Gap:  990, Period: 1251
[  4] Pulse:  257, Gap:  743, Period: 1000
[  5] Pulse:  257, Gap:  742, Period:  999
[  6] Pulse:  256, Gap: 1490, Period: 1746
[  7] Pulse:  263, Gap:  488, Period:  751
[  8] Pulse:  259, Gap:  742, Period: 1001
[  9] Pulse:  256, Gap:  990, Period: 1246
[ 10] Pulse:  260, Gap: 20981, Period: 21241
Analyzing pulses...
Total count:   11,  width: 55.36 ms (13841 S)
Pulse width distribution:
 [ 0] count:    1,  width: 8392 us [8392;8392] (2098 S)
 [ 1] count:   10,  width: 1036 us [1024;1052] ( 259 S)
Gap width distribution:
 [ 0] count:    4,  width: 2968 us [2968;2972] ( 742 S)
 [ 1] count:    3,  width: 3956 us [3956;3960] ( 989 S)
 [ 2] count:    2,  width: 5452 us [4948;5960] (1363 S)
 [ 3] count:    1,  width: 1952 us [1952;1952] ( 488 S)
Pulse period distribution:
 [ 0] count:    1,  width: 11360 us [11360;11360] (2840 S)
 [ 1] count:    4,  width: 5244 us [4984;6000] (1311 S)
 [ 2] count:    3,  width: 4000 us [3996;4004] (1000 S)
 [ 3] count:    1,  width: 6984 us [6984;6984] (1746 S)
 [ 4] count:    1,  width: 3004 us [3004;3004] ( 751 S)
Level estimates [high, low]:  15839,     59
RSSI: -0.1 dB SNR: 24.2 dB Noise: -24.4 dB
Frequency offsets [F1, F2]:   19089,      0 (+72.8 kHz, +0.0 kHz)
Guessing modulation: Pulse Width Modulation with multiple packets
Attempting demodulation... short_width: 1036, long_width: 8392, reset_limit: 5964, sync_width: 0
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=1036,l=8392,r=5964,g=2976,t=2940,y=0'
pulse_demod_pwm(): Analyzer Device
bitbuffer:: Number of rows: 6
[00] { 2} 40        : 01
[01] { 1} 80        : 1
[02] { 1} 80        : 1
[03] { 3} e0        : 111
[04] { 3} e0        : 111
[05] { 1} 80        : 1

From the samples I collected there are some things I can notice:
  • Apart from a "long" preamble, all pulses have the same length (about 250)
  • Gaps have several different lengths, all (about) multiples of 250 (values that can be seen are: 250, 500, 750, 1000, 1250, 1500, 1750, 2000...)
  • rtl_433 guesses a PWM modulation, which does not seem right given the above assumptions (maybe the preamble is to blame?)
With this data, I hope you can help me figure it out. Thanks in advance.

Christian Zuckschwerdt

Jan 3, 2020, 6:18:53 AM
to rtl_433
Just one sample of 11 "bits" isn't enough to make any assumption here.
You need to look at the sample with Pulseview to make sure this is demodulated properly. Perhaps post a screenshot.
If it's proper OOK then the raw OOK output might be more helpful (rtl_433 -w OOK:- )

Benjamin Larsson

Jan 3, 2020, 7:15:40 AM
to rtl...@googlegroups.com

On 1/3/20 1:04 AM, Alexander Morrison wrote:
> Hello. I've been capturing traffic from some old sensors with my SDR.
> I found out about rtl_433 which looks like a very handy tool for
> reverse engineering, however I need some help detecting the modulation
> used by these sensors.
>
> Using rtl_433 with the -A and -v flags I've been able to collect some
> communication samples. Here's one of them:
>
> Detected OOK package 2020-01-03 00:38:31
> Pulse data: 11 pulses
> [  0] Pulse: 2098, Gap:  742, Period: 2840
> [  1] Pulse:  258, Gap:  989, Period: 1247
> [  2] Pulse:  263, Gap: 1237, Period: 1500
> [  3] Pulse:  261, Gap:  990, Period: 1251
> [  4] Pulse:  257, Gap:  743, Period: 1000
> [  5] Pulse:  257, Gap:  742, Period:  999
> [  6] Pulse:  256, Gap: 1490, Period: 1746
> [  7] Pulse:  263, Gap:  488, Period:  751
> [  8] Pulse:  259, Gap:  742, Period: 1001
> [  9] Pulse:  256, Gap:  990, Period: 1246
> [ 10] Pulse:  260, Gap: 20981, Period: 21241
> Analyzing pulses...
> Total count:   11,  width: 55.36 ms(13841 S)
> Pulse width distribution:
>  [ 0] count:    1,  width: 8392 us [8392;8392](2098 S)
>  [ 1] count:   10,  width: 1036 us [1024;1052]( 259 S)
> Gap width distribution:
>  [ 0] count:    4,  width: 2968 us [2968;2972]( 742 S)
>  [ 1] count:    3,  width: 3956 us [3956;3960]( 989 S)
>  [ 2] count:    2,  width: 5452 us [4948;5960](1363 S)
>  [ 3] count:    1,  width: 1952 us [1952;1952]( 488 S)
> Pulse period distribution:
>  [ 0] count:    1,  width: 11360 us [11360;11360](2840 S)
>  [ 1] count:    4,  width: 5244 us [4984;6000](1311 S)
>  [ 2] count:    3,  width: 4000 us [3996;4004](1000 S)
>  [ 3] count:    1,  width: 6984 us [6984;6984](1746 S)
>  [ 4] count:    1,  width: 3004 us [3004;3004]( 751 S)
> Level estimates [high, low]:  15839,     59
> RSSI: -0.1 dB SNR: 24.2 dB Noise: -24.4 dB
> Frequency offsets [F1, F2]:   19089,      0(+72.8 kHz, +0.0 kHz)
> Guessing modulation: Pulse Width Modulation with multiple packets
> Attempting demodulation... short_width: 1036, long_width: 8392,
> reset_limit: 5964, sync_width: 0
> Use a flex decoder with -X
> 'n=name,m=OOK_PWM,s=1036,l=8392,r=5964,g=2976,t=2940,y=0'
> pulse_demod_pwm(): Analyzer Device
> bitbuffer:: Number of rows: 6
> [00] { 2} 40        : 01
> [01] { 1} 80        : 1
> [02] { 1} 80        : 1
> [03] { 3} e0        : 111
> [04] { 3} e0        : 111
> [05] { 1} 80        : 1
>
> From the samples I collected there are some things I can notice:
>
> * Apart from a "long" preamble, all pulses have the same length
> (about 250)
> * Gaps have several different lengths, all (about) multiples of 250
> (values that can be seen are: 250, 500, 750, 1000, 1250, 1500, 1750,
> 2000...)
> * rtl_433 guesses a PWM modulation, which does not seem right given
> above assumptions (maybe the preamble is to blame?)
>
> With this data, I hope you can help me figure it out. Thanks in advance.

Hi, the guess is, as you say, incorrect. The modulation is some kind of
PPM flavour. But more samples are needed to figure out the modulation.
The analyzer output seems to indicate non-binary symbols, which is not so
common. More signals are needed to really say what it is.

MvH

Benjamin Larsson

Message has been deleted

Benjamin Larsson

Jan 3, 2020, 8:19:06 AM
to rtl...@googlegroups.com

On 1/3/20 2:14 PM, Alexander Morrison wrote:
> Thank you for your answers. All signals send from this device have the
> same structure: 11 pulses (1 long preamble + 10 short) and variable gaps.
>
>

What type of device and values are transmitted?


MvH

Benjamin Larsson

Message has been deleted

Benjamin Larsson

Jan 3, 2020, 12:29:19 PM
to rtl...@googlegroups.com
On 1/3/20 5:44 PM, Alexander Morrison wrote:

> It's an old fire sensor from ITI, which presumably sends its device
> ID, battery status and possibly other relevant information to a CPU
> (which I don't have). The label with the exact model number is also
> missing.
>

This device might use the Interlogix protocol. Anyway without the
possibility to change protocol parameters it is hard to figure out more
regarding this signal.

MvH

Benjamin Larsson

Christian Zuckschwerdt

Jan 3, 2020, 12:32:36 PM
to rtl_433
Looks like the base timing might be 1000µs, i.e. 1ms. The OOK in ms would be:

4 3
1 4
1 5
1 4
1 1
1 4
1 4
1 4
1 4
1 5
1 40

Or expanded (with every 0 or 1 taking one ms)

1111000100001000001000010100001000010000100001000001

Maybe you can collect more patterns and put them all in a BitBench (like this: http://triq.net/bitbench?c=y1111000100001000001000010100001000010000100001000001&f=v )

Wild guess: could those 4 time slots encode 2.5 bits? There is only a single bit in every group of 4 ms: http://triq.net/bitbench?c=y1111000100001000001000010100001000010000100001000001&f=4b%20
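
Added example (not part of the original thread and not rtl_433 code): the quantise-and-expand step described in the post above, applied to the pulse rows from the first post's rtl_433 -A listing. Assumptions: 4 µs per sample (the listing reports 2098 S as 8392 µs), the suggested 1000 µs base, a 10-unit gap limit for end of packet, and hypothetical function names.

```python
import re

# Constructed input: the "Pulse data" rows copied from the first post.
# Values are in samples, as printed by rtl_433 -A.
ROWS = """\
[  0] Pulse: 2098, Gap:  742, Period: 2840
[  1] Pulse:  258, Gap:  989, Period: 1247
[  2] Pulse:  263, Gap: 1237, Period: 1500
[  3] Pulse:  261, Gap:  990, Period: 1251
[  4] Pulse:  257, Gap:  743, Period: 1000
[  5] Pulse:  257, Gap:  742, Period:  999
[  6] Pulse:  256, Gap: 1490, Period: 1746
[  7] Pulse:  263, Gap:  488, Period:  751
[  8] Pulse:  259, Gap:  742, Period: 1001
[  9] Pulse:  256, Gap:  990, Period: 1246
[ 10] Pulse:  260, Gap: 20981, Period: 21241
"""
US_PER_SAMPLE = 4  # assumption taken from the listing: 2098 S == 8392 us
ROW = re.compile(r"\[\s*\d+\]\s+Pulse:\s*(\d+),\s+Gap:\s*(\d+)")

def parse_pulses(text):
    """Return [(pulse_us, gap_us), ...] from analyzer pulse rows."""
    return [(int(p) * US_PER_SAMPLE, int(g) * US_PER_SAMPLE)
            for p, g in ROW.findall(text)]

def quantize(pairs, base_us=1000):
    """Round every pulse and gap to a whole number of base units (min 1)."""
    return [(max(1, round(p / base_us)), max(1, round(g / base_us)))
            for p, g in pairs]

def gap_symbols(units, max_gap=10):
    """Gap lengths inside the packet; longer gaps are treated as packet end."""
    return [g for _, g in units if g <= max_gap]

def expand(units, max_gap=10):
    """One character per base unit: '1' carrier on, '0' carrier off."""
    return "".join("1" * p + ("0" * g if g <= max_gap else "")
                   for p, g in units)

if __name__ == "__main__":
    units = quantize(parse_pulses(ROWS))
    print("pulse/gap in base units:", units)
    print("gap symbols:", gap_symbols(units))
    print("distinct gap lengths:", sorted(set(gap_symbols(units))))
    print("expanded:", expand(units))
```

The expanded string can be pasted into BitBench; a single packet only gives a lower bound on the symbol alphabet, so run it over several captures.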

Alexander Morrison

Jan 3, 2020, 1:15:08 PM
to rtl_433
> Maybe you can collect more patterns and put them all in a BitBench (like this: http://triq.net/bitbench?c=y1111000100001000001000010100001000010000100001000001&f=v )

That looks like a handy tool, I'll be sure to play around with it.

The fact that there is only one bit in every group of 4 is also very interesting, however I didn't quite grasp what you mean by

Christian Zuckschwerdt

Jan 3, 2020, 1:21:13 PM
to rtl_433
If it were always exactly 1 bit in a group of 4 that would be nice. But there is also a 0000 group. So 5 possible "states" is log2(5) = 2.3 bits. And likely only a coincidence :/

Alexander Morrison

Jan 3, 2020, 2:52:45 PM
to rtl_433
Ahhh, got it. Well I just managed to record a signal which has two '1' in a group of 4, so it may be just a coincidence indeed. I'll keep playing around and I'll update you if I find something new.