HackRF wireless doorbell signal analysis and replay

Source: Internet
Author: User

Note from the author: I am honestly not confident in the data decoding, and there may be mistakes in the analysis; I am posting it so we can discuss it together, and corrections are welcome.

0x01 Overview

This is a wireless remote-control doorbell operating in the 315 MHz band. According to the official manual and the chip markings it uses the EV1527 encoder (sold as a "million-code" encoder). The EV1527 is a wireless encoder ASIC manufactured in CMOS with a 20-bit internal code, so roughly one million (2^20) internal code combinations can be pre-programmed, and its transmitters are available for both 315 MHz and 433 MHz. This article only performs a simple analysis of the recorded signal waveform; refer to the documents below for the detailed code structure.

EV1527 chip description: http://www.sc-tech.cn/ev1527.pdf
EV1527 code bit waveform: http://wenku.baidu.com/View/1b54c361ddccda38376baf7c.html

Encoder module features:

0x02 Signal Analysis

First, use GQRX or SDR# to pin down the doorbell's exact operating frequency. My own doorbell measured at 315.1 MHz, while the company's doorbell sits on the nominal 315 MHz given in the specification.

The EV1527's oscillator frequency is determined by the supply voltage and the oscillation resistor: the higher the voltage, the higher the frequency, and the larger the resistor, the lower the frequency, so the possible combinations give practically unlimited timings and units rarely coincide. Note, however, that this oscillator only sets the encoder's bit timing (the unit pulse width t used below); the EV1527 has no RF section, and the carrier of a 315 MHz module is fixed by the transmitter's resonator, so a 0.1 MHz offset between two units is most plausibly component tolerance.

Next, record the band of interest with hackrf_transfer:

hackrf_transfer -r Hell.iq -f 315100000 -s 8000000 -n 40000000

Explanation: -r Hell.iq records to the file Hell.iq, -f sets the centre frequency to 315.1 MHz, -s sets the sample rate to 8 Msps and -n sets the number of samples to 40 M, which at 8 Msps is 5 seconds of capture (each sample is one signed 8-bit I value and one signed 8-bit Q value, so expect an 80 MB file).

Press the remote's button within those 5 seconds; the bell rings and the transmission is recorded.

Replay the recording to check that the capture is usable:

hackrf_transfer -t Hell.iq -f 315100000 -s 8000000 -a 1 -l 40 -x 47

Explanation: -t Hell.iq transmits the file, -f sets the centre frequency to 315.1 MHz, -s sets the sample rate to 8 Msps (it must match the recording), -a 1 enables the RF amplifier, -l 40 sets the RX LNA (IF) gain to 40 dB (irrelevant when only transmitting, but harmless), and -x 47 sets the TX VGA (IF) gain to 47 dB, the maximum.

If the bell rings, the recording is valid. If it does not, the recording frequency may be wrong or the captured signal incomplete; record a few more times. Note that devices such as car keys use rolling codes, where each transmitted code is valid only once (or a few times), so a plain replay will not work against them.

Strictly speaking, the replay is not needed for the signal analysis that follows; it only confirms the capture.

Now load Hell.iq into the audio editor Audacity: its waveform view is enough to identify the modulation and read off the data.

After opening Audacity, click File -> Import -> Raw Data and configure the import for the hackrf_transfer format: encoding Signed 8-bit PCM, 2 channels (I and Q interleaved), sample rate 8000000 Hz.

After a successful import the waveform looks like this:

The recording contains 14 complete copies of the signal (the remote repeats the frame for as long as the button is held). Select one and zoom in with the magnifier to look at its structure.

The zoomed-in view shows the same pulse train, a sequence of carrier-on and carrier-off intervals. We already know the module uses ASK/OOK, which keeps the analysis simple. OOK (on-off keying) is the special case of ASK in which the carrier is switched fully on or off, essentially the way Morse code works. Its noise immunity is poorer than that of other modulation schemes, so it is not used in satellite or digital microwave links, but its simplicity makes it common in remote controls, RFID and similar low-cost devices.

Take the narrowest blue bar (carrier on) as the unit width and write it as 1, and a white gap (carrier off) as 0: a gap that would hold n unit bars is n zeros, and a wider bar that would hold n unit bars is n ones.
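The width measurement just described can be automated. The following is an added example, not code from the original article: it thresholds the envelope of an 8-bit I/Q recording in the layout hackrf_transfer -r writes (interleaved signed 8-bit I and Q samples), collapses it into carrier-on/off runs and expresses each run in units of the narrowest pulse, which is the rule above. The I/Q input it runs on is constructed in code from a short symbol sequence rather than recorded, and the 400 samples per symbol, the mid-amplitude threshold and the noise level are the example's own choices.

```python
"""Automate the width measurement just described: threshold the envelope of an 8-bit
I/Q recording and express each carrier-on/off run in units of the narrowest pulse.

Added example, not code from the original article. It assumes the file layout that
hackrf_transfer -r writes (interleaved signed 8-bit I and Q samples). The input it
runs on is constructed below from a short symbol sequence; the 400 samples per
symbol, the mid-amplitude threshold and the noise level are this example's choices.
"""
import math
import random
import struct
from itertools import groupby

SAMPLES_PER_SYMBOL = 400  # one 0.4 ms unit pulse at 1 Msps, the figures used later in the article


def envelope(raw):
    """Magnitude of every complex sample in an interleaved signed 8-bit I/Q buffer."""
    vals = struct.unpack("%db" % len(raw), raw)
    return [math.hypot(i, q) for i, q in zip(vals[0::2], vals[1::2])]


def ook_runs(mag, threshold):
    """Collapse the thresholded envelope into (carrier_on, run_length_in_samples) pairs."""
    return [(on, sum(1 for _ in grp)) for on, grp in groupby(m > threshold for m in mag)]


def runs_to_symbols(runs):
    """Carrier on -> '1', off -> '0', one character per unit width.

    The unit is the narrowest run between the first and last ones (a recording usually
    cuts those two short): in a 0 bit that is the 1t carrier pulse the manual method
    takes as its reference, in a 1 bit it is the 1t gap.
    """
    inner = runs[1:-1] if len(runs) > 2 else runs
    unit = min(length for _, length in inner)
    return "".join(("1" if on else "0") * max(1, round(length / unit)) for on, length in runs)


def demodulate(raw):
    """I/Q bytes -> symbol string such as '1000111010001...'."""
    mag = envelope(raw)
    threshold = (max(mag) + min(mag)) / 2.0  # adequate for a clean, close-range capture
    return runs_to_symbols(ook_runs(mag, threshold))


def synthesize_iq(symbols, amplitude=90, noise_sigma=4.0, seed=1):
    """Constructed test input: OOK baseband plus a little Gaussian noise, as 8-bit I/Q."""
    rng = random.Random(seed)
    out = bytearray()
    for s in symbols:
        level = amplitude if s == "1" else 0
        for _ in range(SAMPLES_PER_SYMBOL):
            i = max(-128, min(127, round(level + rng.gauss(0, noise_sigma))))
            q = max(-128, min(127, round(rng.gauss(0, noise_sigma))))
            out += struct.pack("bb", i, q)
    return bytes(out)


# Bits 0, 1, 1, 0, then the sync (1t high, 31t low), then one more 0 bit.
SAMPLE_SYMBOLS = "1000" + "1110" + "1110" + "1000" + "1" + "0" * 31 + "1000"
SAMPLE_IQ = synthesize_iq(SAMPLE_SYMBOLS)

if __name__ == "__main__":
    print(demodulate(SAMPLE_IQ))
```

On a real Hell.iq the same functions apply to the bytes of one frame cut out in Audacity, or to the whole file, in which case the first and last runs are partial and each long zero run marks a sync gap. Mid-amplitude thresholding is enough for a close-range capture; for a noisy one, low-pass the envelope before thresholding.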

Measuring and tallying the widths this way gives the following symbol string:

1000100011101000111011101000100011101110100011101110100011101000111010001110100010001000100011101

Because the button is held down, the transmission repeats continuously; the gap before the next copy measures about 30 zeros, so one complete repeat unit is:

1000100011101000111011101000100011101110100011101110100011101000111010001110100010001000100011101000000000000000000000000000000

According to the EV1527 datasheet, with a 12 V supply and an 80 kΩ oscillator resistor the unit pulse period is t ≈ 400 μs, i.e. 0.4 ms. Here the pulse period means the width of one unit pulse, the spacing between adjacent pulse edges in the string above; this value is what the simulated transmission later relies on.

Comparing the two identical signal samples with the chip description shows that they are two copies of the same frame. Each frame consists of a sync code, a 20-bit internal code and a 4-bit data code, and frames are sent back to back with no idle time between them.

Timing Diagram:

Data decoding:

Now decode the captured data. The leading 1000 is treated as the SYN here and not analysed further (the datasheet's sync code is a 1t high pulse followed by 31t low); the rest splits into the "million code" (internal code) and the data code. The data code is taken as the last four groups, 1000 1000 1110 1000. Each bit occupies 4t, with 1 meaning carrier on and 0 carrier off: 1000, 1t high then 3t low (4 + 12 oscillator clocks in the datasheet's terms), is bit 0, and 1110, 3t high then 1t low (12 + 4 clocks), is bit 1, so the data code decodes to 0010. The chip description lists 15 key combinations; pressing the doorbell button transmits the corresponding combination, the EV1527-compatible decoder in the receiver recognises it and plays the chime.

A caution on the frame boundary: 1000 is also the pattern of an ordinary 0 bit, and the only 1t:31t pattern in the string is the trailing 1 followed by the run of about 30 zeros, so that run, not the leading 1000, is the sync. Taking the 24 groups that precede the sync gap as the 20 internal-code bits and 4 data bits gives internal code 00101100110110101010 (0x2CDAA) and data code 0001; the reading that follows is the same bit stream shifted by one bit. The raw replay is unaffected because it retransmits the recorded symbols as they are, but the boundary matters when comparing codes between devices or re-encoding them from the datasheet timing.

The internal code decodes by the same rule to 01011001101101010100, which is 367,444 in decimal and 0x59B54 in hexadecimal; this is the chip's "million code" number.

The company doorbell's internal code decodes to 01101001101101100101, which is 432,997 in decimal and 0x69B65 in hexadecimal.

0x03 Data Summary

# My own doorbell
Product model: Langritte LR-1688DC
Transmitter module: EV1527 "million-code" encoder chip
Modulation: ASK/OOK
Operating frequency: 315.1 MHz
Vector: (1,0,0,0,1,0,0,0,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,0,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,0,1,0,0,0,1,1,1,0,1,0,0,0,1,1,1,0,1,0,0,0,1,1,1,0,1,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,1,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)

# Company doorbell
Product model: Langritte LR-1688AC
Transmitter module: EV1527 "million-code" encoder chip
Modulation: ASK/OOK
Operating frequency: 315 MHz
Vector: (1,0,0,0,1,1,1,0,1,1,1,0,1,0,0,0,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,0,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,0,1,0,0,0,1,1,1,0,1,0,0,0,1,0,0,0,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
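Decoding by hand is where a one-bit slip is easy to make, so here is an added example, not code from the original article, that decodes the two vectors in the summary above. It uses the EV1527 timing from the chip description linked in the overview (bit 0 = 1000, bit 1 = 1110, sync = 1t high + 31t low, 20 internal-code bits followed by 4 data bits), finds the frame boundary at the sync gap rather than assuming it, and also shows the reading obtained when the frame is started one group later, which is the hand decoding in the analysis section. The vectors are copied from the summary; the number of trailing zeros in the second one is as transcribed there and does not affect the result.

```python
"""Decode the symbol vectors from the data summary into EV1527 address and data bits.

Added example, not code from the original article. The timing rules come from the
EV1527 description linked in the overview: bit 0 = 1t high + 3t low (1000), bit 1 =
3t high + 1t low (1110), sync = 1t high + 31t low, and one frame = 20 internal-code
bits followed by 4 data bits. The frame boundary is located at the sync gap instead
of being assumed, which is where a hand decoding can slip by one bit.
"""
import re

# Both vectors copied from the data summary: the first is the 97 symbols read off in
# the analysis plus the 31-zero sync gap, the second ends in about 26 zeros as printed.
MY_DOORBELL = ("1000100011101000111011101000100011101110100011101110100011101000"
               "111010001110100010001000100011101" + "0" * 31)
COMPANY_DOORBELL = ("1000111011101000111010001000111011101000111011101000111011101000"
                    "10001110100011101000100010001110" + "0" * 26)

SYMBOL_TO_BIT = {"1000": "0", "1110": "1"}
FRAME_BITS = 24  # 20 internal-code bits + 4 data bits


def frame_start(symbols):
    """Index of the first symbol after the longest run of '0', i.e. after the sync gap."""
    gap = max(re.finditer("0+", symbols), key=lambda m: m.end() - m.start())
    return gap.end() % len(symbols)


def decode_at(symbols, start):
    """Read 24 bits from `start`, wrapping around; returns (address, data, trailer).

    `trailer` is whatever follows the 24 bits: with the boundary chosen correctly it is
    the sync pulse ('1') followed by the gap.
    """
    rotated = symbols[start:] + symbols[:start]
    bits = []
    for k in range(FRAME_BITS):
        group = rotated[4 * k:4 * k + 4]
        if group not in SYMBOL_TO_BIT:
            raise ValueError("bit %d is not an EV1527 symbol group: %r" % (k, group))
        bits.append(SYMBOL_TO_BIT[group])
    bits = "".join(bits)
    return bits[:20], bits[20:], rotated[4 * FRAME_BITS:]


def decode_frame(symbols):
    """Decode with the frame aligned at the sync gap."""
    return decode_at(symbols, frame_start(symbols))


def summarize(symbols):
    address, data, trailer = decode_frame(symbols)
    return {"address_bits": address, "address_hex": "0x%05X" % int(address, 2),
            "data_bits": data, "sync_pulse_present": trailer.startswith("1")}


if __name__ == "__main__":
    for name, vec in (("mine", MY_DOORBELL), ("company", COMPANY_DOORBELL)):
        print(name, summarize(vec))
    # Starting one group later reproduces the hand decoding in the text (0x59B54 / 0010).
    print("shifted by one group:", decode_at(MY_DOORBELL, 4)[:2])
```

With the frame aligned at the sync gap both doorbells carry the same 4-bit data code 0001 and differ only in the 20-bit internal code (0x2CDAA and 0x69B65), which is what two units of the same product with the same button should look like. Starting one group later reproduces the 0x59B54 / 0010 reading, so the two readings are one bit stream at different offsets; the raw replay does not care, but re-encoding or comparing codes does. The second vector as printed has no 1t pulse in front of its gap, which summarize reports via sync_pulse_present.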

0x04 Simulated Signal Source Transmission

The Repeat block sets the pulse period.

Since the sample rate in the flowgraph is 1 MHz and each symbol in the vector must last t = 0.4 ms, every element of the vector source has to be repeated 1e6 × 0.4 × 10^-3 = 400 times, so the Repeat block's interpolation is set to 400.
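The flowgraph is a vector source feeding a Repeat block and then the HackRF sink. The same waveform can be produced without GNU Radio, which is what the following added example does (it is not code from the original article): it encodes an EV1527 frame from an internal code and a data code using the layout in the linked chip description, holds each symbol for t = 0.4 ms and writes interleaved signed 8-bit I/Q for hackrf_transfer -t. The default sample rate is 2 Msps (800 samples per symbol) rather than the flowgraph's 1 Msps because hackrf_transfer's minimum sample rate is 2 Msps; the optional frequency offset and the output file name doorbell.iq are this example's own additions.

```python
"""Produce the replay waveform of the flowgraph above without GNU Radio: encode an
EV1527 frame into unit-pulse symbols, hold each symbol for t = 0.4 ms and write
interleaved signed 8-bit I/Q, the file format hackrf_transfer -t plays.

Added example, not code from the original article. Assumptions: the EV1527 frame
layout from the linked chip description (20 internal-code bits, 4 data bits, then a
sync of 1t high + 31t low); OOK carrier-on as a constant baseband sample; a default
of 2 Msps because hackrf_transfer rejects rates below that (the flowgraph's 1 Msps
gives the article's 400 samples per symbol); the frequency offset is an addition.
"""
import math
import struct

SAMPLE_RATE = 2_000_000   # hackrf_transfer's minimum; pass 1_000_000 to mirror the flowgraph
UNIT_PULSE_S = 0.4e-3     # t from the datasheet figures quoted above
BIT_SYMBOLS = {"0": "1000", "1": "1110"}
SYNC_SYMBOLS = "1" + "0" * 31


def samples_per_symbol(sample_rate=SAMPLE_RATE, unit_pulse_s=UNIT_PULSE_S):
    """The Repeat block's interpolation: 1e6 * 0.4e-3 = 400 at 1 Msps, 800 at 2 Msps."""
    return round(sample_rate * unit_pulse_s)


def encode_frame(address, data):
    """20-bit internal code + 4-bit data code -> one 128-symbol frame ending in the sync."""
    if not (0 <= address < 1 << 20 and 0 <= data < 1 << 4):
        raise ValueError("address is 20 bits, data is 4 bits")
    bits = format(address, "020b") + format(data, "04b")
    return "".join(BIT_SYMBOLS[b] for b in bits) + SYNC_SYMBOLS


def ook_iq(symbols, amplitude=100, repeats=1, offset_hz=0, sample_rate=SAMPLE_RATE):
    """OOK baseband as signed 8-bit I/Q bytes.

    Carrier on is a complex tone at `offset_hz` (a constant I = amplitude when it is 0),
    carrier off is (0, 0). The phase counter runs across symbols and repeats so the
    tone stays continuous.
    """
    spp = samples_per_symbol(sample_rate)
    out = bytearray()
    n = 0
    for s in symbols * repeats:
        for _ in range(spp):
            if s == "1":
                ph = 2 * math.pi * offset_hz * n / sample_rate
                i, q = round(amplitude * math.cos(ph)), round(amplitude * math.sin(ph))
            else:
                i = q = 0
            out += struct.pack("bb", i, q)
            n += 1
    return bytes(out)


def write_replay_file(path, address, data, repeats=14, **kwargs):
    """Write `repeats` back-to-back frames; returns the byte count written."""
    payload = ook_iq(encode_frame(address, data), repeats=repeats, **kwargs)
    with open(path, "wb") as fh:
        fh.write(payload)
    return len(payload)


if __name__ == "__main__":
    # The code read off this article's own doorbell with the frame aligned at the sync gap.
    n = write_replay_file("doorbell.iq", 0x2CDAA, 0b0001)
    print("wrote %d bytes = %.2f s at %d sps" % (n, n / 2 / SAMPLE_RATE, SAMPLE_RATE))
```

Play the file with hackrf_transfer -t doorbell.iq -f 315100000 -s 2000000 -a 1 -x 47. encode_frame(0x2CDAA, 0b0001) reproduces the 128-symbol vector recorded from this article's doorbell symbol for symbol, which doubles as a check of the frame alignment. If a replay is unreliable, generate with offset_hz=100_000 and tune -f 100 kHz lower: a carrier at baseband DC sits on the HackRF's LO leakage, and moving it off centre avoids that.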

GNU Radio flowgraph:
