RTL 433
(→Radio/RCSwitch 参考) |
(→门磁分析示例(QuickStart)) |
||
(未显示1个用户的12个中间版本) | |||
第146行: | 第146行: | ||
$ git clone https://github.com/merbanan/rtl_433 | $ git clone https://github.com/merbanan/rtl_433 | ||
$ cd rtl_4333 | $ cd rtl_4333 | ||
− | $ | + | $ mkdir build |
$ cd build | $ cd build | ||
+ | $ cmake -DENABLE_OPENSSL=OFF ../ | ||
+ | $ make | ||
$ sudo make install | $ sudo make install | ||
-- Installing: /usr/local/include/rtl_433_devices.h | -- Installing: /usr/local/include/rtl_433_devices.h | ||
第250行: | 第252行: | ||
<br> | <br> | ||
− | == | + | == 门磁分析示例(QuickStart) == |
@433.97MHz | @433.97MHz | ||
第265行: | 第267行: | ||
ch0, protocol 1, delay = 297us,则 1: H300x3_L300x1, 0: H300x1_L300x3 | ch0, protocol 1, delay = 297us,则 1: H300x3_L300x1, 0: H300x1_L300x3 | ||
+ | |||
+ | <source lang=bash> | ||
+ | # protocol 1, delay=300, 24bit | ||
+ | # | ||
+ | # pulse_len=350us | ||
+ | # 0: H350x1_L350x3 <--- s=350,l=1050 | ||
+ | # 1: H350x3_L350x1 | ||
+ | # pre: 350us x 31 | ||
+ | $ rtl_433 -f 433970000 -s 1024k | ||
+ | time : 2023-12-06 18:44:09 | ||
+ | model : Kerui-Security ID (20bit): 0xe9e55 | ||
+ | Command (4bit): 0xe opened : 1 State : open | ||
+ | _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ||
+ | time : 2023-12-06 18:44:09 | ||
+ | model : Smoke-GS558 id : 21820 | ||
+ | unit : 23 learn : 0 Raw Code : 7aa797 | ||
+ | </source> | ||
+ | |||
+ | s=900 即码 1 时高电平的时间 900us; l=300 即码 0 时,高电平的时间 300us | ||
+ | |||
+ | <source lang=bash> | ||
+ | comcat@nodetao:/data/sdr/rtl_433$ rtl_433 -f 433970000 -s 1024k -X "n=door,m=OOK_PWM,s=900,l=300,y=350,r=9300,g=1100,t=60" | ||
+ | _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ | ||
+ | time : 2023-12-07 10:48:26 | ||
+ | model : door count : 12 num_rows : 12 rows : | ||
+ | len : 1 data : 0, | ||
+ | len : 25 data : e9e55e0, | ||
+ | len : 25 data : e9e55e0, | ||
+ | len : 25 data : e9e55e0, | ||
+ | len : 25 data : e9e55e0, | ||
+ | len : 25 data : e9e55e0, | ||
+ | len : 25 data : e9e55e0, | ||
+ | len : 25 data : e9e55e0, | ||
+ | len : 25 data : e9e55e0, | ||
+ | len : 14 data : e9e4, | ||
+ | len : 10 data : af0, | ||
+ | len : 7 data : e8 | ||
+ | codes : {1}0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {14}e9e4, {10}af0, {7}e8 | ||
+ | _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ | ||
+ | time : 2023-12-07 10:48:26 | ||
+ | model : Smoke-GS558 id : 21820 | ||
+ | unit : 23 learn : 0 Raw Code : 7aa797 | ||
+ | </source> | ||
+ | |||
+ | Last version: | ||
+ | <source lang=bash> | ||
+ | comcat@nodetao:/data/sdr/rtl_433$ rtl_433 -f 433970000 -s 1024k -R0 -X "n=door,m=OOK_PWM,s=900,l=300,y=200,r=9300,g=1100,t=60,bits>=24,unique" | ||
+ | _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ | ||
+ | time : 2023-12-07 13:37:10 | ||
+ | model : door count : 26 num_rows : 27 len : 25 data : e9e55e0 | ||
+ | _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ | ||
+ | time : 2023-12-07 13:37:10 | ||
+ | model : door count : 1 num_rows : 1 len : 25 data : e9e55e0 | ||
+ | </source> | ||
<br> | <br> |
2023年12月7日 (四) 14:39的最后版本
目录 |
[编辑] 1 Overview
发射部分多是声表谐振器 (Surface Acoustic Wave Resonators):
常见频率 315MHz 和 433MHz
通电、信号脚为 1 就发射
发射编码部分通常用 PT2262/eV1527 编码芯片,也可直接通过程序控制发射
亦有采用 Si4010 这类 C51 mcu 集成 OOK&FSK RF 功能的超小体积芯片解决方案
[编辑] 2 Quick Start
$ rtl_433 -f 433.92M -X "n=Tesla,m=OOK_MC_ZEROBIT,s=400,r=1200,t=60" $ rtl_433 -c /usr/local/etc/rtl_433/tesla_charge-port-opener.conf
PWM
- short: Nominal width of 1 pulse [us]
- long: Nominal width of 0 pulse [us]
- sync: Nominal width of sync pulse [us] (optional)
OOK_MC_ZEROBIT : Manchester Code with fixed leading zero bit
[编辑] 2.1 Input
-d 0 # Using the first RTL-SDR found (by default) -d driver=lime -d rtl_tcp://192.168.1.2:1234 # input from a file -r g001_433.92M_250k.cu8
Config the input:
[-f <frequency>] Receive frequency(s) (default: 433920000 Hz) [-H <seconds>] Hop interval for polling of multiple frequencies (default: 600 seconds) [-E hop | quit] Hop/Quit after outputting successful event(s) [-s <sample rate>] Set sample rate (default: 250000 Hz) [-g <gain> | help] (default: auto) [-t <settings>] apply a list of keyword=value settings for SoapySDR devices e.g. -t "antenna=A,bandwidth=4.5M,rfnotch_ctrl=false" [-p <ppm_error>] Correct rtl-sdr tuner frequency offset error (default: 0)
[编辑] 2.2 Output
The default output is to the screen
-F kv prints to the screen -F json prints json lines -F csv prints a csv formatted file -F mqtt sends to MQTT -F influx sends to InfluxDB -F csv:log.csv # Append output to file -F mqtt:127.0.0.1:1514
Write all received RAW data to a file with:
- -w <filename>
- -W <filename> to overwrite an existing file
Store raw sample data:
rtl_433 can write a file for each received signal. This is the preferred mode for generating files to later analyze or add as test cases.
-S all to write all signals to files, -S unknown to write signals which couldn't be decoded to files, -S known to write signals that could be decoded to files.
The saves signals are raw I/Q samples (uint8 pcm, 2 channel).
-A # Pulse Analyzer. Enable pulse analysis and decode attempt. -R 0 # Disable all decoders -v to show detailed notes on startup, -vv to show failed decoding attempts, -vvv to show all decoding attempts,
[编辑] 2.3 Modulation
OOK_MC_ZEROBIT : Manchester Code with fixed leading zero bit OOK_PCM : Non Return to Zero coding (Pulse Code) OOK_RZ : Return to Zero coding (Pulse Code) OOK_PPM : Pulse Position Modulation OOK_PWM : Pulse Width Modulation OOK_DMC : Differential Manchester Code OOK_PIWM_RAW : Raw Pulse Interval and Width Modulation OOK_PIWM_DC : Differential Pulse Interval and Width Modulation OOK_MC_OSV1 : Manchester Code for OSv1 devices FSK_PCM : FSK Pulse Code Modulation FSK_PWM : FSK Pulse Width Modulation FSK_MC_ZEROBIT : Manchester Code with fixed leading zero bit
- FSK:两个不同的频率分别代表 0 和 1,FSK 信号要想准确判定是 1 还是 0 (高频率还是低频率), 总是要等几个信号周期
- OOK:On-Off Keying,当“1”出现时接通振幅为 A 的载波,“0” 出现时关断载波。是 ASK (Amplitude Shift Keying) 振幅键控调制的一个特例
- ASK:相当于模拟信号中的调幅,只不过与载频信号相乘的是二进制数。移幅就是把频率、相位作为常量,而把振幅作为变量。
如上图所示,载波经过调制之后可以有 4 个幅度,分别为 V0=00、V1=01、V2=10、V3=11, 每一个幅度可以代表 2 个 bit,这样它的传输速率就是 OOK 的 2 倍
更多参考:
[编辑] 3 Build
$ sudo apt-get install libtool libusb-1.0-0-dev librtlsdr-dev rtl-sdr build-essential cmake pkg-config $ git clone https://github.com/merbanan/rtl_433 $ cd rtl_4333 $ mkdir build $ cd build $ cmake -DENABLE_OPENSSL=OFF ../ $ make $ sudo make install -- Installing: /usr/local/include/rtl_433_devices.h -- Installing: /usr/local/bin/rtl_433 -- Installing: /usr/local/etc/rtl_433/CAME-TOP432.conf ......
[编辑] 4 Radio/RCSwitch 参考
/* Sends a "0" Bit * _ * Waveform Protocol 1: | |___ * _ * Waveform Protocol 2: | |__ * __ * Waveform Protocol 4: | |_ */ void Radio::send0() { if (this->nProtocol == 1){ this->transmit(1,3); } else if (this->nProtocol == 2) { this->transmit(1,2); } else if (this->nProtocol == 3) { this->transmit(4,11); } else if (this->nProtocol == 4) { this->transmit(1,2); } } /* Sends a "1" Bit * ___ * Waveform Protocol 1: | |_ * __ * Waveform Protocol 2: | |_ * __ * Waveform Protocol 4: | |_ */ void Radio::send1() { if (this->nProtocol == 1){ this->transmit(3,1); } else if (this->nProtocol == 2) { this->transmit(2,1); } else if (this->nProtocol == 3) { this->transmit(9,6); } else if (this->nProtocol == 4) { this->transmit(2,1); } }
Protocol 1:
- pulse_len = 350us
- 0: H350x1_L350x3 <--- 则 s=350,l=1050
- 1: H350x3_L350x1
- pre = 350us x 31
Protocol 2: 650us,
Protocol 3: 100us,
Protocol 4:
- pulse_len = 350us
- 0: H350x1_L350x2 <--- s=350,l=700
- 1: H350x2_L350x1
- pre = 350us x 14
[编辑] 5 分析
原来老方法:天使之翼遥控晾衣架分析
$ rtl_433 -f 433.93M -A -S all # 生成文件: g001_433.93M_250k.cu8
在浏览器中分析生成的文件 g001_433.93M_250k.cu8
WJX 有频繁数据:
$ rtl_433 -f 433.25M -X 'n=WJX,m=FSK_PCM,s=4,l=4,r=4096'
PWM
- short: Nominal width of 1 pulse [us] (高电平时间)
- long: Nominal width of 0 pulse [us] (低电平时间)
- sync: Nominal width of sync pulse [us] (optional)
[编辑] 6 门磁分析示例(QuickStart)
@433.97MHz
| 1643104 | 2023-12-03 10:45:31 | {"meta":"0,4,337,40","value":"0000004F0546F011","fwver":"1.1.6"} | | 1643103 | 2023-12-03 10:30:19 | {"meta":"0,4,340,40","value":"000000B63E800011","fwver":"1.1.6"} | | 1643102 | 2023-12-03 10:30:07 | {"meta":"0,4,338,40","value":"000000B63E800011","fwver":"1.1.6"} | | 1643101 | 2023-12-03 10:29:14 | {"meta":"0,4,339,40","value":"000000B63E800055","fwver":"1.1.6"} | | 1643100 | 2023-12-02 23:04:48 | {"meta":"1,1,264,24","value":"00000000007D55F0","fwver":"1.1.6"} | | 1643099 | 2023-12-02 21:15:53 | {"meta":"0,1,356,24","value":"00000000006AAC45","fwver":"1.1.6"} | {"meta":"0,1,297,24","value":"0000000000E834DE"}
ch0, protocol 1, delay = 297us,则 1: H300x3_L300x1, 0: H300x1_L300x3
# protocol 1, delay=300, 24bit # # pulse_len=350us # 0: H350x1_L350x3 <--- s=350,l=1050 # 1: H350x3_L350x1 # pre: 350us x 31 $ rtl_433 -f 433970000 -s 1024k time : 2023-12-06 18:44:09 model : Kerui-Security ID (20bit): 0xe9e55 Command (4bit): 0xe opened : 1 State : open _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ time : 2023-12-06 18:44:09 model : Smoke-GS558 id : 21820 unit : 23 learn : 0 Raw Code : 7aa797
s=900 即码 1 时高电平的时间 900us; l=300 即码 0 时,高电平的时间 300us
comcat@nodetao:/data/sdr/rtl_433$ rtl_433 -f 433970000 -s 1024k -X "n=door,m=OOK_PWM,s=900,l=300,y=350,r=9300,g=1100,t=60" _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ time : 2023-12-07 10:48:26 model : door count : 12 num_rows : 12 rows : len : 1 data : 0, len : 25 data : e9e55e0, len : 25 data : e9e55e0, len : 25 data : e9e55e0, len : 25 data : e9e55e0, len : 25 data : e9e55e0, len : 25 data : e9e55e0, len : 25 data : e9e55e0, len : 25 data : e9e55e0, len : 14 data : e9e4, len : 10 data : af0, len : 7 data : e8 codes : {1}0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {25}e9e55e0, {14}e9e4, {10}af0, {7}e8 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ time : 2023-12-07 10:48:26 model : Smoke-GS558 id : 21820 unit : 23 learn : 0 Raw Code : 7aa797
Last version:
comcat@nodetao:/data/sdr/rtl_433$ rtl_433 -f 433970000 -s 1024k -R0 -X "n=door,m=OOK_PWM,s=900,l=300,y=200,r=9300,g=1100,t=60,bits>=24,unique" _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ time : 2023-12-07 13:37:10 model : door count : 26 num_rows : 27 len : 25 data : e9e55e0 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ _ _ _ _ _ _ _ _ time : 2023-12-07 13:37:10 model : door count : 1 num_rows : 1 len : 25 data : e9e55e0
[编辑] 7 TSLA
@433.93MHz (433.933MHz)
- The button on the charge handle is pressed, the signal is repeated at 0.15s intervals for 10 times.
- The code is the same for all Tesla charge port
- The transmitter hardware is reported to be using a Si4010
- There is always 2 rows = 094aa9b38da19 and 1 row = 094aa9b38da18.
time : @0.203604s model : Tesla charge port opener count : 5 num_rows : 5 rows : len : 13 data : 0000, len : 52 data : 094aa9b38da19, len : 52 data : 094aa9b38da19, len : 51 data : 094aa9b38da18, len : 1 data : 0 codes : {13}0000, {52}094aa9b38da19, {52}094aa9b38da19, {51}094aa9b38da18, {1}0
# Tesla charge port opener decoder { name = Tesla charge port opener, modulation = OOK_MC_ZEROBIT, short = 400, reset = 1200, tolerance = 50, match = 094aa9b38da19, rows = 5 repeats = 2, countonly, }
$ rtl_433 -f 433930000 -X "n=Tesla,m=OOK_MC_ZEROBIT,s=400,r=1200,t=60" $ rtl_433 -c /usr/local/etc/rtl_433/tesla_charge-port-opener.conf
https://github.com/merbanan/rtl_433/blob/master/conf/tesla_charge-port-opener.conf
https://github.com/merbanan/rtl_433_tests/pull/392
https://github.com/fredilarsen/TeslaChargeDoorOpener
发射采用 6SC2 (CP7L, MSOP10) + loop 天线,体积极小。核心芯片 6SC2 应该类似 https://www.silabs.com/documents/public/data-sheets/Si4010.pdf
[编辑] 8 Lifesense LS102
Body scale @433.24MHz or 433.35MHz
原接收端使用一个 Si4431 的模块 (FSK & OOK) https://www.silabs.com/documents/public/data-sheets/Si4430-31-32.pdf
比较接近:
$ rtl_433 -f 433.25M -X 'n=LS102,m=FSK_PCM,s=400,l=400,r=2000'
# cat /jffs/configs/dnsmasq.d/apiiot #address=/lifesense.com/192.168.1.79 address=/lsdevicedata.lhealthcenter.com/192.168.1.79 #address=/lsdevicedata.lhealthcenter.com/101.36.126.202: GET /devicedataservice/dataservice?data=25645dd70011650000000000000000000041374104000000000000000000c4ebb14f HTTP/1.1 Host: lsdevicedata.lhealthcenter.com Connection: keep-alive 64:5d:d7:00:11:65 --------------------- HTTP/1.1 200 Server: Tengine Date: Mon, 10 Oct 2022 00:21:19 GMT Content-Type: text/html; charset=utf-8 Content-Length: 58 A00000000000000001000000000000000000000000000000bec650a1
[编辑] 9 PH sensor
decoder { name = Given Imaging Bravo, modulation = OOK_PWM, short = 360, long = 711, gap = 1070, reset = 12000000, bits = 59, invert, get = @10:{16}:txid, get = @26:{8}:msgid, get = @34:{8}:pH1, get = @42:{8}:pH2, get = @50:{8}:crc }
https://analogist.net/post/decoding-radio-ph-capsules-with-rtl_433/
[编辑] 10 Reference
- https://github.com/merbanan/rtl_433
- Transform SDR I/Q data
- LimeSDR 无线信号重放攻击和逆向分析
- http://www.quassi.nl/2014/05/19/sdr-433-mhz-door-bell/
- https://goughlui.com/2013/12/20/rtl-sdr-433-92mhz-askook-decoding-of-various-devices-with-rtl_433/
- https://analogist.net/post/decoding-radio-ph-capsules-with-rtl_433/