Hello,
A friend of mine has trouble with alarm sensors that no longer work.
They are old alarm sensors (15 years) that are no longer available, so I tried to repair them.
When I analysed the sensors with an RTL-SDR I saw that most of them did not transmit a signal at all, or in other cases the signal was transmitted away from the centre frequency of 433.92 MHz.
So I replaced the SAW crystal; in 3 of them it worked and the sensors are recognised again…
1 I could not bring back to life.
Because the American variant of the sensors is well analysed by Logan Lamb, I think it would be easy to emulate it.
(DEFCON-22-Logan-Lamb-HOME-INSECURITY-NO-ALARMS-FALSE-ALARMS-AND-SIGINT)
As Logan describes, the sensor transmits OOK Manchester-modulated data.
So I tried to replace them by emulating one with a reprogrammed HC-11 as an ASK transmitter (STM8S003/CC1101).
I also use another CC1101 to verify whether I can receive signals from a working remote control and a repaired burglar sensor.
Because I see my friend only twice a month, I try to verify without the alarm system.
I can receive some data, but this data seems to be received incorrectly.
The minimum bit time of the raw data is 139–142 µs, so the data rate should be in the range of 7.2 kBaud, or?
For the ASK settings of the CC1101 I have not found much information.
At this time I can receive the data.
Two problems:
- 1 byte is missing in the received data after preamble and sync; the data should be:
6A559699595AXXXXXXXXXXXX
559699595AXXXXXXXXXXXX
What have I done wrong?
- The receiver sensitivity is poor; should I modify some settings, and if yes, which?
If someone has some info/hints on what should be done to find the right settings, please write to me.
Attached are my register settings:
// CC1101 register defaults for the 433 MHz OOK receiver described in the post.
// The values are written to the chip as-is. The decoded meanings in the comments
// follow the CC1101 datasheet register map and assume a 26 MHz crystal --
// NOTE(review): confirm both against the datasheet revision for the module in use.
//#define CC1101_DEFVAL_IOCFG2 0x29 // GDO2 Output Pin Configuration (earlier value)
#define CC1101_DEFVAL_IOCFG2 0x2E // GDO2 Output Pin Configuration: 0x2E = high impedance (pin unused)
#define CC1101_DEFVAL_IOCFG1 0x2E // GDO1 Output Pin Configuration: 0x2E = high impedance (pin unused)
#define CC1101_DEFVAL_IOCFG0 0x06 // GDO0 Output Pin Configuration: 0x06 = asserts on sync word, de-asserts at end of packet
#define CC1101_DEFVAL_FIFOTHR 0x07 // RX FIFO and TX FIFO Thresholds (chip reset default)
#define CC1101_DEFVAL_SYNC1 0x55 // Synchronization word, high byte
#define CC1101_DEFVAL_SYNC0 0x56 // Synchronization word, low byte
// NOTE(review): per the datasheet the matched sync word itself is not copied into the RX FIFO;
// the FIFO starts with the first byte after the match. Any frame byte that is consumed as part
// of the 0x5556 match (or that precedes where the match actually lands in the chip stream)
// will look "missing" -- worth checking against the 6A... vs 55... observation in the post.
// Gyaresu changing for max packet length
//#define CC1101_DEFVAL_PKTLEN 0x12 // Packet Length (earlier: 18 bytes)
#define CC1101_DEFVAL_PKTLEN 0x20 // Packet Length: 32 bytes, fixed-length mode (see PKTCTRL0)
#define CC1101_DEFVAL_PKTCTRL1 0x14 // Packet Automation Control: no address check, PQT=0, RSSI/LQI status bytes appended (APPEND_STATUS)
#define CC1101_DEFVAL_PKTCTRL0 0x00 // Packet Automation Control: fixed length, CRC off, whitening off -- no integrity check on received frames
#define CC1101_DEFVAL_ADDR 0x00 // Device Address (unused while ADR_CHK is off in PKTCTRL1)
#define CC1101_DEFVAL_CHANNR 0x00 // Channel Number
#define CC1101_DEFVAL_FSCTRL1 0x06 // Frequency Synthesizer Control: IF = 6 * 26 MHz / 1024 ~= 152 kHz
#define CC1101_DEFVAL_FSCTRL0 0x00 // Frequency Synthesizer Control: no frequency offset
// Carrier frequency = 868 MHz (0x216276 * 26 MHz / 2^16)
#define CC1101_DEFVAL_FREQ2_868 0x21 // Frequency Control Word, High Byte
#define CC1101_DEFVAL_FREQ1_868 0x62 // Frequency Control Word, Middle Byte
#define CC1101_DEFVAL_FREQ0_868 0x76 // Frequency Control Word, Low Byte
// Carrier frequency = 902 MHz (0x22B13B * 26 MHz / 2^16) -- note the macro name says 915
#define CC1101_DEFVAL_FREQ2_915 0x22 // Frequency Control Word, High Byte
#define CC1101_DEFVAL_FREQ1_915 0xB1 // Frequency Control Word, Middle Byte
#define CC1101_DEFVAL_FREQ0_915 0x3B // Frequency Control Word, Low Byte
// Carrier frequency = 433.92 MHz (0x10B071 * 26 MHz / 2^16) -- not active
//#define CC1101_DEFVAL_FREQ2_433 0x10 // Frequency Control Word, High Byte
//#define CC1101_DEFVAL_FREQ1_433 0xB0 // Frequency Control Word, Middle Byte
//#define CC1101_DEFVAL_FREQ0_433 0x71 // Frequency Control Word, Low Byte
// Active 433 MHz setting.
// NOTE(review): 0x10B13B * 26 MHz / 2^16 = 434.000 MHz, not 433.92 MHz; the commented-out
// 0x10B071 triple above is the 433.92 MHz value. If the ~80 kHz offset is intentional
// (the post mentions sensors transmitting off-centre), say so here; otherwise confirm.
#define CC1101_DEFVAL_FREQ2_433 0x10 // Frequency Control Word, High Byte
#define CC1101_DEFVAL_FREQ1_433 0xB1 // Frequency Control Word, Middle Byte
#define CC1101_DEFVAL_FREQ0_433 0x3B // Frequency Control Word, Low Byte
#define CC1101_DEFVAL_MDMCFG4 0x28 // Modem Configuration: CHANBW_E=0, CHANBW_M=2 (RX filter BW ~541 kHz, the widest setting), DRATE_E=8
#define CC1101_DEFVAL_MDMCFG3 0x2C // Modem Configuration: DRATE_M=44 -> data rate ~7.44 kBaud with DRATE_E=8 (post measures ~140 us/bit ~= 7.1 kBaud)
#define CC1101_DEFVAL_MDMCFG2 0x36 // Modem Configuration: ASK/OOK, Manchester decoding OFF, SYNC_MODE=110 (16/16 sync + carrier sense required)
#define CC1101_DEFVAL_MDMCFG1 0x02 // Modem Configuration: FEC off, 2 preamble bytes, CHANSPC_E=2
#define CC1101_DEFVAL_MDMCFG0 0xF8 // Modem Configuration: CHANSPC_M
// NOTE(review): with MANCHESTER_EN=0 the chip delivers the raw chip stream, so the data rate
// must equal the Manchester chip rate and SYNC1:SYNC0 is matched against raw chips, not
// decoded bits -- presumably intended, since the post's bit time is the chip time; confirm.
//
// Earlier attempt:
//#define CC1101_DEFVAL_MDMCFG4 0x28
//#define CC1101_DEFVAL_MDMCFG3 0x28 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG2 0x35 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG1 0x03 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG0 0x3B // Modem Configuration
// Earlier attempt (author note: "worked"):
//#define CC1101_DEFVAL_MDMCFG4 0x68 // Modem Configuration#define CC1101_DEFVAL_MDMCFG4_M 0x98 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG3 0x2E // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG2 0x33 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG1 0x00 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG0 0x00 // Modem Configuration
// Earlier attempt (author note: "t1"):
//#define CC1101_DEFVAL_MDMCFG4 0x28 // Modem Configuration#define CC1101_DEFVAL_MDMCFG4_M 0x98 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG3 0x33 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG2 0x35 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG1 0x02 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG0 0xF8 // Modem Configuration
// Original values (author note: "org"):
//#define CC1101_DEFVAL_MDMCFG4 0x88 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG3 0x33 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG2 0x30 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG1 0x02 // Modem Configuration
//#define CC1101_DEFVAL_MDMCFG0 0xF8 // Modem Configuration
#define CC1101_DEFVAL_DEVIATN 0x15 // Modem Deviation Setting (FSK/MSK only; not used for ASK/OOK)
#define CC1101_DEFVAL_MCSM2 0x07 // Main Radio Control State Machine Configuration: RX_TIME=7 (no RX timeout)
//#define CC1101_DEFVAL_MCSM1 0x30 // Main Radio Control State Machine Configuration (earlier: CCA_MODE=11)
#define CC1101_DEFVAL_MCSM1 0x20 // Main Radio Control State Machine Configuration: CCA_MODE=10, RX and TX return to IDLE after a packet
#define CC1101_DEFVAL_MCSM0 0x18 // Main Radio Control State Machine Configuration: auto-calibrate on IDLE->RX/TX, PO_TIMEOUT=2
#define CC1101_DEFVAL_FOCCFG 0x16 // Frequency Offset Compensation Configuration
#define CC1101_DEFVAL_BSCFG 0x6C // Bit Synchronization Configuration
// AGC: the commented-out 0x03/0x00/0x91 triple appears to be the datasheet/SmartRF-style
// ASK/OOK AGC set; the active AGCCTRL1/AGCCTRL0 values were changed away from it.
//#define CC1101_DEFVAL_AGCCTRL2 0x03 // AGC Control
//#define CC1101_DEFVAL_AGCCTRL1 0x00 // AGC Control
#define CC1101_DEFVAL_AGCCTRL2 0x03 // AGC Control: all DVGA/LNA gain usable, MAGN_TARGET=33 dB
//#define CC1101_DEFVAL_AGCCTRL1 0x00 // AGC Control (earlier)
#define CC1101_DEFVAL_AGCCTRL1 0x38 // AGC Control: carrier-sense relative thr = +14 dB, absolute thr = -8 dB rel. MAGN_TARGET
//#define CC1101_DEFVAL_AGCCTRL0 0x91 // AGC Control (earlier)
#define CC1101_DEFVAL_AGCCTRL0 0xF3 // AGC Control: HYST_LEVEL=3, WAIT_TIME=3, AGC_FREEZE=0, FILTER_LENGTH=3 (OOK decision boundary, widest)
// NOTE(review): because SYNC_MODE=110 in MDMCFG2 gates packet acceptance on carrier sense,
// the AGCCTRL1 thresholds, the OOK decision boundary in AGCCTRL0 and the ~541 kHz RX filter
// in MDMCFG4 directly bound receiver sensitivity -- these are the registers to review against
// the datasheet's ASK/OOK guidance for the "poor sensitivity" question, one at a time.
#define CC1101_DEFVAL_WOREVT1 0x87 // High Byte Event0 Timeout (reset default)
#define CC1101_DEFVAL_WOREVT0 0x6B // Low Byte Event0 Timeout (reset default)
#define CC1101_DEFVAL_WORCTRL 0xFB // Wake On Radio Control
#define CC1101_DEFVAL_FREND1 0xB6 // Front End RX Configuration (reset default)
#define CC1101_DEFVAL_FREND0 0x11 // Front End TX Configuration: PA_POWER=1, the usual ASK/OOK setting (PATABLE[0] for '0', PATABLE[1] for '1')
#define CC1101_DEFVAL_FSCAL3 0xE9 // Frequency Synthesizer Calibration
#define CC1101_DEFVAL_FSCAL2 0x2A // Frequency Synthesizer Calibration
#define CC1101_DEFVAL_FSCAL1 0x00 // Frequency Synthesizer Calibration
#define CC1101_DEFVAL_FSCAL0 0x1F // Frequency Synthesizer Calibration
#define CC1101_DEFVAL_RCCTRL1 0x41 // RC Oscillator Configuration
#define CC1101_DEFVAL_RCCTRL0 0x00 // RC Oscillator Configuration
// Test registers: values as emitted by the TI configuration tool; leave as-is unless the datasheet says otherwise.
#define CC1101_DEFVAL_FSTEST 0x59 // Frequency Synthesizer Calibration Control
#define CC1101_DEFVAL_PTEST 0x7F // Production Test
#define CC1101_DEFVAL_AGCTEST 0x3F // AGC Test
#define CC1101_DEFVAL_TEST2 0x88 // Various Test Settings
#define CC1101_DEFVAL_TEST1 0x31 // Various Test Settings
#define CC1101_DEFVAL_TEST0 0x0B // Various Test Settings
Best regards,
Frank