Dies ist eine alte Version des Dokuments!
Inhaltsverzeichnis
Decoding the wireless heating control Vaillant CalorMatic 340f (868MHz)
In our appartment, we have a wireless heating control system made by Vaillant (probably 8-10 years old). Since I recently started into Smart Home and Home Automation (well, so far, i have mainly set up a huge net of all different kinds of sensors and some light bulbs, as I have hardly anything that could be controlled wirelessly), of course I wanted to figure out how the wireless device works and in particular whether I could include it into my OpenHAB-based home network of things…
To detect and analyze the wireless signals, I'm using an RTL282x-based DVB-T dongle together with the RTL-SDR software.
Figuring out the Frequency
From the outside it does not give any indication about which frequency it uses.
I figured it could only be one of the ISM bands, which in Europe are 433MHz, 868MHz and 2.4GHz and 5GHz. Since the latter two are mainly used for WLAN, Bluetooth, etc. that left me with two possible frequency ranges. Firing up gqrx, tuning to either 433MHz and 868MHz and changing the target temperature of the thermostat, gave me perfect bursts in the 868MHz band with peaks around 868.275 MHz:
 
The device
Curious as I am, I decided to disassemble the thermostat and check which chips and which transceiver are used:
 
  
While the back does not give any indication, dismantling the thermostat even further reveals the transceiver and its chip: an Infineon TDA5250D2 for the 868 MHz band.
Detecting the Signal
As we now know the frequency, let's take a look at the signal. There are multiple ways to transport digital data at a certain frequency. Most 433.92MHz devices use ASK (Amplitude Shift Keyring, the binary equivalent of amplitude modulation, i.e. AM) in its simplest form of OOK (On-Off-Keyring), which simply means that the frequency has either full amplitude (to indicate 1) or is absent (indicating 0). The 868MHz band and even more the 2.4GHz band use all different kinds of modulations, like FSK (frequency-shift keyring, i.e. the digital equivalent of FM) or even Phase-shift keyring, etc.
The transceiver data sheet states it is an ASK/FSK receiver for the 868MHz band, so let's first try to demodulate the signal as ASK. A hint that the signal really uses ASK can be seen from the waterfall chart in gqrx, as the peak stays at a fixed frequency, while a signal in FSK typically shows two peaks (as the modulation works by switching between two frequencies to indicate 0 and 1 respectively).
So, let's try demodulating the signal as ASK and in particular check for OOK.
In gqrx, I tune to the 868MHz band (near, but not exactly at the 868.275MHz we determined above) and record the signal to a wave file. To do this, make sure you set the mode to „AM“ (i.e. use ASK demodulation) and press the „Rec“ button at the bottom. This will create a file called gqrx_[ISO-Data]_[time]_[frequency].wav in your home directory, which holds the signal demodulated as a wave file. Even though the signal is not an actual sound, one can still use the audacity application to look at the waveform of the signal. Playing it as sound would not result in anything meaningfull except for a few clicks.
Recording a transmission by the thermostat and opening it in audacity gives this picture:
 
Not bad. We clearly see that there are two spots where the wave form obviously changes its form. Let's zoom in a little bit in audacity:
 
This signal seems to be repeated twice.
Yay, it seems our first guess to use ASK / OOK was right. We clearly see a signal with some long and short bursts, all with roughly the same amplitude and consistent on/off durations.
An alternative way to obtain a AM-demodulated signal for inspection in audacity is the command-line utility rtl_fm from the RTL-SDR project:
   reinhold@zweistein:~$ rtl_fm -f 868275000 -M am -s 44100 `date -I`_test.sdr
   Found 1 device(s):
     0:  Realtek, RTL2838UHIDIR, SN: 00000001
   
   Using device 0: Generic RTL2832U OEM
   Found Rafael Micro R820T tuner
   Tuner gain set to automatic.
   Tuned to 868528575 Hz.
   Oversampling input by: 23x.
   Oversampling output by: 1x.
   Buffer size: 8.08ms
   Exact sample rate is: 1014300.020041 Hz
   Sampling at 1014300 S/s.
   Output at 44100 Hz.
The resulting file (in the above example 2017-04-21_test.sdr) is not a wav file, but contains raw data that can be imported into audacity with the menu item File → Import → Raw data. The import settings are „Signed 16-bit PCM“, „Little Endian“, „1 channel (Mono)“ and the sampling rate is 44100. I had to zoom in vertically, as the signal appeared very faind. Personally, I find the resulting wave form easier to handle, as it shows the absolute values and shows the on/off signals even clearer:
 
What is clearly visible already in these images is that there are only two different lengths of the UP and the DOWN pulses: long and short. But what do they actually mean?
Figuring out the encoding of the signal
Now that we have a signal, let's try to understand the data that is sent over the ether. Unfortunately, the signal did not resemble anything that I had seen with my 433MHz devices. With them, either it was all short UP bursts of idential length and the 0/1 information as encoded in the DOWN time distance between the bursts (i.e. it was very short UP, and then either short or long DOWN), or the UP and DOWN signals together always had the same length (Pusle-width modulation, i.e. it was either short UP + long DOWN or long UP + short DOWN).
In our case, we have all different combinations of UP and DOWN: long UP + long DOWN, long UP + short DOWN, short UP + long DOWN, short UP + short DOWN. So maybe the up and down both encode one bit, i.e.
| UP | DOWN | binary value | 
| short | short | 0 0 | 
| short | long | 0 1 | 
| long | short | 1 0 | 
| long | long | 1 1 | 
Let's put our hypthesis to the test: Simply transcribe our signal from above (and it's repeat sequence) using this decoding:
111111111111111110000000000001001000010000110000100000000111111111111100111111111111111111111111100110010000100111111110010000000000100001100110010000000000000000111111111 111111111111111110000000000001001000010000110000100000000111111111111100111111111100111111111111110011001000010011111111001000000000010011100110010000000000000000111111111
Hmm, we clearly see some longer sequences of 0 and 1 repeated (at the beginning and end it might make sense as kind of preamble and epilogue). However, the irritating fact is that the repeat is apparently not an exact repeat, especially towards the end all bits appear shifted. And in some other cases it does not even have the same signal length, but two bits more! Something can't be right….
Until I compared the signal and its „repeat“ in Audacity (signal is on top, repeat on the bottom):
 
Surprisingly, both signals always have exactly the same length in milliseconds and can be perfectly aligned, they just sometimes have a different number of UP/DOWNs!
Do you see where the difference starts and where it ends? Also, do you see why the bits in our simple transcription above are shifted?
 
So clearly one long and two short pulses correspond… Something else to notice: There is a transition from UP to DOWN or from DOWN to UP every time interval that corresponds to one long pulse. Check my annotated signal: Every ten long pulses I placed a red bar. I.e. at regular intervals there is a guaranteed transition from UP to DOWN or vice versa. For short pulses there is an additional transition in between, but the regular transitions appear through the whole signal…
If we look at the signal in the application inspectrum (you need to use the output of a rtl_sdr recording!) and lay a grid with the proper width over the whole signal, we can confirm that no long UP or long DOWN pulses cross a grid line:

 
For now, we have determined that the basic time interval of the signal is that of one short pulse and the long pulses are exactly twice as long.
That sounds a log like Manchester Code, see below. But
