[HACKS] uC & Arduino Library: Reverse engineering 433mhz signals of Velleman P8078 and Holtek HT46R01T3 or HT48R01T3, HT48RXX, HT48XXX (SmartHome, rf remote switch, low cost smart home)


I reverse engineered a 433 MHz signal of the 4xR01T3v130 / 46R01T3v130 / 48R01T3v130 chips, which are commonly used by Tevion (an Aldi product in Germany). As I normally use an Arduino uC, I hacked together a small library that is capable of sniffing the air for interesting packets.

The reason I needed to write it on my own instead of using the various libs out there was: they just do not work (VirtualWire, RCSwitch, RemoteSwitch etc.), as they are only for specific protocol types (called 1, 2, 3). I wanted to have a library that is capable of reversing EVERY 433 MHz signal. That being said, I proudly present my RxTx lib to you.

The basic principle behind it:
Measure the time between RX edge interrupts (high-to-low and low-to-high transitions) and look for a so-called “sync period” or “pausing duration”. You have to do these steps manually.

//#include "RxTx.h"
//RxTx* rxtx;
//rxtx->Sniff();

Once you have found a plausible sync period, e.g. 36000 microseconds, you can sniff for packets:

//rxtx->SniffEstimatedPacketSize(36000);

Once you have found all the duration ranges (e.g. min 200, max 400 for a short flank and min 500, max 700 for a long flank), you can decode the packets with:

//rxtx->SniffEstimatedPacketSize(36000, 200, 400, 500, 700, 35000, 40000); 

You will see something like "SSLLSLSSLLSSLLSSLLSSLLSSLSLLSLSSLSLLSSLSLLSLSLSSLLSLSLSLSSLLSLSSLF", which represents the sequence of period lengths in your signal. Keep in mind that the signal starts with a high flank, so the flank pattern is always something like "101010101010101010101010101010101010101010101010101010101010101010". This looks a little confusing because it does not represent the data; it only represents the state of the TX pin's output signal at a given time.
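
The classification step described above, as an added example that is not part of the RxTx library or the original post: host-side C++ that maps edge-to-edge durations to S/L/F symbols using the post's example windows and splits the stream at sync gaps. The names `Timing`, `classify`, `decodePackets` and `sampleCapture`, the constructed sample durations, and reading the trailing `F` as the sync gap are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Duration windows in microseconds (hypothetical struct, not an RxTx type).
struct Timing { uint32_t shortMin, shortMax, longMin, longMax, syncMin, syncMax; };

// Example windows quoted in the post: short 200-400, long 500-700, sync 35000-40000.
const Timing kPostTiming = {200, 400, 500, 700, 35000, 40000};

// 'S' short, 'L' long, 'F' sync gap (assumed meaning of the trailing F),
// '?' outside every window (noise, or a remote using different timings).
char classify(uint32_t us, const Timing& t) {
    if (us >= t.shortMin && us <= t.shortMax) return 'S';
    if (us >= t.longMin && us <= t.longMax) return 'L';
    if (us >= t.syncMin && us <= t.syncMax) return 'F';
    return '?';
}

// Split a duration stream into packets that end at a sync gap. Data before the first
// sync gap (capture started mid-packet) and packets with a '?' duration are dropped.
std::vector<std::string> decodePackets(const std::vector<uint32_t>& durations, const Timing& t) {
    std::vector<std::string> packets;
    std::string current;
    bool synced = false, clean = true;
    for (uint32_t us : durations) {
        char c = classify(us, t);
        if (c == 'F') {
            if (synced && clean && !current.empty()) packets.push_back(current + 'F');
            current.clear(); clean = true; synced = true;
        } else if (c == '?') {
            clean = false;
        } else {
            current.push_back(c);
        }
    }
    return packets;
}

// Constructed sample capture (not measured from a real remote).
std::vector<uint32_t> sampleCapture() {
    return {310, 620, 36100, 300, 290, 610, 590, 36000, 305, 450, 600, 36200, 600, 310, 36050};
}

int main() {
    for (const std::string& p : decodePackets(sampleCapture(), kPostTiming)) std::printf("%s\n", p.c_str());
}
```

A run of `?` symbols on a real capture usually means the short/long windows need widening or the remote uses different timings.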

 

Holtek 48R01T3v130:
I decided to grab the signal directly from the DOUT to get exact signal patterns and tested them against the signals received by my XD-RF-5V RX unit.

The orange cable is connected to the DOUT of the 48R01T3v130 and pulled down with a 1 kOhm resistor. I verified my reversed signals with a DSO.


 

The reversed signals can then be sent via an FST FS100A like this:

//char* off_c = new char[67];
//String off_s = "SSLLSLSSLLSSLLSSLLSSLLSSLSLLSLSSLSLLSSLSLLSLSLSSLLSLSLSLSSLLSSLLSF";
//off_s.toCharArray(off_c, 67);
//rxtx->SendMessage(off_c, 600, 300, 36000, 4);

 

 

Arduino Lib: Download ArduinoRxTxLib
Datasheet: http://www.holtek.com/pdf/consumer/4xR01T3v130.pdf

 

2 Comments

  1. Christian Novak

    Hello Tobia,

    I assume I may write in German here 🙂

    I was delighted to come across your blog, as I have been trying for about 24 hours to switch a socket with the HT48R01T3 receiver.

    Unfortunately I cannot manage to read out the signals.
    I installed your library for this, created the program and loaded it onto the Arduino Mega.
    It also nicely prints: "Starting RxTx – signal analyser hack.."
    but unfortunately no signal is detected.
    The hardware does work, though, because with RCSwitch I was at least able to receive the signals of the standard sockets…
    What could I have done wrong?

    I connected the data input signal to PIN 0 on the Mega 2650.

    Do I need to change anything in the other files as well? Outside the .ino?

    Kind regards from Austria

    Christian N.

  2. Ashish

    Hi

    Thanks for sharing the library.

    I have an Arlec RC210 remote and am trying to decode the RF signal using your library, but at stage 1 I am not getting any result

    Starting RxTx – signal analyser hack…
    ……………………………………………………………………………………….
    …………………………………………….

    Arduino Nano connection
    RX data to D2
    TX data to D4
    and other 5v and GND

    Can you point me in the right direction?

    Thanks
