Reverse engineering 433MHz signals of Velleman P8078 and Holtek HT46R01T3 or HT48R01T3, HT48RXX, HT48XXX (Arduino Library)

  • Post published:October 30, 2015

[HACKS] uC & Arduino Library: reverse engineering 433mhz signals of Velleman P8078 and Holtek HT46R01T3 or HT48R01T3

I reverse engineered a 433mhz signal of the 4xR01T3v130 / 46R01T3v130 / 48R01T3v130 chips which are commonly used by Tevion (Aldi product in Germany). As I normally use an Arduino uC I hacked a small library that is capable to sniff the air for interesting packets.

The cause I needed to write it on my own and not using the various libs out there was: they just do not work (VirtualWire, RCSwitch, RemoteSwicth etc. etc.) as they are only for specific protocol types (called 1,2,3). I wanted to have a library that is capable to reverse EVERY 433mhz signal. That being said I proudly present my RxTx lib to you.

The basic principle behind it:
Measure the duration of changes of RX interrupts (high/low and low/high) and look for a so called “sync period” or “pausing duration”. These are steps you have to do manually.

//#include "RxTx.h"
//RxTx* rxtx;
//rxtx->Sniff();

If you found a proper sync period e.g. 36000 micro seconds you can sniff for packets:

//rxtx->SniffEstimatedPacketSize(36000);

If you found all the ranges/durations (e.g. min 200, max 400 for a short flank & min 500, max 700 for a long flank) you can decode the packets with:

//rxtx->SniffEstimatedPacketSize(36000, 200, 400, 500, 700, 35000, 40000); 

You will see something like: “SSLLSLSSLLSSLLSSLLSSLLSSLSLLSLSSLSLLSSLSLLSLSLSSLLSLSLSLSSLLSLSSLF”  which represents the chain of period lengths of your signal. Also keep in mind that you will start with a high flank. So the flank pattern is always something like: “101010101010101010101010101010101010101010101010101010101010101010″ this looks a little bit confusing, because it does not represent the data it only represents the state of the TX Pins output signal flank at a given time.

 

Holtek 48R01T3v130:
I decided to grab the signal directly from the DOUT to get exact signal patterns and tested them against the signals received by my XD-RF-5V RX unit.
IMG_2517 IMG_2518

The orange cable it connected to the DOUT of the 48R01T3v130 and pulled down with a 1kOhm resistor. I verified my reversed signals with a DSO

IMG_2508

 

The reversed signals can then be send via a FST FS100A like this:

//char* off_c = new char[67];
//String off_s = “SSLLSLSSLLSSLLSSLLSSLLSSLSLLSLSSLSLLSSLSLLSLSLSSLLSLSLSLSSLLSSLLSF”;
//off_s.toCharArray(off_c, 67);
//rxtx->SendMessage(off_c, 600, 300, 36000, 4);

 

 

Arduino Lib: Download ArduinoRxTxLib
Datasheet
: http://www.holtek.com/pdf/consumer/4xR01T3v130.pdf