January 19, 2017

Hacking a Danfoss Wireless Thermostat with an RTL-SDR

Over on his blog Andy writes how he wanted a smart way to control his central heating system with a Raspberry Pi and Arduino microcontroller. He discovered that if he could reverse engineer his existing wireless thermostat then he would have an easy way to control the boiler in his house and with that a smart controller could be made. By reverse engineering the thermostat he also avoids the need to rig up his own control system.

The existing thermostat wireless receiver is a Danfoss RX2. In order to reverse engineer the protocol Andy opened up an older that one he had and saw that it used an Infineon TDA5210 RF receiver chip. Armed with this part number he was able to look up the datasheet and determine the operating frequency. Then by using an RTL-SDR he captured some packets while pressing buttons on the thermostat transmitter and piped the audio file into audacity, where he was able to clearly see the digital waveform.

Andy then wrote a Python program using the ‘wave’ library, which allowed him to easily read binary values for a .wav file. With his code he was able to extract the data from the signal and determine the preamble, sync word, thermostat ID and the instruction code (on/off/learn).

In a future post Andy hopes to show us how he’ll use an RF69 module with an Arduino to actually control the thermostat using the reverse engineered packet knowledge.

Danfoss Wireless Thermostat and a Received Binary Waveform in Audacity

January 14, 2016

Building a NEST Thermostat with Arduino and an RTL-SDR

The Nest thermostat is a smart thermostat that learns your schedule and automatically adjusts the heat in your house for optimal energy savings. Tristan didn’t want to buy a Nest, but wanted to replicate the Nest thermostat’s functionality by using an Arduino to automatically regulate his apartments central heating boiler. To do this he needed to find a way to turn the heating on and off programatically.

Fortunately Tristan’s current thermostat is wireless, so he decided to use his RTL-SDR to sniff the data it sends to try and find the on and off signals. By using SDR# he was able to discover the radio traffic stream in the ISM band at 433 MHz. After simply recording the signal audio, he passed the audio file into Audacity to analyze the messages. He discovered that the ON and OFF signals were on-off key (OOK) modulated, and he was able to discover the binary control string and pulse timings.

With this information at hand, Tristan was then able to use a cheap 433 MHz radio transmitter together with his Arduino to replicate the ON/OFF boiler control signals. In the future Tristan plans to add a temperature sensor and web interface to monitor everything.

In the past we’ve also posted about a similar project by Tom Taylor where he reverse engineers his thermostat with an RTL-SDR and controls it with an Arduino.