Author Topic: Cloning remote with RFM69  (Read 2330 times)

cptawesome_13

  • NewMember
  • *
  • Posts: 1
Cloning remote with RFM69
« on: July 11, 2021, 04:37:32 AM »
Hello first time poster here,

I bought a ceiling fan for my home office and it is controlled by an RF remote that I want to clone. Using an SDR I have determined that the frequency is 868 MHz and it uses pulse width modulation with fixed period. Since the only radio I have is a Feather M0 I couldn't use Kobuki's sniffer library and no matter how I tried porting it I couldn't quite figure out how to receive the remote signal on the Feather.

On the transmitting side I have tried to match it and came up short as well. This is the rtl_433 output for the remote:
Code: [Select]
Detected OOK package    2021-07-11 00:22:02
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
time      : [color=blue]2021-07-11 00:22:02[/color]
model     : [color=red]Akhan 100F14 remote keyless entry[/color]      ID (20bit): [color=red]0x220fe[/color]
Data (4bit): [color=green]0x2 (Unlock)[/color]
Analyzing pulses...
Total count:   25,  width: 32.32 ms             ( 8081 S)
Pulse width distribution:
 [ 0] count:   15,  width:  300 us [292;316]    (  75 S)
 [ 1] count:   10,  width:  968 us [964;972]    ( 242 S)
Gap width distribution:
 [ 0] count:   14,  width: 1028 us [1024;1036]  ( 257 S)
 [ 1] count:   10,  width:  368 us [368;376]    (  92 S)
Pulse period distribution:
 [ 0] count:   24,  width: 1332 us [1324;1348]  ( 333 S)
Level estimates [high, low]:  15894,    145
RSSI: -0.1 dB SNR: 20.4 dB Noise: -20.5 dB
Frequency offsets [F1, F2]:   -1301,      0     (-5.0 kHz, +0.0 kHz)
Guessing modulation: Pulse Width Modulation with fixed period
Attempting demodulation... short_width: 300, long_width: 968, reset_limit: 1040, sync_width: 0
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=300,l=968,r=1040,g=0,t=264,y=0'
pulse_demod_pwm(): Analyzer Device
bitbuffer:: Number of rows: 1
[00] {25} dd f0 1d 80 : 11011101 11110000 00011101 1

And the output for my signal if I set the output to {0x22, 0x0F, 0xe2}:
Code: [Select]
Detected OOK package    2021-07-11 00:22:02
Analyzing pulses...
Total count:   24,  width: 30.82 ms             ( 7704 S)
Pulse width distribution:
 [ 0] count:   13,  width:  300 us [288;320]    (  75 S)
 [ 1] count:   10,  width:  968 us [964;976]    ( 242 S)
 [ 2] count:    1,  width:  132 us [132;132]    (  33 S)
Gap width distribution:
 [ 0] count:   13,  width: 1028 us [1020;1036]  ( 257 S)
 [ 1] count:   10,  width:  368 us [364;376]    (  92 S)
Pulse period distribution:
 [ 0] count:   23,  width: 1332 us [1324;1344]  ( 333 S)
Level estimates [high, low]:  15902,    159
RSSI: -0.1 dB SNR: 20.0 dB Noise: -20.1 dB
Frequency offsets [F1, F2]:    -900,      0     (-3.4 kHz, +0.0 kHz)
Guessing modulation: Pulse Width Modulation with sync/delimiter
Attempting demodulation... short_width: 300, long_width: 968, reset_limit: 1040, sync_width: 132
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=300,l=968,r=1040,g=0,t=0,y=132'
pulse_demod_pwm(): Analyzer Device
bitbuffer:: Number of rows: 2
[00] {23} dd f0 1c  : 11011101 11110000 0001110
[01] { 0}           :

And the two signals on Universal Radio Hacker don't look similar as well:

Top one is the remote bottom one is the Feather output captured by the SDR.

I need some guidance on how to proceed. I believe I'm going wrong with the encoding of the signal (I don't encode mine, rtl_433 says the remote is Akhan encoded). But if I managed to capture the raw signal from the remote with the Feather I could just "dumbly" retransmit it right? And not worry about encoding. How would you proceed?

Thank you

Jason

  • Jr. Member
  • **
  • Posts: 57
Re: Cloning remote with RFM69
« Reply #1 on: July 14, 2021, 06:19:04 PM »
Hello :)

I haven't messed around with SDR. I do notice in the pictures, that the modulation is set to ASK, where as in the code snippets it shows OOK. I don't think that is your problem though, just something I noticed.

You can probably just "copy and paste" the signal from the radio as you mention and not worry about the encoding. The only potential problem is if they use some sort of rolling codes so the transmission would be different each time. Rolling can be used to prevent people from "copy and pasting" the signal to unlock car doors or garage doors. I doubt a ceiling fan would care, but you never know...

Just my 2cents.