
# Decode 0xB1 sniffed data

Portisch edited this page Jan 31, 2019 · 8 revisions

If you have successfully sniffed RF data with command 0xB1, you may be able to decode the signal and define a new protocol timing in RF_Protocols.h.

Since version 3 the firmware supports a high/low bucket marking. Each nibble of a byte contains a bucket number from 0 to a maximum of 7; the highest bit of the nibble is the high/low marking.

Data example:

Hex: ..38..

Each byte carries two bucket numbers, one in the high nibble and one in the low nibble:
Hex: [3][8]

First bucket number: [3] & 0x07 == 3
First bucket high/low marking: [3] & 0x08 == 0, so low

Second bucket number: [8] & 0x07 == 0
Second bucket high/low marking: [8] & 0x08 != 0, so high

Example:

Direction: EFM8BB1 -> host

Hex: AA B1 04 017C 046A 0BCC 2378 3818190908181908190909090908190819081818190909091A 55

| Data | Description |
|---|---|
| 0xAA | UART sync init |
| 0xB1 | UART command |
| 0x04 | number of buckets |
| 0x01, 0x7C | Bucket 0 length: 380µs |
| 0x04, 0x6A | Bucket 1 length: 1130µs |
| 0x0B, 0xCC | Bucket 2 length: 3020µs |
| 0x23, 0x78 | Bucket 3 length: 9080µs |
| 3818190908181908190909090908190819081818190909091A | RF data received (high/low nibbles denote buckets and high/low marking) |
| 0x55 | UART sync end |

## The sync bucket

The longest bucket found is taken as the sync bucket and is placed as the first bucket number in the sniffed data: ->3<- 818190908181908190909090908190819081818190909091A

## Find the second sync bucket

The second sync bucket is always located directly before or directly after the [sync bucket](https://github.com/Portisch/RF-Bridge-EFM8BB1/wiki/_new#The sync bucket).

So it has to be one of these nibbles:
3818190908181908190909090908190819081818190909091 ->A<-
or
3 ->8<- 18190908181908190909090908190819081818190909091A

This is protocol dependent and cannot be translated universally.

In this case it is:
3818190908181908190909090908190819081818190909091 ->A<-
So the sync buckets are A3.
The rest of the RF data is the transmitted data.

## Decode RF data

818190908181908190909090908190819081818190909091
In this example each bit consists of two buckets:
Bucket 0 length: 380µs and Bucket 1 length: 1130µs.
If the protocol isn't inverted it can be decoded like this:
Long high followed by a short low: bit 1
Short high followed by a long low: bit 0

As bucket 1 is longer than bucket 0, the pair 10 means bit 1 and 01 means bit 0.

First remove the high/low bucket marking by ANDing each data byte with 0x77:
818190908181908190909090908190819081818190909091
After AND 0x77:
010110100101100110101010100110011001010110101011

RF data: 01 01 10 10 01 01 10 01 10 10 10 10 10 01 10 01 10 01 01 01 10 10 10 11
Binary:  0  0  1  1  0  0  1  0  1  1  1  1  1  0  1  0  1  0  0  0  1  1  1  1

So the result is 0x32FA8F (0b001100101111101010001111), 24 bits of data.
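As an added example that is not part of this page or of the RF-Bridge project's code, the following Python parses the frame shown above and applies the decoding steps described here. It assumes, as this protocol requires, that buckets 0 and 1 carry the data and that the trailing nibble is the second sync nibble; both are parameters, since other protocols differ.

```python
# Added example, not code from the RF-Bridge project: parse one 0xB1 frame and
# decode it with the rules described on this page. FRAME is the frame shown
# above; which nibble is the second sync and which buckets carry data are
# protocol dependent, so they are parameters with this page's values as defaults.
FRAME = bytes.fromhex(
    "AA B1 04 017C 046A 0BCC 2378"
    "3818190908181908190909090908190819081818190909091A 55"
)

def parse_b1_frame(frame):
    """Return (bucket lengths in µs, [(bucket_number, is_high), ...])."""
    if len(frame) < 4 or frame[0] != 0xAA or frame[1] != 0xB1 or frame[-1] != 0x55:
        raise ValueError("not a well-formed 0xB1 frame")
    count = frame[2]
    # Every bucket length is a big-endian 16-bit value, e.g. 0x017C = 380 µs.
    buckets = [int.from_bytes(frame[3 + 2 * i:5 + 2 * i], "big") for i in range(count)]
    nibbles = []
    for byte in frame[3 + 2 * count:-1]:
        for nib in (byte >> 4, byte & 0x0F):
            # Bits 0-2: bucket number (0..7); bit 3 set: high phase, clear: low phase.
            nibbles.append((nib & 0x07, bool(nib & 0x08)))
    return buckets, nibbles

def decode_bits(nibbles, buckets, data_buckets=(0, 1), second_sync_last=True):
    """Strip the sync nibbles, then turn each high/low pair into one bit."""
    long_b = max(data_buckets, key=lambda b: buckets[b])
    # The longest bucket is always placed first; the second sync nibble is either
    # the last nibble (this page's case) or the one right after the first.
    body = nibbles[1:-1] if second_sync_last else nibbles[2:]
    if len(body) % 2:
        raise ValueError("odd number of data nibbles, cannot pair them")
    bits = []
    for (hi_b, hi_mark), (lo_b, lo_mark) in zip(body[0::2], body[1::2]):
        if not hi_mark or lo_mark:
            raise ValueError("expected a high nibble followed by a low nibble")
        # Long high + short low = 1, short high + long low = 0. Deciding on the
        # high phase also covers the final pair above (1 then 1 after masking).
        bits.append(1 if hi_b == long_b else 0)
    return bits

def bits_to_int(bits):
    return int("".join(str(b) for b in bits), 2)

def decode_frame(frame, **kwargs):
    buckets, nibbles = parse_b1_frame(frame)
    bits = decode_bits(nibbles, buckets, **kwargs)
    return {"buckets_us": buckets, "bit_count": len(bits), "value": bits_to_int(bits)}

if __name__ == "__main__":
    print(decode_frame(FRAME))  # value 0x32FA8F (3340943), 24 bits
```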

## B1 to B0 helping tool

Use the BitBucketConverter to analyze the sniffed 0xB1 data and create 0xB0 commands from it.
This version also draws an oscilloscope-style view of the sniffed data:
(image: oscilloscope view of the sniffed data)
Here you can find some information.
