May 082016
 

This post continues the tear down and reverse engineering of the Acurite 0077XW / 00592TX Wireless Remote Temperature Probe Part 1 & Part 2 & Part 3.

A small update to the decoding of the bit stream coming from the remote temperature probes.

It occurred to me the base station has an indicator of remote probe battery condition:

Remote Battery Indicator

If the base station can display the remote probe battery status, or at least low battery condition, the remote probe must be sending battery status as part of the data stream.

To test the idea that the remote probe sends a low battery status I removed the batteries from a remote probe and hooked up a variable power supply to the battery connections in the remote probe.

I loaded the bit stream decoder from my github repo and watched the bits from the remote probe.

I started with the variable supply set to 3V to match two fresh alkaline batteries. With the voltage at 3V the probe sent the familiar bit stream decoded in Part 3 of this series.

Remote Probe Battery voltage at 3V.

38,6c,44,90,09,50,d1,111000,1101100,1000100,10010000,1001,1010000,11010001,208,695,5836668 38,6c,44,90,09,d1,52,111000,1101100,1000100,10010000,1001,11010001,1010010,209,697,5853130 38,6c,44,90,09,d1,52,111000,1101100,1000100,10010000,1001,11010001,1010010,209,697,5869592

After getting stable readings I started turning down the voltage at the power supply to simulate low batteries. At around 2.5V the pattern changed:

Remote Probe Battery voltage at 2.4V.

38,6c,84,90,09,50,11,111000,1101100,10000100,10010000,1001,1010000,10001,208,695,6100054 38,6c,84,90,09,50,11,111000,1101100,10000100,10010000,1001,1010000,10001,208,695,6116509 38,6c,84,90,09,50,11,111000,1101100,10000100,10010000,1001,1010000,10001,208,695,6132973

Notice in the third byte bits 7 and 6 flip from 0 to 1 and 1 to 0 when the voltage drops below ~2.4V. The byte 0x44 changes to 0x84. The change of the upper nybble from 4 to 8 and back again is repeatable and consistent around 2.4 volts.

In Part 3 of this series I posted that the first and second bytes are the ID bytes, the fifth and sixth bytes are temperature, the seventh byte the checksum, and that the third and fourth bytes never change. During my earlier work I was using fresh batteries in all of the modules and never saw a change in the 3rd and 4th bytes. With a variable power supply hooked up to the probe I am able to simulate a low battery condition and observe a change in the 3rd byte.

Given this new information I can monitor the battery health of the remote probes and change batteries as needed. Monitoring the battery level also gives some insight into battery longevity at different temperatures. I will update my logging to capture battery low indication over time and temperature. I have some probes inside the house and some outside. It will be interesting to see how the batteries discharge compared to temperature history.


The first and second bytes of the data are the unique probe address. The upper two bits of the first byte are the probe channel indicator:

11 = channel A 10 = channel B 00 = channel C

The remaining 6 bits of the first byte and the 8 bits of the second byte are a unique identifier per probe.

The upper nybble of the third byte carries the remote probe low battery indication.

When the remote probe batteries are fresh, voltage above 2.5V, the third byte is 0x44. When the remote probe batteries get low, below 2.4V, the third byte changes to 0x84.

The fourth byte continues to stay at 0x90 for all conditions.

The next two bytes are the temperature value. The temperature is encoded as the lower 7 bits of both bytes with the most significant bit being an even parity bit. The MSB will be set if required to insure an even number of bits are set to 1 in the byte. If the least significant seven bits have an even number of 1 bits set the MSB will be 0, otherwise the MSB will be set to 1 to insure an even number of bits.

The last byte is a simple running sum, modulo 256, of the previous 6 data bytes.


Some other interesting blogs and posts on hacking the Acurite probes:

RF sniffing the Acurite data stream Acurite data stream reverse engineering OregonScientific-RF-Protocols-II.pdf Rays Hobby (great info here)

I hope this series was helpful and if you have any comments, questions, or suggestions please leave a comment below.

Feb 262015
 

This post continues the tear down and reverse engineering of the Acurite 0077XW / 00592TX Wireless Remote Temperature Probe Part 1 & Part 2.

After tearing apart the wireless temperature base station and seeing the straightforward electrical connection between the radio module and the base station logic board, Part 1, and then picking apart the remote probe temperature data protocol, Part 2, I was ready to read the wireless data into a microcontroller.

Given that I want to receive the data from the probes wirelessly then I am going to need a wireless receiver. Also given that I purchased 3 probe plus base station combos just to get the 3 probes I have extra base stations I wont be using. The obvious answer is to pull the wireless module from one of the base stations.

The surgery was pretty straightforward. I desoldered a wireless module from the ribbon cable in the base station, cleaned the solder out of the holes, and soldered in a 4 pin header so I could plug the module into a breadboard.

Acurite00771W_50s

Acurite00771W_51s

I plugged the wireless module into a breadboard with an Arduino Pro Mini 3.3V and an oled display.

For this exercise ignore the oled display and the wiring on the backside of the breadboard. We are only interested in the four wires going from the Arduino to the wireless module. The red wire is 3.3 volts, the black wire is ground, the yellow wire goes from D on the wireless module to digital pin D3 on the Pro Mini, and the green wire goes from SH on the wireless module to digital pin D4 on the Pro Mini.

Acurite00771W_52s

The squelch pin (SH) is an input to the wireless module and so is configured as an output on the Arduino.

The data pin (D) is an output from the wireless module and so is configured as an input on the Arduino.

Arduino pin D3 was specifically chosen as the data input as it is a change triggerable interrupt pin. The bit stream from the probe is captured by the Arduino by taking an interrupt on every level change of the data line from the wireless module and measuring the time from the last change in the data stream to this change. This allows the Pro Mini to measure the width of the high and low parts of each pulse and determine if the pulse is a data sync or data bit.

It is known that interesting pulses are close to 0.2 msec, 0.4 msec, and 0.61 msec long. Pulses that are significantly shorter than 0.2 msec or significantly longer than 0.61 msec are not interesting, are not part of the data stream, and signify the data stream is not yet in sync and Pro Mini should be looking for the data sync pulses.

It is known that the start of the interesting data, the data sync, is eight 0.61 msec pulses in a row. The data sync consists of a 0.61 msec high pulse followed by a 0.61 msec low pulse, with this combination repeated four times.

Since the Pro Mini interrupt pin is configured for change, every time the interrupt is called you can assume there is a change from high to low or low to high on the data line. If the Pro Mini measures the time between every interrupt and every sees eight 0.61 msec times in a row that indicates a data sync has been seen. If a data sync is seen the Pro Mini should immediately start measuring pulse times until 56 data bits, or 112 edges (interrupts) are counted.

Once the 112 high or low pulses are counted the data is filtered two pulses at a time to determine if a 0 or a 1 bit was detected. If the captured pulse stream is a 0.4 msec pulse followed by a 0.2 msec pulse a logic high (1) is recorded. If a 0.2 msec pulse followed by a 0.4 msec pulse is detected then a logic low (0) is recorded. All 112 pulses give the 56 bits or 7 data bytes of the data stream.

Once the data stream is recorded the bytes can be decoded as follows:


The first and second bytes of the data are the unique probe address. The upper two bits of the first byte are the probe channel indicator:

11 = channel A 10 = channel B 00 = channel C

The remaining 6 bits of the first byte and the 8 bits of the second byte are a unique identifier per probe.

[strike]The next two bytes are always 0x44 followed by 0x90, for all of the probes I tested (a sample of 6 probes).[/strike]

[update – see Part 4]
The upper nybble of the third byte carries the remote probe low battery indication.

When the remote probe batteries are fresh, voltage above 2.5V, the third byte is 0x44.
When the remote probe batteries get low, below 2.4V, the third byte changes to 0x84.

The fourth byte continues to stay at 0x90 for all conditions.
[/update]

The next two bytes are the temperature value. The temperature is encoded as the lower 7 bits of both bytes with the most significant bit being an even parity bit. The MSB will be set if required to insure an even number of bits are set to 1 in the byte. If the least significant seven bits have an even number of 1 bits set the MSB will be 0, otherwise the MSB will be set to 1 to insure an even number of bits.

The last byte is a simple running sum, modulo 256, of the previous 6 data bytes.


Code to capture and decode the bit stream can be found at my github repo.

I’ve created a spreadsheet ProbeX6.xls to paste the decoded data into to check the checksum of each transmission and decode the temperature data.

Decoded data from four different probes is shown here. The data is formatted as hex codes decoded and emitted by the Pro Mini followed by the same data in binary format, and then the calculated temperature.

Acurite00771W_SpreadSheet06C

One thing to keep in mind is that each probe requires a “correction factor” to convert from the probe reading to the correct temperature. After having such success with this portion of the project I went out and purchased three more probe / base station modules. I checked all six probes and each had a different offset to convert from sensor reading to actual temperature.

Acurite00771W_02cs

Acurite00771W_02ds

The next step is to pull the data into a RasPi and create a presentation layer to map temperatures around my house. The first part of this project, the reverse engineering and decoding of the 00592TX protocol was a blast. I expect the next phase of the project, the RasPi and data warehousing to be just as much fun.

I hope this series was helpful and if you have any comments, questions, or suggestions please leave a comment below.

Feb 252015
 

This post continues the tear down and reverse engineering of the Acurite 0077XW / 00592TX Wireless Remote Temperature Probe [Part 1] .

Knowing that the signals between the logic board and wireless module are standard 3.3 volt logic level signals with tens to hundreds of micro-second long pulses it is time to pick apart the bit stream and see if I can make heads or tails of the encoded data.

With the signal identified as a digital serial data stream the obvious tool to turn to is a logic analyzer, ideally one with protocol decoding built in.

I own multiple different logic analyzers but my goto analyzer for anything but the widest or fastest signals is the Saleae Logic. I own one of the older models but it works like a champ. Analyzing and picking apart digital signals is child’s play with the Saleae software.

Acurite00771W_40s

I soldered extension wires to the Ground (G), Squelch (SH), and Data (D) lines to make connecting the analyzer easier.

Acurite00771W_41s

After a bit of picking and probing, and a bit of web searching, I was able to pull apart the bit stream and protocol used by the temperature probes to communicate to the base station.

The SH pin turns out to be the SQUELCH signal from the logic board to the wireless module. When the squelch pin is low the radio module disables data output. I assume the logic board uses the squelch pin to limit the data transmitted from the wireless module between display updates. The base station logic board unsquelches the radio module on a regular periodic basis, reads the incoming temperature data, decodes the data, and updates the display.

The D pin is clearly the data from the temperature probe. The waveform is relative stable when the probe is at a constant temperature and changes when the temperature at the probe changes.

Reverse engineering the data protocol was the more difficult part of the whole effort. I captured multiple bit streams and some patterns were immediately obvious. There was random looking data followed by a consistent pattern followed by a series of wide and short pulses. Eventually I figured out the random pulses at the start of data must be for radio synchronization between the transmitter and receiver. None of the “random” data at the start of the bit stream was consistent between any runs and I ended up simply chopping it off and ignoring it in the data stream.

After the random bits there is a low pulse of varying length followed by 4 data sync pulses. The data sync pulses are 1.2 msec long, 50% duty cycle with 0.61 msec high and 0.61 msec low. Immediately after the 4 data sync pulses are 56 data bit pulses. Each data bit pulse is ~0.6 msec long. A logic high (1) bit is encoded as a 0.4 msec high pulse followed by a 0.2 msec low pulse. A logic low (0) bit is encoded as a 0.2 msec high followed by a 0.4 msec low.

The data stream transmitted by the 00592TX remote temperature probe to the base station is formatted as follows:


The probe first emits a seemingly random length string of random width hi/lo pulses, most like to provide radio (RF) synchronization.

A random length low signal is inserted between the RF synchronization bits and the data sync pulses.

The probe then sends 4 data sync pulses of approximately 50% duty cycle and 1.2 ms period. The sync pulses start with a high level and continue for 4 high / low pulses.

The data bits immediately follow the fourth low of the data sync pulses. Data bits are sent every ~0.61 msec as:

Logic High (1) bit is encoded as ~0.4 msec high pulse followed by ~0.2 msec low

Logic Low (0) bit is encoded as ~0.2 msec high followed by ~0.4 msec low


The 00592TX sends the 4 sync pulses followed by 7 bytes of data equaling data 56 data bits.

Four (4) high and low pulses in a row, 0.61 msec high, 0.61 msec low, constitute a data sync.

The remaining 56 bits of data, or 112 edges, are measured and converted to 1s and 0s by checking the high to low pulse times.


The first and second bytes of the data are the unique probe address. The upper two bits of the first byte are the probe channel indicator:

11 = channel A 10 = channel B 00 = channel C

The remaining 6 bits of the first byte and the 8 bits of the second byte are a unique identifier per probe.

The next two bytes are always 0x44 followed by 0x90, for all of the probes I tested (a sample of 6 probes).

The next two bytes are the temperature value. The temperature is encoded as the lower 7 bits of both bytes with the most significant bit being an even parity bit. The MSB will be set if required to insure an even number of bits are set to 1 in the byte. If the least significant seven bits have an even number of 1 bits set the MSB will be 0, otherwise the MSB will be set to 1 to insure an even number of bits.

The last byte is a simple running sum, modulo 256, of the previous 6 data bytes.


The sync pulses are high for 0.62 ms and then low for 0.62 ms.

Acurite00771W_D33.66F.3

Four sync pulses in a row constitute a sync condition.

Acurite00771W_D33.66F.2

A logic 1 bit is 0.4 msec high pulse followed by a 0.2 msec low.

Acurite00771W_D33.66F.HI

A logic 0 bit is a 0.2 msec high pulse followed by a 0.4 msec low.

Acurite00771W_D33.66F.LO

A sync pulse plus data stream looks like this.

Acurite00771W_D33.66F

In part 3 of the series I will go through capturing the data stream with an Arduino and decoding the captured bits.

Feb 252015
 

Were I live, up against the foothills just east of the Rocky Mountains, the temperatures can vary wildly in a single day, 40F degree swings are common and 60F+ degree swings are not unheard of. For a while now I have been wanting to measure and record the temperature variations inside my house in response to temperature swings outside the house. I want at least one temperature probe outside, another in the attic, one in the lower level on a north wall, one in each of the kids rooms, just to see if it is as cold as they complain it is, and maybe one in the garage. I’m talking about at least six probes. They should be wireless for ease of installation and the ability to talk to a remote base station where I can record the temperatures. I want to record the temperature over time so I need a computer interface of some kind. A web page displaying the results would be nice. Maybe push the results to an online data warehouse. Opportunities for fun are endless.

All of the pieces to build a system like this are readily available from the usual suspects, sparkfun, adafruit, ebay, dx, etc. Figure a temperature sensor, micro-controller, wireless module, battery case, wiring, etc. at each location, times six. I can find a temperature sensor for about fifty cents, Arduino mini for five bucks, wireless module for a buck fifty to three bucks, a case and miscellaneous parts for another two bucks, say a round $10 USD per node. Probably a RasPi for the base station, another $45 at least with power supply, case, and wireless receiver. And then I would have to put it all together and blah blah blah, I never got around to it.

The other day I was at Walmart and stumbled on a pile of wireless remote temperature base stations and probes in the clearance bin.

Acurite00771W front

When I flipped the package over I noticed the probe uses 433 MHz wireless to communicate with the base station. I know a lot of low end consumer wireless devices sourced out of China use a wireless module separate from the core logic of the device. Decoupling the wireless functionality from the core functionality makes a product more amenable to delivering to a worldwide market. Different parts of the world have different regulations on wireless transmissions so modularizing the wireless link allows it to be swapped out for different markets with minimal design and manufacturing changes.

Acurite00771W back

If the core and wireless functions were separate there was a possibility I could sniff the communication lines between the two and decode the data protocol. Once decoded I should be able tap the lines and record the received temperature data with an Arduino or RasPi.

A base station plus probe was on clearance at just under $10 USD, I quickly picked up three. If the probe and base station were designed like I expected $10 seemed like a steal, I couldn’t even build the probe for $10, let alone have the base station along with it.

Acurite00771W receipt

Here is the base station and probe out of the packaging. My first impression is good. The buttons are clicky, the probe looks reasonably robust, the display is big enough to be useful.

Acurite00771W_03s

Removing the battery covers reveals that the probe takes 2 AA alkaline batteries and the base station 3 AA batteries. There is also a backup battery under a cover in the base station to keep time when the main batteries are being changed.

Under the battery cover in both the base station and the probe is a slide switch labeled A, B, C. I’m assuming the switch allows you to have up to three base stations and three probes in the same radio range.

Now was the moment of truth, time to open them up and see what the radio infrastructure looks like. First remove the two screws under the batter cover, shown just above. Next remove the three rubber feet from the bottom of the probe and remove the three screws found there.

Pop off the base plate and then pry the shell in two.

Acurite00771W_10s

Flipping open the base station revealed the gold! There is clearly a wireless module mounted at the top of the unit, with the blue antenna wire leading out of it and running around the inside of the case.

Acurite00771W_11s

As an added bonus the wireless module is completely separate from the logic board. The two boards are connected by a four wire ribbon cable.

Acurite00771W_13s

Even better, the cable between the boards is labeled, SH, D, V, G (click the image to enlarge). V and G seem obvious, D is probably data, SH could be anything but a reasonable guess might be chip select or data available.

Acurite00771W_12s

Popping open the probe revealed a similar construction, a wireless module near the top of the unit connected to a logic board with four wires.

Acurite00771W probe open

Acurite00771W_15s

Acurite00771W_16s

Putting batteries in the unit caused it to power up and within a few minutes it was displaying the temperature. Everything seemed to be working, the remote sensor was being read by the base station, it was time to start probing around to see what I could see.

Acurite00771W_20s

Step one is check the power, get an idea of what we are working with. As expected with three alkaline batteries the voltage going to the logic board was around 4.5 ~ 4.8 volts DC.

I confirmed connectivity between the ribbon cable ground (G) and the battery ground, that one seemed obvious and was.

Acurite00771W_24s

Next I probed the V pin between the logic board and the wireless module, a reasonable guess is the V pin is voltage into the wireless module. The V pin turned out to be a solid 3.25 volts, let’s call it 3.3 volts because that’s what it probably is supposed to be.

Next thing to do was unscrew the wireless module, unwrap the antenna, and get a better look at the board.

Acurite00771W_30s

A macro shot of the main chip on the wireless module revealed it to be a MICRF211, a 3V 433.92 MHz Receiver,

MICRF211 datasheet 1

MICRF211 datasheet 2

The next step was to probe the lines with an oscilloscope and see what the signals between the wireless module and the logic board looked like. This was where the rubber meets the road, if the signals were anything crazy the pain to condition and decode them might not be worth it.

Only one way to find out, start poking and probing and see what you see.

Acurite00771W_32s

I started with the SH line.

Acurite00771W_33s

It turned out to be pretty boring. It was clearly a gate or data available line. Nothing very interesting. The voltage was right around 3 volts.

Acurite00771W_34s

Time to probe the D line and see if it was more interesting.

Acurite00771W_35s

Probing the D line was way more interesting, something was happening here. The reasonable theory is this is the data being transmitted from the probe to the base station. The signal level is again around 3.3 volts, so no special conditioning required here. The fastest pulse found was on the order of a few micro-seconds, not slow, but not crazy fast either, something I could get a hold of with an Arduino.

Acurite00771W_36s

Putting both traces on the scope at once clearly shows the gating or data ready behavior of the SH line overlapping the D line.

Acurite00771W_37a

Acurite00771W_37b

Now that I know what is in the case and what the data signals look like between the logic board and the wireless module the next step is to decode the data stream and see if it looks like something I can read and decode with everyone’s favorite microcontroller.

Part 2 of this post can be found here.

Acurite 00754 / 00771W / 00772W / 00773W / 00774W / 00592 / 00592TX