Reverse Engineering A Better Night’s Sleep

June 6, 2023 by Dan Maloney 8 Comments

All you want is a decent night’s sleep, so you decide to invest in one of those fancy adjustable beds. At first, it’s fine — being able to adjust the mattress to your needs on the fly is a joy, and yet…something isn’t quite right. Something nags at you every night, thwarting your slumber and turning your dreams of peaceful sleep into a nightmare once you realize your bed has locked you into a vertically integrated software ecosystem from which there’s no escape.

Or is there? That’s what [Chris Laplante] wanted to know, and why he reverse-engineered his Tempur-Pedic remote control. As many products these days do, his bed was touted as having an Android application for smartphone adjustability, but alas, the app hasn’t been updated since 2014 (!) and doesn’t appear to work on modern phones. [Chris] decided to take matters into his own hands and build a gateway to talk to the bed using its native RF protocol.

Most good reverse engineering stories start with research, and this one is no exception. Digging into the FCC database revealed a wealth of clues, such as the frequency — 433-MHz ISM band, no surprise — and even spectrum analyzer screenshots of the remote’s signals. A HackRF One revealed more about the signals, but it turned out that sniffing in on the SPI bus between the microcontroller and the Si4431 RF transceiver with a Salae logic analyzer was more fruitful, allowing him to dig into the packet structure.

The engineers at Tempur-Pedic threw quite a few challenges at [Chris], like an application-level CRC in addition to the CRC used by the Si4431, and interesting complications to control the massage features of the bed. In the end, [Chris] managed to get a pretty complete snapshot of the conversation between the bed and the remote, and is now in the process of building a gateway that’ll actually connect to his phone, plus integrate into his home automation system. We’re looking forward to updates on that.

Name That Unknown RF Signal With A Little FFT Magic

February 11, 2020 by Dan Maloney 27 Comments

Time was once that the amateur radio bands were an aurally predictable place. Spinning the dial up and down the bands, one heard familiar sounds – the staccato of Morse, the [Donald Duck] of sideband voice transmissions, and the occasional flute-like warble of radioteletype signals. Now, the ham bands are full of exotic signals encoding all manner of digital signals, each one with a unique sound and unique demodulation needs. What’s a ham to do?

Help is on the way. [José Carlos Rueda] has made progress toward automatically classifying unknown signals by modifying a Shazam-like app. Shazam is a popular smartphone app that listens to a few seconds of a song, creates an audio fingerprint of it, and searches a massive database of songs for a match. [Rueda] used a homebrew version of the app to search a SQL-lite database of audio fingerprints populated not with a playlist of popular music, but with samples from every known signal type in the Signal Identification Wiki. The database contains hashes for an FFT of each sample, which can be easily searched. With a five to ten second sample of a signal, captured either live over a microphone or from a recording, he is able to identify the signal automatically.

Whether it be the weird, dissonant wail of PSK-31 or the angry buzzing of PACTOR, the goings-on across the bands no longer have to remain a mystery. We really like the idea here, and wonder if it can be expanded upon to visually decode signals based on their waterfall signatures using TensorFlow. There are some waterfall examples in [Danie Conradie]’s excellent article on RF modulation that could get you started.

[via RTL-SDR.com]

Demodulating BPSK31 With OpAmps And 555s

December 29, 2014 by Brian Benchoff 16 Comments

BPSK31 is an extremely popular mode for amateur radio operators; it’s efficient and has a narrow bandwidth and can be implemented with a computer sound card or an Arduino. Just like it says on the tin, it’s phase shift keying, and a proper implementation uses a phase detection circuit or something similar. [Craig] thought it would be fun to build an analog BPSK31 demodulator and hit upon the idea of doing this with amplitude demodulation. No, this isn’t the way you’re supposed to do it, but it works.

Data is transmitted via BPSK31 with a phase shift of 180 degrees being a binary 0, and no phase shift being a binary 1. [Craig]’s circuit uses an op-amp and a pair of diodes to do a full wave rectification of the signal, which basically makes a binary 1 logic high, and binary 0 logic low.

This rectified signal is then fed into a comparator, making the output go high when the signal is above 2V, and low when the signal is below 1V. That’s all you need to do to get bits out of the signal, all [Craig] had to do after that was figure out a way to sample it.

A 555 set up in astable mode running at 31.25 Hz provides the clock, synchronized with the signal by connecting the comparator’s output to the 555 trigger input. The timer clock ends up being slightly slower, but thanks to the varicode character set, the maximum number of binary ones the circuit will see is nine; every time the trigger sees a zero, the timer’s trigger is reset, re-synchronizing the receiver’s clock.

Yes, it’s a hack, and no, this isn’t how you’re supposed to receive PSK. It does, however, work, and you can thank [Craig] for that.

Direct Digital Synthesis (DDS) Explained By [Bil Herd]

November 24, 2014 by Bil Herd 42 Comments

One of the acronyms you may hear thrown around is DDS which stands for Direct Digital Synthesis. DDS can be as simple as taking a digital value — a collection of ones and zeroes — and processing it through a Digital to Analog Converter (DAC) circuit. For example, if the digital source is the output of a counter that counts up to a maximum value and resets then the output of the DAC would be a ramp (analog signal) that increases in voltage until it resets back to its starting voltage.

This concept can be very useful for creating signals for use in a project or as a poor-man’s version of a signal or function generator. With this in mind I set out here to demonstrate some basic waveforms using programmable logic for flexibility, and a small collection of resistors to act as a cheap DAC. In the end I will also demonstrate an off-the-shelf and inexpensive DDS chip that can be used with any of the popular micro-controller boards available that support SPI serial communication.

All of the topics covered in the video are also discussed further after the break.

Continue reading “Direct Digital Synthesis (DDS) Explained By [Bil Herd]” →

Long-distance High Frequency APRS Tracking Using The FreeTrak63

November 14, 2013 by Todd Harrison 21 Comments

If you dabble in the ham radio hobby we’re sure you’ve heard of GPS position monitoring or tracking using APRS packet data commonly transmitting over the VHF ham band and FM modulated. One of the issues you’ll face using this common method is range limitations of VHF. [Mike Berg] a.k.a [N0QBH ] tipped us off to his latest project to greatly increase the range of a standalone APRS system utilizing the HF bands on single-sideband (SSB).

There are some unique challenges transmitting packet data using SSB over HF bands. High Frequency APRS has been around for decades utilizing FSK AX.25 packet transmissions at 300 baud, but it was quite susceptible to noise and propagation aberrations. More recently PSK-31 at the slower 31 baud speed helped alleviate many of these issues. [Mike] utilized the somewhat updated APRS with PSK-63 and the “APRS Messenger” program to overcome these challenges. [Mike’s] hardware solution consists of a PIC 16F690 micro which is coded to receive data from a GPS receiver, convert it into PSK-63 and then transmit on 30 meters over an attached HF radio. A second receiving station or stations at great distances can pick up and decode the transmission using the “APRS Messenger” program connected to the receiving radio over the computer’s soundcard. The program can then forward the tracking information, if good, to tracking websites like FindU.com and APRS.FI.

You can build your own FreeTrak63 by downloading [Mike’s] parts list, assembly code, HEX file, manual and schematic. The PCB is available on OSH Park if you don’t want to make your own or wire point-to-point. Let’s not forget to mention how hackable this hardware is, being really just an eight bit DAC, micro, serial in and radio out. One could reprogram this hardware to do other modulation schemes like AX.25 packet or MFSK16, the sky’s the limit. If short-distance on VHF with existing Internet linked receiver networks using an Arduino compatible platform is more to your taste, then checkout the Trackuino open source APRS Tracker.