Bridging RTL-433 To Home Assistant

If you’ve got an RTL-SDR compatible receiver, you’ve probably used it for picking up signals from all kinds of weird things. Now, [Jaron McDaniel] has built a tool to integrate many such devices into the world of Home Assistant.

It’s called RTL-HAOS, and it’s intended to act as a bridge. Whatever you can pick up using the RTL_433 tool, you can set up with Home Assistant using RTL-HAOS. If you’re unfamiliar with RTL_433, it’s a multitalented data receiver for picking up all sorts of stuff on a range of bands using RTL-SDR receivers, as well as a range of other hardware. While it’s most closely associated with products that communicate in the 433 MHz band, it can also work with products that talk in 868 MHz, 315 MHz, 345 MHz, and 915 MHz, assuming your hardware supports it. Out of the box, it’s capable of working with everything from keyless entry systems to thermostats, weather stations, and energy monitors. You can even use it to listen to the tire pressure monitors in your Fiat Abarth 124 Spider, if you’re so inclined.

[Jaron’s] tool integrates these devices nicely into Home Assistant, where they’ll appear automatically thanks to MQTT discovery. It also offers nice signal metrics like RSSI and SNR, so you can determine whether a given link is stable. You can even use multiple RTL-SDR dongles if you’re so inclined. If you’re eager to pull some existing environmental sensors into your smart home, this may prove a very easy way to do it.

The cool thing about Home Assistant is that hackers are always working to integrate more gear into the ecosystem. Oftentimes, they’re far faster and more efficient at doing this than big-name corporations. Meanwhile, if you’re working on your own hacks for this popular smart home platform, we’d probably like to know about it. Be sure to hit up the tips line in due time.

Shellcode Over MIDI? Bad Apple On A PSR-E433, Kinda

If hacking on consumer hardware is about figuring out what it can do, and pushing it in directions that the manufacturer never dared to dream, then this is a very fine hack indeed. [Portasynthinca3] takes on the Yamaha PSR-E433, a cheap beginner keyboard, discovers a shell baked into it, and takes it from there.

[Portasynthinca3] reverse engineered the firmware, wrote shellcode for the device, embedded the escape in a MIDI note stream, and even ended up writing some simple LCD driver software with a totally decent refresh rate, all to support the lofty goal of displaying arbitrary graphics on the keyboard’s dot-matrix character display.

Now, we want you to be prepared for a low-res video extravaganza here. You might have to squint a bit to make out what’s going on in the video, but keep in mind that it’s being sent over a music data protocol from the 1980s, running at 31.25 kbps, displayed in the custom character RAM of an LCD.

As always, the hack starts with research. Identifying the microcontroller CPU led to JTAG and OpenOCD. (We love the technique of looking at the draw on a bench power meter to determine if the chip is responding to pause commands.) Dumping the code and tossing it into Ghidra led to the unexpected discovery that Yamaha had put a live shell in the device that communicates over MIDI, presumably for testing and development purposes. This shell had PEEK and POKE, which meant that OpenOCD could go sit back on the shelf. Poking “Hello World” into some free RAM space over MIDI sysex was the first proof-of-concept.

The final hack to get video up and running was to dig deep into the custom character-generation RAM, write some code to disable the normal character display, and then fool the CPU into calling this code instead of the shell, in order to increase the update rate. All of this for a thin slice of Bad Apple over MIDI, but more importantly, for the glory. And this hack is glorious! Go check it out in full.

MIDI is entirely hacker friendly, and it’s likely you can hack together a musical controller that would wow your audience just with stuff in your junk box. If you’re at all into music, and you’ve never built your own MIDI devices, you have your weekend project.


Decoding 433 MHz Signals With Arduino & Raspberry Pi

433 MHz radio signals are all around us. They’re used for things like smart power plugs, garage door openers, and home weather stations. Decoding these signals can allow you to interface and work with these devices on your own terms. To help in those efforts, [Joonas Pihlajamaa] has written a three-part tutorial on decoding these signals.

A soundcard makes for a very cheap oscilloscope.

The focus of the tutorials is decoding the signals of a Nexa radio-controlled smart plug. [Joonas] first explores using an Arduino to do the job, paired with a RFM210LCF-433D radio receiver module. This setup dumps out data to a computer over serial for decoding. [Joonas] then tried an alternative strategy, using a soundcard as a “poor man’s oscilloscope” to do the same job, using the same radio module and using Audacity for signal analysis. Finally, [Joonas] brought out the big guns, hooking up a Picoscope digital oscilloscope to a Raspberry Pi 4 for a more deluxe attempt at decoding the signals.

The tutorial goes to show that higher-end tools can make such a job much easier. However, the cheaper techniques are a great way of showing what can be done with the bare minimum in tools. We’re hoping for an exciting fourth part to [Joonas’s] work, where he instructs us on how to decode 433 MHz signals by drinking huge amounts of caffeine and staring at a very fast blinking LED. If you’ve got your own nifty signal analysis (or SIGINT!) hacks, be a good sport and drop them into the tipsline!

 

Arduino Library Brings Rtl_433 To The ESP32

If you have an RTL-SDR compatible radio there’s an excellent chance you’ve heard of the rtl_433 project, which lets you receive and decode signals from an ever-expanding list of supported devices in the ISM radio bands. It’s an incredibly useful piece of software, but the fact that it requires an external software defined radio and a full-fledged computer to run dictated the sort of projects it could realistically be used for.

But thanks to the rtl_433_ESP Arduino library developed by [NorthernMan54], we’re now able to pack that functionality into a much smaller package. All you need is an ESP32 microcontroller and a CC1101 or SX127X transceiver module. If you’re looking for a turn-key hardware platform, the documentation notes the LILYGO LoRa32 V2 board includes the required hardware, plus adds a handy OLED display and microSD slot. It should be noted that the range of these radios doesn’t compare particularly well to a full-size RTL-SDR device, but that probably won’t come as much of a surprise.

Low-Cost 433 MHz Door Sensors Get Open Firmware

It’s an unfortunate reality these days that if you see a cheap piece of consumer electronics, there’s a good chance it’s only cheap because it’s designed to lock you into some ecosystem where you’ll either end up paying a subscription, or worse, have your personal information sold behind your back. One of the best tools we have against these sorts of anti-consumer practices is the development of open source firmware replacements that put control of the device into the hands of the community, rather than a corporation.

Now, thanks to the work of [Jonathan Armstrong] we have such a firmware for the 433 MHz magnetic door and window sensors that you can pick up on AliExpress for $4 USD apiece. The new firmware not only ensures you can use these sensors with a wide array of receivers, but adds a number of new features over their stock configuration.

Connecting Commercial 433 MHz Sensors To MQTT And Home Assistant With RTL-SDR

When [Elixir of Progress] was looking at setting up environmental sensors around their home to keep track of temperature, humidity and such, the obvious idea of using WiFi-connected sensors didn’t work due to a lack of WiFi range. Although Zigbee (Z-wave) sensors have longer range than WiFi, they are decidedly more expensive, proprietary and require a special transceiver hub. That’s where 433 MHz sensors for weather stations come into the picture.

The idea is simple: virtually all of those sensors – many of them rated for outdoor use – use the unlicensed 433 MHz spectrum that can easily be captured using cheap RTL-SDR (software defined radio) USB dongles. With the data stream from these sensors captured, the open source rtl_433 project enables automatic decoding of these data streams for a wide range of supported sensors.

While Realtek RTL2832-based and other RTL-SDRs can be found for quite cheap, it should be noted that these can run quite hot. Rather than heatsinking the IC, for this project it was elected to only listen sporadically and allow the RTL-SDR receiver to cool down in between listening sessions.

Getting the data from there into Home Assistant, InfluxDB or similar is easy, as rtl_433 can output the decoded data directly to an Influx database, MQTT broker as well as other formats. In this case, the data was sent via MQTT with the Home Assistant instance configured to treat these MQTT topics as sensors. With each sensor’s location carefully registered, this allows for setting up a dense, very low-power network of 433 MHz sensors for monitoring and home automation purposes.

Teardown: Impassa SCW9057G-433 Alarm System

This series of monthly teardowns was started in early 2018 as an experiment, and since you fine folks keep reading them, I keep making them. But in truth, finding a new and interesting gadget every month can sometimes be a chore. Which is why I’m always so thankful when a reader actually sends something in that they’d like to see taken apart, as it absolves me from having to make the decision myself. Of course it also means I can’t be blamed if you don’t like it, so keep that in mind as well.

Coming our way from the tropical paradise of Eastern Pennsylvania, this month’s subject is an ADT branded Impassa SCW9057G-433 alarm system that was apparently pulled off the wall when our kind patron was moving house. As you might have guessed from the model number, this unit uses 433 MHz to communicate with various sensors and devices throughout the home, and also includes a 3G cellular connection that allows it to contact the alarm monitoring service even if the phone line has been cut.

Diagram of Impassa home security setup
The alarm can connect to a wide array of 433 MHz devices.

From how many of these are on eBay, and the research I’ve done on some home alarm system forums, it appears that you can actually pick one of these up on the second-hand market and spin your own whole-house alarm system without going through a monitoring company like ADT. The extensive documentation from Impassa covers how to wire and configure the device, and as long as the system isn’t locked when you get it, it seems like wiping the configuration and starting from scratch isn’t a problem.

If it’s possible to put together your own homebrew alarm system with one of these units at the core, then it seems the least we can do is take it apart and see what kind of potentially modifiable goodies are waiting under that shiny plastic exterior.
