Reverse Engineering A Better Night’s Sleep

June 6, 2023 by Dan Maloney 8 Comments

All you want is a decent night’s sleep, so you decide to invest in one of those fancy adjustable beds. At first, it’s fine — being able to adjust the mattress to your needs on the fly is a joy, and yet…something isn’t quite right. Something nags at you every night, thwarting your slumber and turning your dreams of peaceful sleep into a nightmare once you realize your bed has locked you into a vertically integrated software ecosystem from which there’s no escape.

Or is there? That’s what [Chris Laplante] wanted to know, and why he reverse-engineered his Tempur-Pedic remote control. As many products these days do, his bed was touted as having an Android application for smartphone adjustability, but alas, the app hasn’t been updated since 2014 (!) and doesn’t appear to work on modern phones. [Chris] decided to take matters into his own hands and build a gateway to talk to the bed using its native RF protocol.

Most good reverse engineering stories start with research, and this one is no exception. Digging into the FCC database revealed a wealth of clues, such as the frequency — 433-MHz ISM band, no surprise — and even spectrum analyzer screenshots of the remote’s signals. A HackRF One revealed more about the signals, but it turned out that sniffing in on the SPI bus between the microcontroller and the Si4431 RF transceiver with a Salae logic analyzer was more fruitful, allowing him to dig into the packet structure.

The engineers at Tempur-Pedic threw quite a few challenges at [Chris], like an application-level CRC in addition to the CRC used by the Si4431, and interesting complications to control the massage features of the bed. In the end, [Chris] managed to get a pretty complete snapshot of the conversation between the bed and the remote, and is now in the process of building a gateway that’ll actually connect to his phone, plus integrate into his home automation system. We’re looking forward to updates on that.

Moon Bouncing And Radar Imaging With LoRa

December 3, 2021 by Ryan Flowers 16 Comments

The LoRa radio protocol is well known to hardware hackers because of its Long Range (hence the name) but also its extremely low power use, making it a go-to for battery powered devices with tiny antennae. But what if the power wasn’t low, and the antenna not tiny? You might just bounce a LoRa message off the moon. But that’s not all.

The team that pulled off the LoRa Moonbounce consisted of folks from the European Space Agency, Lacuna Space, and the CA Muller Radio Astronomy Station Foundation which operates the Dwingeloo Radio Telescope. The Dwingeloo Radio Telescope is no stranger to Amateur Radio experiments, but this one was unique.

LoRa Moonbounce plotted for doppler shift by frequency — A radar image of the moon generated from LoRa Moonbounce

Operating in the 70 cm Amateur Radio band (430 MHz) meant that the LoRa signal was not limited to the low power signals allowed in the ISM bands. The team amplified the signal to 350 Watts, and then used the radio telescope’s 25 Meter dish to direct the transmission toward the moon.

The result? Not only were they able to receive the reflected transmission using the same transceiver they modulated it with — an off the shelf IOT LoRa radio — but they also recorded the transmission with an SDR. By plotting frequency and doppler delay, the LoRa transmission was able to be used to get a radar image of the moon- a great dual purpose use that is noteworthy in and of itself.

LoRa is a versatile technology, and can even be used for tracking your High Altitude Balloon that’s returned to Terra Firma.

Cheap Sensors And An SDR Monitor Conditions In This Filament Drying Farm

September 14, 2019 by Dan Maloney 3 Comments

We don’t know where [Scott M. Baker] calls home, but it must be a pretty humid place indeed. After all, he has invested quite a bit in fancy vacuum storage containers to keep his 3D-printer filament dry, with the result being this sensor-laden filament drying farm.

[Scott] wasn’t content to just use these PrintDry containers without knowing what’s going on inside. After a little cleaning and lube to get all the containers working, he set about building the sensors. He settled on a wireless system, with each container getting a BME280 temperature/humidity/pressure sensor and an SYN115 315-MHz ISM band transmitter module. These go with an ATtiny85 into a compact 3D-printed case holding a little silica desiccant. The transmitters are programmed to comply with ISM-band regulations – no need to run afoul of those rules – while the receiver is just an SDR dongle and a Raspberry Pi running rtl_433. The long-ish video below details design and construction.

The idea behind these vacuum containers would seem to be to pull out humid air and prevent it from coming back in. But as [Scott] quickly learned from his telemetry, following the instructions results in the equivalent atmospheric pressure of only about 2700′ (823 meters) elevation – not exactly a hard vacuum. But as [Scott] points out, it’s enough to get a nice, tight seal, and his numbers show a lowered and constant relative humidity over time.

Continue reading “Cheap Sensors And An SDR Monitor Conditions In This Filament Drying Farm” →

Bidirectional IP With New Packet Radio

March 30, 2019 by Brian Benchoff 24 Comments

There are a few options if you want to network computers on amateur radio. There are WiFi hacks of sort, and of course there’s always packet radio. New Packet Radio, a project from [f4hdk] that’s now on hackaday.io, is unlike anything we’ve seen before. It’s a modem that’s ready to go, uses standard 433 ISM band chips, should only cost $80 to build, and it supports bidirectional IP traffic.

The introductory documentation for this project (PDF) lays out the use case, protocol, and hardware for NPR. It’s based on chips designed for the 433MHz ISM band, specifically the SI4463 ISM band radio from Silicon Labs. Off the shelf amplifiers are used, and the rest of the modem consists of an Mbed Nucleo and a Wiznet W5500 Ethernet module. There is one single modem type for masters and clients. The network is designed so that a master serves as a bridge between Hamnet, a high-speed mesh network that can connect to the wider Internet. This master connects to up to seven clients simultaneously. Alternatively, there is a point-to-point configuration that allows two clients to connect to each other at about 200 kbps.

Being a 434 MHz device, this just isn’t going to fly in the US, but the relevant chip will work with the 915 MHz ISM band. This is a great solution to IP over radio, and like a number of popular amateur radio projects, it started with the hardware hackers first.

SDR Is At The Heart Of This Soup-Can Doppler Radar Set

November 29, 2018 by Dan Maloney 6 Comments

Want to explore the world of radar but feel daunted by the mysteries of radio frequency electronics? Be daunted no more and abstract the RF complexities away with this tutorial on software-defined radar by [Luigi Cruz].

Taking inspiration from our own [Gregory L. Charvat], whose many radar projects have graced our pages before, this plunge into radar is spare on the budgetary side but rich in learning opportunities. The front end of the radar set is almost entirely contained in a LimeSDR Mini, a software-defined radio that can both transmit and receive. The only additional components are a pair of soup can antennas and a cheap LNA for the receive side. The rest of the system runs on GNU Radio Companion running on a Raspberry Pi; the whole thing is powered by a USB battery pack and lives in a plastic tote. [Luigi] has the radar set up for the 2.4-GHz ISM band, and the video below shows it being calibrated with vehicles passing by at known speeds.

True, the LimeSDR isn’t exactly cheap, but it does a lot for the price and lowers a major barrier to getting into the radar field. And [Luigi] did a great job of documenting his work and making his code available, which will help too. Continue reading “SDR Is At The Heart Of This Soup-Can Doppler Radar Set” →

Flush Out Car Thieves With A Key Fob Jammer Locator

July 16, 2017 by Dan Maloney 97 Comments

We all do it — park our cars, thumb the lock button on the key fob, and trust that our ride will be there when we get back. But there could be evildoers lurking in that parking lot, preventing you from locking up by using a powerful RF jammer. If you want to be sure your car is safe, you might want to scan the lot with a Raspberry Pi and SDR jammer range finder.

Inspired by a recent post featuring a simple jammer detector, [mikeh69] decide to build something that would provide more directional information. His jammer locator consists of an SDR dongle and a Raspberry Pi. The SDR is set to listen to the band used by key fobs for the continuous, strong emissions you’d expect from a jammer, and the Pi generates a tone that varies relative to signal strength. In theory you could walk through a parking lot until you get the strongest signal and locate the bad guys. We can’t say we’d recommend confronting anyone based on this information, but at least you’d know your car is at risk.

We’d venture a guess that a directional antenna would make the search much easier than the whip shown. In that case, brushing up on Yagi-Uda antenna basics might be a good idea.

ISM Communications For Arduino

July 9, 2017 by Al Williams 14 Comments

If you want to wirelessly communicate between devices, WiFi and Bluetooth are obvious choices. But there’s also the ISM (industrial, scientific, and medical) band that you use. There are inexpensive modules like the SX1278 that can handle this for you using LoRa modulation, but they haven’t been handy to use with an Arduino. [Jan] noticed the same thing and set out to build a shield that allowed an Arduino to communicate using LoRa. You can find the design data on GitHub. [Jan] calls it the LoRenz shield.

According to [Jan], the boards cost about $20 to $30 each to make, and most of that cost was in having PC boards shipped. LoRa lets you trade data rate for bandwidth, but typical data rates are fairly modest. As for range, that depends on a lot of factors, too, but we’ve seen ranges quoted in terms of miles.

Depending on where you live, there may be legal restrictions on how you use a radio like the SX1278. You should understand your local laws before you buy into using the ISM bands. We aren’t sure it would be wise, but the board can coexist with three other similar shields. So you could get 4 radios going on one Arduino if you had too and could manage the power, RF, and other issues involved. The breakout board the module uses has an antenna connector, so depending on your local laws, you could get a good bit of range out of one of these.

[Jan] promises a post on the library that makes it all work shortly, but you can find the code on GitHub now. If you look at the code in the examples directory, it seems pretty easy. You’d have to sling some software, but the SX1278 can support other modes in addition to LoRA including FSK and other data modulation techniques.

We’ve seen other LoRa shields, but not many. If you are interested in other wireless technologies, we’ve talked about them quite a bit. If you want a basic introduction to LoRa, [Andreas Spiess’] video below is a good place to start.

Continue reading “ISM Communications For Arduino” →