
hacking thermometer.md


Goal

I have a wireless thermometer that I will try to hack, since the wireless temperature sensor uses the same frequency as an antenna I can use with an Arduino.

The thermometer

This thermometer communicates with a wireless sensor that emits information in the radio frequency of 433 MHz, a very common frequency since it is unregulated in the EU.

image

The sensor emits a message with the temperature and humidity that it detects once every 50 seconds. When the thermometer detects a message, it updates its display with the new temperature and humidity sent by the sensor.

The message

I can use an RTL-SDR dongle (a software-defined radio) to listen to this message.

image

^SDR# software listening to 433MHz frequency (the high peak is the message being sent by the sensor)

After recording the message in RIFF format (.wav file), I can use the functions I created in this post to turn the message into a sequence of ints, each representing how long the antenna was on or off for during the message transmission. First of all, the message looks like this:

image

This is a portion of the message. As we can see, there are some short 'high' or '1' states which are immediately followed by long 'low' or '0' states. After looking at the duration of each pulse, I found out that all the '1' states are 520 microseconds long, and the '0' pulses are either 1930 or 3850 microseconds long.

Decoding

I made a guess that if a 520-microsecond '1' pulse was followed by a 1930-microsecond '0' pulse it would represent a binary 0, and if the 520-microsecond '1' pulse was followed by a 3850-microsecond '0' pulse, then it would represent a binary 1. Using these criteria I translated the message to binary and it looked like this:

1001011011010000000011010101001011111

This 37-bit message is actually repeated 8 times during the transmission from the sensor, I guess for redundancy.

Since I have the duration of how long the antenna is on or off for during the transmission, I can reproduce the message that I recorded from the sensor with an Arduino and a 433 MHz transmitter that I bought (3€ on AliExpress).

I did some tests transmitting different messages that I had recorded with different temperatures and humidities, and then I compared the messages in binary with the temperature and humidity that each message represented. After some tests I found out which bits of the message represented temperature and which represented humidity.

image

The first 12 bits I think are just there so that the thermometer doesn't confuse random noise with a transmission from the sensor, so the thermometer will only listen to transmissions that get the first 12 bits right. I think some of those bits also tell the channel number (the thermometer can listen to 3 different channels at the same time and the sensor can only transmit to any one of those 3 channels at a single time). All tests I did were on channel 1, so I don't know which of those bits represent the channel number.

The temperature is stored in the 16 bits from bit number 12 to bit number 27 (starting from bit 0), and it's stored multiplied by 10. For example, if the temperature that the sensor reads is 15.7 degrees Celsius, then the binary number that will be sent in those 16 bits will be 0000000010011101, which is 157 in binary.

The humidity is stored as-is: if the humidity is 43%, then the 8 bits from bit 28 to bit 35 will be 00101011, which is 43 in binary.

Bit number 36 (the last bit of the message) is always 1.

Now, knowing which bits represent humidity and which represent temperature, I can generate new messages from scratch, making the thermometer display whatever values I want.
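The decoding rule and field layout described above can be checked with a small decoder. This is an added example, not the author's code: the timings, bit offsets and the `PAGE_BITS` string come from the post, while the 300 µs tolerance, the function names and the constructed sample capture are assumptions. Temperatures are treated as unsigned because the post does not describe negative values.

```python
# Added example: decoder for the 37-bit frame described in the post.
# Timings, bit offsets and PAGE_BITS come from the post; TOLERANCE_US,
# the function names and SAMPLE_DURATIONS are assumptions made for this example.
HIGH_US, GAP_ZERO_US, GAP_ONE_US = 520, 1930, 3850
TOLERANCE_US = 300   # assumed allowance for capture jitter
FRAME_BITS = 37
PAGE_BITS = "1001011011010000000011010101001011111"  # bit string shown in the post

def pulses_to_bits(durations):
    """Map alternating [high, low, high, low, ...] durations (in µs) to a bit string."""
    if len(durations) % 2:
        raise ValueError("capture must contain complete high/low pairs")
    bits = []
    for high, low in zip(durations[0::2], durations[1::2]):
        if abs(high - HIGH_US) > TOLERANCE_US:
            raise ValueError(f"unexpected high pulse: {high} us")
        if abs(low - GAP_ZERO_US) <= TOLERANCE_US:
            bits.append("0")   # short gap after the high pulse
        elif abs(low - GAP_ONE_US) <= TOLERANCE_US:
            bits.append("1")   # long gap after the high pulse
        else:
            raise ValueError(f"unexpected low gap: {low} us")
    return "".join(bits)

def parse_frame(bits):
    """Split one frame into the fields the post identifies."""
    if len(bits) != FRAME_BITS or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 37 binary digits")
    if bits[36] != "1":
        raise ValueError("bit 36 should always be 1")
    return {
        "header": bits[0:12],                       # purpose only guessed at in the post
        "temperature_c": int(bits[12:28], 2) / 10,  # stored as tenths of a degree, unsigned here
        "humidity_pct": int(bits[28:36], 2),
    }

# Constructed sample capture: PAGE_BITS rendered as durations with a fixed jitter of up to 60 µs.
SAMPLE_DURATIONS = []
for i, bit in enumerate(PAGE_BITS):
    jitter = (i * 37) % 121 - 60
    gap = GAP_ONE_US if bit == "1" else GAP_ZERO_US
    SAMPLE_DURATIONS += [HIGH_US + jitter, gap - jitter]

if __name__ == "__main__":
    print(parse_frame(pulses_to_bits(SAMPLE_DURATIONS)))
```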

Arduino

I 3D-printed a case which holds an Arduino Nano, the 433 MHz transmitter, a battery and a button, and programmed the Arduino to transmit whatever message I want.

image

Given a temperature value and a humidity value, it creates the 37-bit sequence, then it turns that sequence into how long the antenna should be on or off for, and then the Arduino controls the antenna to be on or off during those periods. After hearing the transmission, the thermometer displays the values carried in the message. For example, setting the temperature to 42.0 degrees Celsius and the humidity to 69%, I can transmit the message with the Arduino and the thermometer will display the numbers:

image