433MHz FSK Receiver modules

PhilHornby

Senior Member
I wish to read the transmissions from a Hyundai car Fob, using a Picaxe.

I have done this successfully on a PC - using a TV Tuner dongle and SDR software, so I know what the data looks like. Obviously, SDR is outside the Picaxe's capabilities, so I'm looking for a generic module that can handle 433MHz FSK modulated data and has a simple 'data out' pin (or maybe even a serial interface).

I have found all manner of candidates, but they're either out-of-stock, shipped from far away lands, use SPI, or cost a fortune etc etc :(

Can anyone recommend one?

Supplementary question: Is there a standard for the pairs of frequencies used for FSK; does auto-tuning handle it, or would it need configuring?
 
I would suspect that every manufacturer has their "own" definitions of "how much" FSK :-(

Perhaps something that an SDR with bandwidth sweep capability could show? Just press the button and see which frequencies move to where?
 
Are you sure it is FSK and not ASK?
When I worked for an automotive electronic module manufacturer, all the FOB receivers were ASK.

But that was in 1997. Things may have changed.
 
Are you sure it is FSK and not ASK?

You may regret asking ;)

Using an ASK receiver, this is the sort of response I see from a Hyundai Fob, when I probe it with an encoded 125KHz LFMC (Low Frequency Magnetic Communications) signal :-

MoreProbeAndReplyTiming.jpg

(Top is the outgoing 125KHz query, next is the UHF response. The bottom signal is a trigger for the logic analyser. This is the first part of the PKES exchange)

It's quite a distinctive pattern and is sufficient for my original project (I just needed to detect the presence of any response from the Fob). However, I'm moving onto TPMS sensors, so I thought I would start with fully understanding the Fob response (because I can experiment indoors!).

Using RTL-433 I can get sensible data from my two Fobs (both are different, but repeatable). It says the signal is FSK, and prints out received data. It even suggests the parameters to use to create a custom decoder. It tells me the frequency offsets are +8.6 kHz and -58.5 kHz.

A graphic view of what is received is here: https://triq.org/pdv/ (displayed URL is abbreviated for clarity)

FSKPIC.png

At this point my knowledge and understanding fail me :( ...

I thought the whole point of FSK, was that one received frequency is decoded as "1" and the other frequency is "0".

In other words (within limits), timing is totally unimportant. Yet, according to RTL-433, the signal is very much encoded; with different pulse-lengths (as per that graphic view). It even annotates it as "OOK"

The received signal it shows is very different to what I see on the ASK receiver. For all the world, it looks like it has used one frequency to denote 'HIGH' and the other to denote 'LOW' (rather than "1" and "0") and that the actual data is further encoded by those HIGH/LOW transitions.

(The graphical analysis of the signal says that it lasts for 26.08mS, which fits with what I see as a single 25mS pulse...)

Any insight welcomed :)
 
Last edited:
Hi,
I thought the whole point of FSK, was that one received frequency is decoded as "1" and the other frequency is "0".

Well yes, but you still need a Run-In or "AGC" period, a "Start" Pulse and/or a "Framing/Sync" pattern and probably some form of "Stop" signal (which might just be the end of the Carrier Wave). That could be done all in a continuous sequence of "0" and "1" levels, but you would still need some way to identify when each "bit" ends and another starts. Using "pulses" and/or "gaps" with different or unusual periods is a relatively easy way to identify the Start and Framing of each transmitted a message. Theoretically FSK (and FM in general) doesn't need any AGC control (because it could use zero-crossings) but in practice it's likely to be used to avoid overload/cross-modulation, etc.. However, the AGC doesn't get disturbed by the data modulation in the same way that "gaps" in the carrier (i.e. the modulation itself) affects the AGC level in an AM/ASK/OOK system. Also the "Capture Effect" of FM should greatly improve the resistance to interference........... Or perhaps the developers just started with an OOK system and decided to update it with some FSK hardware. ;)

I've only been lurking on this thread so far, because I'm considering a similar requirement and don't have an answer. :( There appear to be several competent "hardware-only" mosules for ASK/OOK on the 433 MHz band, but nothing equivalent for FSK on 434 MHz, or even ASK on 868 MHz (my requirement). Similarly, for Modem/AT command applications, there is the excellent HC-12 (if not fake) which although often "Headlined" as 434/868 MHz, I've never found anybody actually selling an 868 MHz version. However, AliExpress (if you choose carefully) and Ebay with SpeedPak shipping, do now achieve delivery in a little over a week, often fully tracked, which IMHO does make them a more acceptable source for ongoing projects.

It seems that the only solution is to use a "Programmable" or Configurable module, which in principle shouldn't be too difficult even with a PICaxe, but they all appear to use a "SPI" Bus. It would be much easier if there were any using the I2C Bus, but there's the "double-whammy" (or worse) that SPI not only needs more pins, but the on-chip hardware uses the same pins as I2C (at least on the smaller chips). This makes it a real challenge to mix the radio with established I2C chips such as many sensors, or the very useful little "0.9" or "1.3" inch bit-mapped OLED displays, etc.. My "ideal" is to use an 08M2 (and certainly avoiding the X2 chips) which has a physical size (DIL) comparable to these RF modules. However, SPI is really intended for "Bit Banging" interfaces, often directly in Assembler, but sadly the only Bit Banging possible with PICaxe is about 400 times slower than "real" Assembler (of the "Base PIC").

My intention is to use the on-chip SPI hardware, available in all of the M2 chips, using POKE/PEEKSFR commands, much as I have done with the UART (RS232) hardware register(s), in place of the (flawed) HSERIN command. This should/could be at least 10 times faster than direct Bit-Banging, but probably not as fast as can be achieved with the I2C commands of a PICaxe. In pinciple, the 08M2 has six "I/O" pins (which I think are usable), but strictly two pins are "Input Only" (better described as "Non-Output and Non-Analogue Input") and only three are truly "GPIO").

The transceivers that I had been considering are based on the RFM (e.g. 69) chips, but perhaps the (Texas) CC1101 is more appropriate. Their (free) "Smart RF Studio (7)" is available by jumping through a few hoops, but I still don't find even the latest version very intuitive for simply creating a list of Register values to (Manually) program into a PICaxe. At least there are a few relevant threads on the forum, but I'm concerned that even hippy struggled to interpret their (or Microchip's) application of the SPI interface, and another comment that the CC1101 can be "difficult to use". :(

Well, I drafted most of this before the forum Update, so I'll close now, until I get to grips with the new UI.

Cheers, Alan.
 
Makes sense that the automotive FOBs have changed to FSK for noise immunity improvements.

In reality, the only advantage of ASK/ OOK is a lower average current consumption, specifically for coin-battery powered FOBs

In my previous work I had access to a real spectrum analyzer. With a narrow span, the FSK’s modulation could be readily seen. And going to zero span one would demodulate ASK. For analyzers with a speaker, one could actually listen to the raspy sound.
 
Well yes, but you still need a Run-In or "AGC" period, a "Start" Pulse and/or a "Framing/Sync" pattern and probably some form of "Stop" signal (which might just be the end of the Carrier Wave). That could be done all in a continuous sequence of "0" and "1" levels, but you would still need some way to identify when each "bit" ends and another starts. Using "pulses" and/or "gaps" with different or unusual periods is a relatively easy way to identify the Start and Framing of each transmitted a message.

Ah ok; I can see you wouldn't even be able to transmit two consecutive identical bits, without defining the 'length' of a "0" or "1" frequency burst (unless you had periods of 'silence' between each bit).

AllyCat:

It seems that the only solution is to use a "Programmable" or Configurable module, which in principle shouldn't be too difficult even with a PICaxe, but they all appear to use a "SPI" Bus.

I'm sure CC1101 modules can do what I want, but that 107 page datasheet is mighty off-putting :eek:

As you said, HopeRF also have functionally equivalent modules, but I'm thinking I might be better off pursuing the simpler, receiver-only, offerings.

HopeRF RFM01 modules looked a lot more promising, but are apparently discontinued, as of 2022 :( - with a suggestion that the RFM219BW might be equivalent. Annoyingly, it appears that that module can 'decode' NRZI and Manchester all by itself, but I'd be on my own with Hyundai's PWM. I can't find a UK supplier, though eBay may come to the rescue.
 
Last edited:
The previous reply appeared to post itself, while I was away feeding the cat :oops:

What I was going to query, were the methods of implementing SPI. Don't we just have the built-in Basic functions hspiin etc or peeksfr/pokesfr. 'Bitbanging' (i.e. manually toggling data lines up and down would surely never be a sensible option?
 
Hi,

The HSPIIN and HSPIOUT functions are only available on X2 chips, which of course are only 20 pins and upwards. That's why I'm considering PEEKSFRing, etc. the SPI hardware, which should also solve the issue that SHIFTOUT and SHIFTIN can't both be used at the same time in X2 devices. In principle it should be quite possible, but I'm concerned with the difficulties described in the long thread that I linked towards the end of post #7, where the Hardware didn't appear to reproduce the functional Bit-Banging test code.

By Manual programming, I meant the ability to create and copy the required Register values into a PICaxe program, without the need for any custom hardware tools, and it appears that the recent version of Texas' Smart RF Studio does have "Copy to Clipboard" and file-writing capabiities, etc.. At least I can now see how to change a few values and generate some (potentially correct) Register values. Similarly, the Register Descriptions in the Data Sheet do at least appear to be "Comprehensible". Conversely, HopeRF documentation (and sales) to hobbyists seems to have been quite limited, and the RFM219 appears to be another SPI-programmed device?

ADDED : I have absolutely no experience of "TME" and the shipping looks a little pricey, but Google found: https://www.tme.eu/gb/details/rfm01_433s2/ which claims to have over 1000 pieces, available via PayPal and with no need to setup an account? I can't see where they're located but, "Estimated delivery time 2-4 working days by DHL". Also some documentation; Quite a lot of "pins" and they appear to be on a 2 mm pitch? :(

Cheers, Alan.
 
Last edited:
I've used TME several times. They deliver quickly (before Brexit I had a set of inrush relays delivered from Poland the next day) and their prices are reasonably competitive. The last delivery was for 5 pieces of ... RFM01 433S2 in 2023 to build a receiver for a Watson weather station. Cost was £23.94 including DHL delivery. I can post some of the code if anyone's interested.
 
The HSPIIN and HSPIOUT functions are only available on X2 chips, which of course are only 20 pins and upwards. That's why I'm considering PEEKSFRing, etc. the SPI hardware, which should also solve the issue that SHIFTOUT and SHIFTIN can't both be used at the same time in X2 devices.

I admit I've never read the SPI-related manual pages. Now I have, things seem slightly more complicated than anticipated :eek:.
In the first instance, it seems easiest to use a 20X2 for experimentation.

the RFM219 appears to be another SPI-programmed device?

I can't find anything that isn't, that isn't also proprietary (thus requiring the same device at each end of the link). In theory, the HC-12 (with its onboard SI4463) could do the job - but of course, the functionality isn't made available to us.

ADDED : I have absolutely no experience of "TME" and the shipping looks a little pricey, but Google found: https://www.tme.eu/gb/details/rfm01_433s2/ which claims to have over 1000 pieces

I've actually used TME for something in the past (though I can't remember what). Unfortunately, I've moved house since then and there doesn't seem to be a way to change your address, without manual intervention from a Polish person - so that may delay things.

Just restricting myself to HopeRf devices, there is a lot of confusion (even after separating out the Transceivers from the separate Transmitters and Receivers). I ordered a RFM219 from eBay, but it turns out to be a RFM219SW not an RFM219BW. The datasheet reveals major differences between the two :(

RS stock the RFM65W-433-S2 at a reasonable price, but the Postage is nearly as much as the device.
 
Last edited:
These are the main code (Slot1) - the RFM part is at TestSetup and the associated subroutines. The two include files are WeatherStation (for the specific program) and RFM01 (for the various RFM codes). The basinc files are suffixed .txt because the forum won't allow them to be directly loaded.

NOTE - I realised yesterday (21 November) that the original basinc file had been inadvertently changed when preparing to upload it. The correct version is now attached (DISCRIMINATOR in the first line was 16 - it should have been 160. Sorry)
 

Attachments

Last edited:
I ordered 5xRFM01's from TME in the early hours of Sunday 3/11 and they were shipped out the following day. They arrived Tue 5/11, so I can't complain about that service! All nicely packaged as well.

I also ordered a RFM219SW, which is to be drop-shipped from China, by a German eBay'er on ebay.co.uk :eek: ... no sign of that one yet ...

Chatgpt reckons the RFM219SW can be used without any configuration, just by sampling the "Dout" pin. I'm not convinced, but we'll see.

The conversation with Chatgpt got me thinking though ... these devices are quite keen on presenting whole bytes of received data. They'll even store them up in FIFO buffer, to avoid data overruns. However, none of that can happen, if they don't understand that 'PWM modulation' scheme that Hyundai are using.

Which they don't :(
 
The Weather Station program I posted above receives "short" and "long" pulses, corresponding to 0 and 1 respectively, by reading the output pin repeatedly and estimating the length of each pulse using pulsin. Depending on how fast your setup is (or needs to be) you might be able to do the same.
 
Hi,
The Weather Station program I posted above receives "short" and "long" pulses, corresponding to 0 and 1 respectively, by reading the output pin repeatedly and estimating the length of each pulse using pulsin.
.......... Or perhaps the developers just started with an OOK system and decided to update it with some FSK hardware. ;)
Is the Weather Station one of the Ecowitt (previously known as Fine Offset) stations? Do you have any formal specification of the (FSK) transmission details? I originlly "hacked" and reproduced (all) their original OOK transmission parameters with a PICaxe, but haven't done anything with the Ecowitt versions because of the (assumed) complications of obtaining "simple" FSK and/or 868 MHz receivers.

Chatgpt reckons the RFM219SW can be used without any configuration, just by sampling the "Dout" pin. I'm not convinced, but we'll see.
I've not looked at the full data sheet, but it appears that DOUT is "configurable" to appear on pins SDIO1 , ..2 or ..3 ; I guess at least one by default? Presumably there will be similar defaults around 433.72 MHz carrier and for a "typical" RF bandwidth, etc..

Since I don't normally use X2 PICaxes, it hadn't struck me that the "SPI" commands primarily use internal Bit-Banging (as do the SERIN/OUT commands within M2 and X2s), so the HSPI.... commands behave very differently, as do HSERIN... compared with SERIN... , etc..

Cheers, Alan.
 
The Weather Station program I posted above receives "short" and "long" pulses, corresponding to 0 and 1 respectively, by reading the output pin repeatedly and estimating the length of each pulse using Pulsin

I'll have a closer look at your code. So far, I've been cross referencing all the configuration stuff with the data sheet.
 
The Weather Station program I posted above receives "short" and "long" pulses, corresponding to 0 and 1 respectively, by reading the output pin repeatedly and estimating the length of each pulse using pulsin. Depending on how fast your setup is (or needs to be) you might be able to do the same.
There is still something confusing me...

The RFM01 data sheet says there is an OOK mode and there is a DATA pin and that valid data is anything > a preset RSSI (I paraphrase!)

Considering 'my' Hyundai Fob signal :-

Assuming an incoming signal that comprises 2 frequencies, one of which seemingly represents ON/HIGH and the other representing OFF/LOW, is it just picking one of them and signalling its presence on the DATA pin ❓
(Or does it just have a more sophisticated receiver, that can work with a conventional (single frequency) OOK modulated carrier ❓)

(I know that my simpler ASK/OOK receiver sees both frequencies, so the equivalent data pin just stays high for the entire transmission - which is presumably the 25mS pulse I see).

CHATgpt says said:
In OOK mode, the RFM01 directly outputs a digital signal that reflects the presence or absence of the carrier signal. This can be easily read and processed by a microcontroller, making the RFM01 suitable for simple ASK/OOK data reception without the need for extensive SPI-based data handling.

But it's been known to be wrong ;)
 
Hi,

I think it's probably correct on that. AFAIK the 2012 vintage "Maplin" WH1081s used OOK, although some earlier versions did use FSK, decoded within an(other) FSK chip and output via a SPI Bus. Although there is a close relationship between HopeRF and Fine Offset, the OOK stations didn't use an "RF module", but custom circuitry directly on the PCBs. The OOK nature of the signal appears to be confirmed in the linked article from post #19 :

"... the range of the RFM01 in OOK mode is noticeably better. ..... The VDI setting follows RSSI in the above example, because I’m not sure how relevant the other settings are to an OOK signal."

In principle, an OOK signal can be detected by the RSSI (i.e. AGC / Signal Strength) from a FM/FSK receiver (typically driving a comparator / threshold detector). Theoretically, a very narrow band (and highly stable) "OOK" receiver could extract just one of the shifted frequencies as an amplitude modulated signal, but in practice you almost certainly need a custom-designed FSK receiver. Swapping which of the FSK frequenecies you choose as a "1" is simply equivalent to Inverting an OOK output signal.

Cheers, Alan.
 
Last edited:
Perhaps then, I have to let the RFM01 receive the data as FSK bytes (ie Freq #1 =1, Freq #2 = 0) and then re-interpret them as PWM to get new actual bytes :unsure:

So that something like :-

"11 0 11 00 1""0 11 00 1 0 0 "
"Lh Sl Lh Ll Sh""Sl Lh Ll Sh Sl Sl "

where
Lh = "long HIGH"
Sl = "Short LOW"
Ll = "Long LOW"
Sh = "Short HIGH"

Visually :-

Screenshot 2024-11-07 014803.png

(Just a made up, incomplete example!)

Which is then reinterpreted as PWM data to give the final Byte string, using an as yet, unknown algorithm :unsure:

IYSWIM :eek:


Perhaps if I look closer at that "Watson W-8681", for which we have working Picaxe code using an RFM01, it will become clearer...
 
Hi,

I don't see why you are considering the On-Chip Buffer, because I thought you were attempting to AVOID Writing even a few configuration bytes via SPI, whilst the Buffer will need a large number of Bits or Bytes to be Read over the Bus. I've not read the data sheet(s) but doubt if the chip will be able to interpret "PWM" encoding. In principle what you want to do appears to be much the same as reading simple OOK Radio or even Infra Red Remote Control signals, which I believe you've done before.

Generally, any Radio signal (carrier) will have two parameters, the Frequency and Amplitude, where each might be used to carry either Data (Modulation) or as a "Reference". Amplitude Shift Keying (ASK or OOK) is basically a binary subset of (Analogue) Amplitude Modulation whilst the Frequency is nominally a constant Reference for the channel being received. Prior to modern, precise Crystal-Controlled Frequency Synthesiser receivers, the receiver Frequency could drift, so an Automatic Frequency Control (AFC) system might use a very low-pass filter to correct for this, but could be used instead to detect Frequency Modulation. Frequency Shift Keying is basically a Binary subset of Frequency Modulation, where the (transmitted) Amplitude will be constant, with the received Amplitude being either "Don't Care" or stabilised with an Automatic Gain Control system (cf. AFC).

Therefore, both FSK or ASK modulation systems will deliver just two output voltage levels, nominally named 0 and 1. But a "One Wire Bus" (which is basically what a Radio or IR RC channel is) needs some method for Synchronisation, typically a "Start" or "Framing" pattern, a "Stop" or other method of End detection, a "known" bit-length period and maybe a method of error-detection. "RS232" is perhaps the best known and used protocol, where the Data Line has an Idle Level (often "1") and the Start (pulse) is initiated by a change of Level. Then the Data Bits are polled at times of 1.5T , 2.5T up to 8.5T (or also 9.5 or 10.5T for Parity and/or Stop Bits) where T is the nominal Bit (or Baud) period. The Stop bit is actually at the Idle Level, so a subsequent byte can follow immediately (i.e. be concatonated), or after ANY arbitrary delay, if using an Asynchronous UART.

A problem with RS232 is that the timing accuracy must be better than about +/- 5%, which can be tricky with a simple R-C oscillator, but the main problem is that many Higher-Level Computer languages (of which PICaxe Basic is one) have little concept of the flow of time. Thus the predominace of Two-Wire (or more) Buses, such as I2C or SPI (3 or more wires, because Read , Write and Enable Lines are separate), so that the "Host" can specify when each bit-period is to Start and/or Stop. But for One-Wire systems we must adopt a protocol which is tolerant of large timing errors (or "unknowns"), for example Pulses or Gaps of ratio 2 : 1 or even greater.

The PULSIN command in PICaxe Basic is one of the few ways available to measure time intervals but it has several issues. Firstly it measures the interval between two pulse-edges, so it CANNOT measure the width of the subsequent (or prior) "Gap" or Idle period. Secondly, a potential problem is that it creates a WORD value which is not compatible with the often necessary @BPTR (INC) variable. If selecting one Byte from the Word, the LSB resolution is just over 1 microsecond (at 32 MHz clock) which may be unnecessarily short, but the MSB resolution is over 300 us, sometimes "too long" to accurately identify Short and Long Pulses or Gaps. Furthermore, the whole PULSIN command requires a Run-In period (where the Interpreter reads and decodes the instruction token and initialises the measurement), a measurement period which "counts" whilst the input signal is stable, and a Run-Out where the result is stored or reported. Thus the execution time may be significantly longer than the actual Pulse, and in the case of a Square Wave (i.e. 1 : 1 duty cycle) there may be little (or no) time to "close the loop" in preparation for the next Pulse.

Thus many RF/IR communication protocols (such as the Watson / Fine Offset, SIRC , NEC , etc.) vary either the "Pulse" or the "Gap" in the carrier waveform, but NOT both. However, the wavforms in posts #5 and #22 above show BOTH the Pulse and the Gap changing (as also happens with Manchester Coding and RC5, etc.) so you CANNOT use the PULSIN command. Thus I think the only solution is to Bit-Bang a fast and efficient Algorithm, which does at least obviate the need to "Post Process" a sequence of PULSIN results, and to detect when a "Data Packet" has ended. Sometimes the End Of Packet can be detected by simply counting the number of Bits or Bytes received, or by detecting a Long Idle Time, but this may fail if there are any "Interference" signals from other systems (using either a similar or totally different protocol).

I have been considering writing a "Hints and Tips to Faster Bit-Banging (for RF and IR Protocols)" in a suitable thread, but now is not an ideal time, so I'll just give a few Bullet Points here:

+ Never use Subroutines, nor "slow" instructions such as SWAP and PWMDUTY. These can sometimes be detected from the number of bytes they add into the program (so do a Syntax Check with the instruction active and commented out). Interrupts are risky unless the program is expecting them (for example executing a PAUSE), and the RETURN is slow.

+ The best flow control is the IF {pin , bit or variable } {Conditional expression} THEN GOTO label instruction, noting that the Fall-Through (i.e. Not True) path is faster than the GOTO path. Therefore, direct the GOTO into the "acceptably slower" path and/or take advantage of "jumping backwards" in the program, to help close any Loops (i.e. avoid the Unconditional GOTO whenever possible).

+ Sometimes using the BITn variables contained within b0 to b3 can save some time. Note that the ON {variable} GOTO (aka the BRANCH instruction) can use just a single label (for a bit or variable zero value) with both the Fall-Through and Jump paths slightly faster than the IF .... THEN .. construct.

+ PAUSEUS has rather a high overhead (almost 100 us at 32 MHz) so use with caution. PAUSE 0 is about twice as fast as PAUSEUS 0 , if you need some padding. PAUSEUS and PULSOUT actually have exactly the same execution times, so PULSOUT can be useful for test markers during development or debugging.

+ Use @BPTRINC in place of @BPTR when possible because the execution times are identical (but beware there are some bugs in the more complex constructs, e.g. using POKE/PEEKSFR). Also, WORD execution times are exactly the same as for BYTES, so when handling serial bits a Word variable may reduce the number of necessary operations.

+ If a Program Loop takes too long, then partial Linear Coding may help. Recently, I went rather Off Topic in post #33 of This Thread discussing my "Butterfly" Program Structure for faster Bit-Banging.

Cheers, Alan.
 
Last edited:
I don't see why you are considering the On-Chip Buffer, because I thought you were attempting to AVOID Writing even a few configuration bytes via SPI, whilst the Buffer will need a large number of Bits or Bytes to be Read over the Bus.

Just because I've not yet figured out, what (if anything) appears at the Dout pin in FSK mode. The presence of a FIFO buffer might make decoding easier. I'm not averse to using SPI mode, but won't if I don't need to.
 
Hi,
Maybe you're looking at 4FSK and trying to make sense of it as if it were 2FSK. I didn't know what FSK is so I looked it up and came across THIS page.
 
No, it's definitely 2FSK. I've been using an RTL-SDR TV dongle and software such as SDR# and RTL_433 to view the received signal - there are definitely only two frequencies present.

Of course, most of the time, there are NO frequencies present ... so the DOUT pin must be used in conjunction with some other signal (clock?), because effectively, there are three states (Freq #1 = "1", Freq #2 = "0" and no signal).

I'll get there :-) I'm just waiting for the other module to arrive and some PCBs, so I can plug them into a breadboard.
 
Hi,

Yes I agree it's 2FSK; the frequencies of +8.6 kHz and -58.5 kHz in post #5 look a little odd, but the "Centre Frequency" is probably about 25 kHz off, perhaps because (one of) the Frequency Synthesiser(s) doesn't have sufficient Divider Resolution. The "No Signal" condition is probably detectable on a/the RSSI (signal strength) output pin.

Looking at the waveform in #5, there appear to be approximately 125 "timeslots" of 200 us each, in just over 25 ms. Mainly "Pulses" AND "Gaps", of both 1 or 2 timeslots (i.e. 200 us or 400 us), but with a "synchronisation" pulse near the start, consisting a 600 us Gap and 800 us Pulse. It would be useful to have (at least) one more example burst to see which regions might be fixed and which variable data. Almost certainly the first eight "1"s are a fixed Run-In / AGC, but I wonder if the first wide pulse ever changes? The main issue is decoding the sequence after the (probably) 800 us start pulse, because both the Pulses AND the Gaps are Width-Modulated. It might be a Manchester Coded sequence, but I'm not sure it fits.

Repeated timing intervals of (potentially) only 200 us are getting very close to (or beyond) the PICaxe's limit, even at 32 MHz with an 08M2 (which is marginally the fastest of the M2s because it has less "hardware" to control). Probably an X2 at 64 MHz is faster, but not as much as double because I believe it uses 5-bit rather than 4-bit Tokens. I think it would be an interesting challenge (for me) to try to decode that sequence in Real Time. ;) I'm not sure which strategy I'd use: One could either just poll (and store) the 0/1 value for the about 100 timeslots and then Post-Process the data into Wide and Narrow Pulses and Gaps. The problem might be keeping the edges "In Sync" as the reception progresses. Alternatively, a Real-Time algorithm might continuously search for "Edges" and store the width (i.e. delay from the previous Edge) as either a 0 or 1 (i.e. Short or Long), once it is past the "super-wide" Sync pulse.

To add a little to my Tips above, I usually do my timing estimations with a 4 MHz clock (where each "Base PIC Instruction Cycle" takes 1 us) and multiply up the "required or available execution time" by the relative clock frequency. Thus the equivalent target execution time to detect those minimum-width Pulses or Gaps at 32 MHz is around 1600 PIC Instruction cycles or 1.6 ms. This does look very tight because for example, an IF ... THEN fall-through (i.e. False Condition) takes about 800 ICs, an IF ... GOTO (i.e. True Condition) takes 1200 ICs and a PAUSEUS 1 (or similar PULSOUT) takes about 700 ICs. The ON bitn GOTO might save around 100 ICs when appropriate. However, we can pre-fill the output data field with zeros (i.e. narrow pulses or gaps) and have the duration of the "wider" period to over-write a "1" when appropriate. The 08M2 perhaps doesn't have enough RAM to write/store every BIT with an @BPTRINC , but I did devise a trick where EITHER an @BPTR was shifted Left by one bit OR an @BPTRINC (pointer address change) was executed when the byte was becoming full. I'll think a little more about this, but no promises (and not a great deal of confidence).

Radiosparks: Program memory space is much less of an issue with the more recent PICaxe chips, but feel free to reproduce some of my Tips and Tricks if you find them useful. There is more information and my measurement method of Instruction Execution Times in my Code Snippet Thread.

Cheers, Alan.
 
Last edited:
Yes I agree it's 2FSK; the frequencies of +8.6 kHz and -58.5 kHz in post #5 look a little odd, but the "Centre Frequency" is probably about 25 kHz off, perhaps because (one of) the Frequency Synthesiser(s) doesn't have sufficient Divider Resolution. The "No Signal" condition is probably detectable on a/the RSSI (signal strength) output pin.

I don't trust those earlier reported frequency deviations either. Looking at the visual 'Waterfall Display' in SDR#, they look more like ±30KHz, but I'll refine that later. Good idea on the RSSI pin.

Looking at the waveform in #5, there appear to be approximately 125 "timeslots" of 200 us each, in just over 25 ms. Mainly "Pulses" AND "Gaps", of both 1 or 2 timeslots (i.e. 200 us or 400 us), but with a "synchronisation" pulse near the start, consisting a 600 us Gap and 800 us Pulse. It would be useful to have (at least) one more example burst to see which regions might be fixed and which variable data. Almost certainly the first eight "1"s are a fixed Run-In / AGC, but I wonder if the first wide pulse ever changes? The main issue is decoding the sequence after the (probably) 800 us start pulse, because both the Pulses AND the Gaps are Width-Modulated. It might be a Manchester Coded sequence, but I'm not sure it fits.

It may even be, that the data is not actually PWM encoded at all - after all, looking at RS232 data might give a similar first impression...

Also, I've yet to figure out, how the transmitter end is sending this data. Is it doing the opposite of what I'm contemplating for the receiver (and periodically checking with the MCU, that the data it is presenting on the "Din" pin is valid)? I expected that the data would be 'clocked in' and then a "Go" signal sent. After all, there are parameters for setting "Data Rate. "

Datasheet for the RFM02 transmitter here ;) .

I have some more signal analyses :-

The one I presented earlier, was done quite a while ago and was analysed on a cheap dongle, using a fairly old version of the software. Since then, I managed to lose the Fob that created the signal and had to buy a replacement. On the Hyundai, at least, adding a new Fob means removing any existing ones and starting again. This re-paired everything and meant that a different 125KHz LFMC signal was needed to 'excite them' and the data they sent back changed. The signal structure has changed a little as well, but I'm not sure if that is an artefact created by the new dongle.

3 Signals.png

Top signal is the original - also available HERE in more detail

Lower two traces are from my existing, working Fobs. Available here and here.

I don't know what's happened to that leading 800µS pulse, but it now has almost joined itself to the previous one. The gap between the two is too small to measure.
 
Last edited:
Hi,

At least the new waveforms still have an "AGC" string and an 800 us Start/Framing pulse. For more clarity, I would perhaps copy the waveforms at an accurately consistent scale onto transparent "foils" so that one could overlay them, to see the exact differences and correlations. However, it looks to me that the data packet has a constant length, with exactly equal High and Low Times and with never more than two consecutive Highs or Lows. Thus it can't be RS232 which could have runs of up to 9 High or Low timeslots and there would be some repeated High and Low bits (i.e. Start and Stop) every tenth or eleventh timeslot. The identical Duration and High and Low times also may discount a "PWM" coding, although some schemes transmit both the Data and its Complement, which effectively balance themselves out.

But I'm coming to think that the data could be Manchester-Coded, which uses one High and one Low level (i.e. two timeslots) for each bit. On that assumption, there appear to be "always" 52 data bits (i.e. 104 timeslots) or 6.5 bytes after the Framing, which is at least plausible. Note that the number of (0/1) digits that the Web "analyser" is inserting are not as many as 52, but only about 37 - 40. There are other "Lookup Table" based coding schemes, for example converting groups of 4 bits to 6 bit patterns (to increase the number of transistions). But I don't think that these entirely meet the maximum 2-timeslot "runs" and exactly equal High and Low levels criterea.

Having looked in more detail at my estimated PICaxe instruction execution times, I'm fairy sure that it's not possible to write an on-the-fly decoding algorithm for these complex waveforms. If the fob transmitted exactly the same data at least twice consecutively, then one possibility would be to measure and store (PULSIN ... @BPTRINC) all the High Pulse lengths on a first pass, repeat for all the Low Pulses (Gaps), and then Post-process the data to merge (interleave) the two streams.

However, I think a better possible scheme is to simply sample and store the complete waveform like a Logic Analyser or Sampling 'Scope. Since the sampling (polling) would be asynchronous, ideally at least two samples are required for each timeslot, thus around 200 samples. No time for a closed loop, so the algorithm probably would be a list of around 200 consecutive instructions, but that should still leave around half of the Program Memory free. A lttle tedious to write, but mainly just a multiple block Copy and Paste. Most M2s have sufficient RAM to use each byte to store just a single sample-bit, but it might be possible to incorporate a (Left) Shift (plus a carry in from the data input pin) for the 08M2. If there is insufficient time to store a minimum of two samples per timeslot, then it may be possible for the program to maintain a "sampling offset" value, calcuated from the known number of samples taken during the total sampling period (i.e the change in BPTR value). The offset value then might be refined (updated) from the number of samples actually encountered within each detected High or Low period (i.e. 1 or 2 two samples expected for a single timeslot and 2 or 3 for a double timeslot).

But it's probably best to first try to analyse the data format from some more SDR or Sigrok (Logic Analyser) measurements.

Cheers, Alan.
 
But it's probably best to first try to analyse the data format from some more SDR or Sigrok (Logic Analyser) measurements.
Hi,

The (Open Source) SIGROK PC Program contains an enormous number of Code Analysers (I2C, IR-NEC, RS232, etc., etc. and even CC1101 and RFM12) . However, Manchester is not listed, but https://www.sigrok.org/wiki/Protocol_decoder:Ook_vis says :

" Using the OOK decoder with this one allows you to try NRZ, Manchester and Differential Manchester "

Personally, I use the Pulseview + Sigrok + Zadig package with the ubiquitous "24 MHz , 8-channel Logic Analysers" (Originally a Saleae rip-off) which can now cost around £11**, but Sigrok has interfaces to many Digital 'Scopes and Logic Analysers, and a number of Import (file) options.

**ADDED: Or about £5 from Ali-Express, some now with Type C USB connectors.
FWIW, on 1st November, I ordered a bundle of 6 items from different Ali-Express "shops", but under their "Choice" Umbrella, for just over £8 (+VAT) to reach their Free Shipping level (otherwise £2). The most expensive item (still less than £2) is a 434 MHz "Green" CC1101 Transceiver with attached coil Antenna and 0.1" pitch header pins (but in two rows, so still not ideal to test with a solderless breadboard). Mainly as a "makeweight"/stock, so don't expect any immediate results. Fully tracked from China to the door, "guaranteed" for delivery by 12th, but actually delivered on 8th, so just a week!

Cheers, Alan.
 
Last edited:
Personally, I use the Pulseview + Sigrok + Zadig package with the ubiquitous "24 MHz , 8-channel Logic Analysers" (Originally a Saleae rip-off) which can now cost around £11**, but Sigrok has interfaces to many Digital 'Scopes and Logic Analysers, and a number of Import (file) options.

I've tried Sigrok Pulseview previously (with my own Saleae clone), but wasn't convinced enough to move to it from Saleae's "Logic". However, I had another look and found it also supports my old Hantek 6022BE as a two channel analyser, so I'll definitely have a play with that.

I ordered a RFM02 transmitter from a UK eBay'er, to further my knowledge on all things FSK, but it's not here yet.

I probably don't need to proceed any further with the Fob transmissions - I was just viewing them as a source of repeatable FSK data ... but when all's said and done, what it's sending is a "secret password" - so I may never get to the bottom of what it actually means.

The next step is to venture outside and try and capture the car's 125KHz magnetic signal, that is used to 'excite' the TPMS sensors. Hopefully I can then reproduce that and start to get some data out of the spare TPMS sensor that I acquired for these experiments.

Of course, I could just email Schrader and/or Hyundai and they'll furnish me with all the technical details I require ;)
 
Hi,

Yes, I was originally very impressed with the "usability" of the original Saleae software and their User-Interface. But with Saleae's (not unreasonable) attempts to Protect their software (IPR) and with the passage of time, I now find Sigrok to be very acceptable, so "promote" that. However, when I select the CC1101 analyser, at least in Test/Demo mode, it totally crashes Pulseview. :(

No, I don't really have any ideas how one would crack a "security" key system like this. But I do find it fascinating to see the methods that are/were used to "break" Tesla's 36-bit "Ignition Key"/PKES in two seconds, and of course for the Enigma machine.

Cheers, Alan.
 
One key to breaking the Enigma encoding was that the "encoded" character could never be the "unencoded" character. "G" could be any other character but never "G". For those into breaking codes, that appears to have been a useful point from which to work backwards. Of course, the universal code "failure" of a tired or lazy user who did not set up the current day's key sequence (switches and/or jumpers) meant that the people doing the code breaking sometimes had two encoded versions of the same original data (the daily weather reports/forecasts were sent encoded).
And the Brits did build the first code-breaking "computer" - but it was somewhat larger than the biggest PICAXE ;-)
 
No, I don't really have any ideas how one would crack a "security" key system like this.

The Fob "stuff" comes from an experiment to prove that Hyundai's security sleep mechanism works (to prevent Relay Attacks).

Unfortunately, I proved that it doesn't :( - at least not reliably, so it turned from a breadboard experiment, into a finished project. Since a response (any response) from the Fob is bad news, that's all I needed to test for. The PKES system uses a pair of challenge-responses and the first one at least, is the same every time. They appear to be given a time-slot in which to respond, so there's no clash between Fobs. I've had no need to look at the second exchange, but you would hope it uses a Rolling Code...

My replacement (non-OEM) Fob has the accelerometer components missing, so has to live in a Faraday Pouch. In this case, my project has become a 'Faraday Pouch' tester, as well ;)

It would be quite neat to open the garage door using the PKES response from the Fob. I could probably cobble together something that tells the Fobs apart, without fully understanding what the code actually 'means'.
 
Last edited:
The "No Signal" condition is probably detectable on a/the RSSI (signal strength) output pin.

to which I replied ...

Good idea on the RSSI pin.

Unfortunately, after reading the datasheet more closely, I've concluded that there isn't an "RSSI" pin on the RFM01 module :(

(There is supposedly an analogue "ARSSI" pin(15), that is to be used in conjunction with a capacitor, but that is not brought to out to a physical pin anyway! )

So the mystery of decoding the three states of the "DATA" pin remains...

EDIT: The "VDI" signal looks like it can fulfil this function.

(I've got as far as making my RFM01 'breadboard-able' and connecting power. I have a 1MHz clock signal coming out of the CLK pin, so it does at least seem to be up and running.

Next step, I suppose, is to see if I can get anything out of "DATA" and "DCLK", in response to a signal (without configuring it) - which I doubt - in which case, I will be entering the "SPI" rabbit hole head-first :) )
 
Last edited:
Unfortunately, after reading the datasheet more closely, I've concluded that there isn't an "RSSI" pin on the RFM01 module :(
No, there isn't. However, RSSI is provided on the return from (dare I say it) SPI comms with the RFM01. You can see this in the SampleRSSI subroutine in the code I posted earlier.
 
“My replacement (non-OEM) Fob has the accelerometer components missing, so has to live in a Faraday Pouch”

Pardon my ignorance, what is a Faraday Pouch and how this relates to an accelerometer?
 
A Faraday Pouch looks something like this:-

s-l1600.webp


and its purpose is to block the UHF (315/433/868MHz) signal from the Fob. In Passive Keyless Entry Systems (PKES), the Fob responds to the presence of a (specific) modulated 125KHz Magnetic Field and responds via UHF. The Faraday Pouch is just a simple version of a Faraday Cage.

In order to prevent Relay Attacks - where the 125KHz signal is 'relayed' to a location close to where your Fob is stored - manufacturers have started adding 'time-out' mechanisms to their Fobs, whereby they stop responding to the incoming signal. In Hyundai's case, this is achieved using an accelerometer, to detect movement (of the Fob). So in theory, if you've got the accelerometer, you don't need the pouch and vice-versa.
 
Next step, I suppose, is to see if I can get anything out of "DATA" and "DCLK", in response to a signal (without configuring it) - which I doubt - in which case, I will be entering the "SPI" rabbit hole head-first :) )

Well I seem to be quite a way from understanding the HopeRF RFM01, given that it's presenting my FSK signal (post #5) as :-

SDS00010.png :cry:

I can see the overall data envelope (as I can on a simple "3 pin OOK" receiver), but the actual data is gibberish. Maybe I need to make some much bigger changes to the parameters I've tried.

Speaking of parameters...

It turns out that the HopeRF RFM01 uses the Si Labs SI4320 chip. At the very least, this means that a non-blurry datasheet is available :rolleyes:
(HopeRF seem to have created their datasheet by simply pasting "HopeRF" anywhere "Silicon Labs" appeared. Hence the reference to pins that don't exist and lots of other nonsense).
 
Back
Top