This post continues the tear down and reverse engineering of the Acurite 0077XW / 00592TX Wireless Remote Temperature Probe [Part 1] .
Knowing that the signals between the logic board and wireless module are standard 3.3 volt logic level signals with tens to hundreds of micro-second long pulses it is time to pick apart the bit stream and see if I can make heads or tails of the encoded data.
With the signal identified as a digital serial data stream the obvious tool to turn to is a logic analyzer, ideally one with protocol decoding built in.
I own multiple different logic analyzers but my goto analyzer for anything but the widest or fastest signals is the Saleae Logic. I own one of the older models but it works like a champ. Analyzing and picking apart digital signals is child’s play with the Saleae software.
I soldered extension wires to the Ground (G), Squelch (SH), and Data (D) lines to make connecting the analyzer easier.
After a bit of picking and probing, and a bit of web searching, I was able to pull apart the bit stream and protocol used by the temperature probes to communicate to the base station.
The SH pin turns out to be the SQUELCH signal from the logic board to the wireless module. When the squelch pin is low the radio module disables data output. I assume the logic board uses the squelch pin to limit the data transmitted from the wireless module between display updates. The base station logic board unsquelches the radio module on a regular periodic basis, reads the incoming temperature data, decodes the data, and updates the display.
The D pin is clearly the data from the temperature probe. The waveform is relative stable when the probe is at a constant temperature and changes when the temperature at the probe changes.
Reverse engineering the data protocol was the more difficult part of the whole effort. I captured multiple bit streams and some patterns were immediately obvious. There was random looking data followed by a consistent pattern followed by a series of wide and short pulses. Eventually I figured out the random pulses at the start of data must be for radio synchronization between the transmitter and receiver. None of the “random” data at the start of the bit stream was consistent between any runs and I ended up simply chopping it off and ignoring it in the data stream.
After the random bits there is a low pulse of varying length followed by 4 data sync pulses. The data sync pulses are 1.2 msec long, 50% duty cycle with 0.61 msec high and 0.61 msec low. Immediately after the 4 data sync pulses are 56 data bit pulses. Each data bit pulse is ~0.6 msec long. A logic high (1) bit is encoded as a 0.4 msec high pulse followed by a 0.2 msec low pulse. A logic low (0) bit is encoded as a 0.2 msec high followed by a 0.4 msec low.
The data stream transmitted by the 00592TX remote temperature probe to the base station is formatted as follows:
The probe first emits a seemingly random length string of random width hi/lo pulses, most like to provide radio (RF) synchronization.
A random length low signal is inserted between the RF synchronization bits and the data sync pulses.
The probe then sends 4 data sync pulses of approximately 50% duty cycle and 1.2 ms period. The sync pulses start with a high level and continue for 4 high / low pulses.
The data bits immediately follow the fourth low of the data sync pulses. Data bits are sent every ~0.61 msec as:
Logic High (1) bit is encoded as ~0.4 msec high pulse followed by ~0.2 msec low
Logic Low (0) bit is encoded as ~0.2 msec high followed by ~0.4 msec low
The 00592TX sends the 4 sync pulses followed by 7 bytes of data equaling data 56 data bits.
Four (4) high and low pulses in a row, 0.61 msec high, 0.61 msec low, constitute a data sync.
The remaining 56 bits of data, or 112 edges, are measured and converted to 1s and 0s by checking the high to low pulse times.
The first and second bytes of the data are the unique probe address. The upper two bits of the first byte are the probe channel indicator:
11 = channel A 10 = channel B 00 = channel C
The remaining 6 bits of the first byte and the 8 bits of the second byte are a unique identifier per probe.
The next two bytes are always 0x44 followed by 0x90, for all of the probes I tested (a sample of 6 probes).
The next two bytes are the temperature value. The temperature is encoded as the lower 7 bits of both bytes with the most significant bit being an even parity bit. The MSB will be set if required to insure an even number of bits are set to 1 in the byte. If the least significant seven bits have an even number of 1 bits set the MSB will be 0, otherwise the MSB will be set to 1 to insure an even number of bits.
The last byte is a simple running sum, modulo 256, of the previous 6 data bytes.
The sync pulses are high for 0.62 ms and then low for 0.62 ms.
Four sync pulses in a row constitute a sync condition.
A logic 1 bit is 0.4 msec high pulse followed by a 0.2 msec low.
A logic 0 bit is a 0.2 msec high pulse followed by a 0.4 msec low.
A sync pulse plus data stream looks like this.
In part 3 of the series I will go through capturing the data stream with an Arduino and decoding the captured bits.
[…] These wireless temperature sensors are exactly what you would expect for a cheap piece of Chinese electronics found in the clearance bin at Walmart. There’s a small radio operating at 433MHz, a temperature sensor, and a microcontroller under a blob of epoxy. The microcontroller and transmitter board in the temperature sensor were only attached by a ribbon cable, and each of the lines were labeled. After finding power and ground, [bhunting] took a scope to the wires that provided the data to the radio and took a look at it with a logic analyzer. […]