So a while back, I purchased this driveway sensor kit from Amazon. After a while, I got tired of the beeps nor could you really tell WHICH sensor was going off; however, each sensor has a different channel. Being the techy I am, I wanted to dig further and figure out if I could intercept the sensor signal, and have it send me text messages when the sensor was triggered.
Since these devices operate over the 433mhz band, I figured it would be easy. So I fired up rtl_433 and started listening, but never saw the signal. So got out the flipper zero and tried to capture what frequency it was on. I should mention this was my first mistake. The flipper zero was TERRIBLE about guessing the correct frequency. So this only lead down a tangent until a friend told me to lookup the FCC-ID. There are sites like fccid.io that allow you take the FCCID on the device and look up what frequency the device was operating on. So I did and found it was on 433.98mhz. Once I knew this, I fired up rtl_433 again, only to find I didn't see anything.... So I began to RTFM...
By default, rtl_433 only captures and decodes known or registered protocols. Since this device isn't exactly popular, you have to have rtl_433 analyze all signals broadcasted on that frequency. So you use something like the following command:
# rtl_433 -f 433.98M -A
rtl_433 version 21.12 (2021-12-14) inputs file rtl_tcp RTL-SDR SoapySDR
Use -h for usage help and see https://triq.org/ for documentation.
Trying conf file at "rtl_433.conf"...
Trying conf file at "/root/.config/rtl_433/rtl_433.conf"...
Trying conf file at "/usr/local/etc/rtl_433/rtl_433.conf"...
Trying conf file at "/etc/rtl_433/rtl_433.conf"...
Registered 176 out of 207 device decoding protocols [ 1-4 8 11-12 15-17 19-23 25-26 29-36 38-60 63 67-71 73-100 102-105 108-116 119 121 124-128 130-149 151-161 163-168 170-175 177-197 199 201-207 ]
Detached kernel driver
Found Rafael Micro R820T tuner
Exact sample rate is: 250000.000414 Hz
[R82XX] PLL not locked!
Sample rate set to 250000 S/s.
Tuner gain set to Auto.
Tuned to 433.980MHz.
Allocating 15 zero-copy buffers
baseband_demod_FM: low pass filter for 250000 Hz at cutoff 25000 Hz, 40.0 us
Detected FSK package 2023-11-18 14:58:56
Analyzing pulses...
Total count: 302, width: 631.46 ms (157864 S)
Pulse width distribution:
[ 0] count: 1, width: 0 us [0;0] ( 0 S)
[ 1] count: 132, width: 1284 us [1276;1292] ( 321 S)
[ 2] count: 168, width: 420 us [420;432] ( 105 S)
[ 3] count: 1, width: 60 us [60;60] ( 15 S)
Gap width distribution:
[ 0] count: 1, width: 4656 us [4656;4656] (1164 S)
[ 1] count: 132, width: 424 us [420;432] ( 106 S)
[ 2] count: 156, width: 1284 us [1280;1292] ( 321 S)
[ 3] count: 12, width: 10764 us [10716;11208] (2691 S)
Pulse period distribution:
[ 0] count: 1, width: 4656 us [4656;4656] (1164 S)
[ 1] count: 288, width: 1708 us [1700;1716] ( 427 S)
[ 2] count: 12, width: 11188 us [11140;11632] (2797 S)
Pulse timing distribution:
[ 0] count: 1, width: 0 us [0;0] ( 0 S)
[ 1] count: 288, width: 1284 us [1276;1292] ( 321 S)
[ 2] count: 300, width: 424 us [420;432] ( 106 S)
[ 3] count: 1, width: 60 us [60;60] ( 15 S)
[ 4] count: 1, width: 4656 us [4656;4656] (1164 S)
[ 5] count: 12, width: 10764 us [10716;11208] (2691 S)
[ 6] count: 1, width: 0 us [0;0] ( 0 S)
Level estimates [high, low]: 15965, 527
RSSI: -0.1 dB SNR: 14.8 dB Noise: -14.9 dB
Frequency offsets [F1, F2]: -3586, -15965 (-13.7 kHz, -60.9 kHz)
Guessing modulation: Pulse Width Modulation with sync/delimiter
view at https://triq.org/pdv/#AAB02A07010000050401A8003C12302A0C00008492A1A19292A192A1A1A19292A19292A1A1A192A1A1A19292A555+AAB029070B0000050401A8003C12302A0C000092A1A19292A192A1A1A19292A19292A1A1A192A1A1A19292A555+AAB01107010000050401A8003C12302A0C0000B055
Attempting demodulation... short_width: 420, long_width: 1284, reset_limit: 11212, sync_width: 60
Use a flex decoder with -X 'n=name,m=FSK_PWM,s=420,l=1284,r=11212,g=0,t=0,y=60'
pulse_demod_pwm(): Analyzer Device
bitbuffer:: Number of rows: 2
[00] {300} 65 c9 dc b2 e4 ee 59 72 77 2c b9 3b 96 5c 9d cb 2e 4e e5 97 27 72 cb 93 b9 65 c9 dc b2 e4 ee 59 72 77 2c b9 3b 90
[01] { 0}
In the output above, you'll see something like, "Use a flex decoder..." Once you have that, issue the following command to decode the popular FSK protocol.
# rtl_433 -f 433.98M -X 'n=name,m=FSK_PWM,s=420,l=1284,r=11212,g=0,t=0,y=60'
rtl_433 version 21.12 (2021-12-14) inputs file rtl_tcp RTL-SDR SoapySDR
Use -h for usage help and see https://triq.org/ for documentation.
Trying conf file at "rtl_433.conf"...
Trying conf file at "/root/.config/rtl_433/rtl_433.conf"...
Trying conf file at "/usr/local/etc/rtl_433/rtl_433.conf"...
Trying conf file at "/etc/rtl_433/rtl_433.conf"...
Registered 177 out of 207 device decoding protocols [ 1-4 8 11-12 15-17 19-23 25-26 29-36 38-60 63 67-71 73-100 102-105 108-116 119 121 124-128 130-149 151-161 163-168 170-175 177-197 199 201-207 ]
Detached kernel driver
Found Rafael Micro R820T tuner
Exact sample rate is: 250000.000414 Hz
[R82XX] PLL not locked!
Sample rate set to 250000 S/s.
Tuner gain set to Auto.
Tuned to 433.980MHz.
Allocating 15 zero-copy buffers
baseband_demod_FM: low pass filter for 250000 Hz at cutoff 25000 Hz, 40.0 us
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
time : 2023-11-18 15:00:54
model : name count : 2 num_rows : 2 rows :
len : 300 data : 65c9dcb2e4ee5972772cb93b965c9dcb2e4ee5972772cb93b965c9dcb2e4ee5972772cb93b9,
len : 0 data :
codes : {300}65c9dcb2e4ee5972772cb93b965c9dcb2e4ee5972772cb93b965c9dcb2e4ee5972772cb93b9, {0}
Now that the signal is decoded, we have to test each of the 4 "channels" to know what the code will be and we find the following:
# channel 1
65 C9 DE B2 E4 EF 59 72 77 AC B9 3B D6 5C 9D EB 2E 4E F5 97 27 7A CB 93 BD 65 C9 DE B2 E4 EF 59 72 77 AC B9 3B D0# channel 2
65 C9 DD B2 E4 EE D9 72 77 6C B9 3B B6 5C 9D DB 2E 4E ED 97 27 76 CB 93 BB 65 C9 DD B2 E4 EE D9 72 77 6C B9 3B B0# channel 3
65 C9 DC B2 E4 EE 59 72 77 2C B9 3B 96 5C 9D CB 2E 4E E5 97 27 72 CB 93 B9 65 C9 DC B2 E4 EE 59 72 77 2C B9 3B 90# channel 4
65 C9 DB B2 E4 ED D9 72 76 EC B9 3B 76 5C 9D BB 2E 4E DD 97 27 6E CB 93 B7 65 C9 DB B2 E4 ED D9 72 76 EC B9 3B 70
So now that we know the code for each channel, we can begin by writing a python syslog server to accept the logs and turn them into text messages. That command would look like this:
rtl_433 -f 433.98M -X 'n=name,m=FSK_PWM,s=420,l=1284,r=11220,g=0,t=0,y=56' -F syslog:127.0.0.1:5555
The basics of how to take in a syslog would look like this:
#!/usr/bin/env python
import logging
import socketserverLOG_FILE = 'syslog_test.log'
HOST, PORT = "0.0.0.0", 5555logging.basicConfig(level=logging.INFO, format='%(message)s', datefmt='', filename=LOG_FILE, filemode='a')
class SyslogUDPHandler(socketserver.BaseRequestHandler):
def handle(self):
data = bytes.decode(self.request[0].strip())
socket = self.request[1]
print( "%s : " % self.client_address[0], str(data))
logging.info(str(data))if __name__ == "__main__":
try:
server = socketserver.UDPServer((HOST,PORT), SyslogUDPHandler)
server.serve_forever(poll_interval=0.5)
except (IOError, SystemExit):
raise
except KeyboardInterrupt:
print ("Crtl+C Pressed. Shutting down.")
From here, you can use a basic gmail email account to send text messages to your phone by using the
A github repo may be released later once I have this more polished.