Project showcase
Arduino KNX RF packet sniffer

Arduino KNX RF packet sniffer © GPL3+

You can sniff an KNX RF network by an CC1101 radio transceiver. I sniffed my Siemens Synco Living Home automation system

  • 6,375 views
  • 11 comments
  • 10 respects

Components and supplies

About this project

I have a Siemens Synco Living home automation system. It use KNX RF communication. I want to check all rooms temperature and i want to display it together on an LCD screen.


So how its work?

1. Configure the radio chip

I read many, many, many documentation for find the right configuration values. 

Texas Instruments has a nice doc and software for setup the radio.

I downloaded and istalled Smart RF Studio from TI and set up the radio. You not need it, because i write the right parameters here.

I found a panstamp library for Arduino what is handle the cc1101 chip but i made some modification, example the chip conf for KNX-RF.

You will find the right parameters for KNX RF communication in the panstamp library cc1101.cpp

2. Download and install the libraries

You can find CRC and PANSTAMP lib on software tab. Use it.

I attached my SPI lib too if you like check it.

Dont forget, SPI lib has another path: 

"c:\Program Files (x86)\Arduino\hardware\arduino\avr\libraries\SPI"

3. Run the code

You can find the source code for KNX sniffing on the software tab. 

It has my own manchester decoding and has crc check.


So....


Good luck guys!


Code

Modified panstamp libraryArduino
You need to use this lib for the KNX RF communication.
You find the radio configuration in this files
No preview (download only).
The main codeArduino
You can run this code for sniff KNX RF packages
#include "EEPROM.h"
#include "cc1101.h"
#include <Wire.h> 
#include <Crc16.h>

// The connection to the hardware chip CC1101 the RF Chip
CC1101 cc1101;


// a flag that a wireless packet has been received 
boolean packetAvailable = false;         
boolean crcerror = false;         
int i;
int packetcounter=0;
int packeterrorcounter=0;
byte * buffer;
int mdec;
boolean flushed=false;
byte mrcsat;  //main radio control state
byte rxbytes;
byte ecounter=0;
CCPACKET packet;
Crc16 crc; 
unsigned short crcvalue;
byte data[120];
unsigned long timer=0;
unsigned long lcdtimer=0;

void setup()
{
  SPCR &= ~_BV(SPE);  //SPI switch off
  Serial.begin(115200);
  Serial.println("start");
  
  // initialize the RF Chip
  cc1101.init();
  delay(1000);
  Serial.println("device initialized");

  Serial.println("setup done");


  //chech the configuration values writed to the radio chip. I read the radio chip out
  //if you read zero or default values the configuration is not well, check the wiring 
  for(i=0 ; i<20 ; i++) {
     Serial.print(i, HEX);
     Serial.print(":");
     Serial.print(cc1101.readReg(i, CC1101_CONFIG_REGISTER), HEX);
     Serial.print(" ");
  }

   
  Serial.println("Go...");
  cc1101.flushRxFifo();
  delay(500);
  //set radio chip to listen mode 
  cc1101.setRxState(); 
  delay(500);
  
  //and waiting for any packet
  attachInterrupt(0, cc1101signalsInterrupt, RISING);
  
}

/**
* The loop method gets called on and on after the start of the system.
*/

void readr () {
    packet.ecode=0;
    packetAvailable=false;

    byte tot=0;
    byte len;
    byte chk;
    byte chk2;
    byte pckidx=0;
    unsigned long last=0;
    do {
      last++;
      cc1101.receiveData(&packet,tot);
      
      if (packet.length>0) {
        if (tot==0) {
            //calc and set pack length
            len=cc1101.mandecode(packet.data[0]*256+packet.data[1]);
            chk=cc1101.mandecode(packet.data[2]*256+packet.data[3]);
            chk2=cc1101.mandecode(packet.data[4]*256+packet.data[5]);
            len=14+((len-9)%16)+(((len-9)/16)*18);
            len=len*2;
            if (len>100) len=100;
            if ((chk==68)&&(chk2=255)) cc1101.writeReg(0x0006, len); //Package length
            else {
                cc1101.writeReg(0x0006, 16);
                len=packet.length;
                packet.ecode=1;
                packeterrorcounter++;
                cc1101.cmdStrobe(CC1101_SIDLE);
                cc1101.cmdStrobe(CC1101_SFRX);
            }

        }
   //     Serial.print("*");
        tot=tot+packet.length;
        for(int i=0 ; i<packet.length; i++) {
           if (i%2==1) {
               data[pckidx]=cc1101.mandecode(packet.data[i-1]*256+packet.data[i]);
//               Serial.print(data[pckidx],HEX);
//               Serial.print(";");
               pckidx++;
           }
        }
      }
      delayMicroseconds(1000);
    } while ((tot<len)&&(last<100)); 
    if (tot>0) {
    packetcounter++;
    if (packet.ecode!=0) ecounter++;
    else ecounter=0;
    crcerror=false;
    Serial.print(";CRC:");
    crcvalue = crc.fastCrc(data,0,10,false,false,0x13D65,0,0,0x8000,0)^0xFFFF;
    if (crcvalue!=data[10]*256+data[11]) {Serial.print("ERROR1");crcerror=true;}
    else {
           crcvalue = crc.fastCrc(data,12,min(pckidx-14,16),false,false,0x13D65,0,0,0x8000,0)^0xFFFF;
           if (crcvalue!=data[min(pckidx-2,28)]*256+data[min(pckidx-1,29)]) {Serial.print("ERROR2");crcerror=true;}
           else {
                  if (pckidx>32) {
                      crcvalue = crc.fastCrc(data,30,min(pckidx-32,16),false,false,0x13D65,0,0,0x8000,0)^0xFFFF;
                      if (crcvalue!=data[pckidx-2]*256+data[pckidx-1]) {Serial.print("ERROR3");crcerror=true;}
                      else Serial.print("OK3");
                  } 
                  else Serial.print("OK2");
                }
         }
//    if (crcerror==false)
    {
        for(int i=0 ; i<pckidx; i++) {
               if ((i==10)||(i==11)) {;}
               else if ((i==28)||(i==29)) {;}
               else if ((i==pckidx-1)||(i==pckidx-2)) {;}
               else { 
                 Serial.print(";");
//                 if (data[i]<10) Serial.print("  ");
//                 else if (data[i]<100) Serial.print(" ");
                 Serial.print(data[i]);
               }
        }
        Serial.println(";");
    }
    if (crcerror==true) 
    {
       packeterrorcounter++;
       Serial.print("Total:");
       Serial.print(tot);
       Serial.print(";Error:");
       Serial.print(packet.ecode);
       Serial.print(";RXCount:");
       Serial.print(packet.rxcount);
       Serial.print(";Overflow:");
       Serial.print(packet.overflow);
       Serial.print(";MRCS:");
       mrcsat=cc1101.readReg(CC1101_MARCSTATE,CC1101_STATUS_REGISTER);    
       Serial.print(mrcsat);
       Serial.println(";");
    }
    if (ecounter==3) {
        Serial.println("***RESET***");
        cc1101.reset();
        delay(500);
        ecounter=0;
    } 
    cc1101.setRxState();
    cc1101.writeReg(0x0006, 100);
    }
}

void cc1101signalsInterrupt(void){
  //if it has some received byte in the fifo and reach the defined count the the chip send an interrupt to the arduino
  packetAvailable=true;
}


void loop() {
  //this is an unlimited loop
  if (packetAvailable) {
     timer=0;
     //if received some bytes i call my own read out procedure
     readr();
  } else {
     timer++;
     if (timer%100000==0) {
        //sometimes i check the chip, maybe it freezed, and sometimes need to reboot
        timer=0;

        mrcsat=cc1101.readReg(CC1101_MARCSTATE,CC1101_STATUS_REGISTER); 
  
        cc1101.cmdStrobe(CC1101_SIDLE);
        cc1101.cmdStrobe(CC1101_SFRX);
        cc1101.cmdStrobe(CC1101_SRX);
        
                
      
     }
  }


  
}
My SPI libArduino
I dont remember, maybe has some modification in my SPI lib...
You can read it if something not working, or if you use another chip, like MEGA
No preview (download only).
CRC check libraryArduino
I used an CRC library. Thank you.
No preview (download only).

Schematics

Wiring diagram
Knxrf wiringcirc

Comments

Similar projects you might like

Low Power RF Beacon for Remote Sensing & Communication

Project tutorial by Shahariar

  • 1,887 views
  • 0 comments
  • 16 respects

Weather Station v1.3 with RF Transmission

Project showcase by derapados

  • 5,326 views
  • 1 comment
  • 22 respects

Nano IR Remote for DC Motors

Project showcase by Boaz Lawnce

  • 1,522 views
  • 2 comments
  • 4 respects

Beehive Monitoring and Tracking

Project in progress by sgoutteb

  • 2,588 views
  • 5 comments
  • 21 respects

Reef Controller

Project showcase by Shawn Leclair

  • 13,538 views
  • 0 comments
  • 19 respects

IoT for coins

Project tutorial by Erik Moran

  • 8,373 views
  • 1 comment
  • 42 respects
Add projectSign up / Login