Author Topic: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions  (Read 63558 times)


Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
As some people might be aware, I've been investigating the idea of using a Pretty Pink Pager as an alternative console to my wireless VP2.  It seems that there are at least a couple other people out there interested in the wireless side of things, so I thought I'd start a thread about this to help share the knowledge and pass ideas back and forth.  I'll be posting the hardcore details I work out in posts to my blog and post the odd summary here.

The first of these posts can be read at this link.  There, I show how the console sets its receiver chip up for receiving ISS data every 2.5 seconds.  It shows which of the chip registers are configured and what they are set to.  Between that and the datasheet, you can get a very clear idea of how it does what it does.  You can also read about an extremely tenuous link I uncovered between the Davis console firmware and an amateur satellite system.

There is still a lot of work to do of course, such as
  • how is the RF chip programmed out of reset?
  • what is the actual frequency hopping sequence that an alternate receiver could sync to?
  • is there anything on the data interface that doesn't show up in STRMON that might be important?
  • what are the compatible register settings for newer versions of the chip used by Davis, such as the CC1110 in the IM-ME?
  • does the console processor send anything on the data interface to the RF chip, or is it just receive?

Anyone who wants to dig in and lend a hand, please do.  Or just follow along and enjoy the show   :-)

Offline Bushman

  • Forecaster
  • *****
  • Posts: 7549
    • Eagle Bay Weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #1 on: February 22, 2011, 02:17:28 PM »
I noticed the sat guy was in the 400 MHz range.  Any issues translating that up to Davis' 902-928 DSS?
Also, I assume you have perused the docs over at the FCC for Davis's ISS.  The test lab reports are illuminating.
Need low cost IP monitoring?  http://wirelesstag.net/wta.aspx?link=NisJxz6FhUa4V67/cwCRWA or PM me for 50% off Wirelesstags!!

Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #2 on: February 22, 2011, 11:13:09 PM »
The key for my purposes is to sniff the writes that Davis is doing to the radio chip so I can be compatible.  The satellite application is very different but might have a few useful tidbits in it.  And I linked to the FCC docs for the Vue transmitter in my blog post.  Do you know of a link to the older VP2 ISS report?  I looked around a bit but couldn't find it.

Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #3 on: February 27, 2011, 01:59:09 PM »
Thought a few folks might be interested in my new development platform.   I believe the ISS transmissions are that bump on the left.  8-)


Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #4 on: March 20, 2011, 11:53:05 PM »
Finally got my logic analyzer and have done more sniffing on how the VP2 console processor configures the radio chip.  The work this weekend was figuring out the frequency hopping sequence.  I think I've got that sorted out now, at least for Transmitter ID 1.  More at this link if you are interested.  Still lots to do, but I'm having fun doing it.  Obligatory interesting picture:

Offline xykotik

  • DonkeyTailWX DW6891
  • Forecaster
  • *****
  • Posts: 696
  • I'll deal with it tomorrow
    • DonkeyTail Weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #5 on: March 21, 2011, 10:24:47 AM »
It is obvious what you are up to with that prototype, DeKay.  Just like "big tobacco" uses ad agencies to create cool cartoon camels to get young boys to start smoking, "big weather" is using you to turn our innocent pre-teen txt-princesses into gadget-geeks.  4000 members here can tell you what an expensively obsessive habit that can become.


Facit solem suum oriri super bonos et malos et pluit super iustos et iniustos.

Springtime in Seattle...  March comes in like a lion and out like a wet lion.

Offline SoMDWx

  • Forecaster
  • *****
  • Posts: 1014
    • Southern Maryland Weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #6 on: March 21, 2011, 11:23:15 AM »
Someone has way too much time on their hands....

Offline xykotik

  • DonkeyTailWX DW6891
  • Forecaster
  • *****
  • Posts: 696
  • I'll deal with it tomorrow
    • DonkeyTail Weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #7 on: March 22, 2011, 12:15:09 AM »
Someone has way too much time on their hands....

It's fun, and a great service to mankind!  Far from a waste of time, unless you consider these...

...Charles Darwin sketched a lot of finches...
...Ben Franklin liked to fly kites in storms...
...Isaac Newton did a lot of daydreaming under apple trees...
...Eratosthenes liked measuring shadows...
...Archimedes spent a lot of time in the bathtub...

If you like the fact that personal computers are cheap and abundant, you will appreciate the term "reverse engineering."  If you ever destroyed an alarm clock or radio as a kid just to figure out how it worked, then you understand "hacking."  For those who still don't get it I recommend this book.

I for one feel I have become a better person by witnessing both the making of sausages and laws.


Facit solem suum oriri super bonos et malos et pluit super iustos et iniustos.

Springtime in Seattle...  March comes in like a lion and out like a wet lion.

Offline SoMDWx

  • Forecaster
  • *****
  • Posts: 1014
    • Southern Maryland Weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #8 on: March 22, 2011, 07:52:21 AM »
It was meant to be taken as a joke... :roll:

Offline xykotik

  • DonkeyTailWX DW6891
  • Forecaster
  • *****
  • Posts: 696
  • I'll deal with it tomorrow
    • DonkeyTail Weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #9 on: March 22, 2011, 09:15:51 AM »
Of course.  Your post sounded like my wife.  Self-defense is a natural instinct.  My response was to that voice in my head, not you in particular.

It's hard to type in this canvas jacket.  They put it on backward and the sleeves are waaaay too long.


Facit solem suum oriri super bonos et malos et pluit super iustos et iniustos.

Springtime in Seattle...  March comes in like a lion and out like a wet lion.

Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #10 on: April 03, 2011, 03:10:22 PM »
The time I've had for weather station hacking has been somewhat limited lately.  I had to:
  • fix various problems with my MythTV PVR box
  • figure out why my satellite cable reception suddenly dropped to nothing
  • root my Barnes and Noble Nook Color eBook reader

With that now out of the way and My Lovely Wife now happily playing Angry Birds on the latter, I've finally been able to sniff how the Davis console configures the key register settings in its radio chip as it powers up.  This is key if I have any hope of building a compatible ISS receiver.

I now know that the number of known unknowns is small.  But, of course, we all know that it is the number of unknown unknowns that kill ya.  More here if you are interested.

Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #11 on: April 11, 2011, 11:37:31 PM »
So I spent a little time this weekend figuring out some real world numbers out of the register definitions the Vantage Console does as it comes out of reset.  Some things make perfect sense.  For example, the console receives data from the ISS at the same 19.2 kHz rate that the console's expansion port runs at.  Some things make less sense, like a frequency spacing that isn't as regular as once thought.  Regardless, there is that much more information now to support the build of a compatible receiver.  More here if you are interested.

Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #12 on: March 11, 2012, 01:35:01 PM »
I thought a few folks might be interested in my latest work in developing an alternative receiver to the Davis console.  I've been able to sniff the raw data stream that comes from the ISS and make sense out of it.  This screenshot shows that there is a lot more to it than just the seven data bytes you see from the STRMON output.  I'm just happy that I didn't fry my console again in the process.  More details in this blog post.


Offline dalecoy

  • Forecaster
  • *****
  • Posts: 6447
    • Lee's Summit, MO
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #13 on: March 11, 2012, 03:19:22 PM »
That's very nice work.  Looking forward to the next chapter.

Offline C5250

  • Forecaster
  • *****
  • Posts: 840
    • Local weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #14 on: March 11, 2012, 11:18:21 PM »
This screenshot shows that there is a lot more to it than just the seven data bytes you see from the STRMON output.

Take another look at the CC1021  datasheet, each transmission has a preamble of 0x55, 0x55, 0x55, 0xD3, 0x91. Each packet also has a CRC suffix.


Precious little in your life is yours by right and won without a fight.

Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #15 on: March 12, 2012, 10:33:52 PM »
This screenshot shows that there is a lot more to it than just the seven data bytes you see from the STRMON output.

Take another look at the CC1021  datasheet, each transmission has a preamble of 0x55, 0x55, 0x55, 0xD3, 0x91. Each packet also has a CRC suffix.

The datasheet is nowhere near that precise.  My blog post quotes the datasheet directly and demonstrates how vague it is.  The datasheet simply recommends a sync word that can be two to four bytes long but nothing in hardware enforces that.  It also states what can be achieved with a three byte preamble but nothing says it can't be longer or shorter (and my blog clearly shows a preamble four bytes long from the ISS).

Offline ajayabb

  • Member
  • *
  • Posts: 9
    • My Weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #16 on: March 13, 2012, 10:26:22 AM »
I often wonder why Davis didn't release the Echo receiver for the VP2 like they had for the VP1?

Offline C5250

  • Forecaster
  • *****
  • Posts: 840
    • Local weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #17 on: March 14, 2012, 10:22:23 PM »
The datasheet is nowhere near that precise.  My blog post quotes the datasheet directly and demonstrates how vague it is.  The datasheet simply recommends a sync word that can be two to four bytes long but nothing in hardware enforces that.  It also states what can be achieved with a three byte preamble but nothing says it can't be longer or shorter (and my blog clearly shows a preamble four bytes long from the ISS).

I thought that was in the datasheet... In any case, when a console retransmits, the preamble is 3 * 0x55 and then the sync word, followed by the data. Which reminds me of a bug in the retransmit code. A low battery in the transmitter being retransmitted, will be reported as a low battery in the transmitter retransmitting.
Precious little in your life is yours by right and won without a fight.

Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #18 on: April 08, 2012, 01:07:56 PM »
I can now receive data from the ISS.  More here in case you are interested.  Anybody want to help build an open source receiver?   \:D/


Offline Devonian

  • Member
  • *
  • Posts: 17
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #19 on: April 24, 2012, 05:26:02 PM »
Interesting project.
I've landed here as I've been Googlin' around, finding info on wireless weather stations and the interception and re-use of the data.
There are several snippets on various forums, using various different radio modules, mostly on 433MHz.

I've recently been playing with the HopeRF modules and a couple projects based around them using Arduino to get them to talk and listen, most recently, a Spectrum Analyser, based on RSSI within a frequency band.  All open source of course.
I'm no code writer, but can glue some bits to a PCB to get a project running.

I like the idea of a PC-less, online station using small, low power, embedded device.
http://wiki.meteohub.de/Introduction

Watching with interest...

Nigel.




Offline DeKay

  • Forecaster
  • *****
  • Posts: 399
    • Mad Scientist Labs
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #20 on: April 24, 2012, 11:38:33 PM »
Interesting project.

Thanks.

I've landed here as I've been Googlin' around, finding info on wireless weather stations and the interception and re-use of the data.
There are several snippets on various forums, using various different radio modules, mostly on 433MHz.

I've recently been playing with the HopeRF modules and a couple projects based around them using Arduino to get them to talk and listen, most recently, a Spectrum Analyser, based on RSSI within a frequency band.  All open source of course.
I'm no code writer, but can glue some bits to a PCB to get a project running.

If you're playing with HopeRF, I'd recommend a JeeNode from JeeLabs.  That gets you HopeRF built right onto an Arduino compatible board with lots of libraries of goodies.  And cheap too.  I've got a couple down in the basement but haven't played much with it yet.

I want to move from the IM-Me to an XRF module at some point because of the compatibility with the radio chip in the Davis ISS.  I have one of these XRF modules in the basement too.

I like the idea of a PC-less, online station using small, low power, embedded device.
http://wiki.meteohub.de/Introduction

Watching with interest...

Nigel.

And I like the idea of driving all this stuff with a Raspberry Pi.

An interesting project would be to try receiving ISS transmissions with a HopeRF module.  My skim of the datasheet shows it might be possible.  All you need to know is either posted on this forum somewhere or on my blog.  Give it a shot!

Unfortunately, my time to play around with this stuff really tails off in the summer months.  It won't be until the snow flies once again until I expect I can put significant amounts of time in to this again.

Offline Devonian

  • Member
  • *
  • Posts: 17
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #21 on: April 25, 2012, 03:14:30 AM »
I'm pretty much the same, time wise as during the summer, I fly radio control model aircraft.
A number of us are also using the HopeRF modules for R/C...
http://flytron.com/16-openlrs
and some are now making their own boards for the same thing + other ideas
http://arduino.cc/forum/index.php/topic,93777.0.html

I have my name down for a Raspberry-Pi, but it's a waiting game.

I've seen others beginning to consider using the HopeRF modules to intercept the signals from various WX transmitters and thought it might be an interesting project.
Once you know the WX Tx protocol, you're in with a chance.

I'll keep my eye on this and we'll see what develops...

Nigel.

Offline rdsman

  • Senior Contributor
  • ****
  • Posts: 249
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #22 on: September 30, 2012, 11:01:33 AM »
DeKay:

You have certainly put a lot of effort into this!  I had some spare time this weekend and I thought I would start helping out.  I have the Vantage Vue installed and fully operational.  My first thought was to peek inside the console just to see what is in there.  No luck - The keyboard overlay is glued so well to the main board, that I was afraid to pry it loose.  I'll just have to try another way.

Maybe I could just ask the console?  Let's try a few commands:

TEST<CR>
TEST

TST 1<CR>
OK

CHAN 0<CR>
OK

GETREG
OK
==============================================
IOCFG2(00) 2E           IOCFG1(01) 2E
IOCFG0(02) 2F           FIFOTHR(03) 42
SYNC1(04) CB            SYNC0(05) 89
PKTLEN(06) 0A           PKTCTRL1(07) 04
PKTCTRL0(08) 00        ADDR(09) 00
CHANNR(0A) 00          FSCTRL1(0B) 06
FSCTRL0(0C) 00          FREQ2(0D) 22
FREQ1(0E) B4             FREQ0(0F) B4
MDMCFG4(10) C9         MDMCFG3(11) 83
MDMCFG2(12) 12         MDMCFG1(13) 21
MDMCFG0(14) F9         DEVIATN(15) 24
MCSM2(16) 07             MCSM1(17) 00
MCSM0(18) 18             FOCCFG(19) 16
BSCFG(1A) 6C              AGCCTRL2(1B) 43
AGCCTRL1(1C) 40        AGCCTRL0(1D) 91
WOREVT1(1E) 87         WOREVT0(1F) 6B
WORCTRL(20) F8         FREND1(21) 56
FREND0(22) 10            FSCAL3(23) EF
FSCAL2(24) 2B            FSCAL1(25) 28
FSCAL0(26) 1F            RCCTRL1(27) 00
RCCTRL0(28) 00          FSTEST(29) 59
PTEST(2A) 7F              AGCTEST(2B) 3F
TEST2(2C) 88              TEST1(2D) 31
TEST0(2E) 0B              PARTNUM(30) 00
VERSION(31) 04          FREQEST(32) 00
LQI(33) FF                  RSSI(34) 80
MARCSTATE(35) 01        WORTIME1(36) 00
WORTIME0(37) 00         PKTSTATUS(38) 90
VCO_VC_DAC(39) F4       TXBYTES(3A) 00
RXBYTES(3B) 00          RCCTRL1_STATUS(3C) 00
RCCTRL0_STATUS(3D) 00   PATABLE(3E) C6

==============================================

I'm out of time for now, I'll continue this later!




Ray
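
One way to turn the GETREG dump in the post above into radio parameters, added here as an example and not part of the original post or of any Davis code. It assumes the register layout and formulas of the TI CC1101 datasheet (the register names match that family) and a 26 MHz reference crystal; neither is stated in the thread.

```python
import re

F_XOSC = 26_000_000  # ASSUMPTION: 26 MHz reference crystal (not stated in the thread)

# Subset of the GETREG output from the post above, copied as posted.
DUMP = """\
SYNC1(04) CB            SYNC0(05) 89
PKTLEN(06) 0A           PKTCTRL1(07) 04
PKTCTRL0(08) 00        ADDR(09) 00
FSCTRL0(0C) 00          FREQ2(0D) 22
FREQ1(0E) B4             FREQ0(0F) B4
MDMCFG4(10) C9         MDMCFG3(11) 83
MDMCFG2(12) 12         MDMCFG1(13) 21
MDMCFG0(14) F9         DEVIATN(15) 24
"""

# MOD_FORMAT field values per the CC1101 datasheet (ASSUMPTION: chip family)
MOD_FORMATS = {0: "2-FSK", 1: "GFSK", 3: "ASK/OOK", 4: "4-FSK", 7: "MSK"}


def parse_dump(text):
    """Map register name -> byte value for each 'NAME(addr) VV' pair."""
    pairs = re.findall(r"(\w+)\([0-9A-F]{2}\)\s+([0-9A-F]{2})\b", text)
    return {name: int(value, 16) for name, value in pairs}


def bitrev8(byte):
    """Reverse the bit order of one byte."""
    return int(f"{byte:08b}"[::-1], 2)


def decode(regs):
    """Turn raw register bytes into radio parameters (CC1101 formulas)."""
    freq_word = regs["FREQ2"] << 16 | regs["FREQ1"] << 8 | regs["FREQ0"]
    m4, dev = regs["MDMCFG4"], regs["DEVIATN"]
    return {
        "carrier_hz": F_XOSC * freq_word / 2**16,
        "baud": (256 + regs["MDMCFG3"]) * 2 ** (m4 & 0x0F) * F_XOSC / 2**28,
        "rx_bw_hz": F_XOSC / (8 * (4 + (m4 >> 4 & 3)) * 2 ** (m4 >> 6)),
        "deviation_hz": F_XOSC / 2**17 * (8 + (dev & 7)) * 2 ** (dev >> 4 & 7),
        "modulation": MOD_FORMATS.get(regs["MDMCFG2"] >> 4 & 7, "reserved"),
        "sync_word": regs["SYNC1"] << 8 | regs["SYNC0"],
        "sync_bit_reversed": bitrev8(regs["SYNC1"]) << 8 | bitrev8(regs["SYNC0"]),
        "packet_len": regs["PKTLEN"],
        "crc_enabled": bool(regs["PKTCTRL0"] & 0x04),
    }


if __name__ == "__main__":
    for key, value in decode(parse_dump(DUMP)).items():
        print(f"{key:18} {value:#06x}" if key.startswith("sync") else f"{key:18} {value}")
```

Under those assumptions the dump decodes to a carrier near 902.35 MHz and about 19.2 kbaud GFSK with a fixed 10-byte packet and hardware CRC checking off. The sync word 0xCB89 is the bit-reversed form of the 0xD3, 0x91 bytes quoted in Reply #14.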

Offline chief-david

  • Educational Weather
  • Forecaster
  • *****
  • Posts: 2845
  • Space Academy for Educators
    • Benilde-St. Margaret's Weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #23 on: September 30, 2012, 11:04:57 AM »
Sometimes there are posts that just make me feel dumb   ](*,) ](*,)

-I know that is not your intent.

I have no clue what any of that means.



You can't phase me-I teach Middle School.
It's not you-It's WU.

Offline C5250

  • Forecaster
  • *****
  • Posts: 840
    • Local weather
Re: A Walk on the Wireless Side: Deciphering ISS to Console Transmissions
« Reply #24 on: September 30, 2012, 01:26:23 PM »
It's a dump of the radio registers. Already aware of it and they are playing with some risky commands to be using when one doesn't know what they do.

Precious little in your life is yours by right and won without a fight.