Now that the days are shorter and the nights darker, I have a bit more time to revisit some of the projects that I didn't really get traction on earlier in the year. One of those was looking to see if I could emulate the operation of an RF controller we have for our heated towel rails.

I've been unable to find any details about the frequency or protocols used, so it's a little bit of a shot in the dark :-)

Chip?

I've been unable to find much information about this controller beyond what it does and the information in the instruction manual relating to using it. To try and find out more I popped the cover and had a look at the board.

Image of the RF Controller main board

The chip I was interested in was the one attached to the aerial.

Image of RF chip

With the STMicroelectronics logo displayed I had a look at their website for which chip I was dealing with. My initial feeling was it could be a SPIRIT1 but I couldn't find any solid matches, so I asked on Twitter, where a few very helpful souls agreed and even provided me with the proof I wanted.

Frequency?

As it's a European manufacturer and the device has the CE label displayed I assumed that it would operate in either the 431MHz or 868MHz range. Given the move away from the lower range,

Assumption #1 - the frequency will be in the 868MHz range.

Firing up the RTL-SDR I started looking at the 868MHz range while pressing buttons on the remote. Sure enough, there was a spike near to 868.175MHz whenever a button was pressed.

Capture

The next step was to capture some data to evaluate. For this I turned to URH. As I have no clue about the structure of the transmission I decided to capture a series of button presses in a single pass hoping this would give me a lot of data to compare. The button I chose to use was Mode, which cycles between Eco, Comfort, P1 and P2 and Away mode.

It took me a while to refine the settings for gain and centering the frequency, but eventually I had a reasonable looking capture.

Assumption #2 - The encoding will be FSK although it was hard to find an obvious default setting for the chip.

URH interpretation screen showing the capture

The next step was to analyze the capture as I had intentionally used a high sample rate (1M). The Autodetect button worked well and gave 20 samples per symbol. With this applied, would the encoding produce sensible data when converted to hex?

URH interpretation screen showing Hex values following application of parameters

This looks promising...
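As an added example (not code from the original post or from URH), the Python below walks through the interpretation step described above: a 1M sample rate with 20 samples per symbol works out to 50,000 symbols per second, and each symbol's bit is recovered from the average phase step across its 20 IQ samples. The 25 kHz deviation, the frame bytes and the function names are assumptions made for illustration; the frame is constructed test data, not the controller's actual transmission.

```python
import cmath
import math

SAMPLE_RATE = 1_000_000     # capture sample rate used in the post (1M)
SAMPLES_PER_SYMBOL = 20     # URH autodetect result from the post
SYMBOL_RATE = SAMPLE_RATE // SAMPLES_PER_SYMBOL   # 50,000 symbols per second
DEVIATION_HZ = 25_000       # assumption: the post does not give the deviation

def hex_to_bits(hex_string):
    return [int(b) for byte in bytes.fromhex(hex_string) for b in f"{byte:08b}"]

def bits_to_hex(bits):
    text = "".join(str(b) for b in bits)
    usable = len(text) - len(text) % 4          # drop a trailing partial nibble
    return "".join(f"{int(text[i:i + 4], 2):x}" for i in range(0, usable, 4))

def modulate(bits, tuning_error_hz=0.0):
    """Constructed 2-FSK IQ samples: 1 -> +deviation, 0 -> -deviation.
    tuning_error_hz simulates a capture that is not centred on the carrier."""
    phase, iq = 0.0, []
    for bit in bits:
        tone = (DEVIATION_HZ if bit else -DEVIATION_HZ) + tuning_error_hz
        for _ in range(SAMPLES_PER_SYMBOL):
            iq.append(cmath.exp(1j * phase))
            phase += 2 * math.pi * tone / SAMPLE_RATE
    return iq

def demodulate(iq):
    """Recover one bit per symbol from the mean sample-to-sample phase step."""
    # The phase step between neighbouring samples tracks instantaneous frequency.
    steps = [cmath.phase(b * a.conjugate()) for a, b in zip(iq, iq[1:])]
    means = []
    for start in range(0, len(steps), SAMPLES_PER_SYMBOL):
        chunk = steps[start:start + SAMPLES_PER_SYMBOL]
        if len(chunk) >= SAMPLES_PER_SYMBOL // 2:   # ignore a short trailing fragment
            means.append(sum(chunk) / len(chunk))
    # Slice around the midpoint of the two tones rather than zero, so a
    # mistuned capture (both tones on one side of centre) still decodes.
    centre = (min(means) + max(means)) / 2
    return [1 if m > centre else 0 for m in means]

def demo():
    frame = "aaaaaaaa2dd401a5"   # constructed bytes, not the device's real frame
    iq = modulate(hex_to_bits(frame), tuning_error_hz=40_000)
    return bits_to_hex(demodulate(iq))

if __name__ == "__main__":
    print(demo())
```

With a 40 kHz tuning error both tones sit above zero, so slicing on the sign of the frequency alone would return all ones; the midpoint threshold is what makes the centring of the capture less critical.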