CRC?

The datasheet for the SPIRIT1 chip provides for 4 different CRC configurations.

  • 8 bit, polynomial 0x07
  • 16 bit, polynomial 0x8005
  • 16 bit, polynomial 0x1021
  • 24 bit, polynomial 0x864CFB

It specifies that all fields except the preamble and sync words are included, and that the initial value of the CRC register is all 1's. Armed with this I was sure I would find a CRC at the end of each transmission, but that doesn't appear to be the case. None of the configurations allows for a valid CRC check. Of course it could be my code...
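The check described above, written out as an added example (this is not the author's code or anything from the SPIRIT1 vendor). It implements the four datasheet CRC modes as a plain MSB-first shift register with an all-ones initial value and no output XOR, then asks, for each mode, whether the trailing bytes of a packet are the CRC of everything after the sync word. The mode names, the `scan_offsets` helper and the demo packet (the page's own preamble, sync and first 13 payload bytes of packet 00, with a CRC-16/0x1021 we append ourselves) are assumptions made for the example; the dumps on this page stop at byte 31, so a real check needs the complete packet.

```python
"""Brute-force check for a trailing CRC under the SPIRIT1 datasheet rules.

Added example, not the author's code.  The four (width, polynomial) pairs
are the ones the datasheet lists; the register is initialised to all 1s,
MSB-first, with no final XOR.  build_demo_packet() appends a CRC to a
constructed packet so the search has something to find; on a real capture
pass the complete packet (the dumps above stop at byte 31, so they are not
long enough on their own).
"""

# Mode names are ours; widths and polynomials are from the datasheet.
SPIRIT1_CRC_MODES = {
    "CRC-8/0x07": (8, 0x07),
    "CRC-16/0x8005": (16, 0x8005),
    "CRC-16/0x1021": (16, 0x1021),
    "CRC-24/0x864CFB": (24, 0x864CFB),
}


def crc_msb_first(data, width, poly, init=None):
    """Plain shift-register CRC: non-reflected, MSB first, no output XOR.
    init defaults to all 1s (the datasheet's initial value)."""
    mask = (1 << width) - 1
    top = 1 << (width - 1)
    crc = mask if init is None else init
    for byte in data:
        crc ^= byte << (width - 8)
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & top else (crc << 1)
            crc &= mask
    return crc


def find_crc(packet, payload_start):
    """Return [(mode, covered_len, crc)] for every mode under which the last
    width/8 bytes of packet equal the CRC of packet[payload_start:-width/8]."""
    hits = []
    for name, (width, poly) in SPIRIT1_CRC_MODES.items():
        n = width // 8
        if len(packet) - payload_start <= n:
            continue
        covered = packet[payload_start:len(packet) - n]
        trailer = int.from_bytes(packet[-n:], "big")
        if crc_msb_first(covered, width, poly) == trailer:
            hits.append((name, len(covered), trailer))
    return hits


def scan_offsets(packet, offsets=(0, 5, 9)):
    """Try several coverage assumptions: 0 = whole packet, 5 = sync included,
    9 = after the 5-byte preamble and 4-byte sync seen in these captures
    (the datasheet's rule).  Useful when the datasheet reading is in doubt."""
    return {off: find_crc(packet, off) for off in offsets}


# Constructed packet: the captured preamble/sync layout, the first 13 payload
# bytes of packet 00 from the dump above, and a CRC-16/0x1021 that we append.
PREAMBLE = bytes([0xAA] * 5)
SYNC = bytes.fromhex("5a475250")
PAYLOAD = bytes.fromhex("3dee1d92a347362ea9335aca7d")


def build_demo_packet():
    crc = crc_msb_first(PAYLOAD, 16, 0x1021)
    return PREAMBLE + SYNC + PAYLOAD + crc.to_bytes(2, "big")


if __name__ == "__main__":
    for off, hits in scan_offsets(build_demo_packet()).items():
        print(f"coverage from byte {off}: {hits or 'no valid CRC'}")
```

A quick sanity check on the CRC routine itself: with init 0xFFFF and polynomial 0x1021 it must return 0x29B1 for the ASCII string "123456789" (the standard CRC-16/CCITT-FALSE check value), and for any of the four modes, feeding it a message with its own CRC appended must return zero. If a real capture fails `scan_offsets` at every offset, the remaining possibilities are a non-zero output XOR, a reflected (LSB-first) bit order in the capture, or, as assumed above, no CRC at all.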

Assumption #8 - No CRC is sent.

Recurring Sequence?

Having imported the raw bits and converted them to bytes, I am left with the first 22 bytes of each packet being this...

    0                                            15
    -----------------------------------------------------------------
00: aa aa aa aa aa 5a 47 52 50 3d ee 1d 92 a3 47 36 2e a9 33 5a ca 7d
01: aa aa aa aa aa 5a 47 52 50 3f e9 15 a6 a3 47 36 2e ed 7f ea 3a fc
02: aa aa aa aa aa 5a 47 52 50 3f e9 15 a7 a3 47 36 2e e1 7b e6 0a 98
03: aa aa aa aa aa 5a 47 52 50 3f e9 15 a6 a3 47 36 2e ea 77 de 32 cc
04: aa aa aa aa aa 5a 47 52 50 3d ee 1d 92 a3 47 36 2e ae 3b 6e c2 7d
05: aa aa aa aa aa 5a 47 52 50 3f e9 15 a6 a3 47 36 2e e6 73 d2 02 c0

The 5-byte preamble (aa aa aa aa aa) shows clearly, as do the sync words (5a 47 52 50).

However, the next 4 bytes (9 to 12) vary slightly between packets, while the block of 4 bytes after them (13 to 16) is identical in all packets.

    9                 15                                              31
    --------------------------------------------------------------------
00: 3d ee 1d 92 a3 47 36 2e a9 33 5a ca 7d 90 54 36 b0 b1 8d d8 71 2e c3
01: 3f e9 15 a6 a3 47 36 2e ed 7f ea 3a fc bb 33 36 95 66 9a ab 29 3d fe
02: 3f e9 15 a7 a3 47 36 2e e1 7b e6 0a 98 0f 8b 7a 66 17 4a 97 29 3d fe
03: 3f e9 15 a6 a3 47 36 2e ea 77 de 32 cc fb 73 b6 66 d6 a2 f0 29 3d fe
04: 3d ee 1d 92 a3 47 36 2e ae 3b 6e c2 7d 90 54 36 40 b1 0d 58 22 eb 3c
05: 3f e9 15 a6 a3 47 36 2e e6 73 d2 02 c0 cb 43 a6 c3 de 0b c7 29 3d fd

                a3 47 36 2e

I am assuming that this is a two-way conversation, so the recurring bytes could be a unit identifier? Could it be the controller configuration?

Again, I will be able to test this when I am home with multiple controllers and receivers to provide captures.
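The column comparison done by eye above, as an added example rather than code from the original post. `CAPTURES` holds the first 32 bytes of the six packets exactly as printed in the two hex dumps (they overlap at bytes 9 to 21 and splice together); the helpers report which byte positions never change across packets and group packets by the value of the variable field at bytes 9 to 12. The function names and the choice of bytes 9 to 12 as the grouping key are assumptions for the example.

```python
"""Column-wise comparison of captured packets.

Added example, not code from the original post.  CAPTURES holds the first
32 bytes of the six packets exactly as printed in the two hex dumps above
(they overlap at bytes 9..21 and splice together).  The helpers answer the
question the dumps raise: which byte positions never change, and which
packets share the same value in the variable header field?
"""
from collections import defaultdict

# Constructed from the page's two dumps; bytes 0..21 from the first table,
# bytes 22..31 from the second.
CAPTURES = [bytes.fromhex(h) for h in (
    "aaaaaaaaaa5a4752503dee1d92a347362ea9335aca7d905436b0b18dd8712ec3",
    "aaaaaaaaaa5a4752503fe915a6a347362eed7fea3afcbb333695669aab293dfe",
    "aaaaaaaaaa5a4752503fe915a7a347362ee17be60a980f8b7a66174a97293dfe",
    "aaaaaaaaaa5a4752503fe915a6a347362eea77de32ccfb73b666d6a2f0293dfe",
    "aaaaaaaaaa5a4752503dee1d92a347362eae3b6ec27d90543640b10d5822eb3c",
    "aaaaaaaaaa5a4752503fe915a6a347362ee673d202c0cb43a6c3de0bc7293dfd",
)]


def distinct_per_position(rows):
    """Number of distinct byte values seen at each offset (1 = constant)."""
    width = min(len(r) for r in rows)
    return [len({r[i] for r in rows}) for i in range(width)]


def constant_runs(rows):
    """Contiguous runs of offsets that are identical in every packet, as
    (start, end, value) with end exclusive."""
    counts = distinct_per_position(rows)
    runs, start = [], None
    for i, n in enumerate(counts + [0]):  # sentinel flushes the final run
        if n == 1 and start is None:
            start = i
        elif n != 1 and start is not None:
            runs.append((start, i, rows[0][start:i]))
            start = None
    return runs


def group_by_field(rows, start, end):
    """Index packets by the value of rows[start:end].  Splitting a capture
    into packet types this way, then re-running constant_runs() on each
    group, usually exposes more fixed fields than the whole set does."""
    groups = defaultdict(list)
    for idx, r in enumerate(rows):
        groups[r[start:end]].append(idx)
    return dict(groups)


def report(rows):
    """Human-readable summary of the constant runs and the grouping."""
    lines = []
    for s, e, v in constant_runs(rows):
        lines.append(f"bytes {s:2d}..{e - 1:2d} constant: {v.hex(' ')}")
    for key, members in sorted(group_by_field(rows, 9, 13).items()):
        lines.append(f"bytes 9..12 = {key.hex(' ')} in packets {members}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CAPTURES))
```

On the six rows from the page this reports two constant runs, bytes 0 to 8 (preamble plus sync) and bytes 13 to 16 (a3 47 36 2e), which is exactly the observation made above. Grouping on bytes 9 to 12 puts packets 00 and 04 together (3d ee 1d 92) and 01, 03 and 05 together (3f e9 15 a6), with 02 differing only in its last byte; running `constant_runs` on each group separately is the natural next step once captures from a second controller or receiver are available.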

Data Volume?

It's a little puzzling why the conversations are so verbose. Given that it's a simple controller, I had thought it would simply tell the receiver what to do, but given the volume of data exchanged I feel there must be more to it than that very simple scenario. When the mode changed from Comfort to P1 there were a total of 23 packets seen.

Analog signal detections after button pressed

My working assumption is that the smaller signals originate from the receiver as it was further away from the SDR. With this in mind it appears that the controller sent 13 packets and received 8 when woken up by pressing the mode button. Nothing was changed in the configuration, the button press simply woke up the controller.