Following on from last night I decided to try turning off all bar one of the heaters to see if the 3 different "signatures" I was seeing were related to the 3 heaters.
The timing looks better with a nice consistent 40 second gap, until the larger packets are transmitted but then it returns to a regular spacing. My guess is that the 40 byte packets are essentially "heartbeat" traffic so having them reset following something else happening isn't a huge surprise.
Once again the 0xa7 0x46 0x99 starts the payload. The next 4 byte pattern shows some small differences.
- 0x71 0xc3 0x9a 0x97
- 0x71 0xc3 0x9a 0x9f
- 0xf1 0xc3 0x9a 0x97
I have seen these small differences before and while they could be reception errors, they seem quite consistent and regular, so they may reflect different flags being set in the header?
0x71 / 0111 0001 vs 0xf1 / 1111 0001
When I have seen this the bottom 4 bits seem to remain the same.
The final 4 bytes also show some variation, but again only one bit?
The captures from tonight were done with the heater in a different mode as I wanted to see if there was a difference. As there isn't this could simply be a very generic heartbeat?
However with only one heater every heartbeat has either 0x71 or 0xf1 for byte 3. With the other heaters on I also see 0x73 and 0x77 so possibly this byte does contain some elements of an heater specific address?
The lower 4 bits would provide for up to 15 heated towel radiators - which is likely enough for most homes! :-)