bggardner edited this page Jan 22, 2017 · 15 revisions

RF Protocol

From the timing diagrams on the FCC applications and sniffing the waveforms, the RF protocol was discovered and is described below.

Modulation

The protocol uses on-off keying (OOK): the presence of the high-frequency (315 MHz or 433 MHz) carrier is a "high" pulse and its absence is a "low" pulse. The receiver/transmitter pairs take care of this modulation, so the waveform seen by the Raspberry Pi (or other digital controller) is a series of high and low pulses of varying duration.

Framing

The encapsulating "frames" consist of four main elements:

  • SYNC: a 500 Hz square wave, first low for 1 ms then high for 1 ms
  • Preamble: a 2 ms low pulse followed by a 2 ms high pulse
  • Data: Least significant bit first, most significant byte first, encoded as follows:
    • Logic "1": 1 ms pulse (high or low)
    • Logic "0": 0.5 ms pulse (high or low)
  • End Delimiter (encoded like Data):
    • Base station frames: 0x3F
    • Other frames: 0xF

Base Station Frames

  1. 150 periods of SYNC
  2. Preamble
  3. Data
  4. End Delimiter (0x3F)
  5. 18 periods of SYNC
  6. Preamble
  7. Data
  8. End Delimiter (0x3F)
  9. 18 periods of SYNC
  10. Preamble
  11. Data
  12. End Delimiter (0x3F)

Keypad Frames

  1. 40 periods of SYNC
  2. Preamble
  3. Data
  4. End Delimiter (0xF)
  5. Preamble
  6. Data
  7. End Delimiter (0xF)

Sensor Frames

  1. 20 periods of SYNC
  2. Preamble
  3. Data
  4. End Delimiter (0xF)
  5. Preamble
  6. Data
  7. End Delimiter (0xF)
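As an added example (not code from the wiki or from bggardner's project), the following Python decodes a captured pulse-width sequence according to the framing above: it locates each Preamble (2 ms low, 2 ms high), reads the pulses after it as 1 ms = logic "1" and 0.5 ms = logic "0", and packs the bits LSB first into bytes, leaving the End Delimiter bits (and anything after them) unpacked. The pulse-width tolerance, the (level, duration_ms) capture format and the sample capture are assumptions constructed for the example; the repeated-copy check reflects the fact that keypad and sensor frames carry the Data twice.

```python
# Added example: decode an OOK pulse-width capture into frame bytes.
# Input: list of (level, duration_ms) pulses, as a GPIO sniffer might record
# them (format assumed). Levels alternate; the first Data pulse after the
# Preamble's 2 ms high pulse is therefore low.

PULSE_TOLERANCE_MS = 0.2  # assumed: accepts jitter around 0.5 / 1.0 / 2.0 ms


def classify_pulse(duration_ms):
    """Map a pulse duration to 'bit0' (0.5 ms), 'bit1' (1 ms), 'pre' (2 ms) or None."""
    for name, nominal in (("bit0", 0.5), ("bit1", 1.0), ("pre", 2.0)):
        if abs(duration_ms - nominal) <= PULSE_TOLERANCE_MS:
            return name
    return None


def find_preambles(pulses):
    """Indices where a 2 ms low pulse is immediately followed by a 2 ms high pulse.
    SYNC pulses are 1 ms, so they never match."""
    hits = []
    for i in range(len(pulses) - 1):
        (lvl_a, dur_a), (lvl_b, dur_b) = pulses[i], pulses[i + 1]
        if (lvl_a, lvl_b) == (0, 1) and classify_pulse(dur_a) == "pre" \
                and classify_pulse(dur_b) == "pre":
            hits.append(i)
    return hits


def bits_to_bytes(bits):
    """Pack bits LSB-first into bytes (byte order as received); return (bytes, leftover).
    The leftover bits hold the End Delimiter (0xF = 4 ones, 0x3F = 6 ones; lengths
    assumed) plus anything that followed it."""
    full = len(bits) // 8
    packed = bytearray(sum(b << j for j, b in enumerate(bits[i * 8:(i + 1) * 8]))
                       for i in range(full))
    return bytes(packed), bits[full * 8:]


def decode_frames(pulses):
    """Split the capture at each Preamble and decode the pulses that follow it.
    Returns one (data_bytes, leftover_bits) pair per Preamble."""
    starts = find_preambles(pulses)
    frames = []
    for k, start in enumerate(starts):
        stop = starts[k + 1] if k + 1 < len(starts) else len(pulses)
        bits = []
        for _level, dur in pulses[start + 2:stop]:  # skip the two Preamble pulses
            sym = classify_pulse(dur)
            if sym == "bit0":
                bits.append(0)
            elif sym == "bit1":
                bits.append(1)
            else:
                break  # unexpected width (noise or a gap): end of this copy
        frames.append(bits_to_bytes(bits))
    return frames


def copies_agree(frames):
    """Keypad/sensor frames carry the Data twice; accept only if the copies match."""
    datas = [d for d, _ in frames if d]
    return len(datas) >= 2 and all(d == datas[0] for d in datas)


# Constructed sample capture of a keypad-style frame: SYNC, then two copies of
# (Preamble, Data, End Delimiter 0xF). The Data is just the 2-byte vendor code
# 0xCC05 sent LSB first: 0xCC -> 0,0,1,1,0,0,1,1 and 0x05 -> 1,0,1,0,0,0,0,0.
_DATA_COPY = (
    [(0, 2.0), (1, 2.0)]                                                               # Preamble
    + [(0, 0.5), (1, 0.5), (0, 1.0), (1, 1.0), (0, 0.5), (1, 0.5), (0, 1.0), (1, 1.0)]  # 0xCC
    + [(0, 1.0), (1, 0.5), (0, 1.0), (1, 0.5), (0, 0.5), (1, 0.5), (0, 0.5), (1, 0.5)]  # 0x05
    + [(0, 1.0), (1, 1.0), (0, 1.0), (1, 1.0)]                                          # 0xF
)
SAMPLE_CAPTURE = [(0, 1.0), (1, 1.0)] * 4 + _DATA_COPY + _DATA_COPY  # 4 SYNC periods


if __name__ == "__main__":
    for data, trailing in decode_frames(SAMPLE_CAPTURE):
        print(data.hex(), trailing)
    print("copies agree:", copies_agree(decode_frames(SAMPLE_CAPTURE)))
```

Anchoring on the Preamble rather than on SYNC matters because SYNC is made of 1 ms pulses, which are indistinguishable from logic "1" bits by width alone; the decoder therefore only trusts bits that follow a 2 ms/2 ms pair.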

Message Structure

The Data portion of the frame I will henceforth refer to as the Message. The names and encodings of the fields that comprise the Message are my best guess, and are by no means verified with SimpliSafe developers. The fields of the Message are, in order:

  1. Vendor Code: 2 bytes, always 0xCC05 (this could actually be part of the Preamble)
  2. Payload Length Code (PLC): 1 byte, a code that signifies a Payload type and length
    • 0x00: 7 bytes, only seen in a Keypad Out of Range message
    • 0x11: 3 bytes
    • 0x22: 4 bytes
    • 0x33: 5 bytes
    • 0x66: 7 bytes
  3. Serial Number: 5 bytes, ASCII-encoded
    • If sent by a base station, the serial number of the destination keypad
    • Otherwise, the serial number of the device
  4. Payload: length varies, see individual Payload definitions
  5. Checksum: 1 byte, sum of Payload bytes (truncated to one byte)
  6. Footer: 6 bytes, only present in base station messages
    1. Base station serial number: 5 bytes, 6 hexadecimal characters "stuffed" into 5 bytes
      • Bytes are all 0xFF for keypad "menu" responses
      • 1st character: least significant nibble (LSN) of 1st byte
      • 2nd character: LSN of 2nd byte
      • 3rd character: LSN of 3rd byte
      • 4th character: LSN of 4th byte
      • 5th character: LSN of 5th byte
      • 6th character: most significant nibble (MSN) of 4th byte
      • Other nibbles are 0x0
    2. Sequence/Response Type: 1 byte
      • Sequence number: MSN, increments by one
      • Response type: LSN
        • 0x2: Status (non-keypad menu response)
        • 0x6: Menu
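As an added example (not code from the wiki or from bggardner's project), the following Python parses a Message byte string into the fields listed above, verifies the one-byte Payload checksum, and decodes the base station Footer, including the 6-hex-character serial "stuffed" into 5 bytes. It assumes the vendor code is received as the bytes 0xCC then 0x05, that the Footer's presence can be inferred from the Message length, and that unlisted Response types are simply reported as unknown; the two sample messages are constructed for the example.

```python
# Added example: parse a Message (the Data portion of a frame) into its fields.
from dataclasses import dataclass
from typing import Optional

VENDOR_CODE = b"\xcc\x05"  # assumed byte order for 0xCC05
PAYLOAD_LENGTHS = {0x00: 7, 0x11: 3, 0x22: 4, 0x33: 5, 0x66: 7}  # PLC -> Payload bytes
RESPONSE_TYPES = {0x2: "status", 0x6: "menu"}


@dataclass
class Footer:
    base_serial: Optional[str]  # None when all five stuffed bytes are 0xFF (menu response)
    sequence: int               # MSN of the Sequence/Response Type byte
    response_type: str          # LSN of that byte, named via RESPONSE_TYPES


@dataclass
class Message:
    plc: int
    serial: str        # keypad serial for base station messages, else the device serial
    payload: bytes
    checksum_ok: bool
    footer: Optional[Footer]  # only present in base station messages


def unstuff_serial(raw: bytes) -> Optional[str]:
    """Recover the 6 hex characters: LSN of bytes 1-5, then MSN of byte 4."""
    if raw == b"\xff" * 5:
        return None
    nibbles = [raw[0] & 0xF, raw[1] & 0xF, raw[2] & 0xF,
               raw[3] & 0xF, raw[4] & 0xF, raw[3] >> 4]
    return "".join(f"{n:X}" for n in nibbles)


def parse_message(msg: bytes) -> Message:
    """Parse and validate one Message; raises ValueError on a malformed one."""
    if msg[:2] != VENDOR_CODE:
        raise ValueError("bad vendor code")
    plc = msg[2]
    if plc not in PAYLOAD_LENGTHS:
        raise ValueError(f"unknown PLC 0x{plc:02X}")
    n = PAYLOAD_LENGTHS[plc]
    base_len = 2 + 1 + 5 + n + 1  # vendor, PLC, serial, payload, checksum
    if len(msg) not in (base_len, base_len + 6):
        raise ValueError(f"length {len(msg)} does not match PLC 0x{plc:02X}")
    serial = msg[3:8].decode("ascii")
    payload = msg[8:8 + n]
    checksum_ok = (sum(payload) & 0xFF) == msg[8 + n]
    footer = None
    if len(msg) == base_len + 6:  # assumed: a Footer means a base station message
        raw_serial = msg[9 + n:14 + n]
        seq_resp = msg[14 + n]
        footer = Footer(unstuff_serial(raw_serial), seq_resp >> 4,
                        RESPONSE_TYPES.get(seq_resp & 0xF, f"unknown(0x{seq_resp & 0xF:X})"))
    return Message(plc, serial, payload, checksum_ok, footer)


# Constructed samples. Sensor message: PLC 0x11 (3-byte Payload), checksum 0x40+0x01+0x02.
SENSOR_MESSAGE = b"\xcc\x05\x11" + b"12345" + b"\x40\x01\x02" + b"\x43"
# Base station message: PLC 0x22 (4-byte Payload), checksum 0xA0, Footer with the
# serial "1A2B3C" stuffed as 01 0A 02 CB 03, sequence 5, Response type 0x2 (Status).
BASE_MESSAGE = (b"\xcc\x05\x22" + b"ABCDE" + b"\x10\x20\x30\x40" + b"\xa0"
                + b"\x01\x0a\x02\xcb\x03" + b"\x52")


if __name__ == "__main__":
    print(parse_message(SENSOR_MESSAGE))
    print(parse_message(BASE_MESSAGE))
```

Because the checksum is a plain byte sum of the Payload, it only detects corruption on the air; a receiver gains no authentication from it, so a monitoring tool should treat a passing checksum as "intact", not "genuine".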