search

Portisch / RF-Bridge-EFM8BB1

Alternative Firmware for the Sonoff RF Bridge EFM8BB1 chip
293 stars 124 forks source link

5 button alarm key fob (g50a) - B1 new protocol #143

Open panste13 opened 4 years ago

panste13 commented 4 years ago

Latest firmware used?

Be sure you tried the latest release or the newest binary of the firmware! ==> RF-Bridge-EFM8BB1-20191006.hex

Information

What device you try to sniff data from? Description? Brand and type? Sonoff Rf with Tasmota 7.1.2

Sniffed data

Post your sniffed data by command 0xB1 or 0xA6. (only for disarm)

disarm

08:40:28 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:40:28","RfRaw":{"Data":"AA B1 03 062C 01CC 3606 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:41:24 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:41:24","RfRaw":{"Data":"AA B1 03 0622 01D6 35F2 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:42:08 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:42:08","RfRaw":{"Data":"AA B1 03 0618 01CC 35FC 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:42:39 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:42:39","RfRaw":{"Data":"AA B1 03 0622 01D6 35FC 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:43:13 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:43:13","RfRaw":{"Data":"AA B1 03 0622 01CC 3606 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:44:07 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:44:07","RfRaw":{"Data":"AA B1 03 0622 01D6 35FC 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:45:05 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:45:05","RfRaw":{"Data":"AA B1 03 0618 01D6 3610 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:45:36 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:45:36","RfRaw":{"Data":"AA B1 03 0618 01CC 3606 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:46:33 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:46:33","RfRaw":{"Data":"AA B1 03 0618 01CC 361A 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:46:49 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:46:49","RfRaw":{"Data":"AA B1 03 0622 01D6 3610 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:47:16 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T08:47:16","RfRaw":{"Data":"AA B1 03 0622 01D6 3610 281818181908190819090908181909081909090819090908190909090908190909 55"}} 08:47:16 MQT: Brifge/tele/RESULT = {"Time":"2019-12-07T10:18:05","RfRaw":{"Data":"AA B1 03 060E 01EA 3606 281818181908190819090908181909081909090819090908190909090908190909 55"}}

Good afternoon

I was wondering I anyone can help me with the protocol for this device (or point me out where I I going wrong)

I select the "RfRaw":{"Data":"AA B1 03 0622 01D6 3610 281818181908190819090908181909081909090819090908190909090908190909 55"}} as the probable candidate

AA is the start sync B0 is code received 03 is the bucket length

0622 (Bucket 0 length:1570)

01d6 (Bucket 1 length 470)

3610 (Bucket 2 length: 13840)

28 or 92 should be the sync bucket

so the decode data are
1818181908190819090908181909081909090819090908190909090908190909

At this point I am stuck ... how can I convert that ? Using BitBucketConverter.py (or BitBucketConverter.txt) I get an rfraw b0 command but an error as well

'RfRaw AAB0290314062201D6361028181818190819081909090818190908190909081909090819090909090819090955'

Traceback (most recent call last): File "main.py", line 181, in main(options.input, options.repeat) File "main.py", line 64, in main for i in range(0, iLength/2): TypeError: 'float' object cannot be interpreted as an integer

** Note that the command doesnt work

Any insights ??? Thank you for any help

panste13 commented 4 years ago

Some extra info..... 20151127161913174 This is the remote

IMG_20191217_065027 This is the front

IMG_20191217_070925 And the back (no model)

In the past with a previous firmware I was getting a 01 body code that I could replicate but alas I haven't kept the file and with current version I get a code that I can't convert.

Thank you for any insights

panste13 commented 4 years ago

Abit more research

"RfRaw":{"Data":"AA B1 03 0622 01D6 3610 281818181908190819090908181909081909090819090908190909090908190909 55"}} as the probable candidate

AA is the start sync B1 is code received to be replaced with b0

The length of the command is I am calculating correctly should be 41 decimal 29 hex

03 is the bucket length

0622 (Bucket 0 length:1570)

01d6 (Bucket 1 length 470)

3610 (Bucket 2 length: 13840)

28 or 92 should be the sync bucket

data 1818181908190819090908181909081909090819090908190909090908190909 (for 28) Or data 8181818190819081909090818190908190909081909090819090909090819090 (for 92)

Sync Ends 55

That will give me a command

AA B0 29 03 08 0622 01d6 3610 1818181908190819090908181909081909090819090908190909090908190909 55

or AA B0 29 03 08 0622 01d6 3610 8181818190819081909090818190908190909081909090819090909090819090 55

which both fail .....

Any ideas ???

panste13 commented 4 years ago

Managed to find some extra info from the manufacturer

Alarm Host RF receiving frequency: 433MHz(±75KHz),PT2262 / 4.7MΩ EV1527/300K (Customized for 315Mhz)

so its a PT2262

Anyone who has dealt with this kind of chip ???