"Burst" wide band frequency keying mode

[jinschoi]

I am looking at duplicating the protocol for my Honda key fob, for opening doors, unlocking, etc. It appears to be a simple sequence of 25ms bursts every 100ms at either 313.55 or 314.15 MHz (313.85 +-.30 MHz). I would like to be able to send this type of signal, but there is no easy way to do it at this time.

My thought for the easiest way to support this would be to extend the RAW .sub format for OOK to allow for a frequency change immediately after a mark duration:

Frequency: 313550000
RAW_Data: 25 -75 25
Frequency: 314150000
RAW_Data: -75 25 -75 25
Frequency: 313550000
...

[skotopes]

Current architecture doesn't allow to do that. Right now timings(CC/AR) are fed to TIM2 directly(DMA) from memory, that makes impossible to change frequency at the same time.

It is however possible: you will need to use lowest level of furi_hal_subghz and directly control gpio_cc1101_g0 from your code. Going to a be little bit challenging though.

[skotopes]

Can we also have FCCID/mode and/or recorder signal?

[jinschoi]

FCC ID KR5V1X (https://www.amazon.com/Honda-Odyssey-Keyless-Remote-KR5V1X/dp/B07KFK48CW)

Here is an IQ recording of the left door button: leftdoor5.complex16u.zip

Recorded using: rtl_sdr -f 313850000 -s 1300000 leftdoor5.complex16u

Format is 8-bit unsigned raw IQ samples (named complex16u because that is what URH expects, for some reason).

[skotopes]

@Skorpionm what do you think?

[Skorpionm]

I think that there can’t be a simple sequence of signals, at different frequencies, it’s still some kind of protocol, I still need to hold this key fob in my hands to say more

[jinschoi]

This is just a regular FSK burst with a rather wide 600 KHz offset. Would it be possible to extend the bandwidth of the raw FM reader to that much?

[skotopes]

https://fccid.io/KR5V1X/Test-Report/Occupied-Bandwidth-Plot-1913633

it is FSK

[Skorpionm]

https://fccid.io/KR5V1X/Test-Report/Occupied-Bandwidth-Plot-1913633

это ФСК

this shows that Deviation ~ 47.7k, more accurately you need to look at SDR. Write wav to SDRSharp, there will be a lot less questions

[Skorpionm]

the transmission frequency +- 30k indirectly confirms that this is FSK. you can also try recording RAW on "FM476" and attach it here, I'll look at it

[jinschoi]

I attached an IQ recording from an SDR up above in my second comment, looks like this in URH:

Recording raw at 313.85 with FM476 shows no signal being picked up. Not surprising as 476 I assume means 476KHz bandwidth? It would need 600 KHz.

[Skorpionm]

look carefully that I asked you to record the frequency range of the Sdrsharp program in order to accurately see the signal parameters. and not recording at 1 frequency, and don't make it up, fm476 is the frequency deviation equal to 47.68kHz. and the filter is 150

[jinschoi]

Here is a baseband recording using SDRSharp of the above signal. The frequency deviation is 600 KHz (313.55 MHz to 314.15 MHz). Sorry for the long delay.

SDRSharp_20220522_124911Z_313800000Hz_IQ.wav.zip

The charts in the FCC occupied bandwidth plot are confusing. They are showing the deviations for the two separate frequencies being used. Page 2 and page 3 are showing the characteristics of channel 1 and channel 2, at widely separated frequencies.

[Skorpionm]

you have a 2-frequency remote control, with FSK modulation, it looks like the deviation is 27.7 kHz, the transmission goes alternately on 1 then on 2 frequencies

[Skorpionm]

deceived 30-32 kHz although maybe 4FSK

[jinschoi]

A detailed spectogram of one of the pulses doesn't show any frequency shifting within the pulse, though.

[Skorpionm]

you just have a 2-frequency remote that transmits in turn