900 MHz receiver question

Hi,

I was wondering if it would be possible to receive data from a 900 MHz transmitter that has a custom frequency hopping scheme? Couldn’t I just use a standard transceiver that works in the 902-928 MHz range and then change the firmware to receive the signal from a source transmitting on 910-920 MHz?

Thanks,

Tad

You need to know the hopping sequence. When I worked on military comms the sequence was varied, together with the crypto setting.

+2000 to Leon’s comment.

FH is a pain in the butt. If the transmitter is open source you should be able to extract the frequency hopping algorithm, otherwise there’s no real good way to do it. If it’s similar to the Mil-Spec stuff I work with, forget about being able to reverse engineer the pattern.

On the other hand, if the transmitter is open source you could just use their receiver code and modify the algorithm to suit your needs.

Ok, thanks. Figured it might be difficult to figure out if we didn’t know the hopping sequence. We are trying to set up a water meter reading system based on what’s already out there and of course without needing to re-engineer the meter side, only the receiver side. The current systems don’t give much detail of their hopping scheme so it would take a little work to figure it out, although I don’t believe the signal is encrypted. Assuming I knew the hopping sequence, I could probably set up the firmware on the receiver side to receive this data?

Thanks for the input, it’s very much appreciated.

Tad

If you know the hopping sequence, and you can synchronize the timing, you might be able to make it work.

A couple more questions:

Do you have access to swap the transmitter with another device?

Distance from transmitter to receiver?

Do you have line of sight from transmitter to receiver?

thebecwar:
If you know the hopping sequence, and you can synchronize the timing, you might be able to make it work.

A couple more questions:

Do you have access to swap the transmitter with another device?

Distance from transmitter to receiver?

Do you have line of sight from transmitter to receiver?

  1. No the transmitter is potted and integral to the water meter since it is possible it could be flooded in the case of a broken pipe.

  2. Distance from transmitter to receiver is about 30 feet. Most of the time a car or person is walking down the street and the receiver picks up and sorts the serial numbers of the meters, and reads their current usage, then dumps them into a file on a flash stick so it can be given to the main office for billing.

  3. Yes, typically the meters are within line of sight of the reader device.

This small water company wants these built because it cannot afford the staggering $50k American per reader unit that the other companies want, but up until now the other companies who make the RF circuits have had a complete monopoly on the market since they control the design of the meter side system (typically just a micro-controller interfaced with the RF transmitter). The idea here is to come up with a less expensive solution that will read the meter and dump the data into a text file in Flash etc. That part is very simple for me. I can have it done in a matter of days, but how to do the RF part is perplexing me.

Thanks,

Tad

You could hire a spectrum analyser and see if you can work out the hop sequence. It won’t be easy, though, and will only work if it is fixed. I don’t think what you are trying to do is feasible.

If you have a meter you could tear apart (scrap or dead is ok too) maybe they’re using a component like this one:

http://www.radiotronix.com/products/pro … ProdID=145

If so, it’s only got 6 different hop tables, so it should be easy enough to sample through the options and find one that connects. There are, of course, a lot of other protocol related variables, and things of that nature, but I’m not sure there’s even a standard applicable to this kind of thing. The IEEE does have a paper about AMR through a Zigbee interface, and a superseded standard about AMR over telephone lines, but I didn’t run across anything that looked like a protocol definition for a FHSS system.

[Edit: The 6 hop tables thing only applies to the one above. YMMV with anything else.]

You may be able to get some information from the manufacturers of the meters. They seem at cursory inspection to work together on some of their systems, but I doubt you’ll get far unless you have an established market segment.

[Edit 2: Moved the earlier edit so it makes sense. Man, it’s been a long day.]

Perhaps the data is encrypted as well, even if you crack the hopping sequence. And often, the sequence changes according to an encrypted hopping schedule that’s sent over the air. Or not.

Ok, thanks guys. I can and will find out if the data is encrypted, but I doubt it is. It at least sounds possible given your understanding of it. I have worked with many 802.3 2.4 GHz systems (IP bridges and such) and have played with hopping sequences and such, so I can probably figure it out once I know if the data has been encrypted.

Spectrum analyzer should not be a problem after that. If I can get a meter I certainly will although getting through the potting might take some work.

Thanks,

Tad

mrenergy:
Ok, thanks guys. I can and will find out if the data is encrypted, but I doubt it is. It at least sounds possible given your understanding of it. I have worked with many 802.3 2.4 GHz systems (IP bridges and such) and have played with hopping sequences and such, so I can probably figure it out once I know if the data has been encrypted.

Tad

You said 802.3 2.4 GHz - that’s wired Ethernet. Perhaps you meant 802.11 or 802.15.4, or Bluetooth 802.15.3.

A spectrum analyzer w/peak hold might tell you what frequencies are used, but not the time domain information re hopping sequence, etc.

stevech:

mrenergy:
Ok, thanks guys. I can and will find out if the data is encrypted, but I doubt it is. It at least sounds possible given your understanding of it. I have worked with many 802.3 2.4 GHz systems (IP bridges and such) and have played with hopping sequences and such, so I can probably figure it out once I know if the data has been encrypted.

Tad

You said 802.3 2.4 GHz - that’s wired Ethernet. Perhaps you meant 802.11 or 802.15.4, or Bluetooth 802.15.3.

A spectrum analyzer w/peak hold might tell you what frequencies are used, but not the time domain information re hopping sequence, etc.

Sorry, yes, it’s been quite a few years since I worked on Cisco and BreezeCom 2.4 GHz wireless systems. 802.11. We were using them for setting up internet connections for people who could not get DSL/cable broadband. Sounds like I will have many hours of trial and error checking different hopping schemes.

Thanks for the help. I will be working on figuring out whether the systems use encryption or not, and then choose where to go from there assuming the signal is not encrypted.

Tad

Right… BreezeCom was available for both 900MHz and 2.4GHz but not 802.anything

stevech:
Right… BreezeCom was available for both 900MHz and 2.4GHz but not 802.anything

Ok = ), well regardless of what standard they used, they sent wireless data from our client to our central network, and the client paid us to deliver bandwidth. I set up the bandwidth control systems at our office and controlled how much bandwidth the client could send and receive. Sorry if I was not accurate enough in my description.

I am working on obtaining the information on encryption of the metering systems at the moment. I sincerely appreciate all your input on this system.

Tad

If it were me, and I did not have any fancy microwave test gear, I would build a delay line frequency discriminator. It converts frequency to voltage, and then you can easily view the frequency hopping around on any oscilloscope. You need an RF mixer (like a Mini-Circuits one), a signal splitter, and some lengths of flexible 50 ohm cable. A diagram is attached.

Observing the oscilloscope will give you the pattern. You might have to calibrate the discriminator (volts out for frequency in) if you cannot easily derive the absolute frequency steps from your knowledge of the circuitry (such as knowing the clock input to the PLL).

In operation, you use small lengths of trim cable to get the output to be around zero volts, then the output varies +/- 200 mV or so as the frequency hops. Cables longer than 30" give more sensitivity, but might give ambiguous readings, as you might end up with two frequencies at the same output voltage. Cables shorter than 30" give fewer volts per MHz of frequency change.

Here is a typical oscilloscope plot for ONE of the frequency steps. The big output change is the change from F1 to F2. The small “noise” dithering on it a little afterward is the actual FSK data being modulated onto the frequency channel. :stuck_out_tongue:
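The delay-line discriminator above can be worked through numerically. The following model is an added example and not part of the thread or its attachments: the splitter feeds the mixer's two ports with the same signal, one copy delayed by the extra cable, so the low-pass-filtered mixer output is proportional to cos(2·π·f·τ), where τ is the cable delay. It assumes a coax velocity factor of 0.66 and the roughly 200 mV swing mentioned in the post; the sensitivity and the "too long a cable becomes ambiguous" limit both follow directly from that cosine.

```python
"""Delay-line frequency discriminator model (added example, not from the thread).

Model: V_out(f) = A * cos(2*pi*f*tau + trim), where tau is the delay of the
extra coax run and 'trim' is the phase offset the trim cables provide so the
centre frequency sits at 0 V on the steep part of the cosine.
"""
import math

C = 299_792_458.0          # speed of light in vacuum, m/s
VELOCITY_FACTOR = 0.66     # assumed; typical for solid polyethylene coax
SWING_V = 0.2              # ~200 mV output swing, as stated in the post


def cable_delay_s(length_in, velocity_factor=VELOCITY_FACTOR):
    """Propagation delay of a coax run of 'length_in' inches, in seconds."""
    return (length_in * 0.0254) / (velocity_factor * C)


def discriminator_volts(f_hz, tau_s, trim_rad=0.0, amplitude_v=SWING_V):
    """Low-pass-filtered mixer output for an input at f_hz."""
    return amplitude_v * math.cos(2 * math.pi * f_hz * tau_s + trim_rad)


def trim_phase_for_zero(f_center_hz, tau_s):
    """Phase offset that puts f_center on the zero crossing (phase = pi/2)."""
    return (math.pi / 2 - 2 * math.pi * f_center_hz * tau_s) % (2 * math.pi)


def sensitivity_mv_per_mhz(tau_s, amplitude_v=SWING_V):
    """Slope at the zero crossing: |d/df A cos(2 pi f tau)| = A * 2 pi tau per Hz."""
    return amplitude_v * 2 * math.pi * tau_s * 1e6 * 1e3


def unambiguous_span_hz(tau_s):
    """Widest band over which the cosine is monotonic: half a phase period."""
    return 1.0 / (2.0 * tau_s)


def hop_to_voltages(hop_hz, tau_s, trim_rad, amplitude_v=SWING_V):
    """Map a list of hop frequencies to the voltages the scope would show."""
    return [discriminator_volts(f, tau_s, trim_rad, amplitude_v) for f in hop_hz]


def cable_fits_band(length_in, band_width_hz):
    """True if a cable of this length gives unambiguous readings across the band."""
    return unambiguous_span_hz(cable_delay_s(length_in)) > band_width_hz


if __name__ == "__main__":
    band_lo, band_hi = 902e6, 928e6          # US 902-928 MHz ISM band
    hops = [902e6 + 2e6 * k for k in range(14)]   # constructed hop set, 2 MHz steps
    for length in (30, 200):
        tau = cable_delay_s(length)
        trim = trim_phase_for_zero(915e6, tau)
        print(f'{length}" cable: tau={tau*1e9:.2f} ns, '
              f'{sensitivity_mv_per_mhz(tau):.2f} mV/MHz, '
              f'unambiguous span {unambiguous_span_hz(tau)/1e6:.1f} MHz, '
              f'fits 902-928: {cable_fits_band(length, band_hi - band_lo)}')
        for f, v in zip(hops, hop_to_voltages(hops, tau, trim)):
            print(f"  {f/1e6:.0f} MHz -> {v*1e3:+.1f} mV")
```

With the assumed velocity factor a 30" run is about 3.9 ns of delay, roughly 4.8 mV per MHz, and stays monotonic over about 130 MHz, so the whole 902-928 MHz band maps to distinct voltages; a 200" run is more sensitive but its monotonic span shrinks below the 26 MHz band width, which is the two-frequencies-one-voltage ambiguity the post warns about.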

Thanks! That is a great work-around.

I found out the data is not encrypted and uses an industry standard TI based chip (CC1101) that uses a standard SPI bus to communicate and set the registers with a 24 bit word. Should be very simple to set up since I have already written a system for doing that with a frequency generation chip from Analog Devices.

So it looks like this will be very fast and easy to do with the development board I already have (ATMega 128).

Thanks for all your help.

Tad