Davis Weather Station Wireless Sniffing: A Start

My last post discussed my dismal failure to get my Bus Pirate to take control of my IM-ME pretty pink pager. That battle has been lost, but the war is only beginning. I have a box of newly arrived electronic components sitting on my kitchen counter. Once I get my GoodFET circuit board in the mail (hopefully this week), the battle will begin anew. Reinforcements are en-route in the form of the Open Workbench Logic Sniffer that I have on the way. This is a $50 logic analyzer that is extremely capable, thanks to some recent updates to its firmware and GUI client. Unfortunately, I am once again at the mercy of the glacial shipping out of Hong Kong. I hope to see this in my lifetime.

A Can of Electronic Whoop-Ass

Why do I need a logic analyzer? First, I'm firmly convinced that everyone needs a logic analyzer. Second, I need to understand how the Davis firmware is configuring the CC1021 RF chip in the console. That way I can replicate the configuration in the Pretty Pink Pager and hopefully grab the wireless transmissions from the ISS.

My initial understanding is that the Davis firmware does an initial full-blown configuration of the RF chip on reset, and then does a smaller configuration each time it goes to read the ISS every 2.5 seconds.  Why would I suspect this?  I dunno.  Just a hunch.

More Interesting Than You Think - Keep Reading

The CC1021 configuration is done via a conventional SPI interface. I thought I could just use my Bus Pirate to sniff the SPI interface, but that doesn't seem to work. SPI sniffing from its interactive GUI gave me data that didn't make sense, and the binary SPI sniffing utility doesn't work at all. Drat.

So with some time on my hands (and it being -37C the morning I did this), I hooked up my scope to the expansion connector on the console and took a look. I put one channel on SCK and the other on MOSI (go here to find out what I'm talking about). As one would expect, the timing between each command per 2.5 second interval was very regular: it has to be if it wants to stay synced with the ISS transmission.   I was able to use my scope's trigger delay to look at each config command and associated data byte as explained in the datasheet.

Before getting too far, I should note that the CC1021 register configuration (gain control, frequency settings, etc) are controlled over a different interface from the actual data that goes back and forth.  I forgot that once and felt pretty dumb about it.  The data interface isn't available at the expansion connector, but the SPI interface is.  Of course I can use the STRMON command to the console to see the data coming back (or at least some of it - not sure about that yet).

After hooking up to the console, I waited for the asterisk on the LCD (indicating reception) to go away, and then triggered the scope.  This way I knew I was triggering in the dead-time between ISS transmissions and I'd get the start of an ISS transmission every time.  The scope display gave me SPI clock and data, and it was easy to read the binary 1's and 0's to the CC1021 and turn that into hex. After I got one command figured out, I adjusted the trigger holdoff until the next command showed up. Lather. Rinse. Repeat. Here is what I got:



Some things to note:

• the values for FREQ_2A, 1A, and 0A change each round because this system does the Frequency Hopped Spread Spectrum thing that scares so many people off.  There are 51 frequencies (see below) that it hops between.  You can bring up a debugging screen on the console (described in the manual) that shows the index of the hop.  Neat.
• timing gets a little variable at the end so that last AFC command might be a duplicate.  When my real logic analyzer shows up, I'll know for sure.

What is bugging me right now is that I haven't been able to find the hopping sequence in the firmware.  I sniffed consecutive writes of one of the FREQ registers, as well as consecutive writes of FREQ_2A, 1A, and 0A.  I had suspected these to be in an array in the firmware in one form or another, but no luck so far.  I'll poke around a little more, or use brute force once the logic analyzer arrives.  Either way, this is something I'll need to know if I'm going to try to attempt to build a compatible receiver.

Another items of interest.  TheVantage Vue Test Results are a great find. Click on the Test Report link and look on Page 28 if you want to see the frequencies this thing hops across. Lots of other good spectrum displays for things like occupied bandwidth and the like.

Now lets bring things full circle. Near the start of this blog post, I showed a screenshot out of a hex editor in the Davis FLASH.BIN firmware that runs the console. See the first four words there? If I type "main interface reset sequencing" into Google, I get a very interesting link to a guy who coded up some stuff for an amateur satellite link that used a minor variant of the CC1021 chip used in the Davis console.  Also interesting is that his work is labelled as being under the GNU General Public License, which means that the source code  has to be made available upon request if copied and distributed.  Now I'm certainly not accusing Davis of violating the GPL.  It is much more likely that there is a common source to a recommended configuration of this chip that I need to track down yet.  Gotta keep digging.