Sunday, March 20, 2011

Davis Frequency Hopping Sequence Revealed!

I finally got my Open Workbench Logic Sniffer (i.e. a logic analyzer) and got a chance to try it out this weekend.  It is a powerful little device for $50.  There's also been some great work done on the VHDL code that gives it triggering capabilities equivalent to those of an HP unit from not that many years ago.  I like it.
I could have walked to Hong Kong in the time it took to get this
First thing I did was hook it up to the Davis VP2 console and see if I could sniff the configurations between the processor and the RF chip.  And whaddya know.
Astute readers will see that the first two bytes decoded on the MOSI line (0x03, 0x02) match what I found in my earlier investigation using my scope.  It works!  Needless to say, using the logic sniffer goes much quicker.

One thing that was quite nice with the logic analyzer client is the built in protocol analyzers.  You tell it what pins map to what signal lines for a given protocol (SPI in this case), and it comes up with a table much like my first post on the topic.  It shows the time offset from the trigger for the start of each byte and the decoded value.  You can then export the data to a CSV file. Nice.

The problem I had was that the analyzer's buffer is nowhere near long enough to capture the data across 51 frequency hops.  About the most I was able to capture at this sample rate was a half second, and the station takes 51 * 2.5 seconds = 127.5 seconds to go through them all.  The answer was to use the console's display of what frequency index it was on (hold Temp and then press Humidity, then 2nd Chill).  I'd just hit the trigger button on the analyzer between transmissions, analyze and save the data, rinse and repeat.  The console goes faster than I can do this, so it took many passes through the sequence before I had all 51 entries.  And here they are.

Here are what the columns mean:
  • Chan is the channel number as displayed on the console
  • FREQ_2A, FREQ_1A, and FREQ_0A are the three registers that need to be configured in the CC1021 RF chip to set its frequency
  • Index is the value in the range of 0 - 50, where 0 represents the lowest frequency of 902.5 MHz and 50 represents 927.5 MHz.  The channels are spaced 500 kHz apart.
  • RF Frequency is the nominal RF frequency the station receives on.
This sequence is for Transmitter ID 1.  Other transmitter IDs will have a different sequence, though I think they all share the same set of 51 frequencies.  Note that I said "think" there.  If you run the calculations based on the formulas in the CC1021 datasheet, you don't get the nice round nominal numbers shown above.  There are some significant frequency offsets that show up.  It is possible that the different transmitter IDs use a different set of frequencies.  Davis would actually have room within the frequency band they use to do this.  Though it might be possible, I don't think it is probable.  I'm going to have to dig into this a little more.
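As an added example (not code from the original post), the following Python models the hop table described above: the index-to-frequency mapping, the 51 × 2.5 s cycle, and the merging of "chan, index" pairs gathered over several analyzer passes into one table while flagging gaps and conflicts.  It assumes the console's channel numbers run 0..50 (one per hop); the two-column row layout and the sample rows are constructed for this example.

```python
# Added example: model of the Davis hop sequence as described in the post.
# Assumption: console channel numbers run 0..50, one per hop in the cycle.
NUM_CHANNELS = 51                   # hops per full cycle
BASE_MHZ = 902.5                    # frequency index 0
SPACING_MHZ = 0.5                   # channels are 500 kHz apart
DWELL_S = 2.5                       # time spent on each hop
CYCLE_S = NUM_CHANNELS * DWELL_S    # 127.5 s for the whole sequence


def index_to_mhz(index):
    """Nominal RF frequency for a frequency index in 0..50."""
    if not 0 <= index < NUM_CHANNELS:
        raise ValueError(f"index {index} outside 0..{NUM_CHANNELS - 1}")
    return BASE_MHZ + SPACING_MHZ * index


def parse_pass(text):
    """Parse one capture pass of 'chan,index' rows (constructed layout)."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        chan, index = (int(v) for v in line.split(","))
        if not 0 <= chan < NUM_CHANNELS:
            raise ValueError(f"channel {chan} outside 0..{NUM_CHANNELS - 1}")
        rows[chan] = index
    return rows


def merge_passes(passes):
    """Combine passes into one table; a channel seen twice must agree."""
    table = {}
    for rows in passes:
        for chan, index in rows.items():
            if chan in table and table[chan] != index:
                raise ValueError(f"channel {chan}: index {table[chan]} vs {index}")
            table[chan] = index
    return table


def missing_channels(table):
    """Channels not yet captured, so another pass is still needed."""
    return [c for c in range(NUM_CHANNELS) if c not in table]


def hop_frequencies(table):
    """Map each captured channel to its nominal frequency in MHz."""
    return {chan: index_to_mhz(index) for chan, index in table.items()}


def seconds_until(chan_now, chan_target):
    """Wait from the start of chan_now until the station reaches chan_target."""
    return ((chan_target - chan_now) % NUM_CHANNELS) * DWELL_S


# Constructed sample passes: indices are made up, not the real sequence.
PASS_1 = "# chan,index\n0,0\n1,50\n2,25\n"
PASS_2 = "1,50\n3,10\n"
```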

The other thing I need to do is figure out how to capture the initial configuration of the radio as the chip comes out of reset.  My half second capture length on the analyzer makes this kind of tricky.  You can specify a trigger delay in the analyzer client, but it doesn't give the units for the delay and the documentation isn't great.  There is also a serial trigger that is supposed to sort-of work that I'm going to give a try.  I know the bit pattern of the registers I'm interested in, so I should be able to set a trigger based on that bit pattern and see the subsequent value written to that register.

One more thing: now that I know the register configurations and the frequency hopping sequence, I thought it would be trivial to find the spot in the ROM where this stuff is stored.  No luck.  I tried searching based on the register sequence, the frequency index, etc.  If anyone wants to try their luck in poking around FLASH.BIN, give it a shot and let me know in the comments if you have any luck. This console is still managing to hang on to some of its secrets, at least for now.

Anyway, it is early days and there is more to come.  It's gotta get done to have any chance of success at building an alternative ISS receiver from a Pretty Pink Pager.

1 comment:

  1. Hello,

    I write from Spain.
    I have a Davis Vantage Pro2.

    Do you think it is possible to receive this with an Arduino?
    I think if we can read the frequency of the Davis with an Arduino we can make a data logger with no console and with no PC.

    Best Regards.