Group Actions
Engagement
  • Author Author: shabaz
  • Date Created: Date Created
  • Views 317 views
  • Likes 15 likes
  • Comments 26 comments
Related
Recommended

FSK Demodulation with R&S FPC Spectrum Analyzers, or How I Achieved an Optimal Room Temperature

shabaz

Introduction

I wrote a review (and created a video) for a Rohde & Schwarz FPC series spectrum analyzer eight years ago, and although I explored some of the demodulation capability back then, I never used it for a real-life scenario. Fast-forward to the cold winter of 2025, and I had a need! This short blog post shows how useful that capability can be.

What was the Problem to Solve?

I have a pretty awful heating system controller at home; it never regulates the temperature all too well, and its user interface is buggy and difficult to use.

The controller relies on a radio transmission to switch the boiler on or off, and I fancied overriding the controller with my own custom system. This would involve reverse-engineering the radio protocol.

I was able to partially figure it out by probing around inside the transmitter, but the transmitter module was a black box (an unlabelled blob). I managed to narrow it down to possibly a Silicon Labs (Silabs) chipset range - perhaps Si443x series, and capture some of the bitstream using a logic analyzer.

image

It was a weird system, it used an out-of-band SPI interface for configuration, but the actual transmission was controlled through a kind of direct signal used for modulation on-the-fly (i.e. not a packet-oriented transfer from the microcontroller to the transmitter chip), at around 9600 bits per second, for a duration of about 176 bits. You can see this in the screenshot below, where firstly some of the purple data (configuration data) is sent together with the blue SPI clock signal, but then a load of purple data is sent without the blue clock signal changing. That clock-less portion of purple data is the direct signal that modulates the transmission, and that period length was measured to be 176 bits long, if the speed is 9600 bits/sec. The yellow signal appears to be an interrupt from the transmitter IC, paced at 9600 Hz, to act as a handshake to let the microcontroller know when it can apply the next data bit.

I didn’t manage to narrow down the SPI content to any specific chip, so I had no idea what frequency or modulation scheme was set up.

image

FPC Configuration

I decided to capture the transmission using the FPC1500 using its Digital Demodulation functionality. Here’s how I did it. The photo below shows in red all the buttons used.

image

I took a guess at the frequency being ballpark 868 MHz (easy to see from the length of the antenna wire inside the transmitter, but if you're unsure, just observe a span of spectrum until you see activity) and pressed Freq and set the FPC1500 center frequency to that value.

I pressed Ampt (Amplitude) and set the reference level to -20 dBm. Next, I pressed the Mode button and selected Digital Demodulation. Then I pressed the Meas button, and selected FSK (Frequency Shift Keying; I could have selected ASK [Amplitude Shift Keying] too). Within the Meas menu, you can configure demodulation parameters. I set the Symbol Rate to 9600, and Frequency Deviation to 5 kHz (since I expected it to be around that ballpark), and then set Number of Symbols to 176.

The FPC1500 needs to be told when to trigger to capture the data; to do that, I pressed Sweep, then selected Trigger, then selected IQ Power and set it to -30 dBm, again this was just a guess, it’s not too critical.

To view the captured data, I clicked on Meas again, then clicked on Symbols, for the binary data display whenever the trigger power level occurs.

Capturing the Data

I connected the FPC's RF input to a small 868 MHz antenna and placed it near the transmitter, and voila! The FPC1500 triggered and displayed all the binary data. If you look at the binary symbols in the screenshot, you'll see the signature of a healthy transmission, because it begins with an alternating pattern of ones and zero's, which is almost always a "preamble" sequence to train the receiver to get ready to receive the rest of the bits of data.

image

I manually typed the bit values into my PC (there may be a way to export it, but it’s not a lot of data), and then I was able to match it to the earlier logic analyzer capture. There was a slippage of 6 bits, but that’s not a big deal; I let AI (ChatGPT) figure that out.

Next Steps

Now that I knew the approximate frequency and modulation details, it would be possible to replicate things with a custom transmitter circuit. I decided to use a Texas Instruments CC1101 chip, since that’s super-flexible (and overkill admittedly). I purchased an EBYTE E07-900MM10S module (which contains a CC1101 inside) because it’s low-cost and has pads that are easyish to solder.

I attached the EBYTE module to a Pi Pico module, and wrote code to replicate the transmission. I used the R&S FPC Digital Demodulation functionality to troubleshoot the code, until the symbols looked similar, and then verified that it did indeed control the boiler. That still needs documenting, and so it is a write-up for another day. The photo below shows the EBYTE module dead-bugged onto a Pico-Eurocard board.

image

Circuit Diagram:

image

Summary

The R&S FPC Spectrum Analyzer can trigger on a received radio transmission, and directly convert digital modulation schemes such as ASK and FSK into a decoded bit sequence, and it's just a few button presses to configure it. This can be very helpful when reverse-engineering a radio transmission, or when writing code for a transmitter and using the FPC to check that the transmission is correct. If you don’t have an FPC instrument, an alternative method would be to use a software-defined radio (SDR), but usually there’s a significant learning curve with that. The FPC was far easier to use. It solved my problem and gave me control of my heating system.

Thanks for reading.

  • in reply to shabaz

     I've been running the code continuously for the past fortnight, and it's been reliable. The screenshot shows the network activity over a typical 24-hour period (I've been checking this regularly).

    image

    However, for the last day or so (I don't know the precise time on Sunday that it occurred), the network activity is different:

    image

    It may well be API reattemps, but, I have no idea, because I cannot peek at any detailed status, nor observe error codes (there's no display, and no serial interface). Boilers themselves have interfaces (there are at least a couple of popular serial ones). I could implement a serial interface as one option. It could even be an API change (the fact that it occurred on a Sunday could be a smoking gun), although to me it seems the API response still looks approximately what I expect, when I test the API from a web browser).

    I've been working on a separate project to provide general external logging and alarms and data querying. It appears to function, but I'm refining it. At some stage I'll port that to this project.

    For now I could power-cycle the system to see if the traffic goes back to normal, but I'll give it a day or two, to continue to see what happens. Right now it's too warm for the boiler to switch on, but the heartbeat LED indicates that the main code loop is running, and the router log shows that the WiFi has not disconnected. There may well be bugs related to reattempts, but I've improved that greatly recently (not ported that across to the live system yet either) - a good tool is called WireMock, that allows you to simulate API failures, and I've been using that for testing (will write a blog at some point).

  • in reply to shabaz

    I think the "secret sauce" is air circulation.  Where I live (Wisconsin), we primarily use forced hot air furnaces. When I had to replace my furnace a number of years ago, the upgrade was a two speed blower fan.  Of course, it required a thermostat that could control that feature.  If the ΔT is small, the furnace uses the slower blower speed - but runs longer - creating more circulation of the air in the house and a more even distribution of the heat generated.  We perceive a more even distribution of heat in the house - so I'm guessing that it is real.  The "new" furnace produces 35% less heat but the house feels warmer over all.  I think the hysteresis on the old furnace was pretty large to compensate for the overshoot/undershoot.  On the newer furnace... +/- 2 degrees.  If it hits 5 degrees, the blower kicks up to high speed but backs off when it gets within 2 degrees of the target temperature.  Sudo-proportional response - I guess. Relaxed

    For those with radiator heat, a possible solution is the one we use when it gets really cold (single digit Fahrenheit); the ceiling fan.  We use them so the stagnant air in the corners of the ceilings doesn't condense and drop water on our heads - while we sleep.  Yes.  It has really happened.  It also mixes that cold "wall air" into the flow that the return air draws from.  If you don't have a ceiling fan, any fan should help - including a repurposed PC fan.

    I don't have a solution for perceived cold - like why my wife feels cold when the sun starts to set - regardless of the temperature of the house.  Or why she feels hot if I put the fireplace DVD in the player.

  • in reply to shabaz

    I'm sitting here just now with two t-shirts on, the room thermometer is saying 17°C the Winter sunlight is making it into the room either side and I'm feeling pretty comfortable.

    By the evening though, even though the room thermometer is still saying 17°C, I'll likely be wearing a thin fleece layer to feel the same level of comfort but will still notice the lack of radiated heat from the windows.

    Using my funky e14 solar power meter (thanks e14 !) , I'm seeing readings of about 2W/m² and 4W/m² from either side of me, whilst sat at the desk.

    So having a couple of small IR panel heaters either side that activate when sat at the desk, might be able to compensate for this.

  • in reply to shabaz

    Reading is a passion I won't shake. It salves the introvert in me. Three books on the go at the moment. I have over 200 unread books on my tablet. I subscribe to a book advertising service bookbub.com. They post notices of books at reduced prices, less than two bucks. I've groomed the filter to send me a daily list of possible reads. My last holiday I finished 12 books in 14 days. Can't beat a reader for making book selection portable.

    In my books (ha) you are one of the senior members of this community. I look forward to your posts. When I have a technical problem that gives me cause to post here. Your response are insightful. Thanks for giving up some time to the community. I know I benefit.

  • in reply to colporteur

    I have a load of dev boards that I've not had a chance to use. Sometimes I really want to, but it's hard to dedicate enough time to learn them in enough depth so they end up almost permanently on hold : (

    I particularly have a problem with books.. I'll buy them frequently, but finding time to read them sometimes seems impossible... I'll planning to drop off a load of them at the local hospital library, many still brand new and unread.

    I might actually start and finish this one, because it's attractively got few pages : )  And it's in the theatre in a few months, so I have plenty of time. (I've seen the Barbara Stanwyck movie a few times).

    image