rtl-wmbus icon indicating copy to clipboard operation
rtl-wmbus copied to clipboard

Published 20 hours ago verified publisher icon xaelsouth

cannot recover corrupted preamble

Open Freax13 opened this issue 11 months ago • 0 comments

I'm trying to receive the messages from HCA E2 sensors. I can receive messages sent by other sensors, but for some reason, rtl-wmbus doesn't receive the messages sent by my HCA E2 sensors. I saved some IQ data using rtl_sdr -f 868.95M -s 1.6e6 data.dat, truncated it, and attached it to this issue here. rtl_433 seems to be able to receive messages from the sensors (including from the attached file), so I don't think it's an issue in my radio receiver setup.

I tried debugging this issue, and it seems that the preambles for the T1 messages sent by the sensors are severely corrupted. When I increase ACCESS_CODE_T1_C1_ERRORS to 6, I can receive the messages sent by the HCA E2 sensors:

diff --git a/rtl_wmbus.c b/rtl_wmbus.c
index f026700..a34fb7d 100644
--- a/rtl_wmbus.c
+++ b/rtl_wmbus.c
@@ -73,7 +73,7 @@
 
 static const uint32_t ACCESS_CODE_T1_C1 = 0b0101010101010000111101u;
 static const uint32_t ACCESS_CODE_T1_C1_BITMASK = 0x3FFFFFu;
-static const unsigned ACCESS_CODE_T1_C1_ERRORS = 1u; // 0 if no errors allowed
+static const unsigned ACCESS_CODE_T1_C1_ERRORS = 6u; // 0 if no errors allowed
 
 static const uint32_t ACCESS_CODE_S1 = 0b000111011010010110u;
 static const uint32_t ACCESS_CODE_S1_BITMASK = 0x3FFFFu;

I used the following patch to print out the preambles (executed with ./build/rtl_wmbus -t 0):

diff --git a/rtl_wmbus.c b/rtl_wmbus.c
index f026700..00d5866 100644
--- a/rtl_wmbus.c
+++ b/rtl_wmbus.c
@@ -721,6 +721,7 @@ static void runlength_algorithm_t1_c1(unsigned raw_bit, unsigned rssi, struct ru
 
             if (count_set_bits((algo->bitstream & ACCESS_CODE_T1_C1_BITMASK) ^ ACCESS_CODE_T1_C1) <= ACCESS_CODE_T1_C1_ERRORS)
             {
+                printf("Preamble detected. bits=%08x error=%08x\n", algo->bitstream, (algo->bitstream & ACCESS_CODE_T1_C1_BITMASK) ^ ACCESS_CODE_T1_C1);
                 bit |= (1u<<PACKET_PREAMBLE_DETECTED_SHIFT); // packet detected; mark the bit similar to "Access Code"-Block in GNU Radio
             }

One of the preambles preceding a message by sensor 02717473 looks like this:

Preamble detected. bits=99353625 error=00206218

As you can see, a large number of bits are incorrect.

Oddly enough, it seems to me that only the preambles are corrupted, the following messages themselves seem completely fine (the CRC check passes and I can decrypt the payload). What's going wrong here? Why is the preamble so corrupted and is there a way to recover from that?

Freax13 avatar Mar 21 '24 15:03 Freax13