# Testing the encoding scheme hypothesis

A project log for Sniff the Wireless Data of a Sports Wrist Watch

Reverse engineer the wireless protocol between a chest belt heart rate monitor and its wrist watch that displays the beats per minute

First, thank you all for the effort put in reverse engineering the encoding scheme, great job!

Now it's time to test the hypothesis some more.

To do this, it would be helpful to be able to transmit any code, valid or invalid, and see how the receiver reacts. The Crivit chest belt can't do that, so we need to build our own radio transmitter. With a carrier frequency of only 110 kHz, it should be easy to digitally synthesize the entire modulated carrier.

A few lines of code later, it turns out that a simple wire connected to a digital output is good enough as a Tx antenna, and an Arduino UNO is fast enough to generate the carrier, modulate it, and at the same time talk to a computer over the serial port:

This will allow us to put on air any combination of 0's and 1's that we might want to test.


New findings

• for an invalid code, the wristwatch will keep displaying the last valid number received, but the heart symbol will stop blinking, just like in the case of no signal
• there is no handshake protocol, so the watch will display any valid code received, even if the chest belt ID is changed. All the following codes were displayed as one hundred:
```
S 111100 0101000100011
S 111010 0101000100011
S 111001 0101000100011
S 110011 0101000100011
```
• the total number of bits can vary, i.e. the following codes are both displayed as a valid one hundred:
```
S 110011 0101000100011
S 1100100 0101000100011
```
• so far, the encoding scheme found by @killy.mxi can predict valid codes even for numbers that were out of reach for the original chest belt transmitter. The following codes predicted for numbers between 234..239 were displayed as valid:
```
1110010010010
1110010011100
1110011001100
1110011010100
1110011100100
1110011111000
```
Still, for predicted codes corresponding to numbers greater than 239, the blinking heart stops. This might be because the receiver was designed to act like that, but this is not yet certain.

Manually typing each code to be tested proves to be useful, but also very time consuming and prone to errors. Since our radio Tx is now able to transmit any codes coming from the serial port, it will allow us to do automated testing. This will be the next step.
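One way to prepare such an automated run is to generate the test frames up front, in the same notation used above. This is an added example, not code from the project: the function names are hypothetical, treating the middle field as the chest belt ID follows the findings above, and sending the frames to the transmitter is left out because the log does not describe the serial format.

```python
from itertools import product

# Frame taken from the findings above; the watch displayed it as one hundred.
KNOWN_ID = "111100"
KNOWN_PAYLOAD = "0101000100011"


def frame(id_bits, payload):
    """Format a frame in the log's notation: 'S <id bits> <payload bits>'."""
    return f"S {id_bits} {payload}"


def flip(bits, i):
    """Return the bit string with the bit at index i inverted."""
    return bits[:i] + ("1" if bits[i] == "0" else "0") + bits[i + 1:]


def id_sweep(payload, width=6):
    """Every ID of the given width with the payload unchanged.

    Shows whether the receiver binds to one transmitter ID at all.
    """
    return [frame("".join(b), payload) for b in product("01", repeat=width)]


def payload_bit_flips(id_bits, payload):
    """Each single-bit corruption of the payload.

    Shows which bit positions the receiver actually validates.
    """
    return [frame(id_bits, flip(payload, i)) for i in range(len(payload))]


def build_plan():
    """Labelled list of frames: a known-good baseline, then the two sweeps."""
    plan = [("baseline", frame(KNOWN_ID, KNOWN_PAYLOAD))]
    plan += [("id_sweep", f) for f in id_sweep(KNOWN_PAYLOAD)]
    plan += [("payload_flip", f)
             for f in payload_bit_flips(KNOWN_ID, KNOWN_PAYLOAD)]
    return plan


if __name__ == "__main__":
    for label, f in build_plan():
        print(f"{label}\t{f}")
```

Recording the watch's reaction next to each label (number shown, heart blinking or not) turns the manual findings above into a repeatable table.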