Close
0%
0%

Blanket: The Smoke Signal Gateway

An open source WiFi Gateway for the ThermoWorks Smoke thermometer.

skytoastarskytoastar
Following
Liked Like project

Just one more thing

To make the experience fit your profile, pick a username and tell us what interests you.

Pick an awesome username
hackaday.io/
Your profile's URL: hackaday.io/username. Max 25 alphanumeric characters.
Pick a few interests
Projects that share your interests
People that share your interests

We found and based on your interests.

Choose more interests.

OK, I'm done! Skip
Public Chat
Similar projects worth following
1.3k views
0 comments
8 followers
Public Chat
ThermoWorks sells a WiFi gateway for their Smoke thermometer. Let's make an open source version! Smoke uses a NRF24L01+ radio. Those are like $1. Combine that with a NodeMCU board to give this project its requisite ESP8266 then we can make a gateway for about $5 in parts! The rest is all software (famous last words).

So far the Smoke transmission signals have been decoded. No actual software has been written. Here are some things left that need to be done (no particular order):

  • NRF24L01+ driver for the ESP8266 (existing Arduino library?)
  • Coding up the receiver sync process
  • Radio sleep/wake cycles
  • ESP8266 gateway setup (https://github.com/tzapu/WiFiManager looks promising)
  • ESP8266 Device Discovery (by a computer on the local network)
  • Handling multiple gateways on the same network
  • Re-transmitting the data onto the WiFi network (MQTT? something else?)
  • Log the data to a database
  • Display the data
  • ...

  • 1 × NodeMCU Dev Board
  • 1 × NRF24L01+

  • Decoding the Smoke Signals

    skytoastar08/11/2018 at 14:26 1 comment

    It's surprising sometimes how much information a company hands over to the FCC. Our ID of interest is 2AI67-TX1300CH. If you look at the exhibits list you'll find internal photos (what's that I see? a NRF24L01+ radio?) and a handy test report (you say it broadcasts on Channels 10, 40, and 70?) and surprisingly even a "FREQUENCE AND HOPPING SYSTEM" report that describes how it broadcasts on those three channels (every ~16 seconds it broadcasts on each of the three channels). I didn't even have to take my device apart. There's also no report for the portable display that comes with the thermometer so we know the portable display doesn't transmit. Thanks FCC!

    That being said, there are still a number of NRF24L01+ parameters we still don't know. It is using ShockBurst? CRC length? Address length? Address value? Payload length? Data rate? (Someone smarter than me would have figured out data rate from the FCC test report. Someone like me ends up using that info to make an incorrect judgement and going down a dead end for several days.)

    I assumed the radio was using a 1 Mbps rate based on the test report. First I used an Arduino and NRF24L01+ to try to sniff for packets as described on Yveaux's blog and using an address of 0x0055 (the preamble). After many fruitless attempts I decided this was a good excuse to buy an ADALM-PLUTO SDR. (I thought about using a downconverter with an RTL-SDR but after considering the cost, an ADALM-PLUTO made more sense.)

    An entire project log needs to be dedicated to just setting up the ADALM-PLUTO SDR. Analog Device's wiki is sufficient but lacking, in my opinion, if you're running Windows. But for now I'll cut to the chase and say it is actually using 250 kbps. Finding that out reminded my face what my palm feel like. (Using this data rate with Yveaux's software was much more successful, though not needed after decoding with the SDR.)

    My Smoke was transmitting with an address of 0x36BD529F51. Does every Smoke use this address? I doubt it. BBQ competitions would be a problematic place to use a Smoke if that were the case. I don't have two Smoke thermometers to know for sure but if I had to guess they use the first three bytes (0x36BD52) for all units and then choose a random number for the last two bytes for each device. NRF24L01+ radios are designed to sync onto 3, 4, or 5 byte addresses. So a receiver sync process could be designed as follows:

    1. Listen always for a packet with: Address (0x36BD52)
    2. Take the first two "payload" bytes and append them to the base address.
    3. Sleep for ~16 seconds.
    4. Wake and listen for the next transmission, listening for the full 5 byte address.
    5. Repeat steps 3 and 4.

    This is speculation. It could be just one byte of uniquely identifying information. Or maybe it's zero bytes and it relies on the long sleep times to avoid collisions. Or maybe it's actually much more complicated than that. Having more information from more Smoke units would help clarify this information.

    Here's a brain teaser: With two bytes of uniquely identifying information, what's the likelihood of a collision? (Left as an exercise for the reader. Hint: birthday problem.)

    Here are the full details of the transmission:

    • 5 byte address
    • No ShockBurst
    • 21 byte payload
    • 2 byte CRC
    • Channels 10, 40, and 70
    • 250 kbps
    • 20 transmissions per channel every 16 seconds or so.
    • ~500ms per channel to perform the 20 transmissions.
    • ~15 seconds from the end of last transmission to the beginning of the next.

    And the payload:

    • Little endian byte order:
    • 2: Probe 1 Temp
    • 2: Probe 1 MAX Alarm Temp
    • 2: Probe 1 MIN Alarm Temp
    • 2: Probe 2 Temp 
    • 2: Probe 2 MAX Alarm Temp
    • 2: Probe 2 MIN Alarm Temp
    • 1: Alarm 1 ON(1)/OFF(0) 
    • 1: Probe 1 Inserted(0)/Not(3) 
    • 1: Alarm 2 ON(1)/OFF(0) 
    • 1: Probe 2 Inserted(0)/Not(3) 
    • 1: Units of C(0) or F(1) 
    • 1: Sync timing offset?
    • 3: Unknown (constant value of 0x009600)

    All two-byte temperatures are signed 16-bit integers and are in...

    Read more »

View project log

Enjoy this project?

Share

Discussions

Similar Projects

Write and Read data like text, images, etc which cannot be stored on Arduino due to large size
Project Owner Contributor

Reading and Writing Data to External EEPROM Using

naman-chauhanNaman Chauhan

Reverse engineering of proprietary RS-485 bus protocol
Project Owner Contributor

ASI Controls HVAC control bus investigation

mild-lee-interestedMild Lee Interested

Use LORA via GPIO and a full-duplex serial emulator for serial a connection intended for extended range use.
Project Owner Contributor

Chirppp, Serial over LORA

dominic-demarcoDominic DeMarco

Trying to communicate with a device with an undocumented protocol
Project Owner Contributor

WIERD PROTOCOL

gabrielGabriel

Does this project spark your interest?

Become a member to follow this project and never miss any updates

Going up?

About Us Contact Hackaday.io Give Feedback Terms of Use Privacy Policy Hackaday API

© 2024 Hackaday

Yes, delete it Cancel

Report project as inappropriate

You are about to report the project "Blanket: The Smoke Signal Gateway", please tell us the reason.

Send message

Your application has been submitted.

Remove Member

Are you sure you want to remove yourself as a member for this project?

Project owner will be notified upon removal.