
CC1111EMK868-915: Sniffing z-wave packets

Part Number: CC1111EMK868-915
Other Parts Discussed in Thread: TEST2

Does anyone know the correct settings for sniffing z-wave packets with CC1111?

  • Hi Paul,

    I'm not sure if we have this capability, but I will look into this and get back to you.

    Thanks,

    Alexis

  • Based on the PHY description listed here: https://www.rfwireless-world.com/Tutorials/z-wave-tutorial.html it should be possible.

  • Thanks for your response. I was pretty sure it should be possible in principle, but I've been unable so far to make it work in practice. I presume it is just a question of finding exactly the right combination of settings and was hoping someone would have been there before me and already found this out. Any suggestions would be welcomed.

    Regards,

    PaulK

  • We don't have any devices that send a z-wave packet here and hence I'm not able to test it.

    How have you set up CC1111 so far? Do you know the sync word the device you want to sniff uses? 

  • I am trying to use the CC1111 to sniff z-wave traffic between an Aeotec z-stick (connected to a PC running Domoticz software) and a TKBHome z-wave plug-in switch. I can successfully turn the switch on and off using the Domoticz software, so I know that z-wave messages are being sent. However, I have not been able to detect them using the CC1111/Packet Sniffer despite trying various settings based on z-wave documentation and reports from projects such as Z-force (which used a CC1110).

    Any suggestions would be welcomed.

  • How have you set up CC1111 so far? Do you know the sync word the device you want to sniff uses? 

  • I have tried various register settings, e.g.

    PKTLEN   |0xDF02|0x30
    PKTCTRL0 |0xDF04|0x04
    FSCTRL1  |0xDF07|0x06
    FREQ2    |0xDF09|0x24
    FREQ1    |0xDF0A|0x2F
    FREQ0    |0xDF0B|0x25
    MDMCFG4  |0xDF0C|0xB9
    MDMCFG3  |0xDF0D|0xA3
    MDMCFG2  |0xDF0E|0x0C
    MDMCFG1  |0xDF0F|0x23
    MDMCFG0  |0xDF10|0x11
    DEVIATN  |0xDF11|0x36
    MCSM0    |0xDF14|0x18
    FOCCFG   |0xDF15|0x17
    BSCFG    |0xDF16|0x6C
    AGCCTRL2 |0xDF17|0x03
    AGCCTRL1 |0xDF18|0x40
    AGCCTRL0 |0xDF19|0x91
    FREND1   |0xDF1A|0x56
    FSCAL3   |0xDF1C|0xE9
    FSCAL2   |0xDF1D|0x2A
    FSCAL1   |0xDF1E|0x00
    FSCAL0   |0xDF1F|0x1F
    TEST2    |0xDF23|0x81
    TEST1    |0xDF24|0x35
    TEST0    |0xDF25|0x09
    PA_TABLE0|0xDF2E|0x50
    IOCFG0   |0xDF31|0x00
    VERSION  |0xDF37|0x04

    Re the sync word, no, I don't know. Slides from the Z-force project I've seen include screen shots using either 'No preamble/sync, carrier-sense above threshold' or '16/16 + carrier sense above threshold'. I've tried both. I have noticed that changing the Sync Word settings in the SmartRF Studio device control panel doesn't cause the SYNC1 and SYNC0 register values in the register view to change -- I don't know if this is significant.

  • To be able to sniff a packet you have to use the same sync word as the device that sends the packet. You have to figure out this first. You can also try to set the sync word to 0xAAAA (16 bit), then you should receive something.

  • I've tried setting the sync word to 0xAAAA and also 0x5555. No joy. I pick up random packets -- presumably noise -- but nothing correlated with the signals I'm transmitting. Do you have any other ideas I could try?

  • How do you know the center frequency used for the Z-wave device you are trying to sniff and which mode it operates on? 

  • The Z-stick itself is marked as using 868.42MHz. I have tried using a USB SDR device and SDR# software to detect transmissions. I couldn't see anything around 868.42MHz, but there is a visible signal centred ~869.82MHz, which is close to one of the alternative frequencies used in Europe. I have been sniffing around both frequencies, trying channels from 0-20.

    Can you clarify what you mean by mode, please?

  • When I did a quick google search on z-wave I got the impression that more than one data rate etc. are possible.

  • Thanks for the reminder, I'm making progress at last. It looks like the message traffic I'm trying to sniff is using the highest rate (Rate 3). I can now see consistently repeated patterns in the messages detected using RF Studio. These patterns make sense (translate as Home ID, etc.) if I flip the bits. Do you know of any way I can instruct the CC1111 or RF Studio to flip the bits automatically?

    Apologies if I have been slow on the uptake -- this is all new for me. I'm very grateful for your help.

    PaulK

  • Don't think so, but this is something that it's easy to do on the MCU side.
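Doing the bit flip on the MCU (or on the host that reads the sniffer output) as the last reply suggests, and then checking that the inverted bytes form a consistent Z-Wave frame rather than the noise mentioned earlier in the thread. This is an added example, not code from the thread or from TI: the header layout (HomeID, source, frame control, length, destination) follows ITU-T G.9959, the CRC-16 parameters (polynomial 0x1021, initial value 0x1D0F) are what I take the spec to give for Rate 3 and should be confirmed against it, and the sample frame values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Z-Wave singlecast MPDU header (G.9959): HomeID(4) SrcID(1) FrameCtrl(2) Len(1) DstID(1) */
#define ZW_HDR_LEN     9
#define ZW_R3_FCS_LEN  2

typedef struct {
    uint32_t home_id;
    uint8_t  src, dst, length;
    int      valid;   /* 1 when the length field and the CRC both agree with the buffer */
} zw_frame_t;

/* Undo the inversion seen in the raw capture: complement every byte in place. */
static void invert_bits(uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)~buf[i];
}

/* Bitwise CRC-16, polynomial 0x1021. Init 0x1D0F is assumed to be the R3 value from G.9959. */
static uint16_t crc16_ccitt(const uint8_t *buf, size_t n, uint16_t crc) {
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)((uint16_t)buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Invert a captured buffer and parse it as an R3 frame; noise fails the length or CRC check. */
static zw_frame_t parse_r3_capture(const uint8_t *raw, size_t n) {
    zw_frame_t f; memset(&f, 0, sizeof f);
    uint8_t buf[64];
    if (n < ZW_HDR_LEN + ZW_R3_FCS_LEN || n > sizeof buf) return f;
    memcpy(buf, raw, n);
    invert_bits(buf, n);
    f.home_id = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    f.src = buf[4]; f.length = buf[7]; f.dst = buf[8];
    if ((size_t)f.length != n) return f;          /* length counts the whole MPDU incl. FCS */
    uint16_t fcs = (uint16_t)(((uint16_t)buf[n - 2] << 8) | buf[n - 1]);
    f.valid = (crc16_ccitt(buf, n - 2, 0x1D0F) == fcs);
    return f;
}

/* Constructed sample: HomeID 0xDEADBEEF, node 1 -> node 5, 3-byte payload; CRC appended, then inverted. */
static size_t build_sample_capture(uint8_t *out, size_t cap) {
    uint8_t frame[64] = {0xDE,0xAD,0xBE,0xEF, 0x01, 0x41,0x01, 0x00, 0x05, 0x25,0x01,0xFF};
    size_t n = 12 + ZW_R3_FCS_LEN;
    if (cap < n) return 0;
    frame[7] = (uint8_t)n;
    uint16_t fcs = crc16_ccitt(frame, n - 2, 0x1D0F);
    frame[n - 2] = (uint8_t)(fcs >> 8); frame[n - 1] = (uint8_t)fcs;
    invert_bits(frame, n);                         /* mimic what the sniffer displays */
    memcpy(out, frame, n);
    return n;
}
```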