Does anyone know the correct settings for sniffing z-wave packets with CC1111?
Hi Paul,
I'm not sure if we have this capability, but I will look into this and get back to you.
Thanks,
Alexis
Based on the phy description listed here: https://www.rfwireless-world.com/Tutorials/z-wave-tutorial.html it should be possible.
Thanks for your response. I was pretty sure it should be possible in principle, but I've been unable so far to make it work in practice. I presume it is just a question of finding exactly the right combination of settings and was hoping someone would have been there before me and already found this out. Any suggestions would be welcomed.
Regards,
PaulK
We don't have any devices that send a z-wave packet here and hence I'm not able to test it.
How have you set up CC1111 so far? Do you know the sync word the device you want to sniff uses?
I am trying to use the CC1111 to sniff z-wave traffic between an Aeotec z-stick (connected to a PC running Domoticz software) and a TKBHome z-wave plug-in switch. I can successfully turn the switch on and off using the Domoticz software, so I know that z-wave messages are being sent. However, I have not been able to detect them using the CC1111/Packet Sniffer despite trying various settings based on z-wave documentation and reports from projects such as Z-force (which used a CC1110).
Any suggestions would be welcomed.
How have you set up CC1111 so far? Do you know the sync word the device you want to sniff uses?
I have tried various register settings, e.g.
Register  | Address | Value
PKTLEN    | 0xDF02  | 0x30
PKTCTRL0  | 0xDF04  | 0x04
FSCTRL1   | 0xDF07  | 0x06
FREQ2     | 0xDF09  | 0x24
FREQ1     | 0xDF0A  | 0x2F
FREQ0     | 0xDF0B  | 0x25
MDMCFG4   | 0xDF0C  | 0xB9
MDMCFG3   | 0xDF0D  | 0xA3
MDMCFG2   | 0xDF0E  | 0x0C
MDMCFG1   | 0xDF0F  | 0x23
MDMCFG0   | 0xDF10  | 0x11
DEVIATN   | 0xDF11  | 0x36
MCSM0     | 0xDF14  | 0x18
FOCCFG    | 0xDF15  | 0x17
BSCFG     | 0xDF16  | 0x6C
AGCCTRL2  | 0xDF17  | 0x03
AGCCTRL1  | 0xDF18  | 0x40
AGCCTRL0  | 0xDF19  | 0x91
FREND1    | 0xDF1A  | 0x56
FSCAL3    | 0xDF1C  | 0xE9
FSCAL2    | 0xDF1D  | 0x2A
FSCAL1    | 0xDF1E  | 0x00
FSCAL0    | 0xDF1F  | 0x1F
TEST2     | 0xDF23  | 0x81
TEST1     | 0xDF24  | 0x35
TEST0     | 0xDF25  | 0x09
PA_TABLE0 | 0xDF2E  | 0x50
IOCFG0    | 0xDF31  | 0x00
VERSION   | 0xDF37  | 0x04
Re the sync word, no, I don't know. Slides from the Z-force project I've seen include screen shots using either 'No preamble/sync, carrier-sense above threshold' or '16/16 + carrier sense above threshold'. I've tried both. I have noticed that changing the Sync Word settings in the SmartRF Studio device control panel doesn't cause the SYNC1 and SYNC0 register values in the register view to change -- I don't know if this is significant.
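What a register dump like the one above actually configures can be backed out from the CC1110/CC1111 datasheet formulas, which is the first check worth doing before changing anything. The program below is an added example, not code from the thread, from TI or from SmartRF Studio. It assumes a CC1111 reference frequency of 24 MHz (the 48 MHz crystal divided by two, per the datasheet), which is the value that turns the posted FREQ2..0 into the 868.42 MHz printed on the Z-stick, and that the MDMCFG4/3/2/1/0, DEVIATN and PKTCTRL0 bit fields are laid out as on the CC1101 radio core. The struct, function names and the summary printer are mine; the register values are the ones posted.

```c
#include <stdint.h>
#include <stdio.h>

/* CC1111 reference for the RF formulas: 48 MHz crystal / 2 (assumption from
 * the CC1110/CC1111 datasheet; reproduces the 868.42 MHz on the Z-stick). */
#define F_REF_HZ 24000000.0

struct cc1111_rf {
    uint8_t freq2, freq1, freq0;
    uint8_t mdmcfg4, mdmcfg3, mdmcfg2, mdmcfg1, mdmcfg0;
    uint8_t deviatn, pktctrl0, pktlen;
};

/* Values copied from the register dump posted in the thread. */
const struct cc1111_rf posted_cfg = {
    0x24, 0x2F, 0x25,
    0xB9, 0xA3, 0x0C, 0x23, 0x11,
    0x36, 0x04, 0x30
};

/* Base carrier: f_ref / 2^16 * FREQ[23:0] */
double cc_base_freq_hz(const struct cc1111_rf *r)
{
    uint32_t freq = ((uint32_t)r->freq2 << 16) | ((uint32_t)r->freq1 << 8) | r->freq0;
    return F_REF_HZ / 65536.0 * freq;
}

/* Channel spacing: f_ref / 2^18 * (256 + CHANSPC_M) * 2^CHANSPC_E */
double cc_chan_spacing_hz(const struct cc1111_rf *r)
{
    unsigned e = r->mdmcfg1 & 0x03, m = r->mdmcfg0;
    return F_REF_HZ / 262144.0 * (256 + m) * (1u << e);
}

/* Carrier actually tuned for a given CHANNR value */
double cc_channel_freq_hz(const struct cc1111_rf *r, unsigned channr)
{
    return cc_base_freq_hz(r) + channr * cc_chan_spacing_hz(r);
}

/* Programmed symbol rate: f_ref * (256 + DRATE_M) * 2^DRATE_E / 2^28 */
double cc_data_rate_baud(const struct cc1111_rf *r)
{
    unsigned e = r->mdmcfg4 & 0x0F, m = r->mdmcfg3;
    return F_REF_HZ * (256 + m) * (1u << e) / 268435456.0;
}

/* RX filter bandwidth: f_ref / (8 * (4 + CHANBW_M) * 2^CHANBW_E) */
double cc_rx_bw_hz(const struct cc1111_rf *r)
{
    unsigned e = (r->mdmcfg4 >> 6) & 0x03, m = (r->mdmcfg4 >> 4) & 0x03;
    return F_REF_HZ / (8.0 * (4 + m) * (1u << e));
}

/* FSK deviation: f_ref / 2^17 * (8 + DEVIATION_M) * 2^DEVIATION_E */
double cc_deviation_hz(const struct cc1111_rf *r)
{
    unsigned e = (r->deviatn >> 4) & 0x07, m = r->deviatn & 0x07;
    return F_REF_HZ / 131072.0 * (8 + m) * (1u << e);
}

/* MDMCFG2 and PKTCTRL0 bit fields */
unsigned cc_mod_format(const struct cc1111_rf *r)  { return (r->mdmcfg2 >> 4) & 0x07; } /* 0 = 2-FSK, 1 = GFSK */
int      cc_manchester(const struct cc1111_rf *r)  { return (r->mdmcfg2 >> 3) & 0x01; }
unsigned cc_sync_mode(const struct cc1111_rf *r)   { return r->mdmcfg2 & 0x07; }
int      cc_crc_enabled(const struct cc1111_rf *r) { return (r->pktctrl0 >> 2) & 0x01; }
unsigned cc_length_mode(const struct cc1111_rf *r) { return r->pktctrl0 & 0x03; }      /* 0 = fixed, 1 = variable */

/* Small helper for tolerance comparisons on derived frequencies */
double hz_err(double a, double b) { return a > b ? a - b : b - a; }

void cc_print_summary(const struct cc1111_rf *r)
{
    static const char *sync[] = { "none", "15/16", "16/16", "30/32",
                                  "none+CS", "15/16+CS", "16/16+CS", "30/32+CS" };
    printf("carrier   %.4f MHz, CHANNR 7 -> %.4f MHz\n",
           cc_base_freq_hz(r) / 1e6, cc_channel_freq_hz(r, 7) / 1e6);
    printf("spacing   %.1f kHz\n", cc_chan_spacing_hz(r) / 1e3);
    printf("rate      %.1f kBaud, manchester=%d\n", cc_data_rate_baud(r) / 1e3, cc_manchester(r));
    printf("rx bw     %.1f kHz, deviation %.1f kHz\n", cc_rx_bw_hz(r) / 1e3, cc_deviation_hz(r) / 1e3);
    printf("mod fmt   %u, sync mode %s\n", cc_mod_format(r), sync[cc_sync_mode(r)]);
    printf("chip CRC  %s, length mode %u (PKTLEN %u)\n",
           cc_crc_enabled(r) ? "on" : "off", cc_length_mode(r), r->pktlen);
}

int main(void) { cc_print_summary(&posted_cfg); return 0; }
```

Run against the posted values this reports a base carrier of about 868.42 MHz, 200 kHz channel spacing (so CHANNR 7 lands near the 869.82 MHz seen on the SDR), a programmed rate of about 19.2 kBaud with Manchester coding switched on, a 107 kHz RX filter, 20.5 kHz deviation, 2-FSK, sync mode "no preamble/sync, carrier sense above threshold", fixed 48-byte packets, and the chip's own CRC check enabled. The rate line is the one to hold against the Z-Wave data rates; and because the CC1111's CRC is not the Z-Wave FCS, with CRC_EN set it is worth confirming PKTCTRL1.CRC_AUTOFLUSH is clear so frames are not silently dropped.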
To be able to sniff a packet you have to use the same sync word as the device that sends the packet. You have to figure out this first. You can also try to set the sync word to 0xAAAA (16 bit), then you should receive something.
How do you know the center frequency used for the Z-wave device you are trying to sniff and which mode it operates on?
The Z-stick itself is marked as using 868.42MHz. I have tried using a USB SDR device and SDR# software to detect transmissions. I couldn't see anything around 868.42MHz, but there is a visible signal centred ~869.82MHz, which is close to one of the alternative frequencies used in Europe. I have been sniffing around both frequencies, trying channels from 0-20.
Can you clarify what you mean by mode, please?
When I did a quick google search on z-wave I got the impression that more than one data rate etc are possible.
Thanks for the reminder, I'm making progress at last. It looks like the message traffic I'm trying to sniff is using the highest rate (Rate 3). I can now see consistently repeated patterns in the messages detected using RF Studio. These patterns make sense (translate as Home ID, etc.) if I flip the bits. Do you know of any way I can instruct the CC1111 or RF Studio to flip the bits automatically?
Apologies if I have been slow on the uptake -- this is all new for me. I'm very grateful for your help.
PaulK
Don't think so, but this is something that it's easy to do on the MCU side.
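Doing the flip on the MCU and then reading the frame is only a few lines. The following is an added example in C, not code from the thread or from TI, of a receive-side routine: complement every byte of the buffer the radio handed over, split off the Z-Wave header fields and check the Rate 3 FCS. The header layout (4-byte Home ID, source node, 2-byte frame control, a length byte covering the whole frame, destination node) and the R3 CRC parameters (CRC-16, polynomial 0x1021, initial value 0x1D0F) are taken from the public ITU-T G.9959 description, not from anything in the thread, and should be treated as assumptions to verify against real captures. The sample frame is constructed (made-up Home ID and node IDs, a Switch Binary Set payload) and the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZW_HDR_LEN    9   /* Home ID(4) + src(1) + frame control(2) + length(1) + dst(1) */
#define ZW_R3_FCS_LEN 2   /* Rate 3 carries a 16-bit CRC (assumption, G.9959) */

/* Header of a Z-Wave R3 MAC frame in wire order (layout assumed from G.9959). */
struct zwave_hdr {
    uint32_t home_id;
    uint8_t  src_node;
    uint16_t frame_ctrl;
    uint8_t  length;     /* whole frame incl. header and FCS (assumption) */
    uint8_t  dst_node;
};

/* The radio hands the bits over inverted; undo that with one complement per byte. */
void zwave_invert(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)~buf[i];
}

/* CRC-16, polynomial 0x1021, init 0x1D0F, no reflection (CRC-16/AUG-CCITT).
 * Assumed to be the R3 FCS; the check value for "123456789" is 0xE5CC. */
uint16_t zwave_crc16(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0x1D0F;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Parse an already un-inverted frame. 0 = ok, -1 = length field does not fit
 * the buffer, -2 = FCS mismatch. *payload points into buf. */
int zwave_parse_r3(const uint8_t *buf, size_t len, struct zwave_hdr *h,
                   const uint8_t **payload, size_t *payload_len)
{
    if (len < ZW_HDR_LEN + ZW_R3_FCS_LEN)
        return -1;
    h->home_id    = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
                  | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    h->src_node   = buf[4];
    h->frame_ctrl = (uint16_t)((buf[5] << 8) | buf[6]);
    h->length     = buf[7];
    h->dst_node   = buf[8];
    if (h->length < ZW_HDR_LEN + ZW_R3_FCS_LEN || h->length > len)
        return -1;
    size_t body = (size_t)h->length - ZW_R3_FCS_LEN;   /* bytes covered by the CRC */
    uint16_t fcs = (uint16_t)((buf[body] << 8) | buf[body + 1]);
    if (zwave_crc16(buf, body) != fcs)
        return -2;
    *payload = buf + ZW_HDR_LEN;
    *payload_len = body - ZW_HDR_LEN;
    return 0;
}

/* Receive path: flip the raw RX buffer in place, then parse it. */
int zwave_sniff_r3(uint8_t *raw, size_t len, struct zwave_hdr *h,
                   const uint8_t **payload, size_t *payload_len)
{
    zwave_invert(raw, len);
    return zwave_parse_r3(raw, len, h, payload, payload_len);
}

/* Build header + payload + FCS into out (used only to construct the sample).
 * Returns the frame length, or 0 if it does not fit. */
size_t zwave_build_r3(uint8_t *out, size_t cap, const struct zwave_hdr *h,
                      const uint8_t *payload, size_t payload_len)
{
    size_t total = ZW_HDR_LEN + payload_len + ZW_R3_FCS_LEN;
    if (total > cap || total > 255)
        return 0;
    out[0] = (uint8_t)(h->home_id >> 24); out[1] = (uint8_t)(h->home_id >> 16);
    out[2] = (uint8_t)(h->home_id >> 8);  out[3] = (uint8_t)h->home_id;
    out[4] = h->src_node;
    out[5] = (uint8_t)(h->frame_ctrl >> 8); out[6] = (uint8_t)h->frame_ctrl;
    out[7] = (uint8_t)total;
    out[8] = h->dst_node;
    memcpy(out + ZW_HDR_LEN, payload, payload_len);
    uint16_t fcs = zwave_crc16(out, total - ZW_R3_FCS_LEN);
    out[total - 2] = (uint8_t)(fcs >> 8);
    out[total - 1] = (uint8_t)fcs;
    return total;
}

/* Constructed sample: node 1 tells node 5 to switch on (Switch Binary Set,
 * 0x25 0x01 0xFF). Home ID, node IDs and frame control are made up; the
 * buffer is inverted first so it looks like what the CC1111 delivers. */
int demo(void)
{
    const struct zwave_hdr tx = { 0xC1A2B3D4u, 1, 0x4100, 0, 5 };
    const uint8_t cmd[] = { 0x25, 0x01, 0xFF };
    uint8_t raw[64];
    size_t n = zwave_build_r3(raw, sizeof raw, &tx, cmd, sizeof cmd);
    zwave_invert(raw, n);
    struct zwave_hdr rx; const uint8_t *pl; size_t pl_len;
    int rc = zwave_sniff_r3(raw, n, &rx, &pl, &pl_len);
    if (rc == 0)
        printf("home %08X  src %u -> dst %u  len %u  payload %02X %02X %02X\n",
               (unsigned)rx.home_id, rx.src_node, rx.dst_node, rx.length, pl[0], pl[1], pl[2]);
    return rc;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

zwave_crc16 over the string "123456789" returns 0xE5CC, the published check value for that CRC variant, which is a quick way to confirm the implementation before trusting it on captures. On a real capture the first sign that the layout assumption holds is the length byte agreeing with the number of bytes before the FCS; if the CRC then fails on every frame, the polynomial or initial value is the next thing to question, not the bit flip.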