(no title)

Like Andrew, I looked up the FCC ID to find the right frequency for Simplisafe. I used a RTL2832 USB device ($25, from Amazon) and SDRSharp on Windows to record the signals. I used Audacity to look at the raw recordings and figure out that it was on-off keying, with a pulse length of about 5 microseconds.

I fed those raw recordings into a Gnuradio program I built (on Kali - I had trouble setting it up on Ubuntu so I gave up and just used a Kali image). I realize now that Gnuradio can interface directly with an SDR, but at the time, I already had all the recordings saved, so I just worked with those. I wanted to use Gnuradio's fancy clock sync module to convert the pulses directly to symbols, but I couldn't get it to work. So I used a threshold detector instead, with a rate limiter, so the output consisted of strings about 120 1s or 0s per pulse. I wrote a Python script to convert those into a text representation with just a single 1 or 0 for each pulse.

It was easy enough to identify a preamble that comes with each transmission, and then most of my effort went into comparing like transmissions from different devices (e.g. "door open" from my three door sensors), or different messages from the same device (e.g. "door open" vs. "door closed" from the same sensor). If their encoding scheme is a standard or well-known one, I certainly wasn't able to find it. It took a lot of frustrating dead-ends to finally figure it out.

With that done, I wrote more Python code to decode a recorded transmission, or put together a transmission representing any device ID I want, any message I want, etc. I used an Arduino and a cheap 433MHz transmitter/receiver device ($5 from Amazon) to send my transmission, and my base station heard and acknowledged it. I haven't done much more with it since then.