When I moved to my flat, I noticed that the existing heaters could be programmed using an old RF emitter. The programming base was annoying to use and I didn't have the manual at first, so I gave up using it for a while. But still, considering the power costs of heaters in winter, I wanted to make use of these programming functionalities one day.
Playing around with Home Assistant at the time, and browsing the web looking for a ready-made solution to program the heaters alternatively, proved to be inconclusive. I decided to reverse engineer the RF protocol, a proprietary 433 MHz one. I already knew that kind of reverse engineering was possible, but I lacked the skills to do it myself. I purchased an RTL USB adapter, based on a Realtek chipset, in order to sniff the messages transmitted from the programming base to the RF cassettes plugged into the heaters.
Running Universal Radio Hacker (URH) on my Linux laptop, I managed to capture almost all the transmitted messages as files that I could replay using the rtl_433 radio tool. And after playing around with URH, I noticed that the encoding was probably Manchester II-based, but I was too lazy to analyze the bits by myself. I decided to ask Claude if it was possible to parse the capture files and the XML files resulting from Manchester II bit extraction, and it proved to be conclusive. Claude is already able to parse the uploaded capture files internally, which I found quite stunning. First, I wanted to create a protocol dissector for rtl_433 in order to be able to view message transmission in real time. But Claude noticed by itself that the Manchester-encoded signal was asymmetric, so an rtl_433 dissector proved to be complicated to develop, at least for now. It managed to decode almost all possible messages transmitted by the emitting base though, by analyzing the signal and extracting the bits I provided.
As an assistant, Claude allowed me to crack the protocol in one day. Although some mystery remains regarding a few unsupported message types and obscure bytes in frames, Claude was able to provide decoding scripts in Python, C dissector sources for rtl_433 and a draft of an ESPHome module that I could tailor for my own needs.
The next step will be building an ESPHome firmware for an ESP32 development kit, with a CC1101 driven with SPI. I plan to configure Home Assistant so as to program the heaters in an easier way, along with automations.
Some sources and documentation are available here.