Monday, December 27, 2010

Davis Weather Station Hacking

It is now the Christmas break and I've got a bit of time on my hands.  I have been bugged for some time by the fact that my Davis Vantage Pro 2 Wireless weather station is not very hacker friendly.  Maybe it is time to change that.  It is out of warranty now and I decided to open it up to see what makes this thing tick.

This is the guts of the VP2 Wireless Console.  The controller board is on the left and the display to the right.  The controller board PCB is just double-sided, and contains contact pads for the buttons on the other side.  The bottom part of the unit is where the batteries normally go.  There are just three screws holding the back on and it comes off pretty easily.  One thing you'll want to do before trying this is to put the console into config mode by hitting the Done button and then Down Arrow.  According to the manual, this ensures that the unit isn't trying to write to flash before it loses power.  And it will lose power.  The AC adapter has to be pulled before the back can come off, and the batteries make connection to the main board with just a couple of clips rather than a set of wires.  Losing power is no big deal though: the unit remembers its settings once power is restored again.  Nice.

And no "Warranty Void if Sticker Removed" nonsense either

The first thing I noticed is that the CPU is an Atmel ATMEGA 128L running at 1.8432 MHz.  I was afraid it might have some kind of a custom processor or something to keep power consumption low.  But you don't get more common than an ATMEGA chip, and there are a lot of freely available tools out there that should simplify digging into this.
Oh, you and I are going to get to know each other a lot better soon.
 The second thing I noticed was the radio transceiver chip.  Again, I feared something custom here.  But it turns out that this is a CC1021 from Texas Instruments (data sheet).  TI describes it as a "true single-chip UHF transceiver designed for very low power and very low voltage wireless applications."  Sounds about right.  Hanging off of it is a 833 MHz crystal.  Anywhere I've read about people trying to decode the transmissions from the station were always put off by Davis' "frequency hopping spread spectrum" advertising.  This is much more advanced than the old FSK method they used.  But hey, if you know the transceiver and you know how it is set up, then that opens up some interesting possibilities.
You don't scare me.  I do RF all day at work.

The one thing I don't care about much is the LCD.  It is apparently a custom unit built by Ocular LCD labeled A4144PCB-2.  It doesn't appear on their website (that I could find after 20 seconds of looking anyway).

So the next thing I'm planning to do is order up a Bus Pirate.  This will let me sniff the SPI interface between the Atmega and the transceiver to see how they are configuring it.  While that is in transit, I want to beep out the connection between these two chips, and the connection between the CPU and the expansion interface.  Davis also makes the CPU firmware available, and I might take a shot at building up an emulator so I could figure out how the raw data from the radio gets processed and put out to the interface.  One day it might be possible to
  • interface to the VP2 console without buying Davis' crappy Weatherlink software
  • build a standalone receiver around a CC1021 and something like an Arduino.  This would give me a low cost receiver with a proper computer interface.
Some pretty cool possibilities here.

PS.  If anybody knows what this is, please leave a comment.

46 comments:

  1. It may be a MEMS pressure sensor.

    ReplyDelete
    Replies
    1. It'S Science, But It Works Like Magic.: Davis Weather Station Hacking >>>>> Download Now

      >>>>> Download Full

      It'S Science, But It Works Like Magic.: Davis Weather Station Hacking >>>>> Download LINK

      >>>>> Download Now

      It'S Science, But It Works Like Magic.: Davis Weather Station Hacking >>>>> Download Full

      >>>>> Download LINK 9a

      Delete
  2. I think you might be right. I had been thinking for a while that it might be an RF switch of some kind supporting the console's retransmit function, but the connectivity isn't there in the circuit. Your idea makes more sense, combined with some other pictures I have here. Nice.

    ReplyDelete
  3. I wonder if the main board in the console is the same ones used in the Envoy's. Being that the display is connected separately, it seems that might be possible.

    The chip in question is more than likely the barometer transducer (just an absolute pressure gauge).

    The humidity and temperature sensor is an eight pin IC located just below the display header. It makes me sad that Davis didn't go by the datasheet's recommendation to thermally isolate the sensor from the main PCB, but whats new in that aspect anymore...

    ReplyDelete
  4. SHT1x.pdf Humidity Sensor Datasheet Sparkfun.com sells them.

    It also looks like there is a thermistor below the crystal on the transceiver.

    ReplyDelete
  5. Heh. Had to find this out for myself, only to find afterward that Blogger had marked your post as spam. Wrote a new post with a few more details on the subject.

    ReplyDelete
  6. The board is the same as the Weather Envoys, just with different firmware so that it doesn't get upset when it doesn't see the display. I used to service these as a uk service agent.

    ReplyDelete
  7. Anonymous, that's very interesting. Thanks for pointing that out.

    ReplyDelete
  8. Yes, thanks anonymous! Thanks indeed!

    ReplyDelete
  9. Hi

    is it possible to change th quartz of the tranceiver that the us console work withh EU ISS ?

    US frequency: 902 to 928 MHz

    EU frequency: 868 MHz

    ReplyDelete
  10. @keving: I learned since I wrote this that the crystal is actually 14.7456 MHz. The frequency is multiplied up internally in the CC1021 to the appropriate band. My guess is that the only difference between the US and EU versions is firmware, but Davis *might* also have tweaked the components in the RF section around the CC1021 for better operation in that band.

    ReplyDelete
  11. Thanks Dekay for your answer, did you have tips for translating the firmware of the vp2 console (for displaying console's messages in french ) ? What soft un recommended for editing the fimware (.bin file) ?

    ReplyDelete
  12. Any hex file editor will do. The only one I've ever used is Okteta under Linux, but there are lots of these things out there for all platforms. See here for more tips: http://www.wxforum.net/index.php?topic=13939

    ReplyDelete
  13. Thanks, did you know any solution for udating the console firmware without the davis console updater ?

    ReplyDelete
  14. Nope. And for reasons I don't yet understand, the Davis console updater (or any other Davis software) doesn't work with my DIY interface, but every other piece of software does. Not sure if it is my OS (Vista x64) or the interface itself.

    ReplyDelete
  15. ok, it is easy to bluid a diy Davis Console updater ?

    I tryed to translate the firmware: http://www.wxforum.net/index.php?topic=532.msg137189#msg137189

    ReplyDelete
  16. Hi

    I just have confirmation with Texas Intruments tech:
    The CC1170 868 MHz and 915 MHz reference designs are equal. There are no difference in terms of component values.
    To make your 915 MHz design work at 868 MHz you simply change the register settings that sets the operating frequency (registers FREQ2, 1, 0). You get the register settings from SmartRF Studio.

    ReplyDelete
    Replies
    1. Did you find a way to manage that?

      Delete
  17. Météo: Very interesting. Thanks for passing this along. So it is very possible that the only difference between an EU and North American console is the firmware load. I suppose it is also possible that the console antenna could be a little different length for optimal performance in each frequency band, as done on the jeeNode: http://jeelabs.net/projects/hardware/wiki/JeeNode

    ReplyDelete
  18. Yes, the register settings that sets the operating frequency are opérated with the firmware loaded in the Atmel ATMEGA 128L

    ReplyDelete
    Replies
    1. Hi, do you know if there is a way to mod atmel firmware to change frequency?

      Delete
  19. hi, i really appreciate your work. but did you manage to hack the actual raw data from the davis weather station itself? what im planning is to interface the weather station [without the console] to my datalogger. thanks and keep up the good work..

    ReplyDelete
    Replies
    1. My ISS is wireless and I am playing with receiving its transmissions with a separate receiver (http://madscientistlabs.blogspot.com/2012/01/im-me-proof-of-life.html). I've never played around with the wired ISS if that is what you mean.

      Delete
    2. I have a wired ISS and I have played around with the protocol a bit a few years back. Davis does, or at least, did sell the instrument package as a seperate assembly. I am a ham radio operator and at that time I was trying to set up APRS weather stations around the area, I did not want or need the disply and certainly did not want to spend the close to 1k that Davis wanted for something that would smooze the data the way I needed. I got as far as finding the data is asynch serial, it is sent as a differential signal (easy to convert) and that 7 bytes are sent every 2 seconds, that the first (or seoond, working from memory here) is the wind speed, that the last is a checksum and the the ones inbetween somehow relate to termperature and humidity. I recall the humidity one was straighforward, the temperature seemed deliberately disguised. I believe this is the protocol the poster above is asking about. I am also very interested in this if anyone has cracked it. If anyone is working on this or has cracked this egg I can be reached at nd0b@arrl.net. So much for anonymity.

      Delete
  20. I know Im a bit late to the party, but your mystery component looks a lot like a barometric sensor I have used before.

    http://www.meas-spec.com/pressure-sensors/board-level-pressure-sensors/altimeter-pressure-sensor-modules.aspx

    Looks a lot like the backside of the MS5534
    :-)

    ReplyDelete
    Replies
    1. Welcome to October 2011 :-)

      http://madscientistlabs.blogspot.ca/2011/10/filling-in-few-gaps.html

      Delete
  21. Hi guys, I am thinking of converting my wireless VP2 to wired. Have a wired console, and the connecting cable with RJ11 plugs. I disconnected battery and solar panel from the ISS, and plugged the cable end into the COMMS socket, but no data shown on console. Is it possible to do this, or is a completely different PCB needed. The wireless one has the socket for the cable connection. Thanks.

    ReplyDelete
  22. Hi,some awesome work you've done! I just got a VP2 weather station. Not the wireless version. So basically the output from VP2 is from a RJ11 jack on the board. Do you mind helping me understanding what's the output and pins are like on the RJ11 jack. I really appreciate if you can.Would like to read the data on a microcontroller.

    ReplyDelete
    Replies
    1. I don't have a wired VP2. This is where Google comes in handy.

      http://www.flickr.com/photos/30112397@N06/2879504922/sizes/l/in/set-72157607366155684/

      http://www.wxforum.net/index.php?topic=13205.0

      Delete
    2. Thank you for your reply, yeah i've googled about it and that's how i got to know your site. But its hard to find the specific thing that i need to know. I guess my googling skill is not that great.
      Thanks for the links its a great help. I've learned some new information about the ISS that I've bought. It is not the normal ISS. The board on ISS is some other type that is compatible with eko pro node.
      From what I've searched the communication seems like it is using memsic esb protocol. Right now I'm searching how the protocol works.

      Delete
  23. Hallo' all,
    does anyone craked the cabled iss protocol?
    Im interesting too ! I whant to build my hardware cabled receiver
    thanks in advance.

    Mr Europe

    ReplyDelete
  24. hi there i used too have a davis vantage pro 2 oh yes specs included 1 gb of data storage for data logging

    ReplyDelete
  25. If you have the weather link installed and connect to ir with hyper terminal, it is possible to activate packet monitoring, and the packets from ISS are displayed in hex. Nice for reverse engineering

    ReplyDelete
  26. I bought a Davis weather station last month for my Mom but it seems the quality of the item is not worthy for the price. I returned my weather station back to them and got my money back.

    So I would like to recommend you the weather station I bought a year ago from eBay, this weather station is still working and I am happy with it, the cost of the item is very cheap, but the quality is really good. You guys should try this also.

    http://www.ebay.com/itm/2-Wireless-Sensor-Weather-Station-Thermometer-RCC-DCF77-Temperature-Humidity-/171806182271

    ReplyDelete
  27. Hi Guys,

    I purchased DAVIS Vantage 6152 US version but have to send it to my family in Europe. I checked Davis website about a FW that will convert my US station to EU version. Unfortunately, this doesn't help, they have only one Firmware for all their models.

    Obviously, there is one same FW for all the versions and the unit run the FW in dependence on a hardware difference defineing the station type US, EU and etc..

    Is there any info what is the hardware difference between the US and EU versions

    Thanks in advance!
    John

    ReplyDelete
    Replies
    1. John, sorry for the late reply. Check this link out.

      http://www.wxforum.net/index.php?topic=18614.0

      Delete
  28. Hello,

    I have a Vantage Pro2 and it looks that I have a faulty circuit board.

    When I power up the board, the diode marked “D11” gets really hot.

    The screen looks like working, all the icons are ok at reset but it cannot get readings from the sensors.

    Any idea??

    Thank you for your support

    gsbaul@gmail.com

    ReplyDelete
    Replies
    1. Sounds like a short circuit or faulty component pulling a lot of load. Could be many different things.

      Delete
  29. I recently got involved with a VP2 FW rev 1.8.
    I noticed you have to enter you location, this may be used to determen the frequentie

    ReplyDelete
  30. There is J72 section named ISS ( means pinouts to station ? )
    Is it a serial port ? Do You know the pinouts ?

    ReplyDelete
  31. Cool you inscribe, the info is really salubrious further fascinating, I'll give you a connect to my scene. air monitor

    ReplyDelete
  32. This comment has been removed by the author.

    ReplyDelete
  33. Wow :)
    This is an incredible collection of ideas!
    Waiting for more helpful pieces.
    You would amazing to read a similar one here-
    Besttoolsbrand

    ReplyDelete
  34. It'S Science, But It Works Like Magic.: Davis Weather Station Hacking >>>>> Download Now

    >>>>> Download Full

    It'S Science, But It Works Like Magic.: Davis Weather Station Hacking >>>>> Download LINK

    >>>>> Download Now

    It'S Science, But It Works Like Magic.: Davis Weather Station Hacking >>>>> Download Full

    >>>>> Download LINK

    ReplyDelete