For the hackers among us, here is the X10 wireless protocol. I don't recall the original website I grabbed this from, but all credit goes to the gentlemen below: ---Data format for X-10 wireless units--- Edward Cheung, Ph.D. RF sampled data by: Paul Gumerman April 1997, v1.0 This document should be viewed in a mono-spaced font. --Format of RF envelope-- The carrier is at a nominal frequency of 300 Mhz. The envelope of the carrier is sketched below. Time progresses from left to right. --------------- --------- --------- - | | | | | | | | 8msec | 4msec | 0.4ms | 0.7ms | 0.4ms | 0.7ms 1.1 msec | - ---------- --------- --------+------------- RF preample + sampled '1' + sampled '1' + sampled '0' The data format is return-to-zero. A '1' is sampled when the envelope goes high for 0.4msec and then returns low for 0.7msec. Thus with the above waveform, the sampled data (left bit below is received first): 110....... Note that the RF preamble is not part of the sampled data, and that I make the distinction between the received envelope (sketched above) and the SAMPLED STREAM (the 110.. above). This sampled stream is converted to a DECODED STREAM and then converted to an actual X-10/security command using the procedure explained below. --Data format for the RT-504 X-10 wireless remote-- I will explain the data format using an example sampled stream. The right most digit is received first: 10101111 11011101 01010101 11011111 10101101 01010101 <-A1 OFF cmd The total length of the stream is 48 samples. Doing some inspection on this and other sample streams shows that there are multiple bit flips, even if the transmitted house code changes by only one bit. My hunch was that each bit of the house code is encoded as a varying number of samples in length. Changing a '1' to a '0' in the house code for example, will cause the samples to be shifted because a '0' has a different length than a '1'. Thus presumption was further enforced by counting the number of 0 samples and the number of 1 samples. All messages inspected have exactly 16 '0' samples and 32 '1' samples. This implies that one symbol contains a '1' and a '0', and the other symbol contains just a '1'. Making the assumption that a '0' bit is sampled as a '10', and a '1' bit is sampled as a '1', we can rewrite the sampled sequence into a DECODED STREAM: 00000100 11111011 00000110 11111001 byte 1 byte 2 byte 3 byte 4 Here, the first received bit is on the LEFT. Note that byte 1 and byte 2 are complementary, as well as byte 3 and byte 4. By sending the inverse of the bytes along as well, one can guarantee the same number of '1' and '0' bits in the decoded data, and the same number of '1' and '0' in the sampled stream regardless of the message. In addition, some simple error detection can be performed by making sure the complementary data is consistent. The house code can now be read in the stream. It is byte 3. Its associated complement is byte 4. Refering to the X-10 Faq (URL below), the bit patterns for the house codes are: House code Bit pattern (units 1-8, 9-16 add 100000) A 0110 B 1110 C 0010 D 1010 E 0001 F 1001 G 0101 H 1101 I 0111 J 1111 K 0011 L 1011 M 0000 N 1000 O 0100 P 1100 In this instance, the house code of the command is 'A'. One thing I noticed is that units 1 thru 8 have a different house code than units 9 thru 16. The house code for units 1-8 are as explained above, while the house code for units 9-16 have a '1' in bit 5 (where bit 0 is the right most bit). Thus the command A-9 OFF has the decoded stream: 00000100 11111011 00100110 11011001 ^--------^--------note difference here We can find the unit and function code in byte 1. Naming each bit in byte 1 by a number, where 7 is the most significant bit (received first & left most) and 0 is the least: bit function 7 always 0 6 always 0 5 always 0 |<--- from bit 5 of byte 3 4 bit 1 of unit number --------------->| 3 bit 0 of unit number ---------------->| 2 1 for OFF command. xxxx <--(unit number -1) 1 bit 2 of unit number -------------->| 0 1 for DIM (if bit 3=1) or BRIGHT (if bit 3=0) command To clarify bit 0, if the command is a BRIGHT command, byte 1=0x11, if it is a DIM command, byte 1=0x19. The unit number is reassembled by ordering bits 4,3,1 from byte 1, and bit 5 from byte 3 above, add '1' to this, and you will have the unit number. In this case, the unit number's bit pattern is:0000, or unit #1. Since the OFF bit is set, the command represented by the sampled stream is: A-1 OFF. Another example: sampled RF stream: 10101110 11101110 10110101 10101010 11110111 11010101 decoded byte stream: 00011110 11100001 00100110 11011001 X-10 command: A-16 OFF --Data format for the security transmitters Using the same samples-to-decoded matching ('10'->0 and '1'->1), we find that the decoded stream from the security transmitters (door/window and PIR) are in general 32 bits in length. For example: sampled stream, first received on right: 10110111 01011011 01010111 11111010 11010101 01011101 decoded stream, first received on left: 01100000 10011111 11000101 00110101 byte 1 byte 2 byte 3 byte 4 We consider the most significant bit to be transmitted first and on the left, thus the upper nibble is to the left of the lower nibble. Note that the upper nibble of byte 1 is the complement of byte 2, and the lower nibble is the same. This same relationship holds for byte 3 and 4. Bytes 3 and 4 change when the 'code' button is hit on the security transmitter. We can consider these two bytes to encode the unit's 8 bit ID. Byte 1 is the message code. This is as follows for a few units: Large security remote (SH624): (has a min/max delay slide switch below the buttons) ARM HOME (min) 0x70 ARM AWAY (min) 0x60 ARM HOME (max) 0x50 ARM AWAY (max) 0x40 DISARM 0x41 SEC. LIGHT ON 0x42 SEC. LIGHT OFF 0x43 PANIC 0x44 The other buttons transmit normal X10 remote codes for an RT-504 remote. Pendant (KF574): ARM 0x60 (this is apparently min delay mode) DISARM 0x61 LIGHTS ON 0x62 LIGHTS OFF 0x63 Old door/window sensor (DW 534) NORMAL 0x21 (for when security violation is removed) ALERT 0x20 (for when sensor is tripped) Supervision Code: transmits a NORMAL New door/window sensor NORMAL 0x31 ALERT 0x30 The newer security transmitters append 9 extra bits that do not vary to the above 32 bit sequence (a total of 41 bits). These bits appear to always be 000000101 (left most is rx first). References: [1] X10 faq (http://www.homation.com/x10faq/x10faqd.html) Appendix The following is a listing of the decoded bytes from many units compiled by Paul. The unindented line is the command. The next (indented) line contains the decoded bytes. Note one difference with his convention compared to mine. In my text above, I list the decoded bytes in the order byte1, byte 2, byte 3, byte 4. His listing has them in byte 4, byte 3, byte 2, byte 1 order (from left to right). In other words, for X-10 commands, the house code is in the two left most bytes in the listing below. A- 00001 OFF 00032: 11111001 00000110 11111011 00000100 A- 00002 OFF 00032: 11111001 00000110 11110011 00001100 A- 00003 OFF 00032: 11111001 00000110 11101011 00010100 A- 00004 OFF 00032: 11111001 00000110 11100011 00011100 A- 00005 OFF 00032: 11111001 00000110 11111001 00000110 A- 00006 OFF 00032: 11111001 00000110 11110001 00001110 A- 00007 OFF 00032: 11111001 00000110 11101001 00010110 A- 00008 OFF 00032: 11111001 00000110 11100001 00011110 A- 00009 OFF 00032: 11011001 00100110 11111011 00000100 A- 00010 OFF 00032: 11011001 00100110 11110011 00001100 A- 00011 OFF 00032: 11011001 00100110 11101011 00010100 A- 00012 OFF 00032: 11011001 00100110 11100011 00011100 A- 00013 OFF 00032: 11011001 00100110 11111001 00000110 A- 00014 OFF 00032: 11011001 00100110 11110001 00001110 A- 00015 OFF 00032: 11011001 00100110 11101001 00010110 A- 00016 OFF 00032: 11011001 00100110 11100001 00011110 ============================================= A- 00001 ON 00032: 11111001 00000110 11111111 00000000 A- 00002 ON 00032: 11111001 00000110 11110111 00001000 A- 00003 ON 00032: 11111001 00000110 11101111 00010000 A- 00004 ON 00032: 11111001 00000110 11100111 00011000 A- 00005 ON 00032: 11111001 00000110 11111101 00000010 A- 00006 ON 00032: 11111001 00000110 11110101 00001010 A- 00007 ON 00032: 11111001 00000110 11101101 00010010 A- 00008 ON 00032: 11111001 00000110 11100101 00011010 A- 00009 ON 00032: 11011001 00100110 11111111 00000000 A- 00010 ON 00032: 11011001 00100110 11110111 00001000 A- 00011 ON 00032: 11011001 00100110 11101111 00010000 A- 00012 ON 00032: 11011001 00100110 11100111 00011000 A- 00013 ON 00032: 11011001 00100110 11111101 00000010 A- 00014 ON 00032: 11011001 00100110 11110101 00001010 A- 00015 ON 00032: 11011001 00100110 11101101 00010010 A- 00016 ON 00032: 11011001 00100110 11100101 00011010 ===================================================== A - BRIGHT 00032: 11011001 00100110 11101110 00010001 A - DIM 00032: 11011001 00100110 11100110 00011001 =================================================== A- 00001 OFF 00032: 11111001 00000110 11111011 00000100 B- 00001 OFF 00032: 11110001 00001110 11111011 00000100 C- 00001 OFF 00032: 11111101 00000010 11111011 00000100 D- 00001 OFF 00032: 11110101 00001010 11111011 00000100 E- 00001 OFF 00032: 11111110 00000001 11111011 00000100 F- 00001 OFF 00032: 11110110 00001001 11111011 00000100 G- 00001 OFF 00032: 11111010 00000101 11111011 00000100 H- 00001 OFF 00032: 11110010 00001101 11111011 00000100 I- 00001 OFF 00032: 11111000 00000111 11111011 00000100 J- 00001 OFF 00032: 11110000 00001111 11111011 00000100 K- 00001 OFF 00032: 11111100 00000011 11111011 00000100 L- 00001 OFF 00032: 11110100 00001011 11111011 00000100 M- 00001 OFF 00032: 11111111 00000000 11111011 00000100 N- 00001 OFF 00032: 11110111 00001000 11111011 00000100 O- 00001 OFF 00032: 11111011 00000100 11111011 00000100 P- 00001 OFF 00032: 11110011 00001100 11111011 00000100 ================================================= KF574 Security Pendant Unit # 00197: ARM AWAY (min) 00032: 00110101 11000101 10011111 01100000 Unit # 00197: Pendant DISARM 00032: 00110101 11000101 10011110 01100001 Unit # 00197: Pendant LIGHT ON 00032: 00110101 11000101 10011101 01100010 Unit # 00197: Pendant LIGHT OFF 00032: 00110101 11000101 10011100 01100011 (pushed code, and resampled, note unit # changes) Unit # 00061: ARM AWAY (min) 00032: 11001101 00111101 10011111 01100000 Unit # 00061: Pendant DISARM 00032: 11001101 00111101 10011110 01100001 Unit # 00061: Pendant LIGHT ON 00032: 11001101 00111101 10011101 01100010 Unit # 00061: Pendant LIGHT OFF 00032: 11001101 00111101 10011100 01100011 ================================================ DW534 old model Door/Window Sensor -- strapped for N.O. operation pushed test button Unit # 00007: ALERT, N.O. old 00032: 11110111 00000111 11111111 00000000 Unit # 00007: Normal, N.O. old 00032: 11110111 00000111 11111110 00000001 ======================================================== DW534 old model Door/Window Sensor -- N.C. operation pushed test button Unit # 00122: ALERT, old 00032: 10001010 01111010 11011111 00100000 Unit # 00122: Normal, old 00032: 10001010 01111010 11011110 00100001 ================================================== SP554A old model PIR sensor - set to Home/Away Mode Unit # 00035: PIR ALERT, old 00032: 11010011 00100011 11001111 00110000 Unit # 00035: PIR Normal, old 00032: 11010011 00100011 11001110 00110001 ================================================= SP554A old model PIR sensor - set to Normal Mode Unit # 00035: Normal, old 00032: 11010011 00100011 11011110 00100001 Unit # 00035: ALERT, old 00032: 11010011 00100011 11011111 00100000 ================================================ MS10A new model PIR sensor Unit # 00210: ALERT, new 00041: 00100010 11010010 11001111 00110000 00000010 0 Unit # 00210: Normal, new 00041: 00100010 11010010 11001110 00110001 00000010 0 ======================================================= SH624 Security/Home Automation Remote Unit # 00130: Remote PANIC! 00032: 01110010 10000010 10111011 01000100 Unit # 00130: Remote DISARM 00032: 01110010 10000010 10111110 01000001 Unit # 00130: Remote LIGHT OFF 00032: 01110010 10000010 10111100 01000011 Unit # 00130: Remote LIGHT OFF 00032: 01110010 10000010 10111100 01000011 Unit # 00130: Remote ARM HOME (min) 00032: 01110010 10000010 10001111 01110000 Unit # 00130: ARM AWAY (min) 00032: 01110010 10000010 10011111 01100000 Unit # 00130: Remote LIGHT ON 00032: 01110010 10000010 10111101 01000010 Unit # 00130: Remote ARM HOME (max) 00032: 01110010 10000010 10101111 01010000 Unit # 00130: Remote ARM AWAY (max) 00032: 01110010 10000010 10111111 01000000 ======================================================= End of RF protocol document.