Home Automation: Reverse engineering a Worcester-Bosch DT10RF wireless thermostat.

Way back in 2007 I had a new boiler and central heating system installed. I chose the Worcester-Bosch Greenstar 30CDi combi-boiler as the heart of the system since the manufacturer has a very good reputation for reliability and efficiency.

Worcester-Bosch Greenstar 30CDi

This boiler has various control systems that can be used to operate the heating and direct hot water. I selected the DT10RF Optimising Digistat since, although it was quite expensive, it was the best Worcester-Bosch offer and promised further cost-savings through the use of its “optimising” feature.

Worcester-Bosch DT10RF Mk I

The DT10RF controls both the operation of the central heating, and also the timing of the hot-water pre-heat function which allows the boiler to deliver hot water more quickly. When running the heating, the optimiser function calculates the time the boiler needs to start in order to reach the correct temperature at the programmed times.

You can set up to four different time periods for each day of the week for heating. You can set the room temperature for each of these four periods. The timing for hot water can be different for each day of the week. The wall-mounted room thermostat is wireless and uses the standard 433MHz band. This controls the temperature for the heating, and the boiler mounted receiver controls the timings of the hot-water pre-heat.

Right from the beginning I’ve never been very satisfied with this control system. Firstly, the “optimising” feature only works to delay the on-time of the heating, and does nothing to optimise the time the heating turns off which it could do by learning the time it takes the house to cool down. Not only that, but it only optimises the first time-slot of the day so only the morning start-up is optimised. The time at which the temperature set-point changes from day-time to evening is not optimised. Also, the optimisation will only delay the heating coming on in the morning for up to one hour. Since it takes my heating at least one hour to warm the house up, the optimiser basically never did anything at all.

While it is true that you can set four different time periods each day for the heating, you can’t change the temperature set point. The set point for each of the four time slots is set once, and then applies every day. So you can’t have complete flexibility in how the heating is configured.

Even the wireless side of the thermostat has never been very reliable, with the signal constantly dropping out and requiring the transmitter to be temporarily moved closer to the boiler and the set point manually turned up and down to give the system a kick and get the communication going again. It’s certainly not fun waking up on a cold winter morning to find the heating hasn’t come on because, yet again, the wireless communication has failed over night. This is with a house of normal construction, and not a huge distance between the transmitter and receiver. I did have the control system replaced under warranty, but the new one was no better. There are lots of posts on the internet where people are experiencing the same problems with the DT10RF. Worcester-Bosch blame anything from too-thick walls to interference from WiFi access points. That is simply not acceptable, and the design of the wireless system is frankly not fit for purpose.

Since purchasing this thermostat Worcester-Bosch have released a new version, the DT10RF Digistat optimiser (MK II). From what I can tell, aside from having six time slots rather than four, it is simply a cosmetic change. I don’t expect this version to be any more reliable, and from forum posts it looks like the same problems still exist.

The last straw was when, during the previous winter, the thermostat simply refused to work when it was any further than about two metres away from the boiler. This was with a fresh set of batteries, and the whole thing reset and reprogrammed from scratch. Hardly any point in it even being wireless.

Time to start looking for a new heating control system.

Ideally I would like something that connects to my local network, either WiFi or Ethernet. This would make it easy to programme, and also remotely adjustable over the internet. This would mean that when I’m out somewhere and I’m going to be back home later than expected, I can easily change the timing of the heating so that it comes on later and does not burn gas unnecessarily.

I would also like something that is far more intelligent than the current heating control systems. I want it to learn how long it takes the house to warm up and cool down, and decide for itself when the heating needs to be on. Rather than saying “I want the set point to change from 12C to 20C at 4pm”, I want to be able to say “I want the house to be 20C at 5pm” and have the system work out itself when to fire the boiler, based on the outside temperature and its own knowledge of how quickly the house warms up. Likewise, I want to say “I’m happy for the temperature to have dropped to no less than 18C by 11pm” and have the system work out itself when it can stop heating, based on its knowledge of how quickly the house cools.

I want to have multiple temperature sensors around the house, to get an overall view of the system, rather than just the temperature state in one room. It could decide which sensor gets to control the heating based on the time of day. For example, in the mornings I only care about the temperature of the bedrooms. I’m not worried about the temperature of the downstairs open-plan area that typically takes a lot longer to warm up, since I’ll very shortly be leaving to go to work. So the master bedroom could control the system in the morning, while the lounge controls the system in the evening.

It could also do other nifty things, like if the current temperature is below the set point at 8am, but the local weather forecast pulled from the internet predicts that it is going to be a lovely day and warm up by 10am, then it could decide to not turn on the heating at all. I don’t want it to burn gas for two hours just because the morning is a little chilly, and then end up having to open a window once the sun comes out.

Looking around the central heating market, I see several manufactures are now producing WiFi enabled thermostats, such as the Heatmiser PRTHW-TS WiFi. However, not only are they very expensive and get some poor reviews, they also don’t appear to do what I want. They allow only programming over WiFi, they don’t do anything clever regarding heating control. If you’ve managed to find one that does – please do tell me about it in the comments section below!

I decided what I really want to be able to do is control the boiler from my PC. If I could send a command to turn the heating on or off, I could then write my own code to control it and have it do whatever I want.

I know that the DT10RF uses the 433MHz band to transmit the on/off signal. If only I could capture the signal it sends, I could then reproduce it and take control. I decided to purchase a 433MHz transmitter and receiver pair from eBay. At a price of just £2.80 it was worth a gamble as to whether I would be able to receive anything from the thermostat.

433MHz Wireless Receiver

One slightly annoying thing about these cheap 433MHz receivers is that when there is no signal present, their Automatic Gain Control circuit gets ramped up and all you get is receiver noise on the data pin. This makes it rather difficult to actually pick out any data from the noise. Luckily, you get about 100mS of “radio silence” after a signal has been received before the AGC winds back up again. So it is possible to look for this silence, and then look for the data immediately before it in order to “sniff” the signal.

I hooked up the data pin of the receiver to an oscilloscope, and sure enough when I turned the thermostat up I could see a signal go through. Likewise when I turned it back down, another signal was visible. It was impossible to capture the signal to analyse it since it was far too fast. Since I didn’t have access to a storage-oscilloscope, I decided to make use of a “soundcard logic analyser” that I had made previously.

Signal Capture

By feeding the signal from the receiver into the soundcard on my computer, I could capture the data continuously and then look at the signals at my leisure. I connected it all up, and turned up the thermostat until it started calling for heat. It visibly sent an “on” signal three times. I then turned it back down again, and it sent an “off” signal three times. You can see the data in the screenshot below. The 100mS periods of “radio silence” make the data stand out easily from the receiver noise. In the data below there are three on-pulses separated by approximately 1.9 seconds, followed by three off-pulses separated by 1.9 seconds.

DT10RF Transmission

Zooming in on one of the “on” transmissions we can see the following pulse train.

DT10RF Boiler ON

Zooming in on one of the “off” transmissions we can see the following pulse train.

DT10RF Boiler OFF

As you might expect, the signals are nearly identical except for the last few pulses. I haven’t made any attempt to work out what it is actually sending, except to recognise that there appears to be a “preamble” that is used to give the receiver time to adjust its AGC, followed by a series of pulses that represent the boiler/thermostat ID, followed by either the “on” or “off” message.

By simply writing down the lengths of the high and low pulses it is possible to reproduce them using a microcontroller and 433MHz transmitter. I’ve been using Atmel AVR ATMega328P microcontrollers in a lot of projects lately, so I decided to use one here as well. This one is mounted on an Arduino Uno board. It’s simple to connect up the transmitter, just power and ground, and the data pin connected to pin 2 of the Arduino (PORTD, PD2, pin 4 of the IC).

433MHz Wireless Transmitter

It works! I can turn the central heating on and off again using my PC. Now that I have full control of the system I can work on writing some algorithms that optimise comfort and, most importantly, minimise gas usage. Helpfully it also seems to have much better range than the transmitter in the commercial thermostat – I can easily activate the heating using my laptop over on the other side of the house from the boiler. If I find that I need even more range, the transmitter can be operated from up to 12V with increased transmission power. At the moment I am powering it with the normal 5V logic supply to the microcontroller.

The following code-snippet shows how I control the 433MHz transmitter. It’s only intended to be an example, you probably wont be able to just cut and paste it into your own Arduino sketch since I don’t use the Arduino framework. But it is simple enough to follow and can easily be made to work in your own application.

  rf.cpp (3.2 KiB, 3,529 hits)

If you want to try to control your own Worcester-Bosch boiler and have a DT10RF thermostat, you should be able to use the same RF messages as me provided you put your boiler into “learn” mode and then transmit the “on” signal so that the boiler knows what messages to expect. If, like me, you want to be able to switch seamlessly between computer control and the thermostat whilst you develop your heating control application then you’ll need to follow the procedure I have detailed and capture the code your own thermostat is sending.

In the next tutorial, I’ll detail how to build your own inexpensive wireless temperature sensors for distributing all over your house. After all, what use is having control of the heating system if we don’t know what the temperature is?

Making a soundcard logic analyser.

Have you ever needed to capture a logic signal to check that your Arduino or Raspberry Pi project is doing what it’s supposed to be doing, but you don’t have an oscilloscope? Or maybe you do have a ‘scope but it doesn’t have a storage mode, so the signal goes past far too quickly to see.

No need to shell out loads of money on an expensive logic analyser, when you have one with virtually unlimited storage capability right in your PC! You can use the sound card to capture logic signals as they pass through the bus, and then investigate the signal timing at your leisure.

The only problem is logic signals are generally +5V or +3.3V, whilst the line-in on your soundcard is designed to capture only voltages between plus and minus 2V at most. We can easily get around that by making a voltage divider out of a couple of resistors. I used an 82K and an 18K resistor giving me a 1/5 voltage reduction. That makes my +5V logic signal just 0.9V which is well within the range of the soundcard input. The resistor values don’t matter too much, so long as they have a ratio that brings your logic level down to something appropriate for the soundcard. Although it’s best to try to keep the total impedance as high as possible to prevent the connection interfering with you circuit.

First, get an old stereo cable with a 3.5mm jack plug. Cut off one end and strip the insulation to reveal the shield braiding and the two conductors.

Logic Analyser

Unbraid the shielding, and solder on your 18K resistor, and a length of wire that will form the “ground” connection for your logic probe. I’ve used two since I’m making up both channels. Use the left and right stereo inputs to make a two-channel logic analyser!

Logic Analyser

Put a bit of heat shrink over the joint to isolate the connection. Next, solder your 82K resistor onto the other side of the 18K resistor, and attach the left and right signal cables to the centre point of the voltage divider.

Logic Analyser

Attach your signal probe wires to the far side of the 82K resistor. Again, isolate the connections with some heat shrink.

Logic Analyser

Finally, put some more heat shrink over the whole thing to secure it all together. Nice tidy job!

Logic Analyser

Now you’re ready to feed it some signals and capture them. I used Audacity under Linux which is a free, open source, cross-platform application for recording and editing sounds. It’s perfect for this task. Did I mention it was free?

Here we are capturing two square waves at 192kHz sampling frequency. You’ll notice that the square waves are not very square, especially at lower frequencies. This is because the soundcard has a high-pass filter and tries to reject DC offsets. As soon as the square-wave pulses to a positive or negative level, the soundcard starts to pull the signal back to zero and the signal “droops”. That’s not too much of a problem, since we’re only aiming to look at the pulses and be able to measure the timing and synchronisation with other logic channels. For this, it’s perfect for the job!

Logic Analyser

Don’t make the mistake of thinking you can use this as a replacement for a proper multi-meter or an oscilloscope. If you decide to try to measure the frequency of your mains electricity you will destroy your soundcard and probably your whole PC.

But for the purpose of capturing logic signals – it’s perfect!

Pi Power!


Pi power! The project is coming along nicely. It’s got a #raspberrypi for communication with the outside world, and a custom-made #arduino board for controlling the steering servo and L298-based DC motor driver. I’ve hacked a standard RC receiver to obtain the PPM signal which is decoded using the Input Capture function on pin 14 of the ATMega328.

I’ve had to move away from a lot of the Arduino framework since I wanted to use Timer1 for uS timing of the PPM signal. This meant I couldn’t use the standard Servo library either, so I had to write my own. Turns out it’s pretty easy.

I’m now considering ditching the Arduino framework completely given the only functions I really use are timekeeping and Serial communications. I’m intending to use SPI for communication with the Pi in order to free up the UART for connecting to a GPS module. The Arduino code can only work as a SPI master, and I want to set the uC up as a slave, so that’s something else I’ll have to write for myself anyway. I’ve also just had a bad experience with the String library, which it turns out is a pile of junk and I should have just stuck to char arrays – I’ve now got to rewrite a whole chunk of code. So all-in-all I may as well just ditch Arduino completely and simply use avr-gcc and avrdude directly with a makefile.

Now that I have full manual control of the car, it’s time to start adding sensors and writing the autopilot …


These look like a good set of ingredients for fun!


This is a Marui Ninja RC buggy.

It must be at least 20 years old. I dug it out the loft last night. I quite like the idea of taking a really old car, and upgrading it with a brushless motor, new ESC, LiPo battery etc. And then working on the Arduino automation to give it collision avoidance and the ability to follow a preset route using GPS.

It’s kinda a pre-quadcopter practise for when I’m ready to try something airborne!

#arduino #arduino-based #drones

SATA plug melted!

SATA fire


So I was making ISOs from some BD discs when I noticed a rather odd smell coming from my living room. Further investigation revealed that it was coming from my mediacentre PC that drives my projector.

The PC had shut down, and I assumed the PSU had died. But it turned out to be a Molex to SATA adapter that had caught fire and melted. Unfortunately it also wrote off the hard disk to which it was attached, since it destroyed the power socket. The PC had been running fine for the past three years without a hiccup.

A quick Google search revealed that this is actually quite common. It’s quite worrying that a little connector adaptor could have potentially burned my house down! Luckily the PSU had good short-circuit and overload protection and managed to shutdown before the whole PC burst into flames. Amazingly the PSU, motherboard, and all other components were perfectly fine once the hard disk had been replaced. I had to strip out everything from the case and clean out the bits of melted plastic and soot, and then rebuild the whole PC.

I certainly wont be using one of those Molex converters again. In fact I’m not even sure I trust SATA power connectors any more. They have always looked flimsy and had poor electrical contact areas. Not to mention they easily fall out if you so much as nudge a cable while putting the cover back on. Is this seriously the best they could come up with? But what else can you do?

Can I flash CWM recovery permanently?

In previous blog posts I’ve talked about booting the Samsung Galaxy Nexus from ClockworkMod recovery. This is a third-party open-source application that is very useful for performing system maintenance on an Android phone.

Personally I just manually boot the phone from a CWM image whenever I need to, but a few people have asked me if it’s possible to overwrite the stock Android recovery partition with CWM.

The answer is yes you can, but by default Android is set to automatically flash the stock-recovery on every boot. So as soon as you reboot CWM will be overwritten. We need to stop that happening, which luckily is easy enough to do. We just need to move two files out of the way.

As usual you’ll need the adb and fastboot commands from the Android SDK. At the time of writing, the most recent version of CWM for the GSM Galaxy Nexus is here.

First, from the bootloader flash CWM to the recovery partition and then boot into CWM.

# fastboot flash recovery recovery-clockwork-
# fastboot boot recovery-clockwork-

Now move both /system/recovery-from-boot.p and /system/etc/install-recovery.sh to a different location so they do not get executed. I recommend just renaming them to .bak. Some people say to delete them, but I prefer to make non-destructive modifications that I can undo.

$ adb shell mount /system
$ adb shell mv /system/recovery-from-boot.p /system/recovery-from-boot.p.bak
$ adb shell mv /system/etc/install-recovery.sh /system/etc/install-recovery.sh.bak
$ adb shell umount /system
$ adb reboot

And that’s it. You now have CWM installed permanently. Do bear in mind if you are running an otherwise-stock release of Android you will now no longer be able to install OTA updates since they require the stock recovery system in order to be installed.

If you decide you want to go back to the stock recovery system, then just rename those two files back again (remove the .bak) and reboot the phone.

Does an OTA update mean I lose root?

Do you “lose root” if you install an over-the-air update on a stock Android phone? No! All that happens is that the permissions on the “su” file get changed so it is no longer executable. Those l33t haxors will have you thinking you need to do something terribly complicated in order to “get root” but it’s really quite simple. As usual you’ll need the adb and fastboot commands from the Android SDK.

The easiest way to fix this is to boot into ClockworkMod recovery. At the time of writing, the most recent version for the GSM Galaxy Nexus is here. From the bootloader, run

# fastboot boot recovery-clockwork-

Note, we are not flashing anything to the phone here. We are not flashing a custom recovery image or a custom ROM. We are not changing anything in any way. All we are doing is a one-time boot from a different image. If you turn your phone off and on again it will boot back into Android just as it has always done.

Once CWM is running, type the following commands

$ adb shell mount /system
$ adb shell chmod 06755 /system/bin/su
$ adb shell umount /system
$ adb reboot

All we are doing is mounting the /system partition, changing the “su” file to be executable, unmounting the filesystem, and rebooting the phone. You now “have root” again. Don’t you feel like a l33t haxor?

Obtaining root privileges on the Galaxy Nexus – the easy way!

Many people refer to “rooting” an Android phone, and almost seem to make out that you have to be some sort of l33t haxor in order to do it. Indeed, they provide “simple 1-click methods” so that the poor simple users can do it for themselves, because it would be far too difficult for them otherwise.

The truth is, for anyone even vaguely familiar with the Linux command line it is incredibly easy. And I’m going to tell you how to do it. Under Linux, there is a command called “su” for “superuser” that can be typed in order to raise the privileges of the current terminal session to “root” or “administrator”. This command is missing from Android phones. All you need to do to “root” an Android phone is copy a suitably-compiled “su” binary to /system/bin and chmod it to be executable. There. Was that so hard?

Unfortunately the /system partition is, by default, mounted read-only and so you can’t copy “su” to it. No problem, you say, we’ll just remount it read/write. But that needs root-privileges. Ah.

The easiest way to get around this is to boot into “ClockworkMod Recovery” a sort of “linux rescue” mode for Android. Since this is a third-party open-source application we need to unlock the bootloader of the Galaxy Nexus before the phone will allow us to boot from the image. This is just a one-step process, but you’ll need the adb and fastboot commands to do it. The simplest way to get these is to download the Android SDK. The current version for Linux at the time of writing is here.

Once the SDK is setup, reboot your Galaxy Nexus into the bootloader by turning the phone off, and then back on again while holding down both vol-up and vol-down at the same time. Once at the bootloader you can unlock it by simply running

# fastboot oem unlock

WARNING: This will completely wipe your phone. So please ensure you have a backup of your photos etc.

Now we can boot the phone using ClockworkMod recovery. At the time of writing, the most recent version for the GSM Galaxy Nexus is here. From the bootloader, run

# fastboot boot recovery-clockwork-

Note, we are not flashing anything to the phone here. We are not flashing a custom recovery image or a custom ROM. We are not changing anything in any way. All we are doing is a one-time boot from a different image. If you turn your phone off and on again it will boot back into Android just as it has always done.

Now you need to download the su binary file. At the time of writing the latest release for every version of Android from Eclair onwards is here. Unzip that file, and run the following commands

$ adb shell mount /system
$ adb push su /system/bin
$ adb shell chmod 06755 /system/bin/su
$ adb shell umount /system
$ adb reboot

Wasn’t that easy? All we did was mount the /system partition, copy the “su” file to /system/bin, changed the permissions to make it executable, and then unmounted the filesystem and rebooted the phone. Congratulations, you now “have root” as those l33t haxors like to say. How simple was that? Do you really need a “1-click method” that does God knows what behind your back to do it for you? Everything we’ve used here is open-source so if you’re really paranoid you can even compile CWM and su from source to be sure there’s nothing nasty hidden within.

There’s only one last step. At the moment any application on your phone can gain elevated permissions since su does not require a root-password. To prevent this it’s best to install the Superuser app from the market since this allows you to accept or deny when an application requests root privileges. The .apk will have been included in the zip file you downloaded earlier, but there’s really no reason not to just install it direct from the market.