Reverse engineering the ComfoFan ventilation RF-protocol

ComfoFan is a house ventilation model sold under several brands like Zehnder, StorkAir, BUVA and others.

RF protocol:

• Frequency: 868440000 Hz
• Modulation: GFSK (Gaussian Frequency Shift Keying) (nRF905 default)
• Bitrate: 100kbps (nRF905 default)
• Encoding: Manchester 1 (nRF905 default)
• Frame size: 6 bit preamble + 22 bytes (the nRF905 adds 6 bytes to the payload: 4 rx address bytes and 2 CRC bytes)
• nRF905 payload size: 16 bytes (from offset 0x04 to 0x13)

Frame format:

Transmitter and receiver types:

Commands:

Commands:

Command 0x01: Set voltage

Receiver ID at offset 0x05 is always 0x00: broadcast, but you can also target a specific fan.

Voltage at offset 0B is in the range from 0x00 - 0x7F, which is 000 - 127 decimal, and represents 0.0V to 12.7V. The maximum output voltage to the fan seems to be 10.5V, so all values from 106 to 127 result in an output voltage of 10.5V. Values from 0x80 to 0xFF (128 - 255 decimal) result in the same values from 0x00-0x7F. The MSB bit 7 therefore seems to be ignored.

Command 0x02: Set speed

To do.

Receiver ID at offset 0x05 is always 0x00: broadcast, but you can also target a specific fan.

Command 0x03: Set timer

To do.

Receiver ID at offset 0x05 is always 0x00: broadcast, but you can also target a specific fan.

For the official RF remote control the speed is always 0x03, but you can use custom values like 0x01 or 0x02 as well. Or 0x04 in case of a Timer RF control. Duration is always 0x0A (10) or 0x1E (30) for the official ZRF, but this is customizable as well.

Command 0x04: Current network address ?

To do.

Network address in parameters 1-4 (0x0B-0x0E) is the same as network address at 0x00-0x03. This frame is only sent by the RFZ during the linking sequence.

Command 0x05: Reply to set speed / timer ?

To do.

Values seen for parameter 1-3 (0x0B-0x0D) are:

0x49, 0x02, 0x20
0x4A, 0x02, 0x20
0x4B, 0x02, 0x20
0x4C, 0x02, 0x20
0x4D, 0x02, 0x20
0x50, 0x02, 0x20
0x51, 0x03, 0x20
0x52, 0x03, 0x20
0x54, 0x03, 0x20
0x57, 0x03, 0x20
0x5C, 0x03, 0x20
0x5D, 0x03, 0x20
0x5E, 0x03, 0x20

Command 0x06: Main unit available for linking

When the main unit is powered on it will be available for 10 minutes for linking to remote devices. During these 10 minutes the main unit will transmit the 0x05: Main unit available for linking frame every 420 ms.

Command 0x07: Current fan settings

To do.

Parameter 3 at offset 0x0D seems to be a flag byte. Values seen are: 0x00, 0x01, 0x02
bit 0: 0=timer is off / 1 = timer is on
bit 1: ???
bit 2: ???
bit 3: ???
bit 4: ???
bit 5: ???
bit 6: ???
bit 7: ???

Parameter 4 at offset 0x0E is still unknown. It seems to be always the same value. I have seen different values on different ComfoFan's, so it might indicate the type of Comfofan, software version, the dip-switch settings or maybe some other settings? Values seen are:
0x03: ?
0x05: seen on Comfofan CFMe R
0x06: ?

Command 0x08: ???

I haven't captured any frames of this type yet.

Command 0x09: ???

I haven't captured any frames of this type yet.

Command 0x0A: ???

I haven't captured any frames of this type yet.

Command 0x0B: Linking successful

This package is sent to acknowledge that a device has been successfully linked. The Main Unit will send it first, and the RFZ responds by also sending this frame.

Command 0x0C: RFZ available for linking

When you press the Timer button together with one of the other buttons on the RFZ remote control unit, the RFZ will switch to linking mode. It will now transmit a 0x0C: RFZ available for linking frame every 240ms or so.

Command 0x0D: ???

To do.

Command 0x10: Query device

Query device (fan) for last known settings. The fan unit will reply with 0x07

Command 0x1D: Reply to set voltage ?

To do.

Parameter 1 at offset 0x0B is still unknown. Values seen: 0x05, 0x11, 0x76
Parameter 3 at offset 0x0D is still unknown. It seems to be almost always the same value. Only 1 user has seen different values for the same setup (0x33 and 0x34). Different ComfoFans report different values, so it might indicate the type of Comfofan, software version, the dip-switch settings or maybe some other settings? It could also mean the CO2-level?
When parameter 1 is 0x05 the values seen so far are: 0x4C, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5D
When parameter 1 is 0x11 the values seen so far are: 0x21, 0x26, 0x28, 0x2A, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37
When parameter 1 is 0x76 the values seen so far are: 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C
0x00, 0x2C, 0x33, 0x34: unsure if these relate to a specific value for parameter 1
This message differs from other message types because the 0x1D message is always a broadcast to all (0x00 0x00).

Capturing and analyzing RF signals

There are currently 3 known methods for capturing and analyzing RF signals from your ComfoFan system:

1. Use the nRF905-API
2. With rtl_433 and a RTL-SDR
3. With URH and a RTL-SDR

Analyzing RF signal with nRF905-API

See the nRF905-API page for building/installing. Use the /api/v1/receive.json API endpoint to capture data.

Analyzing RF signal with a RTL-SDR and rtl_433

1. Install rtl_433
2. Plug your RTL-SDR into an USB port
3. Start rtl_433 using the following command:

rtl_433 -f 868400000 -g 10000 -S known -R 0 -X n=zehnder,m=FSK_MC_ZEROBIT,s=10,r=100,preamble={10}fd4,invert -F csv:Zehnder-log.csv

The readable data will be written to the Zehnder-log.csv file.

Analyzing RF signal with a RTL-SDR and Universal Radio Hacker

1. Install Universal Radio Hacker (URH)
2. Plug your RTL-SDR into an USB port
3. Start URH
4. Go to File -> New Project and create a new project. And adjust the settings as shown below.
5. Go to File -> Spectrum Analyzer and adjust the settings as shown below.
6. Click Start and press a button on the Zehnder ZRF remote control. You should see a couple of pulses in the spectrum analyzer
7. Close the Spectrum Analyzer and open the recorder with File -> Record Signal. And adjust the settings as shown below.
8. Make a separate recording of each of the buttons on your remote control
9. Open a signal and click Autodetect parameters. Samples/Symbols should be 10 if you recorded with a sample rate of 1M (1 million samples per second at a bitrate of 100,000 bits per second makes 10 samples per bit)
10. Go to the Analysis tab and select Manchester I as decoding method
11. Enter 1111110101 (the 10-bit nRF905 preamble bits) in the Search box and click Search
12. Congratulations! You just found the start of a frame sent by your Zehnder ZRF remote control! Select the first 176 columns after the preamble (176 bits = 22 bytes), select the Hex value and copy/paste them to your favourite text editor

Reference links

• Reverse Engineering Weather Station RF Signals with an RTL-SDR
• Reverse Engineering - Weather Station RF signals with an SDR and URH
• Using a RTLSDR dongle to validate NRF905 configuration
• Universal Radio Hacker
• Spektrum SV Mod: RTL-SDR Spectrum Analyzer Software Now with Improved UI
• NRF905 RTL-SDR Decoder
• tweakers.net - Zehnder comfofan s aansturen via RPi, Arduino
• tweakers.net - DIY: Itho ventilatie aansturen via 868Mhz transmitter
• Zehnder ComfoAir RS232-port protocol description