Large Scale Central

Reverse Engineering Airwire

I had been wondering about how the Airwire system actually works, as I’d like to build my own devices, and be able to program decoders with a computer instead of the throttle. I finally dug into it, and here’s what I have learned. It may be of some interest.

The Airwire devices use the Anaren A1101R09x RF modules, which consist of a TI CC1101 RF modem packaged with supporting hardware (crystal, antenna (or port), etc.). The CC1101 is a popular device, and is quite versatile. There are a lot of configuration options, and the modem can do things like addressing packets, error correction, etc. My first step was to figure out how it’s configured. On the RF spectrum, I could see that the modulation is 2-FSK, but there are a lot of other variables.

I figured the easiest way to see the configuration settings would be to dump the data transmitted from the microcontroller in the throttle to the modem at power up. I did this by tapping the 4 lines that make up the SPI bus between the two parts by soldering wires to the appropriate pins on the RF module.

What I discovered from the configuration data is that it’s bypassing most of the fancy stuff and putting the modem into asynchronous mode. This means that an auxiliary input line is able to just drive the FSK output of the modem directly in realtime. No buffering, framing, etc. Next step was to tap this line and see what’s actually going to the modem. It turns out it’s plain old DCC.

Looking at a capture of the RF data, I can confirm that it’s transmitting DCC as an FSK signal, where the higher frequency is V+ and the lower is V-.

These CC110x modules are dirt cheap. Theoretically, to get DCC (as a logic-level signal) from an Airwire throttle, all you’d need to do is have a microcontroller to throw it into async mode and then listen to the output. I’ll keep you all posted on my progress.
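What "listening to the output" involves once the modem hands over a logic-level DCC signal, as an added example that is not part of the original post: the sketch below turns half-bit durations from a logic-analyzer capture into DCC packets and checks each packet's XOR error byte. The timing windows and framing follow NMRA S-9.1/S-9.2; the function names and the sample capture are constructed for illustration.

```python
from functools import reduce

def classify(half_us):
    """NMRA S-9.1 receive limits: a '1' half-bit is 52-64 us, a '0' half-bit 90-10000 us."""
    return 1 if 52 <= half_us <= 64 else 0 if 90 <= half_us <= 10000 else None

def bits_from_edges(halves_us):
    """Pair consecutive half-bits; on a mismatch or glitch, slide one edge to resync."""
    bits, i = [], 0
    while i + 1 < len(halves_us):
        a, b = classify(halves_us[i]), classify(halves_us[i + 1])
        if a is not None and a == b:
            bits.append(a)
            i += 2
        else:
            i += 1
    return bits

def decode_packets(bits):
    """Return (payload, checksum_ok) for each packet framed in a list of bits."""
    packets, ones, i = [], 0, 0
    while i < len(bits):
        if bits[i] == 1:
            ones, i = ones + 1, i + 1
            continue
        # A 0 is a packet start bit only after a preamble of at least 10 ones.
        framed, ones, i, data = ones >= 10, 0, i + 1, []
        while framed and i + 9 <= len(bits):
            data.append(int("".join(map(str, bits[i:i + 8])), 2))
            i += 9
            if bits[i - 1] == 1:   # end bit; it may also count toward the next preamble
                ones = 1
                packets.append((bytes(data), reduce(lambda x, y: x ^ y, data) == 0))
                break
    return packets

def encode(payload, preamble=14):
    """Build a constructed test signal: 58 us halves for a 1, 100 us halves for a 0."""
    bits = [1] * preamble
    for byte in payload:
        bits += [0] + [(byte >> s) & 1 for s in range(7, -1, -1)]
    bits.append(1)
    return [58 if b else 100 for b in bits for _ in (0, 1)]

IDLE = bytes([0xFF, 0x00, 0xFF])           # DCC idle packet
SPEED = bytes([0x03, 0x68, 0x03 ^ 0x68])   # constructed: address 3, one instruction byte
CAPTURE = [58] + encode(IDLE) + encode(SPEED)  # constructed; starts mid-bit like a real tap
if __name__ == "__main__":
    print(decode_packets(bits_from_edges(CAPTURE)))
```

The XOR byte only catches transmission errors; nothing in the packet identifies the sender, so any receiver on the same frequency will accept a well-formed packet.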

OK, that’s really nifty. I don’t have the know-how to debug like this, but I’m definitely an electronics junkie. Looking forward to your progress.

Yeah, that’s cool. I had heard that’s how they were doing it but I wasn’t sure. Thanks for the engineering investigation. Much appreciated.

Unless Airwire gets cranky, I could see this kind of investigation opening up the market to compatible hardware from other manufacturers. That’s my largest gripe with battery power, there’s no transmitter/receiver standards, and you can get quickly orphaned if a manufacturer decides to stop production.

Shortcomings of DCC notwithstanding, it seems like a smart approach to use the existing standard. They haven’t made any attempt to obfuscate the data or disguise the components on their boards - things that would have been trivial to do if they wanted to head off reverse engineering efforts. I really just want to make my own stuff, but there do seem to be some holes in their product lineup that could be filled by a third party.

Good stuff, Eric. Thanks for that. That’s something that it’s essentially DCC signals going to the modem.

The components are off-the-shelf and cheap, but the transmitter and boards aren’t. I’m willing to pay the price for a high quality product.

Michael Kirrene said:

Good stuff, Eric. Thanks for that. That’s something that it’s essentially DCC signals going to the modem.

The components are off-the-shelf and cheap, but the transmitter and boards aren’t. I’m willing to pay the price for a high quality product.

I agree 100%. I will still buy their products wherever a product exists for the application.

One of the garden RR magazines had an article a couple of years ago that shows how to make a compatible receiver and transmitter. I met a fellow who had built a set and my AirWire transmitter ran it fine.

Bill, I followed that article and the thread(s) on the GR forums. My interest started to wane when errors were reported in the forums, hacks to make it work were presented, but no complete corrected documentation was ever published in GR or anywhere else I am aware of. I am NOT an electronics wizard, just an every day electronics hacker slasher that can follow clear instructions and wield a soldering iron. I had hoped that one day the completed article would be published, but I have long lost hope for that.

So, a question- How fast does this unit go through batteries? That sure is a brute force way to get DCC over wireless.

Martin Sant said:

So, a question- How fast does this unit go through batteries? That sure is a brute force way to get DCC over wireless.

I’m new to this, so others will have more practical experience. But a review of the current throttle claimed 5 hours. It’s dependent on RF gain, though.

Brute force is right. It even injects idle packets. The other drawback is that you can’t really have more than one throttle on a given frequency, since packet collision would be guaranteed.

Hi Eric, sorry we didn’t talk at the meeting. The AirWire has been around a long time, however today most of the newer systems use the 2.4 GHz radios with frequency hopping. So when you run with the club somebody needs to change channels.

As mentioned earlier there are no standards. So AirWire offers DCC but limited radio performance. The Revolution and RailPro offer unlimited radio channels using their sound receivers.

You might find this interesting. Dave Bodnar has been creating some interfaces to take advantage of the Revolution transmitter. His work is posted on http://www.trainelectronics.com/

Don

Hi Don - I thought your name sounded familiar. It must have been from seeing you on here.

I looked at both options a year ago when I was getting started, and chose AirWire because it seemed more hackable, which was one of the things that drew me to G scale. Revolution also seemed to be somewhat unavailable at the time, but it seems that’s changed.

Even though I don’t have a layout yet, I’ve converted 3 locomotives (and a caboose) to Airwire, so I’m pretty embedded.

Off topic: Does the club have some kind of band plan for Airwire at shows? I hadn’t really thought of that.

Eric

When the club attends shows there is usually someone in charge of organizing the frequencies. FYI. At the 2016 East Coast Show somebody did a reset and any AirWire TX that was on also was reset. OOPS.

Don

Don,

Tx or decoder got reset? You both must have been on the same frequency?

Don Sweet said:

When the club attends shows there is usually someone in charge of organizing the frequencies. FYI. At the 2016 East Coast Show somebody did a reset and any AirWire TX that was on also was reset. OOPS.

Don

Oops. Reminds me of a story the NMRA guys told me. At a show on the one club layout, someone tried resetting a decoder on their locomotive, on the main. Then everything went south, because all the locomotives on the layout were on address 03. During a show for the public.

Since the power is out at home for the next several days (2/3 of Maine lost power Sunday night) and I can’t work on the layout, I’m back to some lab work at the office (where there’s power). I had ordered a couple of CC1101 modules from eBay/China, which arrived a few weeks ago. I want to try using these as receivers. To put them into raw mode, I have to send the appropriate setup info, so today I’ve rigged up an Airwire Drop-In to the logic analyzer to dump the setup data from the SPI bus at power-up and whenever CV 200 (RX Freq) is changed. I have good data, so the next task is to try to mimic the startup sequence on the Chinese parts. Stay tuned.
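One way to read such an SPI dump, as an added example that is not part of the original post: the sketch below replays the MOSI bytes of each chip-select period into a shadow register map and decodes the PKTCTRL0 and MDMCFG2 fields that show whether the CC1101 packet engine is bypassed. Header-byte layout, register addresses and field encodings are from the TI CC1101 datasheet; the capture values are constructed and are not the Airwire dump, and one header byte per chip-select period is assumed.

```python
# Field encodings are from the TI CC1101 datasheet register descriptions.
PKT_FORMAT = {0: "normal (FIFO)", 1: "synchronous serial",
              2: "random TX test", 3: "asynchronous serial"}
MOD_FORMAT = {0: "2-FSK", 1: "GFSK", 3: "ASK/OOK", 4: "4-FSK", 7: "MSK"}
PKTCTRL0, MDMCFG2, LAST_CONFIG_REG = 0x08, 0x12, 0x2E

def replay_writes(transactions):
    """Apply the MOSI bytes of each chip-select-low period to a shadow register map."""
    regs = {}
    for mosi in filter(None, transactions):
        header, payload = mosi[0], mosi[1:]
        addr, is_read, burst = header & 0x3F, header & 0x80, header & 0x40
        if is_read or addr > LAST_CONFIG_REG:
            continue                  # reads, strobes (0x30-0x3D), PATABLE and FIFO
        if not burst:
            payload = payload[:1]     # single access carries exactly one data byte
        for offset, value in enumerate(payload):
            if addr + offset <= LAST_CONFIG_REG:
                regs[addr + offset] = value
    return regs

def summarize(regs):
    """Decode the fields that decide whether the packet engine sits in the data path."""
    out = {}
    if PKTCTRL0 in regs:
        v = regs[PKTCTRL0]
        out["packet_format"] = PKT_FORMAT[(v >> 4) & 0x3]
        out["whitening"] = bool(v & 0x40)
        out["crc"] = bool(v & 0x04)
    if MDMCFG2 in regs:
        v = regs[MDMCFG2]
        out["modulation"] = MOD_FORMAT.get((v >> 4) & 0x7, "reserved")
        out["manchester"] = bool(v & 0x08)
        out["sync_mode"] = v & 0x07
    return out

# Constructed capture: values are illustrative only.
CAPTURE = [
    [0x30],                      # command strobe (SRES), no data byte
    [0x02, 0x0D],                # single write to IOCFG0 (GDO0 pin function)
    [0x08, 0x32],                # single write to PKTCTRL0
    [0x50, 0x8C, 0x22, 0x00],    # burst write from 0x10: MDMCFG4, MDMCFG3, MDMCFG2
    [0x88, 0x00],                # read of PKTCTRL0, ignored
]

if __name__ == "__main__":
    print(summarize(replay_writes(CAPTURE)))
```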

I so want to get back into electronics experimenting. Things are so much simpler now with all the building blocks. It’s been almost 20 years since I breadboarded anything. Back then I was still using TTL ICs to make my own logic circuits. I was just starting to get a handle on it when a job change took me out of an electronics repair center and into software support. It would be starting over, but you can do so much more now. Good luck with your project.

Jon Radder said:

I so want to get back into electronics experimenting. Things are so much simpler now with all the building blocks. It’s been almost 20 years since I breadboarded anything. Back then I was still using TTL ICs to make my own logic circuits. I was just starting to get a handle on it when a job change took me out of an electronics repair center and into software support. It would be starting over, but you can do so much more now. Good luck with your project.

Thanks, Jon. Yes, the tools are remarkable. This logic analyzer fits in my shirt pocket, and blows away my previous one, which I could barely lift.

Success!

https://www.youtube.com/watch?v=x4KdDP_gCjs