逆向工程 - 433Mhz射频遥控器逆向工程16位校验算法 - 吾爱随笔录

我一直想弄清楚如何计算这些数据包的最后两个校验和字节（16 位）。其余的数据字段是可以理解的，它只是我目前无法正确生成的最后两个字节。

下面是来自零售/原始遥控器的许多学习（记录）数据包的转储，最后（最后两个字节）具有正确的校验和（CRC？）值。此列表的格式是以十进制格式打印的逗号分隔字节。

196,215,0,14,197,176,7,50,1,155,165,1,133,220
196,215,0,14,197,176,7,50,2,155,165,1,30,0
196,215,0,14,197,176,7,50,2,155,165,2,46,99
196,215,0,14,197,176,7,50,2,155,165,2,46,99
196,215,0,14,197,176,7,50,3,155,165,2,88,215
196,215,0,14,197,176,7,50,4,155,165,17,43,168
196,215,0,14,197,176,7,50,5,155,165,17,93,28
196,215,0,14,197,176,7,50,5,155,165,17,93,28
196,215,0,14,197,176,7,50,5,155,165,17,93,28
196,215,0,14,197,176,7,50,5,155,165,18,109,127
196,215,0,14,197,176,7,50,6,155,165,18,246,163
196,215,0,14,197,176,7,50,6,155,165,18,246,163
196,215,0,14,197,176,7,50,8,155,165,33,82,201
196,215,0,14,197,176,7,50,8,155,165,33,82,201
196,215,0,14,197,176,7,50,8,155,165,33,82,201
196,215,0,14,197,176,7,50,9,155,165,34,20,30
196,215,0,14,197,176,7,50,9,155,165,34,20,30
196,215,0,14,197,176,7,50,9,155,165,34,20,30
196,215,0,14,197,176,7,50,11,155,165,176,90,141
196,215,0,14,197,176,7,50,16,155,165,49,222,156
196,215,0,14,197,176,7,50,16,155,165,49,222,156
196,215,0,14,197,176,7,50,16,155,165,50,238,255
196,215,0,14,197,176,7,50,18,155,165,66,125,0
196,215,0,14,197,176,7,50,19,155,165,66,11,180
196,215,0,14,197,176,7,50,19,155,165,66,11,180
196,215,0,14,197,176,7,50,19,155,165,65,59,215
196,215,0,14,197,176,7,50,19,155,165,65,59,215
196,215,0,14,197,176,7,50,21,155,165,82,62,28
196,215,0,14,197,176,7,50,21,155,165,82,62,28
196,215,0,14,197,176,7,50,22,155,165,81,149,163
196,215,0,14,197,176,7,50,22,155,165,81,149,163
196,215,0,14,197,176,7,50,23,155,165,176,14,24
196,215,0,14,197,176,7,50,23,155,165,176,14,24
196,215,0,14,197,176,7,50,24,155,165,176,218,246
196,215,0,14,197,176,7,50,24,155,165,176,218,246
196,215,0,14,197,176,7,50,27,155,165,160,83,27
196,215,0,14,197,176,7,50,30,155,165,161,255,127
196,215,0,14,197,176,7,50,34,155,165,162,172,199
196,215,0,14,197,176,7,50,37,155,165,192,177,14
196,215,0,14,197,176,7,50,42,155,165,192,101,224
196,215,0,14,197,176,7,50,45,155,165,100,193,163
196,215,0,14,197,176,7,50,48,155,165,96,163,6
196,215,0,14,197,176,7,50,50,155,165,96,78,110
196,215,0,14,197,176,7,50,52,155,165,100,41,115
196,215,0,14,197,176,7,50,53,155,165,101,79,230
196,215,0,14,197,176,7,50,53,155,165,105,142,106
196,215,0,14,197,176,7,50,54,155,165,106,37,213
196,215,0,14,197,176,7,50,55,155,165,107,67,64
196,215,0,14,197,176,7,50,55,155,165,108,51,167
196,215,0,14,197,176,7,50,55,155,165,109,35,134
196,215,0,14,197,176,7,50,56,155,165,110,199,11
196,215,0,14,197,176,7,50,56,155,165,110,199,11
196,215,0,14,197,176,7,50,57,155,165,110,177,191
196,215,0,14,197,176,7,50,57,155,165,110,177,191
196,215,0,14,197,176,7,50,57,155,165,110,177,191
196,215,0,14,197,176,7,50,58,155,165,109,26,0
196,215,0,14,197,176,7,50,58,155,165,108,10,33
196,215,0,14,197,176,7,50,59,155,165,107,12,114
196,215,0,14,197,176,7,50,59,155,165,106,28,83
196,215,0,14,197,176,7,50,59,155,165,105,44,48
196,215,0,14,197,176,7,51,0,155,165,104,164,182
196,215,0,14,197,176,7,51,0,155,165,103,85,89
196,215,0,14,197,176,7,51,1,155,165,102,51,204
196,215,0,14,197,176,7,51,1,155,165,101,3,175
196,215,0,14,197,176,7,51,1,155,165,100,19,142
196,215,0,14,197,176,7,51,2,155,165,99,248,181
196,215,0,14,197,176,7,51,2,155,165,98,232,148
196,215,0,14,197,176,7,51,3,155,165,97,174,67
196,215,0,14,197,176,7,51,3,155,165,97,174,67
196,215,0,14,197,176,7,51,3,155,165,97,174,67
196,215,0,14,197,176,7,51,4,155,165,97,255,110
196,215,0,14,197,176,7,51,4,155,165,97,255,110
196,215,0,14,197,176,7,51,7,155,165,96,116,147
196,215,0,14,197,176,7,51,9,155,165,113,212,217
196,215,0,14,197,176,7,51,12,155,165,112,120,189
196,215,0,14,197,176,7,51,15,155,165,113,243,64
196,215,0,14,197,176,7,51,16,155,165,114,12,106
196,215,0,14,197,176,7,51,16,155,165,115,28,75
196,215,0,14,197,176,7,51,16,155,165,116,108,172
196,215,0,14,197,176,7,51,17,155,165,117,10,57
196,215,0,14,197,176,7,51,17,155,165,118,58,90
196,215,0,14,197,176,7,51,17,155,165,119,42,123
196,215,0,14,197,176,7,51,18,155,165,119,177,167
196,215,0,14,197,176,7,51,18,155,165,119,177,167
196,215,0,14,197,176,7,51,19,155,165,119,199,19
196,215,0,14,197,176,7,51,19,155,165,119,199,19
196,215,0,14,197,176,7,51,19,155,165,119,199,19
196,215,0,14,197,176,7,51,20,155,165,118,134,31
196,215,0,14,197,176,7,51,20,155,165,117,182,124
196,215,0,14,197,176,7,51,20,155,165,116,166,93
196,215,0,14,197,176,7,51,21,155,165,115,160,14
196,215,0,14,197,176,7,51,21,155,165,114,176,47
196,215,0,14,197,176,7,51,21,155,165,113,128,76
196,215,0,14,197,176,7,51,22,155,165,113,27,144
196,215,0,14,197,176,7,51,22,155,165,113,27,144
196,215,0,14,197,176,7,51,22,155,165,113,27,144
196,215,0,14,197,176,7,51,22,155,165,113,27,144
196,215,0,14,197,176,7,51,23,155,165,113,109,36
196,215,0,14,197,176,7,51,26,155,165,112,68,131
196,215,0,14,197,176,7,51,30,155,165,176,87,62

数据格式：

196,215,0,REMOTESERIAL_hibyte,REMOTESERIAL_lobyte,176,TIME_HOUR,TIME_MINUTE,TIME_SECOND,ALARM_HOUR|(ALARM_ENABLE<<7),ALARM_MINUTE,COMMAND,CHECKSUM1,CHECKSUM2

前两个字节 (196,215) 可能是一个 16 位同步字 [magic value]。前面有一个带有 4 倍 0xAA 字节的前导码来同步接收器时钟，但我认为这不是校验和的一部分，因为数据用于同步接收器，因此在接收器 AGC 稳定之前经常会出现乱码。在任何情况下，这些初始值都是静态的，不会改变数据包之间的校验和值。

遥控器内部有一个 RTC（实时时钟）芯片，每个数据包都包含 HH:MM:SS 时间，因此即使重复之前的命令，它也会经常更改校验和值。我从未见过只有一个校验和值单独改变。当数据包数据发生变化时，两个校验和字节似乎总是在变化，而不仅仅是其中一个。

遥控器使用的芯片是 ChipCon CC1050 (433MHz)。根据数据表，该芯片没有内置 CRC 支持，这与 CC1101 等后来的型号不同。设计说明 DN502 中详细介绍了该芯片和其他芯片的 CRC 算法：https ://www.ti.com/lit/an/swra111e/swra111e.pdf ? ts = 1618523904103

我已经尝试过这个算法（以及我在网上找到的另外两个 CRC16 算法），使用数据包数据和它的各个部分，有和没有前导码和同步字都无济于事。我还对 16 位 CRC 的所有 65536 个可能的初始值进行了蛮力操作，但无济于事。

我希望有人能解决这个问题，因为我尝试了很多不同的方法，但此刻似乎正在撞墙。:)