Reverse Engineering Wireless Mobile Traffic Lights with an RTL-SDR

When roadworks suddenly appeared on Bastian Bloessl’s girlfriends street the workers put up a set of automated wireless traffic lights to control the flow of traffic during the works. Seeing these lights, Bastian quickly grabbed his RTL-SDR dongle and got to work on reverse engineering the status telemetry signals transmitted by these lights.

Wireless traffic lights reverse engineered with an RTL-SDR
Wireless traffic lights reverse engineered with an RTL-SDR

Bastian discovered two signals at around 170 MHz which corresponded to two pairs of lights. By analyzing the signal in Baudline and Audacity he discovered that the signal was AFSK1200 modulated between 1200Hz and 2400Hz. He then created a simple GNU Radio program which was able to output the frame bit data. After some analysis he was able to make sense of the structure and create a simple web interface that visualized the data as virtual traffic lights on his PC. The YouTube video below shows the signal and his RTL-SDR decoding software in action.

It seems that the telemetry is unencrypted, however we would assume that the control signals are encrypted.

Traffic Lights + GNU Radio + RTL SDR

Notify of

Inline Feedbacks
View all comments

where can I buy such a receiver?



this is very funny. A few days ago I said to my wife that someone could by interested in analyze this signals of traffic lights, maybe. Now Bastian was already *lol*.

Dave H

I wouldn’t be too sure about the command signals being encrypted. You’d be amazed (and probably dismayed) at how much temporary traffic equipment relies on human laziness for security.