SignalsEverywhere: Exploring Cable Modem Signals with Software Defined Radio

Over on YouTube SignalsEverywhere has just uploaded his latest video about using a HackRF and Airspy R2/Mini to explore the signals coming out of an internet cable modem's coax cable. In the video he performs a wideband scan with his Airspy R2 and the SpectrumSpy software which shows not only his, but the downstream signals from other users in his neighborhood on the cable network too.

Next using his HackRF with Spectrum Analyzer and the hackrf_sweep fast sweeping software, he was able to determine the uplink portion of his cable modem. By running an internet speed test in the background he was also able to visualize the increased cable data activity on the spectrum waterfall display.

Notify of

Inline Feedbacks
View all comments

Since the video is deleted, here’s a working link to an archive:


Dude your upstream Channels are clearly marked between 19.4 MHz and 37 MHz… see the Hz column? The 2560 and 5120 are how many symbols a sec are on the channel. 5120 means it’s 6.4 MHz wide and 2560 is 3.2 MHz wide.

Your looking at 2.4 GHz WiFi and I know your using WiFi since I see the WiFi signal meter on both the mobile and PC screen cast.

The 6 MHz chunks are QAM channels that can contain digital video or data. Wait until you find OFDM (DOCSIS 3.1) data, that’s anywhere from 48 MHz wide to 192 MHz wide (with the common configuration being 96 MHz).

Benjamin Larsson

The constant signals around 600MHz are the actual dvb-c muxes. If you look at the frequency offset you see that they are in 6MHz steps and the video states that they are QAM256 modulated. So this cable system is probably in the US.


I don’t think so. Is modem’s status page clearly shows is using Docsis downstream frequencies between 609 and 651 MHz. There are probably DVB-C or even analog TV/Radio frequencies, but not there. More probably in the 50/110 range (unused by Docsis 3 or lower).

DVB-C spec

Downstream is modulated in QAM256 and it is active constantly, even if there is no traffic at all. In most cases frequencies are shared between actual DVB-C muxes (QAM256 too) and downlink. Eg. 602 MHz might be DVB-C mux, 610 MHz – downlink. Spectrum can be shared between these two.
Because for downlink 256QAM is in use, it is possible to lock and grab data from downlink with any PC DVB-C device (for 8 MHz channel SR 6952 is in use in most cases), but as Gérald mentioned in his comment – stream is secured, so nothing readable will be found, just traffic


I believe that SignalsEverywhere is making quite a few wrong assumptions here.

These signals around 2.4GHz are certainly not upstreams channels, but rather Wifi interferences. Upstreams frequencies are between 5 to 42 MHz for standard US Docsis or 65 MHz for standard Eurodocsis, or upto 85 MHz for both for extended frequency plan.

Downstream frequencies are between 112 and 999/1002 MHz (extended US/Eurodocsis), but usually not above 867/858 MHz.

Downstreams frequencies are emitting permanently, while upstreams are only emitting when a modem is sending data. But of course, you will see some upstream activity even when downloading, since TCP protocol requires sending some acknowledgment packets to the sender.

Also, it seems that he’s inversing up/downstream usage: upstream is when your cable modem is sending data to the network (=upload from your computer point of view), downstream is data coming from the network to your and others modems (=download).

And also, i’m afraid he will not be able to decrypt anything, since with Docsis 3.0, communications are supposed to be AES encrypted (or maybe DES if Docsis 2.0 compatibility needed).