January 8, 2018

Unknown Signal Reverse Engineering and Decoding AFSK Signals Tutorial

Over on his blog "ele y ciencia" has written up two very useful blog posts - one on how to decode AFSK signals from scratch and the other on how to reverse engineer any unknown digital signal. The blog is written entirely in Spanish, but Google translate does a decent enough job at getting the message across (in Chrome right click anywhere on the page and select Translate to English or use the Google translate webpage).

The first post is about decoding an AFSK protocol and explains that you need to record the signal with an RTL-SDR or other SDR, apply a low pass filter to obtain the signal envelope and then apply thresholding with the known baud rate to obtain the demodulated digital signal. The tutorial is high level and just explains the process, but doesn't show how to do it in any software. Later on in the post he goes on to show how he reverse engineered a train-land radiotelephone system and a TCM3105 modem chip which utilizes a FSK system.

In the second post he shows how to decode any unknown digital signal using just an RTL-SDR and Audacity. He starts off with finding and recording an unknown digital signal with an RTL-SDR and then reverse engineers it in a sort of manual fashion without using any tools like Universal Radio Hacker. The post goes through the full details and steps that he took, and in the end he gets data out of the signal discovering that it is data from a Fleet Management System used in his country for monitoring data such as speed and engine data from commercial vehicles like trucks and buses.

The two posts are very detailed and could be an excellent reference for those interested in reverse engineering some unknown digital signals in your area.

Decoding an Unknown "Fleet Management" signal from scratch.

Radio Signal Identification Guide

NOTE: Recent changes to WordPress seem to have broken the audio on this page. Please use the new Signal Identification Wiki which has many new signals. Anyone can edit and improve the information on the pages on the wiki.

A guide to help you identify some amateur and utility digital radio signals and sounds which you may find on the frequency spectrum. Most of these have been received with an RTL-SDR software defined radio. I will be slowly adding more to this list over time. If you enable stereo mix and pass the sample audio to an appropriate decoding program the sample audio should be decodable for most samples.

If you would like to suggest a modification or contribute a sample, please send a sample, waterfall image and information about the signal to [email protected], or post in the comments. (Note I am currently backlogged with contributed signals, if I haven’t replied or added your signal yet it will be done within a month or two).

More sites with sample audio can be found at this list on dxzone.com. A very nice overview video of the HF spectrum by balint can be found here. There are also two paperback books: Technical Handbook for Radio Monitoring VHF/UHF (PDF Excerpt) & Technical Handbook for Radio Monitoring HF (PDF Excerpt) which have a very comprehensive list, description and images of many signals.

ACARS Sample Audio: Typical Frequency: 131.550 MHz Mode: AM Bandwidth: 5000-8000 Hz Description: Aircraft Communications Addressing and Reporting System (ACARS). Short messages sent to and from aircraft. Decoding Software: PlanePlotter, ACARSD Video Examples: [1], [2]
P25 Phase 1 (C4FM Modulation) (Encrypted) Sample Audio: Typical Frequency: ~860 MHz, ~500 MHz + others Mode: NFM Bandwidth: 10000 Hz Description: P25 encrypted digital voice signal with C4FM modulation. Decoding Software: Digital Speech Decoder (DSD). Note, only unencrypted can be decoded. Video Examples: [1], [2], [3]
DMR/MotoTRBO Sample Audio: Typical Frequency: ~860 MHz Mode: NFM Bandwidth: 10000 Hz Description: Motorola digital voice signal known as MotoTRBO (pronouced Moto-Turbo). Decoding Software: Digital Speech Decoder (DSD). Note, only unencrypted can be decoded. Video Examples: [1], [2]
POCSAG/FLEX-A Sample Audio: Typical Frequency: ~151 MHz, ~900-950 MHz Mode: NFM Bandwidth: 10000 Hz Description: Pager digital signal known as POCSAG. An acronym of Post Office Code Standardization Advisory Group. Decoding Software: PDW Video Examples: [1], [2]
Weather Balloon (Radiosonde) Vaisala RS92SGP Sample Audio: Typical Frequency: ~400 MHz Mode: NFM Bandwidth: ~5500 Hz Description: Weather balloon (Radiosonde) telemetry data. Only transmits during a weather balloon launch. Decoding Software: SondeMonitor Video Examples: [1], [2]
TETRA Downlink Sample Audio: Typical Frequency: 380 – 430 MHz Mode: – Bandwidth: 25000 Hz Description: Terrestrial Trunked Radio (TETRA), also know as Trans-European Trunked Radio is a professional mobile radio and two-way transceiver (walkie-talkie) specification. Modulated with π/4 DQPSK. Audio sample recorded in NFM mode. Thanks to Jenda for the submission. Decoding Software: osmocomTETRA Video Examples: [1], [2]
Trunking Control MPT1327 Sample Audio: Typical Frequency: ~420 MHz Mode: NFM Bandwidth: 10000 Hz Description: Radio trunking control channel. Decoding Software: Trunkview, UniTrunker Video Examples: [1]
Trunking Control Motorola Type II Smartnet Sample Audio: Typical Frequency: ~860 MHz Mode: NFM Bandwidth: 8000 Hz Description: Radio trunking control channel. Decoding Software: UniTrunker Video Examples:
Trunking Control EDACS96 Sample Audio: Typical Frequency: ~860 MHz Mode: NFM Bandwidth: 10000 Hz Description: Radio trunking control channel. Decoding Software: UniTrunker Video Examples:
Trunking Control APCO P25 Sample Audio: Typical Frequency: ~860MHz Mode: NFM Bandwidth: 12500 Hz Description: Radio trunking control channel. Decoding Software: UniTrunker Video Examples:
AFSK1200 Sample Audio: Typical Frequency: ~144 MHz Mode: NFM Bandwidth: 10000 Hz Description: Audio frequency-shift keying (AFSK). Used by amateur radio hams for packet radio, Automatic Packet Reporting System (APRS) and telemetry. Decoding Software: QTMM Video Examples: [1]
AIS Sample Audio: Typical Frequency: Marine Channel 87 – 161.975 MHz Marine Channel 88 – 162.025 MHz Mode: NFM Bandwidth: 12500 Hz OR 25000 Hz Description: Automatic Identification System (AIS). Used by ships to broadcast position and vessel information. Uses 9.6 kbit GMSK modulation. Decoding Software: ShipPlotter, AISMon (In the Files Section of the Yahoo Group) Video Examples: [1], [2]
NOAA Weather Satellite (APT) Sample Audio: Typical Frequency: NOAA 15 137.620 NOAA 18 137.9125 NOAA 19 137.100 Mode: WFM Bandwidth: 30000 Hz Description: NOAA Automatic Picture Transmission (APT) signal. Used to by the NOAA weather satellites to transmit satellite weather photos. Only transmits at certain times throughout the day when the satellite passes overhead at your location. Decoding Software: WXtoImg Video Examples: [1], [2], [3]
Stereo Wideband FM (WFM) Sample Audio: – Typical Frequency: Common – 87.5 to 108.0 MHz OIRT – 65 to 74 MHz Japan – 76 to 90 MHz Consumer Wireless Devices – ~860 MHz Mode: WFM Bandwidth: 30000 Hz Description: Stereo Wideband FM signal. Used for typical broadcast radio, and in some wireless headsets and speakers. This particular signal is from an AKG headset. Top signal is WFM transmitted with low amplification. Bottom signal is WFM transmitted with high amplification. Thanks to Tobby for the submission. Decoding Software: Unencoded Video Examples: [1], [2]
Amplitude Modulation (AM) Sample Audio: – Typical Frequency: Long wave – 153 to 279 kHz Medium wave – 531 to 1,611 kHz in ITU regions 1 and 3 and 540 to 1610 kHz in ITU region 2. Short wave – 2.3 to 26.1 MHz Aircraft – 108 to 137 MHz Mode: AM Bandwidth: 10000 Hz Description: Amplitude Modulation broadcast audio radio station. Thanks to rtlsdr_is_fun for the submission. Decoding Software: Unencoded Video Examples: [1], [2]
Weatherfax (HFFAX) Sample Audio: Typical Frequency: HF ~3 to 16 KHz. Location dependant. Mode: Upper side band (USB) Bandwidth: ~1900 KHz Description: HF Weatherfax. Used by boats for weather reports. Also Kyodo News, a Japanese newspaper transmits entire pages via HFFAX. Decoding Software: FLDIGI Video Examples: [1], [2]
Upper Side Band Voice (USB) Sample Audio: Typical Frequency: All HF band. Mode: USB Bandwidth: ~1900 Hz Description: Single side band, specifically upper side band. Used in the HF band by amateur radio hams and aircraft weather reports. Single side band saves bandwidth. Decoding Software: Unecoded Video Examples: [1], [2]
Over the Horizon (OTH) Radar Sample Audio: Typical Frequency: All over HF Band Mode: – Bandwidth: – Description: Over the horizon radar. Used by governments for very long range radar systems. Decoding Software: Unencoded
Analogue PAL TV Sample Audio: – Typical Frequency: Multiple Mode: PAL TV Bandwidth: 5 MHz Description: Analogue PAL TV. Color TV signal. Decoding Software: TVSharp Video Examples: [1]
Digital Audio Broadcast (DAB+) Sample Audio: No Audible Sound Produced Typical Frequency: Multiple channels. Block 13F – 239.200 MHz Mode: DAB Bandwidth: 1,537 KHz Description: Digital Audio Broadcast (DAB+). A type of digital broadcast radio signal, containing multiple digital radio stations in the signal. Decoding Software: SDR-J Video Examples: [1]
Baby Monitor (NFM) Sample Audio: – Typical Frequency: ~40 MHz, 49.5 – 50 MHz Mode: NFM Bandwidth: < 15 KHz Description: NFM signal from a baby monitor. Periodically bursts signal when no audio is detected. Thanks to Dean for some extra info. Decoding Software: Unencoded Video Examples: [1]
Digital Radio Mondiale (DRM) Sample Audio: Typical Frequency: Below 30 MHz on HF, near other shortwave radio stations. Mode: USB Bandwidth: 10000 Hz Description: Digital Radio Mondiale (DRM). A form of international digital shortwave radio. Replaces AM shortwave radio. Thanks to Will P. for the contribution. Decoding Software: DREAM, SODIRA Video Examples: [1], [2]
STANAG 4285 Sample Audio: Typical Frequency: All over HF. Mode: USB Bandwidth: 2500 Hz Description: Standardization Agreement (STANAG) 4285. NATO standard for HF communication. Decoding Software: Sorcerer (Waring: Potential Virus Alert), Sigmira Video Examples: [1]
GSM Downlink (Non-Hopping) Sample Audio: Typical Frequency: 900 MHz and 1800 MHz Band OR 850 MHz and 1900 MHz Band Mode: – Bandwidth: 200 KHz Description: GSM Cell Phone Downlink (Non Hopping Signal). Audio sample used NFM mode. Decoding Software: Airprobe
GSM Uplink Sample Audio: No Audible Sound Produced. Typical Frequency: ~890 MHz Mode: – Bandwidth: 200 KHz Description: Initial connection GSM signal sent from a cellphone. Decoding Software: –
GSM Downlink (Hopping) Sample Audio: No Audible Sound Produced Typical Frequency: 900 MHz and 1800 MHz Band OR 850 MHz and 1900 MHz Band Mode: – Bandwidth: Each channel 200 KHz Description: GSM cell phone hopping. Decoding Software: –
“Japanese Slot Machine” (XSL) Sample Audio: Typical Frequency: Between 4 MHz and 9 MHz Mode: USB? Bandwidth: – Description: Known as the Japanese Slot Machine. Thought to be data originating from the Japanese Navy. Decoding Software: Sigmira (But Cannot Decrypt) Video Examples: [1], [2]
Automatic Dependent Surveillance-Broadcast (ADS-B) Sample Audio: No Audible Sound Produced Typical Frequency: 1090 MHz Mode: – Bandwidth: 2 MHz Description: Automatic Dependent Surveillance-Broadcast (ADS-B). Used by aircraft to broadcast their latitude, longitude and altitude. Decoding Software: ADSB#, Dump1090, RTL1090 Video Examples: [1], [2], [3]
Cuban Numbers Station HM01 Sample Audio: Typical Frequency: 11.530 MHz. Mode: AM Bandwidth: – Description: (Previously Unidentified Signal 5). Numbers stations are thought to transmit encoded information for various spy agencies around the world. They are recognized by a voice reading a sequence of numbers or words. This is a Cuban Numbers Station which has a data portion and a voice portion. Sound sample recorded in AM mode. Thanks to Andrew from the comments section for the ID. Decoding Software: Information Here Video Examples: [1], [2], [3], [4], [5]
High Frequency Data Link (HFDL) Sample Audio: Typical Frequency: HF Band Mode: USB (1440 Hz below center) Bandwidth: ~2800 Hz Description: (Previously Unidentified Signal 2). An Aircraft Communications Addressing and Reporting System (ACARS) data link that aircraft use to communicate short messages over long distances using HF signals. Thanks to Andrew from the comments section for the ID. Decoding Software: PC-HFDL Video Examples: [1], [2], [3]
Binary Phase Shift Keying (BPSK31) Sample Audio: Typical Frequency: HF Amateur Band Mode: SSB Bandwidth: ~31 Hz Description: A digital amateur radio mode based on Phase Shift Keying (PSK) modulation Thanks to Patrick for the submission. Decoding Software: Fldigi, MixW, HRD Digital Master 780, MultiPSK Video Examples: [1], [2], [3]
AFSK Paging Link Sample Audio: Typical Frequency: 72-76 MHz Description: (Previously unidentified signal 10). Identified in the comments section by Ronen as an Asynchronous Frequency Shift Keying (AFSK) pager link. It is easier to transmit the FSK pager signal to the transmitter site as AFSK.
Pulse Code Modulated (PCM) RC Toy Signal Sample Audio: Typical Frequency: 27.145 MHz, 72 MHz Description: (Previously unidentified signal 9). Identified in the comments section by W1BMW as a Pulse-code modulated (PCM) signal used for remote control (RC) Toys. Link to IQ file http://i.nyx.cz/files/00/00/09/99/999880_c640d91142db39ee7d57.zip?name=SDRSharp_20130613_113322Z_27186kHz_IQ.zip. Sample audio recorded in USB mode.
Overlapping RTTY Signals Sample Audio: Typical Frequency: HF band Description: Previously unidentified signal (11). Identified in the comments by various contributors as multiple overlapping RTTY signals sent by ham radios.
Voice Frequency Telegraph Sample Audio: Typical Frequency: 7453.50 KHz USB Description: Previously unidentified signal (13). VFT or Voice Frequency Telegraph is one of several systems for sending multiple RTTY signals over one voice-bandwidth radio channel.
Portable Traffic Lights Sample Audio: Found Frequency: 154.463 MHz Description: Previously unidentified signal (17). Identified by Peter via email as being signals sent from portable traffic lights that are often used at roadworks.
X2 on iDEN Sample Audio: – Found Frequency: 154.463 MHz Description: iDEN is an acronym for Integrated Digital Enhanced Network and is a technology developed by Motorola. It is a type of trunked radio with cellular phone benefits. Link to RR identification discussion from submission email. Thanks to Mike (VE3HER) for the submission.
Funcube-1 Satellite Sample Audio: Found Frequency: 145.950 – 145.970 MHz Mode: USB Bandwidth: ~2 kHz Description: The Funcube-1 is a Cubesat amateur radio satellite. Decoding Software: Funcube Telemetry Dashboard
Swedish Pocsag Minicall Sample Audio: Typical Frequency: ~161 MHz Mode: NFM Bandwidth: 20 kHz Description: A short Pocsag 1200 signal used in electric plants and remote transformer and insulation stations. Thanks to Joni for the submission. Decoding Software: PDW Video Examples: [1], [2]

Unidentified Signals

If you know what any of these signals are please write in the comments. You can also submit any unidentified signals you would like to be added to [email protected]

(1) Sample Audio: Found Frequency: 171.3 MHz Description: Recognized by DSD as a NXDN96 signal, but is disputed in the comments section. (Possibly a bug in DSD).
(3) – ALE? Sample Audio: Found Frequency: HF Band Description: Sound sample recorded in USB mode. Potentially some sort of 2G ALE signal. Similar signal shown in balints HF tour video. Possible a weather map transmitted from Tokyo as noted in the comments section by Syd, or 4xFSK from China as identified by K2RCN in the comments.
(4) Sample Audio: Found Frequency: HF Band Description: Periodic pulses. Sound sample recorded in USB mode. Possibly a GlobeWireless signal as identified in the comments section by K2RCN.
(6) Sample Audio: Found Frequency: 152.652 MHz Description: Continuous signal. Audio sample recorded in NFM.
(7) Sample Audio: Found Frequency: 162.863 MHz Description: Continuous bursts. Audio sample recorded in NFM.
(8) Sample Audio: Found Frequency: 457.168 MHz Description: Audio sample recorded in NFM.
(10) Sample Audio: Found Frequency: 452.325 Mhz Description: Sent in over email. Sounds like Motorola Type II smartnet, but Unitrunker does not recognize.
(12) Sample Audio: Found Frequency: 154.646 MHz Description: Sent in over email. Repeats every minute.
(14) Sample Audio: Found Frequency: 433 MHz Description: Sent in over email. Hello! I was listening in the 433MHz band and saw this blip (about 1-2sec) on the waterfall on 433.873 (Millville, MA). It repeats about every 30-50 seconds, though doesn’t seem to be the same every time. Maybe a wireless instrument of some type (weather or something?). The only clear sound of it I could get was with AM, about a 4.2kHz wide filter (rtl-sdr, gqrx linux). Any ideas? Thanks!
(15) Sample Audio: Found Frequency: 455 MHz Description: Sent in over email.
(16) Sample Audio: Found Frequency: 173.262 MHz Description: Sent in over email.
(18) Sample Audio: None Found Frequency: ~856 MHz Description: Sent in over email. The antenna has a Yagi pointed to West from 23.5° South latitude, 47.46° West longitude. The signal can be local or from the sky. The signal is horizontal polarized.
(19) Sample Audio: Found Frequency: ~409.6 MHz Description: Sent in over email. Recorded in NFM mode.