Tagged: ISM

A Low Cost 2.4 GHz Downconverter from off the Shelf Dev Boards

Over on GitHub Ian Wraith has released his design and microcontroller code for a low cost 2.4 GHz downconverter circuit. A downconverter is a hardware device that shifts the signals that it receives into a lower frequency band. This is useful in the case of RTL-SDRs and Airspy SDRs, as their maximum frequency range is only 1.7 GHz. Ian's 2.4 GHz downconverter reduces those 2.4 GHz signals down to 1 GHz, which can then be received with his Airspy.

Rather than designing a circuit from scratch, Ian's design makes use of several very cheap Chinese evaluation/development boards that he found on eBay. It costs of a mixer board, oscillator board, and an STM32 development board for controlling the oscillator board via SPI. The whole set of hardware cost him less than £30 (~37 USD).

After spending some time working through the difficulties in programming the SPI interface on the STM32 board, he was able to get the downconverter circuit fully working. He notes that he's been able to receive WiFi, Zigbee, Bluetooth and ISM band signals at 2.4 GHz, as well as 3G and 4G cellular signals at 2.6 GHz.

Ian Wraith's Downconverter consisting of three off the shelf cheap Chinese eBay boards.
Ian Wraith's Downconverter consisting of three off the shelf cheap Chinese eBay boards.

Recovering 433MHz Messages with RTL-SDR and MATLAB

Recently RTL-SDR.com reader Ilias wrote in to let us know about a post he uploaded to his blog showing how he was able to decode data from a device transmitting at 433 MHz using an RTL-SDR and MATLAB. MATLAB is a technical computing language that can be used for signal analysis and processing. His post clearly explains the steps he took and is a great aide for anyone wanting to learn about decoding simple signals.

The goal of Ilias’ project was to be able to use the RTL-SDR and MATLAB to uncover the details of a 433 MHz transmitter he bought on Ebay. He wanted to see if he could determine the protocol and recover the data before even looking at the transmitter’s library code.

To do this he first used SDR# to record the data sent at 433 MHz. Then by looking at the waveform in the Audacity audio editor he was able to determine that the signal was on-off-key (OOK) modulated and from this knowledge he was able to manually recover the binary string. Next he used MATLAB to create a program that can automatically decode the received OOK signal. His post goes into further detail about the signal processing steps he took in MATLAB.

433 MHz OOK Transmitter
433 MHz OOK Transmitter

Using an RTL-SDR to help open a Gated Community

Tomasz lives in a gated community, but as he doesn’t own a car he wasn’t given access to a gate remote control. This made it difficult for him to have friends who have cars visit him. So he decided to use an RTL-SDR to receive, capture, analyze the gate signal which is transmitted at 433 MHz and then copy the signal to use with his own homemade transmitter.

First Tomasz used his RTL-SDR with SDR# to capture a few sound files of the gate remote which transmits at 433 MHz. Then he viewed the sound waveform’s in Audacity, a free audio editing program. Just by looking at the waveform he was able to determine that the signal was On-Off Key (OOK) modulated and that each frame of the transmission was the same, meaning that no security scheme was used.

Next he wrote down the transmission parameters that he learned from his analysis and built a simple 433 MHz transmitter which he connected to a microcontroller. After programming his microcontroller to send a copied signal he was able to open the gate.

433 MHz Gate Remote Received on the RTL-SDR
433 MHz Gate Remote Received on the RTL-SDR

Using an RTL-SDR and TI Chronos RF Wristwatch to Copy a Garage Door Opener

At Tel-Aviv University in Israel, two students undertook a class project where they were able to use an RTL-SDR to record a garage door opener signal and then use a Texas Instruments (TI) Chronos watch to retransmit a copy of the signal. Their report can be found here (pdf). The TI Chronos is a wrist watch with a built in programmable ISM band RF transmitter.

The students report contains an analysis of the signal which may be of use to anyone interested in decoding their own ISM band signals and they also describe a method used to automatically obtain the required parameters for programming the TI Chronos with the signal to be copied. The abstract of their report is as follows

We present a simple and affordable way of copying remote controls widely used for parking lot gates, garage doors and other simple systems. These simple remote controls usually use a fixed code (as opposed to the more secured rolling code used for car keys remote controls) and a simple On-Off Keying (OOK) modulation, over 433.92MHz in the ISM band. We suggest the use of the TI-Chronos wrist-watch platform for the emulation of the remote control, as this platform transmits in the same band, and can be programmed to emulate different modulations and to send user pre-defined signals.

In this report we show the complete process for copying a remote control into the Chronos platform. This process utilizes only a standard PC and low-cost hardware (less than $75 all together), alongside free software, and additional software developed by us. The process starts with recording the original remote control RF signal. It continues with automatic analysis of the recording, extracting the needed parameters of the signal. Finishing the process, we set the Chronos with those parameters. We demonstrate the copy process using a 4-channel remote control and its receiver board.

Flow Diagram of Copy Process
Flow Diagram of Copy Process