It’s still September, but winter will come soon. I learned about Software Defined Radio years ago, but the equipment was very expensive or limited. The software ecosystem wasn’t that large either.
However, that has changed in the meantime: an Airspy is US$169 and the SpyVerter $49, and that combo can scan anything from DC to 1.8GHz.
First order was watching the spectrum at various wavelengths via SDR#:

As you can see, it detects nicely when I pushed a button on the 433.92MHz remote control. Interestingly, there’s a slight 3kHz mistuning for the small remote compared to the RF bridge:

Lower signal: RF Bridge, upper signal: remote control
And I can listen to FM radio (very poor quality since the antenna I have is for 433MHz band):

To use any other bands besides 433MHz I’d need different or adjustable antennas. Something to worry about later.
Decoding the RF Remote Control
Recognizing and decoding digital signals is surprisingly easy with the right tools. rtl_433 can decode a lot of standard devices, so it was my first attempt. Compiling was a bit more complex than I thought due to dependencies. It was documented well enough, though. Once that’s done, it’s time to decode some signals!
rtl_433 -d airspy -Y autolevel -M level -R 0 -v -A
This shows output like the following for every button press, usually repeated several times:
Analyzing pulses...
Total count: 25, width: 290297.52 ms (72574379 S)
Pulse width distribution:
[ 0] count: 1, width: 289230564 us [289230564;289230564] (72307641 S)
[ 1] count: 16, width: 11380 us [11372;11456] (2845 S)
[ 2] count: 8, width: 33640 us [33636;33644] (8410 S)
Gap width distribution:
[ 0] count: 9, width: 11708 us [11684;11728] (2927 S)
[ 1] count: 15, width: 34020 us [33880;34284] (8505 S)
Pulse period distribution:
[ 0] count: 1, width: 289242292 us [289242292;289242292] (72310573 S)
[ 1] count: 23, width: 45380 us [45256;45660] (11345 S)
Pulse timing distribution:
[ 0] count: 1, width: 289230564 us [289230564;289230564] (72307641 S)
[ 1] count: 25, width: 11496 us [11372;11728] (2874 S)
[ 2] count: 23, width: 33888 us [33636;34284] (8472 S)
[ 3] count: 1, width: 100004 us [100004;100004] (25001 S)
Level estimates [high, low]: 126, -1
RSSI: -42.3 dB SNR: 42.0 dB Noise: -84.3 dB
Frequency offsets [F1, F2]: 121, 0 (+0.5 kHz, +0.0 kHz)
Guessing modulation: Pulse Width Modulation with sync/delimiter
view at https://triq.org/pdv/#AAB104FFFF2CE88460FFFF819292929292A19292A1A1A1A1929292A1A192929292A1929355
Attempting demodulation... short_width: 11380, long_width: 33640, reset_limit: 34288, sync_width: 289230560
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=11380,l=33640,r=34288,g=0,t=0,y=289230560'
pulse_slicer_pwm(): Analyzer Device
bitbuffer:: Number of rows: 1
[00] {24} fb 0e 7b : 11111011 00001110 01111011
Note the line with the flex decoder: those numbers vary slightly. Take the average for s, for l and r. Use the most common values for g and y. Use t to add some margin of timing error. I have 2 RF devices: a small remote control and an RF-Wifi bridge. Both can send the same signals, but their timing is slightly off:
- Remote: s=13378±5, l=33638±10, r=34929±10
- Bridge: s=11635±40, l=34198±10, r=34768±10
So I took the average, added some slack and that worked for both devices:
$ rtl_433 -d airspy -Y autolevel -M level -R 0 -v -X 'n=remote1,m=OOK_PWM,s=11500,l=34000,r=34900,g=0,t=800,bits=24'
[...]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
time : 2022-09-23 11:46:45
model : name count : 1 num_rows : 2 rows :
len : 0 data : ,
len : 24 data : fb0e7b
codes : {0}, {24}fb0e7b
Modulation: ASK Freq : 433.9 MHz
RSSI : -48.3 dB SNR : 36.0 dB Noise : -84.3 dB
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
time : 2022-09-23 11:46:45
model : name count : 1 num_rows : 2 rows :
len : 0 data : ,
len : 24 data : fb0e7b
codes : {0}, {24}fb0e7b
Modulation: ASK Freq : 433.9 MHz
RSSI : -48.3 dB SNR : 36.0 dB Noise : -84.3 dB
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
[...]
Note that the shown code fb0e7b is unique to a single button. The other 3 buttons send different 24 bit codes.
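The averaging step described above for the flex decoder values can be scripted. The following is an added example, not part of the original post or of rtl_433: it parses the analyzer's "Use a flex decoder" suggestions from several button presses, averages s, l and r, takes the most common g and y, and checks that the chosen tolerance t covers every observed width. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean

# Constructed sample input: the first line is the suggestion shown in the
# capture above; the other three are made-up values for illustration.
SAMPLE = """\
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=11380,l=33640,r=34288,g=0,t=0,y=289230560'
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=11376,l=33644,r=34292,g=0,t=0,y=0'
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=11640,l=34200,r=34770,g=0,t=0,y=0'
Use a flex decoder with -X 'n=name,m=OOK_PWM,s=11632,l=34196,r=34766,g=0,t=0,y=0'
"""

SPEC_RE = re.compile(r"-X '([^']+)'")


def parse_specs(text):
    """Return one {key: value} dict per suggested flex spec in the output."""
    return [dict(kv.split("=", 1) for kv in m.group(1).split(","))
            for m in SPEC_RE.finditer(text)]


def combine(specs, name, tolerance, bits=None):
    """Average s/l/r, take the most common g/y, and validate tolerance t."""
    out = {"n": name, "m": specs[0]["m"]}
    for key in ("s", "l", "r"):
        out[key] = round(mean(int(s[key]) for s in specs))
    for key in ("g", "y"):
        out[key] = int(Counter(s[key] for s in specs).most_common(1)[0][0])
    out["t"] = tolerance
    # Every observed short/long width must lie within value +/- t ...
    for key in ("s", "l"):
        worst = max(abs(int(s[key]) - out[key]) for s in specs)
        if worst > tolerance:
            raise ValueError(f"{key}: deviation {worst} us exceeds t={tolerance}")
    # ... and the two windows must not overlap, or bits become ambiguous.
    if out["s"] + tolerance >= out["l"] - tolerance:
        raise ValueError("short and long pulse windows overlap")
    if bits:
        out["bits"] = bits
    return ",".join(f"{k}={v}" for k, v in out.items())


if __name__ == "__main__":
    print("-X '" + combine(parse_specs(SAMPLE), "remote1", 800, bits=24) + "'")
```

The script applies the plain averages; the command in the post uses hand-rounded values with extra slack (s=11500, l=34000, r=34900) and omits y.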
Other 433.92MHz Devices
I was hoping to find more devices on that band, but I guess I need a really good antenna on a roof to detect them.
Frequency Usage in Japan
Here is the most useful general frequency usage plan.