Pages

Monday, August 11, 2014

Decoding and learning remote control cars (RC cars) with Software Defined Radio (SDR)

In this entry i will discuss briefly on decoding and learning the signals from an RC remote (RF remotes) used in various toys and hobby components. This is the way i decoded an rc car remote to duplicate the Rf remote using an arduino and ad9850  rf signal generator as explained in a previous post here.

Overview

The basic components are 

1)  A device to capture the signal- here am using a funcube dongle (RTL sdr could be an alternative)

2)  Software to analyse and convert the signals to a suitable form ( Software defined radio/SDR)- I used gnuradio, but for simple tasks, gqrx or sdr sharp can be an alternative.

3)  Tool to explore the wave files (I used audacity)

Capturing signals

In this case , my idea is to replace the use of an oscilloscope (as many people use) with an SDR for analysing the rf remote signals. Furthermore, sdr  adds other possibilities for signal decoding. But in this post we are dealing with a simple 27mhz remote used in RC toys.

I used gnuradio and the GRC file can be downloaded here. The basic blocks are shown in figure below. It basically receives 27mhz signals and does an am detection and the resulting signal is saved as a wave file (this can be easily performed in any sdr softwares). If you want to learn things and play with a captured file, you can see an example file on github (use this GRC file which uses the captured file)

Gnuradio Companion file for Capturing RC remote signals

Although we deal with a simple modulation here (on off keying), the grc file can be extended with python to perform more complex routines. Once you start the sdr, the signals can be viewed on the waterfall plot (see figure). Square wave is one pulse

Decoding an RC car remote with software defined radio

In this case i have kept the tuning around 27mhz. But if you are looking at remote switches, try to focus on the frequencies specified (mostly 433MHZ) More frequencies can be seen here (ISM band). GRC flow file generates a wav file (cap.wav) which is the demodulated signal.

Analysing the Signals

An example capture signal can be downloaded here. After opening the file in audacity, the wave patterns can be studied manually by visual inspection and further analysis and conversion can be performed in case of complex digital signals. But in this case, simple manual inspection was sufficient to get an idea and clone the signals. See figure below

Analyzing RF remote signal with Audacity

The wave form from audacity shows a sequence of four long pulses followed by ten short pulses. This is a typical signal used in radio controlled devices.  The four long pulses are similar but the remaining pulses vary from 10-60 based on different commands (e.g forward, left, right,   reverse etc)

Length of the pulses can be calculated from the audacity and these information can be used to clone the remote. More about this can be read here


6 comments:

  1. Hi thx for info, i use SDR sharp but i don't have a good signal result like you, the pulses are not rectangular... Here some screenshots: https://goo.gl/photos/vB8ENdrpk8pHzoaP9. The problem come from my settings in SDR-Sharp no ? How i can improve that ? I don't have 4 long pulse but 3 made with 2 short pulses, and after there is 118 short pulses, it looks weird...
    If you have any sughestion, thx!

    ReplyDelete
  2. Gnuradio allows proper filtering. In sdr-sharp, you can try lsb mode instead of am and see if it improves. Some of the remotes uses encryption and in such cases, analysis is complex

    ReplyDelete
  3. Hi, i didn't see your message ( i was waiting a notification but i think i've forgot to active this option), i think it was an antenna problem but i solve it :)

    Your code is nice but something go wrong with the AS9850 or your code and i can't found the problem.

    The output signal from the AD9850 is really bad, i tried to use a longer jumper for the antenna, checked the connectors, changed changed arduino (i use Nanos) and nothing change. Sometimes it works few millisecond or even the signal disapear...

    So i used an another code(https://www.youtube.com/watch?v=LE1CvGWqSsw) for a garage door with FM and it works perfectly (at the same frequency) :/

    I made a video to show you how the signals are

    https://drive.google.com/file/d/0BwwhsifvcMIuYXltQlZpbkVtUHc/view?usp=sharing

    Somethimes there is a short signal with a large spectrum, it's the original remote(all are foward signals so 10 pulse lenght around 300 (my rc car worked with 305 and 280), Frequency: 542895. Because i don't use bouttons i changed void loop to

    void loop (){
    sendcommand (10);
    }

    It can cause trouble ?

    Remote forward signal(https://drive.google.com/file/d/0BwwhsifvcMIuOWhfQ1RJUGhhbWM/view?usp=sharing)

    Do you have an idea about my problem ?

    Have a good day and thx !

    ReplyDelete
  4. Thanks for the feedback and comments. Just check the dds board (AD9850) with the simple sketch here (http://blog.riyas.org/2014/02/quickly-test-ad9850-ebay-module-with-arduino-and-software-defined-radio.html). It just generate a carrier and make sure that the module works properly. Some of these modules gets heated up with 5v and stops working after a while and works fine at 3.3v (where the culprit is an smd oscillator for 125mhz on the dds board which gets heated up at 5v). There shouldnt be any problem using send commands as the pulse length and repetitions are the only thing which matters for these simple remotes.

    Best regards

    ReplyDelete
    Replies
    1. Ho god thx ! The voltage was the problem, i used 3.3v and it works perfectly now :). I'm surprised by how the pulse lenght can be different and works, from 290 to around 350 it work.

      Delete