decode RF transmitter — Parallax Forums

decode RF transmitter

ionymous Posts: 29
edited 2008-11-10 17:33 in Propeller 1
I want to determine the protocol of an RC transmitter. Like the kind you'd find with an RC toy.
I don't even know the frequency yet. (Though I can target the common ones first)
I'm hoping to use my Propeller to figure out the frequency and protocol.

I've seen several posts (by Beau) about making a transmitter and a Spectrum Analyzer (for audio).

I can easily access the antenna signal wire, and connect it to a Propeller input (though I'm not yet sure how to protect the circuit).

Can anyone recommend a plan for me?
It seems like I need to find the frequency first, and then break down the protocol.

Should I try to use Beau's Spectrum Analyzer (for audio) for this, or something else?

Thanks for helping me get started!
Ion

Comments

  • Leon Posts: 7,620
    edited 2008-11-06 19:23
    That won't give the frequency. You could use a suitable frequency counter, I have one that goes up to 3 GHz. It was quite cheap, and is very sensitive.

    Leon

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Amateur radio callsign: G1HSM
    Suzuki SV1000S motorcycle
  • Beau Schwabe Posts: 6,562
    edited 2008-11-06 19:31
    ionymous,

    I wouldn't initially use a Propeller to determine what an unknown signal looks like. Use an oscilloscope; a spectrum analyzer or frequency counter would be overkill, and probably not give you the proper results, because the signal is often broken down into some kind of mark/space digital transmission that can only be seen on a scope.


    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.
  • ionymous Posts: 29
    edited 2008-11-06 19:41
    Yeah. It always sucks not having an oscilloscope.

    In the past I've been able to use scopes from my workplace. Not the case now.

    I guess I'll have to look around for one.

    Any other suggestions are welcome.
    Thanks
    Ion
  • Beau Schwabe Posts: 6,562
    edited 2008-11-06 19:54
    ionymous,

    Without knowing any parameters of the signal, it's hard to make any assumptions.

    http://www.parallax.com/Store/Sensors/CustomKits/tabid/134/txtSearch/scope/List/1/ProductID/46/Default.aspx?SortField=ProductName%2cProductName

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.
  • ionymous Posts: 29
    edited 2008-11-06 20:22
    The Parallax USB Oscilloscope says "200 kHz Bandwidth"

    My understanding is that common consumer radio controls are 27MHz, 49MHz, 72MHz, and 75MHz

    Is this "200 kHz bandwidth" a problem in this case, or am I misinterpreting things?

    Ion
  • Beau Schwabe Posts: 6,562
    edited 2008-11-06 20:31
    ionymous,

    If you're looking to determine the carrier frequency, it's usually stamped on the back of the transmitter... if not it can be read directly off of the crystal.

    The Parallax scope is plenty fast enough to decode the bit pattern that you would use to modulate the carrier frequency.

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.
  • Leon Posts: 7,620
    edited 2008-11-06 20:31
    A frequency counter will work if the transmitter is set to transmit continuously.

    Leon

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Amateur radio callsign: G1HSM
    Suzuki SV1000S motorcycle
  • FrameShift. Posts: 35
    edited 2008-11-06 20:33
    You could probably use Viewport 4's scope feature.
  • Paul Baker Posts: 6,351
    edited 2008-11-06 20:55
    If you live anywhere near a university, you can typically make an arrangement (especially if you know anyone there) to use a good 2GHz scope for an hour or two. Usually all that's needed is looking on the university's website for their engineering college staff and sending an email to a few of the professors (look for someone tenured whose specialty is in a field that needs oscilloscopes, the best are professors who have a graduate study group and a lab).

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Paul Baker
    Propeller Applications Engineer

    Parallax, Inc.
  • ionymous Posts: 29
    edited 2008-11-06 20:58
    Beau said...

    If you're looking to determine the carrier frequency, it's usually stamped on the back of the transmitter... if not it can be read directly off of the crystal.

    The Parallax scope is plenty fast enough to decode the bit pattern that you would use to modulate the carrier frequency.

    Ah... I see... that makes sense. The carrier frequency is one thing... the frequency of modulation pulses is another. And of course it is less frequent.

    In a similar project, I take a couple of digital signals (not an antenna) and plug them into a couple of inputs on my propeller.
    My propeller code then saves the cnt in a couple of buffers whenever the signals transition high-low or low-high.
    When it fills its buffers, it dumps the buffers out the serial port to my PC.

    I then have a PC app I made to then show me the signals.

    If I knew the carrier frequency (by looking at the crystal), would that help me do what I just described?
    It sounds like the $140 usb oscilloscope would help me, but is there some simple way to "remove" the carrier frequency and/or just treat the modulation as a "normal" digital signal?
    I hope I'm making some sense.

    Ion
  • Leon Posts: 7,620
    edited 2008-11-06 21:08
    The crystal frequency isn't necessarily the same as the transmitter frequency, it might be multiplied.

    Leon

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Amateur radio callsign: G1HSM
    Suzuki SV1000S motorcycle
  • ionymous Posts: 29
    edited 2008-11-06 21:21
    Leon said...

    A frequency counter will work if the transmitter is set to transmit continuously.

    The crystal frequency isn't necessarily the same as the transmitter frequency, it might be multiplied.

    Some vague unconfirmed documentation tells me that the transmitter DOES transmit continuously.
    In the case when no actions are required, header bits are sent and then all data bits are low.
    As soon as the last data bits are sent, the next header and data bits are sent immediately.

    I will look for the crystal when I get a chance.
    If it is a common frequency, I don't mind assuming it isn't multiplied.

    Are multipliers usually whole numbers? I'm wondering if I might be able to correctly guess the transmitter frequency based on the crystal.
    For example if the crystal was exactly 1/8 of a common RC transmitter frequency.

    Ion
  • Leon Posts: 7,620
    edited 2008-11-06 21:26
    If it's about 27 MHz, which is a common RC frequency, you can assume that it isn't multiplied. Multiplication is by an integer, unless it has a PLL synthesiser.

    Leon

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Amateur radio callsign: G1HSM
    Suzuki SV1000S motorcycle
  • ionymous Posts: 29
    edited 2008-11-06 22:26
    Cool. I got home and checked it.
    Hooray 27.145 is imprinted on the crystal.

    Now can I use that to help me determine the protocol?

    Can I hook the antenna line up to an input and make sense of it somehow?
    Can I make a receiver out of my propeller similar to Beau's transmitter?

    Ion
  • Beau Schwabe Posts: 6,562
    edited 2008-11-07 07:43
    ionymous,

    "Now can I use that to help me determine the protocol? Can I hook the antenna line up to an input and make sense of it somehow?" - With a scope you will visually "see" the 27.145MHz carrier frequency most likely in modulated bursts (see attached image)

    "Can I make a receiver out of my propeller similar to Beau's transmitter?" - Receivers can be tricky. Your best bet is to copy an existing regenerative style receiver design tuned to 27.145MHz and use the conditioned output to drive an I/O pin making note of the voltage levels entering the I/O pin.

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.
  • ionymous Posts: 29
    edited 2008-11-07 14:32
    I have reason to believe that this is generally how bits are sent by the transmitter:
    Let's say there are 10 bits per frame. Frames repeat one after another, forever.

    The first 2 bits are start bits. This allows the receiver to sync up with the signal.
    Then there are 8 data bits.
    The expected duration of the entire frame is known by both sides.
    If you divide this frame duration by the expected number of bits (10), you know the expected "bit duration".

    Each bit duration can be divided in two halves.
    If there is a transition from high to low during the first half of a bit duration, this means that bit is high.
    If there is a transition from high to low during the second half of a bit duration, this means that bit is low.

    Like I said, this is generally the idea. I still need to learn the timing and any nuances.

    Now let's say I was using an oscilloscope to look at this.
    I understand I won't see a nice square digital high/low transitioning signal.
    I've mostly used digital signal storage scopes before.

    But will I be able to see the transition from high to low and low to high and be able to measure their durations and timing?

    Looking at the oscilloscope image from Beau, I am trying to understand how I would make sense of it.
    Is that like a single transition?

    Maybe I should read the manual/documentation for the Parallax USB oscilloscope before I purchase one?

    Ion
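The capture method ionymous describes earlier (saving `cnt` at every transition) combined with the half-bit rule from the post above, as an added example that is not code from any poster. The 80 MHz clock, 1 ms bit time, `1,1` start bits and MSB-first bit order are assumptions, and the sample capture is constructed.

```python
CNT_MODULUS = 1 << 32   # Propeller 1 cnt is a free-running 32-bit counter


def unwrap_cnt(raw):
    """Make raw 32-bit cnt samples monotonic (assumes < 1 rollover between samples)."""
    out, base, prev = [], 0, None
    for v in raw:
        if prev is not None and v < prev:   # counter rolled over
            base += CNT_MODULUS
        out.append(base + v)
        prev = v
    return out


def decode_frames(falling, frame_start, bit_ticks, bits_per_frame=10, start_bits=2):
    """Classify every bit slot by where its high-to-low edge falls.

    Edge in the first half of the slot -> 1, second half -> 0.
    A frame with a missing or duplicated edge is reported as invalid.
    Data bits are packed MSB first (assumption; the post gives no bit order).
    """
    slots = {}
    for t in falling:
        if t < frame_start:
            continue
        slot, offset = divmod(t - frame_start, bit_ticks)
        slots.setdefault(slot, []).append(1 if offset < bit_ticks // 2 else 0)
    if not slots:
        return []
    frames = []
    for f in range(max(slots) // bits_per_frame + 1):
        per_slot = [slots.get(f * bits_per_frame + i, []) for i in range(bits_per_frame)]
        if any(len(s) != 1 for s in per_slot):
            frames.append({"frame": f, "valid": False, "start": None, "data": None})
            continue
        bits = [s[0] for s in per_slot]
        data = 0
        for b in bits[start_bits:]:
            data = (data << 1) | b
        frames.append({"frame": f, "valid": True, "start": bits[:start_bits], "data": data})
    return frames


def make_capture(frame_bits, start_raw, bit_ticks):
    """Constructed test input: raw cnt values of the falling edges for the given bits."""
    raw, slot = [], 0
    for bits in frame_bits:
        for b in bits:
            offset = bit_ticks // 4 if b else 3 * bit_ticks // 4
            raw.append((start_raw + slot * bit_ticks + offset) % CNT_MODULUS)
            slot += 1
    return raw


BIT_TICKS = 80_000            # assumed: 1 ms bit at an 80 MHz system clock
START_RAW = 0xFFFF_0000       # constructed: capture begins just before cnt wraps
SAMPLE = make_capture([[1, 1, 1, 0, 1, 0, 0, 1, 0, 1],    # start bits + 0xA5
                       [1, 1, 0, 0, 0, 0, 0, 0, 0, 0]],   # start bits + idle frame
                      START_RAW, BIT_TICKS)


def decode_capture(raw, start_raw=START_RAW, bit_ticks=BIT_TICKS):
    """Unwrap the raw capture together with the frame-start sample, then decode."""
    ticks = unwrap_cnt([start_raw] + list(raw))
    return decode_frames(ticks[1:], ticks[0], bit_ticks)


if __name__ == "__main__":
    for frame in decode_capture(SAMPLE):
        print(frame)
```

Slot boundaries are computed from a single frame start, so on a long capture any mismatch between the assumed and real bit time accumulates; re-anchoring on each frame's start bits avoids that.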
  • Beau Schwabe Posts: 6,562
    edited 2008-11-07 15:37
    ionymous,

    Sounds like you have a grasp on how the signal is generally sent, but there's a million and one ways to specifically organize the data, and without written documentation from the manufacturer a scope is a way allowing you to visualize the transitions. With reference to the image I posted, it would be read as a 1 followed by a 0 and the beginning of another 1.

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.
  • ionymous Posts: 29
    edited 2008-11-07 16:13
    Beau said...
    With reference to the image I posted, it would be read as a 1 followed by a 0 and the beginning of another 1.
    Ah... I wasn't seeing the forest for the trees!
    Thanks

    Now I have to decide whether to order the USB scope before or after I get over the guilt of spending another $150.
    Buzz
  • Joel Rosenzweig Posts: 52
    edited 2008-11-07 16:50
    ionymous said...
    I want to determine the protocol of an RC transmitter. Like the kind you'd find with an RC toy.
    The FM modulation schemes are generally called PPM and PCM. Do a Google search for these and you'll see a good amount of material. PPM will be used on the low end consumer grade equipment. PPM and PCM will be used on the higher end equipment. The 2.4GHz equipment now available uses a totally different scheme and varies from manufacturer to manufacturer.

    If you just want to try and decode it, consider doing the logic analysis on the demodulated signal. That is, if you probe the signal on the RX, don't look at what comes in on the antenna. Look at the signal after the carrier has been stripped. Likewise, if you decide to examine it on the TX instead, look at the signal before it goes to the RF portion. This will strip away the unnecessary bits that have nothing to do with the actual low level encoding scheme.

    Keep in mind that the encoding schemes are not necessarily the same from manufacturer to manufacturer. Some use the same schemes as others, and some do not. Depending on what your goal is, say learn how to decode the stream from a single TX, or build a receiver to decode the stream from a single TX, you have some different paths to take.

    Don't forget to look for part numbers on the ICs to help you locate a data sheet that can also explain how the protocol works. Some devices use off the shelf parts, and others use custom ICs.

    Joel-
  • ionymous Posts: 29
    edited 2008-11-07 17:24
    Joel said...
    consider doing the logic analysis on the demodulated signal. That is, if you probe the signal on the RX, don't look at what comes in on the antenna. Look at the signal after the carrier has been stripped.
    Yes. If there is a trace/line on the RX that I can tap into that would be great. I'll have to be careful that it is the modulation though (I hope I'm using that word in the right place).

    If my limited info about the protocol is correct, those transitions within the RF signal by themselves are not the actual 0's and 1's of the final data packet. But instead, the timing of when the transitions occur determines the 0's and 1's of the data packet.

    If the trace/line I end up tapping shows the bits of the final data packet, then I still won't know how to modulate.

    Anyway... I think I'll poke around the RX side tonight and see if there is anything to work from.
    It would be sweet if I could see both the modulation transitions and the resulting data packets.
    With my luck the antenna will go right into some unknown IC or one of those black blobs, and there'll be nothing to tap into at all.

    Thanks
    Ion
  • ionymous Posts: 29
    edited 2008-11-08 02:21
    I see only 4 components more interesting than capacitors, resistors, and transistors.

    - LB1838 - A bi-directional motor driver
    - LTU455D with a subscript 2 - A ceramic filter
    - A 26.690 crystal
    - An IC with a National Semiconductor logo on it, but has the product manufacturer's name on it, and a number that isn't found by National Semiconductor's search or Google.

    The first thing I notice is the 26.690 crystal.
    The transmitter had a 27.145 on it.
    How does that work?

    Is there something I can do with the ceramic filter?

    Ion
  • Beau Schwabe Posts: 6,562
    edited 2008-11-08 03:18
    ionymous,

    Ahhh, the magic of a single conversion superhet receiver!

    26.690 MHz + 455 kHz = 27.145 MHz

    This is actually a decent receiver... most of the hobby RC receivers don't have a crystal. Usually they have a tuned coil as part of a regenerative receiver circuit.

    Here is basically what happens....


    1) The transmitter transmits on a carrier frequency set to 27.145MHz
    2) The receiver listens for any RF and mixes it with its own 26.69MHz oscillator. This creates a beat frequency of 455kHz if it detects the presence of the 27.145 MHz ... ( 27.145 MHz - 26.690 MHz = 455 kHz )

    3) The 455kHz filter only allows this frequency to pass, and if it's detected would output a LOGIC "1" through simple filtering, likewise if a signal was not detected, the output would be a LOGIC "0".

    Cool Huh?!




    Reference:
    en.wikipedia.org/wiki/Superheterodyne

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.

    Post Edited (Beau Schwabe (Parallax)) : 11/8/2008 3:24:45 AM GMT
  • ionymous Posts: 29
    edited 2008-11-08 04:22
    This does seem cool.

    I think I almost get it too.

    The 455kHz beat frequency occurs when an incoming 27.145MHz signal "interacts" with the 26.690MHz crystal. This interaction is fed into the filter's input... I think.

    The 455kHz filter's job is to tell us if this 455kHz beat is there. If so, we get a logic 1, otherwise logic 0.

    I hope I understood that right.
    That's all good, but doesn't the RX circuit still need the actual 27.145MHz signal too?
    I mean, this isn't just a 27.145MHz frequency detector... it's also a receiver.

    Where does that happen? What am I missing.

    Thanks Beau... this is good stuff.
    Ion
  • Beau Schwabe Posts: 6,562
    edited 2008-11-08 04:36
    ionymous,

    You still need an amplifier and low-pass filter after the 455kHz filter to get a logic "1" or "0", but yes the 455kHz filter only allows a 455kHz signal to pass.

    "That's all good, but doesn't the RX circuit still need the actual 27.145MHz signal too? I mean, this isn't just a 27.145MHz frequency detector... it's also a receiver." ... Yes and No, the receiver has a broadband RF amplifier on the front end that amplifies or receives ALL signals. (<-sometimes there is a band-pass filter on the front end, but not always.) The ALL band RF includes the 27.145MHz signal from the transmitter. The receiver also has a local oscillator, in your case the local oscillator is 26.690MHz. Because the 455kHz filter is fixed to a specific frequency, there are only three frequency combinations that will produce a 455kHz signal on the output side of the filter.

    1) A 27.145MHz signal combined with the 26.690MHz local oscillator will produce 455kHz on the output.
    2) A 26.235MHz signal combined with the 26.690MHz local oscillator will produce 455kHz on the output.
    3) A 455kHz signal directly will produce 455kHz on the output.

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.

    Post Edited (Beau Schwabe (Parallax)) : 11/8/2008 4:42:34 AM GMT
  • ionymous Posts: 29
    edited 2008-11-08 13:03
    Ok, so a 455kHz signal comes out of the filter under those 3 conditions.

    Given the transmitter crystal is 27.145MHz, and what I've seen on the RX side, it looks like the receiver needs to look at the modulation that is occurring on the 27.145MHz frequency.

    The 455kHz filter's role in the circuit is to indicate the presence of the 27.145MHz frequency.
    I'm guessing (maybe I can follow the traces) that this output ultimately leads to an input pin on the main IC.
    The IC then knows when it should even bother trying to work with the incoming RF signal.

    I'm also guessing that the incoming RF signal ultimately gets fed to an input pin on the main IC.
    The conversion of the 27.145MHz to a sequence of 0's and 1's must be happening inside the IC.
    There are just no other components that would be doing this.... I guess. Just resistors, capacitors, etc.

    In other words... I'm not going to be able to tap into some solder point here to analyze any logic.
    I'll need to buy the scope, and work off the transmitter side. Right?

    I suppose there is a chance the IC sends the modulations and/or the resulting data packet out an output pin. But I don't see why it would.
    It looks like only the IC would need this internally.

    Would you agree with this conclusion? End of the road... I need an oscilloscope?
    Ion
  • Erik Friesen Posts: 1,071
    edited 2008-11-08 14:04
    This is off the discussed topic but a JR brand model aircraft transmitter makes it easy and provides a digital signal to the trainer port. It is too high a voltage for a prop so you would need to use a resistor or transistor combo to filter the signal.
  • Beau Schwabe Posts: 6,562
    edited 2008-11-08 14:53
    ionymous,

    "The conversion of the 27.145MHz to a sequence of 0's and 1's must be happening inside the IC." - A low-pass filter made with a resistor and capacitor and sometimes a diode is usually sufficient.


    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.

    Post Edited (Beau Schwabe (Parallax)) : 11/8/2008 8:36:04 PM GMT
  • ionymous Posts: 29
    edited 2008-11-08 17:44
    Beau, I think your response was meant for me, not Erik.
    I'm good with software... not so good with hardware.

    I didn't know a "low-pass filter made with a resistor and capacitor and sometimes a diode is usually sufficient"

    Thanks
    Ion
  • Beau Schwabe Posts: 6,562
    edited 2008-11-08 20:45
    ionymous,

    "Beau, I think your response was meant for me, not Erik" - You're right!.. (corrected)

    "I didn't know a "low-pass filter made with a resistor and capacitor and sometimes a diode is usually sufficient"" - A low pass filter will block higher frequencies, i.e. the 455kHz, but allow the lower frequencies, i.e. the original modulated transmission, to pass. A diode is used to clamp the filtered signal so that it doesn't go below GND or a diode is used to allow only the top portion of the wave to pass. The bottom portion of the wave would be below ground and can be ignored since it is a mirror image of the top portion of the wave.

    ▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
    Beau Schwabe

    IC Layout Engineer
    Parallax, Inc.
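The diode plus RC low-pass stage described in the post above, simulated on a keyed 455 kHz IF, as an added example that is not code from the thread. On-off keying, the 100 µs bit time, the 10 µs RC constant and the bit pattern are assumptions chosen for the simulation.

```python
import math

FS = 10_000_000        # simulation sample rate, Hz (assumed)
F_IF = 455_000         # IF from the thread: 27.145 MHz - 26.690 MHz
BIT_TIME = 100e-6      # assumed bit duration; the real timing is unknown
TAU = 10e-6            # RC time constant: well above 1/F_IF, well below BIT_TIME
BITS = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed test pattern


def keyed_if(bits, fs=FS, f_if=F_IF, bit_time=BIT_TIME):
    """Constructed input: 455 kHz IF switched on for 1 bits and off for 0 bits."""
    per_bit = round(bit_time * fs)
    return [b * math.sin(2 * math.pi * f_if * n / fs)
            for i, b in enumerate(bits)
            for n in range(i * per_bit, (i + 1) * per_bit)]


def rectify(samples):
    """Ideal diode: keep the top half of the wave, drop the mirrored bottom half."""
    return [max(s, 0.0) for s in samples]


def rc_low_pass(samples, fs=FS, tau=TAU):
    """Single-pole RC low-pass, discretised as y += alpha * (x - y)."""
    alpha = (1.0 / fs) / (tau + 1.0 / fs)
    out, y = [], 0.0
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out


def slice_bits(level, n_bits, fs=FS, bit_time=BIT_TIME, threshold=0.16):
    """Sample mid-bit; 0.16 is about half the mean of a half-wave rectified sine (1/pi)."""
    per_bit = round(bit_time * fs)
    return [1 if level[i * per_bit + per_bit // 2] > threshold else 0
            for i in range(n_bits)]


def recover(bits=BITS):
    """Diode, then RC filter, then threshold: the full detector chain."""
    rectified = rectify(keyed_if(bits))
    return slice_bits(rc_low_pass(rectified), len(bits))


if __name__ == "__main__":
    print("sent     ", BITS)
    print("recovered", recover())
    print("no filter", slice_bits(rectify(keyed_if(BITS)), len(BITS)))
```

Slicing the rectified signal without the low-pass filter depends on where in the 455 kHz cycle each sample lands, which is why the filter is needed before the I/O pin.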

  • statemachine Posts: 24
    edited 2008-11-08 22:38
    ionymous, take the device to a communications shop, the type that services two way radios and such. Get them to hook it up to their service monitor. They should be able to get the info you want. Bry.