JohnnieHancock

How to sniff RF signals, and then decode with an oscilloscope

Blog Post created by JohnnieHancock Employee on Dec 20, 2017

Sniffing the air

Dogs do it all the time. But there is much more in the air than just smells. There are RF signals of all kinds all around us. How do we 'sniff' these signals out of the air so that we can observe them on an oscilloscope?

Sniffing where you can’t probe

Probing electrical voltage signals in a circuit is typically achieved using an active or passive voltage probe. If you need to measure current, most engineers use a clamp-on Hall-effect current probe that converts the magnetic field around a conductor, created by the current flowing through it, into voltage. But what if you need to monitor and verify RF signals between two sealed devices (nothing to probe), such as signals transmitted from your key fob to the receiver in the car? Or perhaps Near Field Communication (NFC) signals between your mobile phone (transmitter) and a tag (receiver)? For this you can use a RF loop antenna — sometimes called “sniffers”.

Although RF loop antennas are typically used for spectrum analysis measurements, they can also be used for oscilloscope measurements. Loop antennas come in various sizes and are typically tuned for specific ranges of frequencies. In this post, I’m going to show you very briefly how you can capture key fob signals using a small RF loop antenna, based on amplitude shift-keying (ASK) modulation with a carrier frequency of 434 MHz. Detailed resources are listed at the bottom of this post.

RF_loop_antenna

Figure 1. A typical RF loop antenna

 

Sniffing and decoding automotive key fob RF signals

So, which oscilloscope would you need for the application? Since the carrier frequency in this measurement application is 434 MHz, I’ve used a 1.0 GHz bandwidth Keysight InfiniiVision X-Series oscilloscope (DSOX3104T). In brief, the steps to decode RF signals from an automotive key fob with a scope includes:

  1. Connecting the loop antenna to the scope’s Channel 1 input, terminated into 50
  2. Positioning the loop antenna near the key fob while one of its buttons is pressed to capture the single-shot burst of RF-modulated data packets (channel-1, yellow trace shown in Figure 2)
  3. As decoding the RF-bursted packets requires demodulation prior to digital decoding, you’ll also need to setup the scope to digitally demodulate the signal (hardware-based within the scope, channel-2, green trace shown in Figure 2)
  4. Decoding the digitally demodulated waveform. This can be achieved with the oscilloscope’s user-definable NRZ/Manchester trigger and decode option. Figure 2 shows the Manchester-decoded bits at the bottom of the trace display
  5. Screen display of the Keysight DSOX3104T scope

Figure 2. Screen display of the Keysight DSOX3104T oscilloscope that displays the captured single-shot burst RF-modulated signal (yellow trace), demodulated signal (green trace) and Manchester-decoded bits

 

Sniffing Near Field Communication (NFC) signals from a mobile phone

In Figure 3, I’m showing you the setup for how you can capture NFC signals generated by a mobile phone, using a larger PC trace loop antenna. Since the carrier frequency in this case is just 13.56 MHz, a 100-MHz bandwidth oscilloscope is sufficient for the measurement application.

 Capturing NFC signal from mobile phone

Figure 3. Setup to capture NFC signals from a mobile phone with a PC trace loop antenna and a 100-MHz bandwidth oscilloscope

 

Creating your own RF ‘sniffer’

What if you need a simple ‘sniffer’ that doesn’t have to be precision-tuned? Well, you can create a non-precision loop antenna yourself! Simply connect the ground clip of a standard high-impedance passive probe to the probe tip (shown in Figure 4) and – voilà – you have created an oscilloscope RF ‘sniffer’! Sure, it may not be tuned for a particular carrier frequency, meaning that the voltage levels that you measure on the oscilloscope may not be an accurate representation of the actual RF field strength. But you can still “sniff” signals out of the air to verify proper modulation and timing of your RF-modulated signals.

DIY of RF loop antenna using high-impedance passive probe

Figure 4. DIY your own RF loop antenna using a standard high-impedance passive probe

 

Detailed ‘sniffing’ resources

If you’re interested to learn in greater detail about ‘sniffing the air’ to verify modulated RF signals on an oscilloscope, here are excellent resources to get you started:

 

Decoding Automotive Key Fob Communication based on Manchester-encoded ASK Modulation – Application Note

Decoding Automotive Key Fob Communication based on Manchester-encoded ASK Modulation – YouTube Video

NFC Device Turn-on and Debug – Application Note

NFC Testing Using an Oscilloscope Part 1: Benchtop R&D Measurements

Outcomes