Sunday, June 23, 2013

HackRF LEGO Car

In the Hacker Lounge at Open Source Bridge last week, the well-stocked LEGO table caught my eye. In particular, I spotted an antenna protruding from the pile, and I followed it down to a radio-controlled LEGO car platform! The controller was quickly located, a battery replaced, and I found that it worked pretty well.

The controller was clearly marked with a sticker indicating operation at 27 MHz (FCC ID: NPI71646). That would have been my first guess anyway as it is a very popular frequency for radio-controlled toys. Since several of us were having a HackRF party, I decided to see if I could control the car with my HackRF Jawbreaker.

After verifying that the car worked with the original controller, I recorded several waveforms with the hackrf-transfer utility. I made eight separate recordings, one for each active controller state: forward, backward, left, right, forward/left, forward/right, backward/left, and backward/right.

The recordings were quite clean even though 27 MHz is below Jawbreaker's official operating range (30 MHz to 6000 MHz). In fact, I had captured some apparently good recordings of NFC transactions at 13.56 MHz just the day before. The major drop-off in performance I've observed on Jawbreakers I've tested has been just below 10 MHz.

The first HackRF transmission I tried was by building a small flowgraph in GNU Radio Companion to replay the captured waveforms with my Jawbreaker one at a time. With the car's controller switched off, I was able to make the car move with a simple replay! The best waveform worked at a distance of up to 20 meters even though I put very little effort into cleaning up the waveform or adjusting the power level.

Although I didn't have much time left before I had to catch my flight home, I wanted to see if I could synthesize control transmissions in software on my laptop instead of replaying captured waveforms (that included received noise and minor defects such as quantization and DC offset).

The first step toward synthesizing control transmissions was to analyze the captured waveforms. I found that each transmission consisted of a series of pulses at 27.145 MHz. The pulses were all at the same power level. Each pulse lasted one of two durations and was followed by a pause of consistent length. It looked like On-Off Keying (OOK) with data encoded in the number of consecutive short pulses.

Each transmission featured a repeated pattern of four long pulses (each 1.875 ms long, separated by 0.625 ms pauses) followed by some number of short pulses (each 0.625 ms long, separated by 0.625 ms pauses). The repeated pattern continued for as long as the controller was held in a particular state. The number of consecutive short pulses depended on the state of the controller:

  • forward: 10 short pulses
  • forward/left: 28 short pulses
  • forward/right: 34 short pulses
  • backward: 40 short pulses
  • backward/left: 52 short pulses
  • backward/right: 46 short pulses
  • left: 58 short pulses
  • right: 64 short pulses

That's as far as I got.

15 comments:

will said...

super excited about the commercial hackrf!!

Anonymous said...

Great is fantastic. I hope to see other example for this device. I would like to see also RFID 13.56MHz

Karon@ cheap gadgets said...

It's really gonna be cool stuff and my kids will be so happy to have this one.

Ace Maxs Daun Sirsak said...

thank you for youe information

kpreid said...

Applying (count - 4) / 6 to your list of pulse counts produces [1,4,5,6,8,7,9,10], which is a nice bunch of consecutive integers, but doesn't look further structured except in a "someone wrote down a mostly sensible enumeration" way.

Neversphere said...

I tried doing a simple capture and playback with HackRF but using a simple hackrf_transfer -r / hackrf_transfer -t doesn't appear to work. Looking at GitHub it seems that there's a bug with hackrf_transfer -t. Any chance you can post a super simple GNU Radio Companion graph for playback?

Neversphere said...

I see you added it to the list: http://nine.pairlist.net/pipermail/hackrf-dev/2013-July/000111.html

Thanks!

Anonymous said...

What You did found is coding used by nearly all cheap radio toys.
Datasheet of some of those chips:
http://groups.ist.utl.pt/lee/SUBA/Suba_files/txrx2.pdf

Michael Ossmann said...

Anonymous: Thanks for the link to the datasheet! I've definitely seen the same encoding used in other toys, but that is the first matching datasheet I've seen.

Anonymous said...

cool blog. Check out mine at http://sfspaloma21.blogspot.kr/

silverk said...

Son got RC car for christmas. So I decided to study GNU radio during holidays. (Because we have no snow. Only rain and mud.)
I used RTL stick for reception. It works well.

I got 16 pulses for forward and 40 backward.

Thanks for giving idea, what can be done with SDR.

Dad said...

As you are naming HackRF and open source project which I found is misleading. I checked the zip files and checked all schematic and pcb files which are incomplete. I could not tracked down any proper link so that the firmware and the software could be downloaded with well documentation

Michael Ossmann said...

Dad: The complete HackRF design files and source code are located on github:

https://github.com/mossmann/hackrf

I can assure you that the information is complete. People other than me have used that information to build and use HackRF boards.

Anonymous said...

I have a car commands which has a PT8A977B http://www.pericom.com/assets/Datasheets/PT8A977B978B978BL.pdf
and has the same trasmission.
Thank you for help to understand.

Lego Table said...

HackRF LEGO Car. In the Hacker Lounge at Open Source Bridge last week, the well-stocked LEGO table caught my eye. ... ilegotable.blogspot.com