Short-range wireless is the wild west of the airwaves. From garage doors to car key fobs, learn to intercept, decode, and analyze the devices that surround us.
Legacy fixed-code remotes (older garage door and gate openers, mostly in the 300-315 MHz range) transmit the same bitstream on every press. Anyone who records one press can replay it, which is why modern hardware has largely replaced them with rolling-code systems.
315 MHz is the standard band in North America for short-range wireless devices. Tire Pressure Monitoring Systems (TPMS) often broadcast here, sending a static sensor ID together with pressure (and usually temperature). Because the ID never changes and is not encrypted, it doubles as a vehicle identifier for anyone listening.
The 'catch-all' band for consumer electronics. Most modern car key fobs operate at the edges of this range and use rolling codes (code hopping), so a transmission captured once is not accepted a second time.
433.92 MHz is the most active Sub-GHz frequency globally, used by thousands of devices from backyard weather stations to commercial IoT sensors. It is also rtl_433's default frequency, which makes it the ideal place to start experimenting.
The higher Sub-GHz bands (868 MHz in Europe, 915 MHz in North America) are used for modern wide-area networking such as LoRa. Chirp Spread Spectrum (CSS) modulation lets these signals travel several kilometers at low power. Note that LoRaWAN payloads are AES-encrypted at the link layer, so passive listening yields metadata (device addresses, timing, signal strength) rather than sensor readings.
Standard Tooling
Start with rtl_433 for automatic decoding; it ships with decoders for hundreds of known devices and can emit every packet as JSON (-F json) for scripting. For unknown or complex protocols, record raw IQ and use Universal Radio Hacker (URH) to inspect pulse widths, preambles and headers by hand.
Security Challenges
Most modern systems use rolling codes: each transmission carries a counter, encrypted under a key shared by fob and receiver, that advances on every press, and the receiver accepts a code only if its counter lies a short distance ahead of the last one it accepted. Capturing and replaying a transmission therefore fails: the receiver has already consumed that counter value and treats the replayed code as stale. The scheme defeats naive replay, not capture itself. A code the receiver never saw (for example, a press made out of range) stays valid until the receiver accepts a newer one, so treat any captured code as live until it has been superseded.
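To make the acceptance rule concrete, here is an added example (not code from the original page or from any real fob vendor) that models a rolling-code receiver as a counter window. The window size, the starting counter and the transmitter names are all constructed for illustration, and the counter is sent in the clear instead of encrypted so that the receiver-side logic is visible. The scenario shows a live press succeeding, a replay of it failing, a skipped press being tolerated, and the caveat above: a captured-but-undelivered code is still accepted until a newer one arrives.

```python
WINDOW = 16  # hypothetical acceptance window; the real size is vendor-specific


class Fob:
    """Constructed toy transmitter: each press increments a counter and 'sends' it.

    A real fob encrypts the counter with a per-device key. The counter is left in
    the clear here so that the receiver's window logic is easy to follow.
    """

    def __init__(self, counter=100):
        self.counter = counter

    def press(self):
        self.counter += 1
        return self.counter


class Receiver:
    """Accepts a code only if its counter is ahead of the last accepted one
    and no more than WINDOW steps ahead (so a few missed presses are tolerated)."""

    def __init__(self, last_counter=100, window=WINDOW):
        self.last = last_counter
        self.window = window

    def receive(self, code):
        if self.last < code <= self.last + self.window:
            self.last = code  # consume it: the same value can never be accepted again
            return True
        return False


def scenario():
    """Walk through the replay cases and return which codes were accepted."""
    fob, rx = Fob(), Receiver()
    results = {}

    c1 = fob.press()
    results["live_press"] = rx.receive(c1)            # next counter: accepted
    results["replay_of_c1"] = rx.receive(c1)          # already consumed: rejected

    c2 = fob.press()                                  # pressed out of range: rx never sees it
    c3 = fob.press()
    results["later_press_c3"] = rx.receive(c3)        # still inside the window: accepted
    results["stale_c2"] = rx.receive(c2)              # now behind the last accepted: rejected

    c4 = fob.press()                                  # captured, not yet delivered to rx
    results["captured_c4_still_valid"] = rx.receive(c4)  # nothing newer seen yet: accepted

    results["far_future"] = rx.receive(c4 + WINDOW + 5)  # beyond the window: rejected
    return results


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case:26s} {'accepted' if accepted else 'rejected'}")
```

The rejection of `replay_of_c1` and `stale_c2` is the property the page describes; the acceptance of `captured_c4_still_valid` is why a capture is only harmless once the owner has pressed the fob again within range of the receiver.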
Flipper Zero
The Flipper Zero is a portable multi-tool for pentesters and hobbyists. Its built-in Sub-GHz transceiver (TI CC1101) makes it the most common handheld for mobile signal capture, analysis, and replay. Note that the CC1101 covers three sub-bands (300-348, 387-464 and 779-928 MHz), so not every frequency between 300 and 928 MHz is reachable.
🟢 Generally Legal
Passive reception of unlicensed ISM band devices (weather sensors, TPMS) for personal research.
🟡 Use Caution
Transmitting, including replaying captured signals, on active frequencies. Check local spectrum rules (FCC Part 15 in the US, the relevant ETSI standards in Europe) even for low-power ISM bands: rules that permit listening do not automatically permit transmitting.
🔴 Strictly Prohibited
Intercepting encrypted comms, interfering with emergency services, or using data for malicious gain.
Monitoring is education. Transmission is responsibility. Never interfere with systems you do not own.
Actionable field exercises for Sub-GHz mastery
Identify 3 unique local IoT sensors using rtl_433.
Field Workflow
1. Connect your RTL-SDR. 2. Run 'rtl_433 -f 433.92M' (433.92 MHz is also the default, so plain 'rtl_433' works; add '-F json' if you want to parse the output with a script). 3. Monitor the terminal for incoming data packets (weather, tires, alarms). 4. Document the Model, ID, and data values; rtl_433 prints the model name and device ID on every decoded packet, so judge uniqueness on the (model, ID) pair rather than on individual readings.
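The following script is an added example for this exercise (it is not part of the original page and not part of rtl_433 itself). It reads rtl_433's JSON output, one object per line as produced by 'rtl_433 -F json', skips anything that is not valid JSON, and groups packets by (model, id) so that the count of unique local sensors falls out directly. The embedded sample lines are constructed for the example; the device names and IDs in them are not real captures.

```python
import json
from collections import OrderedDict

# Constructed sample of rtl_433 JSON output (one object per line, as printed by
# 'rtl_433 -f 433.92M -F json'). These lines are made up for the example.
SAMPLE_RTL433_OUTPUT = """\
{"time":"2024-01-01 12:00:00","model":"Acurite-Tower","id":1234,"channel":"A","battery_ok":1,"temperature_C":21.4,"humidity":45}
{"time":"2024-01-01 12:00:03","model":"Schrader","type":"TPMS","id":"1A2B3C4D","pressure_kPa":230.0,"temperature_C":18}
{"time":"2024-01-01 12:00:07","model":"Acurite-Tower","id":1234,"channel":"A","battery_ok":1,"temperature_C":21.5,"humidity":45}
{"time":"2024-01-01 12:00:12","model":"Oregon-THGR122N","id":77,"channel":1,"temperature_C":19.9,"humidity":52}
{"time":"2024-01-01 12:00:15","model":"Schrader","type":"TPMS","id":"1A2B3C4D","pressure_kPa":229.5,"temperature_C":18}
this line is not json and should be skipped
"""


def parse_rtl433_lines(text):
    """Parse rtl_433 JSON lines, silently skipping blank or non-JSON lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "model" in obj:
            records.append(obj)
    return records


def unique_devices(records):
    """Group packets by (model, id); keep a packet count and the last values seen.

    The id is stringified because rtl_433 emits it as an integer for some
    decoders and as a hex string for others.
    """
    devices = OrderedDict()
    for rec in records:
        key = (rec["model"], str(rec.get("id", "?")))
        entry = devices.setdefault(key, {"count": 0, "first_seen": rec.get("time"), "last": None})
        entry["count"] += 1
        entry["last"] = {k: v for k, v in rec.items() if k not in ("time", "model", "id")}
    return devices


def report(text):
    """One summary line per unique (model, id) pair."""
    lines = []
    for (model, dev_id), info in unique_devices(parse_rtl433_lines(text)).items():
        lines.append(
            f"{model} id={dev_id} packets={info['count']} "
            f"first_seen={info['first_seen']} last={info['last']}"
        )
    return lines


if __name__ == "__main__":
    import sys

    # Read a live feed when piped ('rtl_433 -F json | python3 sensors.py'),
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RTL433_OUTPUT
    for line in report(text):
        print(line)
```

Pipe a live session into it with 'rtl_433 -f 433.92M -F json | python3 sensors.py'; the exercise is complete once the report shows three distinct (model, id) pairs.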
Measure the bit-duration of a 433MHz OOK burst.
Field Workflow
1. Capture a raw IQ file of a key fob press using URH or SDR++. 2. Open the file in Universal Radio Hacker and switch to the demodulated view. 3. Use the selection tool to measure the duration of the shortest 'high' pulse; most OOK remotes use pulse-width or Manchester encoding, so a longer pulse is usually two or more units rather than a single bit. 4. Calculate the approximate symbol rate as 1 / (shortest pulse duration).
Find a legacy fixed-code signal in the 300-315MHz range.
Field Workflow
1. Scan the lower Sub-GHz bands. 2. Look for signals that repeat the exact same pattern on every trigger. 3. Use URH to compare two different captures of the same device, aligned on the preamble. 4. Verify that the preamble and payload are bit-for-bit identical; if a few bytes change between presses while the rest stays the same, you are looking at a rolling code, not a fixed one.
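The two URH exercises above (measuring the bit duration of an OOK burst, and checking whether two captures of one remote are identical) share the same first steps: threshold the envelope, run-length encode it into pulses, and read the bits off the pulse widths. This added example (not code from the original page, and not URH's own implementation) does both on constructed bursts. It synthesises a pulse-width-modulated OOK envelope at a hypothetical 350 µs unit and 1 MS/s sample rate, measures the shortest high pulse to get the symbol rate, decodes the bits, and then compares two presses. The code strings, unit width and noise model are all made up for the example.

```python
import random

SAMPLE_RATE = 1_000_000  # 1 MS/s, a common RTL-SDR capture rate
UNIT_US = 350            # hypothetical short-pulse width in microseconds

# Constructed payloads: a fixed-code remote sends FIXED_CODE on every press;
# OTHER_CODE stands in for a press whose payload differs (as a rolling code would).
FIXED_CODE = "1010110011001010"
OTHER_CODE = "1010110011001011"


def encode_pwm(bits, unit_us=UNIT_US, sample_rate=SAMPLE_RATE, rng=None):
    """Build a constructed OOK magnitude envelope for a PWM-encoded bit string.

    Sync: high 1 unit, low 10 units. Then '1' = high 2 units / low 1 unit and
    '0' = high 1 unit / low 2 units, with a little amplitude noise on every sample.
    """
    if rng is None:
        rng = random.Random(1)
    unit = int(sample_rate * unit_us / 1e6)  # samples per unit
    env = []

    def emit(level, units):
        base = 0.8 if level else 0.05
        for _ in range(units * unit):
            env.append(base + rng.uniform(-0.03, 0.03))

    emit(1, 1)
    emit(0, 10)
    for b in bits:
        if b == "1":
            emit(1, 2)
            emit(0, 1)
        else:
            emit(1, 1)
            emit(0, 2)
    return env


def envelope_to_pulses(env, threshold=None):
    """Threshold the envelope and run-length encode it into (is_high, n_samples)."""
    if threshold is None:
        threshold = (max(env) + min(env)) / 2  # midpoint between carrier on and off
    pulses = []
    cur = env[0] > threshold
    n = 0
    for s in env:
        lvl = s > threshold
        if lvl == cur:
            n += 1
        else:
            pulses.append((cur, n))
            cur, n = lvl, 1
    pulses.append((cur, n))
    return pulses


def shortest_high_us(pulses, sample_rate=SAMPLE_RATE):
    """The shortest carrier-on pulse is the timing unit (exercise step 3)."""
    return min(n for is_high, n in pulses if is_high) * 1e6 / sample_rate


def symbol_rate(pulses, sample_rate=SAMPLE_RATE):
    """Symbol rate = 1 / shortest pulse (exercise step 4); note one PWM bit spans 3 units."""
    return 1e6 / shortest_high_us(pulses, sample_rate)


def decode_pwm(pulses, sample_rate=SAMPLE_RATE):
    """Read bits from high-pulse widths: longer than 1.5 units is a '1'. Skips the sync pulse."""
    unit_us = shortest_high_us(pulses, sample_rate)
    highs = [n * 1e6 / sample_rate for is_high, n in pulses if is_high]
    return "".join("1" if h > 1.5 * unit_us else "0" for h in highs[1:])


def compare_captures(env_a, env_b, sample_rate=SAMPLE_RATE):
    """Decode two bursts; identical bits on every press means a fixed code."""
    a = decode_pwm(envelope_to_pulses(env_a), sample_rate)
    b = decode_pwm(envelope_to_pulses(env_b), sample_rate)
    return a == b, a, b


def demo():
    """Run both exercises on constructed bursts and return the measurements."""
    press_a = encode_pwm(FIXED_CODE, rng=random.Random(7))
    press_b = encode_pwm(FIXED_CODE, rng=random.Random(8))  # same remote, different noise
    pulses = envelope_to_pulses(press_a)
    same, bits_a, _ = compare_captures(press_a, press_b)
    rolling_same, _, _ = compare_captures(press_a, encode_pwm(OTHER_CODE))
    return {
        "shortest_high_us": shortest_high_us(pulses),
        "symbol_rate_baud": symbol_rate(pulses),
        "decoded": bits_a,
        "fixed_code_identical": same,
        "other_payload_identical": rolling_same,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On a real capture the threshold step is where things go wrong: fading or a neighbouring transmitter can split one pulse into several, so compare the shortest pulse against the histogram of all pulse widths before trusting it as the unit.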
Verify your understanding of short-range wireless protocols
What is the primary challenge when attempting to replay signals from modern car key fobs?