Tuesday, January 21, 2014

Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30

In this long post I am going to describe my journey to sniff and decode popular digital wireless protocols off the air for very cheap. So cheap that practically anyone can obtain the equipment quickly.

I was able to decode NRF24L01+ and Bluetooth Low Energy protocols using RTL-SDR.
As far as I can see, this is the first time NRF24L01+ packets have been decoded this way, and certainly at such a low entry price for the hardware. Given the extreme popularity of this transceiver, we are likely to see a wave of hackers attacking the security of many wireless gadgets, and they are likely to succeed as security is usually the last priority for hardware designers of such cheap gadgets.

A lot of work has been done to decode Bluetooth using dedicated hardware, and I am sure this software can be adapted to output the right format as input to the existing Bluetooth decoders such as Wireshark.
As far as I can see, this is also the first time BTLE can be decoded using a very cheap generic device.

The main software repository for this project is at https://github.com/omriiluz/NRF24-BTLE-Decoder

The challenges of developing a wireless mesh network

Recently I've been working on a project to create a super cheap (<$5) sensor node that is flexible and power efficient, so I can just leave sensors everywhere and they need absolutely no maintenance.
I decided to use the extremely popular NRF24L01+ transceiver from Nordic Semiconductor due to its balance of performance, power and price - and you'll be surprised how many hardware designers have taken the exact same decision once you start sniffing the air for packets. In my home alone I can see 15 addresses - wireless keyboards and mice, remote controls, toys and appliances all use this tiny transceiver for wireless communication.

The sensor node with NRF24L01+ 
While working on the mesh network code, my progress slowed to nearly a halt. The code is extremely complex and depends on external conditions like signal strength, noise, etc. But worst of all? I was completely blind to what really happens once packets leave the safety of my microcontroller over SPI to the transceiver. For normal (i.e. non-wireless) projects I'm used to being able to connect my scope or logic analyzer and "see" what happens on the wire. This makes debugging a breeze. Unfortunately this is not the case for wireless projects, and I had absolutely no idea what happens between the transceivers. To make things worse, these transceivers work in the 2.4 GHz ISM band. This is fast, much faster than any equipment I have available.

Enter Software Defined Radio (SDR) 

I assume you all know about the magic of SDR and specifically the cheap RTL-SDR. If not, take a break and head to http://sdr.osmocom.org/trac/wiki/rtl-sdr to read about it. For $13-18 (Amazon 1, Amazon 2) you open a world of possibilities that stretches far beyond analog radio into the 2.4 GHz digital space, as you'll read in this post.

Back to the problem of debugging - having experience with rtl-sdr, I immediately started thinking about how I could use it to sniff packets off the air. This is impossible using any version of the rtl-sdr, as the highest you can buy reaches 2.2 GHz, just shy of the 2.4 GHz we need.

I started looking for a way to convert the signal down to a frequency usable by the rtl-sdr. Building one was a possibility, but I had no idea how, and all the commercial/DIY products cost hundreds of dollars.

China to the rescue

Another option was to try and find an existing, mass produced and cheap product with my required specification. A quick search on Aliexpress.com found exactly that - an MMDS LNB.
MMDS is a digital broadcast system used in some countries for digital TV, and the LNB is part of the antenna. The MMDS LNB can be found for a variety of input frequencies and LO (local oscillator) frequencies.

Complete setup
The base frequency defines the filters on the device, and the LO frequency defines by how much it shifts the input frequency down.

Based on the specification, it would do EXACTLY what we need - take a 2.2-2.4 GHz signal and down convert it to around 400 MHz. Then we can use the rtl-sdr and some code to decode packets off the air.

As it was very cheap ($12+shipping at Aliexpress) I took the chance and ordered one. About 10 days later it arrived in my mail. I quickly hooked everything up and, to my extreme surprise, after minutes -


I used SDR# with the new radio setup to see if I could find signals where I expected them to be. The easiest one to find was my Logitech wireless mouse (which uses nrf, of course). Tuning to 2,405 MHz (or 407 MHz after down conversion using an LO of 1998 MHz) clearly shows a strong signal when I move my mouse.

Developing the software to decode the packets was a bit of a headache, but once it started shaping up it was very easy to use it to capture and decode the packets.

So what do you need to make it work?

  • RTL-SDR dongle - ~$15. Easiest to buy on Amazon (Amazon 1, Amazon 2), but you can find it everywhere. I have both E4000 and R820T dongles and they both work perfectly.
  • MMDS down converter - $12+shipping at Aliexpress. Buy one for 2.2-2.4 GHz with an L.O. of 1998 MHz. If you buy from the link here, the seller will ask you for these details after you purchase.
  • (optional) Cables - Different rtl-sdr sticks have different input plugs; you need to find a way to connect yours to the down converter. This is really optional, as I simply hacked some wire and it worked fine.
  • (optional) Power Injector - the down converter is an active component and requires 14-24V. I started by simply connecting my power supply to the wire and it worked fine. Later I purchased a commercial power injector for less than $10. You can find one at Amazon or from the same Aliexpress seller.

Back to the comfort of software

From now on, all we need in order to get the packets is some clever software and the comfort of our computer (whether it's Windows, Linux, Mac or RPi).

The NRF24L01+ (nrf from now on) uses GFSK modulation for the data. FSK (and its derivatives like GFSK) is the digital cousin of FM: the modulator takes a bit stream and emits one frequency to represent "1" and another frequency to represent "0".
Luckily for us, there is already a great library that does the basic rtl-sdr work and includes a software FM demodulator, rtl_fm.

Using the rtl_fm code on the incoming stream, I exported a raw demodulated feed to Excel and filtered it to find interesting results -

This is without a doubt an nrf packet. You can see:

  • Noise before (samples below 80) and after (above 395) the packet
  • Radio turn-on time (samples 85 to 125)
  • Preamble sequence of alternating bits (01010101 here) for the demodulator to detect the packet start and sync clocks (samples 125 to 160)
  • Packet data (samples 160 to 395)

In my code, I detect the preamble and calculate a threshold value - anything above that value is considered a binary "1" and anything below is a "0". This provides a bit stream which represents the packet.
My code takes this bit stream and manipulates it to recover the packet.
The last step is to take the packet, compute its CRC and compare it to the CRC in the last two bytes to verify that this is a valid packet. If the CRC matches, we print a decoded packet.

For a detailed description of how I turn this bitstream into a decoded packet, I suggest you open my code over at https://github.com/omriiluz/NRF24-BTLE-Decoder, it is documented and should be relatively simple to understand.
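To make the pipeline above concrete, here is an added Python example (written for this post; it is not the code from the NRF24-BTLE-Decoder repository). It builds a synthetic nRF24L01+ Enhanced ShockBurst frame, turns it into a constructed stand-in for the rtl_fm feed at 1, 2 or 8 samples per bit, and then recovers the packet the way the post describes: threshold the samples into bits, sync on the preamble, split out address, packet control field and payload, and keep only candidates whose 2-byte CRC matches. The frame layout and CRC parameters (X^16+X^12+X^5+1, initial value 0xFFFF, over address, PCF and payload) follow the nRF24L01+ datasheet; the midpoint threshold and the +/-400 sample values are assumptions for the sake of the example.

```python
from typing import List, Optional, Tuple

# Preamble is 01010101 when the first address bit is 0 and 10101010 when it is 1,
# so the alternating pattern continues into the address (nRF24L01+ datasheet).
PREAMBLES = ([0, 1] * 4, [1, 0] * 4)

def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list, the order the nRF24L01+ puts bits on the air."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def bits_to_int(bits: List[int]) -> int:
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value

def crc16_bits(bits: List[int], init: int = 0xFFFF, poly: int = 0x1021) -> int:
    """CRC-16 X^16+X^12+X^5+1 with initial value 0xFFFF (the datasheet's 2-byte CRC),
    computed per bit so the 9-bit packet control field is covered exactly."""
    crc = init
    for bit in bits:
        feedback = ((crc >> 15) & 1) ^ bit
        crc = (crc << 1) & 0xFFFF
        if feedback:
            crc ^= poly
    return crc

def build_packet(address: bytes, payload: bytes, pid: int = 0, no_ack: int = 0) -> List[int]:
    """Enhanced ShockBurst frame as bits: preamble | address (3-5 bytes) |
    PCF (6-bit payload length, 2-bit PID, NO_ACK) | payload | CRC-16 over address+PCF+payload."""
    assert 3 <= len(address) <= 5 and len(payload) <= 32
    pcf = [(len(payload) >> (5 - i)) & 1 for i in range(6)] + [(pid >> 1) & 1, pid & 1, no_ack & 1]
    body = bytes_to_bits(address) + pcf + bytes_to_bits(payload)
    crc = crc16_bits(body)
    return PREAMBLES[body[0]] + body + [(crc >> (15 - i)) & 1 for i in range(16)]

def to_samples(bits: List[int], samples_per_bit: int) -> List[int]:
    """Constructed stand-in for the rtl_fm feed: +/-400 for the two FSK tones, each bit
    held for samples_per_bit samples (the post's -d 1 | 2 | 8), noise on both sides."""
    noise = [30, 10, -20, 25, -40, -15] * 4  # constructed small values around the threshold
    data = [400 if b else -400 for b in bits for _ in range(samples_per_bit)]
    return noise + data + noise

def parse_packet(bits: List[int], addr_len: int) -> Optional[Tuple[bytes, int, int, bytes]]:
    """bits starts right after the preamble. Returns (address, pid, no_ack, payload), or
    None when the trailing CRC does not match, which is what rejects false starts."""
    n_addr = addr_len * 8
    if len(bits) < n_addr + 9 + 16:
        return None
    length = bits_to_int(bits[n_addr:n_addr + 6])
    end = n_addr + 9 + length * 8
    if length > 32 or len(bits) < end + 16:
        return None
    if crc16_bits(bits[:end]) != bits_to_int(bits[end:end + 16]):
        return None
    address = bytes(bits_to_int(bits[i:i + 8]) for i in range(0, n_addr, 8))
    payload = bytes(bits_to_int(bits[i:i + 8]) for i in range(n_addr + 9, end, 8))
    return address, bits_to_int(bits[n_addr + 6:n_addr + 8]), bits[n_addr + 8], payload

def decode_stream(samples: List[int], samples_per_bit: int, addr_len: int) -> list:
    """Threshold the samples into bits, try every bit phase, sync on a preamble and keep
    only candidates whose CRC checks. Threshold = midpoint of the swing (assumption;
    the post derives it from the detected preamble)."""
    threshold = (max(samples) + min(samples)) / 2
    found = []
    for phase in range(samples_per_bit):
        bits = [1 if s > threshold else 0 for s in samples[phase::samples_per_bit]]
        for i in range(len(bits) - 8):
            if bits[i:i + 8] in PREAMBLES:
                pkt = parse_packet(bits[i + 8:], addr_len)
                if pkt and pkt not in found:
                    found.append(pkt)
    return found

if __name__ == "__main__":
    # Constructed 5-byte address and a one-byte counter payload, like the post's sensor node.
    frame = build_packet(b"\xe7\xe7\xe7\xe7\xe7", b"\x2a", pid=1)
    print(decode_stream(to_samples(frame, 2), 2, 5))
```

Flipping a single sample inside the address makes decode_stream return nothing, which is the behaviour the post relies on to separate real packets from noise that merely looks like a preamble.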

Getting rtl_fm to output the right signal

Once you install librtlsdr and have it working with your dongle, the basic command line for rtl_fm to produce the bitstream we need as input is:
rtl_fm -f 402m -s 2000k -g 0 -p 239

The parameters are:

  • -f - frequency. Remember to take the nrf channel frequency and subtract your down converter's LO frequency. In the case here it's 2400-1998=402.
  • -s 2000k - mandatory. My code expects a stream of 2M samples per second.
  • -g 0 - to avoid noise, it's important to disable the automatic gain control and reduce the gain as much as possible. I use 0 when everything is on my table and 10-15 when it's in my house.
  • -p defines the rtl-sdr's permanent frequency drift. As a cheap device, the rtl-sdr is not calibrated. It's easy to calibrate it against cellular signals using kalibrate-sdr.

Sniffing NRF24L01+ packets

Once rtl_fm works, simply pipe the output into my software to see packets decoded -
rtl_fm -f 402m -s 2000k -g 0 -p 239 | nrf24-btle-decoder -d 1

Two simple parameters:
  • -t nrf | btle - whether to decode nrf or Bluetooth LE packets (more on this later)
  • -d 1 | 2 | 8 - select the packet speed. The nrf can do 2mbps, 1mbps or 256kbps; you need to pick the right one.
Having my sensor node send one byte of data (an increment counter) with an acknowledgment from another node, the output would look like:

Sniffing 2Mbps NRF24L01+ traffic on channel 0 (2,400Mhz)

And now I'm not blind anymore when debugging!

Taking it further

As one smart blogger explained, the physical radio layers of the NRF24L01+ and Bluetooth Low Energy (btle from now on) are quite similar. This allowed me to quickly adapt my code to sniff btle packets as well.

Sniffing Bluetooth Low Energy advertisement channel 38 (2,426Mhz)
The code for sniffing btle is complete for the advertisement channels but not for the data channels; adding that would be my next step. The main issue is the frequency hopping required by btle, which I'm not sure our lowly rtl-sdr can do fast enough.


  1. There is also this option with a $49 USB dongle to sniff BT LE packets:

    1. You can do some other nice tricks with TI's RF sticks, a few of them can jam WiFi...

    2. Tell me more. :3

    3. You can probably jam WiFi by just continuously sending packets with the TI's RF sticks (perhaps you need to disable carrier sense first). Well we were even able to do it with ordinary WiFi dongles :D Shameless self plug: some of the code is at https://github.com/vanhoefm/modwifi

    4. Purely for the purposes of academic enquiry (because it's antisocial and childish to jam wifi) you'll have better results transmitting a CTS management frame, after which all 802.11 stations are required by the standard to stop transmitting for up to 65535 microseconds.

  2. Or the $120 Ubertooth, which you can possibly extend with custom firmware.

  3. The BTLE freq hopping code and other nice bits are in the ubertooth src repo, you could easily adapt it for use with the rtl-sdr

  4. Thanks to all the interest in the post, Amazon ran out of stock for the products I pointed to. I modified the links to similar products on Amazon, hope they have more stock...

  5. You are right about the security implications. But anyone with a GoodFET has been able to sniff NRF24L01+ packets since 2011. http://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html

  6. You can make a nice BTLE sniffer using the nRF51822-EK from Nordic Semiconductor. There is a Sniffer project listed on the website. It is used in conjunction with Wireshark. Wireshark is a network protocol analyzer for Unix and Windows. The -EK comes with an evaluation board and a dongle for $99.00. Either of the devices can run the sniffer, so you potentially can have 2 sniffers made out of 1 kit.
    ~~~ JT

  7. "While working on the mesh network code [...]" - any success with that? Do you plan to publish the code? I'm looking for a ready for use "simple" mesh protocol. I was thinking about writing such a protocol, but it doesn't look easy (but no attempts yet).

  8. Yes, some progress on the mesh network code. Point to point and discovery are pretty much working. Currently working on the wifi to nrf gateway code (hardware ready, software 50%) and the next step would be routing and multi hops.
    still a long way to go, will keep everyone posted.

    1. Very interested in seeing that! Do you intend to publish this work? I'm actually following the same path: nrf24s, low cost sensor mesh, raspberry pi + openhab as a gateway. I managed to connect raspi to arduino nano using these modules, they are great.

    2. Hi,
      any success by finishing the code for routing and multihops as well as the nrf gateway hardware ?
      Would be nice if you could provide this to be used for enhanced mesh networks.
      Thanks for your reply.
      BR Mike

  9. Hi,

    I recently did a similar thing for NRF905 chipset traffic monitoring.
    It monitors sub 1GHz carrier, and does not require the conversion
    to use RTLSDR. A post is available here:



  10. Q? I'm building a home automation system using a network of NRF24L01+. I'd like the units to detect when someone walks into the room by measuring the BT 2.1 device name and RSI. This would trigger the lights and music to follow you through the house.

    Is this possible?

  11. I'm working on connecting nRF24L01+ to ANT devices, and it's basically working ;) Will publish soon.
    By the way, I have the same downconverter here (from alibaba), how the hell it is powered, is there only a connector? Do I need a specific power supply?

    1. You need to supply 18V on the RF cable. The easiest method is using a power injector like the one described in the post - http://www.amazon.com/gp/product/B005AME7Y8/ref=as_li_ss_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B005AME7Y8&linkCode=as2&tag=cybeblog-20

    2. I have a 12V PSU. In the antenna circuit, there's a 7808 so according to the datasheet it can work with voltages from 10.5V up to 23V. Inside the antenna, the DC is removed from the RF signal only with a 10uF capacitor. Maybe I can do the same on the dongle side. Even if I am not sure that parasitic components of the capacitor would not block the RF signal. I'll try and post the results.

    3. I had no issues just supplying 18V to multiple dongles. Another option is to buy an RF splitter like this one: http://www.amazon.com/gp/product/B000Y97Q86/ref=as_li_ss_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B000Y97Q86&linkCode=as2&tag=cybeblog-20
      and you can find them for less than $2 at any local hardware store.

  12. Hi, I've noticed your downconverter isn't exactly in the 2.4GHz band, but I guess the filters aren't that sharp so you could still use it. Am I right? Do you think a downconverter with these parameters would also be OK?
    > RF INPUT: 2500 - 2700 MHz
    > IF OUTPUT 950 - 1150 MHz
    > GAIN: 65 dB
    > LO: 3650 MHz

  13. The filters are likely not to be tight enough to reject a strong signal in the 2.4 GHz range.
    The downconverter parameters don't add up, could there have been a typo? Usually RF - LO = IF.

  14. The nRF24L01+ has a frequency range of 2400-2527 MHz - does your 2.2-2.4GHz downconverter have loose enough filters to accept 2.527 GHz signals without excessive attenuation?

    I do understand that for testing your mesh, you can just temporarily choose a lower frequency channel, even if you raise the channel number in production. But it would be cool if decoding higher frequencies were possible.

  15. This hack is broooootal!

    I really like the way you used the LNC (LNB) to convert the signal down.
    I am aiming for something similar but a bit different.

    I have a PL1167(datasheet see here http://www.datasheet-pdf.com/datasheet/POWERLINK/815377/PL1167.pdf.html) which works on 2.4GHz ISM band with FHSS....
    Do you think it might be possible to sniff this one with your great solution?
    I'm asking because of the frequency hopping of the PL1167 (FHSS)...
    Hope you can tell me something ^^

  16. Hello! I found this project to be inspiring.

    I ordered the same LNB from Aliexpress, plugged it all in... and YEAH! It worked perfectly and I could easily see everything I expected in the range I expected it.

    Then I put it away, as there were many projects ahead of it.

    I recently pulled it out to mount on a dish and a motorized tilt/pan system... and I realized I must have thrown away that little metal rectangle that goes on the end of the LNB (or maybe it wasn't even in the box). I didn't even think about it at the time.

    Would it be possible to give the height/width/thickness/corner radius/hole measurements so I can whip one up? That would be totally swell!

    Keep up the good work.

    BTW... I have some idea to let the tilt/pan scan around and see what kind of intensity maps I can make at different frequencies... mapping where wifi is coming from or what degree of reflection there is... though it went back in the project queue when I realized I didn't have the little metal rectangle.

    1. Here are the measurements of my plate:
      98mm x 37mm x 0.4mm
      3 holes each with diameter of 3.2mm, gap between holes is 3mm. Center hole aligned horizontally and vertically.

      Great idea for a project, let me know how it works!

  18. I found that on aliexpress http://www.aliexpress.com/item/dogital-MMDS-downconverter-1998MHz-with-2-4-2-6GHz-Input-SDR-converter-for-2-4G-Wifi/2030074720.html Do you think it will work better than the one you point out?

  19. Even though you said that the filters are likely not to be tight enough to reject a strong signal in the 2.4 GHz range, why did you prefer the 2.2-2.4 GHz down converter instead of the 2.4-2.6 version?

  157. The same device with LO=1838 seems much cheaper. Can it be used in place of the 1998MHz version you used?