Sub-GHz radios (typically 315, 433, 868, or 915 MHz) drive garage doors, car key fobs, doorbells,
sensors, meters, and industrial controls. This page covers modulation basics, capture/replay,
decoding workflows, and defenses; apply any of it only with permission.
Quick-start checklist
Authorization & scope: Only test systems you own or have explicit written permission to assess.
Identify band: Determine target frequency (315/390, 433.92, 868, 915 MHz, etc.). Label it before you transmit anything.
Choose a tool: For quick demos, use Flipper/RFQuack; for deep analysis, use an SDR (HackRF) + URH/GNU Radio.
Antenna match: Use a quarter-wave or band-specific antenna; wrong antennas cause weak/garbled captures.
Start RX-only: Capture multiple examples first; compare frames to infer structure. Transmit later—in a lab—if authorized.
Bands & modulation primer
Sub-GHz devices favor lower frequencies for longer range and better penetration of walls and
vehicles. Many consumer protocols are simple and narrowband: OOK/ASK (the carrier keyed on and off,
usually with pulse-width or Manchester bit encoding) or 2-FSK/GFSK, carrying short framed messages
with a preamble, an ID, a payload, and often an integrity field.
Rolling codes: Car fobs and many openers use counter-based, cryptographically generated rolling codes; the receiver remembers the last counter it accepted and rejects codes it has already consumed.
Replaying a captured code therefore fails unless the target never received it (timing matters) or you possess valid keys. Keep all such tests in a lab.
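As an added example (not code from the original page or from URH), here is the OOK decoding chain the primer describes, run end to end: slice the demodulated envelope, measure run lengths, estimate the base pulse width, and classify HIGH/LOW pulse pairs into bits. It assumes PT2262-style PWM (short/long = 0, long/short = 1, frames separated by a long LOW gap); the sample rate, base pulse width, bit pattern, noise and jitter are constructed values, and `envelope_from_bits` is a synthetic signal generator standing in for a real capture.

```python
"""Added example (not from the original page): decode an OOK burst from its
demodulated envelope the way a URH/rtl_433-style decoder does: slice, measure
run lengths, estimate the base pulse width, classify pulse pairs into bits.

Assumptions (ours, not the page's): PT2262-style PWM, in which every bit is a
HIGH/LOW pair (short/long = 0, long/short = 1) and frames are separated by a
LOW gap of about 31 base units. Sample rate, base pulse width, bit pattern,
noise and jitter below are constructed test values.
"""
import random

SAMPLE_RATE = 250_000                       # samples/s of the constructed capture
TE = SAMPLE_RATE * 350 // 1_000_000         # base pulse width: 350 us -> 87 samples


def envelope_from_bits(bits, noise=0.05, jitter=0.10, seed=1):
    """Constructed test signal: rectified envelope of one PWM frame plus gaps."""
    rng = random.Random(seed)
    samples = []

    def pulse(level, units):
        n = int(TE * units * (1 + rng.uniform(-jitter, jitter)))
        samples.extend(level + rng.gauss(0, noise) for _ in range(n))

    pulse(0.0, 31)                          # leading sync gap
    for b in bits:
        if b == "0":
            pulse(1.0, 1); pulse(0.0, 3)
        else:
            pulse(1.0, 3); pulse(0.0, 1)
    pulse(1.0, 1); pulse(0.0, 31)           # sync pulse + gap before the next repeat
    return samples


def slice_envelope(samples):
    """Threshold at the midpoint between the quietest and loudest sample."""
    mid = (min(samples) + max(samples)) / 2
    return [1 if s > mid else 0 for s in samples]


def run_lengths(levels):
    """Collapse a 0/1 sequence into (level, length) runs."""
    runs = []
    for lvl in levels:
        if runs and runs[-1][0] == lvl:
            runs[-1][1] += 1
        else:
            runs.append([lvl, 1])
    return [tuple(r) for r in runs]


def estimate_te(runs):
    """Base pulse width = mean of the shortest cluster of run lengths.

    Runs shorter than twice the shortest run are taken as 1-unit pulses; with
    +/-10% jitter that cluster is cleanly separated from 3-unit pulses. A real
    capture needs glitch filtering first so a noise spike cannot become the minimum.
    """
    lengths = [n for _, n in runs]
    shortest = min(lengths)
    cluster = [n for n in lengths if n < 2 * shortest]
    return sum(cluster) / len(cluster)


def decode_pwm(samples, te=None):
    """Return the list of decoded frames (bit strings) found in an envelope capture."""
    runs = run_lengths(slice_envelope(samples))
    te = te or estimate_te(runs)
    frames, cur, i = [], [], 0
    while i + 1 < len(runs):
        lvl, n = runs[i]
        if lvl != 1:                        # skip leading/stray LOW runs
            i += 1
            continue
        hi_units = round(n / te)
        lo_units = round(runs[i + 1][1] / te)
        if lo_units >= 20:                  # long gap: frame boundary
            if cur:
                frames.append("".join(cur))
                cur = []
        elif (hi_units, lo_units) == (1, 3):
            cur.append("0")
        elif (hi_units, lo_units) == (3, 1):
            cur.append("1")
        else:
            cur.append("?")                 # malformed pair: flag it, don't guess
        i += 2
    if cur:
        frames.append("".join(cur))
    return frames


if __name__ == "__main__":
    bits = "101100111000010110100101"        # constructed 24-bit frame
    print(decode_pwm(envelope_from_bits(bits)))
```

The "?" marker is deliberate: a pulse pair that fits neither pattern is usually a clipped preamble or a collision, and guessing a bit there hides exactly the defect you are trying to diagnose.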
Common research workflows
1) Recon & catalog
Use a spectrum view (SDR) or a protocol scanner (Flipper/RFQuack) to find active frequencies.
Log carrier, bandwidth, modulation guess, and time of activity; take multiple captures.
2) Passive monitoring
Log long-running sensor traffic (meters/weather). Look for periodicity, device IDs, and integrity fields (checksums/CRCs) by comparing frames.
If encryption/auth is present, keep to meta-analysis (rates, IDs, RSSI trends); do not attempt circumvention.
Safety & legality: Many Sub-GHz systems control safety- or property-relevant equipment (doors, alarms, cars).
Don't interfere with live systems. Keep all replay/transmit work to permitted lab rigs or explicit engagements.
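Comparing multiple captures to infer frame structure, as the recon/catalog and passive-monitoring steps above describe, is mechanical enough to script. The following is an added example, not code from the page or from any decoder project: it classifies each byte position as fixed, counter, or varying, reports which bits ever change, and brute-forces whether the trailing byte is a CRC-8 over the rest. The captures are constructed from a fictional layout (2-byte ID, status byte, counter, CRC-8 with polynomial 0x31); the analysis functions do not know that layout.

```python
"""Added example (not from the original page): infer a frame layout from several
captures of one device: find the bytes that never change (ID/type), the byte that
increments (counter), and test whether the trailing byte is a CRC-8 over the rest.

The captures are constructed for this example from a fictional layout (2-byte ID,
1-byte status, 1-byte counter, CRC-8 poly 0x31); they are not from a real device.
"""


def crc8(data, poly, init=0x00, xorout=0x00):
    """Plain MSB-first CRC-8 covering the common polynomial/init/xorout variants."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ poly) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc ^ xorout


def make_frame(dev_id, status, counter, poly=0x31):
    """Constructed transmitter side: builds the fictional frame with its CRC."""
    body = bytes([dev_id >> 8, dev_id & 0xFF, status, counter])
    return body + bytes([crc8(body, poly)])


# Four consecutive transmissions of the same constructed sensor.
CAPTURES = [make_frame(0x2A7C, 0x81, c) for c in (0x10, 0x11, 0x12, 0x13)]


def classify_bytes(frames):
    """Per byte position: 'fixed', 'counter' (+1 each frame), or 'varies'."""
    classes = []
    for pos in range(len(frames[0])):
        col = [f[pos] for f in frames]
        if len(set(col)) == 1:
            classes.append("fixed")
        elif all((b - a) % 256 == 1 for a, b in zip(col, col[1:])):
            classes.append("counter")
        else:
            classes.append("varies")
    return classes


def varying_bits(frames):
    """Per byte, a mask of the bits that ever change between consecutive frames."""
    masks = [0] * len(frames[0])
    for a, b in zip(frames, frames[1:]):
        for pos, (x, y) in enumerate(zip(a, b)):
            masks[pos] |= x ^ y
    return masks


def find_crc8(frames):
    """Brute-force (poly, init, xorout) so the last byte is CRC-8 of the rest in all frames."""
    hits = []
    for poly in range(1, 256):
        for init in (0x00, 0xFF):
            for xorout in (0x00, 0xFF):
                if all(crc8(f[:-1], poly, init, xorout) == f[-1] for f in frames):
                    hits.append((poly, init, xorout))
    return hits


def layout_report(frames):
    """Bundle the three analyses into a dict so callers can assert on it."""
    return {
        "classes": classify_bytes(frames),
        "changing_bits": varying_bits(frames),
        "crc8_candidates": find_crc8(frames),
    }


if __name__ == "__main__":
    for f in CAPTURES:
        print(f.hex())
    print(layout_report(CAPTURES))
```

Four frames that differ only in a counter give little leverage against false CRC candidates; prefer captures whose payload fields also vary (different sensor readings, different buttons) before trusting a single polynomial hit.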
Hardening & safety notes
Prefer modern protocols: Use authenticated, rolling-code, or encrypted links; retire fixed-code remotes, which any capture can replay.
RF hygiene: Use appropriate filtering and shielding; make receivers validate preamble, sync word, and integrity fields rather than acting on any frame that happens to decode.
Backend checks: Correlate RF events with physical sensors (contact/motion) and with time/place to detect anomalies such as an "open" command with nobody at the door.
Upgrade paths: For legacy fleets, plan phased migrations (readers + endpoints) with dual-mode periods kept short, since the fixed-code path stays replayable until it is disabled.
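Receiver-side rolling-code acceptance, illustrating both the rolling-code note in the primer and the "Prefer modern protocols" item above. This is an added example, not code from the page or from any fob vendor. It assumes a 16-bit counter, a 32-bit code derived with HMAC-SHA256 under a per-fob key (a stand-in for the proprietary cipher a real fob uses; a real receiver decrypts the code to recover the counter instead of searching for it as this one does), an acceptance window of 16 counts, and a resync limit of 1024 that requires two consecutive codes. The key, serial, and counters are constructed.

```python
"""Added example (not from the original page): receiver-side rolling-code
validation, showing why replaying a captured, already-accepted code is rejected.

Assumptions (ours): 16-bit counter; code = first 4 bytes of HMAC-SHA256 over
serial||counter under a per-fob key (stand-in for a real fob's block cipher);
single-step window of 16; beyond that, up to RESYNC_LIMIT ahead, two consecutive
codes are required. Key, serial and counters are constructed values.
"""
import hashlib
import hmac

WINDOW = 16             # counters ahead of the last accepted one taken in one step
RESYNC_LIMIT = 1 << 10  # beyond WINDOW, up to here: accept only two consecutive codes
MOD = 1 << 16


def code_for(key, serial, counter):
    """The 'hop code' a fob transmits for a given counter (our HMAC stand-in)."""
    msg = serial.to_bytes(4, "big") + (counter % MOD).to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class Fob:
    """Transmitter: every press increments the counter and emits its code."""

    def __init__(self, key, serial, counter=0):
        self.key, self.serial, self.counter = key, serial, counter

    def press(self):
        self.counter = (self.counter + 1) % MOD
        return self.serial, code_for(self.key, self.serial, self.counter)


class Receiver:
    """Keeps, per serial: key, last accepted counter, and a pending resync counter."""

    def __init__(self):
        self.fobs = {}

    def learn(self, serial, key, counter):
        self.fobs[serial] = [key, counter, None]

    def accept(self, serial, code):
        if serial not in self.fobs:
            return "unknown"
        key, last, pending = self.fobs[serial]
        # Which counter in the lookahead range produced this code, if any?
        # Anything at or below `last` is never searched: that is what kills replay.
        for delta in range(1, RESYNC_LIMIT + 1):
            c = (last + delta) % MOD
            if hmac.compare_digest(code_for(key, serial, c), code):
                break
        else:
            return "reject"
        if delta <= WINDOW:
            self.fobs[serial] = [key, c, None]
            return "accept"
        # Far ahead (fob pressed out of range): need the immediate successor too.
        if pending is not None and c == (pending + 1) % MOD:
            self.fobs[serial] = [key, c, None]
            return "accept-resync"
        self.fobs[serial] = [key, last, c]
        return "pending-resync"


def demo():
    """Walk a fob and receiver through accept, replay, window, and resync cases."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed key
    fob = Fob(key, serial=0x00C0FFEE, counter=100)
    rx = Receiver()
    rx.learn(fob.serial, key, counter=100)
    results = []
    s, c1 = fob.press(); results.append(rx.accept(s, c1))     # fresh code: accept
    results.append(rx.accept(s, c1))                           # same code again: reject
    for _ in range(5):
        fob.press()                                            # presses the receiver missed
    s, c2 = fob.press(); results.append(rx.accept(s, c2))     # still inside WINDOW: accept
    for _ in range(WINDOW + 50):
        fob.press()                                            # far out of range
    s, c3 = fob.press(); results.append(rx.accept(s, c3))     # pending-resync
    s, c4 = fob.press(); results.append(rx.accept(s, c4))     # consecutive: accept-resync
    results.append(rx.accept(s, c3))                           # older code now: reject
    return results


if __name__ == "__main__":
    print(demo())
```

Replay of an accepted code fails because the receiver's counter has moved past it. A code the receiver never heard stays valid until a later one is accepted, which is why the primer says timing matters and why the lookahead window should be no larger than usability requires.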
Troubleshooting
Nothing captured? Re-check the band (e.g., 390 vs 433.92 MHz); widen the capture bandwidth; move closer; verify the antenna.
Frames inconsistent: You may be clipping or missing the preamble; adjust gain and sample rate, and check that the pulse-width histogram shows clean clusters.
Replay fails: The system may use rolling codes or timing windows; take fresh captures and verify symbol timing against the original before retrying in the lab.
Noise floor too high: Change location, shorten cables, add filtering/attenuation, or use a directional antenna.
FAQ
Is Sub-GHz better than 2.4 GHz?
Different trade-offs. Sub-GHz often travels farther and penetrates better at lower data rates; 2.4 GHz supports higher throughput but shorter range.
Can I “open any garage door” with replay?
No. Many systems use rolling codes or extra checks; replay generally works only on fixed-code systems, and transmitting at a system you are not authorized to test is illegal regardless.
Do I need an SDR?
Not always. Devices like Flipper or RFQuack can handle many simple protocols. For unknown or complex signals, SDRs provide full visibility and flexibility.
Useful references
Regional ISM band regulations and power limits
Universal Radio Hacker (URH) tutorials for OOK/FSK decoding
GNU Radio guides (clock recovery, symbol timing, framing)
Antenna calculators for quarter-wave lengths (315/433/868/915 MHz)
Legal & ethics: See Ethics for boundaries and safe lab practices.