Sniffing And Decoding Bluetooth LE Advertising Packets And NRF24L01+ Comms. For Under $30

[Omri] just documented his journey to sniff and decode the protocol used by the popular NRF24L01+ transceiver off the air for very cheap. As he was designing a mesh network code and needed a way to monitor/debug the overall network performance, [Omri] decided to look for some RF hardware.

We’re sure that most of our readers are familiar with Software Defined Radio (SDR), which not so long ago became popular when some engineer discovered hidden registers inside Realtek RTL2832U chip, allowing many DVB-T dongles to be converted into RF listening devices. Unfortunately for [Omri], most of them have a maximum listening frequency of 2.2GHz, while the NRF24L01+ emits at 2.4GHz. The solution? Buy a 2.2-2.4GHz antenna from Aliexpress with a low-noise block downconverter (LNB), used for a Multichannel Multipoint Distribution Service (MMDS). The LNB therefore takes the 2.2-2.4GHz signal and downconverts it to around 400MHz, allowing any RTL-SDR-compatible DVB-T dongle to listen to the NRF communications. A program was then written to decode the RF signal and output the sniffed data in realtime.

9 thoughts on “Sniffing And Decoding Bluetooth LE Advertising Packets And NRF24L01+ Comms. For Under $30

  1. I believe down conversion here is by 400MHz, rather than to 400MHz, to get the signal to below the 2.2GHz upper limit of the RTL-SDR.

    Until I can get my hands on a HackRF board I am looking for cheap down conversion that will convert, say, a 2-6GHz range to 0.5-2GHz. Any suggestions? Thanks.

    1. 2.4ghz is not a data bitrate, it is the carrier’s frequency used for transmitting the data which is then modulated to transmit data. So you don’t loose any data, you transpose your data to another lower carrier’s frequency.

  2. The down conversion is done linearly by 1998 Mhz in this case – so a signal at 2426Mhz to 2428Mhz is mapped to 428-430Mhz completely linearly, so if it had 6 peaks before the conversion it will have the same 6 peaks after conversion, just around a different base frequency.
    The down converter really opens up the frequency range, but it has filters that limit you to a specific input frequency. I’ve seen a few experiments to remove or change the filters, that should work fine.

    btw, you can find down converters with a huge selection of LO frequencies, even at the 10th oh Ghz – although the signal itself will probably be too wide for the rtl-sdr. but if you have a simple signal at very high frequency, you should be able to down convert it.
    here’s an example for an interesting one – http://www.aliexpress.com/store/product/Universal-Ku-Quad-LNB-With-waterproof-design-with-high-quality-and-low-price/402505_1104172692.html

  3. I had it wrong earlier. They _are_ converting down to ~400MHz. Combining the 2.2-2.4Ghz signal with a L.O. (local oscillator) frequency of 1998MHz produces sum and difference frequencies, where the 400 MHz is then used here.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.