Sniffing and Decoding Bluetooth LE Advertising Packets and NRF24L01+ Comms. for under $30

[Omri] just documented his journey to sniff and decode, off the air and very cheaply, the protocol used by the popular NRF24L01+ transceiver. While writing mesh network code, he needed a way to monitor and debug the overall network performance, so [Omri] went looking for some RF hardware.

We’re sure that most of our readers are familiar with Software Defined Radio (SDR), which not so long ago became popular when some engineer discovered hidden registers inside the Realtek RTL2832U chip, allowing many DVB-T dongles to be converted into RF listening devices. Unfortunately for [Omri], most of them have a maximum listening frequency of 2.2GHz, while the NRF24L01+ transmits at 2.4GHz. The solution? Buy a 2.2-2.4GHz antenna from Aliexpress together with a low-noise block downconverter (LNB) of the kind used for Multichannel Multipoint Distribution Service (MMDS). The LNB takes the 2.2-2.4GHz signal and downconverts it to around 400MHz, allowing any RTL-SDR-compatible DVB-T dongle to listen to the NRF communications. A program was then written to decode the RF signal and output the sniffed data in real time.


  1. pedro says:

    SDR is such an amazing thing. I think I’m in love.

  2. cpldcpu says:

    It should be mentioned that this kind of “sniffing” can also be performed with a nRF24L01. So that would be a <2$ solution:

    This may also work for BLE?

  3. fartface says:

    Awesome to see people discovering Dish Downconverters and how they can make life a lot easier.

  4. Ray Roberts says:

    I believe down conversion here is by 400MHz, rather than to 400MHz, to get the signal to below the 2.2GHz upper limit of the RTL-SDR.

    Until I can get my hands on a HackRF board I am looking for cheap down conversion that will convert, say, a 2-6GHz range to 0.5-2GHz. Any suggestions? Thanks.

  5. gabriel says:

    how do you even get meaningful data from 2.4GHz to 400MHz?

    you now have 1/6 of the data… assuming you had 6 peaks, now you see one… what am i getting wrong here?

    • Gerald says:

      2.4GHz is not a data bitrate, it is the frequency of the carrier used for transmitting the data, which is then modulated to transmit data. So you don’t lose any data, you transpose your data to another, lower carrier frequency.

  6. omriiluz says:

    The down conversion is done linearly by 1998 MHz in this case – so a signal at 2426 MHz to 2428 MHz is mapped to 428-430 MHz completely linearly, so if it had 6 peaks before the conversion it will have the same 6 peaks after conversion, just around a different base frequency.
    The down converter really opens up the frequency range, but it has filters that limit you to a specific input frequency. I’ve seen a few experiments to remove or change the filters; that should work fine.

    btw, you can find down converters with a huge selection of LO frequencies, even at tens of GHz – although the signal itself will probably be too wide for the rtl-sdr. but if you have a simple signal at very high frequency, you should be able to down convert it.
    here’s an example of an interesting one –

  7. Ray Roberts says:

    I had it wrong earlier. They _are_ converting down to ~400MHz. Combining the 2.2-2.4GHz signal with a L.O. (local oscillator) frequency of 1998MHz produces sum and difference frequencies, where the 400 MHz difference is then used here.
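To make the mixer arithmetic from the article and from comments 6 and 7 concrete, here is an added example (not code from the original post or from [Omri]'s project) that maps nRF24L01+ channels and BLE advertising channels through an LNB and reports which of them an RTL-SDR can actually tune. The 1998 MHz LO is the figure quoted in the comments; the 24-1766 MHz tuner range is an assumption for a typical R820T dongle.

```python
"""Mixer/LNB downconversion of 2.4 GHz ISM signals to an RTL-SDR IF (MHz).

Added example, not the project's code. LO = 1998 MHz is from the comments;
the default tuner range is an assumed R820T figure.
"""

NRF24_BASE_MHZ = 2400  # nRF24L01+ RF_CH register n selects 2400 + n MHz
BLE_ADV_CHANNELS_MHZ = {37: 2402, 38: 2426, 39: 2480}  # BLE advertising channels


def downconvert(rf_mhz, lo_mhz):
    """Return the (difference, sum) products of mixing an RF tone with the LO.

    The difference product is what the SDR listens to; the sum product is
    rejected by the LNB's output filter. Values are rounded to kHz resolution.
    """
    return round(abs(rf_mhz - lo_mhz), 3), round(rf_mhz + lo_mhz, 3)


def downconvert_spectrum(tones_mhz, lo_mhz):
    """Translate every peak of a spectrum; the spacing between peaks is kept."""
    return [downconvert(f, lo_mhz)[0] for f in sorted(tones_mhz)]


def nrf24_channel_to_if(channel, lo_mhz=1998):
    """IF (MHz) at which nRF24L01+ channel 0..125 appears after the LNB."""
    if not 0 <= channel <= 125:
        raise ValueError("nRF24L01+ RF_CH must be 0..125")
    return downconvert(NRF24_BASE_MHZ + channel, lo_mhz)[0]


def sniffable_nrf24_channels(lo_mhz=1998, tuner_min_mhz=24, tuner_max_mhz=1766):
    """nRF24 channels whose IF lands inside the SDR's tuning range.

    A LO far below ~2 GHz (e.g. a 400 MHz shift) leaves every channel above
    the tuner's upper limit, so the list comes back empty.
    """
    return [ch for ch in range(126)
            if tuner_min_mhz <= nrf24_channel_to_if(ch, lo_mhz) <= tuner_max_mhz]


def ble_adv_if_map(lo_mhz=1998):
    """Where the three BLE advertising channels land after downconversion."""
    return {ch: downconvert(f, lo_mhz)[0] for ch, f in BLE_ADV_CHANNELS_MHZ.items()}


if __name__ == "__main__":
    print("2426 MHz with 1998 MHz LO ->", downconvert(2426, 1998))
    print("BLE advertising IFs:", ble_adv_if_map())
    print("sniffable nRF24 channels:", len(sniffable_nrf24_channels()))
    print("with a 400 MHz LO shift:", sniffable_nrf24_channels(lo_mhz=400))
```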
