Reverse engineering a 27MHz RC toy communication using RTL SDR

by austinallegro on 10/15/2025, 2:31 PM with 19 comments
  • by theamk on 10/15/2025, 9:34 PM

    Having different number of bits in very similar commands (up vs down) is very unusual in low cost RF devices. Those things are built as simply as possible using underpowered CPUs, so I would not expect any sophistication.

    Based on patterns ("110110110", "1010", "111011101110"), I bet bits are variable length. Long pulse for sync, medium for 1, short for 0 (or other way). So there is always the same number of bits, but the time taken is different. This makes it very easy to decode, and explains the values in the table.

  • by numpad0 on 10/15/2025, 10:52 PM

    In similar manners to how lots of optical mouse sensors are Agilent command compatible, many RC cars are built on clones of Realtek TX2/RX2 chipsets. Ironically designed originally by the same company as the RTL2832U.

    The RX2 protocol is incredibly simplistic and inefficient at the same time, something like numbers of pulses in increments of few dozens to accept one of the grand total of dozen commands. It barely allow multiple command issuance within a second and completely incapable of handling analog inputs due to that. It's truly a product of "if it works" mindset.

    They take the radio input, or just digital input into the antenna pin, or photodiode for IR input, or you can just remove the chip and solder an Arduino into H bridges. The difficulties are about the same. The minor disappointment I have had with these is that the steering servo built into the chassis inthe example I had was way too roughly made that analog control was plain impossible no matter what.

  • by BobbyTables2 on 10/16/2025, 2:08 AM

    Author should have used Universal Radio Hacker instead. https://github.com/jopohl/urh

    It’s an amazing tool. In less than an hour I decoded my RF remotes for the fans in my house.

    Whipped up a Python script (without external modules) that transmits a modulated carrier using HackRF. Now I can control fans (with lights) with scripts.

    URH also really good at recognizing the pulse durations and repetitions.

    All crude RG devices aren’t even ASK, it’s really OOK. The receivers don’t have an ADC!

  • by ge96 on 10/15/2025, 3:11 PM

    Tangent

    I had an rc submarine that could go underwater a couple feet, but I'd take an rc car's 27MHz radio and put it underwater, it'd stop working almost immediately soon as it went underwater (waterproofed). Wonder what the difference was.

  • by Peteragain on 10/15/2025, 4:04 PM

    Software defined radio but what is LTR?

  • by janwl on 10/15/2025, 9:44 PM

    All that audio engineering expertise and you can't remove the background noise from your microphone.