Reverse Engineering a 27mhz Rc Toy Communication Using Rtl Sdr

Posted3 months agoActive3 months ago

austinallegro

98 points

20 comments

nitrojacob.wordpress.comTechstory

calmpositive

Debate

40/100

Reverse EngineeringRtl SdrRf Communication

Key topics

Reverse Engineering

Rtl Sdr

Rf Communication

The author reverse-engineered a 27MHz RC toy communication using RTL SDR, sparking a discussion on the simplicity of RF protocols and alternative tools for decoding RF signals.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

39m

Peak period

7-8h

Avg / period

Comment distribution20 data points

Loading chart...

Based on 20 loaded comments

Key moments

01Story posted
Oct 15, 2025 at 10:31 AM EDT
3 months ago
Step 01
02First comment
Oct 15, 2025 at 11:11 AM EDT
39m after posting
Step 02
03Peak activity
5 comments in 7-8h
Hottest window of the conversation
Step 03
04Latest activity
Oct 16, 2025 at 2:08 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (20 comments)

Showing 20 comments

ge96

3 months ago

3 replies

Tangent

I had an rc submarine that could go underwater a couple feet, but I'd take an rc car's 27MHz radio and put it underwater, it'd stop working almost immediately soon as it went underwater (waterproofed). Wonder what the difference was.

doug_life

3 months ago

1 reply

It is likely that that the sub had it's antenna tuned to work well in water while the RC car antenna was tuned for open air. The two different mediums will change the antenna impedance.

ge96

3 months ago

1 reply

Interesting does say shorter antenna, I could see that, I think the RC sub's antenna was like 4in long vs. an rc car's antenna that's usually like a foot

iancmceachern

3 months ago

1 reply

Yeah, my basic understanding of submarine communications is that lower frequencies penetrate the water better. Lower wavelength needs a longer antenna. The system US subs use is a very low frequency from what I understand.

jasonjayr

3 months ago

2 replies

> TACAMO (take charge and move out) is the back up communications system to the US nuclear submarine fleet in case an attack on land based transmitters disables them. A rotating fleet of Navy E6 jets equipped with 200 KW transmitters and two 2½-mile-long trailing wire antennas (TWA) at 35,000 ft altitude to provide 24/7 coverage. Short pings are transmitted every few seconds.

Regarding "longer antenna" for submarines... -- I recently learned about this signal from https://www.sigidwiki.com/ -- which has been helpful to ID all the fun stuff you can see with RTLSDR

iancmceachern

3 months ago

1 reply

Delicious, 2.5 mile long antennas behind airplanes

Corona, stuff like this, the sheer gall, it's impressive.

janzer

3 months ago

Sadly the 6000 mile antenna never got built, but they did get a few tens of mile long ones built.

https://en.wikipedia.org/wiki/Project_Sanguine

mschuster91

3 months ago

The cost of that must be insane - the price tag of being about the only military force on this rock capable of projecting force and delivering utter devastation 24/7/365 any place any time even if the entirety of the US got glassed.

mmmlinux

3 months ago

1 reply

was the submarine remote RF or IR?

ge96

3 months ago

it's RF this one

https://www.dhgate.com/goods/822484606.html

seawolf Omnibearing RC Submarine - 6CH 35cm

Walmart used to sell it like 17 years ago

davemp

3 months ago

Water attenuates (reduces the power of) signals significantly and more-so at higher frequencies. The HF (3-30MHz) band is definitely not what you’d want to pick (sonar is in the KHz range). The sub was probably still 27MHz but just higher power with a better antenna because of the FCC regulations though.

Peteragain

3 months ago

2 replies

Software defined radio but what is LTR?

papercrane

3 months ago

1 reply

I believe the RTL in RTL-SDR is "Realtek Limited", the manufacturer of the chips used in the early days of SDR. I don't think the chips these days are exclusively Realtek, but the name has persisted.

Peteragain

3 months ago

Thanks! I'm getting myself a RTL-SDR!

jandrese

3 months ago

1 reply

The original low cost SDR was a European TV tuner USB stick. A driver developer noticed that it was possible to turn off the built-in vertical and horizontal blank suppression to get a raw I/Q dump from a device that was available for $20 retail. This revolutionized the hobbyist SDR community as the purpose built devices cost hundreds or thousands of dollars.

The "RTL" came from the company that built the hackable chip: Realtek.

RicoElectrico

3 months ago

> A driver developer noticed that it was possible to turn off the built-in vertical and horizontal blank suppression

Aren't you confusing that with Fresco Logic USB to VGA?

numpad0

3 months ago

In similar manners to how lots of optical mouse sensors are Agilent command compatible, many RC cars are built on clones of Realtek TX2/RX2 chipsets. Ironically designed originally by the same company as the RTL2832U.

The RX2 protocol is incredibly simplistic and inefficient at the same time, something like numbers of pulses in increments of few dozens to accept one of the grand total of dozen commands. It barely allow multiple command issuance within a second and completely incapable of handling analog inputs due to that. It's truly a product of "if it works" mindset.

They take the radio input, or just digital input into the antenna pin, or photodiode for IR input, or you can just remove the chip and solder an Arduino into H bridges. The difficulties are about the same. The minor disappointment I have had with these is that the steering servo built into the chassis inthe example I had was way too roughly made that analog control was plain impossible no matter what.

janwl

3 months ago

All that audio engineering expertise and you can't remove the background noise from your microphone.

BobbyTables2

3 months ago

Author should have used Universal Radio Hacker instead. https://github.com/jopohl/urh

It’s an amazing tool. In less than an hour I decoded my RF remotes for the fans in my house.

Whipped up a Python script (without external modules) that transmits a modulated carrier using HackRF. Now I can control fans (with lights) with scripts.

URH also really good at recognizing the pulse durations and repetitions.

All crude RG devices aren’t even ASK, it’s really OOK. The receivers don’t have an ADC!

theamk

3 months ago

Having different number of bits in very similar commands (up vs down) is very unusual in low cost RF devices. Those things are built as simply as possible using underpowered CPUs, so I would not expect any sophistication.

Based on patterns ("110110110", "1010", "111011101110"), I bet bits are variable length. Long pulse for sync, medium for 1, short for 0 (or other way). So there is always the same number of bits, but the time taken is different. This makes it very easy to decode, and explains the values in the table.

View full discussion on Hacker News

ID: 45593213Type: storyLast synced: 11/20/2025, 8:37:21 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN