Interpreting the SDR recording of a remote control signal

[petert]

Hello,

I am a beginner in SDRs, and wanted to have a look at the signal sent from a remote control for a simple RC car. There are only four buttons: drive forward, backward, left or right.

The recorded wavefiles that I captured with SDRPlay (from an RSPduo) can be seen in the attachment. They were captured at 40.68 MHz in AM mode, and generated by pressing the forward button on the remote control two times.

I am a bit surprised there are two channels, is it I/Q? Are they just phase shifted versions of the same signal, or do they have to be combined, to capture the "real" audio from an AM station?

And the main question: I do not recognize the encoding/modulation of the zoomed-in waveform. What could it be?

It seems to be a sine wave that is interrupted regularly, but it does not seem to be phase shift keying. Is it on-off-keying?

[ConKbot]

Its just a quadrature pair of sine waves, so presumably it is IQ data and there is some frequency error between the LO and the received signal carrier. No timebase, but comparing the bit period to the wave frequency, it looks like not that much error.
But both are going to 0 at the same time, so yes, it's simple On-off keying. Take the absolute value of each trace, sum them, and you can set a threshold, where above it, the carrier is on, below it, carrier is off, and it will clean up to a binary data stream that hurts the eyes less to decode.

[RoGeorge]

From the zoomed-in pic, my first guess will go for 3 bits of '0' followed by 9 bits of '1' (on/off carrier, where a long pulse followed by a pause is a zero, and a short carrier pulse followed by a pause is a one, or vice-versa).

The interrupted sinusoidal waveform is most probably an artifact from the slightly different Rx frequency than it was at Tx, as it was already pointed out by ConKbot.  To see the correct on/off that is happening in the Tx, you need to add the square of the two amplitudes:

Tx = I² + Q²

Then you should see a 0 110 110 110 10 10 10 10 10 10 10 10 10, assuming the time slots are equal with the smallest period of Tx carrier absence.  Most probably a '110' will correspond to a zero and a '10' to a one (or vice-versa).

There might be a few synchronization bits and/or a remote ID at the beginning, too.

[petert]

Thanks for your replies. It turns out it is actually on-off keying, but the interruptions within a cycle are due to a wrongly recorded signal.

Carefully chosing the gain and experimenting with some other settings results in a signal that is much more similar to what I would expect. It is somewhat unreliable, though, I haven't figured out which bug? in SDRuno is causing this.

Once I did, I'll edit my post here. (Edit: See post below)

[ConKbot]

I wouldn't expect the TX frequency to be all that stable on a toy RC car, plus the SDR is going to have a minimum increment of which it can tune the LO (not sure of the specs of the unit you're using, so you might be nowhere near this), that and the TX frequency can drift during a TX cycle as voltage or temperature may change, so dealing with frequency error is inevitable.

RoGeorge is correct in the trig identity to use, sin^2+cos^2=1, so frequency error (Sine/cosine in IQ data) will drop away leaving you with just scalar amplitude. The absolute/sum/threshold method I suggested is computationally cheaper (without a hardware multiplier at least, dunno why my brain wandered off to 8-bit micro land ) but that's not of concern if you're working on a desktop PC. The more accurate your frequency gets, just the slower the sine/cosine wave will be, but it will be there unless the SDR locks on and tracks the carrier.

If you're picking up other transmissions within your SDR capture bandwidth, you can high pass filter the IQ data, but make sure your filter algorithm doesn't mess with phase too much in the passband. 

[nuclearcat]

If you are familiar with the programming, you can check source of rtl_433 ( https://github.com/merbanan/rtl_433 ), they did very good job of recording, detecting and decoding such signals.

[petert]

Ok, I found out the main reason. The bandwidth was set to 1MHz with a sampling rate of 2MHz. This would create the seen artifacts, and not show the real signal. Starting with 1.2MHz bandwidth the signal looks much better, and I can reliably see the on/off keying (which has much longer periods than the one you might guess from earlier captures/attached images, which show errors in signal capturing).
The zoomed-in signal now shows a clean sine wave, no interruption within each cycle.

Still have to find out how to trigger this in SDRuno, but I can reliably reproduce this issue in Ultimate Radio Hacker by changing the bandwidth to 1MHz or less.
So it's not the RC/toy car.

If you are familiar with the programming, you can check source of rtl_433 ( https://github.com/merbanan/rtl_433 ), they did very good job of recording, detecting and decoding such signals.

Ultimate Radio Hacker is a tool that is compatible with many SDRs and very capable at decoding signals, in case anyone wants to have a look.

[petert]

I had another look at IQ data, and found this:
https://www.tek.com/blog/calculating-rf-power-iq-samples

Tx = I² + Q²

So apparently the above formula (almost) computes the RF signal power.

But more importantly, it computes absolute values, so it wont restore the originally sent signal.

Is there a way to restore the originally sent signal, including the phase information, when having I and Q signals?

[radiolistener]

Is there a way to restore the originally sent signal, including the phase information, when having I and Q signals?

second part is required just to keep information about negative frequencies. In real world negative frequencies are equals to positive frequencies. This is what happens when you doing Tx = sqrt(I^2 + Q^2), it folds negative frequencies into positive.

When you want to restore the signal, just multiply input Rx with sine and cosine for the center frequency for your signal. It will shift your signal to zero frequency and you will get I and Q values which will consists of both - negative and positive frequencies around DC. After that just apply LPF with bandwidth of your signal to remove unwanted signals.

[petert]

Thanks.
Good video about IQ modulation/demodulation:

Code: [Select]

https://www.youtube.com/watch?v=h_7d-m1ehoY
I found this explanation with clear formulas: https://dsp.stackexchange.com/questions/33684/how-to-reconstruct-rf-signal-using-iq-data

Where the second equation is the one in the most usable form, where r(t) is the original RF signal:
r(t)=x(t)cos(ω₀t)−y(t)sin(ω₀t)

x(t) is the sample of the I signal at time t, and y(t) the sample of the Q signal at time t.
ω₀ is the carrier frequency f in radians, so ω₀ = 2*pi*f.
If we have a sampling frequency SamplesPerSec,  t = SampleIdx / SamplesPerSec, where SampleIdx is the zero based index, of the current sample in the I or Q sample array.

So far so good. With that I was able to compute a signal that looks good.

I wonder though about why the two signals are subtracted, instead of added. Using addition seems to render an equally plausible signal, and the video linked above seems to suggest addition is the right operation.

So what is the correct operation? Addition or subtraction?

Would the reconstructed signal contain the carrier frequency? If the sample rate (and therefore my I and Q sample arrays) is much lower than the carrier frequency, wouldn't it be at most aliased in the reconstructed signal?

Is there some software/simulation that shows this process in detail?

[RoGeorge]

The squaring I recommended for the I and Q waveforms shown was because the attached pics are most probably from an on/off keying modulation.  I still think squaring each sample from I and Q then adding them together will give you the demodulated Rx signal you are looking for.  The posted waveforms doesn't look like an IQ constellation, but rather like on/off keying.

The IQ samples you have were already multiplied with the carrier's frequency.

You may want to read these two chapters for how the IQ modulation/demodulation works:
https://pysdr.org/content/sampling.html
https://pysdr.org/content/digital_modulation.html

Since the whole book is about SDRs with Python, chances are it might have code examples, too, but I didn't checked.

LATER EDIT:
Not sure if it helps, this is an interactive GeoGebra playground where I was fooling around looking at IQ waveforms (can drag sliders, turn on/off waveforms, zoom, etc - it was for something slightly different than what you are trying to do, but it's easy to modify upon wish):
https://www.geogebra.org/m/nymqtwnc

The interactive model might come in handy only to get a better grasp of how IQ works, it does not decode a received IQ stream.

[petert]

Thanks so much, this is really an excellent reply. Especially PySDR has the level of detail (yet clear language) I was looking for.
I am still reading through it, but it looks promising

[petert]

The squaring I recommended for the I and Q waveforms shown was because the attached pics are most probably from an on/off keying modulation.  I still think squaring each sample from I and Q then adding them together will give you the demodulated Rx signal you are looking for. 

Thanks. I actually was able to decode it with Ultimate Radio Hacker already (I attached a picture), but I am not entirely sure what my SDR outputs as data, and how to interpret everything exactly. So far, it still seems the r(t) equation I gave above is correct (and the multiplication with cos, and sin is necessary to reconstruct the original signal, even if I*I + Q*Q can be used to demodulate, as you pointed out).

So I was not really looking for demodulating the signal only, but understanding the analog detail of the signal, also to recreate and retransmit it myself, as closely as possible. I don't have an SDR that can send currently, so I am trying to make-do with a signal generator, to produce the signal that would reproduce the RC's signal. As such, faithful reproduction will help.

You are right, I*I + Q*Q results in a waveform that could be used to decode the data, easily.
But to reconstruct the original signal, the multiplication of I and Q with cos and sin, respectively, is necessary to recombine them to get the original signal r(t). I also tested a simple addition of I and Q, which still has these interruptions, which the reconstructed signal r(t) does not have.
The second last attachment shows the original I/Q-data generated by SDRuno, and the last shows the reconstructed signal, which is similar to URH (eventhough both captures are done separately, with URH having more pulses as I pressed another button of the RC, there).


Edit: expanded my reply, and reattached the last two images; the new images now have the exact same time-base.
Edit2: attached an I*I + Q*Q waveform.

[petert]

Ok, I made two more screenshots, where all wave files are combined, so they not only have the same time-base/zoom-level but also the same phase.

Makes it easier to see the correlation between the various signals.

Interestingly, if you look at the zoomed-in r(t) -- last attached screenshot -- it has some sinusoidal shape, which has another lower frequency sinusoid modulated onto it. Would the higher frequency be the carrier frequency, i.e., 48.68 MHz, or is it some alias or another frequency entirely? What would the signal be, that can be seen to be modulated onto it?

In comparison the I²+Q² and I/Q signals look much more random. Is it just noise?

In the zoomed-out and zoomed-in-a-little screenshots however, the I/Q waves clearly show sinusoids, which are 90° out of phase, as you would expect from an I/Q signal. Those sinusoids would have the frequency of the local oscillator (LO), right?

[radiolistener]

So far, it still seems the r(t) equation I gave above is correct (and the multiplication with cos, and sin is necessary to reconstruct the original signal, even if I*I + Q*Q can be used to demodulate, as you pointed out).

But to reconstruct the original signal, the multiplication of I and Q with cos and sin, respectively, is necessary to recombine them to get the original signal r(t).

There is no reconstruction. Quadrature (where you use I and Q pair) is just different representation of the signal. It allows to represent signal in 2D. In 2D we can distinguish vector rotation direction, it allows to not lose information about negative frequencies. So when you make frequency shift in quadrature representation, frequencies are not folded against zero frequency. This is very useful for signal processing to avoid mirror images.

Quadrature needs twice lower sample rate, but it consists signal pair (In-phase and Quadrature components) instead on single signal.

I*I + Q*Q is actually simplified expression of vector modulus: sqrt(I^2 + Q^2). It is used to get scalar projection of 2D vector. When you're doing such operation, you will lose information about negative frequencies. All negative frequencies will be folded around zero frequency and merged with positive frequencies.

sqrt is heavy math operation for computing, this is why it is omitted here - to reduce CPU load

Just look how it works.
On the left side, we have quadrature representation, where the dot is coded with two components Angle and Length of the vector. Angle is a phase and length is an amplitude. You can represent this vector with a point with coordinates X and Y.

On the right side, we have usual representation, where the dot is coded with one component Y.

When you calculate sqrt(I^2+Q^2) you're transfer vector representation (quadrature, left on the picture) into scalar representation (right on the picture).

[RoGeorge]

Interestingly, if you look at the zoomed-in r(t) -- last attached screenshot -- it has some sinusoidal shape, which has another lower frequency sinusoid modulated onto it. Would the higher frequency be the carrier frequency, i.e., 48.68 MHz, or is it some alias or another frequency entirely? What would the signal be, that can be seen to be modulated onto it?

In comparison the I²+Q² and I/Q signals look much more random. Is it just noise?

- Most probably the higher frequency seen in the r(t) waveform is an artifact.
- Might be caused, for example, by the ADC taking the I and Q samples consecutive instead of simultaneous sampling.
- Yes, noise.  Ideally it should be either zero or a constant value (about 0.4 in your II+QQ waveform)

In the zoomed-out and zoomed-in-a-little screenshots however, the I/Q waves clearly show sinusoids, which are 90° out of phase, as you would expect from an I/Q signal. Those sinusoids would have the frequency of the local oscillator (LO), right?

No, not the frequency of the LO.  The LO ideally (to avoid any artifacts) must have the same frequency and be synchronous with the transmitter's oscillator, and the LO in the SDR certainly can not do that.  My best guess is those "interrupted" sinusoids shifted at 90° are caused by a small difference between the frequency of the Tx oscillator and the frequency of the LO in your SDR, so they are an artifact, too, and if I am correct their frequency should be the difference between Tx and LO. 

To probe if the apparent frequency seen in the I/Q "interrupted" sinusoids comes indeed from the difference between the Tx and the LO oscillators, try changing the receiving frequency just a little (from the SDR tuning).  It is expected to see the frequency of the interrupted sinusoids in I/Q changing, too, when the receiveing frequency (the LO) changes.


Keep in mind that all this SDR and IQ thing is most probably not even used by your RC car, and you don't need it.  Casual toys only have a Tx oscillator that is fully turned on/off, so the Tx is not modulated at all.  Sure, one can say turning on/off the 40.68 MHz Tx oscillator is the same as a 100% AM modulation, which in theory it is correct, but it is much easy to just think about it in terms of just an on/off 40.68 MHz.

Most probably your remote is sending just a train of on/off pulses, and these pulses just turns on/off the 40.68 MHz Tx oscillator, this is what on/off keying modulation is.  Nothing more.

The receiver is tuned on the same frequency, and it continuously listening on 40.68 MHz.
- When it detects 40.68 MHz oscillations, the detector in the Rx outputs a constant (let's say) 5V (in your attached pics, that would be the 0.4 seen in the I²+Q² waveform).
- When the 40.68 MHz is missing from the antenna, the detector in the Rx outputs a constant 0V (in your attached pics, that would be the noise around 0, noise seen between other 0.4 periods of the I²+Q² waveform).


In conclusion, SDRs and IQ modulations are very powerful techniques to have under your belt, but not necessary for this RC car.

To control your car, look at the I²+Q² waveform.  There are only 2 levels there, LOW (about 0) and HIGH (about 0.4 in your pics).  You need to record the duration length of each HIGH and LOW, and reproduce that as a 0/1 on a digital output pin.  That pin will disable/enable (turn off/on) the 40.68 MHz oscillations that you put in your computer controlled Tx antenna.

So far all clues are pointing you are dealing with a simple on/off keying.  Using an SDR to implement on/off keying will be an overkill, it can be done much simpler by just turning on/off the 40.68 MHz Tx oscillator, without using any SDR or IQ modulation.


DISCLAIMER:  Other remote controllers might have some other more complicated modulation than on/off keying, but this is highly unlikely for this particular RC car of yours.

[petert]

Turns out the signal generator will transmit the radio wave, even with a coax cable connected to my scope. An unconnected end works as well.
The RC car reacts to the sent signals.

Even when touching the inside of the coax socket, my arm/body works as antenna. Crazy efficient.

The main issue was the square wave I was using to modulate the carrier frequency was not clean enough and didn't have the right levels or DC offset. I had it extracted from the originally received signal.

When I wrote a small program to generate the square wave myself, with the right symbol sequence (long pulses, short pulses and gaps), then uploaded that to the signal generator's second channel, the modulation of the first channel (40.68 MHz) worked as expected.

Independently of that, I'll look more at PySDR to understand more of the SDR details.

Thanks all, this part works now

[RoGeorge]

I wrote a small program to generate the square wave myself, with the right symbol sequence (long pulses, short pulses and gaps), then uploaded that to the signal generator's second channel, the modulation of the first channel (40.68 MHz) worked as expected.

Glad to hear you made it work!   

[Lord of nothing]

Hi
I want to try out to find the reason why someone broadcast 24/7 the same (empty?!) Signal.
Sure maybe some Company dont know that its still running and nobody turn that off... 

So what do I need to set in SDR# and Audacity to manually look into the Signal?
Thanks

[A.Z.]

Hi
I want to try out to find the reason why someone broadcast 24/7 the same (empty?!) Signal.
Sure maybe some Company dont know that its still running and nobody turn that off... 

So what do I need to set in SDR# and Audacity to manually look into the Signal?
Thanks

As for the "why", maybe they're just doing that to "mark" that frequency as occupied or even just to have a way to check that the remote device is working; as for looking into the signal, if it's a digital one, using Universal Radio Hacker (as the OP did) may be a good start; regarding audacity, I'm not sure, but I think that setting up SDR# to record the IQ from the signal could then allow to open the recorded file in audacity to examine it