While eagerly awaiting the arrival of my HackRF, I was inspired by a blog post by Michael Ossmann reverse engineering a remote control LEGO car. I decided to do the same, but with an old radio-controlled toy sold by RadioShack, the ZipZap car. These are really tiny RC cars with interchangeable parts that were popular around 2003-2004.
The first step was to find the center frequency using GQRX, which I found to be 49.857 MHz (plus or minus the poor clock accuracy of the RTL-SDR). Based on the spectrum, I guessed simple on-off keying was being used. I set up the following GNU Radio Companion block diagram to demodulate it:
I found that the on-off keying used was 4 long pulses of about 1.5 milliseconds each, followed by a variable number of short pulses of about 0.5 milliseconds, with 0.5 millisecond pauses between them. This happens to match mossmann’s LEGO car.
I also added a moving average (Ch2 on the scope) to ease triggering on the long pulses. I found the following mapping from command to number of short pulses:
- Stop: 4
- Forward: 10
- Backward: 40
- Left: 58
- Right: 64
At this point I realized the radio chip had to be the same one in the earlier blog post.
Unfortunately, the RTL-SDR cannot transmit, so I was unable to actually control the ZipZap car. I would, however, like to write a complete software decoder, to use the controller as an input peripheral (for no practical purpose, of course) – a good reason for me to finally learn the GNU Radio C++ API.
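As an added example (not code from the original post), here is a small pure-Python decoder for the pulse scheme described above: it measures the width of each "on" run in a demodulated envelope, checks for the four long pulses, counts the short pulses that follow, and looks the count up in the command table from the post. The 20 kHz sample rate, the 0.5 threshold, the ±30% width tolerance and the glitch filter are my assumptions for the constructed test signal; a real capture would be the output of the GNU Radio Companion flowgraph (ideally after the moving average) rather than the synthetic frames built here.

```python
"""Decoder for the ZipZap on-off-keying frames described in the post.

Added example. Assumptions (not from the post): 20 kHz envelope sample rate,
a 0.5 amplitude threshold, +/-30% pulse-width tolerance, and a 0.1 ms glitch
filter. Pulse widths and the command table are the post's measurements.
"""
from typing import List, Optional

SAMPLE_RATE = 20_000          # Hz, chosen for the constructed envelope
LONG_MS, SHORT_MS, GAP_MS = 1.5, 0.5, 0.5   # measured in the post
TOLERANCE = 0.3               # accepted deviation from nominal width
MIN_PULSE_MS = 0.1            # anything shorter is treated as a noise glitch

# Number of short pulses (after the 4 long ones) -> command, from the post
COMMANDS = {4: "stop", 10: "forward", 40: "backward", 58: "left", 64: "right"}


def _samples(ms: float, sample_rate: int) -> int:
    return int(round(ms * sample_rate / 1000.0))


def synth_frame(n_short: int, sample_rate: int = SAMPLE_RATE) -> List[float]:
    """Construct an ideal envelope: 4 long pulses, then n_short short pulses,
    each followed by a 0.5 ms gap, with silence on both sides (test data)."""
    frame = [0.0] * _samples(2.0, sample_rate)
    for _ in range(4):
        frame += [1.0] * _samples(LONG_MS, sample_rate)
        frame += [0.0] * _samples(GAP_MS, sample_rate)
    for _ in range(n_short):
        frame += [1.0] * _samples(SHORT_MS, sample_rate)
        frame += [0.0] * _samples(GAP_MS, sample_rate)
    frame += [0.0] * _samples(2.0, sample_rate)
    return frame


def pulse_widths(env: List[float], threshold: float = 0.5,
                 sample_rate: int = SAMPLE_RATE) -> List[float]:
    """Width in ms of every run of samples above threshold, in order.
    Runs shorter than MIN_PULSE_MS are dropped as glitches."""
    widths, run = [], 0
    for s in env:
        if s > threshold:
            run += 1
        elif run:
            widths.append(run * 1000.0 / sample_rate)
            run = 0
    if run:
        widths.append(run * 1000.0 / sample_rate)
    return [w for w in widths if w >= MIN_PULSE_MS]


def classify(width_ms: float) -> str:
    """'L' for a long pulse, 'S' for a short one, '?' if it fits neither."""
    if abs(width_ms - LONG_MS) <= TOLERANCE * LONG_MS:
        return "L"
    if abs(width_ms - SHORT_MS) <= TOLERANCE * SHORT_MS:
        return "S"
    return "?"


def decode_frame(env: List[float], sample_rate: int = SAMPLE_RATE) -> Optional[str]:
    """Return the command name, or None if the frame is malformed or unknown."""
    symbols = "".join(classify(w) for w in pulse_widths(env, sample_rate=sample_rate))
    # A valid frame is exactly 4 long pulses followed only by short pulses.
    if not symbols.startswith("LLLL") or "L" in symbols[4:] or "?" in symbols:
        return None
    return COMMANDS.get(len(symbols) - 4)


if __name__ == "__main__":
    for count, name in COMMANDS.items():
        print(f"{count:2d} short pulses -> {decode_frame(synth_frame(count))} (expected {name})")
    print("7 short pulses ->", decode_frame(synth_frame(7)))  # not in the table
```

`decode_frame` expects one complete frame at a time; to drive it from a live stream you would split the envelope on gaps noticeably longer than 0.5 ms and hand each chunk to it. The glitch filter only removes spurious "on" samples in the gaps, so a dropout in the middle of a pulse still breaks the frame, which is exactly what the moving average in the flowgraph helps with.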