Sub-GHz Sniffing Guide

The Snake-V1 leverages the Texas Instruments CC1101 transceiver to interact with wireless devices operating in the Sub-GHz spectrum. This guide covers how to identify, capture, and analyze radio signals using the onboard helical antenna and sniffing utilities.

Overview

Sub-GHz sniffing allows you to intercept data packets from common wireless devices such as garage door openers, weather stations, remote doorbells, and TPMS sensors. The Snake-V1 supports the most common ISM bands:

• 315 MHz: Common in North American car remotes and older garage openers.
• 433.92 MHz: The global standard for low-power consumer electronics.
• 868 MHz: Standard for smart home devices and industrial sensors in Europe.

Frequency Selection

Before sniffing, you must tune the CC1101 to the correct frequency. If you are unsure which frequency a device uses, use the Frequency Analyzer tool first.

1. Navigate to Sub-GHz > Frequency Analyzer.
2. Trigger the target remote/device near the Snake-V1 antenna.
3. The display will show the strongest detected frequency (e.g., 433.92 MHz).
4. Note this frequency for the sniffing step.

Sniffing Modes

The Snake-V1 provides two primary ways to capture data: Read (Protocol-based) and Raw Capture.

1. Read Mode (Decoded)

Use this mode for well-known protocols (e.g., Princeton, KeeLoq, Champerlain). The Snake-V1 will attempt to decode the signal into a hex value and identify the protocol.

• Usage:
  1. Go to Sub-GHz > Read.
  2. Select the frequency found during analysis.
  3. Select the modulation (usually OOK or 2-FSK).
  4. Wait for the "Listening..." prompt.
  5. When a signal is captured, the device will vibrate or flash, displaying the Protocol, Bit length, and Key value.

2. Raw Capture

If a signal uses an unknown or encrypted protocol, use Raw Capture to record the fluctuations in the radio wave without decoding them.

• Usage:
  1. Go to Sub-GHz > Raw Record.
  2. Set your frequency and tap Start.
  3. Activate the target device.
  4. Tap Stop to save the capture to the microSD card.

Step-by-Step: Capturing a 433MHz Doorbell

This example demonstrates a standard workflow for capturing a simple wireless signal.

Step 1: Configuration

Ensure the CC1101 is initialized. From the main menu, select the Sub-GHz application.

Menu -> Sub-GHz -> Read -> Config
Frequency: 433.92 MHz
Modulation: AM650 (OOK)
Hopping: OFF

Step 2: Signal Capture

Press the "Start" button on the Snake-V1. While the device is in "Sniffing" mode, press the button on the doorbell remote.

Step 3: Analysis

Once the packet is caught, the screen will populate with the following fields:

• Data: 0x1A2B3C (The unique ID of the remote)
• Protocol: Princeton
• Bit: 24-bit

Working with Captured Data

All captures are stored on the microSD card in the /subghz/ directory.

• .sub files: These are text-based files containing the raw timings or decoded data.
• Replaying: You can navigate to Sub-GHz > Saved to select a captured signal and re-transmit it (ensure you are compliant with local radio regulations before transmitting).

Technical Tips for Better Sniffing

• Antenna Orientation: The tapered helical antenna is most sensitive when the signal source is perpendicular to the coil's axis.
• RSSI Threshold: If you are in a noisy environment (lots of background RF), increase the RSSI threshold in the Settings menu to filter out weak, irrelevant signals.
• Distance: For initial sniffing, keep the target device within 1–3 meters. Once the frequency is confirmed, the CC1101 can typically sniff signals from up to 30–50 meters depending on the environment.