Skip to main content

Analysis & reverse engineering

When rtl_433 receives a transmission that none of its built-in decoders recognise, the message is dropped. The tool also ships an analysis mode that, instead of decoding, reports the raw structure of a signal: the pulse and gap timings, the inferred modulation, and the demodulated bits. This is the starting point for reverse-engineering a new device so a decoder can eventually be written for it.

This page covers the four flags you reach for most often when investigating an unknown signal: the pulse analyzer (-A), per-signal auto-save (-S), disabling decoders (-R 0), and increased verbosity (-vv).

When to use this

You typically drop into analysis mode after a normal capture produced no decoded output but you know a device is transmitting — for example a remote, a doorbell, a TPMS sensor, or a weather station that rtl_433 does not yet support.

The pulse analyzer: -A

-A enables the pulse analyzer. From the program's own help text:

[-A] Pulse Analyzer. Enable pulse analysis and decode attempt. Disable all decoders with -R 0 if you want analyzer output only.

The analyzer summarises the timings of the pulses, gaps, and periods in a detected signal and makes a best-effort attempt to guess the modulation (OOK/ASK vs. FSK) and the bit coding. Run it against a live radio or, more reproducibly, against a recorded file:

rtl_433 -A -r g001_433.92M_1000k.cu8

By default the standard decoders still run alongside the analyzer, so you may see both a decode attempt and the analyzer report. To get analyzer output only — which is what you usually want when the device is unsupported — turn the decoders off with -R 0:

rtl_433 -A -R 0 -r g001_433.92M_1000k.cu8
Visualise the pulses

The pulse analyzer prints timings as text, but signals are far easier to read as a diagram. Export the demodulated pulses to an .ook file (see below) and load it into the triq.org Pulse Data Viewer (PDV) at triq.org/pdv to see pulses and gaps on a timeline.

Capturing signals: -S

To reverse-engineer a device you first need a clean, repeatable copy of its signal. -S saves received signals to disk, one file per signal, so each burst is isolated rather than buried in a long continuous recording:

[-S none | all | unknown | known] Signal auto save. Creates one file per signal. Note: Saves raw I/Q samples (uint8 pcm, 2 channel). Preferred mode for generating test files.

The argument selects which signals are written:

ModeSaves
noneNothing (the default)
allEvery detected signal
unknownOnly signals that no decoder matched
knownOnly signals a decoder recognised

For an unsupported device, unknown keeps the noise down by writing only the bursts that fell through every decoder:

rtl_433 -S unknown -T 60

-T <seconds> bounds the run time so the session ends on its own; here it captures for 60 seconds. Each saved file is raw I/Q (unsigned 8-bit, two channels — .cu8), the native format for RTL-SDR, which makes the files ideal as test fixtures and for replay with -r.

note
-S vs. -w

-S and -w are different. -S auto-saves each signal to its own file as it is detected, which is what you want when building a test corpus. -w writes the entire continuous stream to a single output file. Use -S for reverse engineering and -w for a full recording you intend to replay or convert.

Verbosity: -v, -vv, and beyond

Verbosity reveals what the demodulator and decoders are doing internally. The flag stacks — repeat it for more detail:

FlagLevel
-vverbose notice
-vvverbose info
-vvvdebug
-vvvvtrace

-vv (verbose info) is the practical sweet spot during reverse engineering: it surfaces detected pulse counts, modulation guesses, and per-decoder activity without the flood of low-level output that -vvv/-vvvv produce. Combine it with the analyzer and decoders-off for a focused view:

rtl_433 -A -R 0 -vv -r g001_433.92M_1000k.cu8

A reverse-engineering workflow

A typical first pass on an unknown 433.92 MHz device:

# 1. Capture only the bursts no decoder understood, for 2 minutes.
rtl_433 -S unknown -T 120 -f 433.92M

# 2. Replay one saved signal through the analyzer, decoders off, verbose.
rtl_433 -A -R 0 -vv -r g001_433.92M_1000k.cu8

# 3. Convert the same capture to an .ook pulse file for the viewer.
rtl_433 -r g001_433.92M_1000k.cu8 -w signal.ook

The analyzer's report — pulse width, gap width, inferred modulation and bit coding — together with the .ook timeline gives you the raw material to identify the encoding. Once you have a candidate bit pattern, you can check a decoder against captured codes with -y:

[-y <code>] Verify decoding of demodulated test data (e.g. "{25}fb2dd58") with enabled devices

The example filenames and the {25}fb2dd58 code above are illustrative. Your saved filenames will encode the actual center frequency and sample rate, and real captured codes will differ.

Quick reference

FlagPurpose
-AEnable the pulse analyzer (timings + decode attempt)
-R 0Disable all decoders (analyzer output only)
-S none|all|unknown|knownAuto-save one file per signal (raw .cu8 I/Q)
-v-vvvvIncrease verbosity (notice → info → debug → trace)
-r <file>Read from a capture file instead of the radio
-w <file>Write the stream to a file (format from extension, e.g. .ook)
-T <seconds>Stop after the given number of seconds
-y <code>Verify decoding of demodulated test data with enabled devices
Make captures shareable

The .cu8 files produced by -S are the preferred format for test files. Including one in a bug report or a pull request lets a maintainer reproduce your signal exactly and is often the quickest path to getting a new device supported upstream.

Sources