Casey Callendrello Identity Archive

Decoding MUNI telemetry with GnuRadio

09 November 2014

I’m putting this unfinished hack out there in the hopes that anyone can lend me a hand. I’ve been playing with the awesome rtl-sdr project, snooping in on the airwaves and using pre-built decoders. This is my first foray in to constructing my own.

Background

For those of you in San Francisco, if you have a ham radio or SDR, try tuning to 484.5625, 488.5625, or 484.7625 MHz. You’ll hear something that sounds a lot like AFSK. A quick peek at the FCC database says that these are telemetry frequencies for Muni, our local transit system. And they’re busy!

Demodulating it

So, I threw together a FM demodulator in GnuRadio and captured the audio:

In the beginning, there seems to be a repeated brief broadcast. Eventually another transmitter comes in to the fray, and sends a short message. The first, more powerful transmitter sends a few longer messages, which the weaker one acknowledges.

The second transmitter also has a bit of a frequency offset, so it’s clearly separate hardware. It’s probably on a bus.

Audio characteristics

I’m operating on the assumption that the signal is modulated over NBFM audio. The QAM constellation is a big fat boring circle, so that’s a dead end. The audio signal seems to oscillate between two modes. The first broadcasts signals at only 100 Hz and 175 Hz (the red graph). The second is much wider band - it seems like white noise (the green graph).

<div style='clear: both'></div>

Next steps

My guess is that this is a simple AFSK modulation. The next step is to build a demodulator and see if anything of interest pops out. If we call the 100Hz signal the “space”, and the wideband noise the “mark”, it seems that there is a long “space” prelude, followed by some data, then another “space”.

Does anyone recognize this specific audio? Do you have experience with this kind of project? So much to explore! Get in touch.