Key Fob Lab: Demodulating Over the Air OOK

Publish Date: Apr 21, 2015 | 0 Ratings | 0.00 out of 5 | Print | Submit your review


In this lab, learn the background and concepts of using key fob transmitters, requirements for building a system to test an on-off-keying (OOK) signal, steps to test the signal, and example VIs from NI LabVIEW software to assist you along the way.

Table of Contents

  1. Goal
  2. Background
  3. Required Hardware and Software
  4. Decoding Procedure
  5. Solution VIs
  6. Next Steps

1. Goal

Determine button presses by decoding the OOK RF signal being transmitted from a handheld five-button wireless key fob using an NI USRP-2920 and LabVIEW.


Back to Top

2. Background

Common key fob transmitters, similar to those used in automotive applications, typically transmit at either 315 MHz or 433.92 MHz and send a simple RF packet of information each time a button is pressed. In our case, we chose a non-encrypted key fob from Digi-Key electronics that operates at 315 MHz. It generates an OOK signal using pulse-width modulation (PWM) in the form of a packet that includes sync, address, and data bits that provide an indication of which key is pressed. Generally, OOK means that when converting from bits to symbols, a 0 is transmitted as no signal, while a 1 is transmitted as a sinusoid of a specific frequency (here it is 5 kHz offset from the 315 MHz center frequency) for a specific time duration (in our case this time varies). PWM means that a standard pulse is transmitted at a regular interval, but the length of each pulse varies depending on whether the bit being transmitted is a 0 or 1. In our case, the key fob uses different encoding schemes for different parts of the signal. The address bits have a 10-bit address of all 0s (because we’ve not changed the default address of the remote). Each 0 is encoded as one long pulse. For the data bits, the signal contains two pulses for each bit. A 0 is encoded as one long pulse followed by one short pulse and a 1 is encoded as two short pulses.


Back to Top

3. Required Hardware and Software

1. LabVIEW software and NI-USRP 1.0 or later driver software

2. NI USRP-2920 hardware 

3. 315 MHz, 50 Ohm Receiver Antenna (NI VERT400 will work)

4. 315 MHz Key Fob Transmitter: Digi-Key P/N: CMD-KEY5-315-ND


USRP-2920 and LabVIEW

315 MHz Key Fob Transmitter

Digi-Key P/N: CMD-KEY5-315-ND


Back to Top

4. Decoding Procedure

1. Determine the presence of an OOK signal using energy detection

2. Demodulate the input OOK signal into a square waveform

3. Separate the PWM signal into short and long pulses

4. Sync the packet based on the expected address bit pattern

5. Determine key pressed by decoding the data bit pulse pattern


Step 1: Determine the Presence of an OOK Signal Using Energy Detection

First, we need to determine if a button has been pressed. This requires us to see if a signal is being transmitted at the center frequency used by the key fob (315 MHz). To do this, we use a simple energy detector in the frequency domain. Analyzing the raw I/Q data from the NI universal software radio peripheral (USRP™), we find that most of the signal energy is in a 10 kHz band around 315 MHz, so we can limit our energy detector to those frequencies. Also, we can empirically determine the amount of energy received when a button is pressed on the key fob. This gives us the ability to differentiate between noise and an actual signal being sent by the key fob. Using these two elements (frequency range and minimum energy), we can determine if a signal is present by looking at the power spectral density (PSD) of whatever the antenna picks up. If whatever signal we are acquiring has a PSD that reaches above our determined energy threshold within our specified frequency range, then we know (almost certainly) that the key fob is transmitting a signal.

At that point, we need to actually look at the signal. We sample the signal for an amount of time that is long enough to at least receive the full packet of information (which repeats continuously until the key fob button is released). This packet contains a short preamble (which is 3-bits long), then the address of the key fob (10 bits) repeated twice, and finally the message (8 bits), which contains the information on which button was pressed.

This signal needs to first be converted down to baseband I/Q (in-phase and quadrature) information, which is handled by the USRP. The in-phase portion of the complex baseband signal is the real part and the quadrature is the imaginary part. From there, we must demodulate the signal.


Step 2: Demodulate the Input OOK Signal Into a Square Waveform

At this point, we have the in-phase portion of the baseband signal and the quadrature portion, each of which looks like it is using OOK with a 5 kHz sinusoid, but different periods. First, we would like to convert these sinusoids to square pulses. To do this, we square the in-phase and quadrature parts of the signal and add them together. The signal is then passed through an integrate-and-dump process, which will smooth out the peaks in the pulses. The window length used here is chosen to smooth out the peaks without destroying the general shape of the pulses and is also chosen to be approximately an integer fraction of the pulse rate. This step is essentially performing an envelope detector. The concept of an envelope detector is to rectify the signal (that is, flip the negative portions about the time axis to make them positive) and then pass the signal through a lowpass filter. The result is an envelope of the original signal that represents the general “outline” of the original, as shown below.




From here, a simple threshold is used to convert these peaks to square pulses. This is done by setting the threshold to around 10 percent of the average value of the signal and any part of the signal above that value gets forced to 1. Everything else gets forced to 0. This gives us a nice square wave representation of our signal.



Step 3: Separate the PWM Signal Into Short and Long Pulses

Here, we have our signal represented by square pulses that are either “short” or “long.” Our next step is to convert this PWM signal to a series of 0s and 1s, where a 0 represents a short pulse and a 1 represents a long pulse. This step requires two actions. First, we count the number of total pulses in our signal.



Once we have that information, we use it to find the duration of each pulse, as shown below:



As we can see, a long pulse is, on average, nine samples long whereas a short pulse is four pulses long. Therefore, the best threshold we can use to differentiate between the two states is a pulse length of 6.5. Any pulse that is longer than that is classified as a 1 and any pulse shorter than that is classified as a 0.



Step 4: Sync the Packet Based on the Expected Address Bit Pattern   

The next step is to synchronize our signal with the beginning of our message. We know that the address is a series of 20 long pulses and occurs right before our message. We can use this information to create a sliding correlator, which  attempts to find the part of our signal that matches this pulse pattern closest. Once that part of the signal is found, we offset the signal to the end of the address so that we can work with the message pulses.



Step 5: Determine Key Pressed by Decoding the Data Bit Pulse Pattern

At this point, we just need to use the simple encoding scheme to determine the bits of the message. A short pulse followed by a long pulse represents a 0, while two short pulses in a row represent a 1.


Finally, we have eight bits that represent which button was pressed. The key fob uses a simple encoding scheme as follows:

  • Button 1: 10000000
  • Button 2: 01000000
  • Button 3: 00100000
  • Button 4: 00010000
  • Button 5: 00001000

It is then simple to use this knowledge to determine which button was pressed.


Back to Top

5. Solution VIs

The solution VIs for this application exist in two parts. The first,, is the higher level VI that simply acquires the 315 Mhz I/Q signal with a 200 ks/s bandwidth. The second,, implements the contents of this tutorial, and contains some test signals on the block diagram for testing and troubleshooting purposes. To run this example, download both files to the same folder. Open and run Be sure to set the correct IP address for your USRP-2920.


Back to Top

6. Next Steps

Learn more about the NI USRP

Back to Top

Bookmark & Share


Rate this document

Answered Your Question?
Yes No