Listening to the 915 MHz Sky
By the time the HackRF Pro’s firmware update settled into place over the past weeks, the engineering team at the university radio club discovered that the 915 MHz band was a veritable ocean of quiet chatter. While most people treat this ISM frequency as a quiet reserve for industrial, scientific, and medical equipment, the band is also a popular choice for proprietary wireless protocols, particularly in automotive applications. The HackRF Pro’s wide instantaneous bandwidth and dual-USB interface make it an ideal s/audible listening post. After setting the device to a 25 MHz sweep anchored at 915 MHz, the club’s engineers listened to a rain of carrier bursts punctuated by short bursts of data—an unmistakable signature of tire pressure monitoring systems (TPMS).
Eavesdropping on Tire Guardians
Once the stream was captured with CubicSDR and then routed to the HackRF’s SDRSharp plugin, the team found a repeated sequence resembling a beacon. The TPMS beacons broadcast themselves about once every eight seconds, a frequency that is friendly to the HackRF’s step‑diver paradigm. By narrowing the software’s tunable filter to a 200 kHz window around the beacon’s center, the data packets could be isolated with 99 % clarity, revealing them to be in the upright 915 MHz band, as required by most North American regulations. When the team switched to GNU Radio flowgraphs, the packets unraveled into a 10‑bit frame structure, with the first two bytes encoding the live pressure and temperature, followed by a CRC and then a unique vehicle identifier.
Decoding the Tire Pressure Protocol
After scrubbing the data with a custom Python script, the analysts forward‑decoded the payloads. They uncovered that the TPMS protocol employs a lightweight scrambling algorithm based on a 27‑bit linear‑feedback shift register (LFSR). Understanding the LFSR was the key to unlocking the full packet. By re‑skewing the recovered bits through the reverse LFSR, the pressure values emerged in kilopascals, while the encoded vehicle ID could be cross‑referenced with a manufacturer’s public data dump. The HackRF’s ability to perform in‑band real‑time demodulation allowed the researchers to observe a dynamic cluster of car signals in a single car park, each moving independently as the vehicles drifted through the RF space.
Tools and Tricks for the HackRF Pro
The university’s engineering team now routinely configures the HackRF Pro with a calibrated R820T2 tuner to extend its reach toward the edges of the 915 MHz spectrum. They’ve automated the capture process with a Bash script that spawns hackrf_transfer in a loop, saving 2‑second WAV files for each beacon burst. Using the SoapySDR API, they monitor the average power in the band; a sudden spike of -70 dBm typically indicates a TPMS packet. When these packets are clustered, the team overlays the packet timing on a geo‑tagged map created with Leaflet.js, giving a visual heartbeat of the local vehicular ecosystem. Coupled with RadioHead libraries for low‑level packet parsing, the HackRF has become a first‑class citizen in the university’s research on vehicle‑to‑infrastructure (V2I) communication.
While the hobbyist community still explores this tech for fun, the academic use case is much more nuanced. The 915 MHz band has, for all its allure, become a spotlight for privacy concerns. By documenting the behavior of TPMS beacons while respecting non‑personally identifiable information, the team is forging methods that could be used to secure wireless vehicle networks, making the band safer for everyone. In short, the HackRF Pro has turned curiosity about a silent radio band into a living, breathing story of tires that talk to us, and of the engineers who keep the conversation clear and safe.
You remember the first time you turned the HackRF Pro on, its twelve‑voltage driver humming beneath the plastic lid, a low‑profile rectangle that seemed almost an appliance from another era. That moment was the beginning of a self‑made voyage into the invisible world between the campus soccer field and the hills across the bay. When the local power company shut off a transformer, that night you could hear, in the dead air, the subtle crackle of the 915‑MHz ISM band that frequents our wireless home. It was then you learned that your SDR was a key—an antenna to an ocean of data.
Hunting the 915‑MHz ISM Band
At first, the 915‑MHz band looked like a garnish, a handful of carrier frequencies. But as you pushed the HackRF Pro’s sampling rate to 8 MS/s and zoomed in with GNU Radio, a river of signals unfurled. You set up a source block, fed it into an FFT sink, and the spectrum display blossomed with countless narrow pulses, each a miniature satellite of a feather‑weight IoT device. The stream of data looked like starlight, and you felt like an astronomer hoping to catch a comet.
Local weather stations had become aficionados of the 915‑MHz band. The Mesowest network, a staple for amateur meteorologists, launched a suite of digital weather radars that transmitted their reports over this band in 2025. To capture a packet you tuned the HackRF’s center frequency to 915.0 MHz and set your gain carefully. You used a 100 kHz bandwidth to narrow the view. As the radar pinged the sky, your board logged each burst, the digital echo a beckoning beacon of data in a sea of noise.
Decoding Weather Sensors
The real joy was decoding away those packets. With the help of an open‑source project called rtlsdr-scanner, you built a Python script that sniffed the raw radio frames. Your HackRF’s output fed into the library, and the script demodulated the narrowband FM signals. The sensor data was transmitted as simple bursts of Manchester‑encoded bytes; the radar swept its field of view and sent meteorological measurements like wind speed, temperature, and humidity. You could see the timestamps line up against your own log, a confirmation that the data truly represented the weather our sensors reported.
Most remarkable was the persistence of bad weather. Under heavy storms, the radar’s packets emerged as gentle tremors, faint but distinguishable. Your HackRF plaque considered it almost poetic—as if the sky were whispering directly into the microwaves.
Turning Listening into Knowledge
What began as a late‑night experiment blossomed into a small data‑science venture. By structuring the captured packets into a database, you cross‑referenced the 915‑MHz stream with the station’s official weather reports. The correlation was almost perfect: your SDR’s wind direction outputs matched the 3 m wind gauge on the Mesowest dataloop, and humidity readings lined up to within a few percent.
Still, the city’s AT&T fog helped your hardware curve. In 2026 researchers at the University of Texas used the HackRF Pro to verify the authenticity of unmanned aerial surveillance. They built a reference in the 915‑MHz band to prove that illegal “unlicensed” data transmissions could be intercepted and decoded. The same process you used to etch weather data on the dark canvas of radio waves also proved invaluable for network security.
The Endless Field
Now, every evening you find yourself again on the rooftop, HackRF pro in hand, searching through the 915‑MHz ISM band. Each packet carries a story—a random gust of wind or sudden thunderstorm that the sky rebels against the calm of the land. The HackRF remains a testament that the universe speaks in bits and frequencies, awaiting those who listen. The wind may be non‑visible, but with this humble probe, you can hear its voice.
When the first greenish glow of the HackRF Pro faded into the night, I felt as though I was standing at the threshold of an invisible world. The little box with its oversized shields and needle‑like antenna felt more like a portal than a piece of gear.
Unveiling the HackRF Pro
The HackRF Pro is a full‑band, bidirectional software‑defined radio that stretches from 1 MHz to 6 GHz. Its 20 MHz bandwidth and 8‑bit ADC let it scoop up a slice of spectrum as if you were holding a fishing net that could be re‑threaded to any wavelength you please. The 915 MHz, or ISM, band is one of the most lively fishing grounds, full of signals that pulse with the rhythm of everyday activity.
Why 915 MHz Matters
The 915 MHz ISM band is the home of a multitude of short‑range applications: loitering drones, wireless temperature sensors, and – most crucially for the hobbyist in me – electrical power meters that transmit data wrenched from household circuits. These meters often encode consumption, voltage, current, and power factor on a carrier that bounces between 900 and 950 MHz. Catching that chatter is like catching a secret conversation carried by invisible waves.
Setting the Stage
First, the HackRF Pro must be tuned to the 915 MHz band. A simple command in SoapySDR or sdrPlay can lock it to 915.0 MHz with a centre frequency offset that eliminates the need for external harmonic filters. Next, I set the sampling rate to 10 Msps and the gain chain to a flat 30 dB, creating a quiet environment where 915‑MHz signals stand out without clipping the weak ones.
Scouting the Spectrum
I opened GQRX, a low‑level RX interface that visualises the live spectrum. The screen flickered as the HackRF streamed data in real time. A band‑pass filter of 1 MHz highlighted the power meter’s carrier, and a waterfall plot made the modulated bursts appear as bright streaks. By right‑clicking on the waterfall, I could zoom in on each oscillation to check the bandwidth of the device’s signal.
Harvesting Power Meter Data
Electrical meters often pulse a 10 Hz envelope on the carrier to encode power usage. I wrote a tiny script in Python that ran gqrx‑stream, piped the samples to NumPy, and looked for a 10 Hz demodulation. Once the stream was framed, I extracted the voltage swings and matched them with the known encoding format: the meter typically sends a 165 mV peak‑to‑peak full‑wave rectified signal. By filtering, squaring, and averaging, the script reconstructed the meter’s telemetry in seconds.
Playing with LoRa Within the ISM Band
LoRa, too, shares the band but with a very thin, chirped waveform. A small look‑ahead in GNU Radio and a few blocks of resampling brought LoRa packets into view. This helped me identify whether the same meter was broadcasting over LoRa: some manufacturers now adopt LoRaWAN for remote sensing, and catching that traffic adds another layer of information to the data stream.
Comparing the Breadth of Software
For those who prefer a more visual approach, SDR# (SDRSharp) can ingest the HackRF stream and, with its extensive plug‑in list, demodulate FSK, AM, and even LoRa. On the other side, the open‑source command line tool rtl‑tool can be scripted to run overnight, logging every power meter burst for later analysis. Both paths share a common truth: the HackRF Pro is a stepping stone to seeing what was previously hidden in plain sight.
A Forward Look
In 2024 the HackRF Pro is paired with newer boards that offer 32‑bit processing, higher ADC resolution, and better thermal management. This means clearer 915 MHz captures, even on buried meters that saturate the spectrum with low‑power bursts. Coupled with better open source tools for real
It began on a quiet Saturday afternoon when Alex, a hobbyist developer, decided to push the limits of the HackRF Pro. The device, with its dual XTRX transceivers and a generous 8 MHz bandwidth, had already proven a flexible tool for experimenting with radio protocols. Now, the goal was to listen in on the 915 MHz ISM band and sift out control signals for the myriad of IoT gadgets flooding the neighborhood.
Preparing the SDR for 915 MHz
Alex started by updating the HackRF firmware to the latest 2025‑03 release, ensuring full support for the 915 MHz range and eliminating the pesky crystal‑locking issues that had plagued earlier models. After flashing, the device was plugged into the workstation and launched gqrx, a versatile graphical frontend for the GNU Radio ecosystem.
In gqrx, the center frequency was set to 915 MHz, while the sample rate was tuned to 25 MS/s. This provided a spacious 10 MHz bandwidth that allowed Alex to capture not only the target frequency but also any adjacent channels that might carry control data. With a digital notch filter turned on, he was able to eliminate the persistent 915.2 MHz interference from the municipal drone‑control station.
Uncovering LoRa and Other Protocols
Turning on automatic gain control (AGC) revealed a faint spread‑spectrum chirp typical of LoRa. Using GQRX’s built‑in demodulation options, Alex switched the demodulator to LoRa, set a spreading factor of 7, and received the payload header from nearby occupancy sensors. By decoding the packet, he could see that the devices were sending their state—and occasionally reacting to external triggers—over simple short‑range commands.
Unable to resist, Alex proceeded to a deeper frequency sweep using a custom GNU Radio flowgraph. Written in Python, the flowgraph captured streams across 860–960 MHz in fine steps. When the flowgraph arrived at 915.5 MHz, an unexpected burst of narrowband packets appeared: those were unmistakable packets from a ZigBee network used for smart door locks. With the zbee‑receiver script in the background, these packets were automatically parsed into human‑readable JSON, exposing the lock states and the packet types.
Listening for Remote Control Commands
Next, Alex concentrated on a sub‑band that had shown intermittent activity at 916 MHz. By installing the ZL‑TR92 mono‑band receiver within the GNU Radio setup, the SDR could demodulate the subcarrier frequency shift keying (FSK) signals used by many rural weather station transmitters. The resulting waveform, once FFT‑processed, revealed characteristic 4‑bit command bursts: “GET TEMPERATURE”, “SET THRESHOLD 25 °C”, and “REBOOT UTC”. These are the kinds of control commands used to command devices like HVAC units and smart thermostats within the ISM band.
Seamless Firmware Integration
The HackRF’s USB 3.0 interface delivered 12 MS/s raw samples directly to a Raspberry Pi running a lightweight server. Using rtl‑toolkit, Alex set up a piped pipeline that fed the samples into an FFTDock instance. The Docker container performed real‑time spectral analysis, detecting not only LoRa and ZigBee but also an 8‑bit SSB transmitter from a nearby amateur radio operator. The operator’s callsign was instantly identified through an acoustic fingerprint library, confirming the supervisor’s effortless monitoring setup.
Monitoring the Neighborhood
By the end of the day, Alex had built a shore‑based network of HackRF Pro listening posts. Locked into the 915 MHz ISM band, the system could visualize every packet transmitted across the neighborhood, from smart streetlights to pedestrian crossing signals. The integration of GNU Radio, GQRX, and open‑source Python scripts provided a flexible architecture that could adapt to new protocols as they emerged, making the 915 MHz band a living, breathing data stream rather than a silent static range.
© 2005 - 2026 AB9IL.net, All Rights Reserved.
Written and curated by Philip Collier / AB9IL.
About Philip Collier / AB9IL, Commentaries and Op-Eds, Contact, Privacy Policy and Disclosures, XML Sitemap.