Capturing and reversing wireless keyboard signal

Recently I have made a presentation at the “Software Defined Radio Israel” meetup about my work capturing and reversing wireless keyboard signals. I focused on a “Rapoo E2700 keyboard and track-pad” but we also discussed the broader challenge of such capturing for SDR enthusiasts.

The project involved capturing the 2.4 GHz wireless signal with an RTL-SDR dongle and a down-converter, demodulating and decoding the digital bits and finally parsing the key-press or mouse-move data. Work was done mainly with GNU Radio and included writing custom blocks.

The main challenges were identifying the burst transmissions, figuring out the encoding used and reverse engineering the frame format. The device does not encrypt its transmissions, which is what made recovering key presses from the captured signal possible.
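The capture-to-bits chain described above (spotting a burst in the IQ stream, demodulating it to bits, locating the preamble and pulling out the payload), as an added Python example that is not the post's GNU Radio code: it constructs a short IQ capture containing one 2-FSK burst surrounded by idle noise and recovers the payload bits from it. The modulation, samples per symbol, phase step and 16-bit alternating preamble are assumptions for illustration, not the Rapoo E2700's actual parameters.

```python
import cmath, random

# Assumed, not taken from the post: 2-FSK at 8 samples per symbol, a +/-0.6 rad
# phase step per sample, and a 16-bit alternating preamble ahead of the payload.
SPS, DPHI, PREAMBLE = 8, 0.6, "10" * 8

def fsk_modulate(bits):
    """Constructed 2-FSK burst: phase ramps up for a 1 and down for a 0."""
    phase, out = 0.0, []
    for b in bits:
        for _ in range(SPS):
            phase += DPHI if b == "1" else -DPHI
            out.append(cmath.exp(1j * phase))
    return out

def build_capture(frame_bits, idle=200, noise=0.05, seed=1):
    """Idle noise, one burst, idle noise: a stand-in for a short IQ capture."""
    random.seed(seed)
    sig = [0j] * idle + fsk_modulate(frame_bits) + [0j] * idle
    return [s + complex(random.gauss(0, noise), random.gauss(0, noise)) for s in sig]

def find_bursts(samples, threshold=0.5):
    """Envelope detector: contiguous runs where |sample| exceeds the threshold."""
    bursts, start = [], None
    for i, s in enumerate(list(samples) + [0j]):  # sentinel closes a trailing burst
        if abs(s) > threshold:
            if start is None:
                start = i
        elif start is not None:
            bursts.append((start, i))
            start = None
    return bursts

def fm_demod(burst):
    """Frequency discriminator: sign of the summed phase step over each symbol."""
    steps = [cmath.phase(burst[i + 1] * burst[i].conjugate()) for i in range(len(burst) - 1)]
    return "".join("1" if sum(steps[k * SPS:k * SPS + SPS - 1]) > 0 else "0"
                   for k in range(len(burst) // SPS))

def sync_payload(bits, payload_len):
    """Locate the preamble in the bit stream and return the bits that follow it."""
    i = bits.find(PREAMBLE)
    return None if i < 0 else bits[i + len(PREAMBLE):i + len(PREAMBLE) + payload_len]

def recover(samples, payload_len=16):
    """Full chain: burst detection -> FSK demodulation -> preamble sync."""
    return [sync_payload(fm_demod(samples[a:b]), payload_len) for a, b in find_bursts(samples)]
```

Calling `recover(build_capture(PREAMBLE + "1100101000010111"))` returns the constructed payload; the next step in the post, mapping those bits to key codes, depends on the device's frame format and is not shown here.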

You can find further material in the following forms:

And you are invited to enjoy the following gallery, which tells the story in pictures:

Down-converter

Down-converter [L.O. 1998 MHz]

Scanning

Scanning: when a key is pressed, the signal appears in the middle of the axis [keyboard at 447 MHz and Wi-Fi at 415 MHz on the axis]

Demodulation

Demodulated frame, including the preamble and other data symbols

Parsing block

Custom GNU Radio parsing block, showing the capture and parsing of "QWERTY" being typed
