Overview
One of the newest toys people are playing with are cheap 2.4 GHz wireless video cameras. And, of course, another new hobby followed which was deemed "warspying." This basically consists of traveling around and trying to intercept the unencryped analog video signal these units transmit. The two major manufactures of these little wireless video units, Wavecom and X10, both utilize the same four transmit/receive frequencies. They are usually:
Channel Operating Frequency (GHz) TP Voltage A 2.411 3.31 B 2.434 3.65 C 2.453 3.94 D 2.473 4.20The "TP Voltage" value is the voltage I measured at the output of the 4-position "Channel Select" switch on a X10 Model VR36A Video Receiver. This is the switch that selects the unit's receiving frequency. As you can see, by adjusting the voltage at this point, you can also adjust the receive frequency. This means these units can be modified to receive "out-of-band" wireless video transmissions between approximately 2.3 - 2.7 GHz. This is handy, because some television stations can legally use frequencies outside of the standard unlicensed 2.4 GHz band (2.402-2.483 GHz) to operate their remote video links. You know, the video signals which are sent by those trucks with the microwave dish mounted on a pneumatic lift.
Pictures & Construction Notes
Overview of the "X10 Model No. VR36A 2.4 GHz Wireless Video Receiver" for use with X10's wireless camera systems operating in the unlicensed 2.4 GHz band.
Note that the stock antenna is just a simple little patch antenna.
Internal view of the X10 VR36A receiver.
The power LED is on the left. The actual 2.4 GHz video receiver module is the silver box in the middle. The +9 VDC power input is via the connector on the top-right. The video output signal is via the RCA jack on the bottom-right.
The 2.4 GHz video receiver module only has four main connections. The 2.4 GHz antenna input (via the coax connection on the upper-left), +5 VDC for power, baseband video out, and ground.
Underside view of the X10 VR36A receiver.
+9 VDC power input is on the lower-left, and the video output is on the lower-right.
The 4-position "Channel Select" switch is on the right-side. The switch is in the "Channel A" position.
The six pins circled are the connections to the actual 2.4 GHz video receiver module.
Four of them are ground, one is +5 VDC, and one (red dot) is the baseband video output.
Overview of the 2.4 GHz video receiver module.
The antenna input is via the piece of coax on the upper-right. It is amplified around 16 dB using a Sirenza SGA-3486 MMIC and then high-pass filtered before entering the shielded mixer/local oscillator section. This module, and most others, use an IF output frequency of 480 MHz and a low-side local oscillator. This means to receive a video signal at 2.45 GHz, the local oscillator needs to be set to 1.97 GHz.
This is where the "Channel Select" switch comes into play. As you can see in the above photo, the switch is used to select between four different resistive voltage dividers which determine the voltage on the local oscillator's tuning line. The two potentiometers appear to be "fine tune" controls for this voltage. The "TP Voltages" in the chart at the beginning of this article where taken at the plated through-hole labeled TP in the above photo.
The idea is that by manually adjusting the voltage on this local oscillator tuning line, we can then make the module receive "out-of-band" video signals.
Alternate internal view of the 2.4 GHz video receiver module.
You'll need to remove the 2.4 GHz video receiver module to perform the next modifications.
This is a little better view of the voltage-dividing resistors and the "Channel Select" switch pin-out.
Bottom view of the 2.4 GHz video receiver module.
The circled portion is the voltage tuning line input for the mixer/local oscillator section.
A series 1,000 ohm resistor and shunt capacitor help to form a low-pass filter to remove any noise on the tuning line.
Overview of the manual tuning modification.
You'll need to cut the trace on the voltage tuning line (right after the plated through-hole) and move the shunt capacitor next to the 1,000 ohm resistor.
Then you'll solder an extension wire onto this "new" voltage tuning line and route it to the top of the board.
Overview of the "new" external voltage tuning line.
I ran it to a panel-mounted 1,000 pF feed-through capacitor. This capacitor is optional, but very helpful.
Also, you may wish to add a better piece of coax on the module's RF input. I added a piece of nice Teflon coax with a male SMA connector.
For this project, we'll mount the 2.4 GHz video receiver to the back of an old California Amplifier 2.5 GHz MMDS integrated downconverter and 22-element Yagi antenna.
You'll want to replace the stock coax on the Yagi with something of higher quality and with a RF connector. This will allow you to use the antenna for other projects, if so needed.
A handle was also added to the back plate of the Yagi antenna for mounting or holding.
Case overview used to hold the modified VR36A receiver.
The stock downconverter was removed and a stainless steel 1/4-20 bolt was added to secure both the antenna parts and the aluminum project case. The circuit board of the VR36A will be mounted to the case using some nylon stand-offs and hardware.
A panel-mount, feed-through female SMA-to-SMA connector is used to bring the RF signal into the module. Next to that is a panel-mounted LED and the power switch.
The panel-mount switch with the green back is a 4-position switch. Next to the switch is a multiturn 1,000 ohm potetiometer, and a RCA jack for the video output.
Overview of the potentiometers for setting the voltage levels which correspond to each of the four stock channels.
An optional feed-through capacitor (upper-right) was added as a test point to externally monitor the voltage on the module's tuning line.
Completed 'warspying' device overview.
An optional 15.75 kHz horizontal synchronization detector circuit using a LM567 tone decoder was added to help determine if you are actually receiving a video signal.
You should also try and replace the stock 7805 voltage regulator with one which has better noise and voltage stability specifications.
Closeup view.
Alternate internal view.
Originally, I was going to use an internally-mounted 9 volt battery, but the current draw is quite high, 300 mA or so, and the battery would die quickly.
An external power jack was added to run the circuit from a 12 volt lead-acid battery pack or cigarette lighter.
Finished case overview.
Power switch, power LED, and SMA jack for RF input.
Finished case overview.
Video output and 15.75 kHz horizontal synchronization detection LED on the left.
Selector switch to choose between the four stock channels and manual tuning. The multiturn 1,000 ohm manual tuning potentiometer is in the middle.
The new 4-position channel select switch and the tuning voltage test point are on the right.
Finished overview.
The video output can be monitored via a battery-powered TV, or other monitor, with a "video input" jack.
The Portable Video Camera Viewer project discussed in GBPPR 'Zine, Issue #22 will also work.
"A" is the default channel for the corresponding X10 transmitters.
Schematics
- GBPPR 2.4 GHz 'Warspying' Device Manual tuning connections. (Error: 5x should be 4x)
Notes & Datasheets
- Higher resolution pictures and the original project article are available in GBPPR 'Zine Issue #67.
- A project for a simple 2.4 GHz receive pre-amplifier was covered in GBPPR 'Zine Issue #76.
- A project for a 2.4 GHz spectrum analyzer adapter was covered in GBPPR 'Zine Issue #48.
- National LM567 Tone Decoder (303k PDF)
- Warspying An article by 'Particle Bored' in $2600 Magazine Vol. 19, No. 4.
- Nanny-Cam May Leave a Home Exposed by John Schwartz
- War Driving Version 2.0 Caution: Slashdot posters are the dumbest people in the world.
- Systm: Episode 1 Building a 'War Spying' box. (Hi-Res .AVI)
- 'Warspying' San Francisco by Kevin Poulsen
- WARspy Los Angeles
- The Art of Video Sniffing
- Warviewing by Massive White Dude
- Warspying on X10 Video Cameras
- TEARA's 2.4 GHz ATV Project Page 2.4 GHz FM ATV - a project concept.
- Engel 2.4 GHz Receiver Modified to cover 2.3 GHz to 2.7 GHz with frequency readout.
- Wavecom Jr. Modifications Making the receiver into a video scanner.
- Wireless Camera Security Issues: 'WarSpying'
- Homebrew 2.4 GHz Audio/Video Scanner
- The Packet Sniffers: X10 2.4 GHz Video
- Receiver & Transmitter Mods For G1MFG/Comtech units.
- Wireless Video Sniffer With Automatic Search Radproject from 2003 (366k PDF)
- 2.4 GHz FM ATV Platinum Receiver Schematic Using the Comtech FM2400RTIM8 tuner. (FM Demod Circuit)
- Comtech DFM2400RTIM8 Demo Board Specifications Includes DIP switch settings. (40k PDF)
- Comtech FM2400RTIM8B 2.4 GHz Receiver Module Datasheet (81k PDF)
- Comtech FM2400TSIMB 2.4 GHz Transmitter Module Datasheet (98k PDF)
- Toshiba TA8804 FM Video Demodulation IC (469k PDF)
- Zarlink SL1461 Wideband PLL FM Demodulator (186k PDF)
- Wireless Video Frequencies List of the most commonly used wireless video frequencies.
- Wavecom 2.4 GHz Receiver Modifications (263k PDF)
- Wavecom Jr. Transmitter VFO Modification Increase transmitter frequency range to cover 2.3-2.5 GHz. (105k ZIP)
- DFM Board Schematics Large collection of schematics for the FM900TSIM, FM900RTIM, FM1200TSIM, FM1200RTIM, FM2400TSIM, FM2400RTIM, SP5055, TA8804F, NE592, TL592, KIA6003S, NJM2360 (6.2M PDF)
- Vestigial Sideband Microtransmitter for Amateur Television by H. Paul Shuch, WA6UAM. Ham Radio - February 1976. (784k PDF)
- WarSpying: Wireless Camera Hunter
- Weaponised Auditing Response by Corrosion. Includes a nice 2.4 GHz 'warspying' device. (Hack a Day Entry)
- WarViewing Caution: Wikipedia
Other Related GBPPR Projects:
- Homebrew Bi-Directional 2.4 GHz Amplifier Designs
- Wideband FM Video Receiver
- Frequency Agile NTSC TV Demodulator
- Portable Video Camera Viewer
- GBPPR Video Camera Sync Detector
- Detecting Hidden Video Cameras
- Lamp Flasher For Detecting Hidden Cameras
- van Eck-style Radiation Interception Experiments
- X-Band Receive Converter
- GBPPR 1 GHz RF Spectrum Analyzer