Sniff and decode NRF24L01+ and Bluetooth Low Energy using RTL-SDR
Omri Iluz and Omri Iluz Merge branch 'mluis-master'
Latest commit 8bbd110 Feb 3, 2017


Sniff and decode NRF24L01+ and Bluetooth Low Energy using RTL-SDR.
These protocols use the 2.4 GHz ISM band, which is beyond the tuning range of the cheap rtl-sdr, so a down converter is necessary. See for more details.

The main repository is at


or directly
gcc -std=gnu99 -Wall -O3 -o nrf24-btle-decoder nrf24-btle-decoder.c


nrf24-btle-decoder [-t nrf|btle] [-d 1|2|8] [-l len]
-t packet_type (nrf or btle), defaults to nrf. Using packet type btle implies -d 2
-d downsample_rate (1 for 2 Mbps, 2 for 1 Mbps, 8 for 256 kbps), defaults to 2
-l len (1-32). Sets a fixed packet length

Important: the program's input is a 2M samples per second bitstream generated by rtl_fm or equivalent, e.g. rtl_fm.exe -f 428m -s 2000k | nrf24-btle-decoder.exe -t nrf -d 2



  • The NRF24L01+ protocol decoder does not support the 0-byte and 1-byte CRC modes. It should be trivial to implement, please open an issue if you need that capability.
  • The BTLE protocol decoder currently supports only advertisement packets on channel 38 and not data packets / frequency hopping. I am still evaluating whether the rtl-sdr hardware is fast enough to track the frequency hopping.
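
Added example, not code from this repository or from the credited authors: the two steps that follow bit recovery for a BTLE advertisement on channel 38, de-whitening and the CRC-24 check. Function names, the sample frame and the 6-bit length field (legacy advertising PDUs) are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* LFSR x^7+x^4+1: bit 0 = 1, bits 1..6 = channel index with its MSB in bit 1. */
uint8_t whiten_init(uint8_t channel) {
    uint8_t reg = 1;
    for (int i = 0; i < 6; i++)
        reg |= (uint8_t)(((channel >> (5 - i)) & 1) << (i + 1));
    return reg;
}

/* XOR the whitening sequence over buf, LSB of each byte first (self-inverse). */
void ble_whiten(uint8_t *buf, size_t len, uint8_t channel) {
    uint8_t reg = whiten_init(channel);
    for (size_t i = 0; i < len * 8; i++) {
        uint8_t out = (reg >> 6) & 1;          /* output tap is bit 6 */
        reg = (uint8_t)((reg << 1) & 0x7F);
        if (out) { reg ^= 0x11; buf[i / 8] ^= (uint8_t)(1u << (i % 8)); }
    }
}

/* CRC-24, poly 0x00065B, advertising init 0x555555 (both bit-reversed here). */
uint32_t ble_crc24(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xAAAAAA;
    for (size_t i = 0; i < len * 8; i++) {
        uint32_t in = (buf[i / 8] >> (i % 8)) & 1;   /* data bits LSB first */
        crc = ((crc ^ in) & 1) ? (crc >> 1) ^ 0xDA6000 : crc >> 1;
    }
    return crc;
}

/* De-whiten header + payload + CRC in place; return 1 only if the CRC matches. */
int ble_adv_check(uint8_t *frame, size_t len, uint8_t channel) {
    if (len < 5) return 0;
    ble_whiten(frame, len, channel);
    size_t n = 2 + (size_t)(frame[1] & 0x3F);  /* assumes 6-bit length field */
    if (n + 3 > len) return 0;
    uint32_t got = frame[n] | (uint32_t)frame[n + 1] << 8 | (uint32_t)frame[n + 2] << 16;
    return got == ble_crc24(frame, n);
}

int main(void) {
    /* Constructed ADV_NONCONN_IND: 2-byte header, 6-byte address, CRC slot. */
    uint8_t f[11] = {0x02, 0x06, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
    uint32_t crc = ble_crc24(f, 8);
    f[8] = crc & 0xFF; f[9] = (crc >> 8) & 0xFF; f[10] = crc >> 16;
    ble_whiten(f, sizeof f, 38);               /* as it appears on channel 38 */
    printf("CRC ok: %d\n", ble_adv_check(f, sizeof f, 38));
    return 0;
}
```

A frame that fails this check is most often a noise or frequency-drift artifact rather than a real packet, so the check doubles as a filter for false preamble matches.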


  • The biggest problem is noise: avoid RF auto gain and set the gain as low as possible. I usually get best results with 0-10 dB gain.
  • The second biggest problem is frequency drift. Use kalibrate for a good baseline, then fine-tune the frequency in 50 kHz steps until perfect.


All of the code contained here is licensed under the MIT license.


Dmitry Grinberg, CRC and Whiten code for BTLE
Open Source Mobile Communication, RTL-SDR information
Steve Markgraf, RTL-SDR Library

Copyright (c) 2014 Omri Iluz