Camera Detection · Volume 2
CameraDetection Volume 2 — Detection Physics I: RF & Spectrum
Diode/log-amp detector theory · power-detector vs signal-analysis · analog-video band plans · what RF cannot catch
2.1 About this volume
This is the first of three detection-physics volumes (Vols 2–4) that underpin the rest of the series. Vol 2 covers the RF and spectrum layer — broadband RF bug detectors, the power-detector vs signal-analysis distinction, the analog-video band plans, and, critically, what RF instruments cannot see. Vol 3 (Wi-Fi network analysis) and Vol 4 (finding non-emitting cameras) complete the physics arc.
Understanding the physics is not optional context. It is what separates a defensible counter-surveillance sweep from a theatrical exercise. Every cheap “anti-spy” gadget on Amazon is a power detector. Every tutorial that says “wave the detector around the room” is describing a power detector. Knowing exactly what that instrument measures — and what it is congenitally blind to — is the foundation on which all the practical sweeping in later volumes rests.
Chapter map for this volume:
- §2 dissects the broadband RF bug detector at the component level: the Schottky diode or log-amp circuit, the audio-feedback localization trick, what these devices are actually sensitive to, and the false-positive landscape.
- §3 draws the sharp line between power detection (broadband, spectrally unselective, cheap) and signal analysis (spectrally selective, decodable, expensive), and provides the comparison table that makes this concrete.
- §4 covers spectrum sweeping for analog wireless cameras: the 1.2, 2.4, and 5.8 GHz band plans with channel-by-channel detail, what an FM-video carrier looks like on a waterfall display, the sweep parameters that matter (RBW, dwell, sweep rate), and the command-line tooling for HackRF One and RTL-SDR.
- §5 closes the honest-constraint loop: RF instruments — from a $20 K18 through a $10,000 spectrum analyzer — cannot detect SD-only or wired cameras. And even for cameras that do transmit, certain transmission modes defeat any power detector and challenge even a spectrum sweep.
Three running themes this volume introduces:
- Constraint #1 (load-bearing): Non-emitting SD-only and wired cameras emit no RF of any kind. RF methods are completely blind to them. This is not a limitation of cheap gear — it is a physics constraint that no RF instrument can overcome. Vol 4 covers the methods that can cross this gap.
- Constraint #3 (introduced here, deepened in Vol 6): Analog wireless cameras (1.2/2.4/5.8 GHz) require spectrum sweep and demodulation — neither an ESP32 Wi-Fi scan nor a broadband power detector gives you a confident identification.
- Calibration discipline: Every detection-range claim in this volume is spec-sourced pending bench verification. Manufacturer sensitivity specifications and claimed detection ranges have not been independently confirmed and should be treated as optimistic.
2.2 Broadband RF bug detectors
A “broadband RF bug detector” — the $20–60 “anti-spy” class sold under brands like K18, ST-800, DD-1206, JMDHKK, BUWAV, Mengshen, and dozens of interchangeable aliases — is, at its core, a Schottky diode envelope detector with a wideband antenna and an audio or LED output. That sentence contains everything you need to understand both its utility and its limits. Let us unpack each component.
2.2.1 The diode power-detector circuit
The operating principle is envelope detection: the diode rectifies the incoming RF, and the rectified envelope — a DC or low-frequency voltage proportional to the RF field strength — drives an indicator. No frequency selectivity. No decoding. Just power.
The Schottky diode. A standard silicon PN junction diode has a forward voltage of ~0.6–0.7 V; below that threshold it does not conduct, and weak RF signals cannot overcome the barrier. A Schottky diode — formed at a metal-semiconductor junction rather than a PN junction — has a forward voltage of 0.2–0.4 V, substantially lower, which lets it respond to much weaker RF. Common types used in detector circuits:
Table 1 — Common Schottky diode types used in detector circuits
| Part | Vf (typ) | Frequency coverage | Notes |
|---|---|---|---|
| HSMS-2850 (Broadcom) | 0.25 V @ 0.1 mA | DC – 6 GHz | Purpose-built for zero-bias detector applications; SOT-23/SOT-143 package |
| BAT41 (ST Micro) | 0.34 V @ 0.1 mA | DC – 1 GHz (practical; extrapolates higher with sensitivity loss) | Low capacitance (1.5 pF); widely available; SOD-123 |
| 1N5711 | 0.41 V @ 0.1 mA | DC – 1 GHz | Old jellybean through-hole; good to ~1 GHz, not ideal above that |
| SMS7630 (Skyworks) | 0.15 V @ 0.1 mA | DC – 10 GHz | Near-zero-bias; excellent GHz-range sensitivity; SC-70 |
The cheap K18-class units use whatever Schottky diode is available in bulk; you will find HSMS-2850 equivalents in the better units and near-counterfeit jellybean Schottkys in the worst.
The detector topology. The fundamental single-diode envelope detector:
Single-diode envelope detector (signal chain):
Antenna (whip or folded) → optional wideband BPF (some units omit this) → Schottky diode D1 → video filter R1/C1 (C1 = video filter cap, sets the low-pass corner) → Vout (DC) → audio amp / LM393 comparator → buzzer or LED array
Signal flow: RF field → antenna coupling → diode rectification → RC low-pass → DC voltage
Physics:
| Regime | Condition | Output |
|---|---|---|
| Small-signal (square-law) | P_in << V_f²/R | Vout ∝ P_in (power detector) |
| Large-signal (linear) | P_in >> V_f²/R | Vout ∝ √P_in (amplitude detector) |
In practice: cheap units operate in the large-signal regime most of the time; calibrated units use the square-law region.
The video filter RC time constant. The RC low-pass filter after the diode (C1 in the diagram) sets the envelope bandwidth. For detecting a continuous RF carrier (like an analog camera or a Wi-Fi AP), any time constant from 1 µs to 10 ms works fine — the output voltage follows the carrier power. For detecting burst transmissions (a phone sending a single LTE uplink packet), the time constant must be short enough to respond to the burst. Many cheap detectors use C1 values that produce time constants of 50–200 µs, which means they can respond to individual LTE/GSM bursts if the burst is strong enough to overcome the noise floor, but the response decays within a fraction of a millisecond. The audio output — which runs at human-audible rates — must therefore be driven from a comparator or peak-hold circuit downstream, not directly from the rectified envelope.
Sensitivity floor. The noise figure of a diode detector is determined by the diode’s conversion loss and the Johnson noise of the load resistor. For a zero-bias Schottky like the HSMS-2850, the conversion loss is roughly 12–16 dB, and the noise figure is in the 12–20 dB range. Combined with the noise floor set by the 50 Ω antenna impedance at room temperature (−174 dBm/Hz), the minimum detectable signal for a 1 Hz noise bandwidth is around −160 + NF ≈ −140 to −145 dBm. In practice, the bandwidth is much wider (tens of MHz), so the integrated noise floor is much higher, and the MDS of a cheap diode detector is in the −50 to −70 dBm range in any realistic deployment — far from the “1000 metre detection range” on the packaging.
2.2.2 The log-amp variant
Better-quality RF bug detectors and TSCM RF survey meters use a logarithmic amplifier (log-amp) in place of or following the diode detector. The log-amp produces an output voltage proportional to the logarithm of the input power (i.e., linear in dBm), which gives it a much larger useful dynamic range — typically 60–90 dB compared to 20–30 dB for a basic diode circuit.
The canonical log-amp IC in RF power measurement applications is the Analog Devices AD8307, introduced in 1999 and still widely used:
Table 2 — Analog Devices log-amp ICs used in RF power measurement
| Parameter | AD8307 | AD8310 | AD8318 |
|---|---|---|---|
| Frequency range | DC to 500 MHz | DC to 440 MHz | 1 MHz to 8 GHz |
| Dynamic range | 92 dB (−75 to +17 dBm) | 95 dB (−90 to +5 dBm) | 70 dB (−65 to +5 dBm) |
| Slope | 25 mV/dB | 24 mV/dB | −22 mV/dB (falling) |
| Intercept | −84 dBm | −108 dBm | +20 dBm (reference) |
| Supply | 2.7–5.5 V, 7.5 mA | 2.7–5.5 V, 8 mA | 3.0–5.5 V, 28 mA |
| Package | SO-8 | SO-8 | LFCSP-16 |
| Cost (approx) | $5–8 (LCSC) | $7–10 | $12–18 |
Signal path for a log-amp-based RF power detector:
Log-amp RF power detector (calibrated), signal chain:
Antenna → LNA preamp (optional) → BPF (optional) → log-amp IC (AD8307 / AD8318) → Vout (linear in dBm) → ADC + MCU (threshold) → LED bargraph, buzzer frequency, numeric dBm readout
Vout = V_intercept + slope × Pin_dBm (e.g. AD8307: Vout = 84·0.025 + 0.025·Pin_dBm = 0.025·(Pin_dBm + 84) volts)
Example: AD8307 with −84 dBm intercept, 25 mV/dB slope
| Pin (dBm) | Vout (mV) |
|---|---|
| −75 dBm | 225 mV |
| −50 dBm | 850 mV |
| −30 dBm | 1,350 mV |
| −10 dBm | 1,850 mV |
| 0 dBm | 2,100 mV |
| +17 dBm | 2,525 mV |
Note: only valid within the IC's specified linear range; input must be RF-AC coupled; DC offsets must be managed.
The AD8307 covers DC to 500 MHz — perfectly adequate for the 1.2 GHz band’s lower edge and for 2.4 GHz with an appropriate preamplifier, but not reaching 5.8 GHz natively. For a wideband detector covering all three analog camera bands (and Wi-Fi, cellular, etc. for completeness), you would combine stages or use the AD8318, which covers 1 MHz to 8 GHz with somewhat less dynamic range.
The advantage of the log-amp for RSSI-based localization is the linear-in-dBm output: if you walk toward a 20 dBm transmitter from 10 metres away, you gain roughly 6 dB per halving of distance (free-space received power ∝ 1/d²), and the log-amp output climbs proportionally. This makes the audio pitch or LED count a genuine range proxy — something the diode detector’s square-law output does not give you cleanly.
2.2.3 The “lead and leash” antenna and audio-feedback localization
The audio-feedback localization technique — walking toward an RF source guided by an increasing buzzer pitch or faster LED pulse rate — is the primary operational use of broadband RF bug detectors in counter-surveillance contexts. The mechanical details matter more than most descriptions acknowledge.
The antenna configuration. Cheap units ship with a single collapsible whip or a PCB trace antenna soldered to the detector board. Better units provide two antennas:
- The “leash” (broadside, omnidirectional): The primary antenna — typically a quarter-wave monopole tuned to the middle of the band, or a wideband folded monopole. Gives the signal level reading.
- The “lead” (directional or reduced-aperture probe): A smaller, closely spaced antenna or a shielded probe tip. Used when very close to the source to resolve the final centimetre-scale location. When the “lead” antenna is shielded or pointed, it has a null in certain directions, helping identify which specific object is the source.
The classic TSCM “near-field probe” approach — which the better cheap units approximate — uses a small (2–5 cm diameter) loop antenna as the lead probe; loop antennas respond to the magnetic near field, which falls off as 1/d³ in the near field (faster than the 1/d² far-field fall-off), giving much sharper spatial discrimination in close quarters.
The localization procedure:
- Coarse sweep: Walk the perimeter and major furniture items with the leash antenna deployed. Note any area where the detector registers an increase.
- Directional pass: Once a hot zone is identified, move the detector slowly through that zone, noting the reading at each position. In the far field, the reading is largely independent of the detector’s orientation. In the near field (within ~1–2 wavelengths of the source), the reading can vary with angle — pivot the detector to find the maximum.
- Fine localization (close-in probe): Switch to or hold the probe tip toward suspect objects one by one. The steep near-field gradient (1/d³) means that at 10 cm from the source, the reading is roughly 8× higher than at 20 cm — a clear audible jump if the source is behind the object you are probing.
- Confirmation: Any object that causes a sustained, significantly higher reading regardless of the detector’s orientation is a candidate. Mark it, move on, and complete the RF sweep before opening or moving anything (disturbance may reveal the sweep to an attacker’s remote monitoring).
A critical limitation of this technique: the procedure above assumes the RF source is continuous or long-duration. A Wi-Fi camera that bursts only during motion events, or a cellular camera that transmits only during upload cycles, may not be “on” for the entire sweep. This is why inducing motion (walking in front of suspect positions, waving a hand) during the RF sweep phase improves sensitivity for motion-triggered cameras.
[Figure 2.1 — A K18-class broadband Schottky diode power detector. This device measures aggregate RF power across a multi-GHz band with no frequency selectivity.]
2.2.4 What broadband RF detectors actually target
Calibration point: A broadband RF bug detector responds to any sufficiently strong electromagnetic field in its operating band. It does not know whether the source is a covert camera, a smartphone, a Wi-Fi router, a Bluetooth speaker, or a microwave oven. The word “camera” appears nowhere in the physics of the measurement.
Broadband RF detectors do find:
- Any device transmitting enough RF power to overcome the detector’s noise floor at the distance of the measurement
- Continuous carriers (analog wireless cameras, FM transmitters) — best case, since the signal is always on
- High-duty-cycle burst signals (DECT phones, baby monitors, older 802.11b at close range)
- Any strong local RF emitter regardless of its nature
Broadband RF detectors do not find or distinguish:
- The type of device (camera vs phone vs router vs speaker)
- The content of the transmission
- The direction of the transmission — only the power level
- Weak or low-duty-cycle signals that stay below the noise floor
- Non-emitting devices (SD-only cameras, wired cameras) — zero RF, zero detection, unconditionally
The implication is that a clean reading from a broadband RF detector in a furnished room — where multiple phones, Bluetooth accessories, and Wi-Fi clients are likely present — is not evidence of the absence of cameras. It is evidence that no strong RF emitter tripped the detector’s threshold in the swept area. The same reading could be produced by a room containing three Wi-Fi cameras and a room containing zero cameras, depending on how close the detector was swept to each object.
2.2.5 False positives and operational limits
False positives are not incidental to broadband RF bug detectors — they are the expected operating condition in any modern indoor environment.
Primary false-positive sources:
Table 3 — Primary false-positive sources
| Source | Typical power (at 1 m) | Frequency range | How to distinguish |
|---|---|---|---|
| Smartphone (Wi-Fi association) | −30 to −20 dBm | 2.4/5 GHz | Ask all occupants to enable Airplane Mode; detector should drop |
| Wi-Fi AP / router | −20 to −10 dBm | 2.4/5/6 GHz | Fixed location; present before and after your sweep |
| Bluetooth headset | −50 to −40 dBm | 2.4 GHz | Short range; moves with the person |
| Baby monitor / DECT phone | −10 to 0 dBm | 1.9 GHz (DECT) | Strong, often surprising; has a paired base unit |
| Microwave oven (operating) | Substantial leakage | 2.45 GHz | Only active while cooking |
| Smart TV / streaming device | −30 to −20 dBm | 2.4/5 GHz | Fixed; visible on Wi-Fi scan |
| IoT sensor (Zigbee/Z-Wave) | −50 to −30 dBm | 900 MHz / 2.4 GHz | Short bursts; may not trigger detector |
| Induction cooktop | Variable leakage | 20–100 kHz (fundamental) and harmonics | Should not reach GHz range; shielded |
The mitigation protocol. To reduce false positives during a sweep:
- Ask everyone in the space to set their phones to Airplane Mode for the duration of the RF sweep. This removes the largest and most variable noise source.
- Note the locations of known fixed sources (router, smart TV) before sweeping. Any detector trigger collocated with a known source is a non-event.
- Sweep objects that are not known sources and have clear lines of sight to sensitive areas — smoke detectors, clocks, chargers.
- If the detector triggers on an unfamiliar object, leave the detector in place and walk away with all phones. If the reading drops, the source was a phone. If it remains elevated, the object itself is emitting.
Realistic sensitivity vs marketing claims. The TSCM industry commonly sees budget RF detectors marketed with detection ranges of “up to 10 metres,” “15 metres,” or — in the most egregious cases — “1000 metres” for “laser detection range” (this is referring to the optical lens-glint finder function that some combo units include, but the marketing conflates the two). Let us do the math for an RF camera:
Take a 2.4 GHz Wi-Fi camera transmitting at 20 dBm (100 mW, a typical maximum for a Wi-Fi device), observed from 10 metres away in free space:^[Friis transmission equation: FSPL = 20 log₁₀(d) + 20 log₁₀(f) + 20 log₁₀(4π/c) ≈ 20 log₁₀(10) + 20 log₁₀(2.4×10⁹) − 147.6 ≈ 60 dB at 10 m, 2.4 GHz.]
FSPL at 10 m, 2.4 GHz: ≈ 60 dB
Tx power: +20 dBm
Received power at isotropic receive antenna: +20 − 60 = −40 dBm
A typical cheap diode detector has an MDS of −40 to −50 dBm under real-world conditions (noise from the wideband noise floor, interference, etc.). So at 10 metres in free space, a 100 mW 2.4 GHz camera would produce approximately −40 dBm at the detector antenna, right at that sensitivity boundary. In a real room (multipath, furniture absorbing 3–10 dB), the signal falls below the noise floor of most cheap units.
Realistic operating range for cheap detectors (spec-sourced, bench-unverified): 1–3 metres for a 100 mW Wi-Fi camera in a furnished room. The claim of “10 metres” detection range requires either a very sensitive detector (log-amp class, not diode class) or a much higher power transmitter than most cameras produce. The “1000 metre” claim has no physical basis for any camera on any RF band.
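Added example (not from the original page): the link-budget arithmetic above combined with the AD8307 transfer function from §2.2.2, showing what a log-amp meter would read along an approach path and which MDS a claimed range implies. It assumes free space plus a flat room loss and that the AD8307 slope and intercept apply unchanged at the antenna; the function names are this example's own.

```python
import math

C_M_PER_S = 299_792_458.0

# AD8307 figures from Table 2 and the worked Vout table on this page.
SLOPE_MV_PER_DB = 25.0
INTERCEPT_DBM = -84.0
LINEAR_RANGE_DBM = (-75.0, 17.0)


def fspl_db(distance_m, freq_hz):
    """Free-space path loss between isotropic antennas (Friis), in dB."""
    if distance_m <= 0 or freq_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C_M_PER_S)


def received_dbm(tx_dbm, distance_m, freq_hz, room_loss_db=0.0):
    """Power at the detector antenna; also the MDS a detector needs at that range."""
    return tx_dbm - fspl_db(distance_m, freq_hz) - room_loss_db


def ad8307_mv(pin_dbm):
    """Ideal AD8307 output for an input inside its linear range."""
    lo, hi = LINEAR_RANGE_DBM
    if not lo <= pin_dbm <= hi:
        raise ValueError(f"{pin_dbm:.1f} dBm is outside the linear range")
    return SLOPE_MV_PER_DB * (pin_dbm - INTERCEPT_DBM)


def ad8307_dbm(vout_mv):
    """Invert the transfer function: meter voltage back to input power."""
    pin_dbm = vout_mv / SLOPE_MV_PER_DB + INTERCEPT_DBM
    lo, hi = LINEAR_RANGE_DBM
    if not lo <= pin_dbm <= hi:
        raise ValueError(f"{vout_mv:.0f} mV maps outside the linear range")
    return pin_dbm


def implied_distance_m(vout_mv, tx_dbm, freq_hz):
    """Free-space distance that would explain a reading from an assumed transmitter."""
    loss_db = tx_dbm - ad8307_dbm(vout_mv)
    return C_M_PER_S / (4 * math.pi * freq_hz) * 10 ** (loss_db / 20)


def approach_profile(tx_dbm, freq_hz, distances_m):
    """(distance, dBm, mV) rows for a walk toward the source."""
    rows = []
    for d in distances_m:
        p = received_dbm(tx_dbm, d, freq_hz)
        rows.append((d, round(p, 2), round(ad8307_mv(p), 1)))
    return rows


if __name__ == "__main__":
    for band, f in (("2.4 GHz", 2.4e9), ("5.8 GHz", 5.8e9)):
        print(band)
        for d, p, mv in approach_profile(20.0, f, [10, 5, 2.5, 1.25]):
            print(f"  {d:>5} m  {p:7.2f} dBm  {mv:7.1f} mV")
        # MDS needed to back a "10 metres" claim in a room that costs 10 dB
        print(f"  MDS for 10 m claim: {received_dbm(20.0, 10, f, 10.0):.1f} dBm")
```

Each halving of distance raises the ideal reading by about 150 mV (6 dB × 25 mV/dB), which is the range proxy described in §2.2.2.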
2.3 Power-detector vs signal-analysis
2.3.1 The fundamental distinction
The difference between a $30 broadband RF bug detector and a $500 HackRF One is not just price — they are fundamentally different measurement instruments solving fundamentally different problems.
A power detector integrates RF energy across a very wide band (often 1 MHz to 6 GHz in one shot) and reports a single number: how much total power is arriving at the antenna. It has no idea what frequency that power is at, no idea whether the signal is narrow or wideband, no idea whether there are one emitter or fifty, and no ability to distinguish a camera from a phone. It is the RF equivalent of a light meter that tells you how bright the room is, without telling you how many lights there are, what color they are, or where they are located.
A signal analyzer (spectrum analyzer, SDR, or software-defined receiver) measures power as a function of frequency: it produces a power spectral density (PSD) plot showing which frequencies carry how much power. It can distinguish a 1.5 MHz-wide LTE uplink burst at 1,850 MHz from a 20 MHz-wide 802.11n channel at 2,437 MHz from a 6 MHz-wide analog FM-video carrier at 2,432 MHz — signals that all overlap in the frequency axis but are distinct in the power-vs-frequency view.
[Figure: side-by-side comparison. Power detector view: Vout (voltage, ∝ total power) against time, a single undifferentiated level: "Something is transmitting" (cannot say what, where, or why). Spectrum analyzer view: power (dBm) against frequency (PSD), 2.40–2.46 GHz: "Wi-Fi Ch1 at 2.412, analog FM camera at 2.432, Wi-Fi Ch6 at 2.437 — three distinct signals at distinct powers".]
This distinction drives every practical recommendation in the series. When the plan says “spectrum sweep for analog cams” (§4 below), it means using a signal analyzer — not waving a power detector around and hoping.
The K18 class. The budget RF bug detectors reviewed in this and subsequent volumes are power detectors in the strictest sense. The better ones (those using AD8307-class log-amp ICs) give you a calibrated power reading but no frequency information. Even with a logarithmic detector, you cannot tell whether the 3 dB increase you just measured was caused by a Wi-Fi camera, someone’s phone, or a Bluetooth speaker in the next room.
The HackRF One / RTL-SDR class. These are signal analyzers — specifically, software-defined radios with digitizing receivers that capture a slice of spectrum (the HackRF One: up to 20 MHz instantaneous bandwidth, 1 MHz to 6 GHz tuning range; the RTL-SDR: up to ~3 MHz bandwidth, ~24 MHz to 1,766 MHz depending on tuner) and pass the baseband IQ samples to software for spectral display, filtering, and demodulation. They can identify a signal — narrow vs wide, modulation type, carrier stability, whether it is analog-video FM or 802.11 OFDM — rather than just measuring aggregate power.
The implication: a HackRF One sweep of the 2.4 GHz band can tell you that there is a 6 MHz-wide FM-modulated carrier at exactly 2,432 MHz that is not a standard 802.11 channel — which is the signature of an analog wireless camera. A K18 detector, sweeping the same band, sees the same aggregate power and cannot distinguish camera from router.
2.3.2 Detector-type comparison
Table 4 — Detector-type comparison
| Detector type | Bandwidth coverage | Frequency selectivity | Identifies signal type | Cost (approx) | What it catches (camera relevance) |
|---|---|---|---|---|---|
| Schottky diode detector (K18 class) | 1 MHz–6 GHz (claimed); effectively 50 MHz–3 GHz (practical sensitivity) | None — integrates all power | No | $20–60 | Strong continuous transmitters (analog cameras up close, Wi-Fi APs close range); cannot distinguish camera from phone; misses SD/wired cameras entirely |
| Log-amp RSSI meter (AD8307 class) | Usually 10 MHz–500 MHz per IC; 1–8 GHz with AD8318 | None — single-band total power | No | $100–400 | Calibrated signal-level reading; better dynamic range for localization; same fundamental limit — no frequency selectivity |
| Wideband spectrum analyzer (handheld, e.g. TinySA Ultra) | 100 kHz–960 MHz (TinySA) or 100 kHz–6 GHz (TinySA Ultra) | Yes — PSD plot | Yes (visual) | $120–200 | Can identify analog 1.2 GHz camera carrier; visual inspection required; good sensitivity if swept slowly |
| RTL-SDR V3 (R820T2 tuner) | 24 MHz–1,766 MHz (continuous) | Yes — 2–3 MHz instantaneous BW | Yes (with software) | $25–40 (dongle) + antenna | Covers 1.2 GHz band well; can see 2.4 GHz with the right antenna but not 5.8 GHz; with rtl_power for sweep, gqrx/SDR# for visualization |
| HackRF One | 1 MHz–6 GHz | Yes — up to 20 MHz instantaneous BW | Yes (with software) | $280–500 (with PortaPack) | Full coverage of all three analog camera bands; hackrf_sweep covers entire 1–6 GHz in seconds; definitive for analog-cam detection |
| USRP B210 (research-grade) | 70 MHz–6 GHz | Yes — 56 MHz instantaneous BW | Yes (with GNU Radio) | $1,500–2,200 | Full coverage; used in academic EM-Eye / CamRadar research (see Vol 4 §8); overkill for analog-camera detection |
| Professional spectrum analyzer (Rigol, Keysight, etc.) | Varies; 9 kHz–3 GHz typical bench units | Yes — calibrated RBW, excellent NF | Yes | $400–$50,000+ | Definitive reference instrument; highest sensitivity and dynamic range; necessary for professional TSCM |
| REI MESA RF | Handheld professional TSCM RF detector | Yes — intended for covert transmitter detection | Yes (audio/visual) | $2,000–4,000 (spec-sourced) | Professional TSCM class; specifically designed for bug-detection applications |
Note: signal analysis requires active sweep time. A power detector gives a reading in real time, anywhere in the band, simultaneously. A spectrum analyzer or SDR covers only its instantaneous bandwidth at any moment; to sweep a wide range (1–6 GHz, say), it must hop through that range sequentially. This means a signal that transmits only during the brief window when the analyzer is tuned to a different frequency will be missed. For always-on analog-video cameras this is not a problem (the carrier is always present). For burst-mode transmitters (cellular cameras, low-duty-cycle IoT devices), a swept spectrum analyzer can miss bursts that occur between hops. This is an argument for longer dwell times or triggered scanning when the threat model includes burst-mode devices.
2.4 Spectrum sweep for analog cams
An analog wireless camera is, in RF terms, a continuous FM-modulated transmitter on one of three ISM-adjacent bands: 1.2 GHz, 2.4 GHz, or 5.8 GHz. This section provides the band-by-band channel plans, the spectral signature of an FM-video carrier, and the sweep methodology to find one.
2.4.1 The three analog-video bands
Analog wireless cameras use amplitude-unmodulated FM video transmission (FM-video) on three ISM and ISM-adjacent bands. These bands and their specific channel plans are set by the manufacturer; there is no single international standard governing covert-camera channels. The tables below reflect the most widely-used consumer-market channel plans as of the time of writing — actual devices may vary.^[Channel plans compiled from multiple consumer analog wireless camera product teardowns, FCC ID filings, and AliExpress product listings. Frequencies are nominal center frequencies; actual operating frequency may drift ±500 kHz from nominal due to crystal tolerance and temperature in cheap units.]
2.4.1.1 1.2 GHz band
The 1.2 GHz band is the oldest and least common in consumer-grade wireless cameras sold in North America, primarily because 1,200–1,300 MHz is adjacent to GPS L1 (1,575.42 MHz) and civilian aviation navigation aids. FCC Part 15 limits RF emissions near these bands. Chinese-market devices imported via gray channels sometimes use this band; North American compliance is questionable.
Table 5 — 1.2 GHz band
| Channel | Center Freq (MHz) | Band edges (approx) | Notes |
|---|---|---|---|
| Ch 1 | 1,120 | 1,110–1,130 | Lowest channel; least common |
| Ch 2 | 1,160 | 1,150–1,170 | |
| Ch 3 | 1,200 | 1,190–1,210 | Nominal “1.2 GHz” label |
| Ch 4 | 1,240 | 1,230–1,250 | Highest channel |
RTL-SDR coverage: The R820T2 tuner covers 24 MHz to ~1,766 MHz, so the entire 1.2 GHz camera band is comfortably within RTL-SDR range. Sensitivity at 1.2 GHz is better than at 2.4 GHz with an R820T2 tuner.
HackRF One coverage: Covers 1 MHz to 6 GHz; full coverage, excellent sensitivity with appropriate LNA settings.
2.4.1.2 2.4 GHz band
The 2.4 GHz ISM band (2,400–2,483.5 MHz) is the most common band for consumer analog wireless cameras. It is also occupied by Wi-Fi (802.11b/g/n/ax, three non-overlapping channels in North America: Ch1 at 2,412, Ch6 at 2,437, Ch11 at 2,462 MHz) and Bluetooth (79 channels, 2,402–2,480 MHz). This congestion makes it harder to spot a weak analog camera carrier — the FM-video carrier must stand out from the 802.11 channel energy.
Table 6 — 2.4 GHz band
| Channel | Center Freq (MHz) | Typical power (EIRP, spec-sourced) | Notes |
|---|---|---|---|
| Ch 1 | 2,414 | 10–100 mW | Falls between Wi-Fi Ch1 and Ch6 |
| Ch 2 | 2,432 | 10–100 mW | Adjacent to Wi-Fi Ch6 (2,437); may overlap |
| Ch 3 | 2,450 | 10–100 mW | Between Wi-Fi Ch6 and Ch11 |
| Ch 4 | 2,468 | 10–100 mW | Adjacent to Wi-Fi Ch11 (2,462) |
| Ch 5 (8-ch units) | 2,419 | 10–100 mW | Within Wi-Fi Ch1/Ch6 overlap region |
| Ch 6 (8-ch units) | 2,442 | 10–100 mW | Wi-Fi Ch8 area |
| Ch 7 (8-ch units) | 2,458 | 10–100 mW | |
| Ch 8 (8-ch units) | 2,476 | 10–100 mW | Near band edge |
Note that all four standard channels (Ch1–4) are designed to interleave with, not avoid, the three 802.11 channels. A 2.4 GHz analog camera running on Ch2 (2,432 MHz) places its carrier ≈5 MHz below the Wi-Fi Ch6 center — they are nearly collocated spectrally. The FM-video carrier is narrower than a 20 MHz 802.11n channel, but distinguishing them on a waterfall requires adequate RBW. This is a key argument for using a real spectrum sweep rather than a power detector for 2.4 GHz camera detection.
RTL-SDR coverage: R820T2 tuner covers 24–1,766 MHz — the 2.4 GHz band is outside native RTL-SDR R820T2 range. Some RTL-SDR dongles with different tuners (e.g., E4000 tuner, which covers 64–1,700 MHz with a gap, and has a secondary range to ~1.7–2.2 GHz (device-dependent)) can partially reach 2.4 GHz but with greatly reduced sensitivity. In practice, the RTL-SDR is not the right tool for 2.4 GHz analog camera detection. Use HackRF One, TinySA Ultra, or a YARD Stick One with appropriate front-end.
HackRF One coverage: Full coverage; HackRF One covers 2.4 GHz cleanly with good sensitivity.
2.4.1.3 5.8 GHz band
The 5.8 GHz ISM band (5,725–5,875 MHz in North America) is used by many modern consumer analog cameras because it is less congested than 2.4 GHz for analog signals — 802.11a/n/ac/ax uses 5 GHz (5,150–5,850 MHz), but the 802.11 channels in the 5.8 GHz ISM region (5,745–5,825 MHz covers U-NII-3) are OFDM digital, not analog FM, and a spectrum sweep easily distinguishes the two modulation types.
5.8 GHz is also popular in the FPV (first-person-view) drone video community; FPV analog video transmitters use the same FM-video modulation on overlapping channel plans. The FPV-band overlap means the 5.8 GHz channel plan is well-documented.
Table 7 — 5.8 GHz band
| Channel | Center Freq (MHz) | FPV band name | Notes |
|---|---|---|---|
| Ch 1 | 5,740 | A/Boscam Ch1 | Common security camera channel |
| Ch 2 | 5,760 | A/Boscam Ch2 | |
| Ch 3 | 5,780 | A/Boscam Ch3 | |
| Ch 4 | 5,800 | A/Boscam Ch4 | |
| Ch 5 | 5,820 | A/Boscam Ch5 | |
| Ch 6 | 5,840 | A/Boscam Ch6 | |
| Ch 7 | 5,860 | A/Boscam Ch7 | Near band edge |
| Ch 8 | 5,880 | A/Boscam Ch8 | 5 MHz above ISM band edge (5,875 MHz) |
| Raceband Ch1 | 5,658 | R1 | Below ISM band; used in FPV |
| Raceband Ch4 | 5,769 | R4 | |
| Raceband Ch8 | 5,917 | R8 | Well above ISM band |
Path loss consideration. 5.8 GHz has ~8 dB more free-space path loss than 2.4 GHz at the same distance (20 log₁₀(5.8/2.4) ≈ 7.7 dB). A 100 mW analog camera at 5.8 GHz has effectively 8 dB less range than the same unit at 2.4 GHz. This means 5.8 GHz cameras are often found at closer range and their signals may be weaker relative to the noise floor.
RTL-SDR coverage: The R820T2 tuner does not reach 5.8 GHz. The RTL-SDR is not usable for 5.8 GHz analog camera detection. HackRF One, a proper 5.8 GHz-capable spectrum analyzer, or an FPV video receiver are the options.
HackRF One coverage: HackRF One covers 1 MHz to 6 GHz; 5.8 GHz is well within range.
2.4.1.4 Complete analog-band summary
Table 8 — Complete analog-band summary
| Band | Freq range | Channels (typical) | RTL-SDR usable? | HackRF One usable? | Key interference |
|---|---|---|---|---|---|
| 1.2 GHz | 1,100–1,300 MHz | 4 (1,120–1,240 MHz) | Yes (R820T2) | Yes | GPS at 1,575 MHz; aviation nav aids |
| 2.4 GHz | 2,400–2,485 MHz | 4–8 (2,414–2,476 MHz) | No (R820T2 stops at ~1,766 MHz) | Yes | Wi-Fi Ch1/6/11; Bluetooth; microwave |
| 5.8 GHz | 5,725–5,875 MHz | 4–8 (5,740–5,880 MHz) | No | Yes | Wi-Fi U-NII-3; FPV drones |
2.4.2 What an analog FM-video carrier looks like
Understanding the spectral signature of an FM-video carrier lets you identify one on a waterfall without demodulating it.
FM-video modulation. Analog wireless cameras transmit composite video (NTSC or PAL) frequency-modulated onto the carrier. NTSC composite video occupies DC to ~4.2 MHz (luminance to 3.58 MHz color subcarrier, up to ~4.2 MHz residual sidebands). PAL extends to ~5.5 MHz. The FM deviation is typically ±2–6 MHz peak, depending on the transmitter design.
Occupied bandwidth. By Carson’s rule, the RF bandwidth (≥98% power) is:
BW_Carson = 2 × (f_peak_deviation + f_highest_baseband)
NTSC camera (narrow deviation, ±3 MHz): BW = 2 × (3 + 4.2) ≈ 14.4 MHz
NTSC camera (wide deviation, ±6 MHz): BW = 2 × (6 + 4.2) ≈ 20.4 MHz
PAL camera (wide deviation, ±6 MHz): BW = 2 × (6 + 5.5) ≈ 23 MHz
Practical: most cheap analog security-camera transmitters occupy 12–20 MHz of RF bandwidth.
Spectral shape on a waterfall. An FM-video carrier has a distinctive shape:
ASCII WATERFALL MOCKUP — 2.4 GHz band, 20 MHz span, 100 kHz RBW

Frequency (MHz):
2,410   2,415   2,420   2,425   2,430   2,435   2,440   2,445
│       │       │       │       │       │       │       │
│ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ Wi-Fi Ch1 (2,412 MHz) │  ← wide 802.11g channel
│ ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 20 MHz BW, OFDM pilots│  (noise floor = grey)
│       │       │       │       │       │       │       │
│       │       │   ████████████████    │       │       │  ← ANALOG FM-VIDEO CARRIER
│       │       │   ████████████████    │       │       │  centered at 2,425 MHz
│       │       │   ████████████████    │       │       │  ~12–16 MHz wide,
│       │       │   ████████████████    │       │       │  bright but not rectangular
│       │       │   ▓▓████████████▓▓    │       │       │  (FM sideband roll-off)
│       │       │   ░░▓▓████████▓▓░░    │       │       │  peak brighter than edges
│       │       │   ░░░░░░░░░░░░░░░░    │       │       │
│░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│  ← Wi-Fi Ch6 (2,437 MHz) nearby
│░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░│
│       │       │       │       │       │       │       │

LEGEND:
████ = strong, narrow analog FM-video carrier (always present, stable position)
░░░░ = Wi-Fi 802.11 channel (wide, rectangular in OFDM, appears/disappears in bursts)
▓▓▓▓ = FM sideband roll-off region

KEY DISTINGUISHING FEATURES:
• Analog FM-video carrier: ALWAYS PRESENT (not bursty); stable center frequency;
  symmetric sideband roll-off; center peak brighter than edges; typically 12–20 MHz wide
• Wi-Fi OFDM channel: BURSTY (comes and goes with traffic); rectangular spectral shape
  (pilot tones visible as peaks within 20 MHz flat top); 20 MHz or 40 MHz wide
How to spot it in practice:
- Always-on nature. An analog camera transmits continuously whenever powered. On a waterfall display (power vs frequency over time), a camera appears as a persistent colored stripe at a fixed frequency. Wi-Fi traffic appears as intermittent rectangular blobs.
- Symmetric, narrowed peak. The FM-video carrier’s spectral envelope is roughly Gaussian/bell-shaped, brighter at center and rolling off to the sides, rather than the flat-topped 802.11 OFDM shape.
- Scene-dependent spectral spread. When the camera is watching a high-motion scene (lots of frame-to-frame change), the FM deviation increases slightly, widening the carrier. A static scene (empty room, fixed scene) produces a slightly narrower carrier. This subtle variation is not easily visible on a casual sweep but can be used as a secondary confirmation.
- Stable center frequency. Unlike a frequency-hopping Bluetooth device or a FHSS camera, an analog FM carrier stays at a fixed channel (within crystal tolerance: ±0.5–1 MHz drift over temperature).
2.4.3 Sweep methodology: RBW, dwell, and sweep rate
Getting a useful analog-camera sweep from a spectrum analyzer or SDR requires setting three parameters correctly: RBW (resolution bandwidth), dwell time, and sweep rate.
Resolution bandwidth (RBW). RBW sets the minimum frequency step at which the analyzer can resolve two adjacent signals. In traditional swept-tuned spectrum analyzers, RBW is determined by the IF filter bandwidth. In SDR-based sweeps, it is determined by the FFT bin size (RBW ≈ sample_rate / FFT_size for simple rectangular windows; use Hann/Blackman windows for better sidelobe rejection):
RBW = sample_rate / (FFT_size × window_correction_factor)
Example: HackRF at 20 MS/s, 2048-point FFT, Hann window (correction ≈ 1.5):
RBW = 20,000,000 / (2048 × 1.5) ≈ 6.5 kHz
Example: rtl_power at 2.048 MS/s, default 512-point FFT:
RBW = 2,048,000 / 512 ≈ 4 kHz
For detecting a 12–20 MHz-wide FM-video carrier, any RBW from 10 kHz to 500 kHz will reveal the carrier clearly — the carrier is many RBW bins wide, so each bin shows the carrier’s local power. A very narrow RBW (< 1 kHz) would be unnecessary and slow the sweep. A very wide RBW (> 1 MHz) smears adjacent signals together, making it harder to distinguish the carrier from adjacent Wi-Fi.
Recommended RBW for analog-camera sweep: 25–100 kHz. This provides adequate frequency resolution to distinguish a 12 MHz FM carrier from a 20 MHz Wi-Fi channel, while not being so narrow that a single sweep takes minutes.
Dwell time. Dwell time (how long the receiver stays on each frequency step before advancing) determines sensitivity: more dwell = more averaging = lower noise floor = ability to detect weaker signals.
For analog cameras (always-on carriers), dwell time is not a sensitivity concern — the signal is always there. However, dwell time affects the update rate of the display. For a quick survey sweep, 1–10 ms per step is adequate. For a sensitive slow sweep hunting a weak signal, 100–500 ms per step is better.
For burst signals (cellular cameras, low-duty-cycle IoT cameras): you need dwell time long enough to catch at least one burst. LTE uplink bursts in motion-triggered scenarios can be as short as a few hundred milliseconds — a dwell of 1 second per step across a wide band means many steps are sampled during a burst, but the specific step containing the burst frequency may be missed depending on timing. This is an argument for triggered or repeated sweeps rather than a single pass.
Sweep rate (for sequential sweeping). When the analyzer must hop across a wide band (e.g., 1–6 GHz in 20 MHz steps = 250 hops), the total sweep time is:
Total sweep time ≈ N_hops × (dwell_time + settling_time)
HackRF sweep at 1–6 GHz, 20 MHz/step, 10 ms dwell:
N_hops = (6000 − 1000) / 20 = 250 hops
Settling time ≈ 1–5 ms (PLL lock + filter settle)
Total sweep ≈ 250 × (10 + 3) ≈ 3.25 seconds per full sweep
hackrf_sweep achieves ~1 sweep/second over 1–6 GHz in practice.
For an analog camera (always-on), a 1-second full-sweep update rate is more than adequate. You will see the camera on the first or second sweep pass.
2.4.4 Hardware and software options
HackRF One — full-band sweep.
The HackRF One is the preferred instrument for a comprehensive analog-camera spectrum sweep: it covers all three bands (1.2, 2.4, 5.8 GHz) in one command, and hackrf_sweep is purpose-built for this use case.
# Full-spectrum survey sweep (1–6 GHz)
# Covers all three analog-camera bands in a single pass
hackrf_sweep \
  -f 1000:6000 \
  -w 100000 \
  -l 32 \
  -g 40 \
  -r fullsweep.csv
# Parameters:
# -f 1000:6000 Sweep from 1,000 MHz to 6,000 MHz
# -w 100000 FFT bin width (frequency resolution) in Hz: 100 kHz here.
#   hackrf_sweep accepts 2,445–5,000,000 Hz for -w and rejects larger values;
#   the 20 MS/s sample rate and the tuner stepping are fixed by the tool itself.
# -l 32 LNA gain: 32 dB (0/8/16/24/32/40 dB, in 8 dB steps)
# -g 40 VGA gain: 40 dB (0–62 dB, 2 dB steps)
# -r fullsweep.csv Output: CSV with date, time, hz_low, hz_high, hz_bin_width, num_samples, then one dB value per bin
# Targeted 2.4 GHz sweep (narrow, higher resolution: 50 kHz bins):
hackrf_sweep \
  -f 2400:2500 \
  -w 50000 \
  -l 32 \
  -g 40 \
  -r 2p4ghz.csv
# Targeted 5.8 GHz sweep:
hackrf_sweep \
  -f 5700:5900 \
  -w 50000 \
  -l 24 \
  -g 32 \
  -r 5p8ghz.csv
# Note: lower gain at 5.8 GHz to avoid compression from nearby Wi-Fi AP signals
# Visualize hackrf_sweep CSV output using hackrf_sweep_to_plot.py (from hackrf-tools):
hackrf_sweep -f 2400:2500 -w 50000 -l 32 -g 40 -r 2p4sweep.csv
python3 hackrf_sweep_to_plot.py 2p4sweep.csv 2p4sweep.png
# hackrf_sweep_to_plot.py: https://github.com/greatscottgadgets/hackrf/blob/master/host/utils/hackrf_sweep_to_plot.py
# Alternative: import CSV into gnuplot, or use gqrx for real-time waterfall (see below)
RTL-SDR — 1.2 GHz band only.
The RTL-SDR with R820T2 tuner covers the 1.2 GHz analog camera band well. For 2.4 GHz and above, the RTL-SDR is not the right tool.
# RTL-SDR sweep of the 1.2 GHz analog camera band using rtl_power:
rtl_power \
-f 1100M:1300M:10k \
-g 40 \
-i 1 \
-e 120s \
1p2ghz_camera_sweep.csv
# Parameters:
# -f 1100M:1300M:10k Sweep 1,100 to 1,300 MHz in 10 kHz steps
# -g 40 Gain: 40 dB (0–50 dB range; reduce if saturated)
# -i 1 1 second integration per frequency line
# -e 120s Exit after 120 seconds (adjust as needed)
# Output: CSV with date, time, hz_low, hz_high, hz_step, samples, dBm...
# Visualize: use heatmap.py (rtl-sdr project) or import into a spreadsheet
python3 heatmap.py 1p2ghz_camera_sweep.csv heatmap.png
# heatmap.py available at: https://github.com/keenerd/rtl-sdr/blob/master/python/heatmap.py
Real-time waterfall — gqrx.
For real-time visual inspection (as opposed to logged sweeps), gqrx provides the most accessible waterfall display on Linux/macOS:
# Install gqrx (Ubuntu/Debian):
sudo apt install gqrx-sdr
# gqrx GUI settings for analog-camera waterfall inspection:
# Input: HackRF or RTL-SDR (auto-detected)
# Mode: WFM (Wide FM) — use this to *hear* the camera's audio when close to the
# carrier; the video baseband is inaudible but carrier presence is audible
# Bandwidth: 200 kHz minimum; 500 kHz–1 MHz recommended to see carrier shape
# FFT size: 4096 or 8192 for better frequency resolution
# Center frequency: start at each band center (1,160 / 2,432 / 5,780 MHz)
# Look for: persistent stripe in the waterfall at a non-802.11 frequency
SDR# (Windows, RTL-SDR). On Windows with an RTL-SDR, SDR# is the accessible alternative to gqrx. Similar settings apply (WFM mode, 500 kHz bandwidth, high FFT resolution). Limited to the RTL-SDR’s frequency range.
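The "how to spot it" criteria from 2.4.2 (always on, fixed center, brighter in the middle than at the edges, 12–20 MHz wide) can be applied directly to the CSV layout that hackrf_sweep and rtl_power write. The script below is an added example, not code from this series or from either tool: the function names, the 10 dB margin, the 0.9 duty threshold, the 10–24 MHz width window and the 3 dB center-to-edge figure are illustrative assumptions, and the capture it runs on is constructed inline.

```python
import csv
import io
import statistics
from collections import defaultdict

def parse_sweeps(text):
    """Sweep CSV -> {sweep timestamp: {bin centre Hz: dB}}.
    Assumption: every row of one sweep carries the same date+time stamp."""
    sweeps = defaultdict(dict)
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) < 7:
            continue  # blank or truncated line
        hz_low, bin_w = float(row[2]), float(row[4])
        for i, db in enumerate(row[6:]):
            sweeps[row[0] + " " + row[1]][hz_low + (i + 0.5) * bin_w] = float(db)
    return dict(sweeps)

def find_carriers(sweeps, margin_db=10.0, min_duty=0.9, min_bell_db=3.0):
    """Group bins that rise above (median floor + margin) and classify each group.
    All thresholds are illustrative assumptions, not calibrated values."""
    freqs = sorted({f for s in sweeps.values() for f in s})
    step = min(b - a for a, b in zip(freqs, freqs[1:]))
    floor = statistics.median(p for s in sweeps.values() for p in s.values())
    # Occupancy: fraction of sweeps in which the bin is above the threshold.
    occ = {f: sum(s.get(f, floor) > floor + margin_db for s in sweeps.values())
           / len(sweeps) for f in freqs}
    peak = {f: max(s.get(f, floor) for s in sweeps.values()) for f in freqs}  # max-hold
    runs, run = [], []
    for f in freqs:
        active = occ[f] > 0.1
        if active and (not run or f - run[-1] < 1.5 * step):
            run.append(f)
            continue
        if run:
            runs.append(run)
        run = [f] if active else []
    if run:
        runs.append(run)
    found = []
    for r in runs:
        third = max(1, len(r) // 3)
        edges = [peak[f] for f in r[:third] + r[-third:]]
        centre = [peak[f] for f in r[third:len(r) - third]] or edges
        duty = statistics.mean(occ[f] for f in r)
        width = len(r) * step
        bell_db = statistics.mean(centre) - statistics.mean(edges)
        if duty >= min_duty and 10e6 <= width <= 24e6 and bell_db >= min_bell_db:
            kind = "analog-fm-video-candidate"   # always on, 10-24 MHz, bright centre
        elif duty < min_duty:
            kind = "bursty"                      # comes and goes, like Wi-Fi traffic
        else:
            kind = "persistent-other"
        found.append({"centre_mhz": (r[0] + r[-1]) / 2e6, "width_mhz": width / 1e6,
                      "duty": round(duty, 2), "bell_db": round(bell_db, 1), "kind": kind})
    return found

def constructed_capture(n_sweeps=10):
    """CONSTRUCTED sample, not a real capture: 2,400-2,480 MHz in 500 kHz bins."""
    lines = []
    for n in range(n_sweeps):
        for r in range(16):                      # sixteen 5 MHz rows per sweep
            lo, vals = 2400e6 + r * 5e6, []
            for i in range(10):
                k = r * 10 + i
                f_mhz = (lo + (i + 0.5) * 5e5) / 1e6
                db = -75 + ((k * 7 + n * 13) % 5 - 2) * 0.25          # noise ripple
                db += max(0.0, 35 - 25 * ((f_mhz - 2432) / 7) ** 2)   # always-on bell
                if n % 5 < 2 and 2402 < f_mhz < 2422:                 # Wi-Fi-like burst
                    db = -55 + ((k + n) % 3) * 0.2
                vals.append(f"{db:.2f}")
            lines.append(f"2024-01-01, 12:00:{n:02d}, {lo:.0f}, {lo + 5e6:.0f}, "
                         "500000.00, 40, " + ", ".join(vals))
    return "\n".join(lines)

if __name__ == "__main__":
    for c in find_carriers(parse_sweeps(constructed_capture())):
        print(c)
```

To run it on a real capture, pass the contents of a sweep CSV to parse_sweeps() in place of constructed_capture(); a hit is only a candidate until it has been demodulated.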
2.4.5 Forward pointer: demodulation to confirm
Finding an FM-video carrier on a waterfall confirms that something is transmitting FM in the camera bands at that frequency — but does not prove it is a camera. The definitive confirmation step is demodulation: decoding the FM signal to recover the composite video signal, then displaying the video. If you see a picture, you have found the camera, and you see exactly what it is watching.
The demodulation workflow — GNU Radio FM-video demod flowgraph, GQRX plugin, or a dedicated analog video receiver — is covered in full in Vol 6 §2, including the specific GNU Radio blocks needed, the NTSC/PAL composite video output, and how to display the resulting video stream. The forward pointer is: spectrum sweep to find, demodulate to confirm and see what the camera sees.
Constraint #3 in practice: If your sweep reveals an FM carrier at 2,432 MHz that is always present, doesn’t burst like Wi-Fi, and demodulates to a recognizable video signal, you have found an analog wireless camera. If your sweep reveals no anomalous carriers, you have ruled out actively-transmitting analog cameras in those three bands — but you have not ruled out Wi-Fi cameras (different detection method, see Vol 3), cellular cameras (licensed bands, see Vol 6 §3), or non-emitting SD/wired cameras (see §5 and Vol 4).
2.5 What RF cannot catch
2.5.1 Non-emitting cameras: the RF blind spot
Constraint #1 (stated here, repeated in Vol 4, Vol 15): Non-emitting cameras — SD-card-only cameras and wired cameras — produce no radio-frequency emission of any kind. A Schottky diode detector, a log-amp RSSI meter, a HackRF One hackrf_sweep, a professional spectrum analyzer, and an LTE-band monitoring receiver are all completely blind to them. There is no gain setting, no sensitivity improvement, no antenna choice, and no software that changes this. Silence on the RF is a guarantee of nothing about non-emitting cameras.
This is not a limitation of cheap gear. It is the physics of the problem. An SD-only camera has no radio hardware — no oscillator, no PA, no antenna. There is nothing to transmit and therefore nothing to detect on any RF instrument. Understanding this constraint is what separates a defensible sweep from a useless exercise.
Anatomy of an SD-only camera (why it emits nothing):
SD-ONLY COVERT CAMERA — TYPICAL BLOCK DIAGRAM
┌────────────────────────────────────────────────────────────────┐
│ SD-ONLY COVERT CAMERA INTERNALS │
└────────────────────────────────────────────────────────────────┘
┌──────────┐ ┌──────────────┐ ┌───────────────┐ ┌──────────────┐
│ Lens │──►│ Image sensor │──►│ Video encode │──►│ MicroSD │
│ (pinhole │ │ (CMOS, e.g. │ │ (H.264/MJPEG │ │ card slot │
│ ≤3 mm) │ │ OV2640 or │ │ on MCU or │ │ (video file │
│ │ │ similar) │ │ dedicated │ │ stored │
└──────────┘ └──────────────┘ │ encoder IC) │ │ locally) │
└───────────────┘ └──────────────┘
│
▼
┌──────────────┐ ┌──────────────┐
│ PIR sensor │──►│ Power │──► LiPo battery or
│ (optional │ │ management │ mains via
│ motion │ │ IC │ disguised charger
│ trigger) │ └──────────────┘
└──────────────┘
RADIO HARDWARE PRESENT: NONE
ANTENNA: NONE
RF EMISSION: NONE
RF INSTRUMENT READING: Noise floor (indistinguishable from empty room)
The SD-only camera is retrieved physically — the attacker returns, removes the card, and copies the video. This is why it is preferred by attackers who have recurring access to a space (a malicious Airbnb host who checks between guests, a domestic abuser with free access) and why it defeats every tool that requires the camera to be “on the network.”
Anatomy of a wired camera (also RF-silent):
A wired IP camera (PoE, coax, or proprietary cable) runs video over a physical cable to a recording NVR/DVR. The NVR is typically installed in a concealed location (inside a wall, in a closet, in a utility space). The camera itself may be sophisticated — full H.264, ONVIF-compliant, RTSP streaming — but all of that happens on the wire, not in the air. An RF sweep detects nothing.
The wired camera is detectable by other means: optical lens glint (the lens retroreflects regardless of whether there is a cable behind it), cable tracing (Fox & Hound tone generator/probe), PoE voltage detection on accessible cables, or finding the NVR. These methods are covered in Vol 6 §5 (the wired-specific track).
The practical implication for sweep design. A sweep that consists only of an RF phase — even a thorough one with a log-amp detector, a HackRF sweep, and a Wi-Fi scan — cannot make any claim about non-emitting cameras. The honest conclusion after a clean RF sweep is:
After a clean RF sweep:
┌───────────────────────────────────────────────────────────────────────┐
│ RULED OUT: │
│ • Active Wi-Fi cameras on any local network (if Wi-Fi scan clean) │
│ • Active analog cameras at 1.2/2.4/5.8 GHz (if spectrum sweep clean)│
│ • Active Bluetooth cameras (if BLE scan clean) │
│ │
│ NOT RULED OUT: │
│ • SD-only cameras (no RF; zero information) │
│ • Wired cameras (no RF; zero information) │
│ • Any camera with RF disabled or powered off │
│ • Cameras transmitting on bands not swept │
│ • Cameras that powered up after the sweep │
└───────────────────────────────────────────────────────────────────────┘
The honest constraint in counter-surveillance: A defensible sweep that claims to rule out cameras must include at least one method that works on non-emitting devices. The minimum non-RF complement for a real sweep: optical lens retroreflection (a red-ring or IR-ring finder swept across all surfaces; a phone camera in a dark room to spot IR LED illuminators), plus physical inspection of plausible hiding spots. NLJD (the REI ORION class) is definitive but costs $10–15k and is the professional TSCM standard. These non-RF methods are covered fully in Vol 4.
2.5.2 Signals RF methods miss even when transmitting
Even for cameras that do transmit RF, there are transmission modes that broadband RF power detectors miss and that challenge sweep-based methods.
Frequency-hopping spread spectrum (FHSS). A frequency-hopping transmitter jumps its carrier across a range of frequencies in a pseudo-random pattern, dwelling at each frequency for only a fraction of a millisecond (Bluetooth Classic hops at 1,600 hops/second; IEEE 802.15.4 FHSS modes can hop at various rates). A swept spectrum analyzer that dwells on each frequency for 10 ms will be tuned elsewhere for the vast majority of the transmitter’s hop sequence and will see the transmitter only incidentally.
Consumer-grade FHSS camera transmitters are not common — they are more expensive than fixed-carrier analog or simple Wi-Fi cameras — but they exist. A dedicated FHSS-mode camera would be largely invisible to a spectrum sweep.
For a broadband power detector, FHSS signals are a mixed case: if the total average power is high enough, the power detector responds (it integrates across all frequencies simultaneously); but the response is weaker than for an equivalent-power continuous carrier because the energy is spread across the dwell period at any given frequency.
Burst-mode / low-duty-cycle transmission. A camera that transmits only during motion events — uploading a short video clip, then going silent — may be off the air during the sweep. Cellular cameras (LTE burst upload) are the canonical example. The burst duration may be seconds; the silence between events may be minutes. A spectrum sweep that takes 3 seconds to complete could be completed entirely during a 5-minute silence between motion events.
Mitigation: induce motion (walk in front of suspected camera positions, move your hands into likely fields of view) during the sweep, and repeat the sweep multiple times. A camera that uploads on motion will trigger its upload cycle when you walk in front of it.
Low-power or short-range cameras. A camera designed to operate at very close range (e.g., a pinhole camera in a wall socket 1 metre from the subject) may transmit at very low power — perhaps 1–5 mW (0–7 dBm) — to reduce detectability. At 1 metre this still delivers adequate signal-to-noise for the receiver; at 3 metres from the detector, the received power may be below the detector’s noise floor.
Free-space received power at 3 m for a 5 mW (7 dBm) source at 2.4 GHz:
FSPL at 3 m, 2.4 GHz ≈ 20 log₁₀(3) + 20 log₁₀(2.4×10⁹) + 20 log₁₀(4π/c)
≈ 9.5 + 187.6 − 147.6 ≈ 49.5 dB
Pr = 7 dBm − 49.5 dB ≈ −42.5 dBm (with isotropic Tx and Rx antennas)
A log-amp detector with a −60 dBm sensitivity floor could detect this signal at 3 m. A cheap diode detector with a −40 dBm floor would miss it. Sensitivity matters for weak or short-range sources.
Encrypted and compressed streams. Modern Wi-Fi cameras use WPA2/WPA3 encryption at the air interface; the payload is encrypted and inaccessible to passive observation. This does not affect power detection (you detect the frame-level energy regardless of content) but it does mean that detecting the presence of a camera does not automatically grant access to the video. The deauth-confirm technique (Vol 3 §6) and traffic-rate/motion-correlation (Vol 3 §5) work on the encrypted frame structure, not the video content, so encryption is not a barrier to detection — but it is worth noting that RF detection and stream access are different problems.
2.6 Resources
RF detection hardware
- HackRF One — Michael Ossmann / Great Scott Gadgets. 1 MHz to 6 GHz, half-duplex, 20 MHz bandwidth. hackrf_sweep utility covers all three analog camera bands. The HackRF One deep dive is the primary reference for setup, gain staging, and GNU Radio workflows.
- RTL-SDR V3 (RTL2832U + R820T2) — RTL-SDR Blog. 24 MHz to ~1,766 MHz. Covers the 1.2 GHz analog band; does not reach 2.4 or 5.8 GHz. $25–40. See the RTL-SDR deep dive for driver setup and rtl_power / gqrx workflow.
- TinySA Ultra — TinySA. 100 kHz to 6 GHz, portable spectrum analyzer. $120–200. Not an SDR (no IQ output), but the built-in spectrum display and sweep function cover all three analog camera bands.
- AD8307 log-amp IC — Analog Devices. DC to 500 MHz, 92 dB dynamic range, 25 mV/dB slope. LCSC: ~$6 in small quantities. Reference datasheet: https://www.analog.com/media/en/technical-documentation/data-sheets/AD8307.pdf
- AD8318 log-amp IC — Analog Devices. 1 MHz to 8 GHz, 70 dB range. For a wideband log-amp-based detector covering all camera bands. LCSC: ~$15.
- HSMS-2850 Schottky detector diode — Broadcom/Avago. Zero-bias Schottky, SOT-343 package. Best readily-available choice for the diode detector circuit. Mouser: ~$0.80.
Software
- hackrf_sweep — bundled with hackrf package (sudo apt install hackrf); source at https://github.com/greatscottgadgets/hackrf. Primary sweep tool for HackRF One. CSV output; pipe to gnuplot, Python waterfall scripts, or hackrf_transfer-based visualizers.
- rtl_power — bundled with rtl-sdr package (sudo apt install rtl-sdr); source at https://github.com/keenerd/rtl-sdr. Power sweep for RTL-SDR. Companion heatmap.py at the same repo converts CSV to a visual waterfall PNG.
- gqrx — https://gqrx.dk/. Open-source SDR receiver and waterfall display. Supports HackRF, RTL-SDR, and many other SDRs via SoapySDR. Linux and macOS; sudo apt install gqrx-sdr.
- SDR# — https://airspy.com/download/. Windows-native SDR receiver with waterfall. Primarily for RTL-SDR and Airspy hardware; HackRF support via SoapySDR plugin.
- GNU Radio — https://www.gnuradio.org/. The demodulation tool for analog-video recovery. Full FM-video demod flowgraph is in Vol 6 §2.
Academic and technical references
- Carlson, A. B., Communication Systems, 4th ed. McGraw-Hill, 2002 — classical FM detector and Carson’s rule derivation.
- Pozar, D. M., Microwave Engineering, 4th ed. Wiley, 2012 — Schottky diode detector theory (Ch. 10), square-law vs large-signal regimes, noise figure analysis.
- Analog Devices Application Note AN-691, “Operation of the AD8307 in Detector Applications,” 2003 — practical log-amp detector circuit design with gain staging.
- NTSC Standard (SMPTE 170M) — NTSC composite video baseband specification; 4.2 MHz bandwidth, 3.58 MHz color subcarrier.
- PAL Standard (ITU-R BT.470) — PAL composite video; 5.5 MHz bandwidth, 4.43 MHz color subcarrier.
- FCC Part 15, Subpart B (unintentional radiators) and Subpart C (intentional radiators in the ISM bands) — the regulatory envelope for unlicensed analog camera transmitters in North America.
Commercial detector references (spec-sourced, bench-unverified)
- K18 RF Bug Detector — representative cheap broadband diode detector; AliExpress/Amazon; specifications vary by supplier.
- REI MESA RF — professional wideband RF detector and spectrum analyzer for TSCM. Research Electronics International, https://www.reiusa.net/. Pricing ~$2,000–4,000 (spec-sourced).
- TinySA Ultra product page — https://www.tinysa.org/wiki/ — bench-calibration procedure and frequency accuracy specs.
Interconnects within this series
- Vol 1 §4 — the emission-class taxonomy; the analog-vs-Wi-Fi-vs-SD/wired taxonomy that motivates this volume’s focus.
- Vol 3 — Wi-Fi network analysis detection physics; the behavioral detection layer that complements the RF survey covered here.
- Vol 4 — finding non-emitting cameras; the methods that cross the gap RF instruments cannot bridge.
- Vol 6 §2 — analog wireless camera deep dive; FM-video demodulation to see the video feed; GNU Radio flowgraph; NTSC/PAL composite video capture. This is where the spectrum sweep leads when you find a carrier.
- Vol 9 §2 — commercial RF sweeper survey; the K18/ST-800 class in more detail, including the “what it actually catches” matrix.
Vol 2 ends here. Vol 3 shifts the detection layer from RF power and spectrum to the Wi-Fi network — vendor-OUI fingerprinting, mDNS/ONVIF discovery chatter, RTSP probe, and the most robust detection technique in the series: traffic-rate/motion-correlation, which works even through encryption.