I was quite intrigued by the S-Pen that came with my Samsung Galaxy Note 4. According to the specifications listed on Samsung’s site, the S-Pen supplied with the Samsung Galaxy Note 4 supports 11 bits (2048 levels) of pressure sensitivity and can be detected at a 15 mm hovering distance from the phone surface.
Kristofer at Android Authority had done a teardown of the S-Pen a couple of years ago (it was an older model, but the principle should be largely the same). And as we know, the S-Pen works similarly to an RFID tag, which is passively powered from the electromagnetic field generated by the phone. I thought it would be interesting to dig a bit deeper to see what the communication patterns look like.
Because the S-Pen is powered by the RF field via inductive coupling, we can use a pickup coil to detect the signals passed between the pen and the phone without having to take apart either. To do this, I disassembled a small speaker and used the voice coil as the pickup device (see picture below).
When the tip of the S-Pen is placed inside the coil near the screen, the communication waveform can be picked up. Alternatively, you could wrap some magnet wire around the pen tip and it would work equally well.
The communication waveform patterns can then be captured via an oscilloscope. The data waveform looks power optimized and each frame is roughly 15 ms in duration. The oscilloscope capture below shows the waveform within one and a half frames.
The RF carrier frequency appears to be in the 550 kHz to 560 kHz range (not a standard RFID frequency).
Here is what the baseline waveform looks like when the pen is not in the vicinity of the screen. Some small bursts of RF signals can be seen, which are presumably the “polling” signal used to detect the presence of the S-Pen.
Unfortunately, I do not have the equipment to further decode the signal. I did, however, capture some waveform data with a few different usage modes (e.g. pen hovering, pen pressing, etc.) using my Rigol DS1052E in long memory mode, and the data along with the descriptions are included towards the end of the post in case anyone is interested in trying to decode the protocol.
There are a few things we can deduce nevertheless. Because the carrier frequency is relatively low, this is strictly near field communication. This means that the screen can sense the location of the pen by detecting the dip in the RF field strength. This makes sense as there is no simple way for the pen to be actively monitoring and transmitting its location information.
The only information that is transferred between the pen and phone is the 11-bit pressure sensitivity along with the 1-bit value that denotes whether the S-Pen button is on or off. The remaining encoded information should contain some value that identifies the presence of the S-Pen.
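A first pass over a sampled pickup-coil capture, as an added example (not code from the original post): it locates RF bursts with a peak envelope, then estimates the carrier frequency and the burst-to-burst frame period. The sample rate, the one-burst-per-frame structure and the synthetic waveform are assumptions constructed for illustration; a real scope export would replace `synth_capture`.

```python
import math

FS = 5_000_000  # assumed sample rate in Hz; use the rate your scope export reports

def synth_capture(f_carrier=555_000, frame_s=0.015, burst_s=0.004, frames=3):
    """Constructed stand-in for a capture: one carrier burst per frame, no noise."""
    n_frame, n_burst = round(frame_s * FS), round(burst_s * FS)
    w = 2 * math.pi * f_carrier / FS
    return [math.sin(w * i) if i % n_frame < n_burst else 0.0
            for i in range(n_frame * frames)]

def find_bursts(samples, win=50, frac=0.5):
    """Return (start, end) sample indices of RF bursts via a block-peak envelope."""
    env = [max(abs(s) for s in samples[i:i + win])
           for i in range(0, len(samples), win)]
    thresh = frac * max(env)
    bursts, start = [], None
    for k, e in enumerate(env + [0.0]):  # sentinel closes a burst at end of data
        if e >= thresh and start is None:
            start = k
        elif e < thresh and start is not None:
            bursts.append((start * win, k * win))
            start = None
    return bursts

def estimate_carrier_hz(samples, start, end):
    """Carrier estimate from interpolated positive-going zero crossings."""
    xs = []
    for i in range(start + 1, end):
        a, b = samples[i - 1], samples[i]
        if a < 0 <= b:
            xs.append(i - 1 + a / (a - b))  # linear interpolation between samples
    return (len(xs) - 1) * FS / (xs[-1] - xs[0])

def analyse(samples):
    """Summarise a capture: carrier of the first burst, mean burst spacing."""
    bursts = find_bursts(samples)
    starts = [s for s, _ in bursts]
    periods = [(b - a) / FS for a, b in zip(starts, starts[1:])]
    return {
        "carrier_hz": estimate_carrier_hz(samples, *bursts[0]),
        "frame_s": sum(periods) / len(periods),
        "bursts": len(bursts),
    }

if __name__ == "__main__":
    print(analyse(synth_capture()))
```

On a noisy real capture, the envelope threshold `frac` and window `win` need tuning so that the short polling bursts and the data bursts are separated cleanly.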