Recognizing that radio monitoring devices increasingly need to analyze and automatically classify known communications standards, the “RadioInspector” software engineers have developed a digital signal analysis option, “DTEST” (“Digital Test”). The option performs digital (software) demodulation of the most common communication standards and classifies signals according to those standards. It is very simple to use: set the cursor on the signal you want to explore and push the button.
The program tunes the instrument to the cursor’s frequency, receives necessary data and performs IQ signal demodulation for a given communication standard. The result of demodulation and signal classification is displayed on the screen.
DTest uses an array or a stream of IQ data transmitted by the instrument. The current version of RadioInspector’s “DTest” option implements demodulators for the following communication standards:
AM and FM analog signals;
Analog TV signal PAL / SECAM / NTSC (displays video);
APCO25 (voice demodulation);
DMR/MOTOTRBO (voice demodulation);
IEEE 802.15.4 family standards (ZigBee, ISA100.11a, WirelessHART, MiWi and other protocols).
Compliance Table of the devices’ capabilities connected to the “RadioInspector” software with digital analysis and streaming demodulation of digital signals (DTEST) option (the possibilities for identification, classification and demodulation depending on IQ bandwidth, IQ length and possibility of streaming of IQ).
“RadioInspector” software (DTEST option) IQ requirements (memory and sample rate) for the analysis of digital signals.
To analyze digital signals the instrument must capture an IQ array with the specified bandwidth (sampling rate; on modern instruments the sampling rate is about 125% of the bandwidth) and at least the minimum IQ recording time. The required bandwidth and the required IQ recording time are determined by the standard of the digital signal being analyzed.
For example, DECT signals have a minimum sampling rate of 2000 kHz and a minimum IQ recording time of 200 ms. If the instrument does not support a sampling rate of 2000 kHz, then the program selects the nearest available rate higher than 2000 kHz and resamples the IQ to the rate required for DECT demodulation. If the instrument cannot capture IQ at 2000 kHz or higher, the DECT standard cannot be demodulated (the error message “insufficient sampling rate” will be displayed).
The majority of instruments have built-in memory for recording IQ. (Note: some instruments do not have built-in memory but can produce IQ as a continuous flow. For such instruments, for example the Rohde & Schwarz PR100 and SignalHound BB60, the memory size limitation does not apply.) The required minimum sample rate and minimum IQ recording duration define the minimum memory size requirement:
For example, when analyzing the DECT signal, minimum size of IQ memory must be 0.2 (seconds) * 2000 kHz = 400 kWords of IQ.
If an unknown signal is analyzed by DTEST for several digital data transmission standards at the same time, the IQ is saved only once, with the maximum sampling rate and the maximum recording duration among all selected standards, to reduce the testing time. (The program converts the IQ for each standard; digital demodulation for all the selected standards is performed simultaneously in different threads of a multi-core CPU.)
The algorithm for simultaneous demodulation of different standards is as follows:
The program selects the maximum IQ sampling rate among all digital standards that need to be analyzed (let’s name it “Fd”). If the maximum sample rate of the instrument is less than the sample rate required for a digital standard, that standard cannot be analyzed (the error message “insufficient IQ sampling rate” will be displayed).
The program selects the maximum IQ recording duration among all digital standards that need to be analyzed (let’s name it “L”).
The program checks whether the required length of IQ can be recorded in the available memory of the instrument. The memory size required for IQ recording is M = Fd * L.
If the IQ memory size of the instrument is less than the “M” value, a new value is calculated as “L1” = Mavailable / Fd, where “L1” is the maximum IQ recording time for the selected instrument.
If the “L1” value is less than the minimum IQ recording time required by any of the digital standards, demodulation of those standards is not performed (the error message “insufficient size of the IQ memory” will be displayed).
For example, we have chosen the spectrum analyzer Rohde & Schwarz FSU. Digital standards TETRA, APCO25, DMR, GSM, Bluetooth, DECT are selected for analysis.
The minimum sample rate required for the simultaneous analysis of all selected standards is Fd = 2000 kHz (determined by the DECT standard). The instrument is able to support this sample rate. The required IQ recording time is 1 second (L = 1 second, defined by the GSM standard). The required IQ memory size is M = 2000000 IQ words.
The Rohde & Schwarz FSU spectrum analyzer has a memory size of only 523,776 IQ words. This memory is enough to record IQ of length L1 = 523776/2000000 = 0.26 seconds at a 2000 kHz sample rate.
For the analysis of the TETRA standard, an IQ record length of 1.076 seconds is required. The TETRA analysis test will not be performed; the error message “insufficient size of the IQ memory” will be displayed.
For the analysis of the APCO25 standard, an IQ record length of 0.8 seconds is required. The APCO25 analysis test will not be performed; the error message “insufficient size of the IQ memory” will be displayed.
For the analysis of the DMR standard, an IQ record length of 0.8 seconds is required. The DMR analysis test will not be performed; the error message “insufficient size of the IQ memory” will be displayed.
For the analysis of the DECT standard, an IQ record length of 0.2 seconds is required. The DECT analysis test will be performed.
For the analysis of the Analogue TV standard, an IQ record length of 0.1 seconds is required. The Analogue TV analysis test will be performed.
For the analysis of the GSM standard, an IQ record length of 0.98 seconds is required. The GSM analysis test will not be performed; the error message “insufficient size of the IQ memory” will be displayed.
Which standards can be tested at the same time on the selected instrument can be determined empirically.
AM and FM analogue signal demodulation
Demodulation of AM and FM analogue signals is possible for instruments that send a real-time flow of IQ data (currently available only from software defined radios or spectrum analyzers). Demodulation is possible over any frequency range provided by the instrument, from the maximum down to 200 Hz. For AM signals phase-locked loop techniques may be possible.
Demodulation of DECT signals provides detection of base station addresses (RFPI addresses) and of connected handsets which are in active mode (talk mode). For each base station and active handset, the signal level is determined so that they can be searched for using amplitude direction finding techniques. Determining the list of legal addresses of a DECT base station allows the operator to discover any new DECT voice data channels present in a controlled premise, which might be used as radio microphones. RadioInspector does not perform voice demodulation as DECT uses data encryption.
Figure 1. Signal analysis (DECT standard)
Demodulation of a TETRA signal determines the values of MCC, MNC, ColorCode and other signal parameters. These parameters may be used to monitor that TETRA transmitters are operating properly. If the “DMO” mode is in use (“DMO” mode is a mode where 2 handsets have a direct connection with the ability to activate one handset from another), RadioInspector pops up a warning message about “DMO” mode. DMO mode can very easily be used to turn a TETRA handset into an illegal and clandestine radio frequency-based listening device for creation and activation of clandestine. RadioInspector does not perform voice demodulation for TETRA signals.
Figure 2. Signal analysis (TETRA standard)
The GSM demodulator derives the MCC, MNC, LAC, CI, and sector information. In addition, the TCH data channels that are linked to the analyzed BCCH channel and neighbouring BCCH channels can be received. Knowledge of these parameters allows the operator to determine the topology of GSM networks (GSM450, GSM850, GSM900, GSM1800, GSM1900). Illegal GSM base stations and GSM bugging devices can then be determined.
Figure 3. Signal analysis (GSM standard)
RadioInspector’s GSM signal analysis allows identification of “substituted” base stations which can be used in the interception of GSM traffic. RadioInspector does not perform voice demodulation of GSM standard.
The BlueTooth signal demodulator determines the addresses (LAP addresses) of BlueTooth devices which are switched on and in an active state (BlueTooth devices operating in the beacon mode, that is, periodically broadcasting beacon data), or operating BlueTooth devices. An estimation of transmitted traffic is displayed. From the evaluation of transmitted data, it can be determined whether voice, burst data or file transmissions are occurring. A list of authorized LAP addresses can be used to identify any new BlueTooth transmitter, such as a BlueTooth keystroke logger, operating in a controlled premise. Received signal levels can be used to search for a BlueTooth transmitter with a given LAP address.
Figure 4. Signal analysis (BlueTooth standard)
Analog television PAL/SECAM/NTSC
The TV demodulator classifies TV Signals. The operator simply places a cursor onto the TV signal frequency identified by RadioInspector, and the demodulated video is displayed in a separate pop-up window.
Figure 5. Signal analysis of analog TV
When demodulating a TV signal RadioInspector defines the correct TV standard and synchronizes video accordingly. At low signal/noise ratios, if the program cannot synchronize the image and if video coding is in use, manual synchronization of lines and video frames can be used to provide a better display.
Figure 6. Video frame (Analogue TV)
The APCO25 demodulator allows classifying APCO25 signals, displaying the source and destination addresses of messages, determining the network ID and demodulating voice if encryption is not used.
Figure 7. Signal analysis and voice demodulation (APCO25 standard)
The DMR demodulator allows classifying DMR signals. The operator simply places a cursor onto the DMR signal frequency identified by RadioInspector, and the network ID, source and destination addresses of messages are displayed in a separate pop-up window. Demodulation of voice is possible if encryption is not used.
Figure 8. Signal analysis and voice demodulation (DMR standard)
For ease of use of RadioInspector’s “DTest” option, a special software utility was created to automatically ‘identify while scanning’ signals that exceed an operator defined RF signal level threshold line. This utility is used to automatically identify the DECT, BlueTooth, GSM, TETRA, APCO25, DMR and Analogue TV communication waveforms. The operator simply selects “Signal Classification of Common Signals” and a list of identified and classified signals is created automatically while scanning the radio frequency spectrum.
Figure 9. Software utility for signal analysis of communication standards