INTELLIGENT SYSTEMS FOR BLOCKING CELLULAR TELEPHONY, COMMUNICATION CHANNELS AND CONTROL.


VASILIEV Oleg Aleksandrovich, Candidate of Technical Sciences,
EGOROV Dmitry Olegovich,
KADYKOV Aleksey Nikolaevich.

The article briefly examines the strategy for constructing systems for suppressing radio communication and control channels using panoramic reception to detect short signals and block the subscriber's receiver with a short spectrum-matched pulse.

One implementation of such a system is presented, using direct down-conversion of the frequency range and subsequent digital processing of the quadrature components on the Tornado E67 DSP controller.

The task of signal suppression is extremely important for anti-terrorist equipment for neutralizing remote control radio channels and information leakage channel protection systems.

Since in many cases there is negligible a priori data on signals to be blocked, the entire range in which the radio control or information transmission line can operate is usually suppressed.

The wider the frequency range covered and the greater the power of the barrage interference, the lower the probability of executing a command transmitted via a radio line.

Undeniable, but primitive.

Energy and human resources are not unlimited.

The principles of suppression used in electronic warfare are, at the very least, inhumane in peacetime.

The suppression system can be optimized by making it intelligent: first detect the signal and evaluate its parameters, and then pointwise block the radio line receiver to which the information contained in the signal is addressed.

As in the missile defense system, we first detect the target, calculate its trajectory, and then launch our anti-missile to destroy it. It is pointless to fire all the missiles at once, and it is expensive.

A typical example of such systems is a device for suppressing cellular communications in a given area, building, or room.

Signals in cellular networks can serve both as a command radio line and as a means of transmitting confidential information.

Similar functions can be performed by any modern radio lines that comply with wireless computer network standards (WLAN, Wi-Fi, ZigBee), various wireless access systems, etc.

Below we consider the strategy and basic principles of constructing intelligent blocking systems and show with an example that the energy gain of such systems over systems using barrage interference reaches tens of decibels at equal efficiency.

Detection of a short pulse in a given range

When constructing modern intelligent blocking systems, as well as radio monitoring and information protection systems, the main task is the rapid detection and calculation of the parameters of short signals lasting up to several microseconds.

These signals can be either single, for example, a coded control command, or an instantaneous sample from a stream of radio pulses of different frequencies.

Such a stream can be a channel for transmitting information in any communication system that corresponds to a certain communication standard, where a frequency hopping mode is used to improve noise immunity.

The FH mode is characterized by a change in the carrier frequency of the radio pulse according to a pseudo-random law at a high speed, for example, for the Bluetooth standard it occurs 1600 times per second in a band of 79 MHz. Accordingly, the spectrum of one pulse occupies a frequency band of about 1 MHz.

The frequency hopping mode is used to expand the spectrum (FHSS – Frequency Hopping Spread Spectrum) in wireless computer networks for data transmission using the IEEE 802.11 protocol and in various military radio systems.

One of the most typical examples is the frequency hopping mode in the GSM cellular communication standard, which is effectively used to combat signal fading, mainly when driving a car.

The duration of a radio pulse, or slot, in the GSM standard is 577 μs, and the duration of a radio pulse when requesting communication by a subscriber handset in both outgoing and incoming calls is only 300 μs.

The mobile phone goes on the air with a request pulse (Random Burst) on the duplex frequency of the base station control channel.

The entire subsequent process of information exchange between the subscriber terminal and the base station can already occur in the hop mode. The number of frequency channels used is determined by the base station.

Let us further consider the problem of detecting a short radio pulse, mainly in relation to the GSM standard cellular telephony system.

A system solving the problem of detecting a short pulse signal can be built in various ways.

It is known that the probability of detecting a signal depends on the signal/noise ratio, i.e. on the signal energy and the receiver sensitivity. The most important issue is the matching of the signal and receiver bands.

Ideally, the passband of the receiving device to the detector should repeat the shape of the spectrum envelope of the radio signal.

It is obvious that if the bandwidth of the receiving device, or the filter bandwidth of the measuring device operating on the broadband output of the intermediate frequency of the receiver, is several times narrower than the radio pulse bandwidth, then such a receiver will simply not respond to the signal acting on its input.

For the correct construction of the detector, complete a priori data on the signal, including the carrier frequency, are required.

In the problem under consideration with a frequency-hopping carrier, knowledge of all possible frequencies used for the hopping mode is necessary.

For the GSM standard, these are frequency channels: 124 full-duplex channels in the range of 890–915 MHz (reverse channels, subscriber terminals – base station) and 935–960 MHz (forward channels, base station – subscriber terminals), as well as 374 channels in the range of 1710–1785 MHz and 1805–1880 MHz.

The spacing between channels is 200 kHz.

In reality, of course, only a certain number of channels are used on which the base station can operate.

This may also be related to the distribution of the frequency grid between different telecom operators.

So, we will assume that all the a priori data are known to us, and the problem is reduced to energy detection of a signal over a time interval and evaluation of its parameter – the carrier frequency, or the frequency channel number in the GSM system.

As follows from the fundamental relationship (1) for calculating the sensitivity of the receiver, the minimum power of the detected signal increases with the growth of the analysis band, or the receiver bandwidth:

Pmin = -174 dBm + NF + 10lgB + A, (1)
where NF is the receiver noise figure;
B is the receiver bandwidth;
A is the detection threshold set in accordance with the selected criterion.

In the case where the signal is a radio pulse in a system with a frequency hopping mode (FH) over n frequency channels, with a total detection band B = nF, where F is the frequency band occupied by one channel, the minimum power of the detected signal, as follows from expression (1), increases compared to a single-channel detector by 10lg(B/F) = 10lg n dB.

For a GSM cellular communication system, this is 10lg124 = 20.9 dB for the lower range, and 10lg374 = 25.7 dB for the upper range, respectively.

Thus, a broadband detector is inferior in the energy of the detected signal to a detector matched by the channel band in the examples given by 20 or more decibels.

However, with a sufficiently powerful signal, it guarantees detection of the signal, while a single-channel detector in channel scanning mode has an extremely low probability of detection.

It is clear that in order to maintain the minimum power of the detected signal and a guaranteed probability of its detection (equal to one), a multi-channel detector is required, in which the number of matched receivers is equal to the number of frequency channels in the system, specifically 124 + 374 = 498 receivers for the GSM system.

 

Spectral Estimation in the Detection Problem

The problem of multichannel detection can be solved using digital signal processing methods.

The classical method of signal detection is spectral estimation of the components of the direct Fourier transform for the signal + noise mixture acting at the receiver input.

To obtain a spectral estimate, it is necessary to digitize the signal and calculate its spectral representation on a digital signal processor (DSP) using well-known algorithms, such as the fast Fourier transform (FFT).

Ideally, the received signal should be digitized as close to the antenna as possible, since in this case the digital representation of the signal will have the least possible spectral loss during further digital processing.

The classical way of signal filtering, i.e. separating a narrowband frequency channel from a wideband mixture of signal and noise, requires several frequency transformations through mixers and corresponding analog filters until the required accuracy (quality) in channel separation is achieved.

A digital signal processing (DSP) system usually uses a signal taken from the wideband output of the receiver's intermediate frequency, the values of which are usually selected from a standard set: 10.7 MHz, 21.4 MHz, etc.

Sometimes an additional down-conversion is applied so that a lower-frequency ADC with a larger number of bits and, accordingly, a larger dynamic range can be used. The signal digitization frequency is selected 2–3 times higher than the upper limit frequency of the receiver IF path passband.

The rapid development of digital technologies and the emergence of high-speed ADCs with clock frequencies of up to 1 GHz and higher have recently generated a trend of an ever-increasing shift of digital signal processing (DSP) systems towards the antenna.

With a standard receiver dynamic range of 60–70 dB at the IF output, a 12-bit ADC with its own dynamic range of 72 dB is sufficient to perform digital processing without significant losses.

Similar ADCs with a sampling frequency of 65 and 105 MHz are manufactured, for example, by Analog Devices.

In addition, it is possible to expand the frequency range of the analyzed signals approximately to the value of the ADC sampling frequency using modern methods of decomposing the input signal into quadratures.

Almost all digital demodulators and digital signal processing systems in cellular telephony, wireless computer networks, etc. operate on this principle.

Recently, the market of integrated circuits for processing high-frequency analog signals has seen the emergence of direct down converters (DDC – Direct Downconverter), which allow the output to receive the in-phase and quadrature components of the converted input signal in a frequency range of almost 100 MHz.

Then the in-phase and quadrature components are fed to two synchronously operating ADCs, the sample is stored in the buffer memory and then transferred to the DSP for spectrum calculation.
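The multichannel detection described in this section, as an added example that is not code from the article or from the system it describes: one 1024-point complex FFT of a quadrature capture is folded into 200 kHz channels and each channel is compared with the noise floor, and the same capture is also run through a single whole-band energy detector to show the 10lg n penalty of expression (1). The 51.2 MHz sample rate (which makes 1024 points a 20 μs capture), the 10 dB threshold, the median noise-floor estimate and the synthetic input are assumptions.

```python
import cmath, math, random

FS, N = 51.2e6, 1024        # assumed complex sample rate; 1024 points = 20 us capture
BAND, CH_BW = 25e6, 200e3   # one linear receiver's band and GSM channel spacing
N_CH = int(BAND / CH_BW)    # 125 channels per receiver

def fft(x):
    """Recursive radix-2 FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out

def channel_powers(iq):
    """Fold FFT bin energies into 200 kHz channels centred on the LO."""
    powers = [0.0] * N_CH
    for k, v in enumerate(fft(iq)):
        f = (k if k < N // 2 else k - N) * FS / N   # signed baseband frequency
        ch = math.floor((f + BAND / 2) / CH_BW)
        if 0 <= ch < N_CH:
            powers[ch] += abs(v) ** 2
    return powers

def detect(iq, threshold_db=10.0):
    """Return [(channel, dB above median noise floor)] for channels over threshold."""
    powers = channel_powers(iq)
    floor = sorted(powers)[N_CH // 2]               # median channel = noise estimate
    hits = [(ch, 10 * math.log10(p / floor)) for ch, p in enumerate(powers)]
    return [(ch, db) for ch, db in hits if db > threshold_db]

def wideband_excess_db(iq):
    """Excess of whole-band energy over noise: what one wideband detector sees."""
    powers = channel_powers(iq)
    floor = sorted(powers)[N_CH // 2]
    return 10 * math.log10(sum(powers) / (floor * N_CH))

def synth_capture(channel=40, amp=1.0, sigma=2.0, seed=1):
    """Constructed input: one tone at a channel centre plus complex Gaussian noise."""
    rng = random.Random(seed)
    f = (channel + 0.5) * CH_BW - BAND / 2
    return [amp * cmath.exp(2j * math.pi * f * n / FS)
            + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for n in range(N)]

if __name__ == "__main__":
    iq = synth_capture()
    print("channels over threshold:", detect(iq))
    print("wideband excess, dB:", round(wideband_excess_db(iq), 1))
```

The constructed tone is about 9 dB below the noise per sample, yet it stands well above the threshold in its own channel, while the whole-band energy rises by only a decibel or two.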

 

System implementation

The principle described above was used by developers to solve the problem of constructing the receiving part of the system of intelligent blocking of cellular communications and wireless access of all standards in force in Russia.

As an example, we will consider a specific receiving path designed for real-time monitoring of direct or reverse channels of a radio line of cellular communications of the GSM standard, in particular, for monitoring the broadcast and determining the carrier frequencies of subscriber devices.

The total frequency range in this standard is 100 MHz.

It is monitored by four linear receivers with a bandwidth of 25 MHz each, built on the principle of direct down-conversion of the signal with decomposition into quadrature components, together with an autonomous DSP system.

The block diagram of the linear receiver is shown in Fig. 1.

The input signal passes through a switch that selects the forward or reverse channels and is then fed to the direct down-converter.

The heterodyne contains a VCO and a frequency synthesizer controlled by the DSP system through a microcontroller over the RS-232 bus.

The DSP system controls the gain of the converter in the range up to 46 dB.

Since the heterodyne frequency is selected equal to the central frequency of the range and quadrature processing is used, the passbands of the low-pass filters are selected equal to half the width of the range, i.e. 12.5 MHz.

The quadrature signals from the converter after filtering by the low-pass filter are fed to the DSP system.

Fig. 1. Block diagram of the linear receiver

The autonomous DSP system, which performs the functions of a digital detector-analyzer, is built on the basis of an autonomous DSP controller of the TORNADO-E67 type from MicroLab Systems Ltd, on which a daughter module board of a high-speed ADC/DAC with a parallel AD/DA interface PIOX DCM is installed, as shown in Fig. 2.

The controller with the daughter board has two 12-bit parallel synchronous ADCs at the input with a maximum clock rate of 65 MHz. The clock generator is installed on the board.

Thus, the daughter module allows digitizing two input signals in a band of up to ? 30 MHz and transmitting data accumulated in the 256 K FIFO buffer memory via the parallel 16-bit PIOX-16 I/F interface to the DSP controller motherboard for signal processing.

In addition, at the input, the daughter module contains two static 4-bit MUX multiplexers in front of the ADC, which allows organizing 4 channels of quadrature analog-to-digital conversion, sequentially performing high-speed sampling for calculating the spectrum using FFT algorithms.

Fig. 2.

The core of the TORNADO controller is the TMS320C6701 digital signal processor (DSP) from Texas Instruments (32 bits, floating point, 1000 MFLOPS), whose architecture is optimized for parallel computing.

The board contains high-speed synchronous burst SRAM (SBSRAM), synchronous SDRAM and a FLASH memory chip.

The board has a dual-channel universal synchronous/asynchronous transceiver USART (10 Mbit/s) with two dual-channel interfaces RS422 I/F (10 Mbit/s) and RS232 (115 kbit/s), as well as a USB controller for connecting a control computer via the USB bus.

The board contains a parallel PIOX-16 interface for connecting a daughter module, a serial SIOX interface for controlling external devices, and a JTAG port for connecting emulators.

The controller requires no more than 17 μs to process data and calculate a complex spectrum of 2 by 1024 points using the FFT algorithm.

Hardware and software debugging using TI XDS510 and MicroLAB Systems MIRAG-5100 scan emulators was performed with the support of the Code Composer Studio IDE integrated software development environment from TI.

The total time for accumulating a sample and calculating a complex spectrum is 20 μs, which allows the signal to be detected with 100% probability three times within the duration of a request pulse.

Having solved the problem of detecting the request pulse and in accordance with the standard protocol, the DSP system calculates the channel and time interval in which the base station will transmit information intended for the specific subscriber who issued the request.

By controlling the fast frequency synthesizers of the suppression unit, it is easy to direct targeted interference at the subscriber's receiver and prevent it from receiving the information required for authentication. The subscriber's handset, having made a number of attempts to establish a connection, returns to the idle mode, remaining in service in the network.

The DSP system performs both the functions of discrete spectral analysis and the functions of controlling receivers and the entire system as a whole.

One DSP controller fully ensures the detection and analysis of GSM cellular signals in real time, since real-time analysis of the GSM cellular network requires the greatest computing resources.

A similar DSP controller simultaneously processes signals of cellular telephony standards AMPS/DAMPS, CDMA, NMT-450, WCDMA and wireless access DECT.

The system can operate in a completely autonomous mode or with data output to the control computer via the USB bus.

Downloading of programs for the DSP and system parameters is also performed via the USB port.

The user interface is shown in Fig. 3.

Fig. 3

The efficiency of suppression by targeted interference relative to barrage interference for systems with time division of access (TDMA) is determined by the same ratio of the bandwidth of the entire range of barrage interference to the bandwidth of the channel in which the targeted interference operates, i.e. 20–26 dB in the lower and upper ranges of the GSM standard.

However, given that the targeted interference is short-term (a packet of four pulses with a duration of 200–300 μs), and the barrage interference acts constantly, the real (integral) efficiency of the intelligent suppressor is incomparably higher than that of the system with barrage interference.

The equipment described above is designed to prevent information leakage via cellular telephony channels and wireless access during closed events and meetings in large rooms and halls.

To ensure silence, it can be used in theaters, concert halls, etc.
