Question about reverse-engineering a new mode

This is a bit of an idle question, but I’m hoping some knowledgable
folks on
here can offer advice. Mostly I’m trying to understand better what I
don’t know, and the size of the challenge, before jumping in to a
project:

I’d like to try decoding some AVL traffic in the 700-MHz band (GPS
locations
broadcast by transit vehicles to a central collector, where predictors
are
used to generate the ETAs displayed on electronic bus-stop signs). The
modulation is 4-FSK, similar to P25 except wider with a higher symbol
rate,
emission designator 20K0F1D. The particular frequency(s) should be easy
enough to discover. Transmissions are short packets on shared channels
with
some kind of slotted aloha or CSMA MAC. A rate-3/4 convolutional code
is
used. The preceding is public information gleaned from the web. I
haven’t
captured any signals yet.

The known unknowns: preambles and framing stuff, symbol mapping,
the particular rate-3/4 code used (only a couple of candidates though),
and,
the scrambler (whitener) and its initialization. AFAIK there is no
encryption per se. The payload is supposed to be TCP/IP, so there could
be
some sort of header compression.

My question, then, is given this information, are there reasonable odds
of
success? I have some digital comms background from grad school but
little
to no practical experience. Wondering if this might be an excuse to
pick up
a HackRF etc. and learn GNU Radio, or if it’s likely to be a dead end.

Thanks,

Mark

FIPS compliant security, device security, network security, access
controls, and application level security are all integral parts of
Public
Safety Network design and operation and AVL in particular. It is just
not
intended to be “super duper” APRS. I would not spend a lot money on
equipment if this is your only goal and the amount of money I would
spend
would cover a RTL-SDR dongle and not much more until such time as I was
certain that these serious impediments were surmountable. That said,
hackers (the good definition) live for this, and I encourage it.

Bob

Well, I do not expect public safety standards for bus AVL, often enough
they are nothing more than a pimped APRS system. Would be interesting
how the standard is called, what manufacturer…

I have built a system for an aviation authority (!), some years ago.
They needed a system to transmit high precision location data from
planes to ground station, for periodical recertification of ILS, radars,
beacons and such stuff around airports. Their demand was, the new box
must look exactly like the old one, in case somebody asks if the stuff
is still the hardware mentioned in the license; I’m not kidding. So I
have bought some 9k6 packet radio controllers with TRX on board,
modified the filters for around 300 MHz, programmed their assigned
frequencies into them, set them in some special mode to simulate a 4k8
RS232 cable…then took the sample of the old system, went to a milling
shop, with the order “make me six boxes like this one, but so that I can
install this different PCB into it”. We put the modified ham gear into
the boxes, made the interfacing 100% compatible, so the drop-in
replacement was perfect.

If you find (in central Europe) 9k6 FSK packet radio bursts in MIL AV
UHF band containing NMEA packets, it is very likely that it is my fault
:slight_smile: Quite often you can find simple stuff in places where really
something highly sophisticated is expected.

Ralph.

From: [email protected]lid
[mailto:[email protected]lid] On Behalf Of
Robert McGwier
Sent: Tuesday, May 26, 2015 12:27 PM
To: Mark H.
Cc: GnuRadio D. GnuRadio
Subject: Re: [Discuss-gnuradio] Question about reverse-engineering a new
mode

FIPS compliant security, device security, network security, access
controls, and application level security are all integral parts of
Public Safety Network design and operation and AVL in particular. It is
just not intended to be “super duper” APRS. I would not spend a lot
money on equipment if this is your only goal and the amount of money I
would spend would cover a RTL-SDR dongle and not much more until such
time as I was certain that these serious impediments were surmountable.
That said, hackers (the good definition) live for this, and I encourage
it.

Bob

On Tue, May 19, 2015 at 3:04 PM, Mark H. <[email protected]
mailto:[email protected] > wrote:

This is a bit of an idle question, but I’m hoping some knowledgable
folks on
here can offer advice. Mostly I’m trying to understand better what I
don’t know, and the size of the challenge, before jumping in to a
project:

I’d like to try decoding some AVL traffic in the 700-MHz band (GPS
locations
broadcast by transit vehicles to a central collector, where predictors
are
used to generate the ETAs displayed on electronic bus-stop signs). The
modulation is 4-FSK, similar to P25 except wider with a higher symbol
rate,
emission designator 20K0F1D. The particular frequency(s) should be easy
enough to discover. Transmissions are short packets on shared channels
with
some kind of slotted aloha or CSMA MAC. A rate-3/4 convolutional code
is
used. The preceding is public information gleaned from the web. I
haven’t
captured any signals yet.

The known unknowns: preambles and framing stuff, symbol mapping,
the particular rate-3/4 code used (only a couple of candidates though),
and,
the scrambler (whitener) and its initialization. AFAIK there is no
encryption per se. The payload is supposed to be TCP/IP, so there could
be
some sort of header compression.

My question, then, is given this information, are there reasonable odds
of
success? I have some digital comms background from grad school but
little
to no practical experience. Wondering if this might be an excuse to
pick up
a HackRF etc. and learn GNU Radio, or if it’s likely to be a dead end.

Thanks,

Mark


Discuss-gnuradio mailing list
[email protected] mailto:[email protected]
https://lists.gnu.org/mailman/listinfo/discuss-gnuradio

Bob McGwier
Co-Founder and Technical Director, Federated Wireless, LLC

Research Professor Virginia Tech

Senior Member IEEE, Facebook: N4HYBob, ARS: N4HY

Faculty Advisor Virginia Tech Amateur Radio Assn. (K4KDJ)

On 26 May 2015 03:28, “Robert McGwier” [email protected] wrote:

[…]
That said, hackers (the good definition) live for this, and I encourage
it.

Just wanted to emphasise this. Go for it! Worst case, you learn a lot of
interesting things.

Cheers,
M

Bob

On Tue, May 19, 2015 at 3:04 PM, Mark H. [email protected] wrote:

This is a bit of an idle question, but I’m hoping some knowledgable
folks on

here can offer advice. Mostly I’m trying to understand better what I
don’t know, and the size of the challenge, before jumping in to a
project:

I’d like to try decoding some AVL traffic in the 700-MHz band (GPS
locations

broadcast by transit vehicles to a central collector, where predictors
are

used to generate the ETAs displayed on electronic bus-stop signs). The
modulation is 4-FSK, similar to P25 except wider with a higher symbol
rate,

emission designator 20K0F1D. The particular frequency(s) should be easy
enough to discover. Transmissions are short packets on shared channels
with

some kind of slotted aloha or CSMA MAC. A rate-3/4 convolutional code is
used. The preceding is public information gleaned from the web. I
haven’t

captured any signals yet.

The known unknowns: preambles and framing stuff, symbol mapping,
the particular rate-3/4 code used (only a couple of candidates though),
and,

the scrambler (whitener) and its initialization. AFAIK there is no
encryption per se. The payload is supposed to be TCP/IP, so there could
be

some sort of header compression.

My question, then, is given this information, are there reasonable odds
of

success? I have some digital comms background from grad school but
little

to no practical experience. Wondering if this might be an excuse to
pick up

Thanks everyone for your responses. The funny thing is, I already
concluded
the way to go was to hook up an RTL-SDR dongle and start poking around.
Should be here this week.

I know the frequencies (based on FCC license search) and the hardware
manufacturer (IPMN). AFAICT there are a variety of technologies
available
for AVL, so any given transit agency is likely using something
different.

I see no insurmountable barriers getting to the point of successful
Viterbi
decodes. After that, it seems quite difficult. First I have to guess
the
whitening polynomial and its initialization, then figure out packet
framing,
and possible source coding. And all of this assumes nothing is
intentionally encrypted…

Mark

Andrew Clegg [[email protected]] wrote:

On 26 May 2015 03:28, “Robert McGwier” [email protected] wrote:

broadcast by transit vehicles to a central collector, where predictors are

the scrambler (whitener) and its initialization. AFAIK there is no

Mark

Bob McGwier


Discuss-gnuradio mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/discuss-gnuradio

Sounds like an interesting project. I’d like to know more about the
spectrum aspect – do you know which band segments in 700 MHz are used
for this in the U.S.? Me and my spectrum analyzer want to know :slight_smile:
Andy
Date: Tue, 26 May 2015 06:28:44 -0700
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [Discuss-gnuradio] Question about reverse-engineering a new
mode

On 26 May 2015 03:28, “Robert McGwier” [email protected] wrote:

[…]

That said, hackers (the good definition) live for this, and I encourage it.
Just wanted to emphasise this. Go for it! Worst case, you learn a lot of
interesting things.
Cheers,

M

Bob

On Tue, May 19, 2015 at 3:04 PM, Mark H. [email protected] wrote:

This is a bit of an idle question, but I’m hoping some knowledgable folks on

here can offer advice. Mostly I’m trying to understand better what I

don’t know, and the size of the challenge, before jumping in to a project:

I’d like to try decoding some AVL traffic in the 700-MHz band (GPS locations

broadcast by transit vehicles to a central collector, where predictors are

used to generate the ETAs displayed on electronic bus-stop signs). The

modulation is 4-FSK, similar to P25 except wider with a higher symbol rate,

emission designator 20K0F1D. The particular frequency(s) should be easy

enough to discover. Transmissions are short packets on shared channels with

some kind of slotted aloha or CSMA MAC. A rate-3/4 convolutional code is

used. The preceding is public information gleaned from the web. I haven’t

captured any signals yet.

The known unknowns: preambles and framing stuff, symbol mapping,

the particular rate-3/4 code used (only a couple of candidates though), and,

the scrambler (whitener) and its initialization. AFAIK there is no

encryption per se. The payload is supposed to be TCP/IP, so there could be

some sort of header compression.

My question, then, is given this information, are there reasonable odds of

success? I have some digital comms background from grad school but little

to no practical experience. Wondering if this might be an excuse to pick up

a HackRF etc. and learn GNU Radio, or if it’s likely to be a dead end.

Thanks,

Mark


Discuss-gnuradio mailing list

[email protected]

https://lists.gnu.org/mailman/listinfo/discuss-gnuradio

Bob McGwier

Co-Founder and Technical Director, Federated Wireless, LLC

Research Professor Virginia Tech

Senior Member IEEE, Facebook: N4HYBob, ARS: N4HY

Faculty Advisor Virginia Tech Amateur Radio Assn. (K4KDJ)


Discuss-gnuradio mailing list

[email protected]

https://lists.gnu.org/mailman/listinfo/discuss-gnuradio

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs