Identify That Signal - Help


Postby admin » Tue Aug 20, 2013 10:38 am

I have found a signal; it is definitely FHSS and in the 900 MHz ISM band. I suspect it is from the Silver Spring radio module in the power meter. I have viewed the signal in Baudline (pics below), but all I can get is a vague blob, so I have no clue on the modulation type. However, the exact same pattern repeats in different parts of the spectrum and with a regularity, so I know it's man-made. Can anyone recommend a better way to analyse this signal? The signal itself is very short; the small part is only 5 milliseconds.


Exmaple.png

Example1.png
admin
Site Admin
 
Posts: 28
Joined: Mon Nov 19, 2012 11:54 pm

Re: Identify That Signal - Help

Postby geekskunk » Tue Aug 20, 2013 12:44 pm

For confirming the source you could try simply powering off the device in question, or use a highly directional antenna to isolate. When you confirm the source you may be able to find specific reference material on the transmitter and waveform.

For demod, to start you could just attempt to process 1 hop to figure out the modulation and baud rate. Since it is so short, if you artificially process it at a much lower sample rate it may be easier to work with. Each burst pictured starts with a repetitive pattern, maybe alternating 1/0; that feature should help with processing.

For processing whole widerband FHSS you could test to see if hop pattern has any pattern or seems random. Look for frequency usage/repeats. Hop rate, dwell variable or consistent, frequency spacing minimum between hops, BW of a dwell.

Might be interesting to see an image of why you think it is FHSS, like adjacent hops in time but on different frequencies (a widerband shot).
geekskunk
 
Posts: 6
Joined: Sun Jul 28, 2013 9:05 pm

Re: Identify That Signal - Help

Postby admin » Tue Aug 20, 2013 1:08 pm

It is hard to isolate as every meter has one. However, I did look up the manufacturer's patent and it is FSK modulation, and I know how the hops are calculated. But I can't see the FSK in baudline, it's just a blob. I am a noob in baudline, so I'm sure I'm doing something wrong. I guess it's a matter of finding out how to cleanly view the signal; once at that point I think I will be right.
admin
Site Admin
 
Posts: 28
Joined: Mon Nov 19, 2012 11:54 pm

Re: Identify That Signal - Help

Postby geekskunk » Tue Aug 20, 2013 2:36 pm

I think you could be seeing the FSK, just the baud rate is so high it is difficult to see. If you could collect at a smaller BW (have less "noise" on either side of the waveform) it may make it more manageable to work with.

I haven't played with baudline yet, I may have to try to re-create your recording and play around with it to give better advice.

My A/C unit has a control device on the exterior for power company control. I live in a dense neighborhood, so I understand how it could be impossible to isolate from a neighbor's unit. (In my case it is only about 15 feet away.) Wishful thinking you might have been in a more rural area.

You may find Ossmann's recent brief and research planned interesting: [link]
geekskunk
 
Posts: 6
Joined: Sun Jul 28, 2013 9:05 pm

Re: Identify That Signal - Help

Postby sigblips » Wed Aug 21, 2013 10:27 pm

It is difficult to tell exactly what your modulated signal is just by looking at the spectrogram image. A cleaner looking image would help but even better would be if you attached a small I/Q data sample file.

There are many different modulation types that your signal could be. Below is a similar looking image that was collected at 1528 MHz for the [link] at the Allen Telescope Array (ATA). This signal has the same 3 tones and packet structure. The modulation type is Quadrature phase-shift keying (QPSK).

setiQuest 3-tone pulsed QPSK.jpg

Your signal could be PSK or it could be something else. Need to examine the raw samples to know for sure.
sigblips
 
Posts: 2
Joined: Wed Aug 21, 2013 9:31 pm
Location: Cupertino, CA

Re: Identify That Signal - Help

Postby admin » Thu Aug 22, 2013 1:33 am

Very interesting, definitely see a similarity in those signals. I managed to capture a small sample of the signal in question; it is centered at 921.5 MHz, 2Mb sample rate and is 8-bit unsigned: [link]. The only thing I know for sure is it's FHSS. If it's what I think it is, and that's a smart grid transmitter from Silver Spring, the manufacturer says it should be running at 100Kbps, and I heard some others say it was FSK, but that's just guessing.
admin
Site Admin
 
Posts: 28
Joined: Mon Nov 19, 2012 11:54 pm

Re: Identify That Signal - Help

Postby geekskunk » Thu Aug 22, 2013 6:31 am

Was able to get a bit better view of the signal with the settings and steps below. To summarize, I am going to agree/say it is FSK (technically MSK/GMFSK), 100Kbs, 50kHz shift.

It might be possible to manually determine bits, but it would be REALLY tough. Better off figuring out a way to demodulate it. (GRC? MATLAB?) Too bad baudline does not have a demodulation tool. (Perhaps others know some tools for doing that.) The previous post's SETI picture somewhat looked like a constellation plot from a PSK demod, but I couldn't figure out how to do such a thing with my baudline. Just started playing with it tonight. More notes below.

Process/TransformSize/2048
Windowing/Couchy/29.03
Screenshot082113211518.png

Zoomed in a bit more:
Screenshot082113211649.png

Zoomed in as far as Baudline allowed, slightly after the repetitive pattern:
Screenshot082113211749.png

Region of interest highlighted, then adjusted input/color aperture to make the signal "pop" more:
Screenshot082113212149.png

Screenshot082113212400.png


Manually measuring baud rate of signal (with time markers):
Duration of 10 likely bauds = .0001 (seconds), so 1/(.0001) x 10 = 100,000. So I think you're correct about the source of the signal, and your information on it sounds correct.

From the images above I think it is still hard to say "FSK" (maybe the documentation was using that in generalities), but perhaps it is really MSK: [link]. Getting a measurement of shift between the high and low freqs was tough to do. I was finding around 50K (which makes the MSK a good match, and perhaps explains a bit why the frequency transitions look so blurred). All told this was a stretch to do in baudline. MSK is tough to look at and be certain, could be GMFSK I suppose, also it kinda looks BPSK a bit... Perhaps someone else will figure out a more refined way to be sure (other than eye-balling it).

Screenshot082113213836.png

Screenshot082113214011.png
geekskunk
 
Posts: 6
Joined: Sun Jul 28, 2013 9:05 pm

Re: Identify That Signal - Help

Postby geekskunk » Thu Aug 22, 2013 6:49 am

You already mentioned Silver Springs Network; if you have not seen this, you may find it very interesting/helpful. Does confirm the 1/0 preamble, 50k shift, freq range and 100k baud rate. With a bit of work you could likely confirm the channel usage. Not sure if this is a final doc, but loaded with good info.
[link] (Found via a google on the words "silver spring network 100kb FHSS")
geekskunk
 
Posts: 6
Joined: Sun Jul 28, 2013 9:05 pm

Re: Identify That Signal - Help

Postby admin » Thu Aug 22, 2013 8:27 am

Very impressed, goes to show what baudline can do when you know how to use it. I'm going to fool around with gnuradio-companion to see if I can start to decode this thing. Once I can decode and find the beacon frame, implementing the FHSS should be pretty easy; then it's a matter of if they bothered to encrypt the data ;)
admin
Site Admin
 
Posts: 28
Joined: Mon Nov 19, 2012 11:54 pm

Re: Identify That Signal - Help

Postby sigblips » Fri Aug 23, 2013 1:18 am

Very nicely done geekskunk. Good MSK signal ID and impressive use of baudline. As you've discovered, [link] has many configurable parameters and controls that can be used to help extract signal information. The new IQ display is in a beta version of baudline that is under development and hasn't been released yet. If you would like to see more demo baudline IQ images then check out my [link] and my recent [link].

The rule that the frequency delta equals half the symbol rate makes MSK an unusual modulation scheme that can look like both FSK and OQPSK. This rule makes MSK very fast, constant modulus, and difficult to identify. This baudline image shows FSK looking transitions in one of the packets. Notice the 01010101... preamble at the start.

AMR-92_HackRF_MSK_spectrogram.png

That is an entire packet. I used baudline's "blip Fourier" transform with focus=1 for some improved time resolution and increased image detail. If you really wanted to and were very patient you could extract the bits from that image. It would be a bit easier (heheh get it?) if you used a zoomed in image like this though:

AMR-92_HackRF_MSK_spectrogram zoom in.png

Then I used baudline's [link] to measure a stable 100K symbol/sec rate with an error of about ±100 symbols/sec. The following IQ constellation display of the 010101... preamble verifies the MSK phase relationships:

AMR-92_HackRF_MSK_preamble_IQ.png

The bunch of lines is one side of a square and represents the (-1,+1) and (+1,+1) constellation points. The other points of the MSK phase transitions can be traced out but are less defined. There is a lot of variation with the symbols that follow the preamble and something seems odd in phase space. It could be phase distortion caused by the signal source, HackRF, or the environment. Let me know if you can successfully demodulate the MSK bits using a phase technique. It might be tricky.
User avatar
sigblips
 
Posts: 2
Joined: Wed Aug 21, 2013 9:31 pm
Location: Cupertino, CA
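
The measurements made by eye in the posts above (tone shift, symbol rate from ten preamble symbols, and the MSK rule that the shift is half the symbol rate) can be computed from raw 8-bit unsigned I/Q samples. This is an added example, not code from any poster: the burst is constructed in the script, assumed already cut out of the capture, and placed at an assumed 30 kHz offset from centre; all function names are hypothetical.

```python
import cmath, math, random

FS, BAUD, SHIFT = 2_000_000, 100_000, 50_000   # figures quoted in the thread

def constructed_bits(n=200, seed=7):
    """Constructed payload: 32-bit 0101... preamble, then seeded random bits."""
    rng = random.Random(seed)
    return [i % 2 for i in range(32)] + [rng.randint(0, 1) for _ in range(n - 32)]

def synth_burst(bits, shift=SHIFT, offset=30_000, seed=1):
    """Constructed capture: continuous-phase 2-FSK as interleaved 8-bit unsigned I/Q."""
    rng, phase, out = random.Random(seed), 0.0, bytearray()
    for b in bits:
        step = 2 * math.pi * (offset + (shift if b else -shift) / 2) / FS
        for _ in range(FS // BAUD):
            phase += step
            for v in (math.cos(phase), math.sin(phase)):
                out.append(round(127.5 + 100 * v + rng.gauss(0, 1)))
    return bytes(out)

def inst_freq(raw):
    """FM discriminator: phase advance between successive samples, in Hz."""
    z = [complex(raw[i] - 127.5, raw[i + 1] - 127.5) for i in range(0, len(raw), 2)]
    return [cmath.phase(b * a.conjugate()) * FS / (2 * math.pi) for a, b in zip(z, z[1:])]

def measure(raw):
    """Return (shift_hz, baud, modulation_index) for one isolated burst."""
    f = inst_freq(raw)
    s = sorted(f)
    centre = (s[len(s) // 10] + s[-(len(s) // 10)]) / 2   # midpoint between the two tones
    hi = [x for x in f if x > centre]
    lo = [x for x in f if x <= centre]
    shift = sum(hi) / len(hi) - sum(lo) / len(lo)
    # Time ten preamble symbols between tone changes, like the time-marker measurement above.
    edges = [i for i in range(1, len(f)) if (f[i] > centre) != (f[i - 1] > centre)]
    baud = 10 * FS / (edges[10] - edges[0])
    return shift, baud, shift / baud

if __name__ == "__main__":
    shift, baud, h = measure(synth_burst(constructed_bits()))
    # An index near 0.5 matches the MSK rule; it cannot tell MSK from Gaussian-filtered MSK.
    print(f"shift={shift:.0f} Hz  baud={baud:.0f}  h={h:.2f}")
```

On a real capture the tone transitions are smoothed, so the mean-based shift reads somewhat low, and the burst has to be located and trimmed before `measure` is applied.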
