 For those of you who don't know who this man is, what are you doing in this room? Seriously, if you have any interest in radio or anything like that, if you don't know who he is, you need to watch this, enjoy it, and then leave and just get on Google, find all the rest of his talks. This man has done everything from printing upside down pictures of people's faces on the waveform that I was trying to decode through controlling 30-year-old space probes, which I'm not certain. Was it launched before or after you were born? Before. The man is quite impressive. He's taken over things in space that were launched before he was born. I really don't know what else to say except for listening to everything he has to say because I need to sit down and do the same. Thank you much. Muchly for that introduction, very kind. So, thank you for attending and coming out today. My name is Barlett Siever. I work at Bastille Networks. We're securing the Internet of Things. And today I'd like to go on this workshop with you to actually go through and show you some tools and tricks and techniques that you can use with open-source software, Gunnu Radio, and software-defined radio hardware to begin to reverse engineer signals. So the idea is that you have something out there that you see on your spectrum, something that looks interesting. It might be coming from a terrestrial source. It might be coming from a satellite. And you have no idea what it is. There's no information about it. You can Google around, but what have you got to search for? What keywords? So the idea is that you can apply some pretty common little tricks. I'll show you what they are in Gunnu Radio, and you can go out and apply them. And once you learn a little bit more about the data, the modulation that you're looking at, then you can go and do some additional research about that on the Internet. So what I'm going to do today for those people that actually have their SDR set up with Gunnu Radio is I have recorded some signals off the air, and I am actually now re-broadcasting them over the air. Well, let's just say if I'm being recorded, then I would ideally be transmitting them into a dummy load. So if you want to record anything, then you should be really, really close. But let's just say if you wanted to try and see if there was a signal there, I think 622 MHz looked unoccupied at the moment. Yeah, something like that. So just a moment ago, I was running... So this is... Who's actually heard of or familiar with Gunnu Radio? Just show of hands. All right, everyone. So everybody's seen GRC? Does anybody not entirely show what GRC is? The Gunnu Radio companion is a graphical user interface that sits on top of the Gunnu Radio runtime, and it's used to actually generate the Python code that invokes Gunnu Radio. So Gunnu Radio, the performance stuff is written in C++ and assembly, and then you've got Python code that can be used to glue everything together at the application level, and then you have this GUI also if you want to attempt to run things there. And what's happened here? Naturally, the cost of the demo has struck me right away. Why didn't that work? Amazing. What happened there? I haven't been very lucky this week. Whoa. All right, never mind. We'll skip that. I just wanted to show you the radio spectrum, but maybe instead I can run communication zero. So I'm just going to bring up the radio spectrum now. I know what's going on. The problem is, and this can happen sometimes when you have multiple SDRs connected to the one computer, you don't know what it's going to pick up. I actually have a B200 and an N210 connected, and I think it was trying to use the N210 and failing because it can't quite support the bandwidth. So let's give that one more go then. Where's my Gunnu Radio? There you go. All right. So if we go to 622 mega... Oh, that's sample rate. Probably can't go that high. Let's go to 2010 megahertz sample rate, and if we go to 622 megahertz, then can you see this central portion in the band there? There are these interesting signals there. Now take it down to one megahertz. You can see we've got the spectrum here, right? And as it happens, I have recorded this at some point many years ago now actually, and if you want to try and receive this signal, it'll be there. So I will try to increase the amplitude so that you can get a good clear capture of it. And this signal, as it turned out, was actually coming down from one of the transponders on a satellite in geostationary orbit above Australia. I had a friend, and he had a dish pointed up at this particular bird, and the satellite decoder boxes with which you used to watch satellite television has one of those LNB through ports on the back. So the dish has a low noise block down converter, and you get the down converted signal coming out the back of one of these boxes, and I thought, well, hook a USRP up to it, and then actually see what else is coming down from the bird. So if we have a quick look at this presentation here, this one is an old one that I put together, and you can have a look, it's on my website, but this is sort of going to be the basis for what we're going to do today. So a lot of satellites up there are actually known as bent pipes, so all they do is they receive signals from the ground and then re-broadcast them back down to the earth. So in a lot of instances, you might have various V-SAT terminals or small transmitters that will transmit up to this satellite in geostationary orbit. It receives a signal, like in fact certain SATCOM transponders on planes, you might think of MH370. It's come back into the light of the news lately, and they're sent back down and usually received at a central location. So apart from just being a bent pipe on all of these transponders on a satellite, they also send down telemetry, they send out information about the satellite and the health of the satellite, and they're also accepting commands from the ground station to change very subsystems on board. So this is the particular satellite that we were looking at at the time. These are the up link and down link frequencies. Lots of transponders they use for TV, but some other interesting narrowband things. And if you look up the public manual for the satellite, it actually gives you the spot beam coverage for the continent that it's facing. It also gives you the band plan of the channels on the transponders and actually went to the ground station to get pretty pictures of that. And if you go and look at your frequency regulatory authorities database, you can see that it's actually got a whole bunch of point to point links and other frequencies allocated for television, digital television. And what do you know, they went into the ground station itself, so you can see what sort of modems they're using. So once you actually have a look and zoom in, do a bit of analysis there, you can quickly figure out what style of modem they're using, get the manual, see what kind of tracking receivers and control systems they're using, read those manuals too so you can do a little bit of background recon regarding the systems that might be used. Yes, question. I didn't get in there. CNET got in there and they published the photos publicly online. I mean, I'm sure they probably had to get permission and it was all vetted, but it was by accident that I found that it was just interesting to see what information could glean from that. And as I did this research, I quickly discovered that there are particular protocols, particular scramblers, particular forward error correction processes that are quite common to satellite links. So it gave me a good idea on where to start. So to actually receive things, you need a satellite dish, a low noise block, down converter because these signals are up at 11, 12 gigahertz. You want to get that down for something that a software defined radio can actually receive. This is an example. One of them, if you're doing narrowband stuff, you want to get something with high stability so that your signal doesn't move around that much. A lot of the cheap dishes that you get that you mount on the side of a home to just receive television, they're very cheap and then don't have a very stable local oscillator later inside. But that's okay because the signals that are coming down for TV are very broadband. And if you have a very broadband signal, then your receiver can actually lock onto that signal and track it as it moves around due to the instability in your oscillator. If you're looking at very narrowband stuff, then that's harder to track if it moves around a lot. So you need to pay extra for one of these. And then you can do some more Googling around. I found that this Optus D1 bird might have had this sort of telemetry transmitter. It says it's using phase modulation, so that's another clue. And this is a picture of the telemetry there. We'll come to that. We'll come to the visualization too. And then, so what we're going to go through is actually decoding one of these interesting narrowband transmissions that I found from the bird. And we'll go, excuse me, through each of these steps to try and get at the raw data. And then eventually, once we get there, we'll talk about phase shift keying and scrambling and forward error correction. And we're basically going to go through this process that I'll demonstrate to you. So I know that we have two hours blocked out. I've created a very ambitious schedule and I'm sure we're not going to get through all of it. But if we can, I would have liked to get to a point where we reconstruct some of these flow graphs. Wrong way. So we're going to try and look at that satellite downlink radar over HF and what that looks like. Using fast autocorrelation to discover periodic components to signals and then help ID them so that applies to the radar as well as to digital radio Mondial, which is an OFDM narrowband transmission over HF. And that is used to actually broadcast digital audio around the world over very, very long distances. And then look at actually the beacon, the telemetry beacon coming down from that satellite and how you can create a flow graph to do that. So we'll get started on that. Any questions so far? All the people that are participating have got their receivers set up. Have you been able to tune to that frequency and you can see signals? Yeah. All right. So let's have a look at what's going on here then. I'm going to cheat a little bit and I'm just going to replay it from a file. It's the same file that's going out, but I'm just going to replay it from a file here. So what we'll do is we'll try and do things from first principles. And please at any stage, if you have questions, then just shout them out and I'll repeat it from the mic. I must say there's a guy here that's just stepped in the room. I have to point him out because he's an absolute legend. This guy here helped me out a big time last year at DEF CON. We were sitting in the Penn & Teller Theater and it was a huge line. It was really difficult to get in and we camped out and we finally got a seat. And I got a call from my friend Austin Epps who was the lead engineer on the ISE E3 reboot mission saying that one of the science experiments needed to be rebooted. And of course you don't get on the Wi-Fi at a place like this. And I need to SSH in to the computer that we left at the Air Receiver Radio Telescope to send commands to the satellite to reboot this thing because it was doing the fly-by and we only had limited amount of time and we were getting valuable science data from a particular solar science data recorder. And I didn't know what to do. Unfortunately I had no cell reception so I couldn't tell it to my phone. But I was sitting next to Anne as we got talking about SDR. And he said, oh, look, I've got a phone here with tethering capability. And I thought, oh, I've sized him up. He seems like a good bloke. I'll trust my judgment on this. And he was nice enough to let me tether to his phone. So we actually ended up communicating with the space probe flying toward the Earth at 4.2 kilometers a second, first from my laptop tethered over Wi-Fi to his telephone then from his telephone over the cellular network to the core network and then out an IP gateway to a laptop in Arrasibo through SSH that was then connected to the radio telescope via software-defined radio sending out at 2.1 gigahertz commands up to the boot. So thank you very much for your help there. That really pulled me out of a tight spot. It's generosity like that in the lack of reliable Wi-Fi that really makes it all worth it. So thank you. So that file that I've got playing over the air is actually, I realized I might actually use this because I need two hands. How do you operate this thing? It's mechanical. It's too hard. All right, I'll just make do. So what we've got is we've got this WAV file. And usually, when you've got a WAV file or a capture file, you need to know what sample rate you've recorded it at. And I know that I recorded this one at one mega-sample per second. So you can put in a million. I generally like to do a bit of a shortcut so you can go int 1e6 like that. And that gives you your sample rate. If you're capturing, you can probably sample at one mega-sample per second because the original capture is like that as well. So in this case, I've got a WAV file. It's a WAV file because I actually like to use HDSDR, which is this app. This is actually running under wine on my Mac, but you can run it natively under Windows and you can also run it under wine on Linux. And with some trickery, you can connect them to all sorts of different software defined radios too. There's XTO plugins. I wrote one a while back and it supports U-SURFs and RTL and FunCubes and UDP streaming to Gnu Radio. There are other ones there that are sort of newer for RTL and things like this. But if you were to find that file and play it back, is it this one? No. This one. So this is the file. This is what it looked like when I was originally recording it and you can see all these narrow band signals there coming down. I thought, hmm, it would be interesting to try and figure out what these actually are and how the data is encoded and how it's modulated. And if this was coming in live through, say, U-SURF, I would click record and it will record this WAV file. Similarly, you could use other utilities like RX samples to file and that would just give you a baseband capture file the same way. But here, because we've got a WAV file, we have INQ. It's a complex recording. So we want to turn that into something complex. So we go float to complex. And we can hook that up easily like this. And because we're also playing back from a file, we're not actually using any hardware in the loop, like a U-SURF or an audio card. We ideally want to use a throttle to make it look like it's a live stream. If you don't use a throttle and a flow graph, the flow graph will run as quickly as it possibly can because there's nothing supplying any back pressure. There's nothing with an external hardware clock to impose a rate across the entire flow graph. So sometimes you want flow graphs to run as quickly as they possibly can because let's say you want to process a bunch of files in a batch system. There you don't want to be IO bound or anything like that. You just want it to be CPU bound so it runs as fast as you possibly can here. We want it to run in real time, so we do that. You can just grab Tim, where are you? So Tim O'Shea here, I should point out, is a very integral member, part of the GNU Radio development team. He's going to be speaking later on some interesting stuff. But he's made enormous contributions to GNU Radio. Really, really clever guy, done some amazing stuff. And I've got to apologize, especially to you. I'm still going to use WX today. So GNU Radio supports two different sorts of GUI frameworks for displaying stuff on screen, once QT. This is the new world order. It's really nice, but I just happen to be old school and I like WX, so I'm going to switch it to WX. Now, you can drop in one of these FFT sinks, hook it up, and just run this, and we'll call it... And there, once again, we have that spectrum that we saw, both in HDSDR and that you guys should see on your laptops. So that means we're correctly now decoding this WAV file. The next step of this is that we want to actually focus in on one of these transmissions. So this is essentially step one. This is known as channel selection. And what you can do then is you can use what's called the Frequency Translating FIR filter to narrow in on a particular signal of interest. So what I'm going to do is I'm going to leave the main one there and then I'm going to get this second FFT, hook this up. But we need to figure out how much we're going to decimate by, because remember, initially we started with a one-megasample per second stream, and we want to narrow that down to a much narrower bandwidth. So I'm going to just completely guess and say we're going to decimate by 20 and end up with a particular sample rate there. So if you like to use GINU radio companion, then I highly recommend you get in the habit of using variable blocks. Because what variable blocks let you do is put in these little expressions. And so when you change something somewhere in your flow graph, you only need to change one parameter once and that'll ripple through the rest of your flow graph if you put these expressions in your variable. So instead of hard coding in numbers all over the place, if you think, oh, crap, I've got to change that sample rate, if you have it in one variable and reference that everywhere else, just like in normal programming language, then it makes it really easy to continue development and update things properly. So in this instance, what I've said is I want to have a baseband rate of 50 kilohertz. So I'm going to go from a 1 mega-sample second down to 50 kilohertz. And that means that if you calculate your decimation factor, then that's the original sample rate, which is 1 mega-sample second, divided by 50 kilohertz. So that gives you a decimation factor of 20. And so for the translating FII filter, you put in a decimation like that. Now, the second part of the frequency-translating FII filter is that, sure, you can squish a narrowband stream right down, but you need to filter, because all of the other content in the original capture file will then wrap around inside that. So one very important part of interpolation decimation is filtering. And so what you've got to do is you have to define your filter taps. And that defines essentially how your filter is going to work. What we want to do is we want to use a low-pass filter. And can you already have this cool filter design tool? I don't know if that works on my Mac, actually. Oh, it does. Right? And I'm not going to use this too much, but what you can do is you can actually use it to design and analyze filters. So here we have one, we're going to bring this up. We said we have a sample rate of 32K. We want the passband to end at, what's that, 5K? Stopband at 6. And it will actually visualize the roll-off of your filter and the ripple. And you can look at the taps, the phase response, get the filter coefficients. And you can design all sorts of different types of filters here. So it's really, really handy. I'm not actually going to use this now, but just something to keep in mind as you go and use the utilities. That's just in tools, filter design tool. By the way, Tim, if I've missed anything here, anything to add, just shout out. So in this case, I'm going to need some taps. And what I'm going to do is I'm going to... I can't see that. I'm going to use a variable. Right? I'm going to call it taps. And the value here is not just a number. It's actually calling a function. So within GNU Radio, there's a module called the FIR designer. And that has a function called low pass. So what this is going to do is it's going to generate the taps for a low pass filter, given these arguments. Now, you can go and look in the documentation. It's all there, but the first one is the gain. So I'm going to leave it at one. The second one is the incoming sample rate. So we know that's one mega sample per second. So we use that. And then the last one here is the transition bandwidth, which means over what gap you want your start... the end of your start band to go to the beginning of your start band. So we just pick an arbitrary number there. One kilohertz is fine. And then this third value here is the translation... I just call it the translation bandwidth. So it's actually what the bandwidth of the filter is going to be. And because I have that as a variable there, it means that we can control it when the application is running. And I'll show you what that looks like. So we put that in there, click OK. And then also I've got here a slider now, which is called translate bandwidth. And the minimum of zero, the maximum is the base band rate. So it's zero to 50k. And this means that we can actually change the low pass filter while it's running. And the second one here I've got is the translation frequency. And this is the frequency that we're going to shift the original recording to, which is going to be the new base band signal. So let's run that and see what happens. Python quit unexpectedly. Oh, what does it say there? Terminating with unexpected exception of type buffer add reader, n zero preload must agree n zero. What am I... Oh, you know what it is? Bandwidth, this should be... Oh, I didn't set the taps. So we have that variable taps, but I never actually used it. That would do it. So I'm going to put taps in here. Now one cool thing in Guru radio is that when you enter in variables and expressions here, you can hover your mouse over that particular field and it will give you a tool tip that will evaluate what's in that field. So you can see the decimation is 20. The taps, it's actually run the code, right? It's run that low pass function and it's returned those taps. It's not showing you all of them there, but it's just giving you a preview. So now let's run it. Where's my GUI? There we go. There's one other thing I forgot. This gets me all the time too. When you just drag GUI blocks in, it's really important that you actually check what your incoming sample rate is. Notice that here it was valid to have one mega sample per second because it's coming from the original source file. But actually we've decimated here, so everything after this has a sample rate of... Yeah, and what's the variable name for that? Somebody set it over here? BB underscore rate. Right. So now... That times a charm. So now at the bottom here, we have our original one meg incoming signal and you can see that it's from negative 50 to 500 to positive 500 kilohertz. And here we've got nothing because our translation frequency is actually zero. So now if we move the slider, it's not gonna do anything because I haven't actually added that variable in here. So now when you change the slider, it's gonna change that value. All right. There we go. So if I move the slider across a little bit, you can see there there's a particular signal, right? That's one of the narrowband signals and I can keep moving that and you get to the next one. And you get to the next one and you get to the next one as you go through the band. So they're all there. And what this has allowed us to do is now zoom down into one of those and we can analyze that further. Now there are a couple of other little tricks you can do. The first thing is that here we know that the variable is called translation frequency. And what we're gonna do is we're gonna copy that and in this GUI sync we're going to set the variable here so that when you click on a particular point in the GUI, that's gonna program the frequency. Now, in addition, I've modified GNU radio a little bit and this is all on my GitHub if you wanna download it but we need to maybe get this stuff merged even though it's WX. But there are these extra options here so you've got frequency of interest. So we're going to put this in there as well and now when we run it, check this out. See the green line here? You can click and it will take the slider there and also the translation there. So you now wherever I click is gonna be where we're actually decimating to. And that's nice. It makes things a little bit more interactive and easier to do. Now, the problem is when we close this every time we run it again, our variables are gonna be back to the defaults and that's okay in certain situations but in other situations, you want it to be persistent and there's actually a nice block to do that. So if you look up in your tree there's the variable config block and that actually allows you to persist variables between runs. So the way it works is that you give it a configuration file. So I'm gonna call this qpsk.txt. You can give it the section that you want to store it in the file, the option. So we're gonna call this xlate. I highly recommend for strings there's general practice to always wrap them in single quotes. Otherwise, they might get interpreted as stuff. And so the idea is that we want to write back the last value that it was set out. So we use this and we're gonna just by convention call this config xlate. And when you run the flow graph, it'll load this variable up with whatever was stored in the file. So then the default value for the slider becomes instead of bbrate it becomes not the bandwidth, sorry, this one, instead of zero it becomes what we had in the file. So now when I run it I can click over here, say on this one, and this is gonna be remembering this offset now. So that's good. So the next step is we've identified the signal and what we want to do now is try and figure out what kind of modulation it actually is using. Now often on the ground there are all sorts of modulations in use, but because this is a satellite link, often for satellite links PSK, phase shift keying is very popular. It's nice and simple, and one thing that is distinguishing about space links with satellites, unlike the earth is that because you're pointing directly up and the beams are coming directly back down, and there are no, for example buildings in the way, you don't really have to worry about multipath. So these sorts of single tone modulation schemes work quite well. On the ground, that's not the case. If you think about this sort of urban environment, there are buildings everywhere, there are urban canyons, the signals are gonna bounce around of all sorts of different things, you're gonna get lots of RF reflections and they're all gonna destructively interfere at your receiver and degrade your signal. That's why in modern modulation schemes, OFDM is pretty much the scheme of choice because it's well designed to be equalized at the receiver so that your receiver can actually take into account that multipath through some fancy processing and recover a good signal. Not something you have to worry about for satellite links. So the next step is we're gonna take a wild guess that this might be some sort of phase shift keying. Now with phase shift keying you can have BPSK, QPSK, 8PSK basically determines the number of points in your constellation. But we don't know what they are and there's a really easy technique that you can use to figure out what the order of your phase shift keying actually is and I'll show you what that is. But the first thing is we need to clean up our user interface a little bit. So I'm gonna add a notebook. Can you do Tim, can you do notebooks or equivalent in QT? What? Alright, okay. So I'm just gonna give these things some names. First one we're gonna call it cap and the next one we're gonna call it BB and the next one we're gonna call it power. And then down here you can put the notebook. So I'm gonna call it MB0 and call the notebook NB. And this one we're gonna put in NB1 and then we're gonna use another FFT and we're gonna put that in NB2. Now, there's a really neat tricky thing to do with PSK which is multiply the signal by itself a certain number of times. So basically you raise each sample to a power and when you get nice peaks popping up out of your FFT, you've identified the order of the modulation. So you can square it and if you get peaks it's be PSK. If you raise it to the power of four and you get peaks after an FFT it's QPSK. If you do eight then it's right, easy. So if you have GRBass installed there's a block there called the power block and if you don't have that then you can cheat and you can basically just do this. Right? So you'll end up having the same signal going to each of these ports if you want to raise it to the power of four. But we're not going to do that because we don't want to restart the flow graph. This one you can actually change it at runtime. So I'm going to add a slider now so that we can change the power of the exponent. So it's going to be one by default. We're going to go from one to say eight. And then why is that complaining? Oh it's blacklisted of course it is. So now we just basically take that off our original signal put it into an FFT like that and then run. Now because we've got the config there hopefully it remembered our channel selection from last time which it has. There you go. Baseband is there and then we go to the power. Now we raise it to one so we should get exactly the same signal but if we do it to the power of two it's disappeared. Can anybody tell me why it's disappeared off the current chart? Think about the values. I'm taking the samples and I'm raising them to a power. What kind of scale? Yeah that's right. Small number. We've raised it to a power. It's going to get much smaller. Luckily it's still going to be there so we auto scale and it's there and we average it. You can see that it pretty much has the same sort of shape. We're not seeing any peaks so it's probably not BPSK. Now let's raise it to the power of four. Let's take for three BPSK. So we're going to go to four. We're going to turn the average off, make it skip along, auto scale. What do you know? Look at that. We've got some nice peaks there. Now because our signal here is actually quite narrow band, narrower than the channel we've decimated to, I can drag the slider that's actually changing the low pass filter there and watch what happens. I can narrow that in to cut out all the noise around our signal of interest and it's just going to be left with that. So now if we go to the power, it's also cut it off here. We've got some nice peaks. Now with BPSK you get these characteristics peaks where you get one large one in the center and that's really neat because it's almost like it's recreating the carrier that is suppressed normally in phase shift keying. And what's cool about this is that you can actually look carefully and you see how it's off zero? That's because when I did my channel selection and my frequency translation I didn't hit the center frequency of this particular signal right on, it's slightly off. So you can use this as a carrier to track your signal and then mix it exactly back down to base band. So that's doing some very fine frequency correction. It's a nice little technique. We don't really have to worry about that now because we're going to use a costus loop led it to take care of this. But what's important is that these two peaks on the side have also shown up. So these three together show you that it's QPSK. And what's also interesting is that although we're slightly off, we can correct for this manually say if we have a look here, we're at about what's that, 800. So if we get rid of that oh, wrong way. Center it up a little bit. And actually, if you look carefully, it's moving around a little bit as well. So you can test that by turning on peak hold. And if you end up scraping out a bit of peak hold there, it means that actually you've got clock drift. It could be your receiver. It could be the LNB. It could be the satellite or it could be the original transmitter on the ground. All these things can contribute to this frequency change. And it's important when you design a receiver to be able to handle this sort of clock drift. And I'll show you how to do that in a minute. But you can see that it's actually drifting quite a bit there. Well, it depends upon what you define as quite a bit. But it is drifting. Now let's just assume that's around about center there at zero. You can mix that down. You've got these peaks out here. Can anybody tell me what would determine how far away these peaks are from DC? Any guesses? Board rate, yeah. So with PSK it's really nice because you can actually figure out what the board rate of your signal is. We don't know anything about our signal. We just saw something interesting. We now know that it's QPSK and we now know how to actually figure out the rate at which symbols are being transmitted in our stream. So that's one way that works nicely with PSK. I'm going to show you another way that can be used to extract the board rate. And we're going to make a new tab. I think it should work for that, too. I'm not actually trying, but I think it should. I mean, it's easy to simulate that and get a gradient. So I'm going to make a new tab. I'm going to call it board. And then what I'm going to do is I'm going to do what is essentially very simple cyclostationary analysis. So what I'm going to do is I'm going to take the signal and multiply it with the delayed version of itself. So I'm going to get a delay block. I'm going to set the delay to 1. And then I'm going to get... Because we're in the complex domain, you can get the complex conjugate multiply block. Like this. And then hook that up to the original stream. And then we're going to take an FFT of this. But we don't want a complex FFT. We want just an FFT of the magnitude of the output. So we're going to go complex to magnitude. We're going to discard the phase information from our complex stream. Just look at the bins. Take an FFT and see what pops up. So I've got that on the wrong wrong tab there, but I'll correct that in a minute. We bring our low pass filter in again. We've got our nice channelized signal there. But notice here we're multiplying the signal by one sample delayed version of itself and then taking the FFT of the magnitude. And this has the nice effect of actually uncovering the periodicity of the symbols in your original captured stream. And once you take the FFT, you're basically looking at these strong frequency components that'll pop out of the timing in your signal. And in this case you look for the first peak and you if we put the mouse cursor there it's actually at 9.6 So it's actually what do you know? What common board rate is it? 9600. Like the old modems in the old days. So that's kind of neat. You can get that information out pretty quickly. Now we can take that a step further and this is where some a little bit more GNU Radio trickery comes in. Let's say we don't just want to be able to put it into an FFT and have to read off a graph and manually look for the first peak. We want GNU Radio to do all that for us. And you can actually do that with some blocks. And what I want to emphasize is that you can do these sorts of constructions within GNU Radio and they're all, as you can see pretty simple mathematical operations. But I want to emphasize that in this particular setup we're looking at a streaming continuous flow of this particular channel. In other communication systems you're going to have bursts of data. And those bursts of data you might need to analyze this discrete sets of samples instead of in a continuous fashion. So for that I recommend that you might consider using something like Boardline. It's growing pretty popular now. I've been using it for years and Eric Olson, who's the author keeps adding more features and increasing the FFT process size and it's even featured on documentaries on TV and things like that. It's making interesting appearances. But it's champacked with really lots of advanced tools that make it really an indispensable tool that you can use. And I might also add that in there's a block called the Boardline Sync so like the QT sync and the WX sync you can drop one of these blocks in, hook it up to your flow graph when you run the flow graph it'll run Boardline and actually feed the samples into it live if you want to do something cool in Boardline. So if you want to check that out. This here is actually another capture I did off another transponder on that satellite and what's interesting about this capture is that instead of being those continuous streams like you saw here, what are the damn meta keys on the Mac for doing this? Why doesn't it work? Oh no it's just slow. There you go. That's because where is my scroll control? Okay there we go. So here you've actually got a bunch of different channels allocated on this transponder but you have bursts of data coming up from the ground and then being relayed by the satellite. I mean I'm just theorizing this I don't know for certain. But what's interesting is that these are all individual bursts, individual packets and they're in different channels and you'll also notice that they're of different color intensity so obviously they're different amplitudes so you might surmise that actually they're distributed around a wide geographical area, they might be sort of offset pointing, they might have larger distances so you get different amounts of attenuation and so those packets are coming through and it's some sort of a TDMA system, time division multiplexing for multiple users and also you'll note that you have these regular blocks that occur at the beginning of a packet so this is some sort of synchronization signal so that the receiver can lock onto these particular signals that might be coming from different areas because they're all going to have a slightly different frequency offset so if you just in this instance have a tone the receiver knows what tone to expect it can lock to it quickly with a PLL and it can have a good chance of decoding the rest of the packet now because they're bursts having that kind of continuous analysis and guinearity doesn't really work so in this case you probably use board line for example you can select a packet like so and then right click and you can actually go save selection as so that'll actually allow you to pull that selection out you can import those raw samples into something like octave which is the open source equivalent of MATLAB or like we'll hopefully have time to do a little bit later on use numpy and matplotlib and there are some really nice DSP filtering functions in there and you can actually then do the same process each step as we've been doing guinearity so channel selection filtering and then multiplying all the samples by themselves or raising to a power and so on then plotting it out and just getting these static graphs so I just want to emphasize that you can do all this on a burst basis as well I'm not going to go through it this time but just keep that in mind if you want to do analysis like this later on so we got up to to this stage but the target is to get actually a number appearing on the screen telling us what the board rate is how do you go about doing that so let's have a quick look at that I'm going to be a little bit lazy and just copy some of the stuff that I had before interests of time what is this crazy thing start right so what's happening here is that you'll notice we have our construction here during the cyclo station analysis you've got the delay multiply conjugate, complex to mag and the FFT sync we did that already but you'll notice that there's this additional line coming down from the output of the magnitude this is going into the stream to vector block what we want to do is we want to do an FFT so remember when we put this block down it has an FFT module inside it already that's going to do the FFT but now we're breaking it out we're breaking out the raw components so we're going to do an FFT manually here that this is already doing so when we did that remember we saw that nice graph with that big peak at 9600 we do the FFT because this is accepting vectors we're going to go stream to vector and then vector to stream right but because we have a FFT of a real floating point sample stream you get symmetry you get a symmetrical spectrum when you do that because it's real and sort of complex it's just the nature of the transform so actually what we want to do then is we want to throw out half the information because it's just symmetrical duplicate of the first half of it and to do that you can use this in n block so we had a transform size of 4k and what we're saying is we want to keep 2,000 of those out of the 4,000 so we basically throw out the second 2,000 samples and then once we've got those 2,000 samples which now represent that spectrum that we saw on the GUI before we go stream to vector turn it back into a vector get the magnitude because we're just interested in the strength of all those bins so we go back to vector to stream and this is where it gets a little bit interesting because if you I'll run the flow graph again so you can see if you look at the FFT then it's a little bit difficult to see maybe you'll be able to tell but we said find the first highest peak it looks like this one right if you were going to search through the magnitudes of all of these bins the FFT transform is that going to be the largest peak that it finds? look over here you get this very rapid increase toward DC so actually there are some very low frequency components of the signal that are very very strong we're even up to DC and so if you were to try and find the bin that has the maximum value in it you're going to end up finding something down there which is not what we want so a little work around for that I'm hoping this will get you in the mindset of doing interesting hackery with GNU radio the idea is that up to this point all we've been doing is getting that FFT information we've been cutting out the second half of the FFT we've got that bit information and we just want to find the bin that has the most energy in it but we want to ignore those bins down the front near DC because that's not going to give us the information that we want we want to look for peaks further out so what I'm going to do now is I'm going to get this vector source and I'm going to multiply every 2,000 points which is one transform by this vector so the first 10 elements there are 0 and in the remaining elements so FFT size 4k divided by 2 is 2k minus 10 are all going to be 1 so effectively you're nulling out the first 10 bins so you ignore them completely and then you multiply that by your incoming stream here you turn that back into a vector and then you use argmax and what argmax does is it goes through and it finds which index into your incoming vector has the highest amplitude so you're going to go through each of those FFT bins and you're going to find the one with the highest energy which is the one that we're interested in that's going to come out here maxvec turned it into a short to float and in the number sync it would ordinarily just give us the index of the bin which is kind of useless we want to know what that is in the board rate in terms of our system so actually you need to apply a factor and that's going to multiply that index by this magic number to give us a board rate and that's the bbrate baseband rate divided by the FFT size because if you think about what the transform does it's normalized ordinarily but it's 4000 samples over 50 kHz worth of sampling rate so you basically unnormalize it to get your system rate and so once you do that it's just a very basic formula once you do that let's run this then that's our FFT as you saw before then you get your number sync finding the peak multiplying it by that factor and then you get your board rate notice that it's not quite 9600 that's because you have quantization steps now for the bins if you divide 50k by 2k you're only going to be going up in steps but generally speaking in practice if you look at these things and it looks very close to a standard kind of number it's probably going to be that standard kind of number and that way you know what the symbol rate is going to be down the next step is we want to actually start demodulating this thing so what we're going to do is we're going to throw in the steps that you would normally use to decode one of these signals so what I'm going to do over here is put some blocks down so we know now that the board rate is 9600 so I'm going to make a variable called board put in 9600 because we know that about our system now and I'm also going to be able to calculate this new variable I'm going to call it samples per symbol so that's what's that? Samps per now who can tell me what this is going to be if we know the board rate which is 9600, yep and what's our sample rate at this baseband level now what's that? and what's that value? 50k so how many samples do we have per one board? anyone? yep okay now we got 5 anybody see that there's a problem with that number? it got rounded down is that a good thing or a bad thing? it's a bad thing because the timing has to be exact they don't divide into one number so this is a common problem with python what's the way to get around it? I heard the answer there but maybe from someone further back as well yeah or you just do 1 dot times out the front and now we got 5.20833 so this stuff is very important and these little gotchas can really break your system so what we're going to do then is we're going to take the signal again from our decimated output and we're going to plug it into the clock recovery block now in GNU radio there's a really nice new block called the polyphase clock synchronizer I recommend you use that when you're designing system where you know all the parameters but in this case this is an old one well enough for the purposes of this kind of blind analysis so I've dropped that in and it has some parameters there I'll go through it when I run it just to give you a visual idea of what they do but basically this controls how quickly and how tight it will try and lock to a signal and in some systems you want to give it lots of slack in other systems you want it to be really tight because you know that it's not going to deviate too much from that and the next standard step is to add in this costus loop and what a costus loop does is it accounts for some frequency error in your original signal so as you saw remember how we had the peak hold and it was moving back and forth off DC this thing can then remove that frequency offset and I'll show you visually what that looks like before and after so what we've got now is costus loop this also has some parameters to tell it how quickly to lock to stuff one of them is the loop bandwidth and I'll show you that but when I'm just missing a slider here what's that one here and what's that another little thing you can do is often when you're translating between normalized frequency and the frequency of your app you often end up using magical constants like pi you can type in 3.1415 9.2 blah blah or you can actually just use math.pi or numpi.pi here you can see that it's coming up in red and that's because there's no math module so you need to use the import block like so and then we just go import math if only it was that simple in real life because math is hard so now with this little construction here this should let's see what happens give us the ability to lock on so that's actually looking like a dog's breakfast the button yeah so this is not working and there's a very good reason why it's not working I haven't quite figured out what that is yet but really it should look like here's one I prepared earlier oh it keeps appearing on the wrong display looks like this so we knew it was QPSK so we knew it was order 4 and if you actually look in the costus loop it asks you for the order and we know that it's 4 so we put in 4 done clock recovery here we came ah that's what it was pardon me I forgot this important step so some of these blocks can be a little bit finicky one of them is this clock recovery block and ideally it always looks for normalized samples so what that means is in GNU radio the idea of a normalized sample is a floating point sample between negative 1 and 1 that's the idea of normalized and the clock recovery block is expecting that this particular block can go into the weeds if your amplitudes are too high or too low and one way of making sure that your amplitudes are correct is by using an AGC block auto automatic gain control and if you have a look there are a bunch of different blocks this one's pretty simple and you can see here that you've got the rate so this is how quickly the AGC operates this is like a arbitrary unit the reference is the reference level you wanted to get to we want to get to 1 and the current gain that you start with and the maximum gain that it can actually apply to your signal so in that case it's an arbitrary high number yeah so there's another AGC block AGC 2 and that has attack and delay values and that does it a slightly different way so here we've got the AGC and now we're going to connect that up to our original signal so what I'll do now is I'm going to disconnect this one and I'm going to show you each step and sometimes it's nice to do this but because you've designed part of your flow graph already you don't want to end up disabling a million blocks so you can use the null sync just drop that down, hook it up and then it'll run as normal and then you can hook up your probe essentially to any point so I've hooked it up to the AGC this scope and you'll see this at the bottom of the screen and hopefully you see how the scale was changing it was pretty quick that's actually AGC kicking in effect so the original signal is pretty low and then so it amplifies the signal more and more and more at the rate of your gain and then it basically gets roughly to your the point that you want so here it's not looking particularly pretty where immediately after the AGC right so we need to do clock recovery and then we need to apply that frequency offset so now let's switch to post clock recovery like so now you'll notice here that this constellation plot looks different from the previous one how was that there's nothing in the center and that's good because it means that the clock recovery algorithm has locked onto your incoming signal and it's sampling at about the right time and when it samples at the right time you expect it to be sampling somewhere out where during the midpoint of your sample where it will result in some point that has an amplitude out here outside of the origin which is good that's what we want so that's a good signal but we don't have a clean constellation because if you were to visualize this the constellation itself is actually rotating and when you have rotation on this constellation plot that means that you have some additional frequency component that's part of your clock recovered signal so we need to get rid of that additional frequency component to get a nice stable constellation and the cost to slip will do that for us so if we get rid of that now we don't need this anymore hook that up and fingers crossed this time it'll work let's see what we got what do you know there we go now the cost to slip is now working it's doing its thing it's removing that frequency component and we get these four dots now remember that I've added a couple of these sliders across as well so we've got the gain mu the cost to slip bandwidth and so on you can now play with these at runtime to see what effect it has on the constellation so let's say I want to change the cost to slip bandwidth this is essentially saying how tightly it's going to look at the incoming signal and how much it can deviate by before it'll sort of flip back so if I really open it up then you can see how it's sort of losing sync now and the points aren't as tightly grouped anymore that's because we've opened it up way too high and it's sort of going into the weeds and looking beyond where it really should if you have a stable signal then generally you can usually put the loop bandwidth down considerably and that means it'll track very very tightly to whatever frequency offset is in there and as you can see it cleans up the constellation quite well so now the other ones are the gain mu I won't go into these too much but they basically control you can do a bit of reading how the clock recovery block works and how strictly it adheres to the timing that it's figuring out from the signal again you usually can put these kind of low if you bring these up then again things start to look messy so we can keep that nice and low as well so we've got a recovered stream now we have our recovered symbols that's really good we know the timing we know it's QPSK at this point you could actually pull out digital ones and zeros because you have a constellation and each of these points are going to map to two bits so this could be 0 0 1 1 1 and 1 0 if it's gray coded so if you look on Wikipedia I think I have a page for that you can see here this is a gray coded QPSK plot and the gray coding is important because it means that only one bit is changing between adjacent constellation points that means if you accidentally get the wrong phase you only end off wrong by one bit instead of potentially two so that's important so if you want to learn a bit more about it that's a good place to look now the thing is we've got raw bits now and we can actually look at that and visualize it but it's probably not going to give us anything information because it's probably scrambled links are usually whitened so you have some sort of pseudo noise code put on top of it to distribute the energy through the spectrum that's pretty standard stuff and there might be forward error correction on there, question to the back often in these sorts of situations you just got to go through the permutations so I'm going to show you how to do that in terms of the forward error correction actually right now so at this point if we look at our reference design here we have our cost to slip it's giving us our symbols out and now we want to actually figure out how we to get our raw bits out of there so I'll give you a very brief introduction to convolutional codes so there are different classes of forward error correction out there and one is called convolutional coding and this has been used a lot and for space applications one of the most famous instances that is sort of referenced everywhere and actually turns up here is the Voyager, NASA Voyager space probe and the way convolutional code works is that it's essentially a shift register you have your individual incoming bits going into the shift register and once every cycle through your register you have these taps that come off and you evaluate them and then you get your bits you get your resulting bits coming out and you can have different sorts of codes you can have systematic codes and non-systematic codes but what this does is given one input bit it'll produce say two or three bits output and those additional bits will give you a special sort of redundancy in your stream and at the receiver side for convolutional codes you can use a decoder called a Viterbi decoder using the Viterbi algorithm and it basically creates I won't go into the details but this sort of trellis depending on what those taps were for your shift register and as your bits come into your trellis depending on how your code is designed you can go through and figure out the most likely path through the trellis of your original data bits that resulted in the bits that were sent over the air and why this is really cool is that if you end up having an incorrect bit somewhere in here then it will see it was probably not the most likely path because it was a bad bit and there's actually another path that you can go through that will give you a higher what's called a higher metric through your path and it tries them all in parallel which is why they're very slow in general purpose PCs but if you do it on an FPGA they're blindingly fast because you can compute all the paths in parallel but it tries to find the most likely path and then that is actually they will be the bits that were hopefully transmitted initially over the air so then you remove those additional redundant bits and you get your original code back and the length of that path is known as the constraint length and the constraint length is the length of the shift register so it all comes together quite nicely this transmitter side is very simple the Viterbi algorithm takes a little bit more to get your head around how it works but it's really cool even though it's really cool it's actually been surpassed now by much more modern codes there are turbo codes that are used for example in LTE and now on satellite links and then other sorts of classes of code that are much more efficient than this one of these things are actually on space probes that have flown outside the solar system and are really suitable for these sorts of deep space links as well so if you do some research you can see that satellite links tend to use the convolutional code you can guess that they're probably going to use Voyager because it's standard everybody's pretty much implemented it it's a highly optimal configuration of this convolutional code so we can try running that as the decoder now the thing is that GNU Radio actually already has a block to do that particular oops CC what the hell CC it has all the letters in it oh there we go CCSDS and this is like a space standard you can do the encoding or decoding of this stream but it's not as simple as that unfortunately if you're going to just start doing error correction stuff in GNU Radio probably stay away from this one there's a new relatively new module in GNU Radio called GRFEC it's in the tree and it supports a much wider variety of encoders and decoders and it's blindingly fast it's really really neat I'm going to use this one for a particular reason the complication here is that we have a PSK signal being transmitted we have a receiver that is now locked onto it we've recovered the symbols and we end up with that constellation so if I run it again you'll see what I mean here there's that constellation so if you look here at the bottom you can see our constellation this is all well and good and I can say this is going to be 0 0 0 1 1 1 1 0 fine, you can decode, get the bits out Bob's your uncle the problem is that our receiver might not be synchronized to our transmitter so you know how this is all quadrature stuff we've got our i and our q it's quite possible that our transmitter receiver happened to just have their oscillators come on at a time where the i and q were actually swapped or the whole thing might be rotated basically you have the problem where you don't know how your receiver is aligned with this transmitter that might be on the other side of the world and what that means is that you can actually end up having this constellation relative to your transmitter rotated 90 degrees or it might be conjugated which means that the entire thing is flipped through the complex plane and you don't know any of this stuff but you need to account for it so your receiver has to go through and try all of these different permutations of conjugation rotation, inversion shifting bits because you don't know how the state machine of the decoder on your receiver side is relative to the state of the of the transmitter so you need to be able to synchronize to it and then the other thing that's going to be the conjugation systems often what's done is you know for example what the there's a preamble right so there's a fixed code that's documented that's transmitted by the the transmitter and when it gets to your receiver then you can try to correlate against that code you can try correlating against the code as it is in like a zero phase shift a 90 degree phase shift a conjugated constellation you can precompute these correlate against them all simultaneously and as soon as you get a correlation peak on one of them you know uh-huh that's what it is I'm going to rotate, I'm going to conjugate, I'm going to invert and then we've logged on to the stream but in this case we don't know what the preamble is right because we're coming at this blind we don't have a clue what it is but what we can do is we can exploit part of the Viterbi algorithm and remember how when I showed you that trellis it tries to draw a path through and determine the metric so it tries to score to all the paths to see which one was the most likely and then it picks the most likely one and derives the your raw data bits from that what we're going to do what you can do is that you can modify the um the ccsds decoder and so I've modified it in this version of greener radius that not only does it give you the output bits but it also gives you the path metric and the path metric is essentially a score telling you how well the decoder is actually doing so that if you get in this case, once you do a bit of um, fidgeting with the numbers if you get a path metric of zero that's actually the best number that you can get that means that the the soft bits that you're getting coming in from your constellation map perfectly through a valid path through your trellis so that's good as soon as you get incorrect bits that don't fit nicely with your trellis so they don't give you a path that's valid for your um, code then your metric actually goes up and that's bad so if you get a metric that's really noisy and high it means that you probably haven't locked on and synchronized to your signal but if you try these different rotations and constellations and then you wait for the path metric to go back to zero or really close to it then you probably do have a lock and so what I've done is I've actually condensed that into this this auto thick block here so it takes in the raw stream coming from the constellation and then it outputs the byte stream but internally it's actually applying rotations and conjugations and inversions to your constellation and trying all the different combinations until the path metric goes to zero and I mean fundamentally you can break this out if you were to break it out then really what you get is something like this um so this is more a strip down version but the first step is the conjugation and the next step is the phase rotation so here you just multiply it by zero or um I'll show you the expression here actually but you can multiply it by various numbers that will actually rotate your constellation and then if you're using this particular convolutional code you might need to delay by one sample because you might be misaligned and then you can do that delay and each of these blocks are controlled by a state machine that will you know conjugate and then not conjugate and then rotate phase conjugate not conjugate rotate phase again conjugate not conjugate delay reset everything try everything again and you keep going through this long process until you find the right steps and that's what that auto effect block actually does so restore that and what I'm going to do now is I'm going to run it and I would like you to pay attention if you can to the I'll bring the console over so that you can read it properly I don't know where GRC is running which terminal is it here we go got it and then magic incantation okay so I'm going to run this I want you to observe what's printed out so auto effect starting up here and you can see here it's beginning the search it applied a rotation that didn't work because our bit error rate was still really high it's the metric coming out of the Viterbi decoder applies a rotation still really high applies a rotation a conjugation and a delay in the Viterbi samples still no lock applies a rotation still no good rotation conjugation no good rotation again so it basically does all of these permutations and you can see that it's testing each one of them waiting for the path metric to come out it's still too high and then what do you know we step through here we applied a rotation and we had no conjugation in this particular instance and we locked so our path metric now is really low and you can actually then see this I'll run it again but this time we can actually watch the graph of the path metric which is just coming out of this port so this is a graph of the path metric coming out of the Viterbi decoder so this is zero and we want it to be down at zero but as you can see it's sort of in the four or five thousand range so this is pretty noisy it's really high it's above our magic threshold it hasn't found anything yet and as it steps through and rotates and delays and inverts and so on look at that do you see that that's now got a lock and you can see that there are these little humps here and remember how a constellation wasn't particularly clean you can see here at the bottom it's not a particularly tight looking constellation there inevitably you're going to have constellation points that veer off and end up in the wrong quadrant and that will give you the wrong bits you'll get bit errors and so as you go through the Viterbi decoders path you'll end up getting some bits that are wrong and it'll figure that out and then output something that's a little bit higher but this is still low enough so that it'll give you the correct output bits question here it's possible the question was if you were essentially a man in the middle and you wanted to to corrupt this link you could get in there and actually insert bad bits right it's possible I mean it just depends upon how you do it in this case remember we're coming up blind so we have no a prior knowledge about what we're looking for usually you wouldn't do it this way usually you would look for that known sequence so this is a bit of a hacky way of doing it but it kind of works so as you can see here it's actually running it's locked and it's doing its thing and we're now outputting these raw bits coming out of the decoder to a file so the next step is we've got the raw bits we need to visualize that file to see whether there's some sort of structure to it and that will be the next step so what I'm going to do is I might just run that again just so you can get a sense of the final app as we were putting it together so we've got a constellation plot we've selected our channel just as a review we've got our channel there let's tighten up the you remember how I used the config variable block really I should be using one for the bandwidth as well so it remembers it whenever I boot it up and get instead of having to adjust that manually we're not using the power the board rate is here we've got the peak we've got that coming out as 9600 board and then our path metric is as you can see very low there so I'm just going to let that run for a minute and it's going to go to a file and then I'm going to run some python code to actually read the file in and plot it using matplotlib so we can see if there's any structure and then take the next step in the process so I'm going to shut that down now and I'm going to switch to the terminal new tab and be python and I'm going to open my secret source here I can find it okay so alright now you can do this in all sorts of different ways I have a little program here that I might just use I'm just going to show you quickly here so you get a sense of what's going on this is now running under wine again this is some software that crashes under mono really quickly I need to put on my github but it's just I wrote it to do some simple manipulations on file so I'm going to import this satellite text file that we made it's basically look here it's what it looks like it's just the raw bits out of the terby decoder now we would expect that since it's outputting bits all the time for the first portion it's just going to be corrupt out because it hasn't locked on yet and then eventually we're going to get a locked stream after that so if we go here we've imported that file let's see what it looks like I'm just going to pick an arbitrary width it looks like noise not very helpful right so there's something going on here the first part I know that obviously we ignore but there's probably a scrambler because remember as you're sending communication systems you want to distribute the energy of your bits over the bandwidth that you're transmitting in you want to widen the signal and to do that you use some sort of pseudo random code some pseudo noise to spread the energy out and you can use these things called scramblers and I recommend that you read a little bit about them there's another good wikipedia article on scrambler you're going to have two types of scramblers one is the additive scrambler and the multiplicative scrambler there's an important distinction between the two one is self synchronizing and the other one is synchronous so one of them you need to look out for like a special preamble and then reset your scrambler so it can follow along the other one doesn't need that you can just do it and luckily in this case it is the multiplicative one that we're using otherwise we might be a bit out of luck but there's not much going on there now if you do a bit of research you can find that a very common scrambler using the satellite links is the IESS308 scrambler so we're going to run that and if you actually look at the source code for this scrambler I've got a python implementation this is the C sharp implementation it's really quite simple it's just you have some taps coming off some shift registers there's a latch in there and then it just calculates what the next bit is so it's really not that complex but the idea is that you give it a bit it puts it into the shift register and then calculates some tap values and then returns a bit from that question was there a question yeah so can you already has scrambling and de-scrambling blocks I believe the reason why I have to go down this route is because they generalize ones and this one had some extra flip-flops in the circuitry like I actually found a reference page that had it mapped out in commentary logic and I don't think you could realize it with the GNU radio one. GNU radio is nice because it has both the additive and the multiplicative scrambler was there another point so that was on the assumption that the first try was with Voyager so I figured oh it's probably going to be Voyager so try that and actually that's a good point I got lucky with Voyager and that CC SDS block was hard-coded to Voyager but actually if you use the new grfx stuff and you look at so this is the encoded definition using the new paradigm and there's the convolutional code one which is the more generalized one so this one, this convolutional coder is actually set up for the Voyager code these are the polynomials used to set the taps on the shift registers convolutional but you can configure these any way you like if you had some other ones that you wanted to try you would create that kind of state machine and go through and try them as well and then you would go there's another block that you would use with these ones to set it up so as an example what that looks like is like this here you have this fec extended decoder and then you have the decoded definition so here I've actually defined again the settings for for Voyager but in this case I've just reversed the taps and then you use this decoder object and you pass in the ID of the definition and then you can set the puncture pattern for punctured codes and then it just does the rest and then we do something where it tries different decoded definitions if you're trying to iterate through possible combinations and then one other thing to mention here also is that the code that we were looking at is known as the mother code and it uses the half rate code which means that for every bit that you put in it'll generate two bits but there's this cool notion of what's called puncturing the code so if you don't want to have a half rate code let's say you want a three quarter rate code so you give it three bits and it gives you four that way instead of having two for every one which is a lot of information that you're wasting on forward error correction if your link doesn't support that kind of bandwidth you might opt for a three quarter rate code so if you think about it for every three you get four or you might give it seven and then you get eight and that way you can actually change the code rate which is really nice so if you're running your automatic forward error correction synchronizing you actually have to try all of those different puncturing matrices as well because maybe the transmitter is not using a half rate code maybe it's using a three quarter rate code and so what auto effect does is it actually goes through and it tries all of these standard puncturing matrices as well I got lucky in that case because they were using a half rate code but you might be using something else so it's just something to keep in mind there and again there's a good article on that if you have a look here a little bit further down you actually have a good write up on puncturing using the NASA standard K equals seven convolutional code so what this is saying here is the mother code is half rate and you give it a bit and you get two out if you have the two third rate code then you will give it the four bits you don't transmit this one and then you get you basically give it two and then you get these three coming out you might have a three quarter rate code so you have three bits coming in you generate the normal two for one but then you don't send this one and you don't send that one and the receiver will know that oh you're using one of these puncturing codes so every time it gets around through its bit stream to a point where it says oh this is where it's been punctured it inserts a zero and the convolutional decoder will know when it's looking at the path metric oh I'm just going to ignore that because it was actually erased and it will still do its thing, it's a really nice property I won't go into the details but if you're interested you should definitely read more about it because it's cool punctured convolutional codes are widely used in satellite communications for example in intel set systems and digital video broadcasting what do you know okay so we were looking at the raw output which is here, so now remember we applied that common descrambler so let's see what that looks like we had noise at the beginning because remember we weren't locked to the signal but look what we have after that looks like we've got some structure there but still it doesn't look quite right can anybody tell me why exactly right yes so the response was we got long strings of zeros in some places and long strings of ones in other places and when you see that you know that you're under something, you're almost there but it's quite likely that your original data was also differentially encoded the idea there is that you don't actually encode the raw data bits you encode the differences between subsequent data bits and that's really good because it means that you do not end up with long strings of ones and zeros in common communication systems you want as many differences in your data between one and zero as many differences in the clock essentially, sorry, in the data so that with all those different transitions not particularly in this system but in other ones if they're doing clock recovery the more transitions you have the better your receiver can lock to the signal and recover the clock if you have a long string of zero or a long string of one there's no changing edges there so your receiver has nothing to lock onto the signal so, exactly right so the next step then is to crash the program unbelievable does it not import? how weird do we still have a valid file? oh, you know why? okay not to worry this can has bitten me before I'm just going to run this again to regenerate the data is that I'm lazy simply put and you will notice that you can have blocks I basically got in the terrible habit of writing C++ blocks and not writing GRC XML definitions for them and instead I put together this thing called the any block and what the any block lets you do is just put in arbitrary python so this is actually the python code to generate the print char block from GRBAS and I'm just supplying the arguments there I don't need to worry about making the XML for it and then that's really easy it just works and you don't have to do the extra effort the problem is that GRC evaluates all the python that it can in every single block both when you boot it up and when you switch back in between the graphs and change other blocks and stuff it needs to reevaluate everything and you notice that this is purple which means that it's text but even if as I said before even though it's purple and it's text it will still evaluate it which means that it will create a temporary instance of this block which also means that it will create this file and if there was a file already there it's just going to reset it and the contents will disappear that's why it became zero so that's me being lazy we've probably got enough information now let's try that one more time we've got our data there good let's run the program one more time import satellite data descramble differentially decode view data and you can see now it looks like legit data black this is idle time in the channel nothing's being transmitted and then you have these bursts that show up and these bursts appear to occur at random points in time so it's some sort of shared link maybe not a shared link but it's some sort of medium where there's some maybe telemetry system on the ground it gets some information queued up and then it sends it out as a burst and if you look carefully for example here you can see that it looks pretty common so there's a good chance there's some sort of common preamble, common synchronization information in that portion of the file and actually we won't do it now but if you have a look at the steps after that they should all look pretty familiar now we selected the channel we did the we did the psk ordering we did all this stuff the scrambling differentially decoding for error correction error shift keying board rate all this good stuff the scrambled it got our packets there and then look for the preamble and then you actually get a packet out like this and you get the nice instance in at the top and then you get a sort of header and a sort of text and a text in these packets that go through and then you can pull those out and get these packets coming out and that has BCD and 16 bit sign integers and 8 bit signed integers and then you can graph it and you get these pretty lines out I have no idea what it was in the end because I was only recording for 2 minutes I'm sure if you record it over a long period of time you could correlate it with human activity somehow and figure out what was going on there but yeah that's kind of the idea and so this is a windows program but I'll just show you how you can do this nicely in python so two hands and where is it ok so we're going to go I'm not going to look at that screen so tell me if I've stopped something out import mat plot lib pie plot as plot good and then import numPy good so what we're going to do is we're going to open the file reading and then we're going to read that line and check that we've got something yep and now what we're going to do is we're going to turn the ASCII 1s and 0s into into bytes of 0 and 1 what did I do oh ok and then we want to find some good value 9 so we're going to say what is it height equals 9 to 6 and s2 s2 4 times height we're going to turn it into an image and we want it to be have nice dimensions so we do do that and then what we do is we want to actually see what it looks like ok so we had again all it's all scrambled right nothing to see there now you can then get the scrambler happening I did a simple port to to python again really really simple it's just a class state machine essentially with the shift registers and just call next on it so do we import that yes and then we create the scrambler we want to tell it to de-scramble and then we map that across all of the the values again takes a second and then let's see what that looks like I just I really like mapplotlib because it makes things really easy so now you can see we have that structure again except the colors aren't particularly nice for it and then the last step is to do that differential decoding and so this is a little bit tricky by the way if anybody's got any suggestions how it is better than I'm open to it but what I'm going to do here is I'm going to use zip function to create two copies of the array but they end up in tuples where one array is offset by one sample so you basically get these combinations I'm going to zip it up and if you have a look at what that looks like it looks like that so it's just basically the pairs now where the second pair is the same stream but delayed by one we need to add an empty one on the end because we'll be off by one for our image and then we're going to do the differential decoding and that's just going to be in that line there so what we're doing there is we're taking the second value in one of these tuples and subtracting it from the first value so it's basically the next sample minus the previous sample mod 2 for the entire stream and then let's see what that looks like and then voila we've got our packets out and then this is nice because now we can actually zoom in and see what these individual headers might look like and you can start playing around with it from there so that's just an example of doing some sort of simple visual analysis in python so thanks for braving with me almost at the end of the session hopefully that's giving you an idea of how you can go about doing blind analysis the last two very quick demos I'd like to show you were those HF radar things so this also includes audio I'll just very quickly show you how that works these sorts of things apart from looking at visually it's also really nice to be able to hear what's going on because that can give you a hint so I'm going to run this and I know for a fact that in this particular capture this was on HF so I think it was 17.9 megahertz this here is digital radio Mondial it's a 10 kilohertz OFDM carrier that's transmitting digital music and here is going to pop up a chirp a radar chirp that's being sent over the air to a long some long distance but this chirps really interesting because it actually changes the chirp rate while they're transmitting so they do a really quick one and they keep slowing it down and with radar as you change the chirp rate it actually changes the resolution with which you can resolve targets but it also affects the distance which you can do it and it's basically a tradeoff and here they're going through the spectrum so they can get high resolution close in and low resolution but further away and what I wanted to show you here was this fast auto correlation block this was originally written by this very mysterious guy called Frank of Radio Roush fame he did some amazing stuff with ADS-B and P-25 and Motorola stuff and CDMA before you and I even knew about software defined radio and he's a complete enigma but amazing talent guy I took his code and sort of spruced it up a bit for the New Guinea radio and what the fast auto correlation does is it actually looks for periodic structure within your signal so unlike when we were talking about discovering the board rate so that's actually the periodicity of the symbols themselves this is looking for larger scale periodic components to your signal so for example let's say you have on this case a chirp but the more obvious one is GPS and 3G CDMA mobile telephones if you consider they're both CDMA systems and a receiver has to lock on to the CDMA channel so it has to look for a particular code in there and part of the code one of the channels there is the common pilot channel I think which contains broadcast information and that is sent out on 3G at 10 millisecond intervals so there's going to be some mysterious stuff in your signal you've got no idea what's going on in there it's CDMA it's all coded all synchrony spread and everything same for GPS but you can hook this fast auto correlation block up to it and you'll get a strong peak at 10 milliseconds because it's finding that there's something repeating in there with a 10 millisecond interval with GPS the core acquisition code has a 1 millisecond peak because they have a chip rate of the chip length is 1,023 and their cyclic rate is 1.023 MHz so here we actually have this radar chirp that comes up and so I want to show you what that looks like and what it sounds like as well so you can hear the chirps and the radar which it's chirping it's basically sweeping a tone across the spectrum is changing the rate and it's running through here and again you look at the first big peak and you can see that every time it changes the peak moves along because the chirp rate is slowing down you can hear that and then again so now it's out here and that's it so I'll quickly show you what's going on here and also what I might do actually is to finish up throw a waterfall in there because it looks pretty here and NB2 and so before I run that I just want to show you here this is essentially, it's really easy to do a fast-order correlation we have our channel selection here you do an FFT you take the magnitude you do an FFT again and you take the magnitude of that as well and that will give you that plot that's all it is so that fast-order correlation block all it does is that and then you get your plot out really simple it relies on the special theorem you can read about it more online I don't know if you can pronounce it the Vino Kirschner theorem but it's a really simple and effective way of doing the transform and again like before we have this fancy plotting business so that you get your number sync out finds the first big peak and so when you run the thing you actually have that number sync telling you what the period of the chirp actually is so if we wait one more time hopefully we can oh snap I did it again hang on where's the waterfall here right? same old mistake right let's run that very good waterfall give it a second so just as the lead up in 30 seconds one this is done so the chirp rate is too fast for this slow waterfall to actually show you but when we slow down you can see this peak is moving across it's doing that thing and it's telling you what the period of the chirp is and then from that you can calculate what kind of range resolution you can get on your radar signal but yeah this could be some over the horizon radar so if you look there you can kind of see this this pattern there this diagonal line and that's your chirp, that's your tone moving across the frequency band and you can see these all all over the place all sorts of nation states doing weird things so I'll just finish very quickly that same capture has DRM, Digital Radio Mondial that same business and what's interesting about this one is that you can see there's that peak there that peak corresponds to the unguarded symbol time of an OFDM frame so if you want to figure out what OFDM timing is used here same process, same technique you can get that off and this if you invert this this is the subcarrier spacing within the OFDM frame once you do the cyclostation analysis and use that as your delay then you run that again you're running this on the delayed version of itself and you get this peak here and that's telling you the full OFDM symbol length and with that you can start to look at the OFDM subcarriers within your signal and what we're actually hearing now is this sonified and you can see we've got that peak again and it's kind of difficult to hear because we're actually listening to an FFT but there is actually a tone in there a very slight subtle tone that maps to this strong peak that represents the cyclic nature of the DRM signal so within DRM there's probably some synchronization code that's repeated every every so often making up the frame and that's why we get that response in the domain because we need to have the receiver synchronize to it question if you haven't seen Contact it's a really great film one of my favorites and then promise last thing very quickly back to the satellite thing remember how I was telling you there's telemetry the satellite will send down telemetry to let it know that it's okay the telemetry here we've got lots of things modulated onto this carrier it's actually using phase modulation we can tell from the research this now is the channel selected thing and you can see how this is slightly off center I'm using a PLL here to lock onto that signal bring it back down to baseband and then we can can you hear that beeping that's the satellite saying oh I'm here and that's the telemetry coming down from the satellite so you can visualize that and try to access and figure out the telemetries thanks for bearing with me hope you've learned something and I'll wrap up there I've gone over time a little bit so I'll be outside