Digital Signal Analysis
DTest (Digital Test) Software Option
RadioInspector’s digital signal analysis option, ‘DTEST’, is a specialized software package consisting of software demodulators designed for digital demodulation and identification of the most common communication standards, and for signal classification in accordance with these standards. DTest uses an array or a stream of IQ data transmitted from a receiver, spectrum analyzer or SDR instrument with the specified bandwidth, sampling rate and minimum IQ recording length (the specified bandwidth and required IQ recording length are determined by the standard of the analyzed digital signal).
RadioInspector’s digital analysis program analyzes and decodes the actual signal wave form and data packets to provide fast and accurate real-time signal recognition, analysis and classification.
The current version of RadioInspector’s “DTest” option implements demodulators for the following communication standards:
- UMTS 3G
- APCO25 (with voice demodulation)
- DMR/MOTOTRBO (with voice demodulation)
- IEEE 802.15.4 (ZigBee, ISA100.11a, WirelessHART, MiWi)
- Digital Video Broadcasting (DVB-T2) (with on-screen demodulation using “IQ Process Pro”)
*Wi-Fi network and device monitoring, detection and analysis is performed using the advanced, stand-alone Wi-Fi Inspector hardware / software system.
The DTest option gives an operator more detailed information about a signal of interest in addition to the standard bandwidth, signal strength and spectrogram (waterfall) display. The program analyzes the data, identifies the supported communication standard, and demodulates on-air protocols, confirming and displaying additional data including the network address (addresses of base stations and handhelds), a unique transmitter ID and other information depending on the type of signal being studied. The program indicates whether a signal is legal or illicit by comparing it with a “white list” of legitimate users. Measuring data packet signal levels enables amplitude direction-finding of illicit transmitters. If the receiver or spectrum analyzer can send a real-time flow of IQ data (with a bandwidth of greater than 2 MHz), then analogue video for PAL / SECAM / NTSC TV can be demodulated and displayed.
The DTest program provides four advanced operational capabilities.
- Automated analysis of digital signals within authorized frequency ranges: Provided in a separate dedicated DTest program window for GSM, DECT, Bluetooth and IEEE 802.15.4 (ZigBee, ISA100.11a, WirelessHART, MiWi).
- Signal Classification Analysis Recognition Sub-System (SCARS): Which provides digital signal analysis of all supported communication standards manually or automatically during spectrum scanning.
- Audio demodulation mode: Audio demodulation for APCO25, DMR and TETRA signals (where encryption is not used) with additional detailed information provided about signals in the audio tuner window. (Also includes AM/FM and analogue video PAL, SECAM, NTSC demodulation).
- Digital signal testing and audio/video demodulation during post analysis: Both digital signal testing and audio/video demodulation functions can be performed during post analysis of recorded IQ data, with the IQ Process Pro software application.
*For information on IQ Process Pro, please see the RadioInspector IQ Data Analysis section.
DTest: Automated analysis within authorized frequency ranges
Automated analysis of digital signals within authorized frequency ranges is performed in the DTest program option window for the following standards: DECT, GSM, Bluetooth and IEEE 802.15.4 (ZigBee, ISA100.11a, WirelessHART, MiWi)
These standards are characterized by the fact that they operate in frequency ranges defined by the standard. In this window an operator can obtain information including the addresses and IDs of all transmitters for these standards, build a topology of the network, or identify clandestine transmitters.
Demodulation of DECT signals provides detection of base station addresses (RFPI addresses) and connected handsets which are in active mode (talk mode). For each base station and active handset, signal levels are calculated to assist in locating devices using amplitude direction finding techniques. Programming the list of authorized addresses for DECT base stations allows the operator to discover new DECT voice data channels present in a controlled premise, which might indicate a compromised DECT system.
The GSM demodulator derives the MCC, MNC, LAC, CI, and sector information. In addition, the TCH data channels that are linked to the analyzed BCCH channel, and neighboring BCCH channels, can be received. Knowledge of these parameters allows the operator to determine the topology of GSM networks (GSM450, GSM850, GSM900, GSM1800, GSM1900). Illegal GSM base stations and GSM bugging devices can then be determined. RadioInspector’s GSM signal analysis allows identification of “cloned” base stations which can be used for man-in-the-middle attacks, allowing the interception of GSM traffic. Authorized channel lists can be programmed for different locations.
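The authorized-list comparison described above, as an added Python example (not RadioInspector code): it checks decoded BCCH parameters against a per-location list and flags cell identities that are unlisted or that appear on an unlisted channel. The record layout, verdict names, strongest-first ordering and all sample values are assumptions constructed for this illustration.

```python
from collections import namedtuple

# One decoded BCCH observation; the field names are this example's own.
Cell = namedtuple("Cell", "arfcn mcc mnc lac ci level_dbm")

# Constructed authorized list for one location:
# (MCC, MNC, LAC, CI) -> set of channels (ARFCNs) where that cell is expected.
AUTHORIZED = {
    ("001", "01", 1201, 40011): {62},
    ("001", "01", 1201, 40012): {75},
    ("001", "02", 3300, 51234): {512},
}

# Constructed survey results (not real measurements).
SURVEY = [
    Cell(62, "001", "01", 1201, 40011, -71),
    Cell(75, "001", "01", 1201, 40012, -80),
    Cell(88, "001", "01", 1201, 40011, -48),   # listed identity, unlisted channel
    Cell(512, "001", "02", 3300, 51234, -77),
    Cell(90, "001", "01", 9999, 123, -52),     # identity not on the list
]

def classify(cell, authorized):
    """Return a verdict string for one observation."""
    ident = (cell.mcc, cell.mnc, cell.lac, cell.ci)
    channels = authorized.get(ident)
    if channels is None:
        # Unlisted identity: note whether it at least claims a listed operator.
        known_plmn = any(key[:2] == ident[:2] for key in authorized)
        return "unknown-cell-known-operator" if known_plmn else "unknown-operator"
    if cell.arfcn not in channels:
        # Same broadcast identity as a listed cell, but on another channel:
        # worth a closer look as a possible clone of that cell.
        return "identity-on-unlisted-channel"
    return "authorized"

def review(survey, authorized):
    """Return (verdict, cell) for every non-authorized observation, strongest first."""
    findings = [(classify(c, authorized), c) for c in survey]
    findings = [f for f in findings if f[0] != "authorized"]
    return sorted(findings, key=lambda f: f[1].level_dbm, reverse=True)

if __name__ == "__main__":
    for verdict, c in review(SURVEY, AUTHORIZED):
        print(f"{verdict:30} ARFCN {c.arfcn:4} {c.mcc}-{c.mnc} "
              f"LAC {c.lac} CI {c.ci} {c.level_dbm} dBm")
```

A flagged entry is a prompt for follow-up measurement at the site, not proof of a rogue base station; operators also retune and add cells legitimately.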
The Bluetooth signal demodulator includes a TSCM-specific active search method for Bluetooth signals. In active search mode, RadioInspector DTEST commences searching for Bluetooth synchronized devices that are in the ‘allowable detection mode’ and provides their name and MAC address. This method shows active Bluetooth devices which, although they may not be a threat, may pose an emissions or technical security hazard. An estimation of transmitted traffic is displayed, and an evaluation of this transmitted data can determine if voice, burst data or file transmissions are occurring. RadioInspector also scans all Bluetooth frequencies and searches for Bluetooth emissions.
Detected emissions are resolved using advanced Bluetooth signal analysis which demodulates the packet headers, analyzes and defines the Bluetooth LAP. This unique capability detects hidden and clandestine Bluetooth transmitters even if those transmitters are configured to be hidden from standard detection methods. In the passive search analysis mode RadioInspector also searches for devices that have been altered to transmit using non-standard frequencies, enabling identification of sophisticated threat devices.
An authorized list of LAP addresses can be programmed to quickly display new or unauthorized devices operating within the controlled location.
IEEE 802.15.4 (ZigBee, ISA100.11a, WirelessHART, MiWi)
The 802.15.4 analysis window lists all detected transmitters. The 800 MHz, 900 MHz and 2.4 GHz frequencies can be analyzed, and the window displays the PAN source and destination address of detected transmitter data packets, control packets, transmitted data size, last dB level of source data and time after last detection. An authorized transmitter list can be created to identify new or unauthorized devices operating within the controlled location.
Signal Classification Analysis Recognition System (SCARS):
The Signal Classification Analysis Recognition System is a highly sophisticated set of software algorithms and sub-routines that automatically classifies individual signals by modulation type, using the receiver’s IQ data stream and recognizes the signal modulation from known standards. Analysis of each signal is performed with an operator-selected rule set to define signal of interest (SOI) search parameters with recording of demodulated audio and IQ data. Spectrum and signal playback and analysis can be performed for individual signal events, including detailed post-event audio baseband spectral content analysis of detected signals.
SCARS works hand in hand with the RadioInspector DTest program to analyze, recognize and classify GSM, UMTS 3G, DECT, Bluetooth, TETRA, APCO25, DMR, IEEE 802.15.4 (ZigBee, ISA100.11a, WirelessHART, MiWi), Digital Video Broadcasting (DVB-T2) and analogue TV (NTSC, PAL, SECAM with on-screen demodulation) communication standards. SCARS can be used during regular spectrum scanning with the main scanning GUI, during fixed frequency inspections, and during digital signal processing with the RF signal analysis and performance measurement subsystem. SCARS results for each individual signal tested can be exported to a separate Microsoft Word document directly from the results window, for use in technical reports or future comparative analysis.
(*A special version of DTest (AOR-DTest-DV1) has also been developed which provides specific capability for the AOR AR-DV1 Digital Voice Receiver. The option provides Signal Classification analysis and Recognition support for DPMR, NXDN, D-STAR, YAESU and ALINCO).
UMTS 3G: The UMTS 3G demodulator provides positive identification, measurement and decoding information including frequency, signal level, LAC, CI, BSIC, sector, traffic channels (TCH), broadcast control channels (BCCH) and operator identification.
APCO25: The APCO25 demodulator allows classifying APCO25 signals, displaying the source and destination addresses of messages, determining the network ID and demodulating voice if encryption is not used.
TETRA: Demodulation of a TETRA signal determines the values of MCC, MNC, Color-code and other signal parameters. These parameters may be used to monitor whether TETRA transmitters are operating properly. If the “DMO” mode is in use (“DMO” mode is a mode where 2 handsets have a direct connection with the ability to activate one handset from another), RadioInspector displays a warning message about “DMO” mode, which can indicate a potential compromise.
DMR/MOTOTRBO: The DMR demodulator allows classifying DMR signals and displays the network ID source and destination addresses of messages. Demodulation of voice is possible if there is no encryption.
DVB-T2: The DVB-T2 demodulator provides signal identification and classification. Detailed parameter information as well as on-screen video demodulation is provided using the optional, stand-alone IQ Process Pro program.
SCARS can be implemented either manually or automatically.
SCARS Manual Operation
During manual operation, the operator selects the communication standards for testing from the SCARS menu, clicks on any signal of interest (SOI) and initiates analysis. Within seconds the results are displayed in a separate window directly on the spectrum scanning GUI.
SCARS Automatic Operation
For ease of use, SCARS includes a special software utility created to automatically ‘identify while scanning’ signals that exceed an operator-defined adaptive signal threshold. The threshold can be based on amplitude, power over threshold, dB above ‘normal’ detected signal levels, minimum, current or average trace values, threshold tables with multiple sub-ranges and amplitude levels set across the spectrum or selected frequency ranges, or the unique Dynamic Threshold. This utility is used to automatically identify and classify DECT, GSM, TETRA, APCO25, DMR and analogue TV communication waveforms. Each detected signal is added to the current Detected Signals List and includes the SCARS classification result.
Audio Demodulation Mode
RadioInspector provides demodulation of TETRA, DMR and APCO25 audio signals if encryption is not being utilized. The table of documented sessions of registered transmissions appears below the radio scanner window when one of the digital standards is selected.
Additional information shown in the audio tuner and demodulation window, if applicable, includes the time and date, frequency, communication standard, channel number, mobile or base station identification, condition (presence of audio, open channel, inactive channel, text/message transmission, private or group call etc.), source and destination identification, network color code, mobile country code (MCC) and mobile network code (MNC).