1/17/2019 Printable version

Oleg Vasiliev, Candidate of Technical Sciences, Dmitry Olegovich Egorov, Alexey Nikolaevich Kadykov.

Systems of intelligent blocking of cellular telephony, communication channels and control

The article briefly discusses the strategy of building systems to suppress radio communication and control, using
panoramic reception to detect short signals and block the subscriber receiver with a short spectrum-matched pulse. An
embodiment of such a system is presented using direct down-conversion of the frequency range and further digital
processing of quadrature components on a Tornado E67 DSP controller.

The task of signal suppression is extremely important for anti-terrorist equipment that neutralizes remote-control radio
channels and for systems that protect against information leakage channels. Since in many cases there is almost no a
priori data about the signals to be blocked, usually the entire range in which the radio link can carry control commands
or information is suppressed. The wider the covered frequency range and the greater the power of the jamming noise, the
less likely it is that a command will be transmitted over the radio link. Indisputable, but primitive. Energy and human
resources are not limitless. The suppression principles used in electronic warfare are, to say the least, not humane in
peacetime. The suppression system can be optimized by making it intelligent: first detect the signal and evaluate its
parameters, and then selectively block the receiver of the radio link to which the information contained in this signal
is addressed. As in a missile defense system, we first detect the target, calculate its trajectory, and then launch our
anti-missile to defeat it. Firing all the missiles at once is pointless and expensive.

A typical example of this kind of system is a device that suppresses cellular communication in a given area, building,
or room. Signals in cellular networks can serve as a command radio link or be used to transmit confidential information.
Similar functions can be performed by any modern radio links that meet the standards of wireless computer networks (WLAN,
Wi-Fi, ZigBee), various wireless access systems, etc. The energy gain of such systems compared with systems using barrage
noise reaches tens of decibels at equal effectiveness.

Detection of a short pulse in a given range

When building modern intelligent blocking systems, as well as radio monitoring and information protection systems, the
main task is to quickly detect and calculate the parameters of short signals lasting up to several microseconds. These
signals can be either single, for example a coded control command, or an instantaneous sample from a stream of radio
pulses of various frequencies. Such a stream can be a channel for transmitting information in a communication system that
conforms to a specific communication standard, where frequency hopping (FH) is used to improve noise immunity. The FH
mode is characterized by a pseudo-random change of the carrier frequency of a radio pulse at a high rate; for example,
for the Bluetooth standard it occurs 1600 times per second in the 79 MHz band. Accordingly, the spectrum of a single
pulse occupies a frequency band of about 1 MHz.

Frequency hopping mode is used to expand the spectrum (FHSS - Frequency Hopping Spread Spectrum) in wireless
computer networks for transmitting data using the IEEE 802.11 protocol and in various military radio systems.

One of the most typical examples is the frequency hopping mode in the GSM cellular standard, which is effectively used to
combat signal fading, mainly when driving in a car. The duration of a radio pulse, or slot, in the GSM standard is 577 μs,
and the duration of the radio pulse with which a subscriber handset requests a connection, for both outgoing and incoming
calls, is only 300 μs. The mobile phone goes on the air with a request pulse (Random Burst) on the duplex frequency of the
control channel of the base station. The entire subsequent exchange of information between the subscriber terminal and
the base station can then take place in frequency hopping mode. The number of frequency channels used is determined by
the base station.

Consider further the problem of detecting a short radio pulse, mainly in relation to the GSM cellular telephony system.
A system that solves the problem of detecting a short pulse signal can be constructed in various ways. It is known that
the probability of detecting a signal depends on the signal-to-noise ratio, that is, on the signal energy and receiver
sensitivity. The most important issue is the matching of the signal and receiver bands. Ideally, the bandwidth of the
receiving device up to the detector should follow the shape of the envelope of the spectrum of the radio signal.
Obviously, if the bandwidth of the receiving device, or the filter band of a measuring device operating on the wideband
intermediate frequency output of the receiver, is several times narrower than the radio pulse band, then such a receiver
simply does not react to the signal acting on its input. For a correct construction of the detector, full a priori data
about the signal, including the carrier frequency, are necessary. In the problem considered here, with a carrier hopping
in frequency, it is necessary to know all the possible frequencies used for the hopping mode. For the GSM standard, these
are the frequency channels: 124 full-duplex channels in the 890 - 915 MHz range (reverse channels, subscriber terminals -
base station) and 935 - 960 MHz (forward channels, base station - subscriber terminals), and also 374 channels in the
1710 - 1785 MHz and 1805 - 1880 MHz ranges. The spacing between channels is 200 kHz. In practice, of course, only a
certain number of channels are used, on which the base station can operate. This may also be related to the distribution
of the frequency grid between different communication operators. So, we will assume that all a priori data is known to
us, and the task is reduced to energy detection of a signal over a time interval and estimation of its parameter: the
carrier frequency, or the number of the frequency channel in the GSM system.

As follows from the fundamental relation (1) for calculating the sensitivity of the receiver, the minimum power of the
detected signal increases with increasing analysis bandwidth, or receiver bandwidth:

P = -174 dBm + NF + 10 lg B + A,    (1)

where NF is the receiver noise figure;
B is the receiver bandwidth;
A is the detection threshold, set in accordance with the selected criterion.

In the case when the signal is a radio pulse in a system with frequency hopping (FH) over n frequency channels, with a
common detection band B = nF, where F is the frequency band occupied by one channel, the minimum power of the detected
signal, as follows from expression (1), is increased by 10 lg(B/F) = 10 lg n dB in comparison with the single-channel
detector. For a GSM cell phone system, this is 10 lg 124 = 20.9 dB for the lower band and 10 lg 374 = 25.7 dB for the
upper bands, respectively.

So, in these examples the broadband detector is inferior in the energy of the detected signal to the detector matched to
the channel bandwidth by 20 or more decibels. However, with a sufficiently powerful signal, it guarantees detection of
the signal, while a single-channel detector scanning across the channels has a negligible probability of detection. It is
clear that to maintain the minimum power of the detected signal and the guaranteed probability of its detection (equal to
one), a multi-channel detector is needed in which the number of matched receivers equals the number of frequency channels
in the system, specifically 124 + 374 = 498 receivers for the GSM system.

Spectral estimation in the problem of detection

The task of multi-channel detection can be solved by applying digital signal processing techniques. The classical method
of signal detection is the spectral estimation of the components of the direct Fourier transform of the signal-plus-noise
mixture acting at the receiver input. To obtain a spectral estimate, it is necessary to digitize the signal and calculate
its spectral representation on a digital signal processor (DSP) using well-known algorithms, such as the Fast Fourier
Transform (FFT). Ideally, the received signal should be digitized as close as possible to the antenna, since in this case
the digital representation of the signal will have the minimum possible spectral loss during further digital processing.

The classic signal filtering path, i.e. separating a narrowband frequency channel from a wideband mixture of signal and
noise, requires several frequency conversions through mixers and appropriate analog filters until the required accuracy
(quality) of channel separation is achieved. A digital signal processing (DSP) system typically uses a signal taken from
the receiver's broadband intermediate frequency output, the frequency of which is usually chosen from the standard set:
10.7 MHz, 21.4 MHz, etc. Sometimes an additional down conversion is used to allow the use of a lower-frequency ADC with a
greater number of bits and, accordingly, a larger dynamic range. The signal digitization frequency is selected 2 - 3
times higher than the upper limit frequency of the IF path of the receiver.

The rapid development of digital technologies and the emergence of high-speed ADCs with clock frequencies up to 1 GHz and
higher have recently caused a trend of moving digital signal processing (DSP) systems ever closer to the antenna. With a
standard receiver output dynamic range of 60–70 dB, a 12-bit ADC with its own dynamic range of 72 dB is sufficient for
digital processing without significant losses. Such ADCs with sampling frequencies of 65 and 105 MHz are produced, for
example, by Analog Devices.

In addition, it is possible to extend the frequency range of the analyzed signals to approximately the value of the
sampling frequency of the ADC using modern methods of decomposing the input signal into quadratures. Virtually all
digital demodulators and digital signal processing systems in cellular telephony, wireless computer networks, etc., work
on this principle. Recently, direct down converters (DDC - Direct Downconverter) have appeared on the market of
integrated circuits for processing high-frequency analog signals; they make it possible to obtain the in-phase and
quadrature components of the converted input signal in a frequency range of up to almost 100 MHz. Next, the in-phase and
quadrature components are sent to two synchronously operating ADCs, the sample is stored in the buffer memory, and then
transferred to the DSP to calculate the spectrum.

System implementation

The principle described above was used by the developers to build the receiving part of a system for intelligent blocking
of cellular communication and wireless access of all standards operating in Russia. As an example, let us consider a
specific receiving path intended for real-time monitoring of the forward or reverse channels of a cellular GSM radio
link, in particular, for monitoring the air and determining the carrier frequencies of subscriber units. The total
frequency range in this standard is 100 MHz. To cover it, four linear receivers with a bandwidth of 25 MHz each are used,
built on the principle of direct down conversion of signals with decomposition into quadrature components, together with
an autonomous DSP system. The block diagram of the linear receiver is shown in Fig. 1. The input signal passes through a
switch that selects the forward or reverse channels and then goes to the direct down converter. The local oscillator
contains a VCO and a frequency synthesizer, controlled by the DSP system through a microcontroller over the RS-232 bus.
The DSP system controls the gain of the converter in the range up to 46 dB. Since the frequency of the local oscillator
is chosen equal to the center frequency of the band and quadrature processing is used, the passbands of the low-pass
filters are chosen equal to half the bandwidth, i.e. 12.5 MHz. The quadrature signals from the converter, after filtering
by the low-pass filters, are fed to the DSP system.

Fig. 1. Block diagram of the linear receiver

An autonomous DSP system that functions as a digital analyzer is based on a stand-alone TORNADO-E67 DSP controller from
MicroLab Systems Ltd, which carries a high-speed ADC/DAC daughter module with a parallel AD/DA PIOX DCM interface, as
shown in Fig. 2. The controller with the daughter board has two 12-bit parallel synchronous ADCs at its input, with a
maximum clock rate of 65 MHz. A clock generator is installed on the board. Thus, the daughter module makes it possible to
digitize two input signals in a band of up to about 30 MHz and transfer the data accumulated in the 256 FIFO buffer
memory via the parallel 16-bit PIOX-16 interface to the DSP controller motherboard for signal processing.

Fig. 2

The core of the TORNADO controller is the TMS320C6701 digital signal processor (DSP) (32 bits, floating point, 1000
MFLOPS) by Texas Instruments, whose architecture is optimized for parallel computing. The board uses high-speed
synchronous burst SRAM (SBSRAM), synchronous SDRAM, and flash memory. The board has a two-channel universal synchronous /
asynchronous transceiver (USART, 10 Mbps) with two dual-channel interfaces, RS422 (10 Mbps) and RS232 (115 kbps), as well
as a USB controller for connecting a control computer via USB. The board contains a parallel PIOX-16 interface for
connecting a daughter module, a serial SIOX interface for controlling external devices, and a JTAG port for connecting
emulators. To process the data and calculate the complex spectrum of 2 by 1024 points by the FFT algorithm, the
controller takes no more than 17 μs. Hardware and software debugging using the TI XDS510 scanner and MicroLAB Systems
MIRAG-5100 emulators was supported by TI's Code Composer Studio integrated development environment.
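For radio monitoring, the multi-channel spectral detector described above can be sketched as follows. This is an added example, not the authors' DSP code: the 51.2 MHz complex sample rate, the 12 dB threshold over the median channel power, the channel numbering f = 890 MHz + n × 200 kHz for the reverse band, and the constructed noise-plus-carrier test capture are all assumptions.

```python
import cmath, math, random

FS = 51.2e6      # assumed complex sample rate, Hz (gives 50 kHz FFT bins)
N = 1024         # FFT length, as on the page
F_LO = 902.5e6   # local oscillator at the centre of the 890-915 MHz band
SPACING = 200e3  # GSM channel spacing from the page

def channel_freq(n):
    """Reverse-channel carrier of GSM-900 channel n (1..124), assumed numbering."""
    return 890e6 + SPACING * n

def fft(x):
    """Recursive radix-2 FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return [e + t for e, t in zip(even, tw)] + [e - t for e, t in zip(even, tw)]

def channel_powers(iq):
    """Sum |FFT|^2 over the four 50 kHz bins that make up each 200 kHz channel."""
    power = [abs(v) ** 2 for v in fft(iq)]
    out = {}
    for ch in range(1, 125):
        centre = round((channel_freq(ch) - F_LO) / (FS / N))  # negative = below LO
        out[ch] = sum(power[(centre + d) % N] for d in range(-2, 2))
    return out

def detect(iq, threshold_db=12.0):
    """Return (channel, carrier_hz) of the strongest channel, or None if it does
    not exceed the median channel power (noise-floor estimate) by threshold_db."""
    p = channel_powers(iq)
    floor = sorted(p.values())[len(p) // 2]
    ch = max(p, key=p.get)
    if 10 * math.log10(p[ch] / floor) < threshold_db:
        return None
    return ch, channel_freq(ch)

def make_capture(channel=None, amp=1.0, sigma=1.0, seed=1):
    """Constructed test data: 1024 I/Q samples of Gaussian noise, optionally
    with an unmodulated carrier on the given channel (not a real GSM burst)."""
    rng = random.Random(seed)
    off = channel_freq(channel) - F_LO if channel else 0.0
    tone = amp if channel else 0.0
    return [tone * cmath.exp(2j * math.pi * off * k / FS)
            + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for k in range(N)]

if __name__ == "__main__":
    print(detect(make_capture(channel=37)))    # carrier 3 dB below the noise per sample
    print(detect(make_capture(channel=None)))  # noise only
```

With these settings the carrier is below the noise in every individual sample, yet the 1024-point transform concentrates it into one channel, which is the matched multi-channel detection the text argues for.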

The total time for accumulating a sample and calculating the complex spectrum is 20 μs, which makes it possible to detect
the signal with one hundred percent probability three times during the request pulse. Having solved the problem of
detecting the request pulse, and in accordance with the protocol of the standard, the DSP system calculates the channel
and time slot in which the base station will transmit the information intended for the particular subscriber that issued
the request. By controlling the fast frequency synthesizers of the suppression unit, it is not difficult to place spot
interference on the subscriber's receiver and prevent it from obtaining the information required for authentication. The
subscriber handset, after making a number of connection attempts, returns to idle mode, remaining in service on the
network.

The DSP system performs both the functions of discrete spectral analysis and the control functions of the receivers and
the entire system. One DSP controller provides full detection and analysis of signals from a GSM cellular system in real
time, since real-time analysis of a cellular GSM network requires the most computing resources. A similar DSP controller
simultaneously processes the signals of the AMPS / DAMPS, CDMA, NMT-450 and WCDMA cellular telephony systems and of DECT
wireless access. The system can operate in a completely autonomous mode or with data output to the control computer via
the USB bus. Loading of DSP programs and system parameters is also done via the USB port. The user interface is shown in
Fig. 3.

Fig. 3

The effectiveness of targeted interference relative to barrage interference for systems with time division multiple
access (TDMA) is determined by the same ratio of the bandwidth of the entire range covered by the barrage interference to
the bandwidth of the channel in which the targeted interference is placed, i.e. 20 - 26 dB in the lower and upper bands
of the GSM standard. However, given that the targeted interference is short-term (a burst of four pulses with a duration
of 200–300 μs) while the barrage interference acts continuously, the real (integral) efficiency of the intelligent
suppressor is incomparably higher than that of a system with barrage interference. The equipment described above is
designed to prevent information leaks over cellular telephony and wireless access channels when holding private events
and meetings in large rooms and halls.



Article published on the website: 05.05.2006
