Saturday, March 23, 2019

"Receiver Hunting" And Similar Stories

A couple of days ago, I stumbled across a post on Western Rifle Shooters Association called Receiver Hunting.  It sounded right up my alley, so I followed the link to Outland Tek Musings.

In case you didn't read it or don't know what it's talking about, it concerns locating receivers by searching for their spurious radio emissions, in particular the local oscillator.  I'll define that in a minute.  Saying you'll tune for an LO assumes a standard architecture for the radios you're interested in finding.  That's not as safe an assumption as it was as recently as 10 years ago, but we're talking about going from near certainty to perhaps 95% of the receivers out there.  It's still a good assumption, just not a dead giveaway. 

In the earliest days of radio, about a hundred years ago, the common approach was to tune every circuit in the radio to the frequency you wanted to receive and amplify the signal from a few millionths of a volt (microvolts) at the antenna up to closer to a volt to drive headphones or a speaker.  This architecture was called Tuned Radio Frequency, or TRF, because that's exactly what it did: every stage that could be tuned was tuned to the same frequency, and changing stations was laborious.  In my career I saw exactly one modern use for a TRF design, but I've heard they're in some remote controls. 

The architecture allowed listening to radio stations (this was before broadcasting) but was hard to make work over wide frequency ranges.  First, each tuned stage had its own adjustment, so changing frequency meant turning several knobs rather than one.  Second, almost every amplifier (vacuum tube) available gave less amplification as the user tried to tune higher in frequency.  Edwin Armstrong, the closest thing to a real "father of modern radio" that I can think of, developed what he called the superheterodyne approach to receiver design. 

The approach embodied a couple of very important ideas.  First, it moved most of the amplification (engineers call that gain) to a fixed frequency and split the gain up among two or more frequencies.  That makes it less likely for signal from later in the radio to leak back into an earlier stage and cause problems (you've probably been around a PA or other amplifier that squeals with feedback?  Same principle, different frequencies).  Second, it introduced the concept of having one section, often one component, that is tuned to change frequency.  To do so, Armstrong introduced an oscillator into the radio and a component, the mixer, that multiplies the incoming signal by the oscillator's output.  Because it was inside the radio, he called it a local oscillator, or LO, as in local to the radio.  A trigonometric identity says that when two sine waves are multiplied, the result contains two new sine waves, at the sum and at the difference of the two frequencies.  One of those (the difference, in most receivers) is filtered out to become the Intermediate Frequency (IF); the other is effectively discarded. 
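As an added illustration that is not part of the original post, here is that mixer arithmetic run numerically. It uses the 2 meter numbers that appear later in the post (146.0 MHz signal, 167.4 MHz LO), but treats "MHz" as cycles per second so plain Python can simulate it; the sample rate and duration are my own choices, picked so that every frequency of interest lands on an exact DFT bin.

```python
import math

# Added example: an ideal mixer multiplies the incoming RF by the LO, sample by
# sample. The post's 2 meter numbers are used as-is, but "MHz" is treated as
# cycles per second so that plain Python can simulate it; only the ratios matter.
RF_MHZ = 146.0
LO_MHZ = 167.4
FS = 1000.0          # assumed sample rate: above twice the 313.4 sum product
DURATION_S = 5.0     # 5 s gives 0.2 Hz bins, so every frequency below is an exact bin


def mix(rf_hz, lo_hz, fs=FS, duration=DURATION_S):
    """Product of an RF sine and an LO sine, which is what a mixer produces."""
    n = int(fs * duration)
    return [math.sin(2 * math.pi * rf_hz * k / fs) * math.sin(2 * math.pi * lo_hz * k / fs)
            for k in range(n)]


def amplitude_at(samples, f_hz, fs=FS):
    """Peak amplitude of the component at f_hz (one bin of a DFT, normalised)."""
    n = len(samples)
    re = sum(x * math.cos(2 * math.pi * f_hz * k / fs) for k, x in enumerate(samples))
    im = sum(x * math.sin(2 * math.pi * f_hz * k / fs) for k, x in enumerate(samples))
    return 2 * math.hypot(re, im) / n


def mixer_products(rf=RF_MHZ, lo=LO_MHZ):
    """Amplitudes at the difference (the IF), the sum, and the two inputs."""
    out = mix(rf, lo)
    return {
        "difference": amplitude_at(out, round(abs(lo - rf), 4)),  # 21.4, kept as the IF
        "sum": amplitude_at(out, round(lo + rf, 4)),              # 313.4, filtered away
        "rf": amplitude_at(out, rf),                              # 146.0, absent from the output
        "lo": amplitude_at(out, lo),                              # 167.4, absent from the output
    }


if __name__ == "__main__":
    for name, amp in mixer_products().items():
        print(f"{name:>10}: {amp:.3f}")
```

The two input frequencies vanish from the product and only the 21.4 (difference) and 313.4 (sum) components remain, each at half the input amplitude. That is the identity sin a · sin b = ½[cos(a − b) − cos(a + b)] doing its work, and it is why the IF filter can be a fixed, high quality filter regardless of where the radio is tuned.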


Over the years, the technologies for the parts have changed, but the architecture has stayed almost exactly the same.  While I don't have one of those ubiquitous Baofeng Chinesium radios, a standard architecture for the amateur 2 meter band would work like this:
  • RF amplifier - tunes 144 to 148 MHz with filtering that drops the undesired signals as you get farther from the desired band (that is, they offer more protection as the frequency goes farther above or below where the radio is tuned)
  • IF Filter would be at 21.4 MHz, where very good crystal filters are now readily available
  • Local Oscillator would tune RF + IF, that is 144.000 + 21.400 MHz to 148.000 + 21.400 MHz, or 165.400 MHz to 169.400 MHz (this is high-side injection; a designer can equally choose RF - IF, but either way the LO sits exactly one IF away from the frequency the radio is tuned to) 
Getting back to the original story, what Outland Tek Musings was pointing out is that even if you're not transmitting intentionally, your receiver's local oscillator is running.  By tuning for your LO, an adversary could learn (1) that someone is there and then, (2) by assuming a standard architecture like this one (or by more intelligence gathering), what frequency you're listening to, since the tuned frequency is just the LO frequency minus the IF.  That tells them what frequency they should listen to in order to intercept your communications.
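The inference an adversary would make, as an added Python example that is not part of the original post. The band edges, IF and LO range are the ones from the list above; the assumptions are that the target radio really does use this single-conversion architecture with a 21.4 MHz IF, and that rounding to 0.1 kHz is fine. The observed carrier frequencies at the bottom are constructed, not measurements.

```python
# Frequency planning for the single-conversion architecture above, and the
# inference a listener can draw from an observed LO. All frequencies in MHz.
# Assumptions (mine, not the post's): the target uses this architecture and
# the 21.4 MHz IF; results are rounded to 0.1 kHz.

AMATEUR_2M = (144.0, 148.0)   # band edges from the post's example
IF_MHZ = 21.4                 # IF from the post's example


def lo_frequency(rf_mhz, if_mhz=IF_MHZ, high_side=True):
    """LO the receiver must generate to tune rf_mhz: RF + IF (high-side injection)
    or RF - IF (low-side). Either way the LO sits exactly one IF from the tuned frequency."""
    return round(rf_mhz + if_mhz if high_side else rf_mhz - if_mhz, 4)


def lo_tuning_range(band=AMATEUR_2M, if_mhz=IF_MHZ, high_side=True):
    """Span the LO sweeps as the radio is tuned across the band (165.4 to 169.4 for 2 m, high side)."""
    low, high = band
    return (lo_frequency(low, if_mhz, high_side), lo_frequency(high, if_mhz, high_side))


def image_frequency(rf_mhz, if_mhz=IF_MHZ, high_side=True):
    """The other RF that the same LO converts to the IF; the front-end filter has to reject it."""
    return round(rf_mhz + 2 * if_mhz if high_side else rf_mhz - 2 * if_mhz, 4)


def candidate_tuned_frequencies(observed_lo_mhz, if_mhz=IF_MHZ):
    """Both frequencies a receiver could be tuned to if observed_lo_mhz is its LO."""
    return {"high_side": round(observed_lo_mhz - if_mhz, 4),
            "low_side": round(observed_lo_mhz + if_mhz, 4)}


def infer_tuned_frequency(observed_lo_mhz, band=AMATEUR_2M, if_mhz=IF_MHZ):
    """Keep the candidate that lands in the band the target is assumed to use.

    Returns (injection_side, tuned_mhz), or None when no candidate fits (the
    architecture or IF assumption is wrong, or the emission isn't an LO at all).
    The two candidates differ by 2 * IF, so both can fit only if the band is at
    least that wide, which is not the case for 2 m with a 21.4 MHz IF."""
    low, high = band
    fits = [(side, f) for side, f in candidate_tuned_frequencies(observed_lo_mhz, if_mhz).items()
            if low <= f <= high]
    return fits[0] if len(fits) == 1 else None


def triage_observed_emissions(observed_mhz, band=AMATEUR_2M, if_mhz=IF_MHZ):
    """Map observed carrier frequencies to inferred listening frequencies,
    dropping the ones that can't be explained as an LO for this band."""
    inferred = {f: infer_tuned_frequency(f, band, if_mhz) for f in observed_mhz}
    return {f: r for f, r in inferred.items() if r is not None}


if __name__ == "__main__":
    # Constructed observations: one high-side LO, one low-side LO, one unrelated carrier.
    for lo, (side, tuned) in triage_observed_emissions([167.4, 123.4, 100.0]).items():
        print(f"LO {lo:7.3f} MHz -> receiver tuned to {tuned:.3f} MHz ({side})")
```

An observed 167.400 MHz carrier maps to 146.000 MHz under the high-side assumption; 123.400 MHz only makes sense as a low-side LO for 144.800 MHz; 100.000 MHz fits neither and is discarded. The same arithmetic is what a hunter would sanity-check against a known band plan before concluding anything, and it is why the author says the architecture assumption matters: a different IF moves every answer.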

How strong is it going to be?  Not very.  It varies with the quality of the radio, because to reach the antenna the LO has to leak backwards through (1) the mixer, (2) the RF amplifier (its reverse isolation) and (3) the front-end filter, and each one knocks it down.  Given an LO putting out 5 to 7 milliwatts, what reaches the antenna is likely under 250 microwatts, and in a good radio it can be far lower.  I wouldn't be surprised if it could be heard from a few houses away, perhaps a few hundred feet.


To be honest, my reaction to the post on Outland Tek Musings was mild surprise that this wasn't widely known, and that's really my bad: I've been hanging around with too many other Radio Graybeards.  Experienced radio monitoring hobbyists know this.  The idea was even commercialized as a way of determining which channels TV viewers were tuned to, because all TVs used the same IF and therefore the same LO frequency for a given channel.  That's right, a competitor to the Nielsen ratings did this (1970s, IIRC).

Today there are architectures that don't have a tunable local oscillator and are immune to this particular kind of monitoring.  These are direct sampling radios, a kind of Software Defined Radio (radios in which some or most of the functions usually done in tuned circuits are done in software): the analog-to-digital converter digitizes the whole band and the tuning happens in software, so there is no LO whose frequency gives away what you're listening to.  The caveat is that the converter's sample clock still runs at a fixed frequency and can leak the same way, so a well equipped listener may still learn that a receiver is present, just not what it's tuned to.  For VHF and UHF, direct sampling is still rather pricey in the ham radio world, but it is available in high dollar commercial radios.  For HF, there are low cost hobbyist radios.

Are you wondering, "What's up with this?  What are you really getting at?"  This topic is in my home field; I've designed radios like this for many years, and it makes me wonder what folks would like to know about in the wide world of radio.  Perhaps I can post something regularly.  Let me know in the comments, or email SiGraybeard at Gmail. 



25 comments:

  1. Yeah, more stuff to teach the pups. "LO Leakage....what's that?" has been heard more than once in my career. And then you (we?) get to teach them the basics of shielding, grounding, and bonding, after we teach them about good receiver design principles.

    The Brits had sniffer vans that drove around looking for "unlicensed" TV sets. How they isolated a particular TV in a crowded urban environment must have been a bit labor intensive.

  2. I like this sort of post a lot.

  3. Good basic information. For a given definition of basic.

    On boring nights at the listening post, we'd check the equipment by tuning in the LOs of the other gear and verifying stability. Good memories.

    Replies
    1. Good basic information. For a given definition of basic.

      That's why I wrote this. I'm a bit sensitive to "for a given definition of basic" now - and it's probably because I'm out of touch with what people know and want or need to know.

      I recall having a talk with an adult about electrons back in the early 80s, and I was surprised they really didn't know what an electron was, or that they even existed. When you've been a radio hobbyist for as long as you can remember, electrons are as real as a brick, not an obscure/bizarre concept.

      Doing a radio course that goes from "this is an atom" to a software defined radio is a long book.

    2. You don't have to write the whole book, sir.

      Just write what you think a licensed operator (be it T, G, or AE) should be learning as they develop their skill sets.

      Between you, OTM, and Brushbeater, there would be quite the practical faculty.

      With respect,

      ca
      wrsa

  4. I heard the Germans in WWII used this technique to catch people listening to Allied radio broadcasts.

  5. Don't worry about what content to put into posts, just write about what you know. That's the surest way to add real content to the intertubes. Trying to figure out what people want to read is a fool's game. Write something interesting to some population, and that population will find you.

    I was all ready to jump on SDR, but then you got around to it at the end. Although, theoretically, it's possible to get pretty good profiles of what a CPU is doing based on directly-radiated digital signals...

    Replies
    1. it's possible to get pretty good profiles of what a CPU is doing based on directly-radiated digital signals...

      Supposedly, back in the days of CRTs instead of LCD monitors, the guys who had the tricks could park in the parking lot outside of a building and as they pointed an antenna around could literally recreate what was being displayed on a CRT by its emissions. I found it hard to believe because of my experience with antennas and thinking about how close computers were to each other. How could they resolve different monitors?

      The same thing would apply to the computer emissions. In a building where everyone has a computer on their desk and there's a couple of hundred different CPUs running, how can you pick out the one you want?

      One of the last things I heard about Tempest was that in the effort to reduce power in laptops the manufacturers made the laptops invisible to monitors.

      Whether that's true or disinformation, I don't know.

    2. That was called "Van Eck Phreaking".

      https://www.techopedia.com/definition/16167/van-eck-phreaking

    3. Exactly (thank you). The CRTs in secure areas I worked in had to be aligned in specific directions to minimize the possibility of interception, because the main radiated lobe was in the direction of the e-beam. Thus, everybody's desks were pointed at the wall that was the most shielded.

    4. LCD screens made it harder, and the proliferation of chips has made it more challenging to zero in on just one. End of statement.

  6. For what it's worth, I'm not posting any comments here again. The damned captchas have gotten ridiculous. I don't have the time to play "intelligence" for some stupid machine vision algorithm.

    Replies
    1. Are they worse than anywhere else? I don't see any settings open to me that I can affect the captcha things with.

      Considering that some nights I'll get a dozen spams from India or Pakistan even with Captcha in place, I doubt it does anything. It's probably worth the experiment to see what happens if I turn it off. I think I can turn it off.

  7. How [the British TV licensing enforcers] isolated a particular TV in a crowded urban environment must have been a bit labor intensive.

    Suppose every house on the block had a TV license except one. Go knock on that door, announce they're busted by the van outside covered in antennas, and see if they confess.

    It makes me wonder what folks would like to know about in the wide world of radio.

    I'd like to buy a kit for a 900 MHz SDR 5 Watt transceiver, with a bandwidth less than wifi but much wider than voice, portable like a small cellular bag phone, integrated with a Linux singleboard. Source code for everything is included, and out of the box it is functional at least for voice. Implementing one of the spread spectrum techniques would be lovely, but is optional.

    The captchas here are much worse than others I encounter, I can spend 3-4 times as much wall clock time doing multiple screens as on anywhere else.

    Replies
    1. The captchas here are much worse than others I encounter, I can spend 3-4 times as much wall clock time doing multiple screens as on anywhere else.

      I went to turn it off, and tried commenting on another system I keep for tests. On this machine, I stay logged in. On that one, I'm not only not signed in, it's anonymized as best as I can. I can't turn Captcha off as seen from that machine.

      It might be browser dependent.

      I posted a query to their help forums to see why I can't turn it off.

      I'd like to buy a kit for a 900 MHz SDR 5 Watt transceiver, with a bandwidth less than wifi but much wider than voice, portable like a small cellular bag phone, integrated with a Linux singleboard. Source code for everything is included, and out of the box it is functional at least for voice. Implementing one of the spread spectrum techniques would be lovely, but is optional.

      Being a confirmed free market guy, if I could do such a thing, I'd sell it. That's a pretty specific set of desires. It sounds to me like a couple of years of development effort with some serious costs in renting test equipment, getting FCC certification, and all. Gotta recoup those costs. From a tech side, 900 is high enough that direct sampling is probably out. I'm pretty sure it's out for anything under a few thousand bucks. Are you expecting a radio that does exactly what you want, exactly the way you want, to cost $100? More like a Chinesium $30 HT?

  8. The place I normally blog uses Akismet for spam control. Every once in a while something gets through. Don't know how to add or config that, as there is someone else that does the tech side. The site is hosted, and runs on WordPress, which is more than what you've got here with Blogspot.

    WRT the bespoke radio, if limited to the 900 MHz ham band you won't need FCC certification, correct?

    There are 900 MHz spread spectrum HTs available off the shelf from Motorola; I'm guessing they are in the unlicensed part of the spectrum, but haven't looked closely at them.

    The original article is at the current online home of Sparks31 who has been trying to help people, especially in the prepper and liberty communities learn about communication for a number of years.

    I don't like captchas generally, but I prefer the picture based ones to squiggly lines over ambiguous text, although having more than one picture test is annoying. I'm sure it limits comments, but it does provide more anonymity-which I wholly endorse. Please DO NOT go to comments only from known and realworld linked posters.

    And finally, I'm with the other commenters, write what you want. Some of us will find it interesting.

    nick flandrey

    Replies
    1. I just spent too long trying to get through a captcha session testing in Chrome, so I feel your pain. The answer I'm getting from Google is that there's nothing I can do to change that. It's totally out of my control.

      I avoid captcha by staying logged into my blog, but I understand a lot of people don't like that idea.

      On the 900 MHz ham band, 902 to 928 MHz, ham gear doesn't have to be certified to the same rules as commercial gear, but a quick look shows that amateur gear still needs to meet amateur rules (part 97). Unlike other ham bands, there are some part 15 rules for 902-928. Those don't require a license.

  9. Are you expecting a radio that does exactly what you want, exactly the way you want, to cost $100? More like a Chinesium $30 HT?

    I thought the fivedash kit you mentioned for $89 and $129 assembled was a great price point. If a kit of the circuit board plus the parts was under $200, not counting the Linux board, I'd buy a few. Then I'd be responsible for assembly, case, battery system, connectors, buttons, front panel, etc. All of this to enable tinkering with the software, which is the part I'm interested in.

    with some serious costs in renting test equipment, getting FCC certification, and all.

    It's a kit, which means you are not legally obligated to do all that, the person operating it is. Being a responsible designer, you'd want to make sure it can comply if it was built and cased properly, but you can do that by informally testing it with equipment your radio buddies already have.

    WRT the bespoke radio, if limited to the 900 MHz ham band you won't need FCC certification, correct?

    It doesn't legally require any certification, testing, or licensing to assemble and sell a kit. The fivedash guy is selling assembled boards, and it's still a kit. Call it an "80% transceiver".

    There are 900 MHz spread spectrum HTs available off the shelf from Motorola

    I'm sure I can't get the software source code for that. It's a product with "the hood welded shut". I'm sure it's a perfectly nice product, and if you wanted exactly what it is, it would be great.

    a couple of years of development effort

    The NE2000 ethernet card was National Semiconductor's demo board for their chipset. That it was less fancy didn't mean it wasn't good, and cheap. Maybe a vendor with chipsets relevant to 900 MHz has a demo board which they would be happy to see copied. The important part to me is that the modulation scheme and so forth isn't baked into the chipset.

    From a tech side, 900 is high enough that direct sampling is probably out. I'm pretty sure it's out for anything under a few thousand bucks.

    The LimeSDR for $350 for an assembled board is overpowered for what I want, both the bandwidth of 61 MHz and the range of 100 kHz - 3.8 GHz. Let's instead say a bandwidth of 1 MHz and a narrow frequency range, using a chipset, no FPGA, less of a CPU. Probably move the 1 MHz I/Q data to and from Linux via USB.

    Commenting which requires a real-world identity is horrible. Probably not too far from the historical "intolerable acts", which I believe required revealing the communication to a court in order for it to be enforceable later.

  10. I've read mailing list posts where the open source amateur radio sdr research principals say that ham radio must be seen to be particularly inoffensive, so it doesn't attract more regulation. To which I would respond, meekly complying with all demands to give up your guns and livelihoods and relocate into ghettos is not a winning strategy. If radio experimenters are eaten last, that still means they're eaten.

    The open source amateur radio sdr research seems to be carefully constructed so the radio bandwidth and spare cpu and memory is such that you can't possibly do internet techniques over it. Let me put that another way. If the feature selection was random, that distribution wouldn't have this sharp-edged feature block-out. It's like the ham radio experimenters know perfectly well what innovations the wider would-be user base wants to experiment with, and are carefully denying it to them. I'm sure that's just a conspiracy theory, but then again I have a hard-hat made from drawn aluminum.

    The 1 MHz bandwidth number I picked isn't carefully thought out, I just want it to be faster than dialup so I can run IP over it, and then sshfs and mobile mesh routing protocols. I understand there is radio design math that relates the resolution of bandwidth and amplitude samples you can distinguish from noise to payload bits per second. This is all stuff I don't know well enough to use, but buying a kit embodying a worked example is a fine excuse to learn it.

    Replies
    1. I've read mailing list posts where the open source amateur radio sdr research principals say that ham radio must be seen to be particularly inoffensive, so it doesn't attract more regulation.

      Reference? I don't know any of those lists.

      It sounds fundamentally wrong to me because in every other service I know of, the FCC regulates the function and performance, not whether the radio is software defined or hardware. I was looking for my copy of part 97 and seem to have lost it somewhere along the way, but aside from the license class rules, it was all technical things, like occupied bandwidth, suppression of spurious emissions or harmonics - that stuff. That doesn't depend on the software, just pure hardware.

      Are the SDR mailing list guys afraid that they'll produce something that can be used out of band? Like, oh, 90% of everything?

      What I think has slowed the switch to digital modulations is that hams want to take their narrow band FM and use digital modulation. That restricts them to slow digital rates. You just aren't sticking video in a 15 kHz wide channel.

    2. A "killer app" combination seems to be: Internet, telephone quality voice, and encryption that works. Like a smart phone: fast, gear is extremely sleek, anybody can use it, works everywhere; only not a parole ankle bracelet with a 1984 telescreen. This would be real innovation, which is why governments suppress it by gun control. In response, amateur radio seems to be crowding into ghettos and sewing callsigns on its clothes to demonstrate its political reliability.

      https://ecfsapi.fcc.gov/file/7520929151.pdf

      45. For nations to continue to authorize Amateur Radio, they must perceive it as harmless. There is no reason for anyone to expect that an encrypted communication is harmless.

      [...]

      Encrypted Amateur Radio and The National Interest

      47. The Federal Government has an interest in communications interception for purposes of National Security. Recent news has made that abundantly clear. Amateur radio is a direct peer-to-peer communications mode. Unlike the telephone system, it is not mediated by a communications provider that will honor "security intercept" requests as telephone companies do. It has international range in the case of HF and satellite. The need to monitor and police such a system, if encryption becomes common, would engender political pressure domestically against the further allowance of Amateur radio.


      https://www.eham.net/articles/30355?ehamsid=uiujcs6qujfve6pkktqch3doj0

      Encryption is a potential disaster for us because it defeats the self-policing nature of ham radio. If hams can't decode messages, we can't identify if the communication is appropriate for ham radio or not. A potentially worse problem is that encryption destroys the harmless nature of Amateur radio. For governments around the world to continue to allow Amateur Radio, it must be perceived as harmless. There's no reason for anyone to believe that encrypted communications are harmless. Foreign governments, and maybe even our own, will start to see hams as more of a threat. This is likely to have a chilling effect upon DXpeditions, which are already often viewed suspiciously by the host nations, and perhaps will even lead some countries to take Amateur Radio off of the air or limit our privileges in some way.

    3. I think you're taking Perens out of context with, ... meekly complying with all demands to give up your guns and livelihoods and relocate into ghettos is not a winning strategy. If radio experimenters are eaten last, that still means they're eaten. He's talking about day to day operation of ham radio around the world and how to fit a new mode into existing infrastructure. (This thing about every new digital mode being greeted suspiciously is getting a bit old.) However, thinking of Perens as a guy who has dumped his heart and soul into developing the open source codec and FreeDV, I can understand his perspective.

      Encryption like you envision is currently illegal in ham radio (97.113 section A-4) and has been for as long as I can recall. Encoding (Baudot RTTY, PSK31, Olivia, SSTV, and so on) is not illegal.

      It appears that the proposed rulemaking petition from '13 he was commenting on was dismissed, as he was recommending. That petition (RM-11699) was to make encryption legal in the context of emergencies or training for emergencies. If I read the FCC response correctly, the reason they dismissed the petition was that they thought the argument saying encryption was necessary was invalid. That is, they didn't use Perens' arguments specifically against the petition.

      Also, I stand corrected on Part 97 acceptance for radios like this. It's hardly ever necessary. That's an artifact of the CB amplifiers of the 70s.

    4. I think you're taking Perens out of context with [...] He's talking about day to day operation of ham radio around the world and how to fit a new mode into existing infrastructure.

      The original context in which I learned about Perens' position was when I asked about encryption over the existing narrow channels. In response I got the 'must be perceived as harmless else doom' reply. Look at the second piece. He complains the harm will result from "crime, operating a business, downloading pornography". This is only about content, not about new modulations interfering with existing channel plans. I think his position actually meets the definition of collaborationism:

      https://en.wikipedia.org/wiki/Collaborationism

      Encryption like you envision is currently illegal in ham radio (97.113 section A-4) and has been for as long as I can recall.

      I'm sure any radios you design would be consistent with publicly admirable goals of spectrum efficiency and innovating around patents. A commercially interesting niche could be kits of Internet of Things platforms for amateur radio experimenters, for dense sensor networks which can hear each other and have to coexist. I hear that spread spectrum is a popular technique for this. Become a wizard, and turn the merry woods around your rural home into an enchanted forest. Where the very trees have eyes, and watch interlopers from every direction.

  11. I seem to remember, from the Basic Electronics course that I took in the Navy over 50 years ago, that the reason superheterodyne receivers were invented was that the amplifier circuit in line between the oscillator and the antenna blocked spurious leakage from the oscillator circuit, thus rendering RDF efforts aimed at finding a clandestine or other receiver ineffective. Sort of like putting a door on a barn so the cattle and horses don't get out.

    When I read the article at WRSA claiming that as a technique at finding clandestine receivers, my immediate thought was that's not true with the receivers I know about. Now I'm not familiar with the design of the receivers cited in the WRSA article so can't make a judgement on those in the area of spurious radiation.

    Anyway, I think articles that explain radio design, especially the purpose of designing radio circuits in certain ways, to people with little to no electronics background, would be beneficial. Have at it sir.

    Nemo

  12. I seem to remember, from the Basic Electronics course that I took in the Navy over 50 years ago, that the reason superheterodyne receivers were invented was that the amplifier circuit in line between the oscillator and the antenna blocked spurious leakage from the oscillator circuit,

    Well, that's a faulty explanation (or faulty memory - I get that way sometimes). If it's a Tuned RF radio, and they all were before the superhet, there's no oscillator to radiate. It's just tuned amplifier after tuned amplifier until you get to the detector.

    In a superhet, the input side to the mixer, the RF amplifier does act to reduce LO leakage, but that doesn't apply to the Tuned RF architecture.

    Anyway, I think articles that explain radio design, especially the purpose of designing radio circuits in certain ways, to people with little to no electronics background, would be beneficial.

    You're in luck. That's what I've been moving towards.
