Sunday, April 28, 2019

Radio Sunday #5 – A Little Radio Hacking

Now that we have a little background, let's look at the problem that started this: how big a problem is someone monitoring the local oscillator in your handheld?  How far away can they be?  We're going to draw on the architecture of the superheterodyne and decibel relationships to show you how it's done in real life. 

I'm going to start with my VHF/UHF handie talkie, a Yaesu VX-6R.  This is a recent production multiband VHF/UHF HT that is “high end” compared to the cheap Chinesium HTs or Family Radio Service (FRS) radios out there.  I'm not sure if they're still in production, but they're still widely available (for example).  It essentially receives from 500 kHz (0.500 MHz) up to 1.000 GHz and transmits on amateur bands at 2m, 220 MHz and 440 MHz.  Let's take a quick look at the specifications.

At the top, it says the architecture is dual conversion for AM or narrow FM no matter what frequency you're tuned to.  For AM and NBFM, it converts to 47.25 MHz, then down to 450 kHz.  The first LO is likely to be a phase-locked loop frequency synthesizer with ways to switch the frequency (there are several), and the second LO is a fixed oscillator 450 kHz above or below 47.25 MHz to mix 47.25 MHz down to 450 kHz.  I think about the tuning range required of their synthesizer and see it could sit on the high side or the low side of the tuned frequency (47.25 MHz above or below it), but high side is going to be easier (for one thing, low-side injection can't tune anything below 47.25 MHz at all), so I predict that the radio will have its LO at the tuned frequency + 47.25 MHz. 

That's easy to test.  I happen to have the 2m frequency of 146.925 MHz programmed in, so I tune the VX-6R there and tune a second receiver (a long obsolete Icom R-10, 500 kHz to 1300 MHz, all-mode receiver) to 146.925 + 47.250 or 194.175 MHz. Sure enough, it's there.   

The question about this LO “leakage” is how strong it is, and over what sort of distances it is detectable.

Here are some rough numbers to guesstimate what that level should be.  Consider our block diagram of a receiver: everything we want to think about is on the left end with reddish or pink background.

This assumes typical performance, not excellent, high end military or best-case performance.  That local oscillator, the source we're listening to, is running at roughly +7 dBm, 5 milliwatts.  The mixer will suppress that LO signal coming out of its RF input pin on the left, and that amount (LO-to-RF isolation) is usually specified for the mixer.  This is a wideband application, and those are usually not the best.  Usually around 20 dB.  That puts the LO at the output of the RF amplifier at  7 – 20 = -13 dBm.  The amplifier will provide attenuation of signals on its output going “backwards” toward the input, usually called reverse isolation.  That depends strongly on the amplifier design and, again, I'm assuming this isn't a very high reverse isolation design, and call it 25 dB isolation.  Now we're at -13 – 25 = -38 dBm.  Finally there will be some filtering.  This is where a single purpose, ham band only (or whatever other band you're using) receiver has the advantage, in that they can design a better filter here.  During filter design, it's possible to decide you want better rejection of undesired signals above or below where the radio is receiving.  It's reasonable to get another 30 or 40 dB isolation from the filter.  That says the signal at the antenna connector would be -68 to -78 dBm, as a back of the envelope guesstimate.  Could be worse or could be better. 

How strong is mine?  This is a tricky measurement because the second receiver doesn't have a calibrated signal strength meter, but I can tell it's fairly weak.  I can connect the VX-6R directly to the receiver (making sure my transmitter can't transmit into my receiver!), note its level on the radio's "S-meter" and set a signal generator to the same level as the signal I get from the VX-6R.  That tells me roughly -75 dBm.  I can also measure it directly by putting it on my (also ancient, long obsolete) spectrum analyzer and reading what's coming out of the antenna port.  That tells me around -82 dBm.  Those numbers agree pretty well, considering the crudity and lack of “real” amplitude calibrations anywhere. 

You can see in this photograph that I set the radio to 150.000 MHz (sideways, on top of the spectrum analyzer); first so that it can't transmit into the analyzer and second so that I could add 47.25 MHz easily in my head.  There might be a whole dB of loss in the cable and adapters between the radio and the analyzer, but I doubt that.

How detectable is -82 dBm?  At what kind of range?  We have to set a sensitivity level to compare to, and here I'm going to say a reasonably good receiver will detect a signal at about -135 dBm (for those who understand, I'm assuming a 500 Hz “CW” bandwidth, which gives a -147 dBm thermal noise floor, and adding 12 dB to split between NF and SNR; that is, say a 6 dB NF and 6 dB SNR, or a 3 and 9).  This isn't precise, but we just don't know enough about what the other side could be using.  That says my signal (at -82) is 53 dB stronger than needed to detect it.  How far away does the bad guy need to be for that signal to fade below threshold?  Roughly 180 feet.  I have a file in Mathcad that tells me the free-space path loss for a given distance and frequency and lets me play with numbers to get close to 53 dB path loss. 

When you're trying to derive numbers like this, remember radio (and light, and other electromagnetic radiation) falls off with an inverse square law (illustration near bottom).  If the guy trying to monitor you is twice as far away, he'll get 1/4 of the power; 6 dB down.  That means the signal lost 3/4 of its power by doubling distance.  Likewise, to double the range you need to add 6 dB, 4x more power, or the monitor needs 6 dB more signal acquisition. 
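To carry those numbers through end to end, here is a short Python script.  It is an added worked example, not code from the original post; the VX-6R figures in it are just the estimates and measurements above typed in as constants, and the range calculation assumes plain free-space loss between isotropic antennas (no ground reflections, obstructions, or antenna gain unless you pass one in).  It works out the first LO and image frequencies, walks the LO leakage chain to the antenna connector, builds the detection threshold from kTB, noise figure and SNR, and then inverts the path loss to find the range where the leaked LO drops below that threshold.

```python
import math

C_M_PER_S = 299_792_458.0   # speed of light
FT_PER_M = 3.280839895


def lo_frequency_mhz(tuned_mhz, if_mhz=47.25, high_side=True):
    """First LO for a conversion to if_mhz: tuned + IF (high-side injection) or tuned - IF."""
    return tuned_mhz + if_mhz if high_side else tuned_mhz - if_mhz


def image_frequency_mhz(tuned_mhz, if_mhz=47.25, high_side=True):
    """The other RF frequency the same LO converts to if_mhz; it sits 2 x IF from the tuned frequency."""
    return tuned_mhz + 2 * if_mhz if high_side else tuned_mhz - 2 * if_mhz


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def leakage_at_antenna_dbm(lo_dbm, mixer_isolation_db, amp_reverse_isolation_db, filter_rejection_db):
    """Walk the LO backwards: mixer LO-to-RF isolation, amplifier reverse isolation, then the front-end filter."""
    return lo_dbm - mixer_isolation_db - amp_reverse_isolation_db - filter_rejection_db


def detection_threshold_dbm(bandwidth_hz, nf_db, snr_db):
    """kTB at 290 K is -174 dBm/Hz; add 10*log10(bandwidth), the listener's noise figure and the SNR needed."""
    ktb_dbm = -174.0 + 10 * math.log10(bandwidth_hz)
    return ktb_dbm + nf_db + snr_db


def fspl_db(distance_m, freq_hz):
    """Free-space path loss between isotropic antennas (assumption: no ground, obstructions or gain)."""
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C_M_PER_S))


def range_for_path_loss_m(path_loss_db, freq_hz):
    """Invert fspl_db: the distance at which free-space loss equals path_loss_db."""
    return 10 ** ((path_loss_db - 20 * math.log10(freq_hz)
                   - 20 * math.log10(4 * math.pi / C_M_PER_S)) / 20)


def detection_range_m(signal_dbm, threshold_dbm, freq_hz, listener_gain_db=0.0):
    """Distance at which the leaked LO, after free-space loss, just reaches the listener's threshold."""
    margin_db = signal_dbm + listener_gain_db - threshold_dbm
    return range_for_path_loss_m(margin_db, freq_hz)


def vx6r_case():
    """The numbers from the post: 146.925 MHz tuned, +7 dBm LO, 20/25/30-40 dB isolation, -82 dBm measured."""
    tuned = 146.925
    lo = lo_frequency_mhz(tuned)
    leak_good, leak_better = (leakage_at_antenna_dbm(7, 20, 25, 30),
                              leakage_at_antenna_dbm(7, 20, 25, 40))
    threshold = detection_threshold_dbm(500, 6, 6)   # 500 Hz CW bandwidth, 6 dB NF, 6 dB SNR
    measured = -82.0                                 # spectrum analyzer reading at the antenna port
    rng = detection_range_m(measured, threshold, lo * 1e6)
    return {
        "lo_mhz": lo,
        "image_mhz": image_frequency_mhz(tuned),
        "estimate_dbm": (leak_good, leak_better),
        "threshold_dbm": threshold,
        "margin_db": measured - threshold,
        "range_m": rng,
        "range_ft": rng * FT_PER_M,
        # a listener with a 6 dB gain antenna pointed at you: range should double
        "range_with_6db_gain_m": detection_range_m(measured, threshold, lo * 1e6, 6.0),
    }


if __name__ == "__main__":
    for name, value in vx6r_case().items():
        print(f"{name:>22}: {value}")
```

Running it reproduces the post's numbers: LO at 194.175 MHz, an estimated -68 to -78 dBm at the connector, a -135 dBm threshold, 53 dB of margin and about 55 m (180 feet) of free-space range, doubling to about 110 m if the listener adds 6 dB of antenna gain.  Real terrain and buildings usually cut that range, since the free-space figure is the most optimistic case for the listener.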

This is a weak signal to detect near that distance, and the quality of the operator and their gear matters.  If they have a high gain antenna, they could double or quadruple the distance they could detect the radio from, but they have to point the antenna at you.  Methods of signals intelligence are a whole 'nother set of questions.

Because I've been a ham since I was 22 and have been experimenting with radios since I was 13, I've accumulated some radios and test equipment over time.  I talked about using my old radio, a particularly old example of the Icom R10, because I wanted to point out that a wideband radio is a cheap spectrum analyzer and I found the signal there first.  I'm not up to date on how their current offerings compare but what sets the R10 apart from some radios - and what you should look for - is that at any frequency you can dial up any mode.  For listening for LOs, which aren't modulated, you need to listen in CW or SSB modes.  I'm sure there are other radios out there that would fit the bill as well as the old R10s, I just don't have a rehearsed answer for what to get.

EDIT 4/29/2019 at 1050 EDT: Improved paragraph about power loss with distance (third from last) and corrected error pointed out by drjim in the first comment. 


  1. you lose 1/4 of the power....

    Should be you're DOWN to 1/4 power, or you lose THREE-QUARTERS of the power.

    Most people never heard of 'inverse square law', and have no understanding of what it means.

    Had a friend who was terrified of microwave ovens. I told him every time he doubled the distance, he was only "exposed" to 1/4 of any leakage, so if he stepped back 4 feet, he'd be completely safe.

    And he did....

    1. D'oh!

      Thanks, DrJim.

      My biggest issue in writing this is what to cover and what to just mention. I've mentioned the inverse square law many times, but it's dumb on my part to think folks have read everything I've ever done.

  2. I don't know much about radios, except for WiFi, but your results make sense to me. Using the wifi analyzer app on my phone, I can detect APs I (and the wlan nic) would judge as too weak to use, in the -75 to -85 dB range, at +/-150 feet, if not farther. 802.11 wants to be a lot closer before it will negotiate a successful connection, but I can see the SSID from a long way out.

  3. I am enjoying your Radio Sundays. I didn't realize there was that much bleed out of the LO through the antenna. Makes what I was told about modern military radio systems more relevant.