Improvised Radio Control System

Experiment’s CaseD and CaseO_RC include possibility that an opponent possesses an explosive device that can be activated remotely. Here, an improvised RC system for the explosive device is implemented using off-the-shelf consumer electronics that can also be used in other RC systems, such as, RC toys, personal mobile radios, drones, wireless doorbells, et cetera. The components and their shipping cost about 20–30 euros in online store. By using RC system, opponent’s transmitter can send to explosive-activating frame to the receiver. Ignition of a light-emitting diode (LED) lamp illuminates the success of the activation of the explosive. Figure 4.2 illustrates laboratory scenario of such remotely activated explosive device.

Receiver RX−9X8Cv2, HK−GT2_RX, HK−T6Av2

Battery Pack

4.5− 6.5 V

Micro Servo HXT900

Transmitter

HK−T4A−M2, HK−T6A−M2

LED light 3.5 W Car Battery

12 V +

-

Figure 4.2. Laboratory scenario of improvised radio control system.

The laboratory scenario of the detonation activation

As mentioned earlier, the basic idea here is that RC system turns on light bulb which simulates an activated explosive. When frame transmitted from the transmitter is correctly decoded by the receiver, pulse-width modulation can be utilized to control a micro servo.

Hence, the micro servo bends conductive metal strip so that it reaches another one. As a

result of this, current flows from a 12 V battery pack to the 3.5 W LED lamp which indicates an activation of the explosive. Also, the receiver needs a separate 4.5–6.5 V battery pack.

Several different receivers are used: an eight-channel Turnigy receiver, a three-channel HobbyKing receiver, and a six-channel Turnigy receiver. Performance differences under jamming were not detected any of these receivers in laboratory experiments. Hence, two different transmitters, a six-channel HobbyKing transmitter and a four-channel HobbyKing transmitter, are used depending on the experiment case.

Gaussian Frequency Shift Keying

The explosive activation system which utilizes earlier mentioned RC components follows proprietary automatic frequency hopping digital system (AFHDS) protocol. All of the transmitters and receivers mentioned earlier utilize Amiccom A7105 wireless transceiver chips and they are fully compatible with this protocol. In the AFHDS protocol, 2.4 GHz ISM band is divided into 500 kHz subbands in which the transmitter circulates frame-by- frame through an FH pattern of 16 subbands. A working principle of one kind of an FH system was already discussed earlier in the context of the architecture of Link 16. Here, center frequencies of the FH pattern cover frequencies from 2400.5 MHz to 2479.5 MHz.

The transmitted frames are modulated using Gaussian frequency shift keying (GFSK) with 200 kHz of deviation. The GFSK [24] is modulation method which can be found in many standards, such as Wavenis and Bluetooth.

Let us consider an example of a scenario where the transmitter transmits only zeros and ones that are also called asbits. The fundamental principle of conventional frequency shift keying (FSK) is that it converts information by increasing carrier frequency𝑓_𝑐 for symbol duration of𝑖th bitone. Hence, it decreases the𝑓_𝑖for the symbol duration of𝑖th bitzero

𝑓_𝑖=

⎧{

⎨{

⎩

𝑓_𝑐− 𝛥𝑓 , 𝑏_𝑖 = 0

𝑓_𝑐+ 𝛥𝑓 , 𝑏_𝑖 = 1, (4.1)

where𝛥𝑓is peak deviation. The𝛥𝑓is maximum shift away from the carrier frequency𝑓_𝑐 in one direction. Experimental measurements showed that the chip has symbol duration 𝑇_{𝑠𝑦𝑚𝑏} = 2.0 𝜇s and𝛥𝑓 = 200𝑘𝐻𝑧. The𝑏_𝑖indicates the bit that needs to be transmitted.

Here, the sequence transmitted from the transmitter to the receiver is constructed of𝑁= 250 bits, and its structure will be discussed in more detail later. Bit sequence𝑏_𝑖 ∈ {0, 1}

must be mapped to non-return-to-zero (NRZ) sequence𝑠_𝑖meaning that when the bit zero occurs, symbol -1 is transmitted and when the bit one occurs, symbol one is transmitted.

Basically the NRZ sequence𝑠_𝑖 ∈ {−1, 1}. Duration of single NRZ sequence is roughly500 𝜇s. By applying Gaussian filtering to the square-wave NRZ sequence, the GFSK can be obtained.

At first, we will look into the construction of Gaussian filter. The Gaussian filtered rectan- gular pulse𝑔(𝑡)can be expressed as follows:

𝑔(𝑡) = 1 2

⎛⎜

⎜

⎝ erf⎛⎜⎜

⎝

𝑡 +^{𝑇𝑠𝑦𝑚𝑏}₂ 𝜎𝑇_{𝑠𝑦𝑚𝑏}√2

⎞⎟

⎟

⎠

− erf⎛⎜⎜

⎝

𝑡 −^{𝑇𝑠𝑦𝑚𝑏}₂ 𝜎𝑇_{𝑠𝑦𝑚𝑏}√2

⎞⎟

⎟

⎠

⎞⎟

⎟

⎠

, −4𝑇_{𝑠𝑦𝑚𝑏}≤ 𝑡 ≤ 4𝑇_{𝑠𝑦𝑚𝑏} (4.2) where

𝜎 = √ln(2)

2𝜋𝐵𝑇 (4.3)

The 𝜎is variance, and the 𝐵𝑇 is bandwidth-time product that determines width of the Gaussian filter. For practical implementations, span of the𝑔(𝑡)has to be restricted, which can be seen in (4.2). In this case, the signal transmitted through the Gaussian filter affects four of the previous and four of the following symbols. Figure 4.3 illustrates variations of different pulses with the different𝐵𝑇values.

-4 -3 -2 -1 0 1 2 3 4

symbol period (T_s) 0

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

amplitude

BT = 0.2 BT = 0.4 BT = 0.6

BT = (corresponds to FSK)

Figure 4.3. A Gaussian filtered rectangular pulse.

If Gaussian filter is not applied which corresponds to a, FSK situation, the pulse is a rectangular meaning that frequency changes rapidly when the symbol changes to different.

However, as the Amiccom A7105 wireless transceiver chip utilizes GFSK for which the Gaussian filter is used to smoothen the shape of the frequency pulse [1]. The signal transmitted from the RC transmitter was captured with the IBFD transceiver’s antenna.

Hence, it was concluded empirically that the RC’s𝐵𝑇value was about 0.6.

Finally, let us focus into modulating NRZ sequence with an Gaussian filter. Gaussian filtered NRZ sequence’s phase𝑦(𝑡)can be expressed as follows:

𝑦(𝑡) =

𝑖=𝑁−1

∑

𝑖=0

𝑠_𝑖𝑔(𝑡 − 𝑖𝑇_{𝑠𝑦𝑚𝑏}), 0 ≤ 𝑡 ≤ 𝑁𝑇_{𝑠𝑦𝑚𝑏}. (4.4)

Hence, the total GFSK modulated signal𝑠_{𝐺𝐹𝑆𝐾}(𝑡)is 𝑠_{𝐺𝐹𝑆𝐾}(𝑡) = cos [2𝜋𝑓_𝑐𝑡 + 2𝜋𝛥𝑓 ∫^𝑡

−∞𝑦(𝑢)𝑑𝑢] , 0 ≤ 𝑡 ≤ 𝑁𝑇_{𝑠𝑦𝑚𝑏}, (4.5) where∫_−∞^𝑡 𝑦(𝑢)𝑑𝑢is normalized phase pulse. The generation of𝑠_{𝐺𝐹𝑆𝐾}(𝑡)can be imple- mented in practice, for example, by using a voltage controlled oscillator [8]. In conclusion, the GFSK can be implemented by frequency modulating carrier with real baseband signal where Gaussian filter𝑔(𝑡)is used.

Structure of the Frame

Accurate information of a frame’s structure is not publicly available. However, datasheet of the A7105 [1], hobby forums and, self-study were useful while visualizing frame. Frame’s structure is illustrated in Fig. 4.4.

Word 1 Word 2 Word 3 Word 4 Word 5 Word 6 Word 7 Word 8 Word 9 Word 10 Word 11 Word 12 Word 13

Preamble

Carrier

8 bits

32 bits 16 bits 2 bits

ID codes

Payload CRC

Dummy Bits

Figure 4.4. A structure of the frame.

At first, only carrier is transmitted so that the receiver can detect the transmitted frame from the right subband. Total duration of this is around 60.2𝜇s which is followed by preamble consisting of alternating zeros and ones. Its shape is determined by an identity (ID) code.

If the first bit of the ID code (word 1) is zero, the preamble is 0101...0101, and if the first bit is one, the preamble is 1010...1010 [1]. Experimental studies showed that the preamble of the used transmitter and the receiver is set to the 32 bits and its purpose is to synchronize transmission timing between two or multiple systems.

The words 1 and 3 are the transmitter’s 32 bit IDs (𝐼𝐷₁and𝐼𝐷₂) which remain unchanged regardless of measurement situation presented in this thesis. Experiments show their hexadecimal values of 2AC57554 (𝐼𝐷₁) and 1438D (𝐼𝐷₂), however, these may differ depending on the connected transmitter and receiver. Probably the𝐼𝐷₁is used to continue preamble as zeros and ones. Generally, the ID codes are used for authentication purposes between the transmitter and receiver. In an RX mode, chip checks the received ID and compares it to its ID register [1]. If these IDs match, payload can be decoded to control detonation of an explosive.

The word 2 is used for binding purposes, and it is either hexadecimal value of 0x55 or value of 0xAA depending on a binding button’s state in the transmitter. When the binding button is pressed, the transmitter starts transmission at its lowest carrier frequency without FH. Thus, the receiver listens to this transmission and marks up the IDs transmitted. The following words 4–11, also called as payload, are 16-bit channels 1–8 for transmitting tactical information. The transmitter and the receiver used here utilize only six channels so the channels seven (word 10) and eight (word 11) remain unused.

The word 12, according to datasheet [1], is cyclic redundancy check (CRC) bit string which is automatically transmitted after payload. The CRC is cyclic code that is used for detecting errors in transmitted data. The transmitter’s circuit calculates the CRC of the payload by calculating checksum of polynomial and the payload. The payload does not include the preamble or ID codes. Also, the chip A7105 utilizes a CCITT-16 CRC polynomial standard (𝑥¹⁶ + 𝑥¹⁵ + 𝑥² + 1). However, according to a source [57], the CCITT-16 polynomial standard uses the polynomial𝑥¹⁶+ 𝑥¹²+ 𝑥⁵+ 1for an error detection which differs from the datasheet’s polynomial. Measurements with the Matlab showed that the CRC changes depending on the sent frame, but a dependence to these polynomials was not observed.

Finally, last two bits (word 13) are so-called ”stop bits” which importance is difficult to evaluate. It is likely that these two bits give additional margin before the frame ends. Also, these stop bits facilitate decoding when few bits at the end of the frame are known.