Microwave EDA Network, witnessing the growth of R&D engineers!

Can you piggyback RF communications on cellular transmit/receive frequency bands ?

Date: 04-04 Compiled by: 3721RD Views:
My question is purely hypothetical and there are no immediate plans for any such application. But I was just curious: is it possible to make use of the cellular frequency bands (as set out by a country's regulations and by the cellular providers) for some sort of covert type communication other than for voice, data or text types of cellular communications? Would it be too difficult and complex to develop such an application that uses cellular radio frequencies, or could it be done without too much concern for potential interference or the sharing of channels with nearby normal cellular transmissions? Could such an application be developed without having to cross over many hurdles? If such covert communications are possible, would the cell frequencies used not reach the base stations of the wireless carriers as noise, or can peer-to-peer communications be possible, bypassing the base stations?

Whether it appears as noise or not, it would interfere with normal traffic and be investigated very quickly. That doesn't make it very 'covert'!

You certainly can't use cell base stations as repeaters, they don't work that way at all, and it would be very difficult to disguise another transmission so it could 'sneak through' unnoticed.

Brian.

Hello betwixt. Thank you. Please do not be offended, but would you mind if I asked whether you are an RF engineer by profession? I will understand if you do not wish to disclose the answer on a public forum. The reason I am asking is that I would like to know from an RF engineer whether using such quad-band cell frequencies would have drawbacks and hurdles to overcome before a perfect and efficient system could be established. I agree that covert communications would likely be detected as noise at the base station, which would defeat the purpose of being covert in nature. The other point I wanted to ask is: if a covert system using cell frequencies was designed, how would it be possible to prevent the covert communication signals from reaching the wireless carriers' base stations and cell towers? Perhaps by way of a lower-power amplified RF signal?

Thanks again

I worked on the design of cell base stations for a major US comms company although I am no longer working in that particular field of electronics.

I'm not really sure what your intention is: to actually use the normal cell traffic to hide a cell transmission, or to hide another 'non-cell' transmission amongst the existing carriers.

Using the cell traffic itself is very difficult because the base stations allocate time slots to each connected device. It means they need to interrogate and verify all devices in range to see if they are authorized to use the service. If the service provider's database grants permission, the device then has to observe its allocated time slot to receive and transmit time-compressed data packets. Breaking in is almost impossible.

If you want to hide another independent signal it would also be difficult. There isn't space for another 'cell lookalike' GMSK signal, and anything narrowband would be immediately obvious. The cell broadcasts also employ frequency hopping, so the chances of finding a frequency clear for long are unlikely, and they also adaptively adjust their output power, so if you find a 'quiet' spot it may only be because the transmission at that time is at low power output. If you interfere with someone's signal the transmitter power will automatically increase to try to overcome it. The 'fixed' frequencies are the time slot administration transmitters, but if you interfere with one of those you could block the entire cell coverage area.

Brian.

Sure. They have been doing that with Intelsat for decades.
You need a spread spectrum signal and a transmit power that keeps it under the "noise floor" of the environment, which is higher than thermal noise. Also the spread spectrum signal has to be devoid of any modulation frequency peaks... I mean really devoid of them.

It is easier to do it for satellite, since the range is pretty much a constant... i.e. wicked long. For a cell phone the range can be anywhere from 200 feet to 30 miles... so making sure the spreading signal is below the noise floor is difficult technically.

The reason for the interest is that I have knowledge of a company which is investigating certain hi-tech devices which contain embedded RF technologies which may not be certified for use (if required) in the countries where these devices are being used.

It has been said that it is impossible to discover the frequency (or frequencies) being used by way of reversing the integrated circuit die. Any ideas on how we can isolate these "hidden RF frequencies"? Is it possible to determine the range of frequencies being used if the IC is using some kind of passband filter?

Any ideas?

Thank you biff44. Would you then be saying that it is possible and could work quite efficiently, barring the following?

1. a transmit power that keeps it under the "noise floor"
2. being devoid of any modulation frequency peaks

I've never seen a 'tuned' IC that works on a particular frequency. All the ones I have seen or used rely on external tuned circuits or resonators, in other words the IC is generic and no amount of reverse engineering will expose anything other than a broad range of frequencies it might be optimized for.

Typically, ICs for low power data transmission use a resonator and PLL to multiply its frequency up to the final carrier rate. When viewing an actual module, the frequency is fairly easy to guess; it will typically be the nearest multiple of the resonator frequency to the wavelength of the quarter-wave antenna. Of course anyone looking on a spectrum analyzer would spot it and be able to read the frequency anyway.

I think most satellites use linear transponders, so predictably dispersing the RF energy on the uplink and reconstructing it from the downlink is possible, but given the crowded cell frequencies and the need to work point-to-point, it would be far harder.

Brian.

Brian, just to clarify the above comments. You are saying that it is rare to find an RF device (tuned IC) using just a single frequency, but rather a range? Secondly, you said "When viewing an actual module, the frequency is fairly easy to guess", yes? Does this imply that by way of decapsulation and the study (some reversing) of the tuner found in an RF device IC, the range of used frequencies can be determined, yes?

Thank you

How can it communicate then?

When you add the coding gain of the digital demodulation process, you end up with an effective signal-to-noise ratio that is positive.

If you are using a satellite system, it has to be a "bent pipe" type system with all receiver processing on the ground.

https://www.tapr.org/ss_intro.html

I actually worked on one of these systems back in the day. Had to "invent" a way to make a BPSK modulator with almost NO carrier leakage, since the carrier leak-through would be unmodulated and would have degraded some other narrowband paying customer's communications system.

What I mean is that to accurately manufacture a silicon device that oscillates at a specific frequency is almost impossible. Even low frequency oscillators like the ones built in to microcontrollers are typically specified at +/- 1% and have large frequency drift with temperature and voltage changes. They all rely on quartz or special ceramic resonators to stabilize their frequency. The ultimate transmission frequency will be derived from the resonator frequency, so by reading what the manufacturer marked on it you can make a good guess at the range of possible multiples it may be. For example, if the resonator was marked 25MHz, you could reasonably expect the transmission to be 25, 50, 75, 100, 125... MHz after multiplication. The next step would be to make a guess at which of those it is likely to be. Knowing you are using the cell frequencies would obviously narrow down your choice, but the antenna size would also give strong clues. It would typically be 0.25 wavelengths long, so physically measuring it and converting the length to frequency (frequency = 1/wavelength) would help to narrow the likely candidates.

In a simple modulation scheme, feeding the modulator with a constant pattern of data will produce a constant energy spectrum at the antenna; it will exhibit peaks in energy at certain frequencies which would make it easier to spot. The trick is to disperse the energy peaks by encoding the data in a special way, often by mathematically mixing it with a pseudo-random number sequence. The randomized result will have a wider spread of energy which is more evenly dispersed and therefore looks more like noise to anyone investigating. As long as the receiving end can re-create the same number sequence it can mathematically restore the original data.

Brian.
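The mechanism Brian describes above (mixing data with a pseudo-random sequence that the receiver regenerates) and biff44's point earlier that the coding gain turns a negative per-chip SNR into a positive one, as an added direct-sequence spread spectrum simulation. This is not code from the thread; the seeded-PRNG chip generator, the spreading factor of 256 and the noise level are constructed for illustration and stand in for the LFSR or Gold codes a real radio would use.

```python
import math
import random

# Constructed parameters for the demo; no real system's codes are used.
CHIPS_PER_BIT = 256   # spreading factor N; processing gain = 10*log10(N) dB
NOISE_SIGMA = 3.0     # channel noise std dev per chip (chip amplitude is 1)
PN_SEED = 0xC0DE      # shared value both ends use to regenerate the PN sequence

def pn_chips(seed, n):
    """Derive n pseudo-random +1/-1 chips from a seed. A seeded PRNG stands in
    for the LFSR or Gold code a real DSSS radio would use; what matters is that
    transmitter and receiver can regenerate the identical sequence."""
    rng = random.Random(seed)
    return [rng.choice((-1, 1)) for _ in range(n)]

def spread(bits, seed, cpb=CHIPS_PER_BIT):
    """Map each bit to +/-1 and multiply it by cpb PN chips (the 'mixing' step):
    the narrowband bit stream becomes a wideband, noise-like chip stream."""
    chips = pn_chips(seed, len(bits) * cpb)
    tx = []
    for i, bit in enumerate(bits):
        symbol = 1 if bit else -1
        tx.extend(symbol * c for c in chips[i * cpb:(i + 1) * cpb])
    return tx

def channel(tx, sigma=NOISE_SIGMA, seed=1):
    """Add Gaussian noise whose power exceeds the signal's: per-chip SNR < 0 dB."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in tx]

def despread(rx, seed, cpb=CHIPS_PER_BIT):
    """Correlate received chips with the regenerated PN sequence. Signal chips
    add coherently (N * symbol) while noise only grows as sqrt(N); the sign of
    each correlation recovers the bit. With the wrong sequence the output is junk."""
    chips = pn_chips(seed, len(rx))
    bits = []
    for i in range(len(rx) // cpb):
        pairs = zip(rx[i * cpb:(i + 1) * cpb], chips[i * cpb:(i + 1) * cpb])
        bits.append(1 if sum(r * c for r, c in pairs) > 0 else 0)
    return bits

def chip_snr_db(sigma=NOISE_SIGMA):
    """SNR seen per chip before despreading: signal power 1 vs noise power sigma^2."""
    return 10 * math.log10(1.0 / sigma ** 2)

def processing_gain_db(cpb=CHIPS_PER_BIT):
    return 10 * math.log10(cpb)

def run_demo(message_bits, pn_seed=PN_SEED):
    """Return (bits decoded with the shared PN sequence, bits decoded with a wrong one)."""
    rx = channel(spread(message_bits, pn_seed))
    return despread(rx, pn_seed), despread(rx, pn_seed + 1)
```

With these settings each chip sits about 9.5 dB below the noise, the 24 dB processing gain lifts the decoded bits well above it, and the wrong-sequence branch shows that an observer without the PN sequence sees energy but no data, which is exactly the detect-but-not-decode situation FvM describes later in the thread.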

With fractional-N PLLs and DDS you can create almost any popular frequency on-chip from some standard xtal reference. All of the frequency source can be on-chip, so you really would not "see" where it communicates.

I agree that the antenna would be a better indication what band a device is designed for.

It's not completely clear to me what the actual question is.

In post #1 you asked if it could be possible for an alien communication protocol to pass a GSM base station. Betwixt explained why this can't work.

The other point is that a spread spectrum transmitter can well hide among other communication services, so that it may be difficult to detect it from a certain distance, e.g. by a detector van driving down the street. But the generated signal can always be detected in the vicinity. You might be unable to decode the protocol if you don't know its pseudo-noise sequence and other modulation details, but you can see the transmitted spectrum.

So once the imagined device is set into operation, you can at least determine the occupied frequency band.
