EC312 – SX20-EW Jamming

We are devoting a good portion of this course to learning about wireless communications systems and the associated considerations, from modulation to gain to antennas and signal propagation. Why? Because “Cyber” doesn’t exist solely in a single computer or a closed network. You can have a significant impact by using Electronic Warfare as an enabler for Cyber effects. http://breakingdefense.com/2013/04/admgreenert-wireless-cyber-em-spectrum-changingnavy/
Now we’re going to put all that knowledge to the test and apply your cyber skills in a wireless environment.
Set-up.
Equipment required:
□ Your issued Laptop
□ MATLAB Code RCcode.m and getkey.m
    o This code is available at U:\Cyber2\EC312\SX20
□ LeCroy “Wave Surfer” 104MXS 1GHz Oscilloscope
□ Anritsu MS2711D Spectrum Analyzer
□ Telescoping Antennas w/ BNC connector
□ RC Vehicle
□ Signal Generator & accessories (Instructor will set up)
□ TURN OFF YOUR CELL PHONE! (The next hour of your life will be easier if your cell phone isn’t adding noise to the Electromagnetic Spectrum.)
Your instructor will divide you into 4 groups.
Two groups will work with the 27MHz cars in the back of the lab (EW27 groups A and B) and two groups will work with the 40MHz cars in the front of the lab space (EW40 groups A and B).
A groups will perform Part I and II (pages 2-5 on lab) first and then do Part III (pp. 6-10).
B groups will perform Part III (pages 6-10 on lab) first and then do Part I and II (pp. 2-5).
Then both A and B will work on Part IV (pages 11-14 on lab), and you will have a splitter, so you will work in different portions of your space.
Part I: Data Collection
Communications System. For this Security Exercise, we’ll explore the entire communications system employed
by a Radio Control (RC) vehicle… And then we’ll exploit it!
Answer the questions below to examine the RC vehicle’s communications.
[Figure: images a) and b); image b) carries the callout “Coiled wire right under here!”]
Note: These images resemble the models in your classroom enough to give you the general idea. We can’t all
have Ferraris, after all!
Question 1: Which image most closely represents the transmitter?
Question 2: Where is the receiver?
Question 3: What type of channel does this communications system involve?
Question 4: What do you expect your “information” to be in this case?
Question 5: What will happen when the “information” is recovered at the receiver?
Question 6: What type of antenna does the transmitter use?
Question 7: What would you expect the beam pattern of this antenna to look like?
Question 8: Do the transmitter or receiver give any indication of carrier frequency? If so, what is fc? (either 27.145 MHz or 40.680 MHz)
To verify the carrier frequency of the transmitted signal, use the Anritsu MS2711D Spectrum Analyzer.
□ Press “Recall Setup” (Hard Key #6)
□ Ensure “Default” is highlighted
□ Press “Enter”
□ Set “Center” to the carrier frequency determined in Question 8.
□ Set “Span” to 200 kHz
□ Transmit from RC vehicle controller (ensure power is on); signal will display on the spectrum analyzer
Question 9: What is the carrier frequency? Draw the signal in the frequency domain.
Can you see any difference when you transmit forward vs reverse or any of the other directions?
Part II: Jamming
Now that we have some basic intel, think about what could happen if your instructor were to transmit (from the signal generator) a signal at the carrier frequency… The answer: It depends!
In lecture, we learned that the effectiveness of EA/Jamming is dependent upon the Jamming to Signal Ratio (JSR).
The JSR is dependent upon both the power of the jammer and the transmitter as well as the distance of the jammer
and the transmitter from the receiver.
In this lab, our scenario looks like this:
The JSR depends on the received signal power at the car and the received jamming power at the car:
$$\mathrm{JSR} = \frac{J}{S} = \frac{P_J\,(\mathrm{W})}{P_S\,(\mathrm{W})} = P_J\,(\mathrm{dB}) - P_S\,(\mathrm{dB})$$
Generally, if the JSR is greater than 1 (or 0 dB), jamming will be effective.
□ Play time! Drive your vehicle around the classroom.
Question 10: What two conditions (with regards to frequency and received power) must exist for jamming to be effective? Get your instructor’s signature to continue.
□ Your instructor will generate a 20 dBm FM signal at the carrier frequency.
Question 11: What is your instructor’s target?
□ While your instructor is transmitting the jamming signal, experiment! Attempt to control the RC car with its transmitter at different distances from both the jammer and the RC car.
Question 12: When your instructor transmitted a jamming signal, were you still able to control the RC
car? When could you control it? When couldn’t you?
Question 13: Use the Anritsu MS2711D Spectrum Analyzer to draw the jamming signal in the frequency
spectrum. How does this change if you transmit while standing next to the Spectrum Analyzer? Move the
Spectrum analyzer away to see the effect of the transmit signal and jamming signal with distance.
Question 14: How could you increase the range of the jammer? (How is jamming range dependent on
signal power?)
Part III: Reverse Engineering
So now we know the carrier frequency and the effects of transmitting a higher signal power on that frequency, but
if we want to make a bigger impact, we need to know more about the RC car’s signal. What does the transmitted
signal look like? What type of modulation does it use? How do controls work? To accomplish this, we’re going
to look at the signal using the LeCroy “Wave Surfer” 104MXS 1GHz Oscilloscope.
Make sure you have the BNC telescoping antenna on Ch1 input.
First, some initial set-up for the O-Scope:
□ Touch yellow box on lower left corner of touch screen to configure Channel 1 with the following settings:
o Set Volts/div to 20 mV
o Set Coupling to DC50Ω
o Set “Trigger” to 25.0 mV
o Touch “Timebase” to set Time/Division to 5.00 ms/div
o Press “Close” (top right corner for Channel 1 menu)
Once you’ve set up your Channel configuration on the O-Scope, it’s time to capture the signal.
□ On “Trigger” section of O-Scope display, select “Normal”
□ Holding RC car transmitter close to the O-Scope, send the “forward” signal by driving the car forward. Ensure antenna is extended!
□ When your signal is displayed on the screen, press “Stop” on Trigger menu, while still sending the “forward” signal.
If done correctly, your O-scope display should look similar* to this:
* Captured signal may vary – that’s ok for now!
Question 15: What type of modulation does this car use?
Question 16: What pattern of 0’s and 1’s does the transmitted signal represent?
Question 17: What does the baseband binary signal look like? (Draw the square wave.)
To be able to control the RC car, we want to be able to do more than just drive it forward. How does the signal
change for reverse, left, or right?
Think about the controls – how many different signals do you expect to control the car? In addition to driving
forward, the car can operate in reverse, as well as turning left and right… and any combination thereof! There are
actually 8 different combinations of signals, but in the interest of time we’re only going to worry about four:
Forward, Reverse, Forward & Right, and Forward & Left. Here’s the catch: The chips that process the signal
and control the vehicle’s motion aren’t necessarily wired the same way in every car, so you need to identify which
operation each transmitted signal represents!
Examine each transmitted signal by repeating the process you just followed to capture the signal:
□ On “Trigger” section of O-Scope display, select “Normal”
□ Transmit desired signal.
o Forward
o Reverse
o Forward AND Right (This is different from the signal to pivot the wheels to the right only!)
o Forward AND Left (This is different from the signal to pivot the wheels to the left only!)
□ When your signal is displayed on the screen, press “Stop” on Trigger menu.
Question 18: Match the transmitted signals to the operations they represent by circling the correct
response on the waveforms that follow. The signals can be distinguished by the number of 1’s being
transmitted after the 4 large sync pulses.
Forward or Reverse or Forward-Right or Forward-Left??
( # of 1’s: 10)
Forward or Reverse or Forward-Right or Forward-Left??
( # of 1’s: 40)
Forward or Reverse or Forward-Right or Forward-Left??
( # of 1’s: 34)
Forward or Reverse or Forward-Right or Forward-Left??
( # of 1’s: 28)
Question 19: Now that you’ve identified the modulated signal that controls the car, could you
determine the baseband binary signal (square wave) for each function?
We now know the bits that are transmitted to control the forward, turning, and reverse motions of the RC car. We
also know that we can’t transmit the baseband binary signal, so we need to modulate it on a high frequency
carrier. If we can generate the bits and mix them with the high frequency carrier, do we need the “real” remote to
drive the RC car? Let’s find out!
Part IV: The Hook
In this section, you’ll use the MATLAB code provided and your laptop soundcard to generate and transmit control
signals to the RC car. You may have noticed that each transmitted signal consists of 4 wide “sync” pulses
followed by a trail of 0’s and 1’s. Since you’ve already matched the waveform to the driving direction, now all
you need to do is determine the number of 1’s in the trail following the sync pulses. For example, the image
below represents 01110111011101110101010101010101010101110 in binary (check back to HW19 if
you’re not a believer yet!). For this sequence of bits:
01110111011101110101010101010101010101110
[Figure labels: “sync pulses” marks the four wide pulses at the start; “trail (of ten 1’s)” marks the narrow pulses that follow.]
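The frame layout described above can also be checked from the receive side. The Python below is an added example, not part of the lab handout or of RCcode.m: it slices an on-off keyed capture into bits and counts the 1's that follow each block of four sync pulses. The function names, the 0.25 threshold and the constructed test capture are assumptions; the sync pattern, 22 samples per bit and 10 kHz tone are the values RCcode.m uses.

```python
import math
import random

SYNC = [1, 1, 1, 0] * 4  # four wide sync pulses, the pattern RCcode.m sends
# Bit string quoted in the lab text: idle 0, sync, trail, start of the next frame.
PAGE_BITS = [int(c) for c in "01110111011101110101010101010101010101110"]

def slice_ook(samples, sam_per_sym=22, threshold=0.25):
    """Envelope-detect OOK: average |sample| over each bit period, then threshold.
    Assumes the capture starts on a bit boundary (true for the constructed input)."""
    bits = []
    for start in range(0, len(samples) - sam_per_sym + 1, sam_per_sym):
        level = sum(abs(s) for s in samples[start:start + sam_per_sym]) / sam_per_sym
        bits.append(1 if level > threshold else 0)
    return bits

def trail_counts(bits):
    """Return the number of 1's in the trail of every complete frame in `bits`."""
    counts, i = [], 0
    while i + len(SYNC) <= len(bits):
        if bits[i:i + len(SYNC)] != SYNC:
            i += 1                      # idle time or noise: keep hunting for sync
            continue
        i += len(SYNC)
        ones = 0
        while bits[i:i + 2] == [1, 0]:  # trail is a run of narrow "1 0" pulses
            ones += 1
            i += 2
        # Trust the count only if something other than end-of-capture ended the
        # trail (next frame's wide pulse or idle 0's); otherwise it was cut short.
        if i + 2 <= len(bits):
            counts.append(ones)
    return counts

def constructed_capture(bits, sam_per_sym=22, fs=44.1e3, fif=10e3, seed=0):
    """Constructed sample input: the bits keyed onto a 10 kHz tone plus mild noise."""
    rng = random.Random(seed)
    upsampled = [b for b in bits for _ in range(sam_per_sym)]
    return [b * math.cos(2 * math.pi * fif * k / fs) + rng.uniform(-0.1, 0.1)
            for k, b in enumerate(upsampled)]

if __name__ == "__main__":
    print(trail_counts(PAGE_BITS))                       # frame from the lab text
    frame = SYNC + [1, 0] * 40
    capture = constructed_capture(frame * 2 + [0] * 8)   # two frames, then idle
    print(trail_counts(slice_ook(capture)))
    print(trail_counts(SYNC + [1, 0] * 5 + [1]))         # capture cut mid-trail
```

The decoder reports only the count; which driving operation a count stands for still has to be matched per car, as Question 18 requires.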
Question 20: Fill in the table by entering the number of 1’s trailing the sync pulses for each RC car
operation determined in Question 18. You must find the exact value!
Direction     Number of 1’s in trail
Forward       ______
Reverse       ______
Right         N/A
Left          N/A
Fwd-Right     ______
Fwd-Left      ______
Rev-Right     N/A
Rev-Left      N/A
The MATLAB code takes input from the arrow keys on your laptop and generates the baseband binary signals to
control the RC vehicle. Since we only determined the binary waveform for 4 of the 8 possible operations, we’ll
be slightly limited in the operation of our RC vehicle – we won’t be able to turn while operating in reverse. (This
is solely in the interest of time… We really don’t want you stuck here counting 1’s until Graduation! Seriously.)
□ In MATLAB, update the “Setup Major Variables” section of your RCcode.m code (shown below) with
the number of 1s in the “trail” in preparation of taking over the RC vehicle.
%%%%%%%%%%%%%%%%
% RC CAR CODE %
%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
% PRESS SPACE TO TERMINATE EXECUTION
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
% !!!!! NOTE !!!!!
% If you do something wrong and Matlab terminates unexpectedly (you get a
% lot of angry red Error messages) you will have to close out and restart
% Matlab in order to clear out the sound card buffer!!!
%
% Forward = Up Arrow
% Reverse = Down Arrow
% Forward Right = Right Arrow
% Forward Left = Left Arrow
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Clear out memory and initialize default settings
%
% DO NOT CHANGE THIS SECTION
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
clear all
close all
set(0, 'DefaultAxesFontSize', 14)
set(0, 'DefaultAxesFontWeight','Bold')
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% >>> Change This Section! <<<
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Setup major variables
%
% CHANGE THIS SECTION ONLY!!! (FOLLOW LAB INSTRUCTIONS) %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Insert Number of 1's from Question 20 table here!
forward_1s   = 01;
reverse_1s   = 01;
right_fwd_1s = 01;
left_fwd_1s  = 01;
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
sam_per_sym = 22;       % fs/Rb = 44.1e3/(1/Tb), Tb ~ 500us
fs  = 44.1e3;           % Set sampling rate to sound card rate
Rb  = fs./sam_per_sym;
fif = 10e3;             % 10.0 kHz "baseband" (IF) Frequency
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Generate the original data to manipulate the car
%
% DO NOT CHANGE THIS SECTION
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
sync      = [1 1 1 0 1 1 1 0 1 1 1 0 1 1 1 0];
forward   = [sync repmat([1 0], 1, forward_1s)];
reverse   = [sync repmat([1 0], 1, reverse_1s)];
right_fwd = [sync repmat([1 0], 1, right_fwd_1s)];
left_fwd  = [sync repmat([1 0], 1, left_fwd_1s)];
pause     = zeros(1,500);
key = 0;                % Initial Keyboard Value
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Reads inputs once per second
%
% DO NOT CHANGE THIS SECTION
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
while key ~= 32         % Press space to stop
    key = getkey(1);
    if key == 30
        data = [forward forward forward forward forward forward forward forward];
    elseif key == 31
        data = [reverse reverse reverse reverse reverse reverse reverse reverse];
    elseif key == 29
        data = [right_fwd right_fwd right_fwd right_fwd right_fwd right_fwd right_fwd right_fwd];
    elseif key == 28
        data = [left_fwd left_fwd left_fwd left_fwd left_fwd left_fwd left_fwd left_fwd];
    else
        data = [pause];
    end
    % Generate Polar NRZ
    time_stop = length(data).*sam_per_sym;
    up_data = zeros(1,time_stop);
    time = linspace(0,(1/fs).*time_stop, length(up_data));
    % Upsample
    for i = 0:length(data)-1
        up_data(sam_per_sym.*i + 1 : sam_per_sym.*i + sam_per_sym) = data(i+1);
    end
    % Generate the "baseband" (IF) waveform
    s_lo = cos(2.*pi.*fif.*time);
    s_if = s_lo.*up_data;
    soundsc(s_if,fs)
end
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
□ When your code is updated, run it by pressing
□ You will get a grey flashing screen with the heading “Press a key”.
□ Press your arrow keys to simulate driving your vehicle. (Forward right is 2 keys pressed together)
□ If you need to end program at any time to go back and edit or stop, hit the space key.
Question 21: What do you hear? What type of signal is being generated?
Question 22: What do you need to do to transmit this signal so that the car receives it? Get your
instructor’s signature to continue.
Your instructor will use the same signal generator that transmitted the jamming signal in Part II to transmit just
the carrier this time to mix with our RC code baseband signal and create an ASK/OOK signal.
The set up looks like the figure on the next page. The output from the laptop (RC code signal) is from our audio
jack. You should investigate the parts and recognize that one is a mixer that mixes the carrier with our baseband
signal and then the next is an amplifier which uses 16VDC to power it. (Remember an amplifier can’t provide
gain unless it has its own power source. The op amps that you used in EE331 lab had separate power sources.)
□ Bring your laptop to your instructor and get ready to drive!
Question 23: Do you need the car’s transmitter to control the car? What just happened?
Question 24: List some examples of how this might be significant in a military setting.
Need ideas? Check this out! http://www.engr.utexas.edu/features/humphreysspoofing
LCDR Jennie Wood and Assoc. Prof. Chris Anderson
Name:
__________________________________________________________________________________________
Question 1:
__________________________________________________________________________________________
Question 2:
__________________________________________________________________________________________
Question 3:
__________________________________________________________________________________________
Question 4:
__________________________________________________________________________________________
Question 5:
__________________________________________________________________________________________
Question 6:
__________________________________________________________________________________________
Question 7:
__________________________________________________________________________________________
Question 8:
__________________________________________________________________________________________
Question 9:
__________________________________________________________________________________________
Question 10:
__________________________________________________________________________________________
Question 11:
__________________________________________________________________________________________
Question 12:
__________________________________________________________________________________________
Question 13:
__________________________________________________________________________________________
Question 14:
__________________________________________________________________________________________
__________________________________________________________________________________________
Question 15:
__________________________________________________________________________________________
Question 16:
__________________________________________________________________________________________
Question 17:
__________________________________________________________________________________________
Question 18:
Forward or Reverse or Forward-Right or Forward-Left?
( # of 1’s: 10)
Forward or Reverse or Forward-Right or Forward-Left?
( # of 1’s: 40)
Forward or Reverse or Forward-Right or Forward-Left?
( # of 1’s: 34)
Forward or Reverse or Forward-Right or Forward-Left?
( # of 1’s: 28)
__________________________________________________________________________________________
Question 19:
__________________________________________________________________________________________
Question 20:
Direction     Number of 1’s in trail
Forward       ______
Reverse       ______
Right         N/A
Left          N/A
Fwd-Right     ______
Fwd-Left      ______
Rev-Right     N/A
Rev-Left      N/A
__________________________________________________________________________________________
Question 21:
__________________________________________________________________________________________
Question 22:
__________________________
Instructor/Lab Tech Signature
__________________________________________________________________________________________
Question 23:
__________________________________________________________________________________________
Question 24:
__________________________________________________________________________________________