This shows you the differences between two versions of the page.
Previous revision | |||
— | mission:log:2014:08:08:darc-side-of-munich-hunting-fm-broadcasts-for-bus-and-tram-display-information-on-90-mhz [2016/04/13 06:36] (current) – [Broadcast FM Primer] chrono | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== The DARC side of Munich ====== | ||
+ | [{{ : | ||
+ | When you live in Munich and use public transportation, | ||
+ | |||
+ | - How do they get powered? | ||
+ | - How do they get updated? | ||
+ | - Can we access the data as well? | ||
+ | - Is it possible to display other data? | ||
+ | |||
+ | ~~CL~~ | ||
+ | |||
+ | What follows is a journey describing how it's possible to answer these questions and learn something completely new in just a couple of days with the help of the Internet and other kindred spirits who shared and published their research and results. Read on and you will learn how the system works and get detailed answers to those questions. | ||
+ | |||
+ | |||
+ | <WRAP round info> | ||
+ | {{ : | ||
+ | **Call for Help**:\\ | ||
+ | If you see one of these Displays, please have a look at the top of the left side of the blue case, there should be a 4-digit numerical ID. Please drop | ||
+ | * the ID | ||
+ | * the name of the stop and the direction | ||
+ | in the [[https:// | ||
+ | </ | ||
+ | ===== ===== | ||
+ | |||
+ | ===== Research ===== | ||
+ | |||
+ | After a couple of fruitless runs through different search engines, to find out if anyone else might already have asked or even answered those questions, a post on the [[http:// | ||
+ | |||
+ | |||
+ | |||
+ | ^ Station | BR/B5 Aktuell | {{ : | ||
+ | ^ Frequency | 90.0 MHz |:::| | ||
+ | ^ Modulation | FM |:::| | ||
+ | ^ Output | 25kW ERP |:::| | ||
+ | ^ Polarization | Horizontal |:::| | ||
+ | ^ Location | Ismaning |:::| | ||
+ | ^ Coords | 48.25147, | ||
+ | ~~CL~~ | ||
+ | |||
+ | In another discussion on IRC, someone mentioned this [[https:// | ||
+ | datasheet]]. | ||
+ | |||
+ | The image in the datasheet is an actual picture of the displays we can find in Munich, so the probability increased even further. At least far enough to hack a crude a 3m dipole (aligned horizontally!), | ||
+ | |||
+ | ===== Verification ===== | ||
+ | |||
+ | Let's compress all the information found above into a summarized system description: | ||
+ | |||
+ | //The new infrastructure, | ||
+ | |||
+ | Thanks to codec, we have a revealing bootloop video: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | {{ : | ||
+ | ==== Broadcast FM Primer ==== | ||
+ | |||
+ | The next logical step is to have a crash course in broadcast FM technology and then just observe the band itself, to verify the existence of the DARC signal and the current theory. In simple terms, we need to build a simple software defined receiver, tuned onto a broadcast radio station on 90 MHz and feed the output into a spectrum analyzer, which will draw a nice picture for us, thereby making invisible radio frequencies observable. | ||
+ | |||
+ | ** But how does it look, what do we have to expect when we see the spectrum?** | ||
+ | |||
+ | Have a look at the following two images, which show the RF baseband spectral views in different sample sizes and different tools, both centered on 90 MHz with other broadcasting stations on 89.5 MHz and 90.6 MHz in the 2Msps view. | ||
+ | |||
+ | [{{: | ||
+ | |||
+ | [{{: | ||
+ | |||
+ | ~~CL~~ | ||
+ | \\ | ||
+ | **This looks fancy, but I don't know how to interpret it...** | ||
+ | |||
+ | The spectrum chart (left top/right bottom) shows what's going on right now, the waterfall (left bottom/ | ||
+ | |||
+ | It's also interesting to note, how the spectrum of B5 on 90.0 MHz is clearly distinguishable from the other broadcasting stations in the RF baseband. There seem to be two signals 76 kHz left and right from 90.0 MHz | ||
+ | |||
+ | **And where exactly is this DARC signal? | ||
+ | |||
+ | In order to determine the existence of the DARC signal we probably have to dig deeper (like opening another part of a matroska doll) and demodulate/ | ||
+ | |||
+ | Not really knowing the inner workings of broadcast FM won't make the job easier but the following chart seemed easy enough to understand and learn from. We basically just have to visually compare the spectrum to this chart and relate what we see at 19, 38, 57, and 76 kHz to identify each part of the multiplexed composite FM signal. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | **Mono** | ||
+ | |||
+ | The (L+R) Main channel signal is transmitted as baseband audio in the range of 30 Hz to 15 kHz. | ||
+ | |||
+ | **Stereo Pilot** | ||
+ | |||
+ | A 19 kHz pilot tone, at exactly half the 38 kHz stereo difference signal' | ||
+ | |||
+ | **Stereo Difference Signal** | ||
+ | |||
+ | The stereo difference signal (L−R) is modulated onto a 38 kHz double-sideband suppressed-carrier (DSB-SC) signal occupying the baseband range of 23 to 53 kHz. | ||
+ | |||
+ | **RDS** | ||
+ | |||
+ | The RDS sub-carrier transmits digital data at 1187.5 bps on a sub-carrier centered on 57 kHz, which is the 3rd harmonic of the 19 kHz FM stereo pilot tone, to minimize interference and intermodulation between the data signal, the stereo pilot and the 38 kHz DSB-SC stereo difference signal. The stereo difference signal extends up to 38 kHz + 15 kHz = 53 kHz, leaving 4 kHz for the lower sideband of the RDS signal. | ||
+ | |||
+ | **DARC** | ||
+ | |||
+ | <WRAP round info> | ||
+ | **DARC Primer**:\\ | ||
+ | http:// | ||
+ | \\ | ||
+ | **DARC Protocoll Specification: | ||
+ | [[http:// | ||
+ | </ | ||
+ | |||
+ | The final multiplex signal can contain a combination of the Main (Mono) Channel (L+R), the pilot tone, the stereo sub-channel (L−R), the RDS channel and the DARC channel. This composite signal then modulates the FM transmitter. | ||
+ | |||
+ | **Enough with the theory already, let's have a peek** | ||
+ | |||
+ | Now that we know what to expect, we can have a look at two different real world broadcasting stations in Munich, of course, our most probable candidate B5 Aktuell on 90.0 MHz where we suspect our DARC signal and some other reference station on 102.3 MHz, where we do not. | ||
+ | |||
+ | ==== Test-Setup ==== | ||
+ | |||
+ | In case you want to to re-verify the results or look through the bands where ever else you might live, here's a little documentation about the setup to have somewhat comparable results. | ||
+ | |||
+ | === Hardware === | ||
+ | |||
+ | **RTL SDR Sticks** | ||
+ | |||
+ | * Hama-Nano (E4K) as already described [[mission: | ||
+ | * [[http:// | ||
+ | |||
+ | **Antenna** | ||
+ | |||
+ | A DIY 3m dipole designed for 90.0 MHz (horizontal polarization) hacked out of 75 ohms TV coax and two 83cm legs of silver speaker wire, one connected to coax center and the other to the shield. The speaker cables are taped to a beam (wood), the coax leaves in the center, giving a T shaped configuration. Another set of extremely [[http:// | ||
+ | |||
+ | === Software === | ||
+ | |||
+ | All software used here is free and open-source, | ||
+ | |||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | |||
+ | <WRAP round tip> | ||
+ | When GNU Radio produces **choppy audio** with pulseaudio and logs a lot of **aUaUaUaU**' | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | <sxh text; toolbar: | ||
+ | [audio_alsa] | ||
+ | nperiods = 16 | ||
+ | period_time = 0.100 | ||
+ | </ | ||
+ | |||
+ | **Flowgraph of a quick hack in GRC to verify the DARC channel** | ||
+ | |||
+ | {{: | ||
+ | |||
+ | <WRAP round download> | ||
+ | **Download DARC-Hunter.grc File:**\\ | ||
+ | [[https:// | ||
+ | </ | ||
+ | ==== Negative reference stereo FM station ==== | ||
+ | |||
+ | This is the spectrum of our selected negative reference stereo FM broadcasting station on 102.3 MHz where we expect to find a full analog stereo WBFM set from 0-53 kHz and a digital RDS carrier centered at 57 kHz but nothing on the 4th harmonic at 76 kHz where DARC is supposed to be: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ^ kHz ^ H ^ Expected ^ Observed ^ Conclusion ^ | ||
+ | | 0-15 | - | Mono signal (L+R) | Mono signal (L+R) | | ||
+ | | **19** | ||
+ | | 23-37 | - | Stereo signal (L-R) -15kHz | Stereo signal (L-R) -15kHz | | ||
+ | | **38** | ||
+ | | 39-53 | - | Stereo signal (L-R) +15kHz | Stereo signal (L-R) +15kHz | | ||
+ | | **57** | ||
+ | | **76** | ||
+ | |||
+ | No surprise here. The spectrum lines up precisely according to our reference negative schema and shows exactly what we expected from a modern stereo FM broadcast station without a DARC signal. | ||
+ | ==== DARC signal candidate==== | ||
+ | |||
+ | This is the spectrum of our DARC signal candidate stereo FM broadcasting station on 90.0 MHz where we expect to find a full analog stereo WBFM set from 0-53 kHz, a digital RDS carrier centered at 57 kHz and the DARC signal on the 4th harmonic at 76 kHz: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ^ kHz ^ H ^ Expected ^ Observed ^ Conclusion ^ | ||
+ | | 0-15 | - | Mono signal (L+R) | Mono signal (L+R) | | | ||
+ | | **19** | ||
+ | | 23-37 | - | Stereo sideband (L-R) | Missing stereo sideband (L-R) | Mono signal | | ||
+ | | **38** | ||
+ | | 39-53 | - | Stereo sideband (L-R) | Missing stereo sideband (L-R) | Mono signal | | ||
+ | | **57** | ||
+ | | **76** | ||
+ | |||
+ | The big surprise here is that B5 seems to be a mono signal, all stereo components are missing in the multiplex mix. However, on the 4th we can clearly see a digital signal that matches the characteristics we would expect from a DARC signal. LMSK modulation would need a pilot tone for synchronization but as this is a mono signal there is no pilot tone. According to ETSI EN 300 751 DARC will just simply be MSK modulated. Let's see how it looks when we get even closer: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | |||
+ | === Decoding === | ||
+ | |||
+ | At this point, it's reasonable to say, that we could verify the existence of the DARC signal, now we just have to decode the LMSK in order to get the infos. Windytan' | ||
+ | |||
+ | http:// | ||
+ | http:// | ||
+ | https:// | ||
+ | |||
+ | A quick preliminary test with darcdec was rather unstable (it will mess up your machine, yo! :)) and didn't yield any usable results yet, but we're obviously on the right track, considering the decoded network name: | ||
+ | |||
+ | < | ||
+ | BIC2 info:10b0 3040 9700 a704 8f20 af00 9f40 bf80 8401 e080 1c80 crc:212c (synd=302a) | ||
+ | parity: | ||
+ | SI/LCh: 0x8 Service Channel (SeCH) | ||
+ | Dup: 0 | ||
+ | CID: d | ||
+ | Type: 0 Channel Organization Table (COT) | ||
+ | Network ID: 12 | ||
+ | Block #0 | ||
+ | |||
+ | ???? | ||
+ | |||
+ | BIC2 info:1cb6 3804 116c 8531 5c04 117c 8411 3c04 317c a410 0000 crc:1df5 (synd=14b9) | ||
+ | parity: | ||
+ | SI/LCh: 0x8 Service Channel (SeCH) | ||
+ | Last Fragment | ||
+ | Dup: 0 | ||
+ | CID: d | ||
+ | Type: 6 Synchronous Channel Organization Table (SCOT) | ||
+ | Network ID: 12 | ||
+ | Block #1 | ||
+ | Service Message (errs 11) [[ | ||
+ | ECC: 02 | ||
+ | TSEID: 74 | ||
+ | Message Length: 256 bytes | ||
+ | Channel Organization Table (COT) | ||
+ | ServID | ||
+ | e508 [ ] [ ] | ||
+ | f101 [ ] [ ] | ||
+ | f500 [ ] [ ] | ||
+ | f900 [X] [ ] | ||
+ | 0108 [ ] [X] | ||
+ | 8001 [X] [X] | ||
+ | 3800 [ ] [X] | ||
+ | 2022 [ ] [ ] | ||
+ | 3628 [ ] [X] | ||
+ | 8c0e [X] [ ] | ||
+ | 880f [X] [ ] | ||
+ | 880f [ ] [ ] | ||
+ | 2023 [ ] [ ] | ||
+ | 3e09 [ ] [X] | ||
+ | 0800 [ ] [ ] | ||
+ | ]] | ||
+ | |||
+ | BIC2 info:14aa 3007 4050 8306 a242 ecf1 30b6 6ee2 0020 0000 4000 crc:22ef (synd=3b60) | ||
+ | parity: | ||
+ | SI/LCh: 0x8 Service Channel (SeCH) | ||
+ | Last Fragment | ||
+ | Dup: 0 | ||
+ | CID: 5 | ||
+ | Type: 5 Time and Date Table (TDT) | ||
+ | Network ID: 12 | ||
+ | Block #0 | ||
+ | Service Message (errs 1) [[ | ||
+ | ECC: e0 | ||
+ | TSEID: 01 | ||
+ | Message Length: 10 bytes | ||
+ | Time and Date Table (TDT) | ||
+ | Time: 2014-08-23 16:22:01 | ||
+ | Network name: " | ||
+ | ]] | ||
+ | |||
+ | ???? | ||
+ | </ | ||
+ | |||
+ | So we either have to hack around in darcdec and find out why it's not putting out anything or we build something like a gr-darcdec module which can be used as a functional block in gnuradio (preferable). | ||
+ | |||
+ | === Downloads === | ||
+ | |||
+ | Since this particular signal can only be received in Munich, here are some dump files to download, for smart, creative or bored minds anywhere else, who may enjoy the challenge to go after it too. If you need more or other tools/ | ||
+ | |||
+ | ^ Tool | osmocom_fft | | ||
+ | ^ Parameters | 960k 90M Full RF Baseband | | ||
+ | ^ Size | 936 MB | | ||
+ | ^ md5Sum | f64774af1915dda736a5f97e12831fa7 | | ||
+ | ^ File | **[[https:// | ||
+ | |||
+ | ^ Tool | GRC (DARC-Hunter-MK5) | GRC (DARC-Hunter-MK5) | | ||
+ | ^ Parameters | 960k 90M Full RF Baseband | 192k 90M Demodulated FM | | ||
+ | ^ Size | 820 MB | 661 MB | | ||
+ | ^ md5Sum | 5e65cb085e24624d1a63f096fc8f202b | 6f6e525fb843b5594efa8743fd46b2c6 | | ||
+ | ^ File | **[[https:// | ||
+ | |||
+ | **L/MSK Links:** | ||
+ | |||
+ | [[https:// | ||
+ | [[http:// | ||
+ | [[http:// | ||
+ | [[http:// | ||
+ | |||
+ | [[http:// | ||
+ | [[http:// | ||
+ | |||
+ | ===== Updates ===== | ||
+ | |||
+ | * [[https:// | ||
+ | * [[mission: | ||
+ | |||
+ | {{tag> | ||
+ | |||
+ | {{keywords> | ||
+ | |||
+ | ~~DISCUSSION~~ |