~~SS~~

Hot Projects

DIY Food Hacking

Open Solar Power

picoReflow

DIY Reflow Soldering

PiGI

RasPi Geiger Counter

Wideband Antenna

Map everything!

Mission-Tags

~~TAGCLOUD:50~~

This is an old revision of the document!

The DARC side of Munich

[] When you live in Munich and use public transportation, especially Buses and Trams, you will have noticed that during the last couple of month a lot of new displays appeared at almost any station which had no real-time info display before. They obviously have no cables/connections and no visible antennas, so I kept wondering:

1. How do they get powered?
2. How do they get updated?
3. Can we access the data as well?
4. Is it possible to display other data?

What follows is a journey describing how it's possible to answer these questions and learn something completely new in just a couple of days with the help of the Internet and other kindred spirits who shared and published their research and results. Read on and you will learn how the system works and get detailed answers to those questions.

Call for Help:
If you see one of these Displays, please have a look at the top of the left side of the blue case, there should be a 4-digit numerical ID. Please drop

• the ID
• the name of the stop and the direction

in the PAD, a comment or on IRC.

Research

After a couple of fruitless runs through different search engines, to find out if anyone else might already have asked or even answered those questions, a post on the mikrocontroller.net board popped up. Not much in there, but enough to justify putting time into looking deeper into the FM Band and adjusting search keywords accordingly, which finally led to this german blog entry. Additionally there was also this radio board post which increased the level of perceived probability that there might be a signal on 90 MHz (B5 Aktuell) transmitted from Ismaning.

 Station BR/B5 Aktuell 90.0 MHz FM 25kW ERP Horizontal Ismaning 48.25147,11.75053

In another discussion on IRC, someone mentioned this talk @ 30c3 about FM and RDS. Supplied with the gained knowledge about the DARC system for buses and trams deployed in Helsinki another search turned up this MVG press release and at long last this datasheet.

The image in the datasheet is an actual picture of the displays we can find in Munich, so the probability increased even further. At least far enough to hack a crude a 3m dipole (aligned horizontally!), pick up an RTL-SDR/E4K stick and hack a receiver in GNU Radio to try to verify that the signal actually exists.

Verification

Let's compress all the information found above into a summarized system description:

The new infrastructure, tested by the MVG since 2011 and deployed since 2013, seems to be the Axentia iBus FM/DARC public transport information system. The units are battery powered (with a supposed 3 year cycle) and receive near real-time updates via Data Radio Channel (DARC), embedded into the signal of FM broadcast news radio station B5 Aktuell, transmitted from Ismaning. DARC is a digital 16 kbps LMSK component, centered on 76 kHz (4th harmonic of the 19 kHz stereo pilot tone), of the WBFM (Wide-Band Frequency Modulation) composite signal found on 90.0 MHz.

Thanks to codec, we have a revealing bootloop video:

The next logical step is to have a crash course in broadcast FM technology and then just observe the band itself, to verify the existence of the DARC signal and the current theory. In simple terms, we need to build a simple software defined receiver, tuned onto a broadcast radio station on 90 MHz and feed the output into a spectrum analyzer, which will draw a nice picture for us, thereby making invisible radio frequencies observable.

But how does it look, what do we have to expect when we see the spectrum?

Have a look at the following two images, which show the RF baseband spectral views in different sample sizes and different tools, both centered on 90 MHz with other broadcasting stations on 89.5 MHz and 90.6 MHz in the 2Msps view.

[] []

This looks fancy, but I don't know how to interpret it…

The spectrum chart shows what's going on right now, the waterfall gives you the same information, but as a sequence of spectrum chart slices stacked together over a period of time and observed from the top, which is an invaluable tool to actually watch and observe frequency ranges and modulations.

It's also interesting to note, how the spectrum of B5 on 90.0 MHz is clearly distinguishable from the other broadcasting stations in the RF baseband. There seem to be two signals 76 kHz left and right from 90.0 MHz

And where exactly is this DARC signal?

In order to determine the existence of the DARC signal we probably have to dig deeper (like opening another part of a matroska doll) and demodulate/decimate this WBFM signal down to 96 kHz and look at the spectrum again, especially around 76 kHz.

Not really knowing the inner workings of broadcast FM won't make the job easier but the following chart seemed easy enough to understand and learn from. We basically just have to visually compare the spectrum to this chart and relate what we see at 19, 38, 57, and 76 kHz to identify each part of the multiplexed composite FM signal.

Mono

The (L+R) Main channel signal is transmitted as baseband audio in the range of 30 Hz to 15 kHz.

Stereo Pilot

A 19 kHz pilot tone, at exactly half the 38 kHz stereo difference signal's sub-carrier frequency and with a precise phase relationship to it. This is transmitted at 8–10% of overall modulation level and used by the receiver to regenerate the 38 kHz stereo difference sub-carrier with the correct phase.

Stereo Difference Signal

The stereo difference signal (L−R) is modulated onto a 38 kHz double-sideband suppressed-carrier (DSB-SC) signal occupying the baseband range of 23 to 53 kHz. A 19 kHz pilot tone, at exactly half the 38 kHz sub-carrier frequency and with a precise phase relationship to it, is also generated. This is transmitted at 8–10% of overall modulation level and used by the receiver to regenerate the 38 kHz sub-carrier with the correct phase.

RDS

The RDS sub-carrier transmits digital data at 1187.5 bps on a sub-carrier centered on 57 kHz, which is the 3rd harmonic of the 19 kHz FM stereo pilot tone, to minimize interference and intermodulation between the data signal, the stereo pilot and the 38 kHz DSB-SC stereo difference signal. The stereo difference signal extends up to 38 kHz + 15 kHz = 53 kHz, leaving 4 kHz for the lower sideband of the RDS signal.

DARC

The final multiplex signal can contain a combination of the Main (Mono) Channel (L+R), the pilot tone, the stereo sub-channel (L−R), the RDS channel and the DARC channel. This composite signal then modulates the FM transmitter.

Enough with the theory already, let's have a peek

Now that we know what to expect, we can have a look at two different real world broadcasting stations in Munich, of course, our most probable candidate B5 Aktuell on 90.0 MHz where we suspect our DARC signal and some other reference station on 102.3 MHz, where we do not.

Test-Setup

In case you want to to re-verify the results or look through the bands where ever else you might live, here's a little documentation about the setup to have somewhat comparable results.

Hardware

RTL SDR Sticks

• Hama-Nano (E4K) as already described here

Antenna

A DIY 3m dipole designed for 90.0 MHz (horizontal polarization) hacked out of 75 ohms TV coax and two 83cm legs of silver speaker wire, one connected to coax center and the other to the shield. The speaker cables are taped to a beam (wood), the coax leaves in the center, giving a T shaped configuration. Another set of extremely cheap industry produced FM antennas have been ordered and will be compared to it later.

Software

All software used here is free and open-source, of course:

When GNU Radio produces choppy audio with pulseaudio and logs a lot of aUaUaUaU's in the console, you can try the following fix, it helped here:

\$ vi ~/.gnuradio/config.conf

[audio_alsa]
nperiods = 16
period_time = 0.100


Flowgraph of a quick hack in GRC to verify the DARC channel

coming after cleanup

Negative reference stereo FM station

This is the spectrum of our selected negative reference stereo FM broadcasting station on 102.3 MHz where we expect to find a full analog stereo WBFM set from 0-53 kHz and a digital RDS carrier centered at 57 kHz but nothing on the 4th harmonic at 76 kHz where DARC is supposed to be:

kHz H Expected Observed Conclusion
0-15 - Mono signal (L+R) Mono signal (L+R)
19 1st Stereo pilot tone Stereo pilot tone
23-37 - Stereo signal (L-R) -15kHz Stereo signal (L-R) -15kHz
38 2nd Stereo center (2nd harmonic) Stereo center (2nd harmonic)
39-53 - Stereo signal (L-R) +15kHz Stereo signal (L-R) +15kHz
57 3rd RDS Center (3rd harmonic) RDS Center (3rd harmonic)
76 4th Nothing on 4th harmonic Nothing on 4th harmonic No DARC signal

No surprise here. The spectrum lines up precisely according to our reference negative schema and shows exactly what we expected from a modern stereo FM broadcast station without a DARC signal.

DARC signal candidate

This is the spectrum of our DARC signal candidate stereo FM broadcasting station on 90.0 MHz where we expect to find a full analog stereo WBFM set from 0-53 kHz, a digital RDS carrier centered at 57 kHz and the DARC signal on the 4th harmonic at 76 kHz:

kHz H Expected Observed Conclusion
0-15 - Mono signal (L+R) Mono signal (L+R)
19 1st Stereo pilot tone Nothing on 1st harmonic Mono signal
23-37 - Stereo sideband (L-R) Missing stereo sideband (L-R) Mono signal
38 2nd Stereo center Nothing on 2nd harmonic Mono signal
39-53 - Stereo sideband (L-R) Missing stereo sideband (L-R) Mono signal
57 3rd RDS Center RDS Center
76 4th DARC Center Digital Signal DARC signal candidate

The big surprise here is that B5 seems to be a mono signal, all stereo components are missing in the multiplex mix. However, on the 4th we can clearly see a digital signal that matches the characteristics we would expect from a DARC signal. Let's see how it looks when we get even closer:

Decoding

At this point, it's reasonable to say, that we could verify the existence of the DARC signal, now we just have to decode the LMSK in order to get the infos. Windytan's crazy hack was to actually use sox and a couple of pipes to form the base of an FSK decoder in order to, albeit non-coherently, decode the LMSK of DARC. Now, when I observe something like this, it tell's me, that she really knows what she is doing. If you are able deeply abstract and really understand a concept, you can start to simplify and apply other means to it as well. That is the difference between learning to repeat “facts” or learning to gain deeper understanding.

A quick preliminary test with darcdec was rather unstable (it will mess up your machine, yo! :)) and didn't yield any usable results yet, but we're obviously on the right track, considering the decoded network name:

BIC2 info:10b0 3040 9700 a704 8f20 af00 9f40 bf80 8401 e080 1c80  crc:212c (synd=302a)
parity:01ab202b801d2a0a2753f0 (synd=28481ff07a891dd2cef55)  uncorrectable
SI/LCh: 0x8 Service Channel (SeCH)
Dup: 0
CID: d
Type: 0 Channel Organization Table (COT)
Network ID: 12
Block #0

????

BIC2 info:1cb6 3804 116c 8531 5c04 117c 8411 3c04 317c a410 0000  crc:1df5 (synd=14b9)
parity:0384f0b87ae8413110b6f8 (synd=12d73a3f61b8bcd9413a1)  uncorrectable
SI/LCh: 0x8 Service Channel (SeCH)
Last Fragment
Dup: 0
CID: d
Type: 6 Synchronous Channel Organization Table (SCOT)
Network ID: 12
Block #1
Service Message (errs 11) [[
ECC: 02
TSEID: 74
Message Length: 256 bytes
Channel Organization Table (COT)
ServID  Scrambl  Avail
e508      [ ]     [ ]
f101      [ ]     [ ]
f500      [ ]     [ ]
f900      [X]     [ ]
0108      [ ]     [X]
8001      [X]     [X]
3800      [ ]     [X]
2022      [ ]     [ ]
3628      [ ]     [X]
8c0e      [X]     [ ]
880f      [X]     [ ]
880f      [ ]     [ ]
2023      [ ]     [ ]
3e09      [ ]     [X]
0800      [ ]     [ ]
]]

BIC2 info:14aa 3007 4050 8306 a242 ecf1 30b6 6ee2 0020 0000 4000  crc:22ef (synd=3b60)
parity:018d89d2d944f1b5bd2f30 (synd=0585b36cdf39bc91e4a9a)  uncorrectable
SI/LCh: 0x8 Service Channel (SeCH)
Last Fragment
Dup: 0
CID: 5
Type: 5 Time and Date Table (TDT)
Network ID: 12
Block #0
Service Message (errs 1) [[
ECC: e0
TSEID: 01
Message Length: 10 bytes
Time and Date Table (TDT)
Time: 2014-08-23 16:22:01
Network name: "mvG"
]]

???? 

So we either have to hack around in darcdec and find out why it's not putting out anything or we build something like a gr-darcdec module which can be used as a functional block in gnuradio (preferable).

Since this particular signal can only be received in Munich, here are some dump files to download, for smart, creative or bored minds anywhere else, who may enjoy the challenge to go after it too. If you need more or other tools/parameters, just drop a note.

 Tool Parameters GRC (DARC-Hunter-MK5) GRC (DARC-Hunter-MK5) 960k 90M Full RF Baseband 192k 90M Demodulated FM 820 MB 661 MB 5e65cb085e24624d1a63f096fc8f202b 6f6e525fb843b5594efa8743fd46b2c6 Download Download

Discussion

, 2016/02/01 09:18

Hello Chrono, have you be able to use the DARC GNU Radio block implementation by chris in a GNU project ? Do you have an example project, where I can see, how these blocks can be used ?

Klaus

, 2016/02/04 09:31

Sorry, as of now, there are no ready-to-use downloadable examples yet :( I guess I'll have to create some or write a new mission-log about how to use the DARC stack, so that it's easier for others to work with.

, 2017/09/25 15:18

Hi, are you aware of Oona's look at this same iBus system in 2013? http://www.windytan.com/2013/11/decoding-radio-controlled-bus-stop.html

, 2017/09/25 15:21

uhm, have you actually read the post? :)

, 2017/09/25 22:43

I did! Just not well enough, whoops! I was even scanning for reference to it just stopped short of a CTRL+F. Anyway this whole process has been helpful as I notice the github repo also!

, 2019/06/07 07:57

Hello Chrono,

Do you know what DARC FM decoders and encoders are used for this (chips/modules)? For the end devices and for transmition encoders?

BR, Ilya.

, 2019/06/07 08:57

Hi Ilya, Rohm(Sanyo)produces the decoders https://www.onsemi.com/PowerSolutions/search.do?searchType=others&query=DARC however you won't be able to get those anyway, because you need a licence agreement with the broadcast company…. As long as you can receive/sent the FM MPX signal you can use a SDR receiver/transmitter setup to play with VICS/DARC…..

Klaus

, 2019/06/07 10:11

Hello Klaus,

Thanks for information. On the decoder side I got the point. But what about encoders? Are there any companies which make them? I have googled only Meguro encoders but they are restricted for Japan VICS data.

And what do you mean by license agreement with broadcast company? Should I go to any FM radio station and sign agreement with them and then go to Sanyo?

Currently I just want to evaluate the technology. But it seems that it would be quite difficult without encoder or/and FM radio station which transmit the DARC signal.

BR, Ilya.

, 2019/06/07 11:40

Hi Ilya, Theoretically you could use all RDS transmitter ICs, which are capable of creating a 76KHz subcarrier - of course you need to generate the needed MSK-modulation somewhere somehow. So it's much easier to use a Software Defined Radio Tranceiver application. You can use the GNU radio on the USRP from “Ettus researh” or equivalent hardware. Also check out the Pothos/Labview SW platform. There is plenty of material out in the net to play around. Depending on how deep you want to dive and to learn you can spend more or less money, but anyway it's possible to do some fancy things with a few Euro.

DARC/VICS is only “professionally” broadcasted by NHK in Japan to distribute Traffic Information - so this is an automotive business “use-case”. If you would want to sell car radios which are able to receive DARC/VICS meassages, then you would need to pay them (NHK) a license fee for every car radio with a DARC/VICS decoder.

So I used a Red Pitaya to generate ,play & receive the above SDR recordings with the Pothos SW platform.

Klaus

PS: Axentia produces a professional DARC encoder called TSE760.

, 2019/06/07 11:59

Thank you Klaus. There is much information to work with :)

I shall try to get through possible solutions. But I consider that might take a while.

Anyway thanks for the directions.

BR, Ilya.

Enter your comment. Wiki syntax is allowed:
   ____   ____   ____  ____    ___
/  _/  / __/  / __/ / __ \  / _ )
_/ /   _\ \   / _/  / /_/ / / _  |
/___/  /___/  /_/    \____/ /____/