Feed aggregator

OFDM

Wiki - Sun, 29/01/2012 - 14:58

Balint:

== OFDM Mod GRC block ==

''packet_mod_X(ofdm_mod('''<options>'''))'' - argument is 'packet_source'

''packet_mod'':
grc/grc_gnuradio/blks2/packet.py
''packet_utils'':
<core>/python/gnuradio/packet_utils.py

=== packet_mod_X ===

* Default payload: 512 bytes (if supplied length is default 0, must be multiple of input stream size)
* Input signature: X
* Output signature: inherited from 'packet_source' stream #0 (complex for ofdm)

Starts packet encoder thread that packages incoming data into payload size and submits to 'packet_source' via 'send_pkt' call.

''packet_utils.make_packet'': preamble, access code, length of payload and CRC, (optionally whitened) payload with CRC-32, end byte.
* 'preamble' is fixed.
* 'access code' can be left as default (customisable preamble)

''ofdm_mod'':
<core>/python/gnuradio/blks2impl/ofdm.py

_pkt_input (ofdm_mapper_bcv) -> preambles (ofdm_insert_preamble) -> ifft (fft_vcc) -> cp_adder (ofdm_cyclic_prefixer) -> scale (multiply_const_cc)

Padded preamble generation (for correlation in time domain):

* zeros_on_left = ceil((FFT length - occupied tones) / 2.0)
* ksfreq = take 'occupied symbols' length from known_symbols_4512_3 (randomly generated fixed list of 1/-1, 4512 items long (=4000+512 ?))
* Each item (offset by zeros_on_left) that has an odd index is zeroed.
* Padded preamble is FFT length, with zeros_on_left, then ksfreq hardcoded symbols, then remaining zeros on right.
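
The four steps above as an added Python sketch (not GNU Radio's own code). The function names, the FFT length of 64 with 48 occupied tones, and the random ±1 list standing in for known_symbols_4512_3 are assumptions for illustration, as is treating the middle bin as DC. It also shows why the odd bins are zeroed: with only even bins populated, the two halves of the time-domain symbol are identical, which is what a time-domain correlator looks for.

```python
import cmath
import math
import random


def padded_preamble(fft_length, occupied_tones, known_symbols):
    """Build the FFT-length preamble vector following the steps listed above."""
    if not 0 < occupied_tones <= fft_length:
        raise ValueError("occupied tones must fit inside the FFT length")
    if len(known_symbols) < occupied_tones:
        raise ValueError("not enough known symbols")
    zeros_on_left = int(math.ceil((fft_length - occupied_tones) / 2.0))
    ksfreq = list(known_symbols[:occupied_tones])
    for i in range(occupied_tones):
        if (zeros_on_left + i) & 1:          # odd index once offset -> zeroed
            ksfreq[i] = 0
    padded = [0] * fft_length                # zeros left, symbols, zeros right
    padded[zeros_on_left:zeros_on_left + occupied_tones] = ksfreq
    return padded


def to_time_domain(padded):
    """Naive inverse DFT; bin fft_length/2 is taken as 0 Hz (assumption)."""
    n = len(padded)
    return [sum(x * cmath.exp(2j * cmath.pi * (k - n // 2) * t / n)
                for k, x in enumerate(padded)) / n
            for t in range(n)]


def half_symbol_correlation(samples):
    """Normalised correlation between the first and second half of a symbol."""
    half = len(samples) // 2
    first, second = samples[:half], samples[half:2 * half]
    num = abs(sum(a.conjugate() * b for a, b in zip(first, second)))
    den = math.sqrt(sum(abs(a) ** 2 for a in first) *
                    sum(abs(b) ** 2 for b in second))
    return num / den if den else 0.0


if __name__ == "__main__":
    rng = random.Random(1)
    # Constructed stand-in for the fixed list known_symbols_4512_3.
    symbols = [rng.choice((1, -1)) for _ in range(4512)]
    preamble = padded_preamble(64, 48, symbols)
    print("non-zero bins:", sum(1 for v in preamble if v))
    print("half-symbol correlation:",
          half_symbol_correlation(to_time_domain(preamble)))
```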

''ofdm_mapper_bcv'': constellation based on modulation, message queue limit (default: 2), occupied tones, FFT length

''ofdm_insert_preamble'' (insert 'pre-modulated' preamble symbols before each payload): FFT length, padded preambles

''ofdm_cyclic_prefixer'' (prefix output with CP length from end of input symbols): FFT length, symbol length (= FFT length + cyclic prefix length)

''multiply_const_cc'': 1.0 / sqrt(FFT length)
Categories: Wiki

Amateur Radio Experimentation

Gallery - Tue, 24/01/2012 - 11:21
Categories: Gallery

The Bors' Radio Christmas Holiday

Gallery - Mon, 23/01/2012 - 23:13
Categories: Gallery

First visit to FGARC

Gallery - Mon, 23/01/2012 - 23:03
Categories: Gallery

BorAir (Piper Sport)

Gallery - Mon, 23/01/2012 - 22:57
Categories: Gallery

JORN

Wiki - Mon, 23/01/2012 - 21:44

Balint: /* 4.59 MHz */

== General ==

* '''J'''indalee '''O'''perational '''R'''adar '''N'''etwork
** Emphasis on the ''Operational'', as OTH-B is [http://www.zmne.hu/tanszekek/ehc/konferencia/may/kovacsildiko.htm not an easy problem (a good summary)].

== On RFMap ==

The sites on the JORN [http://en.wikipedia.org/wiki/Jindalee_Operational_Radar_Network Wikipedia entry] can be found on RFMap.

* The four JORN transmitter and receiver sites are:

# [http://maps.spench.net/rf/#pos=-23.6571027,144.1476227&zoom=16&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=21325 the Queensland transmitter at Longreach, Queensland, with 90 degree coverage (Queensland Jindalee Tx Site, via, LONGREACH)]
# [http://maps.spench.net/rf/#pos=-24.2905914,143.1982303&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=21495 the Queensland receiver at Stonehenge, Queensland, with 90 degree coverage (Queensland Jindalee RX Site, STONEHENGE)]
# [http://maps.spench.net/rf/#pos=-28.3132529,122.8533294&zoom=14&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=42579 the Western Australian transmitter at Leonora, Western Australia, with 180 degree coverage (Jindalee Project WA Transmit Site, LAVERTON)]
# [http://maps.spench.net/rf/#pos=-28.3266382,122.0078484&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=66963 the Western Australian receiver at Laverton, Western Australia, with 180 degree coverage (Jindalee Project WA Receive Site, LAVERTON)]

* The research and development transmitter and receiver sites are:

# [http://maps.spench.net/rf/#pos=-22.9713952,134.4499033&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=5793 the Alice Springs transmitter at Harts Range, Northern Territory, with 90 degree coverage (Telstra/Defence Site, HARTS RANGE)]
# [http://maps.spench.net/rf/#pos=-23.5211938,133.6755609&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=86427 the Alice Springs receiver at Mount Everard, Northern Territory, with 90 degree coverage (Defence Site, Off Tanami Road, MT EVERARD)] (previous test site just SE of main site, also has high-bandwidth microwave links to Telstra Radio Terminal to the NE)

* The ionosondes are:

# [http://maps.spench.net/rf/#pos=-28.3044358,122.8367731&zoom=13&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=42579&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Jindalee Project WA Transmit Site, LAVERTON (LAV)]
# [http://maps.spench.net/rf/#pos=-27.9423639,114.6854833&zoom=18&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=50345&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Defence Site, Ajana R/T, AJANA (AJA)]
# [http://maps.spench.net/rf/#pos=-24.898748,113.7098139&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=52851&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Defence Installation, CARNARVON (CAR)]
# [http://maps.spench.net/rf/#pos=-22.2212639,114.090275&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=43855&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Ionosonde Site, Learmonth Solar Observatory, Minilya-Exmouth Road, LEARMONTH (LEA)] 11.3 MHz, 30K0WXN (modulated by amplitude, angle, pulse), Ionospheric Prediction Service
# [http://maps.spench.net/rf/#pos=-20.4069798,118.5785338&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=31696&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Defence Installation South Hedland, PORT HEDLAND (SHD)]
# [http://maps.spench.net/rf/#pos=-17.6080427,123.823205&zoom=13&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=66600&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Curtin RAAF via, DERBY (CUR)]
# [http://maps.spench.net/rf/#pos=-17.4419337,130.8298322&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=24074&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Telstra Radio Terminal, KALKARINGI (KAL)]
# [http://maps.spench.net/rf/#pos=-13.8507623,136.4264487&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=54285&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Defence Installation, GROOTE EYLANDT (GRO)]
# [http://maps.spench.net/rf/#pos=-12.6559777,142.0877907&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=55451&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Scherger RAAF Installation, WEIPA (SCH)]
# [http://maps.spench.net/rf/#pos=-18.0231997,144.8716618&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=57024&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Defence, Lynd River Site, LYND RIVER (LYN)]
# [http://maps.spench.net/rf/#pos=-23.6573807,144.1477737&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=21325&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Queensland Jindalee Tx Site, via, LONGREACH (LON)]
# [http://maps.spench.net/rf/#pos=-34.7322764,138.6440427&zoom=16&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=25952&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Corner of Operations Road & Land Ave DSTO, SALISBURY (Coordination centre)] (a few other DoD HF sites in the vicinity)

* Common ionosonde frequencies (MHz): 10.5, 11.3, 21.5

[http://maps.spench.net/rf/#pos=-28.839778,133.702416&zoom=5&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&filter=%5B{%22site_desc%22%3A%22Ionospheric%22}%2C{%22client_name%22%3A%22Ionospheric%22}%5D&q=Ionospheric Overview of sites with assignments belonging to Ionospheric Prediction Service]

* DSTO ionosondes:

# [http://maps.spench.net/rf/#pos=-15.488474,128.1353243&zoom=13&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Wyndham, WA] (no HF matches)
# [http://maps.spench.net/rf/#pos=-17.3160831,123.6505706&zoom=14&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=66547&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Defence Site, DERBY]
# [http://maps.spench.net/rf/#pos=-12.4419079,130.9596515&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=28451&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz 11 Mile IPS Site, BERRIMAH]
# [http://maps.spench.net/rf/#pos=-17.5506806,133.539682&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz Elliott near Newcastle Waters, NT] (no HF matches)
# [http://maps.spench.net/rf/#pos=-23.7964146,133.7347873&zoom=16&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=5994 Joint Space Defence Research Facility, ALICE SPRINGS] (otherwise known as Pine Gap)

* Transponders (many on 20.125 MHz, 10 W, 100KFXN):

# [http://maps.spench.net/rf/#pos=-17.6957147,141.0750269&zoom=16&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=39330 Defence Installation, NORMANTON]
# [http://maps.spench.net/rf/#pos=-12.164382,136.7764342&zoom=13&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=54255 Defence Installation, NHULUNBUY]
# [http://maps.spench.net/rf/#pos=-14.2912545,126.6452112&zoom=16&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=44767 Kalumburu, NT] (no HF matches)
# [http://maps.spench.net/rf/#pos=-17.8983354,122.2590636&zoom=11&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=49931 Defence Installation, BROOME]
# [http://maps.spench.net/rf/#pos=-10.4406252,105.675143&zoom=12&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=68332 Defence Installation, CHRISTMAS ISLAND]
# [http://maps.spench.net/rf/#pos=-10.5909833,142.2914219&zoom=10&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=55610 Defence Installation, HORN ISLAND]
# [http://maps.spench.net/rf/#pos=-12.4419079,130.9596515&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=16&site=28451&filter=%5B%7B%22freq%22%3A25000000%2C%22freq_range%22%3A25000000%7D%5D&q=0-50mhz 11 Mile IPS Site, BERRIMAH]

== Clients ==

* DoD

* '''RLM Systems''' has been acquired by Lockheed Martin.
** Have two assignments at most TX/RX sites in the ~480 MHz range (no link specified).

== Assignments ==

Common emission designators:

* 100HN0N - Unmodulated carrier, no modulating signal, no information transmitted
* 100KFXN - Frequency modulation
* 30K0P0N - Unmodulated sequence of pulses
* 40K0P0N

=== 4.59 MHz ===

* ~4.59 MHz has been found while listening on HF. As it happens it is a registered assignment for many of the DoD HF stations:

[[File:JORN_4.591MHz.jpg|800px|center|thumb|The relevant transmission is the strong one. Note the weak 'sweeping' of the spectrum just to the left of it - part of JORN too? This is usually what an ionosonde does.]]

* The matching assignment is 4.5905 MHz at 10 kW (3 kHz bandwidth)

Note that automatic site fetching has been disabled in the following links; if you wish to fetch other sites, please check the box in the top-right of the map.

# [http://maps.spench.net/rf/#pos=-12.6098453,131.2896064&zoom=15&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&site=16988&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Transmitter Site, HUMPTY DOO]
# [http://maps.spench.net/rf/#pos=-12.3605274,130.9840831&zoom=16&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Receiver Site, SHOAL BAY]
# [http://maps.spench.net/rf/#pos=-27.6470786,152.7216908&zoom=16&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&site=25283&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz RAAF Base, AMBERLEY]
# [http://maps.spench.net/rf/#pos=-35.1248577,146.9838466&zoom=15&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&site=27045&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Transmitter Site, LYNDOCH]
# [http://maps.spench.net/rf/#pos=-19.3375511,146.7647889&zoom=15&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&site=28487&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Site, North Ward, TOWNSVILLE (masts to the ESE)]
# [http://maps.spench.net/rf/#pos=-19.231798,146.7177649&zoom=15&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&site=28974&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Transmitter Site, BOHLE RIVER]
# [http://maps.spench.net/rf/#pos=-35.0175844,146.4204004&zoom=15&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&site=36568&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Receiver Site, MORUNDA]
# [http://maps.spench.net/rf/#pos=-32.7996633,151.8350412&zoom=18&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&site=37164&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Royal Australian Air Force, WILLIAMTOWN]
# [http://maps.spench.net/rf/#pos=-19.4629994,146.3361825&zoom=17&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=39548&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Receiver Site, SPEED CREEK]
# [http://maps.spench.net/rf/#pos=-21.904494,114.1347445&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=43863&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Transmitter Site, NORTH WEST CAPE]
# [http://maps.spench.net/rf/#pos=-22.332049,114.0513051&zoom=15&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=52649&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Receiver Site, NORTH WEST CAPE]
# [http://maps.spench.net/rf/#pos=-22.7104697,150.6643754&zoom=14&type=hybrid&auto_fetch=false&clustering=true&cluster_level=17&filter=%5b{%22freq%22%3A4591000}%5d&q=4.591MHz Defence Site (RAAF), ROCKHAMPTON (site has wrong position)]

== De-modulation ==

Some simple signal analysis reveals interesting features:

[[File:JORN_4.591MHz_DeMod.png|800px]]
[[File:JORN_4.591MHz_DeMod_Broader.png|800px]]
[[File:JORN_4.591MHz_FAC.png|800px]]

{{RF}}
Categories: Wiki

BorAir

Gallery - Mon, 23/01/2012 - 17:34
Categories: Gallery

RADAR

Wiki - Mon, 23/01/2012 - 10:14

Balint: /* Server */

== DFS with ath5k ==

* With a view to '''D'''ynamic '''F'''requency '''S'''election powered by RADAR PHY errors reported to the driver.
* ath5k aims to support the Atheros WiFi chipset on Linux.

=== Visualisation of RADAR activity ===

[[File:RADAR_ath5k_App.png|240px|thumb|Visualisation app]]

# Patched ath5k driver reports PHY error details to userspace via debugfs.
# Python daemon on Linux collects details, sweeps frequency ranges on-demand, and reports details to any connected client over the network.
# .NET GUI visualises legitimate WiFi packets and RADAR errors over frequency/time, plots histograms of pulse width, RSSI distribution, time between pulses, and draws time-series graphic to help uncover repetition rate within a sample of pulses.

=== Resources ===

* [http://madwifi-project.org/ madwifi]
* [http://madwifi-project.org/wiki/Chipsets Atheros Chipsets]
* [http://wireless.kernel.org/en/users/Drivers/ath5k ath5k on Linux Wireless]
* [https://lists.ath5k.org/pipermail/ath5k-devel/ ath5k-devel mailing list]
* [http://www.mail-archive.com/ath5k-devel@lists.ath5k.org/msg00266.html Enabling debugfs with ath5k]
* [http://www.mail-archive.com/ath5k-devel@lists.ath5k.org/msg04585.html (Low) power levels with AR5414]
* [http://wiki.freebsd.org/dev/ath_hal%284%29/RadarDetection Radar Detection notes on FreeBSD ath-hal]
* [http://www.google.com/patents/US6891496 Method and apparatus for physical layer radar pulse detection and estimation]

Wikipedia:

* [http://en.wikipedia.org/wiki/Radar_signal_characteristics Radar signal characteristics]
* [http://en.wikipedia.org/wiki/Pulse_compression Pulse compression]

=== Hardware ===

I use a Ubiquiti Networks SR4C (802.11a) with the ath5k driver in compat-wireless-2011-10-11.

It appears as:

ath5k phy0: Atheros AR5414 chip found (MAC: 0xa5, PHY: 0x61) version: 2

With some extra 'printk's, the full frequency range is revealed:

AR5K_EEPROM_HDR_11A: 0xa61 (min: 4920, max: 6100)

=== Important changes ===

There are some extra changes which enable the whole system to work. These are contained in the driver patch, and are described below.

==== Channel list ====

The patch enables all channels between 4.9 GHz and 6.1 GHz (depending on channel width), with 5 MHz spacing. A future improvement would be another mechanism where a specific frequency could be set that is ''not'' contained in the channel list that is constructed upon driver initialisation (i.e. currently, the setting of frequencies not in this list will fail).

all_channels: Default is 1

Take note of the following changes:

<syntaxhighlight lang="c">
static unsigned int
ath5k_setup_channels(struct ath5k_hw *ah, struct ieee80211_channel *channels,
		unsigned int mode, unsigned int max)	// ATH_CHAN_MAX when !CHAN_DEBUG
{
	unsigned int count, size, freq, ch;
	enum ieee80211_band band;

	switch (mode) {
	case AR5K_MODE_11A:
		/* 1..220, but 2GHz frequencies are filtered by check_channel */
		size = 220 + (196-182+1) + 9+3 + 4+4;
		band = IEEE80211_BAND_5GHZ;
		break;
	case AR5K_MODE_11B:
	case AR5K_MODE_11G:
		size = 26;
		band = IEEE80211_BAND_2GHZ;
		break;
	default:
		ATH5K_WARN(ah, "bad mode, not copying channels\n");
		return 0;
	}

	count = 0;
	for (ch = 1; ch <= size && count < max; ch++) {
		if (ch <= 220)
			freq = ieee80211_channel_to_frequency(ch, band);
		else if (ch <= (220 + 15)) {	// 5910 -> 5980 (15)
			freq = 5000 + (ch - 221 + 182) * 5;
		}
		else if (ch <= (220 + 15 + 9+3)) {	// 4920+2.5 -> 4985+2.5 but not whole (9)
			int i = ch - (220 + 15);
			freq = 49200;
			do {
				freq += 25;
				if (((freq % 100) == 0) || ((freq % 100) == 50))
					freq += 25;
			} while (--i);
			freq /= 10;
		}
		else if (ch <= (220 + 15 + 9+3 + 4+4)) {	// 4990+2.5 -> 5000 (4)
			freq = (49800 + (25 * (ch - (220 + 15 + 9+3)))) / 10;
		}
		else	// Fallback
			freq = ieee80211_channel_to_frequency(ch, band);

		if (freq == 0) { /* mapping failed - not a standard channel */
			printk("Not a standard channel: %d\n", ch);
			continue;
		}

		/* Write channel info, needed for ath5k_channel_ok() */
		channels[count].center_freq = freq;
		channels[count].band = band;
		channels[count].hw_value = mode;

		/* Check if channel is supported by the chipset */
		if (!ath5k_channel_ok(ah, &channels[count])) {
			//if (ah->debug.level & ATH5K_DEBUG_DUMPBANDS)
			printk("Channel NOT OK: %d %d\n", ch, channels[count].center_freq);
			continue;
		}

		if (!modparam_all_channels &&
		    !ath5k_is_standard_channel(ch, band))
			continue;

		count++;
	}
	printk("Set up %d channels\n", count);
	return count;
}
</syntaxhighlight>

==== Regulatory domain ====

There are other changes, but these main ones open up all the channels for use:

<syntaxhighlight lang="c">
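#define ATH5K_ALL	REG_RULE(4920-10, 6100+10, 20, 0, /*23*//*0*/40, /*NL80211_RRF_PASSIVE_SCAN*/NL80211_RRF_DFS)

static const struct ieee80211_regdomain ath_all = {
	/* Must equal the number of entries in reg_rules below (one here);
	 * a larger count makes the regulatory code read past the array. */
	.n_reg_rules = 1,
	.alpha2 = "99",
	.reg_rules = {
		ATH5K_ALL,
	}
};

static const struct ieee80211_regdomain *ath_default_world_regdomain(void)
{
	/* originally returned the most restrictive domain (ath_world_regdom_64);
	 * now returns the wide-open one defined above */
	return &/*ath_world_regdom_64*/ath_all;
}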
</syntaxhighlight>

==== Additional module arguments ====

default_bwmode:
0: 20MHz
1: 10MHz
2: 5MHz

default_countrycode:
Values from CTRY_* enum.

=== Kismet compatibility ===

This patched driver works well with Kismet. Just use one of the following 'channellist's:

All channels:
channellist=ath5k_all:4920,4922,4925,4927,4930,4932,4935,4937,4940,4942,4945,4947,4950,4952,4955,4957,4960,4962,4965,4967,4970,4972,4975,4977,4980,4982,4985,4987,4990,4992,4995,4997,range-5000-6100-20-5
Normal channels (not '''P'''ublic '''S'''afety):
channellist=notps:range-5000-6100-20-5
Only '''P'''ublic '''S'''afety:
channellist=ps:4920,4922,4925,4927,4930,4932,4935,4937,4940,4942,4945,4947,4950,4952,4955,4957,4960,4962,4965,4967,4970,4972,4975,4977,4980,4982,4985,4987,4990,4992,4995,4997,5000

=== Files ===

==== ath5k Linux kernel driver patch ====

* [http://spench.net/drupal/files/compat-wireless-2011-10-11.radar-h4x.patch.bz2 compat-wireless-2011-10-11.radar-h4x.patch.bz2]

This is a diff against compat-wireless-2011-10-11. I had to apply some additional patches/fixes to enable it to compile against my existing kernel (2.6.26 x86):

* '''022-atomic64_backport.patch''' is in the root directory in case you need it too (but is not applied by my driver patch).

My config.mk:

<syntaxhighlight lang="diff">
diff compat-wireless-2011-10-11.orig/config.mk compat-wireless-2011-10-11/config.mk
224c224
< # CONFIG_ATH5K_DEBUG=y
---
> CONFIG_ATH5K_DEBUG=y
615c615
< # CONFIG_ATH_DEBUG=y
---
> CONFIG_ATH_DEBUG=y
</syntaxhighlight>
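
Review bot: the 615c615 hunk also enables CONFIG_ATH_DEBUG, while the radar debugfs file this page reads sits under the ath5k directory, so it is not clear from the diff whether both options are needed or only CONFIG_ATH5K_DEBUG from 224c224. A short comment next to each enabled line saying what depends on it would let anyone repeating this keep debug output to the minimum required.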

'''NOTE''': Debug mode is necessary for the information to be passed to userland via debugfs!

Also add to fstab:

none /sys/kernel/debug debugfs

And make sure debugfs is enabled in your kernel!

To ready the interface:

sudo iwconfig wlan0 mode Monitor
sudo ifconfig wlan0 up

You can optionally (manually) set a frequency if you want to watch ''/sys/kernel/debug/ieee80211/phy0/ath5k/radar'':

sudo iwconfig wlan0 freq 5800M

To specify alternate channel width:

sudo modprobe ath5k default_bwmode=[0: 20MHz, 1: 10MHz, 2: 5MHz]

To remove it for restart:

sudo modprobe -r ath5k ath mac80211 cfg80211 compat

==== Python ====

Two types:

# TCP server for GUI
# Stand-alone for console

They have plenty of command-line arguments, so remember to check them with '-h'.

Both scripts rely on knowing how to decode the RADAR error struct passed down from the kernel. If this is different for you from the default, make sure you update these scripts!

The RADAR queue length must match the driver's one (2048 by default, can be changed as a command-line argument).

And

<syntaxhighlight lang="c">
struct ath5k_radar_error {
u32 tsf;
u8 rssi;
u8 width; // 0 for WiFi frame
u8 type; // 0: WiFi frame (no error), 1: RADAR PHY error
u8 subtype; // For type 0: 0; type 1: rs_rate
};
</syntaxhighlight>

must match:

<syntaxhighlight lang="python">
sizeof_radar_error = 4+1+1+1+1
</syntaxhighlight>

and

<syntaxhighlight lang="python">
item = struct.unpack("Icccc"...
</syntaxhighlight>

(and also the way it is used by the '''radar_error''' class).

===== Server =====

* [http://spench.net/drupal/files/radar_server.py.bz2 radar_server.py.bz2]

Usage: radar_server.py: [options]

Options:
-h, --help show this help message and exit
-P PORT, --port=PORT server port [default=5256]
-l QUEUE_LENGTH, --queue-length=QUEUE_LENGTH
radar error queue length [default=2048]
-d DEV, --dev=DEV device [default=wlan0]
-p PHY, --phy=PHY device [default=phy0]
--progress show progress [default=False]

All frequencies are in MHz (e.g. 5500). Sweep range can go backwards.

Simple plain-text line-based protocol:

FREQ <freq>

Thresholds (as in driver, see patch for details, or [http://wiki.freebsd.org/dev/ath_hal%284%29/RadarDetection/AR5212 here] (AR5212 radar detection notes on FreeBSD ath-hal)):

FIRPWR <pwr>
RSSI <rssi>
PHEIGHT <height>
PRSSI <rssi>
INBAND <threshold>

START [start freq: 4920] [end freq: 6100] [freq step: 5] [sampling interval in seconds, can be floating point: 1]
STOP

To continually scan one frequency, use same start and end frequency.

To terminate (will stop active sweep):

QUIT or EXIT

or just disconnect.

Details are sent back as:

DATA <freq> <Base64 encoded list of RADAR error structs>
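
An added client-side example (not taken from radar_server.py or the GUI) that decodes one DATA line into RADAR error structs and derives the time between pulses. It assumes the 8-byte struct layout shown above in little-endian order, TSF values in microseconds, and records delivered in time order; the function names and the sample line are constructed for illustration.

```python
import base64
import struct
from collections import Counter

# struct ath5k_radar_error as shown above: u32 tsf followed by four u8 fields.
# Assumption: little-endian host (the page's kernel is x86). "B" is used instead
# of the scripts' "c" so the fields arrive as integers.
RADAR_ERROR = struct.Struct("<IBBBB")
MAX_QUEUE_LENGTH = 2048            # default queue length quoted on the page
TYPE_FRAME, TYPE_RADAR = 0, 1      # 'type' values from the struct comments


def parse_data_line(line, max_items=MAX_QUEUE_LENGTH):
    """Parse 'DATA <freq> <base64>' into (freq_mhz, list of record dicts)."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "DATA":
        raise ValueError("not a DATA line")
    if not (parts[1].isascii() and parts[1].isdigit()):
        raise ValueError("frequency is not a plain integer")
    blob = base64.b64decode(parts[2], validate=True)   # ValueError on junk
    if len(blob) % RADAR_ERROR.size:
        raise ValueError("payload is not a whole number of structs")
    if len(blob) // RADAR_ERROR.size > max_items:
        raise ValueError("more records than the driver queue can hold")
    records = []
    for tsf, rssi, width, kind, subtype in RADAR_ERROR.iter_unpack(blob):
        if kind not in (TYPE_FRAME, TYPE_RADAR):
            # Usually a sign that the struct layout differs from the driver's.
            raise ValueError("unknown record type %d" % kind)
        records.append({"tsf": tsf, "rssi": rssi, "width": width,
                        "type": kind, "subtype": subtype})
    return int(parts[1]), records


def pulse_intervals(records):
    """Time between consecutive RADAR PHY errors; safe across u32 TSF wrap."""
    stamps = [r["tsf"] for r in records if r["type"] == TYPE_RADAR]
    return [(b - a) & 0xFFFFFFFF for a, b in zip(stamps, stamps[1:])]


def estimate_prf_hz(intervals, bin_us=50):
    """Pulse repetition frequency from the most populated interval bin."""
    bins = Counter((d + bin_us // 2) // bin_us for d in intervals if d > 0)
    if not bins:
        return None
    top = bins.most_common(1)[0][0]
    members = [d for d in intervals if (d + bin_us // 2) // bin_us == top]
    return 1e6 / (sum(members) / len(members))


def build_sample_line():
    """Constructed input: six pulses about 1000 us apart that cross the TSF
    wrap, with one ordinary WiFi frame (type 0) in between."""
    tsf = 0xFFFFFC00
    items = []
    for step, kind in [(0, 1), (1000, 1), (1001, 1), (400, 0),
                       (599, 1), (1000, 1), (1000, 1)]:
        tsf = (tsf + step) & 0xFFFFFFFF
        width = 4 if kind == TYPE_RADAR else 0
        items.append(RADAR_ERROR.pack(tsf, 25, width, kind, 0))
    return "DATA 5625 " + base64.b64encode(b"".join(items)).decode("ascii")


if __name__ == "__main__":
    freq, recs = parse_data_line(build_sample_line())
    gaps = pulse_intervals(recs)
    print(freq, "MHz:", len(recs), "records, intervals", gaps,
          "PRF", estimate_prf_hz(gaps), "Hz")
```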

===== Stand-alone console =====

* [http://spench.net/drupal/files/radar.py.bz2 radar.py.bz2]

Usage: radar.py: [options]

Options:
-h, --help show this help message and exit
-s START, --start=START
start freq [default=4920]
-e END, --end=END end freq [default=6100]
-S STEP, --step=STEP freq step [default=5]
-d DEV, --dev=DEV device [default=wlan0]
-p PHY, --phy=PHY device [default=phy0]
-i INTERVAL, --interval=INTERVAL
sample interval [default=2]
-c, --current don't change current WiFi settings [default=False]
--short show statistics in short form [default=False]

Will scan and output statistics to console (see Python script for output format). Also dumps various histograms to disk (CSV files).

Excerpt from output:

...
5620 MHz: -
5625 MHz: -
5630 MHz: 0039 in 1063604 us - RSSI: 20.4 +/- 7.2 [015-030], Width: 1st: 0000 #0000, 2nd: 0000 #0000 [imm: 0039, unk: 0000 (0.0 +/- 0.0 [256--01]), Time Diff: 1st: 3004 #0004, 2nd: 1006 #0002 (27989.6 +/- 79650.4 [994-382388])
5635 MHz: 0006 in 135130 us - RSSI: 28.8 +/- 4.3 [021-035], Width: 1st: 0004 #0004, 2nd: 0011 #0001 [imm: 0000, unk: 0000 (5.3 +/- 2.6 [004-011]), Time Diff: 1st: 3010 #0001, 2nd: 12014 #0001 (27026.0 +/- 39315.9 [1502-105082])
5640 MHz: -
5645 MHz: -
...

==== GUI ====

* [http://spench.net/drupal/files/Radar.zip Radar.zip]

The GUI runs under .NET and uses ZedGraph (reference DLL included). You will need to run the Python server on your Linux box with the WiFi card and be able to connect to it over your network.

Screenshots may be seen below.

Pre-compiled binaries are included in the download, so you don't need to compile the source. However, if you decide to compile the project, you will have to point the ZedGraph and TehLib.NET references to the DLLs in the '_References' directory.

=== Monitoring RADAR detection in the console ===

Type:

watch -n 1 "cat /sys/kernel/debug/ieee80211/phy0/ath5k/radar"

to get:

Every 1.0s: cat /sys/kernel/debug/ieee80211/phy0/ath/radar

RADAR detection enabled: 1
RADAR PHY error filter: 0

Filter output power threshold: 44 (44)
Pulse height threshold: 28

RADAR RSSI threshold: 15
Pulse RSSI threshold: 58

In-band threshold: 9

RADAR error queue usage: 0/2048 (start: 0, overflows: 0)

RADAR errors: 0
PHY errors: 0
Other errors: 0
Frames: 0

Width:
0: 0
1-50: 0
51-100: 0
101-150: 0
151-200: 0
201-250: 0
251-254: 0
255: 0

=== Manually setting RADAR detection parameters ===

For example (adjust depending on your interface index):

echo "firpwr -60" > /sys/kernel/debug/ieee80211/phy0/ath5k/radar
echo "rssi 1" > /sys/kernel/debug/ieee80211/phy0/ath5k/radar
echo "pheight 1" > /sys/kernel/debug/ieee80211/phy0/ath5k/radar
echo "prssi 1" > /sys/kernel/debug/ieee80211/phy0/ath5k/radar
echo "inband 31" > /sys/kernel/debug/ieee80211/phy0/ath5k/radar

=== Spectrum Sweep ===

==== 20 MHz channel width ====

* Notice how RADAR errors are reported either side of a legitimate WiFi channel:

[[File:RADAR_ath5k_Count20.png|800px|thumb|center|Counts vs. Frequency]]
[[File:RADAR_ath5k_RSSI20.png|800px|thumb|center|RSSI vs. Frequency]]

==== 10 MHz channel width ====

* No WiFi operating at this channel width:

[[File:RADAR_ath5k_Count10.png|800px|thumb|center|Counts vs. Time]]
[[File:RADAR_ath5k_RSSI10.png|800px|thumb|center|RSSI vs. Frequency]]

==== 5 MHz channel width ====

* Some WiFi operating at this narrow channel width:

[[File:RADAR_ath5k_Count5.png|800px|thumb|center|Counts vs. Frequency]]
[[File:RADAR_ath5k_RSSI5.png|800px|thumb|center|RSSI vs. Frequency]]

=== Kurnell Weather RADAR ===

* Registered as a Bureau of Meteorology Weather RADAR: http://www-cluster.bom.gov.au/inside/oeb/radar/sydney.shtml

* Registered on [http://maps.spench.net/rf/#pos=-34.0127168,151.2241832&zoom=14&type=hybrid&auto_fetch=true&clustering=true&cluster_level=17&site=11386&filter=%5B%7B%22freq%22%3A5500000000%2C%22freq_range%22%3A600000000%7D%5D&q=4.9-6.1ghz RFMap]:
** 5.625 GHz (1.1 MHz bandwidth at 250 kW)

<html>
<div class="center"><div class="thumb tnone"><div class="thumbinner" style="width:642px;">
<a href="http://gallery.spench.net/v/BorAir/IMG_0124.JPG.html" target="_blank">
<img src="http://gallery.spench.net/main.php?g2_view=core.DownloadItem&g2_itemId=20553&g2_serialNumber=4" /></a>
<div class="thumbcaption"><div class="magnify">
<a href="http://gallery.spench.net/v/BorAir/IMG_0124.JPG.html" target="_blank" class="internal" title="Enlarge">
<img src="/skins/common/images/magnify-clip.png" width="15" height="11" alt="" /></a></div>
Photo taken from the air while flying down Victor One</div>
</div></div></div>
</html>

* Following data was received on ~5500/~5600 MHz

* One can infer the rotation rate of the RADAR by examining the difference in time, especially in the 'Counts' (number of reported RADAR PHY errors) over time:

[[File:RADAR_ath5k_Kurnell_TimeCount.png|800px|thumb|center|Counts vs. Time]]

* Average RSSI decreases a little in each 'transmission section' (separated by the pause in-between), however decrease is most noticeable in the maximum value per sample-group:

[[File:RADAR_ath5k_Kurnell_TimeRSSI.png|800px|thumb|center|RSSI vs. Time]]

* Not sure why the distribution of widths changes later (was this when my laptop was knocked off its perch by the wind?!):

[[File:RADAR_ath5k_Kurnell_TimeWidth.png|800px|thumb|center|Pulse width vs. Time]]

* Whatever the change above, it is also reflected here:

[[File:RADAR_ath5k_Kurnell_TimeTime.png|800px|thumb|center|Time between pulses vs. Time]]

* 1kHz PRF
** You can see that the five highest bins (which hold counts for the distinct times between detected RADAR pulses) have values of ~1000. The time-series plot shows the regular repetition:

[[File:RADAR_ath5k_Kurnell_PRF1000.png|800px|thumb|center|Time-series plot of pulses]]

* 5kHz PRF
** As above, however this time it's ~5000:

[[File:RADAR_ath5k_Kurnell_PRF5000.png|800px|thumb|center|Time-series plot of pulses]]

* This is also reflected in the time-between-pulses histogram:

[[File:RADAR_ath5k_Kurnell_HistoTime5000.png|800px|thumb|center|Histogram of time between pulses]]

=== ISM ===

* Indoors, the sweep looks quite different:
** Notice the significant response at 5800MHz. Could this be DECT nearby?

[[File:RADAR_ath5k_Room_RSSI.png|800px|thumb|center|RSSI vs. Frequency]]

* Examining the time-series plot of RSSI for 5800MHz clearly shows a regular, repeating group of pulses (not as apparent due to the colouring on the width plot as the pulse widths seem to be changing more so, however the time-between pulses is identical):

[[File:RADAR_ath5k_Room_PRF.png|800px|thumb|center|Time-series plot of pulses]]

=== 5140 MHz ===

* No idea what this is, however it appears rather regular (also note the regular pauses between groups of RADAR errors):

[[File:RADAR_ath5k_5140_TimeCount.png|800px|thumb|center|Counts vs. Time]]
[[File:RADAR_ath5k_5140_TimeRSSI.png|800px|thumb|center|RSSI vs. Time]]
[[File:RADAR_ath5k_5140_TimeWidth.png|800px|thumb|center|Pulse width vs. Time]]
[[File:RADAR_ath5k_5140_TimeTime.png|800px|thumb|center|Time between pulses vs. Time]]

{{RF}}
Categories: Wiki

Aviation Mapper, the Australian Geo RF Map and Software Defined Radio at Dorkbot Sydney

YouTube - Wed, 21/12/2011 - 09:51
spench.net @spenchdotnet (twitter.com Balint Seeber and Matt Robert discuss what you can do with Software Defined Radio at the Dorkbot Sydney 2011 Finale (dorkbotsyd.boztek.net This is the shortened version of the presentation I gave at Ruxcon 2011: "Hacking the wireless world with Software Defined Radio" www.youtube.com Includes: * RFMap maps.spench.net @ 02:18 * AvMap will go live early next year: spench.net * Real-time web-streaming 2D/3D visualisation of Sydney airspace with Google Maps/Earth @ 23:39 Also check out: * OP25: sedition.org.au and Ruxcon 2011 presentation: www.youtube.com From: balint256 Views: 58 1 ratings Time: 31:09 More in Science & Technology
Categories: Off-site

Michaela Davies vs Elvis Presley

YouTube - Tue, 20/12/2011 - 20:04
Dorkbot Sydney 13/12/2011 michaeladavies.net From: balint256 Views: 103 1 ratings Time: 02:26 More in Science & Technology
Categories: Off-site

Dorkbot Finale 2011

Gallery - Wed, 14/12/2011 - 10:47
Categories: Gallery

Outpost Project (Cockatoo Island)

Gallery - Mon, 12/12/2011 - 08:20
Categories: Gallery

Ruxcon 2011: APCO P25 Security Revisited: The Practical Attacks

YouTube - Wed, 23/11/2011 - 21:46
OP25 project: sedition.org.au @mattrobert80 @stiabhang (Steve Glass) This is my good Software-Defined friend Matt presenting at Ruxcon 2011. From: balint256 Views: 633 8 ratings Time: 53:45 More in Science & Technology
Categories: Off-site

Ruxcon 2011: Hacking the wireless world with Software Defined Radio

YouTube - Wed, 23/11/2011 - 11:25
spench.net @spenchdotnet [Note: TOC (time links) below!] twitter.com 00:00 - 01:23 Intro 01:23 - 06:34 RFMap (maps.spench.net 06:34 - 11:37 Pagers 11:37 - ... Modez: spench.net 23:26 AvMap in 2D & 3D: www.youtube.com ... - 32:36 Modez 32:36 - 45:30 Satellite Communications 45:30 - 48:23 Gedanken 48:23 - End. Questions & Live demo From: balint256 Views: 1075 5 ratings Time: 53:34 More in Science & Technology
Categories: Off-site

Ports

Wiki - Thu, 10/11/2011 - 17:45

Balint: AvMap

{| class="wikitable" border="1"
|+ Port Allocations
|-
! Type || Number || Usage
|-
| TCP/UDP || 25662 || NetAudio (user-switchable between TCP & UDP modes)
|-
| TCP/UDP || 25699 || NetVideo (TCP control, UDP streaming)
|-
| TCP/UDP || 28888 || [[BorIP]] (TCP control, UDP streaming)
|-
| TCP || 13155/13145 || ACARS decoder server (port depends on frequency)
|-
| TCP || 13111 || ACARS raw feed combiner
|-
| TCP || 10900 || Modez
|-
| TCP || 10901 || AvMap
|-
| TCP || 25652 || Console
|-
| TCP || 8001 || SBS-1 raw feed sharing
|}
Categories: Wiki

Spring Cycle 2011

Gallery - Mon, 17/10/2011 - 09:55
Categories: Gallery

GPS track of flight between Sydney and Melbourne using Navman

Balint's Blog - Thu, 19/05/2011 - 21:29

This is what you get when you blutac a GPS receiver to your window when going for a domestic flight. Altitude is colour coded.

YMML-YSSY

Taking off from Sydney:

Navman

Take off

Here, speed is colour coded:

Speed

You can download the YMML-YSSY trip: YMML-YSSY

Categories: Blog