
A Smart Jamming System for UMTS/WCDMA Cellular Phone Networks for Search and Rescue Applications

Stefan Zorn, Markus Gardill, Richard Rose, Alexander Goetz, Robert Weigel, Alexander Koelpin
Friedrich-Alexander University of Erlangen-Nuremberg, Institute for Electronics Engineering, Erlangen, Germany
Email: zorn@lte.e-technik.uni-erlangen.de

Abstract: Recent statistics show an increase in environmental disasters, a fact which is also perceivable to the public as reports of avalanches, earthquakes and landslides mount in media coverage. This paper introduces one part of the I-LOV project, endorsed by the German Federal Ministry of Education and Research. In this project, partners from relief organizations, universities and industry investigate enhancements to disaster handling and victim rescue. One possible option is to take advantage of the fact that a lot of people own a mobile phone today. Locating a person by his or her mobile phone requires taking over the phone with a dedicated Base Transceiver Station (BTS). Jamming all other networks is one option to achieve that. This paper introduces a new Field Programmable Gate Array (FPGA) based jamming system which disturbs only the absolutely necessary parts of the WCDMA spectrum but reliably cuts all connections between mobile stations (MS) and existing BTS. The whole system, including the signal generator and the front end, is discussed, and measurement results are shown.

Index Terms: wireless communication, jamming, search and rescue, FPGA, system engineering

I. INTRODUCTION

Nowadays the use of mobile communication devices is common in everyday life in industrialized countries. But besides offering mobile voice and data services to the masses, a quite new field of security related issues also emerges from the spread of cellular communication devices. In particular, one recent approach focuses on localizing victims buried under the ruins of collapsed houses using their GSM mobile phones [1]. A survey made by the Federal Agency for Technical Relief, which is the most important partner in this project, shows that about 80% of buried victims carry their mobile phones with them. As shown in [1], full control of the MS to be located is needed. This is done by setting up a dedicated GSM base station (BTS). According to the GSM protocol [2], the MS will not connect to the new BTS as long as it is able to stay connected to the network of its own network provider. The network color code of the respective carrier is stored on the Subscriber Identity Module (SIM). Of course the I-LOV BTS could provide every network color code which is necessary, but not at the same time. Therefore the fact is used that a MS will connect to any reachable GSM network if no BTS with the correct network color code is present, in order to enable emergency calls. The jammer system presented in this paper, together with [3], ensures that all mobiles in the area of interest have to connect to the I-LOV BTS (Fig. 1). No WCDMA networks will be apparent to them. After the MS has logged on to the I-LOV BTS, a stable data channel between BTS and MS can be established. Now both strategies explained in [1], the field strength measurement and the time difference of arrival (TDoA) approach, can be used to locate the victim. [4] and [5] show some possible approaches to GSM cell phone jamming, but for a search and rescue scenario with WCDMA capable MS a new design had to be developed. This paper shows the implementation of the basic principles proposed in [6].

Fig. 1. Simplified schematic of the I-LOV BTS (blocks: PC, Scanner, Jammer 3G with Frontend, Jammer GSM with Frontend, SDR BS with Frontend, Power).

978-1-4673-1088-8/12/$31.00 ©2012 IEEE

II. CELL RESELECTION PROCEDURE

To force a MS or UE (user equipment, the term used in WCDMA systems) to change from WCDMA to GSM, it is necessary to trigger an inter-RAT (RAT: radio access technology) cell reselection. This cell reselection is executed if a certain cell's primary common pilot channel (P-CPICH) energy per chip to interference ratio Ec/I0 (Qqualmeas) falls below a minimum value Qqualmin [7]:

$Q_{\mathrm{qualmeas}} = 10 \log_{10} \frac{\mathrm{CPICH}\ E_c}{I_0}.$   (1)

WCDMA cells violating the cell selection criterion given by

$S_{\mathrm{qual}} = Q_{\mathrm{qualmeas}} - Q_{\mathrm{qualmin}} > 0$   (2)

will no longer be considered as suitable cells to camp on. The minimum required quality Qqualmin is broadcast in the system information of every cell and lies in the range [8]

$-24\ \mathrm{dB} \le Q_{\mathrm{qualmin}} \le 0\ \mathrm{dB}.$   (3)

If the criterion given in (2) is violated for all WCDMA cells in range, only GSM cells remain available and a reselection process to GSM is executed. As proposed in [6], Qqualmeas can be degraded below Qqualmin by increasing the in-band interference power density I0 in (1), which is achieved by injecting a sufficient amount of interference density into the WCDMA downlink frequency bands.

A. Basic Concepts of the Jamming System

The system is developed to work in Europe, where WCDMA band I is used. Its spectrum has a bandwidth of 60 MHz between 2110 MHz and 2170 MHz. The signal processing library together with the arbitrary waveform generator generates a complex baseband signal in the range $-30\ \mathrm{MHz} \le f_{\mathrm{Baseband}} \le 30\ \mathrm{MHz}$ (Fig. 2). Because the baseband signal is complex, its spectrum need not be symmetric, and negative frequencies can be used as well. Therefore a sampling frequency lower by half can be used, or, vice versa, the requirements for the anti-aliasing filters are much relaxed. The fundamental principle of the jamming system is to create a jamming signal by continuously repeating a 10 ms frame of digital data. This is because the WCDMA channels are based on 10 ms frames and the chip sequences of the synchronization and pilot channels are identical for each radio frame. Even though only noise signals are used at the moment, the jamming system is generally capable of generating much more complex RF signals conforming to the WCDMA standard requirements.

Since WCDMA synchronization channels contain data at a chip rate of RC = 3.84 Mcps, the system design uses an integer multiple of this chip clock as sample rate:

$\frac{1}{T_s} = 61.44\ \mathrm{MHz}.$   (4)

To further ease the requirements of the analog reconstruction filters at the DAC outputs, a digital up-sampling by four is performed in the FPGA based signal generator, and the minimum distance of the spectral repetitions is increased to

$\Delta f_s = 16 \cdot 3.84 \cdot 10^6 \cdot 4 - 60\ \mathrm{MHz} = 4 \cdot 61.44\ \mathrm{MHz} - 60\ \mathrm{MHz} = 185.76\ \mathrm{MHz}.$   (5)

Fig. 2. Basic system concept (Graphical User Interface, Signal Processing Library, FPGA-based Arbitrary Waveform Generator and RF Frontend, linked by a USB connection, the I/Q baseband signal and the RF signal).

Fig. 3 shows a functional block diagram of the signal chain.

Fig. 3. Functional block diagram of the jamming system (radio frames from the PC software are loaded into an FPGA-based waveform player that loops the I and Q frames; each path consists of up-sampling by 4, a digital LP, a DAC and an analog LP; the RF frontend mixes I with cos(ωc t) and Q with sin(ωc t)).

III. RF FRONTEND

As transmitter, a direct IQ conversion architecture has been chosen. Fig. 4 shows the design. One advantage over a two-step transmitter is the simpler requirements concerning the filter stages. The low pass reconstruction filters LP are self-designed differential 5th order LC filters with a cutoff frequency of 50 MHz, an insertion loss of 2.59 dB and an attenuation of 56 dB at the first spectral repetition of the baseband signal. The two band pass filters BP are B7750 SAW filters from EPCOS. Their passband exactly covers WCDMA frequency band I with an insertion loss of typically 2.6 dB. They are used to suppress the out-of-band emissions of the mixer and the intermodulation products caused by the nonlinearities of the PAs. The cascade of PA1, attenuator, and PA2 provides a variable gain between 8 dB and 39 dB. This way the subsequent 20 W output PA can be set to maximum gain without being overdriven. Otherwise strong intermodulation products would appear at the output and disturb all mobile communication bands.

IV. MEASUREMENT SETUP AND RESULTS

Fig. 5 shows the measured RF jamming signal for one 5 MHz wide WCDMA channel at full gain. Also visible are the LO, attenuated by 20 dB, and the mirror signal, attenuated by 35 dB. The complete measurement setup is pictured in Fig. 6. As Node B, a CMU200 communication tester is used. It is capable of emulating a complete WCDMA Node B. Among other things, the CMU allows specifying the scrambling code, the channel number used, and the power settings of the downlink channels. The broadcast information can also be set. This allows defining the Qqualmin criterion (compare section II, (2)) used by the UE for the cell reselection procedure. In this test the power of the pilot channel P-CPICH was set to −55 dBm, which indicates a very close Node B. The Node B signals are combined with the upconverted jamming signal and fed to the UE. Its reactions have been observed via a debug software which allowed a deep insight into the cell reselection procedure the UE performs. Several iterations of the test have been accomplished. With Qqualmin = −24 dB, an average jammer power of −37 dBm was necessary to execute the cell reselection procedure. When Qqualmin was relaxed to −15 dB, the necessary jammer power was reduced by 9 dB as well. Hence, using a PA with a gain of 43 dB as additional output stage and a transmit antenna with a gain GT of 7 dBi, and assuming free space path loss [9] with wavelength λ, a jammed area of

$d = \frac{\lambda}{4\pi} \cdot 10^{\frac{P_T + G_T + G_R - P_R}{20}} = 280\ \mathrm{m}$   (6)

can be estimated. Of course this is very dependent on the scenario, e.g. the distance between Node B and UE, or additional path loss in the area of interest caused by houses or the landscape.

Fig. 4. Schematic of the frontend (I and Q inputs, each through an LP, into the IQ mixer driven by the LO of an XO/PLL synthesizer; followed by BP, PA1, attenuator A, PA2, BP and the external antenna).

Fig. 5. RF jamming signal for one channel (power spectral density in dBm, −60 dBm to −10 dBm, over a frequency range of 2.12 GHz to 2.17 GHz).

Fig. 6. Measurement setup (FPGA & DACs feeding the WCDMA front end with a 61.44 MHz external clock; Rohde & Schwarz CMU 200 as target Node B providing P-CPICH, P-SCH and S-SCH; both RF signals joined in a −3 dB / −3 dB combiner and fed to the UE; PC-based debug software receives protocol stack data over an RS232 connection).

V. CONCLUSION

In this paper a new approach for a WCDMA jamming system has been shown. The current configuration can produce jamming signals for any channel of WCDMA band I, but with small changes bands II, IV, V, and VI can be jammed as well; those bands have a bandwidth equal to or less than 60 MHz. With the help of a WCDMA channel sniffer it automatically forces all UE in range to switch to GSM. There a GSM jammer [3] can block all remaining connections, and control can be taken over all MS in the area by the I-LOV BTS [1].

ACKNOWLEDGMENT

The authors would like to express their gratitude to the German Federal Ministry of Education and Research, which made all this possible by funding project I-LOV.

REFERENCES

[1] S. Zorn, R. Rose, A. Goetz, and R. Weigel, "A novel technique for mobile phone localization for search and rescue applications," in Proc. Int. Indoor Positioning and Indoor Navigation (IPIN) Conf., 2010, pp. 1–4.
[2] 3rd Generation Partnership Project (3GPP), "PS based emergency call in Rel-5," 3GPP, Tech. Rep. 11, 2001, TS 11.21 V8.8.0.
[3] S. Zorn, M. Maser, A. Goetz, R. Rose, and R. Weigel, "A power saving jamming system for E-GSM900 and DCS1800 cellular phone networks for search and rescue applications," in Proc. IEEE Topical Conf. Wireless Sensors and Sensor Networks (WiSNet), 2011, pp. 33–36.
[4] N. K. Mishra, "Development of GSM-900 mobile jammer: An approach to overcome existing limitation of jammer," in Proc. Fifth IEEE Conf. Wireless Communication and Sensor Networks (WCSN), 2009, pp. 1–4.
[5] S. W. Shah, M. I. Babar, M. N. Arbab, K. M. Yahya, G. Ahmad, T. Adnan, and A. Masood, "Cell phone jammer," in Proc. IEEE Int. Multitopic Conf. (INMIC 2008), 2008, pp. 579–580.
[6] M. Gardill, S. Zorn, R. Weigel, and A. Koelpin, "Triggering UMTS user equipment inter-RAT cell reselection using noise jammers," in Proc. German Microwave Conf. (GeMIC), 2011, pp. 1–4.
[7] 3rd Generation Partnership Project (3GPP), "User equipment (UE) procedures in idle mode and procedures for cell reselection in connected mode," Tech. Rep. TS 25.304, 2009.
[8] 3rd Generation Partnership Project (3GPP), "Physical layer – measurements (FDD)," Tech. Rep. TS 25.215, 2009.
[9] B. Razavi, RF Microelectronics. Prentice Hall, 1997.
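Worked numbers for the cell reselection criterion of Section II, equations (1) to (3), and for the free-space range estimate (6) of Section IV, as an added example that is not code from the paper or the I-LOV project. The functions evaluate Qqualmeas, Squal and the "all cells violate (2)" condition that triggers an inter-RAT reselection, then invert the Friis formula the way (6) does. The P-CPICH level of −55 dBm, the −37 dBm received jammer power and the 7 dBi antenna gain are taken from the paper; the baseline interference density, the Qqualmin of −18 dB, the interferer level of −35 dBm, PT = 44 dBm, GR = 0 dBi and the 2.14 GHz carrier are assumptions chosen for illustration (with those assumed values the range function returns about 280 m, which matches the figure in (6)). The same Squal calculation can be used defensively: a cell whose RSCP stays constant while Squal collapses across all cells at once is suffering from interference rather than fading.

```python
"""Worked numbers for equations (1)-(3) and (6). Added example, not the paper's code."""
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0


def dbm_to_w(p_dbm: float) -> float:
    """Convert a power level in dBm to watts."""
    return 10.0 ** ((p_dbm - 30.0) / 10.0)


def w_to_dbm(p_w: float) -> float:
    """Convert a power in watts to dBm."""
    return 10.0 * math.log10(p_w) + 30.0


def qqualmeas_db(cpich_ec_w: float, i0_w: float) -> float:
    """Equation (1): Qqualmeas = 10 log10(CPICH Ec / I0). Inputs in watts;
    the ratio is unit-free, so any common unit works."""
    return 10.0 * math.log10(cpich_ec_w / i0_w)


def squal_db(qqualmeas: float, qqualmin: float) -> float:
    """Equation (2): Squal = Qqualmeas - Qqualmin, in dB."""
    return qqualmeas - qqualmin


def cell_is_suitable(cpich_ec_w: float, i0_w: float, qqualmin_db: float) -> bool:
    """A WCDMA cell stays suitable to camp on while Squal > 0 (2).
    Qqualmin is validated against the broadcast range of (3)."""
    if not -24.0 <= qqualmin_db <= 0.0:
        raise ValueError("Qqualmin outside the range -24 dB .. 0 dB given by (3)")
    return squal_db(qqualmeas_db(cpich_ec_w, i0_w), qqualmin_db) > 0.0


def inter_rat_reselection_triggered(cells, qqualmin_db: float) -> bool:
    """Reselection to GSM is executed only when *every* WCDMA cell in range
    violates (2). `cells` is a list of (CPICH Ec, I0) tuples in watts."""
    return all(not cell_is_suitable(ec, i0, qqualmin_db) for ec, i0 in cells)


def free_space_range_m(pt_dbm: float, gt_dbi: float, gr_dbi: float,
                       pr_dbm: float, freq_hz: float) -> float:
    """Equation (6): d = lambda/(4 pi) * 10^((PT + GT + GR - PR)/20), i.e. the
    Friis free-space formula [9] solved for the distance at which the received
    power has dropped to PR. Powers in dBm, gains in dBi."""
    wavelength_m = SPEED_OF_LIGHT_M_S / freq_hz
    exponent = (pt_dbm + gt_dbi + gr_dbi - pr_dbm) / 20.0
    return wavelength_m / (4.0 * math.pi) * 10.0 ** exponent


def received_power_dbm(pt_dbm: float, gt_dbi: float, gr_dbi: float,
                       d_m: float, freq_hz: float) -> float:
    """Forward Friis equation, used to cross-check free_space_range_m()."""
    wavelength_m = SPEED_OF_LIGHT_M_S / freq_hz
    return pt_dbm + gt_dbi + gr_dbi + 20.0 * math.log10(wavelength_m / (4.0 * math.pi * d_m))


def demo():
    # Constructed scenario: P-CPICH at -55 dBm as in the paper's test. The clean
    # interference density, Qqualmin and the interferer level are assumed values.
    cpich = dbm_to_w(-55.0)
    i0_clean = dbm_to_w(-43.0)          # assumed: Ec/I0 = -12 dB without interferer
    qqualmin = -18.0                    # assumed broadcast value, inside range (3)
    interferer_at_ue = dbm_to_w(-35.0)  # assumed interference power reaching the UE

    before = cell_is_suitable(cpich, i0_clean, qqualmin)
    after = cell_is_suitable(cpich, i0_clean + interferer_at_ue, qqualmin)
    print(f"clean: Squal = {squal_db(qqualmeas_db(cpich, i0_clean), qqualmin):.1f} dB,"
          f" suitable = {before}")
    print(f"with interferer (I0 = {w_to_dbm(i0_clean + interferer_at_ue):.1f} dBm):"
          f" Squal = {squal_db(qqualmeas_db(cpich, i0_clean + interferer_at_ue), qqualmin):.1f} dB,"
          f" suitable = {after}")

    # Range estimate (6): PR = -37 dBm and GT = 7 dBi are from the paper;
    # PT = 44 dBm, GR = 0 dBi and f = 2.14 GHz are assumptions.
    d = free_space_range_m(44.0, 7.0, 0.0, -37.0, 2.14e9)
    print(f"free-space distance at which PR = -37 dBm: {d:.0f} m")
    return before, after, d


if __name__ == "__main__":
    demo()
```

Because Qqualmeas is a ratio, adding interference to I0 lowers Squal by exactly the dB increase of I0; a cell broadcasting a stricter (more negative) Qqualmin therefore leaves the UE correspondingly more margin before (2) fails, which is the same relation behind the 9 dB difference reported in Section IV.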