GPS jamming susceptibility
Given that this is an extremely sensitive topic and completely illegal
also, let me just state at the outset that I have no interest in
jamming anyone's GPS. A while back, I was looking at one of those
Chinese discount electronics websites, I'm sure we all have, and
noticed a GPS jammer for sale. I had been wanting to do some jamming
susceptibility testing for quite some time but had never got around to
building a generator to test with. The thing was cheap so I ordered
it. After it arrived, I opened it up, first thing, to see how it was
made. It has a dual 555 oscillator, a couple of analog switches, a 1.9
GHz VCO, a single amplifier. It doesn't look capable of putting out
more than 50 milliwatts or so into a 2 inch antenna. I was somewhat
dubious that it would do anything, so I took it to the bench where the
Z3801 lives and turned it on. Within 2 seconds, the holdover LED lit.
I immediately turned it off and within a few more seconds, the
holdover LED was back off. The GPS antenna is perhaps 35 feet away
with a cinder block wall, a brick wall, and a metal roof in between. I
also put a 15 Db attenuator between it and the antenna with almost the
same result. I am going to do more testing with it wired into the GPS
downfeed an an adjustable attenuator in line just to see how much
signal it takes. That way, there will be little danger of messing with
anyone's reception. It is just a simple sweeper so it must do its job
by brute force. I am amazed that it took so little to shut my Z3801
down. Has anyone here had any actual experience testing GPS receivers
for susceptibility?
John
Civillian GPS is extremely susceptible to jamming and interference. Which is why the LORAN shutdown puts the entire transportation infrastructure at risk.
Your jammer is probably derived from the one described in Phrack magazine where the theory was extensively discussed.
But in the real world there have been multiple instances of GPS jamming from malfunctioning hardware. A couple of cases in Monterey Bay which rendered several square miles of the bay area unusable for GPS for weeks were traced to malfunctioning TV antenna amplifiers from Radio Shack.
Scott
Sent from my Verizon Wireless BlackBerry
-----Original Message-----
From: John Green wpxs472@gmail.com
Sender: time-nuts-bounces@febo.com
Date: Mon, 22 Nov 2010 11:43:12
To: time-nuts@febo.com
Reply-To: Discussion of precise time and frequency measurement
time-nuts@febo.com
Subject: [time-nuts] GPS jamming susceptibility
Given that this is an extremely sensitive topic and completely illegal
also, let me just state at the outset that I have no interest in
jamming anyone's GPS. A while back, I was looking at one of those
Chinese discount electronics websites, I'm sure we all have, and
noticed a GPS jammer for sale. I had been wanting to do some jamming
susceptibility testing for quite some time but had never got around to
building a generator to test with. The thing was cheap so I ordered
it. After it arrived, I opened it up, first thing, to see how it was
made. It has a dual 555 oscillator, a couple of analog switches, a 1.9
GHz VCO, a single amplifier. It doesn't look capable of putting out
more than 50 milliwatts or so into a 2 inch antenna. I was somewhat
dubious that it would do anything, so I took it to the bench where the
Z3801 lives and turned it on. Within 2 seconds, the holdover LED lit.
I immediately turned it off and within a few more seconds, the
holdover LED was back off. The GPS antenna is perhaps 35 feet away
with a cinder block wall, a brick wall, and a metal roof in between. I
also put a 15 Db attenuator between it and the antenna with almost the
same result. I am going to do more testing with it wired into the GPS
downfeed an an adjustable attenuator in line just to see how much
signal it takes. That way, there will be little danger of messing with
anyone's reception. It is just a simple sweeper so it must do its job
by brute force. I am amazed that it took so little to shut my Z3801
down. Has anyone here had any actual experience testing GPS receivers
for susceptibility?
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
Hi
There is very little signal hitting the ground from a normal GPS bird. Even a few mili watts close at hand is going to be an enormous overload. The typical GPS does not use a lot of bits in the front end A/D.
I suspect that if you tuned your little gizmo down to the FM broadcast band, it would take out your favorite FM station quite nicely. Same would be true of your cell phone if you tuned it there. Jamming from close by isn't all that hard to figure out, or to implement. There are switching power supplies that make wonderful jammers for low frequency signals. If it's RF, it can be jammed. The real question is can you jam it from a reasonable distance?
Bob
On Nov 22, 2010, at 12:43 PM, John Green wrote:
Given that this is an extremely sensitive topic and completely illegal
also, let me just state at the outset that I have no interest in
jamming anyone's GPS. A while back, I was looking at one of those
Chinese discount electronics websites, I'm sure we all have, and
noticed a GPS jammer for sale. I had been wanting to do some jamming
susceptibility testing for quite some time but had never got around to
building a generator to test with. The thing was cheap so I ordered
it. After it arrived, I opened it up, first thing, to see how it was
made. It has a dual 555 oscillator, a couple of analog switches, a 1.9
GHz VCO, a single amplifier. It doesn't look capable of putting out
more than 50 milliwatts or so into a 2 inch antenna. I was somewhat
dubious that it would do anything, so I took it to the bench where the
Z3801 lives and turned it on. Within 2 seconds, the holdover LED lit.
I immediately turned it off and within a few more seconds, the
holdover LED was back off. The GPS antenna is perhaps 35 feet away
with a cinder block wall, a brick wall, and a metal roof in between. I
also put a 15 Db attenuator between it and the antenna with almost the
same result. I am going to do more testing with it wired into the GPS
downfeed an an adjustable attenuator in line just to see how much
signal it takes. That way, there will be little danger of messing with
anyone's reception. It is just a simple sweeper so it must do its job
by brute force. I am amazed that it took so little to shut my Z3801
down. Has anyone here had any actual experience testing GPS receivers
for susceptibility?
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
On 11/23/2010 12:19 AM, Bob Camp wrote:
Hi
There is very little signal hitting the ground from a normal GPS bird. Even a few mili watts close at hand is going to be an enormous overload. The typical GPS does not use a lot of bits in the front end A/D.
I suspect that if you tuned your little gizmo down to the FM broadcast band, it would take out your favorite FM station quite nicely. Same would be true of your cell phone if you tuned it there. Jamming from close by isn't all that hard to figure out, or to implement. There are switching power supplies that make wonderful jammers for low frequency signals. If it's RF, it can be jammed. The real question is can you jam it from a reasonable distance?
There are a few reports and articles going into the susceptibility of
civilian receivers to jammers. Some public texts have also been written,
so the field is not completely covered only on green paper.
A CW jammer will basically grab the AGC and as it gains down the CW the
GPS reception is gained down with it. In particular 1-bit receivers is
susceptable to this effect. 1,5-bit receivers with separate AGC
detection was developed and was able to combat the CW jammer situation.
The relative time when the code can control the bits quickly becomes
just a fraction since a sine spends long times in the extremes far away
from detection limits.
Next thing to attack is lack of supression in the C/A code, and list of
offset-frequencies which is more susceptible can be found.
Noise jammers is also possible.
Things like these alongside the weak signal makes civilian receivers
quite sensitive, so quite a bit of line-of-sight distance can be jammed
with a fairly low output.
Cheers,
Magnus
The Phrack article's jammer attacks the offset frequencies.
Phrack.org/issues.html?issue=60&id=13
This article shows just how vulnerable L1 GPS is
Scott
Sent from my Verizon Wireless BlackBerry
-----Original Message-----
From: Magnus Danielson magnus@rubidium.dyndns.org
Sender: time-nuts-bounces@febo.com
Date: Tue, 23 Nov 2010 01:29:56
To: time-nuts@febo.com
Reply-To: Discussion of precise time and frequency measurement
time-nuts@febo.com
Subject: Re: [time-nuts] GPS jamming susceptibility
On 11/23/2010 12:19 AM, Bob Camp wrote:
Hi
There is very little signal hitting the ground from a normal GPS bird. Even a few mili watts close at hand is going to be an enormous overload. The typical GPS does not use a lot of bits in the front end A/D.
I suspect that if you tuned your little gizmo down to the FM broadcast band, it would take out your favorite FM station quite nicely. Same would be true of your cell phone if you tuned it there. Jamming from close by isn't all that hard to figure out, or to implement. There are switching power supplies that make wonderful jammers for low frequency signals. If it's RF, it can be jammed. The real question is can you jam it from a reasonable distance?
There are a few reports and articles going into the susceptibility of
civilian receivers to jammers. Some public texts have also been written,
so the field is not completely covered only on green paper.
A CW jammer will basically grab the AGC and as it gains down the CW the
GPS reception is gained down with it. In particular 1-bit receivers is
susceptable to this effect. 1,5-bit receivers with separate AGC
detection was developed and was able to combat the CW jammer situation.
The relative time when the code can control the bits quickly becomes
just a fraction since a sine spends long times in the extremes far away
from detection limits.
Next thing to attack is lack of supression in the C/A code, and list of
offset-frequencies which is more susceptible can be found.
Noise jammers is also possible.
Things like these alongside the weak signal makes civilian receivers
quite sensitive, so quite a bit of line-of-sight distance can be jammed
with a fairly low output.
Cheers,
Magnus
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
Hi
If you run through the article the author claims that he's getting a few hundred feet of range with a few hundred mw of power into a good antenna.
Your cell phone and FM broadcast radio are equally susceptible under typical conditions.
Bob
On Nov 22, 2010, at 8:24 PM, scmcgrath@gmail.com wrote:
The Phrack article's jammer attacks the offset frequencies.
Phrack.org/issues.html?issue=60&id=13
This article shows just how vulnerable L1 GPS is
Scott
Sent from my Verizon Wireless BlackBerry
-----Original Message-----
From: Magnus Danielson magnus@rubidium.dyndns.org
Sender: time-nuts-bounces@febo.com
Date: Tue, 23 Nov 2010 01:29:56
To: time-nuts@febo.com
Reply-To: Discussion of precise time and frequency measurement
time-nuts@febo.com
Subject: Re: [time-nuts] GPS jamming susceptibility
On 11/23/2010 12:19 AM, Bob Camp wrote:
Hi
There is very little signal hitting the ground from a normal GPS bird. Even a few mili watts close at hand is going to be an enormous overload. The typical GPS does not use a lot of bits in the front end A/D.
I suspect that if you tuned your little gizmo down to the FM broadcast band, it would take out your favorite FM station quite nicely. Same would be true of your cell phone if you tuned it there. Jamming from close by isn't all that hard to figure out, or to implement. There are switching power supplies that make wonderful jammers for low frequency signals. If it's RF, it can be jammed. The real question is can you jam it from a reasonable distance?
There are a few reports and articles going into the susceptibility of
civilian receivers to jammers. Some public texts have also been written,
so the field is not completely covered only on green paper.
A CW jammer will basically grab the AGC and as it gains down the CW the
GPS reception is gained down with it. In particular 1-bit receivers is
susceptable to this effect. 1,5-bit receivers with separate AGC
detection was developed and was able to combat the CW jammer situation.
The relative time when the code can control the bits quickly becomes
just a fraction since a sine spends long times in the extremes far away
from detection limits.
Next thing to attack is lack of supression in the C/A code, and list of
offset-frequencies which is more susceptible can be found.
Noise jammers is also possible.
Things like these alongside the weak signal makes civilian receivers
quite sensitive, so quite a bit of line-of-sight distance can be jammed
with a fairly low output.
Cheers,
Magnus
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.
John Green wrote:
jamming anyone's GPS. A while back, I was looking at one of those
It doesn't look capable of putting out
more than 50 milliwatts or so into a 2 inch antenna
The GPS antenna is perhaps 35 feet away
with a cinder block wall, a brick wall, and a metal roof in between. I
also put a 15 Db attenuator between it and the antenna with almost the
same result.
down. Has anyone here had any actual experience testing GPS receivers
for susceptibility?
OK... typical received signal at a GPS receiver (L1) is on the order of
-130dBm. Thermal noise floor (assuming noiseless receiver and no
losses) is -114 dBm in 1 MHz BW.
Remember, the typical GPS is a single bit quantizer, which works just
fine considering the signal is 20dB below the noise floor.
So, let's do a little link calculation: 32+20log10(1500)+20log10(.010)
between isotropic antennas (which is not a bad starting point for your
jammer and the GPS)..
32+64-40 -> a link loss of 56 dB.. you're radiating +17dBm, so let's
call it -40dBm into the GPS.. Yep, jamming is almost assured..
But at that kind of power, you'd jam almost ANY receiver that's trying
to receive a signal at -130dBm. 90dB instantaneous dynamic range is
pretty good when you can't use a filter to remove the interfering signal
(e.g. a HF receiver has a narrow band filter in the IF to solve this
problem).
realistically, you need about, say, 10 dB J/S so you'd need -120 dBm
into the receiver from the jammer. A microwatt 10 meters away would do
it nicely. Inverse square helps a bit.. if you were 1 km away, your
interfering 50mW signal would be down another 40 dB.. -80dBm.
10km away, your jammer is down into the area where it probably won't jam
all the time.
Obviously, real radios that need reliable GPS reception do things to
make life easier. Aside from using 1.5-2 bit detection, or signal
excisers, etc. There are also techniques that rely on looking at the
post correlation signal (where the interferer is suppressed to a certain
extent): with modern signal processing, you can correlate against all
possible phases of the code in one shot, for instance.
scmcgrath@gmail.com wrote:
The Phrack article's jammer attacks the offset frequencies.
Phrack.org/issues.html?issue=60&id=13
This article shows just how vulnerable L1 GPS is
I'm not very impressed by design...
That old Freescale/Motorola MC145151 PLL, and using a separate
prescaler? That's a 1970s-1980s design out of some old ap note. Can you
even buy a 145151 anymore? I suppose you can, there's probably millions
of them out there in all manner of radios.
Why not get an eval board for one of the plethora of MMIC PLLs out there
that has VCO, dividers, etc. all on one die. Heck, NS has a whole
webbench application that will basically design the thing for you.
On a related note... What about a GPS signal simulator.. Yes, there are
commercial vendors out there who will be happy to sell you one for many
tens of $k.. how about something simpler? Seems it should be easy to
have a FPGA programmed up to generate all the PN codes and nav messages,
and just run it out to a mixer with a 1575 MHz LO (generated by one of
the aforementioned $100 NatSemi eval boards)..
Or is it too much of a pain to do the doppler? That would take
something like an DDS to create a reference for each S/V simulator, with
the DDS programmed for the required doppler. So it would take N
channels to do N S/Vs in view. Yeah... the multi $10k starts to seem
reasonable now..
I was sort of hoping, in the back of my mind, that some grad student out
there had created some FPGA code to run on a Xilinx eval board (or a USRP2)
On 23/11/10 16:12, jimlux wrote:
scmcgrath@gmail.com wrote:
The Phrack article's jammer attacks the offset frequencies.
Phrack.org/issues.html?issue=60&id=13
This article shows just how vulnerable L1 GPS is
I'm not very impressed by design...
That old Freescale/Motorola MC145151 PLL, and using a separate
prescaler? That's a 1970s-1980s design out of some old ap note. Can you
even buy a 145151 anymore? I suppose you can, there's probably millions
of them out there in all manner of radios.
Why not get an eval board for one of the plethora of MMIC PLLs out there
that has VCO, dividers, etc. all on one die. Heck, NS has a whole
webbench application that will basically design the thing for you.
On a related note... What about a GPS signal simulator.. Yes, there are
commercial vendors out there who will be happy to sell you one for many
tens of $k.. how about something simpler? Seems it should be easy to
have a FPGA programmed up to generate all the PN codes and nav messages,
and just run it out to a mixer with a 1575 MHz LO (generated by one of
the aforementioned $100 NatSemi eval boards)..
Should not be impossible.
Or is it too much of a pain to do the doppler? That would take something
like an DDS to create a reference for each S/V simulator, with the DDS
programmed for the required doppler. So it would take N channels to do N
S/Vs in view. Yeah... the multi $10k starts to seem reasonable now..
It would not be too expensive actually. Just as you do N channels of
PN-code generation you do N channels of doppler carrier and chip-rate
DDS within the FPGA. One needs some form of doppler calculator that
updates the doppler offsets in real-time and then you would need some
application cooking up N channels of NAV-data, but it should not be
prohibitively expensive. Adding things like multi-path simulation on a
per channel basis is more expensive, as it would be a bunch of FIR taps
spread out and in need of updates. Also would a filter for ionospheric
and tropospheric simulation be needed, which parmeters also needs
changes as time goes by... and some added thermal noise unless the
noise-level of the system does not match up with reality. :)
I was sort of hoping, in the back of my mind, that some grad student out
there had created some FPGA code to run on a Xilinx eval board (or a USRP2)
It's not that different from a FPGA based receiver.
Cheers,
Magnus
Hi
The same basic equations apply (as you point out) to any receiver. Lay down
enough on channel noise power and the receiver doesn't have much of a
chance. Nothing magic or terribly hard to figure out. Easy to do wideband at
"I could use a baseball bat" to "I could use a bow and arrow" type ranges.
Because it's easy to do, it happens all the time. Fire up some hair dryers
at close range and they do a fine jamming job. Some of the jamming is
electrical, some of it is the fact you can't hear anything over the noise
they are making.
An axe (or good sling shot) is a fine way to take out a cell site and you
can get them just about anywhere. Jamming GPS isn't even going to make them
drop a call for at least a day or more. It won't make airplanes drop from
the sky either.
Taking out cell sites one at a time isn't a real big deal. It's a rare area
that's covered by only one site. They go in and out of service now and then,
it mostly goes un-noticed. If it is noticed, it's by a small number of
people. I have a nasty suspicion that sites that fail don't get fixed as
fast as they might for just those reasons.
The timing setups are indeed fragile. They could be improved quite a bit.
They aren't so fragile that they melt down immediately when a single fault
occurs. Lots of axes (or a big hurricane) are by far the more likely source
of full system failure.
Bob
-----Original Message-----
From: time-nuts-bounces@febo.com [mailto:time-nuts-bounces@febo.com] On
Behalf Of jimlux
Sent: Tuesday, November 23, 2010 9:37 AM
To: Discussion of precise time and frequency measurement
Subject: Re: [time-nuts] GPS jamming susceptibility
John Green wrote:
jamming anyone's GPS. A while back, I was looking at one of those
It doesn't look capable of putting out
more than 50 milliwatts or so into a 2 inch antenna
The GPS antenna is perhaps 35 feet away
with a cinder block wall, a brick wall, and a metal roof in between. I
also put a 15 Db attenuator between it and the antenna with almost the
same result.
down. Has anyone here had any actual experience testing GPS receivers
for susceptibility?
OK... typical received signal at a GPS receiver (L1) is on the order of
-130dBm. Thermal noise floor (assuming noiseless receiver and no
losses) is -114 dBm in 1 MHz BW.
Remember, the typical GPS is a single bit quantizer, which works just
fine considering the signal is 20dB below the noise floor.
So, let's do a little link calculation: 32+20log10(1500)+20log10(.010)
between isotropic antennas (which is not a bad starting point for your
jammer and the GPS)..
32+64-40 -> a link loss of 56 dB.. you're radiating +17dBm, so let's
call it -40dBm into the GPS.. Yep, jamming is almost assured..
But at that kind of power, you'd jam almost ANY receiver that's trying
to receive a signal at -130dBm. 90dB instantaneous dynamic range is
pretty good when you can't use a filter to remove the interfering signal
(e.g. a HF receiver has a narrow band filter in the IF to solve this
problem).
realistically, you need about, say, 10 dB J/S so you'd need -120 dBm
into the receiver from the jammer. A microwatt 10 meters away would do
it nicely. Inverse square helps a bit.. if you were 1 km away, your
interfering 50mW signal would be down another 40 dB.. -80dBm.
10km away, your jammer is down into the area where it probably won't jam
all the time.
Obviously, real radios that need reliable GPS reception do things to
make life easier. Aside from using 1.5-2 bit detection, or signal
excisers, etc. There are also techniques that rely on looking at the
post correlation signal (where the interferer is suppressed to a certain
extent): with modern signal processing, you can correlate against all
possible phases of the code in one shot, for instance.
time-nuts mailing list -- time-nuts@febo.com
To unsubscribe, go to
https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
and follow the instructions there.