Monday, April 21, 2008

Transmitter Fingerprinting

It is true that transmitters can be fingerprinted for positive identification. Unidentified repeater kerchunks or even jamming are sometimes hard to figure out with common transmitter hunting techniques because it's hard to tell if one short transmission comes from the same transmitter as the next, more so if they aren't stationary.

Transmitter fingerprinting is very easy to do if you have a fancy service monitor with a digital storage spectrum scope.

Keep in mind the easiest way to stop a jammer is to ignore him. Never mention or threaten a jammer on the air. He wants to hear how much you hate him. Keep your mouth shut and the problem will likely disappear.

But if it doesn't, hunt stealth style. And if common fox hunting techniques aren't working out, and you don't have access to a spectrum analyzer, here is some info on software approaches:

The concept of transmitter fingerprinting was invented and patented decades ago by Phil Farrell K7PF of Seattle. He licensed his patent/technique to The Boeing Company and to Motron Electronics, which sells equipment for it. The Motron implementation (called TxID) consists of a card that plugs into the expansion slot of a PC, plus software running under DOS. The asking price is higher than most individuals are willing to pay ($700), but it is affordable for repeater clubs. There was a test and review of the system in Homing In for November 1994. The review explains the principles of fingerprinting and shows good and bad points, including comparison of some same-model transmitters. Since then, Motron has added features such as receiver frequency control and readout for remote operation. TxID will control a tape recorder for evidentiary purposes.

The former Motron website explained how it worked:
The MoTron TxID Transmitter FingerPrinting hardware identifies individual transmitters using a patented technique based on the principle that carrier operated radio transmitters exhibit a unique frequency versus time start-up characteristic before stabilizing on the operating frequency. Carrier operated radio transmitters exhibit a unique frequency versus time start-up characteristic before stabilizing on the operating frequency - even radios of the same make and model. This 'FingerPrint' can be captured, stored and analyzed. The TxID Software, which can automatically match and compare up to 256 FingerPrints, and the TxID-1 IBM/Compatible circuit board will help us to identify the abusers on the repeater. An onboard fast squelch starts the FingerPrinting process. The voltage on the receiver's discriminator is sampled, digitized and stored. The leading edge of the carrier is then captured, stored and displayed. Other information about the signal is also captured, including DTMF, CTCSS and DCS signals with separate peak deviation readings, and displayed with the FingerPrint. The TxID System can optionally control a tape recorder, capturing all or part of the transmission on audio tape along with the digitally encoded FingerPrint data. Deviation measurements and Spectrum Occupancy features further enhance the system. The TxID System works with the Receiver, the TxID-1 can also capture the frequency of operation, as well as set the frequency.

For more info see: Testing Motron's Transmitter Fingerprinter by Joe Moell, K0OV - 73 Amateur Radio Today Nov 1994
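The matching step that the Motron description outlines (sample the discriminator at key-up, store the turn-on curve, compare it with stored fingerprints) can be sketched as follows. This is an added example, not code from TxID, XMIT_ID or Sherlock; the damped-ringing signal model, sample rate, transmitter parameters, 0.9 threshold and all function names are assumptions, and every capture is constructed.

```python
import math
import random

FS, N = 8000.0, 200   # assumed A/D sample rate (Hz); samples kept (25 ms after squelch opens)

def turn_on_transient(amp_hz, tau_s, ring_hz, rng, late=0, noise_hz=150.0):
    """Constructed model of discriminator output (Hz off channel) at key-up: damped
    ringing while the oscillator settles, plus noise. `late` = samples missed by squelch."""
    out = []
    for i in range(N):
        t = (i + late) / FS
        settle = amp_hz * math.exp(-t / tau_s) * math.cos(2 * math.pi * ring_hz * t)
        out.append(settle + rng.gauss(0.0, noise_hz))
    return out

def enroll(params, rng, captures=5):
    """Average several key-ups of a known transmitter into one stored fingerprint."""
    runs = [turn_on_transient(*params, rng) for _ in range(captures)]
    return [sum(col) / captures for col in zip(*runs)]

def ncc(a, b, max_lag=8):
    """Peak normalized cross-correlation over small lags (absorbs trigger-timing jitter)."""
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        x = a[max(0, -lag): len(a) - max(0, lag)]
        y = b[max(0, lag): len(b) - max(0, -lag)]
        mx, my = sum(x) / len(x), sum(y) / len(y)
        dx, dy = [v - mx for v in x], [v - my for v in y]
        den = math.sqrt(sum(v * v for v in dx) * sum(v * v for v in dy))
        if den > 0:
            best = max(best, sum(p * q for p, q in zip(dx, dy)) / den)
    return best

def identify(capture, library, threshold=0.9):
    """Best-matching enrolled label, or None when nothing stored is close enough."""
    scores = {label: ncc(capture, ref) for label, ref in library.items()}
    label = max(scores, key=scores.get)
    return (label if scores[label] >= threshold else None), scores

# Constructed transmitters: (initial offset Hz, settle time s, ring frequency Hz).
KNOWN = {"HT-A": (4000, 0.006, 450), "HT-B": (4000, 0.009, 520),  # same model
         "Mobile-C": (-2500, 0.015, 180)}

def demo(seed=1):
    rng = random.Random(seed)
    library = {label: enroll(p, rng) for label, p in KNOWN.items()}
    kerchunk = turn_on_transient(*KNOWN["HT-B"], rng, late=3)  # unidentified key-up
    stranger = turn_on_transient(3000, 0.004, 800, rng)        # never enrolled
    return identify(kerchunk, library), identify(stranger, library)
```

Calling demo() returns the label and per-transmitter scores for each of the two captures. The threshold is what keeps a transmitter that was never enrolled from being pinned on the nearest stored fingerprint.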

A few hams have developed similar fingerprinting systems. The first was "XMIT_ID" by Richard Rager KB8RLN. It used PC software and an 8-bit Soundblaster card. Richard no longer has a web page about this software, but here is a mirror complete with the C source code in case someone would care to port this to a more modern operating system.

I have played with Richard's DOS program and it does work. It has a small memory data base where you can tag and label the fingerprints for easier visual identification.

"Sherlock" by Malcolm Mallette WA9BVS also runs on a PC and uses its sound card with commercial oscilloscope software. 

From: Introducing "Sherlock" - A Hi-Tech Fox Hunting Tool by Malcolm Mallette, WA9BVS - CQ-VHF Sept 1996
The Sherlock system is the modern equivalent of putting a scope across the discriminator. It consists of a simple A/D converter, an audio amplifier, and software, and it captures the turn-on and turn-off so that the operator himself can draw his own conclusions. While not a clone of the commercial unit, or intended for commercial use, Sherlock also enables the operator to identify a transmission if he has previously captured, or later catches, the turn-on and turn-off of the same transmitter when the operator gives his callsign. This must be done manually. Sherlock's A/D converter is based on the Maxim MAX150 chip.

The newest version of Sherlock, which works with Windows XP and Vista, was detailed in a feature article by WA9BVS in the Winter 2006 issue of CQ VHF magazine. It uses the Virtins Sound Card Oscilloscope instead of the original QuickBasic program.

XMIT_ID and Sherlock are intended for home experimentation only. Commercial production of any fingerprinting system based on the turn-on frequency changes of a transmitter may infringe on US patent 5,005,210.  

I thought this was neat: In the patent PDF there is assembly source code titled "S.R.G's New Repeater Controller 12/22/86 K7PF"

Seattle Repeater Group (SRG)'s highly computerized repeater is located "High atop Green Mountain" eight miles west of Bremerton, Washington on the Kitsap Peninsula. This repeater is owned by the Seattle Repeater Group and administered by Phil, K7PF. It is allocated the frequency pair 146.28/146.88.

The SRG repeater has several unique operating characteristics of which a user must be aware. A half second of audio silence is necessary to start the repeater. A weak signal may not start it, but can answer once the system is up. Any sub-audible tone will totally prevent startup. The repeater possesses a defense against Kerchunking.

The "courtesy" beep (at the end of each transmission) tells users that the repeater is available for use, and that all timers have been reset. It is actually not a tone but a direct FM data burst at 9600 bits per second which sounds like a tone, sometimes. If you have an IBM PC (or clone), with EGA or higher graphics, you, too, can read this data burst, identify users, and tell about the characteristics of each transmission.

"Kerchunking" (keying up and immediately releasing the microphone button) the repeater momentarily may result in a CW "?" or a "Please Identify" voice message. Nothing will have been repeated.

The repeater is immediately put into AUTOVOX mode and remains there until the next even minute (every two minutes.) Further Kerchunks have no effect.

One must exceed the 2 KHz LOW DEVIATION threshold to start the repeater while it is in AUTOVOX mode. Successful starting cancels the AUTOVOX (until the next Kerchunk, of course.)

1 comment:

Mark GØNMY said...

Difficult to run in win7 upwards, but it can be done using the Dosbox0.74.exe

And mounting the xmit-id directory as a virtual drive

I never did understand why the latest version of Windows restricted the size of the cmd shell(dos)box.

Interesting post either way.
73 from Mark G0NMY