A particular entity used two-tone paging for life-critical voice paging across a county-wide area. They wanted a backup paging system that could work in a standalone fashion without any other infrastructure. In case of a major system/telecom failure, they could still send coded one-way broadcasts to key agencies. They had been sold a system using a mobile two-way radio in a suitcase with antenna, which transmitted to other two-way radios tied into each paging base station to control the powerful paging transmitter.
Upon hearing of the frustration that the backup just didn’t work reliably, after a cursory examination I could immediately see why this system worked poorly under real life conditions. Part 1 of this case study details qualitatively what was wrong, and Part 2 will quantitatively verify my assertions via simulation in GNU Radio.
Original, Poorly Working Paging Backup
Every connection on the diagram except the antennas is wrong. I gathered up all the items except the paging transmitter back to the office. Let’s go from right to left in the diagram above, exploring what needs improvement.
Use of speaker audio
They needed to use speaker audio to get enough amplitude to go into the 600 ohm line input of the transmitter. They used a resistive voltage divider where an 8 ohm resistor was connected across the speaker output, and each side of that 8 ohm resistor went through something like a 1000 Ohm resistor to each side of the line transformer.
- This was not impedance matched and so could screw up the frequency response of the main line connection as well as the paging backup.
- If you turned the volume control, the paging levels from the backup would be screwed up.
The carrier squelch receiving CM200 would hear all signals on the UHF frequency. The only thing stopping anyone from blasting out messages across the whole county was the fact that no one else was silly enough to send tone remote controls across the air. The non-flat audio meant that when you had the 2175 Hz and 1950 Hz control tone levels OK, the low frequency two-tone paging would be too low.
- Don’t send sensitive control tones across the air, the dynamic range of a radio channel isn’t wide enough and the interference rejection (capture ratio) isn’t high enough with the insufficient dynamic range
- Don’t do critical functions across a carrier squelch link!
- Don’t use non-flat audio for links, it’s hard enough to get the levels right with flat audio
The transmit CM200 at least complimented the settings of the receive CM200: carrier squelch, preemphasized audio. We would reprogram this radio to suit a more stable, secure system in the next section of this case study.
Hacked tone remote
The Zetron tone remote was hacked up a bit, adding a PTT relay and cutting down the audio level to feed a microphone input on the CM200. This should have been left factory, and use a tone remote interface on the transmitting CM200.
The engineering issues starting with the most severe were:
Sending level sensitive tones over a link with insufficient SNR.
The SNR of a narrowband commercial radio is about 35-40 dB. The dynamic range of the control tones is 30dB, as follows. +10dBm 2175Hz, 0dBm 1950Hz, then -20dBm of 2175Hz for the duration of the transmission. A POTS line also has an SNR in the 35dB regime for a good signal, limited by the ADC/DAC PCM conversion and hardware. You can get apparent SNR seemingly higher than 35-37dB by compressing the audio, but a careful test will show the actual instantaneous SNR when PCM is involved as in any modern POTS line won’t be higher. So why didn’t the radio link with 35dB max SNR work when the POTS line at 35dB max SNR works all over 24/7/365? The POTS line does not experience nearly the same impairments that a typical radio channel does. The tone remotes are designed to withstand oddities of POTS behavior, NOT radio link behavior. Consider the deviation level if we put the +10dBm 2175Hz tone to have 70% modulation, that is, +/- 1.75kHz deviation in a 12.5kHz bandwidth (+/- 2.5kHz max deviation) system (the current FCC standard for commercial two-way analog FM). We don’t want to go any higher than that because the deviation limiter of the radio starts to kick in, making the tones non-linear. Then the other tones will have deviation as in the following table.
|Tone level (dBm @ 600 ohms)||Deviation (+/- kHz)||Tone freq (Hz)|
The last row of should set alarm bells off. 32 Hz of deviation is an extremely low level, a level of perturbation that easily comes about from noise and interference. Beat notes from another FM transmitter on the same channel can create energy in bins near the 2175Hz guard tone that false the decoder and cause the paging system to stop transmitting. Part 2 will show a simulation of this effect; it’s immediately apparent. On modern POTS lines crosstalk isn’t so much an issue anymore, and you don’t get beat frequencies either. The tone remote systems weren’t designed to tolerate this.
Inappropriate use of carrier squelch
Using a carrier squelch system for a critical system backbone function is very inappropriate. We should use some type of signaling qualification at least as secure as other elements of the system, even if it is security through obscurity.
non-flat audio on backhaul
Sending non-flat audio is begging for more trouble with level-sensitive signaling. It makes low frequency paging tones have low SNR, which is then repeated out the paging transmitter as a degraded signal, causing poor coverage for jurisdictions using low audio frequency two-tone pages. Preemph/deemph is to help fading radio channels have less of a hissing sound, it’s not beneficial for what should be relatively strong signal links. It doesn’t help co-channel interference.
no impedance match
The impedance matching problem was not helping frequency response of two-tone paging either.
The Cure for Remote Two-Tone Paging Woes
As always I thought of systems models and security. Here is what I did for each problem noted in the last section respectively.
- Use standard radio signaling techniques (simultaneous subaudible modulation, tone burst at start of transmission) to act as the authentication. This was no worse than what the rest of the system used. The risk of intercept was small, and if an adversary had the equipment to get the radio codes, they could have simply gotten the radio codes for the rest of the system with less effort. This meant that there would no longer be tone remote 2175,1950,1850 Hz signaling going on over the air, and the two-tone paging would be set for 66% modulation (+/- 1.65kHz deviation) allowing maximizing SNDR (noise + distortion). This was enabled by using a Vega DSP-223 tone remote panel between the Zetron and the CM200 radio.
- This solution ties in with number one, +/- 300Hz deviation subaudible digital signaling was used continuously during the transmission, along with a brief ANI burst of +/- 1.5kHz. An ANI validation module managed this qualification on the receiving end. The system will work without ANI, it will just be less secure against others keying up the system.
- It was easy to reconfigure the system to use flat audio, it’s just a programming selection and use of appropriate 16-pin connector pins.
- Since the paging transmitter had a second local PTT & audio connection, we didn’t connect to the 600 ohm line used by the main consoles. We used an audio transformer to isolate the radio from the paging transmitter, and the signaling decoder provided a relay output to key the paging transmitter. The two-tones were sent from the Zetron after a delay long enough to allow for link receiver decoding (subaudible + ANI + paging transmitter keyup).
Part 2 will explore the quantitative radio link vs. POTS, showing the clear deficiency of the old design.