RS232 Protocol



RS232 Settings:
19200, 8N1
DTR = high or low, RTS = !DTR


Note: If DTR and RTS are at the same level, the RS232 transceiver will not function correctly, so make sure you are able to set one of them low and the other high.
If no data is returned from the device, measure the voltage levels of RTS and DTR on the PC's RS232 port manually: one should be +12V and the other should be -12V.



Format: HHLLCC:AA

HH = ChannelID MSB
LL = ChannelID LSB
CC = ControlNumber
     where 08 is OK (the ChannelID value can be used)
     and EE is an explicit error
AA = Activity
     where 0x50 or 0x51 indicates no activity
     0x95 or 0x96 indicates activity
     0xA7 or 0xA8 may indicate a synchronisation burst
     0xFF may indicate a base channel
     0x01 is an error

Note: Valid RX frequencies are 925-960 MHz and 1805-1880 MHz

Obtaining the RX frequency from the channel ID:
ChannelID > 0x1B00 : (ChannelID + 0x0465) * 200 kHz
ChannelID < 0x1B00 : (ChannelID - 0x0465) * 200 kHz (see Example 2)

Example 1: 1EDE08:50
ChannelID = 0x1EDE
ControlNumber = 08
Activity = 0x50

RX frequency = (0x1EDE + 0x0465) * 200 kHz = 1805.400 MHz

Activity == 0x50 -> No activity detected

Example 2: 170008:95
ChannelID = 0x1700
ControlNumber = 08
Activity = 0x95

RX frequency = (0x1700 - 0x0465) * 200 kHz = 952.600 MHz

Activity == 0x95 -> Channel was in use during scan
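The decoding walked through in the two examples, as an added Python example that is not code from the scanner project: it parses HHLLCC:AA lines, applies the ControlNumber check, converts the ChannelID to an RX frequency and rejects frequencies outside the two valid bands. The frame layout, activity codes, 200 kHz raster and 0x0465 offset come from this page; the band split at 0x1B00 (add above it, subtract below it, as in Examples 1 and 2), the function names and the sample lines are assumptions.

```python
# Added example (not the scanner project's code) that decodes HHLLCC:AA frames.
# Frame layout, activity codes, 200 kHz raster and 0x0465 offset are from the page;
# the band split at 0x1B00 (add above, subtract below, per Examples 1 and 2),
# the function names and the sample lines are assumptions.
import re
from typing import Optional, Tuple

FRAME_RE = re.compile(r"^([0-9A-F]{4})([0-9A-F]{2}):([0-9A-F]{2})$", re.I)
ACTIVITY = {0x50: "no activity", 0x51: "no activity", 0x95: "activity",
            0x96: "activity", 0xA7: "sync burst", 0xA8: "sync burst",
            0xFF: "base channel", 0x01: "error"}

def parse_frame(line: str) -> Optional[Tuple[int, int, int]]:
    """Return (channel_id, control, activity) or None for a malformed line."""
    m = FRAME_RE.match(line.strip())
    return tuple(int(g, 16) for g in m.groups()) if m else None

def rx_khz(channel_id: int) -> int:
    """ChannelID -> RX frequency in kHz on the 200 kHz raster."""
    n = channel_id + 0x0465 if channel_id > 0x1B00 else channel_id - 0x0465
    return n * 200

def in_valid_band(khz: int) -> bool:
    """Only 925-960 MHz and 1805-1880 MHz are valid RX frequencies."""
    return 925_000 <= khz <= 960_000 or 1_805_000 <= khz <= 1_880_000

def describe(line: str) -> str:
    """One human-readable verdict per serial line; unusable frames are flagged."""
    fr = parse_frame(line)
    if fr is None:
        return "unparseable"
    channel_id, control, activity = fr
    if control == 0xEE:
        return "explicit error"
    if control != 0x08:                      # only CC=08 makes ChannelID usable
        return "control 0x%02X: channel id not usable" % control
    khz = rx_khz(channel_id)
    if not in_valid_band(khz):
        return "%d kHz outside the valid RX bands" % khz
    act = ACTIVITY.get(activity, "unknown activity 0x%02X" % activity)
    return "%.1f MHz: %s" % (khz / 1000, act)

# Constructed sample: frames from the examples and the capture shown on this page.
SAMPLE = ["1EDE08:50", "170008:95", "EEEEEE:05", "170008:A7", "00300E:50", "junk"]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(ln, "->", describe(ln))
```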




Example data:


Introduction

The goal of the GSM Activity Scanner project is to develop a low-cost GSM Activity Scanner. The project originated as a feasibility study for the more advanced GSM Radar concept.

The GSM Activity Scanner will be able to indicate the amount of phone traffic in the region where it is operational. Since the device is low-cost, several of them can be placed at different locations, and since each device is connected to a PC the information can be gathered on a central website.

Possible applications are detecting popular providers and/or detecting peaks in phone traffic related to public events.

The current design is based on a modified GSM and some glue logic to enable interfacing the modified GSM with a PC over RS232. The GSM Activity Scanner is operational and some results are available in the Scanner Results section. Information on ordering one of these GSM Activity Scanners can be found in the Order Scanner section.


Some Results

A future design replaces the simple glue logic with a more advanced FPGA, which allows multiple modified GSMs to be connected to the same GSM Activity Scanner and allows faster scanning. The interface of this design with the host PC will be USB.

GSM Activity Scan Results

Some preliminary scan results are available. These results were obtained by connecting a prepared GSM to the RS232 Prototype. The waveforms and tuning data were captured on a PC using the data acquisition board.





900 MHz results during a 6 hour scan. Some channels jump out and vary over time. Please note that 932.2 MHz shows almost no variation





900 MHz, broadcast channels filtered out





1800 MHz results during a 6 hour scan. Some channels jump out and vary over time.





1800 MHz, grouped by provider (frequency source: http://www.scannersitefrl.nl/)

Order RS232 Scanner

The first batch of RS232 Scanners has arrived, the hardware is functioning OK and the firmware of the PLD is stable.

To prevent disappointment, please note that the GSM Activity Scanner will only be able to indicate the amount of traffic on base station frequencies (see Scanner Results). The device operates by continuously monitoring the tuning sequences and the received GMSK waveform while the GSM is performing its internal "Network/Provider scan".

It is not possible to decode any data, since the device does not demodulate the GMSK bursts. Even if the received GMSK bursts were demodulated on a PC with the appropriate algorithm and you succeeded in decrypting the data, the use would be limited, since the number of back-to-back received GMSK bursts is too small.
If you are still interested, read on ...

To summarize, you require:
  1. A Philips Savvy Dual Band phone, prepared as described in the PDF file "Adding a GSM Interface to a Philips Savvy DB GSM"
  2. The GSM Activity scanner hardware, which you can order on this page

As a service I will provide a MC74HC08AD when you order an RS232 based GSM Activity Scanner. The other parts are standard material.

The price of an assembled board is 50 Euro + P&P. Shipment is in principle only within the Netherlands, but this can be extended to some selected countries in Europe (depending on shipment policies).

You can indicate your interest in one of the assembled boards by email.

Stock information:
Number of bare boards: 6
Number of component sets : 0
Number of assembled boards: 2



Lab Hardware


GSM Activity Scanner Hardware

GSM Scanner

Based on a Xilinx PLD and a Microchip microcontroller

Specifications

PLD:


  • type: XC9536 XL
  • firmware: version 1.0 (preprogrammed)

Microcontroller:

  • type: PIC 16F88
  • bootloader: version 1.0 (preprogrammed)
  • firmware: version 1.0 (preprogrammed). Reprogrammable over RS232

Interfaces:

Ordering information





Development/Prototyping hardware:


  • "Prepared GSM": A Philips Dual Band Savvy with a mounted connector providing a GSM Interface (see picture on the right)



  • "RS232 Prototype" aka proto2: RS232 connected dual PIC/PLD Based GSM Activity Scanner Prototype - operational





  • "USB Scanner": USB connected FPGA/PIC Based GSM Activity Scanner - in conceptual design stage



RS232 Scanner / USB Scanner (future) functional design:





Interface diagram of the RS232 Scanner (top) and the USB Scanner (bottom). Both use the GSM Interface (I_GSM) and provide an RS232 (I_RS232) or USB (I_USB) interface on their connectors.









Detailed RS232 Prototype information:







detailed external interface diagram of the RS232 based Prototype Board (including debug and programming interfaces)








internal interfaces of the RS232 based Prototype board






Tested interfaces


Synchronous:

I_SYNC_GSM-PC_SLAVE, passed
I_SYNC_GSM-PLD_SLAVE, passed
I_SYNC_PLD-PICB, passed: between the PLD and the PIC, 16-bit bursts can be transported serially (synchronously) at 13 MHz
I_SYNC_PC_PLD, passed: synchronous communication between PLD and PC (with the PC as slave or master)
I_SYNC_GSM_PLD, passed: synchronous communication between GSM and PLD (with the GSM as master)
I_SYNC_GSM_(PLD)_PC, passed: synchronous communication between GSM and PC via the PLD (with the GSM as master)
Asynchronous:

I_ASYNC_GSM-PC_27Mhz, passed
I_ASYNC_GSM-PLD, failed: asynchronous communication between GSM and PLD. Further development postponed for now. Needs FIFOs / dual-port RAM / FPGA
I_ASYNC_PIC_A-PC, passed
I2C:

I_I2C_PIC_B-PIC_A_MASTER, passed
I_I2C_PIC_B-PC_MASTER, passed
Analog:

I_A_GSM-AD, passed
I_A_GSM-PIC_B, passed
I_D8_AD-PLD, passed


Functional Tests
Test_X_PC_SYNC – PLD - X_GSM_D, passed
Test_X_PC_SYNC – PLD, AD - X_GSM_A, passed
Test_X_PC_I2C – PIC_B, AD - X_GSM_A, passed
Test_X_RS232_ASYNC - PICA, PICB, AD -X_GSM_A, passed
Test_X_RS232_ASYNC –PICA,PICB, PLD - X_GSM_D.Tune, current work
Test_X_RS232_ASYNC –PICA,PICB, PLD - X_GSM_D.IQ, possible future work



Tests to perform for the future USB Scanner:






GSM Interface

The I_GSM interface is the interface with the modified Philips Savvy Dual Band. The GSM is modified by soldering small wires to certain vias and combining the signals using a small AND-gate IC. This reduces the number of signals to transport, and the IC provides some buffering of the signals. The resulting signals are available on the connector shown in the picture.

The signals are available during all operations of the GSM, which means: during power-up, during scanning the available networks, during logging on to the network, during standby, during an outgoing call, during an incoming call etc.

The "scanning the available networks" phase is used by the GSM Activity Scanner. Nice to know is that this phase is never completed when there is no SIM card in the GSM, which means that the phone will keep on scanning and a connected GSM Activity Scanner will be able to keep on processing the results :-)

The IQ data provided on the I_GSM interface is for the receive path only, so only GMSK bursts from the base station to the GSM are available on the interface.

Signals on the 10 pins header:

  • IQ_CK: Clock signal for IQ waveform samples
  • GSM_D: combined tuning data and IQ sample data
  • GSM_E: combined tuning Enable and IQ Framing signal (active low)
  • F_CK: Clock signal for tuning data
  • RESERVED: One pin on the connector is reserved
  • GND: 5 pins are grounded to provide shielding during transport from GSM to the device connected to it


A Step-by-Step description can be found in the file "Adding a GSM Interface to a Philips Savvy DB GSM" [PDF]




Extract of the step-by-step description:
Location of the vias and pads:


Notes:
- P_GND, P_VCC are situated on the pads of the EEPROM
- GND is situated anywhere on the edge
- IQ_D, IQ_CK, F_D, F_CK, F_E are situated on vias
- IQ_FS is situated on an SMD/SMT resistor

Schematic modifications:





Example Data:

Tuning cycle. Area I: rest, Area II & III: tuning sequences, Area IV: rest

IQ sample. Area I: rest, Area II: I Data (15 bits), Area III: Q Data (15 bits), Area IV: I data next sample, etc.


Example Waveforms:


Visualised I and Q waveforms of a GMSK burst.

[TXT] IQ sample values for two GMSK bursts (in ascii format)


See also: [wanted: Philips Savvy Dual Band GSM's]