Frequency Hopping Jammer Detection

[gefa]

Hi, As promised here's the python code (compiled gnuradio flowgraph) for a sneakier jammer: lte_frequency_hopping_narrowband_jammer.zip

Note that the attached file will run in gnuradio 3.7 environment. I suggest one of you run this jammer on a third machine (e.g. laptop) to preclude confusing mix of gnuradio 3.7 (pythion2) and gnuradio 3.8 (python3) on the lab machines. If you have trouble running gnuradio 3.7 please do let me know - I can provide you with docker image you can just run.

This jammer code is based on the undergrad project from WPI: https://digital.wpi.edu/concern/student_works/hm50tv580?locale=en

This jammer will break LTE demo connection between srsenb and srsue as shown below:

--------Signal-----------|-----------------DL-----------------|-----------UL-----------
 cc  pci  rsrp   pl   cfo | mcs  snr  iter  brate  bler  ta_us | mcs   buff  brate  bler
  0    1   -52   52   23m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -52   52 -8.5m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -52   52  8.2m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -52   52   51m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -52   52   39m |  15   38   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -53   53   43m |  15   38   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -53   53   48m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -53   53 -8.7m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -53   53   26m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -53   53   78m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
  0    1   -53   53   15m |  15   37   1.0    840    0%    0.5 |  15    0.0   4.4k    0%
---------Signal-----------|-----------------DL-----------------|-----------UL-----------
 cc  pci  rsrp   pl   cfo | mcs  snr  iter  brate  bler  ta_us | mcs   buff  brate  bler
  0    1   -49   49   -30 |   0   21   4.0    0.0  100%    0.5 |  22    0.0   4.1k    0%
  0    1   -44   44   -26 |   0    3   0.0    0.0    0%    0.5 |  30     81    120   63%
  0    1   -44   44  -6.3 |   0    3   0.0    0.0    0%    0.5 |   0    169    120    0%
  0    1   -44   44  -2.6 |   0    3   0.0    0.0    0%    0.5 |   8     89   1.7k    0%
  0    1   -44   44   -87 |   0    3   1.0     56    0%    1.6 |  14     89   4.3k    0%
  0    1   -45   45    89 |   0    3   0.0    0.0    0%    1.6 |  19     89   4.4k   25%
  0    1   -44   44    22 |   2    3   1.0    774    0%    1.6 |  19     89   4.3k   50%
  0    1   -44   44   7.7 |   0    3   0.0    0.0    0%    1.6 |  23     89   4.3k   20%
  0    1   -44   44  -9.2 |   0    3   0.0    0.0    0%    1.6 |  18     89   4.4k    0%
  0    1   -44   44    53 |   0    3   0.0    0.0    0%    1.6 |   0    177    0.0    0%

Note that the DL-downlink bitrate drops first (from 840 to 0) and UL-uplink bitrate doesn't drop right away but drops gradually (from 4.4k to 0). This somewhat makes sense because the jammer jamms downlink frequency only. Specifically, the jammer outputs a narrowband tone (single frequency spike) randomly in the frequency range between 2.6775GHz and 2.6825GHz (check this in the provided code). Operating DL-downlink frequency of the LTE end-to-end demo is shown when srsenb starts. By default it is 2680MHz (see below).

==== eNodeB started ===
Type <t> to view trace
Setting frequency: DL=2680.0 Mhz, UL=2560.0 MHz for cc_idx=0 nof_prb=50
Starting plot for worker_id=0
Creating plot window 'srsENB PCI 1'...
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'

Dead LTE connection due to this frequency hopping narrowband jammer will show up in GUI as follows:

The bottom left graph shows the frequency range around 2680.0 Mhz - that is the downlink channel as received by srsUE. Note that there's a spike in this graph. Please try to run this yourself and see how the spike wiggles around throughout the frequency range in real-time (for a little while until the connection drop completely dead).

TODO: Can you detect this jammer? Could you differentiate this narrowband frequency hopping jammer from constant/barrage jammer?

[MaxEllsworth]

Hi @gefa ,

I had issues with installation of the correct version of Python uhd / gnuradio libraries which weren't resolved after a couple of hours of troubleshooting.

If it's convenient for you, could I get that Docker image? If not, no worries.

Thank you!

[gefa]

Hi @MaxEllsworth, Sure thing, here: https://github.com/gefa/cv2x-docker-grc3.7

1. git clone
2. cd cv2x-docker-grc3.7
3. build docker -t ImageName . ...this may take an hour or few. Replace ImageName with grc3.7 for example. Built image can be listed with: 'docker images'
4. ./run-over-network ImageName inside running docker you can run: gnuradio-companion &

Let me know how it goes.

[MaxEllsworth]

Thank you @gefa ! Taking a look at this now.

[MaxEllsworth]

Thank you again for the instructions / Docker image -- I got the jammer working on the "Monitor A" computer