LaForge's home page (Posts about satellite)https://laforge.gnumonks.org/blog/tags/satellite.atom2022-06-21T07:49:57ZHarald WelteNikolaCellular re-broadcast over satellitehttps://laforge.gnumonks.org/blog/20170216-cellular_rebroadcast_over_sat/2017-02-16T00:00:00+01:002017-02-16T00:00:00+01:00Harald Welte<p>I've recently attended a seminar that (among other topics) also covered
RF interference hunting. The speaker was talking about various
real-world cases of RF interference and illustrating them in detail.</p>
<p>Of course everyone who has any interest in RF or cellular will know
about fundamental issues of radio frequency interference. To the
biggest part, you have</p>
<ul class="simple">
<li><p>cells of the same operator interfering with each other due to too
frequent frequency re-use, adjacent channel interference, etc.</p></li>
<li><p>cells of different operators interfering with each other due to
intermodulation products and the like</p></li>
<li><p>cells interfering with cable TV, terrestrial TV</p></li>
<li><p>DECT interfering with cells</p></li>
<li><p>cells or microwave links interfering with SAT-TV reception</p></li>
<li><p>all types of general EMC problems</p></li>
</ul>
<p>But what the speaker of this seminar covered was actually a cellular
base-station being re-broadcast all over Europe via a commercial
satellite (!).</p>
<p>It is a well-known fact that most satellites in the sky are basically
just "bent pipes", i.e. they consist of a RF receiver on one frequency,
a mixer to shift the frequency, and a power amplifier. So basically
whatever is sent up on one frequency to the satellite gets
re-transmitted back down to earth on another frequency. This is abused
by "satellite hijacking" or "transponder hijacking" and has been covered
for decades in various publications.</p>
<p>Ok, but how does cellular relate to this? Well, apparently some people
are running VSAT terminals (bi-directional satellite terminals) with
improperly shielded or broken cables/connectors. In that case, the RF
emitted from a nearby cellular base station leaks into that cable, and
will get amplified + up-converted by the block up-converter of that VSAT
terminal.</p>
<p>The bent-pipe satellite subsequently picks this signal up and
re-transmits it all over its coverage area!</p>
<p>I've tried to find some public documents about this, an there's
surprisingly little public information about this phenomenon.</p>
<p>However, I could find a slide set from SES, presented at a
Satellite Interference Reduction Group: <a class="reference external" href="http://data.satirg.org/wp-content/uploads/2015/11/2011a-GSM-re-Broadcast.pdf">Identifying Rebroadcast (GSM)</a></p>
<p>It describes a surprisingly manual and low-tech approach at hunting down
the source of the interference by using an old nokia net-monitor phone
to display the MCC/MNC/LAC/CID of the cell. Even in 2011 there were
already open source projects such as airprobe that could have done the
job based on sampled IF data. And I'm not even starting to consider
proprietary tools.</p>
<p>It should be relatively simple to have a SDR that you can tune to a
given satellite transponder, and which then would look for any
GSM/UMTS/LTE carrier within its spectrum and dump their identities in a
fully automatic way.</p>
<p>But then, maybe it really doesn't happen all that often after all to
rectify such a development...</p>