UHF-Satcom.com - Inmarsat Standard D+ paging (10/08/2007 11:59:17 +0100)
Following the acquisition of an Inmarsat-D+ pager from eBay, work has progressed very well to disassemble the firmware and work out how the over-the-air protocol works. The JRC Inmarsat pager that was used for the reverse engineering is a JUE-610DT type. A Hitachi HI8-3H emulator was used to run the firmware code and to step through the data handling routines. Some pictures of the various modules are included below:
The main ICs in the Inmarsat-D pager are as follows:
H8/3040 - Main CPU
ADSP-2166 - MFSK demod
AD9831 - DDS for baseband
TC551001 - Static RAM
Atmel 1Mbit flash ROM for firmware
There are 4 patents that are worth digesting: STD-D1, STD-D2, STD-D3, STD-D4
A few common Inmarsat-D transceiver specifications are:
From the initial examination of the firmware coupled with the over-the-air analysis of the data, the following facts have been compiled:
Modulation: 32-tone MFSK running at 20bps and 40bps.
MFSK signal: Tones are separated by 20Hz, and it is assumed that the lowest tone = 0, highest tone = 31.
Error coding: Reed-Solomon with a block length of 31 and K=15.
Interleaving: A complex interleaving table exists in the firmware.
Bit coding: There also seems to be a lookup table or bit transcoding matrix in the firmware.
Tuning control: Frequency tuning appears to work in a similar manner to that of Inmarsat-C.
RS-232 port: The serial port runs 1200-8N2 - only CTRL+C & CTRL+E return any data. It is assumed that the serial port is only for message traffic and not diagnostics.
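A block length of 31 with K=15 fits a Reed-Solomon code over GF(32), whose 5-bit symbols line up with the 32 tones. The Python below is an added example, not code from the pager firmware or from this page's author: it builds a systematic RS(31,15) encoder and syndrome check and maps symbols to tone offsets. The field polynomial x^5 + x^2 + 1, the generator roots a^1..a^16 and the one-symbol-per-tone mapping are assumptions; the firmware's interleaving and bit-transcoding tables are not modelled.

```python
N, K = 31, 15        # block length and data symbols, as listed above
PRIM = 0b100101      # ASSUMED field polynomial x^5 + x^2 + 1 for GF(32)
TONE_STEP_HZ = 20    # tone spacing, as listed above

# Antilog/log tables for GF(32); EXP is doubled so products need no modulo.
EXP, LOG = [0] * 62, [0] * 32
_x = 1
for _i in range(31):
    EXP[_i] = EXP[_i + 31] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0b100000:
        _x ^= PRIM

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def generator():
    """g(x) = (x+a^1)(x+a^2)...(x+a^16), highest degree first (ASSUMED roots)."""
    g = [1]
    for i in range(1, N - K + 1):
        nxt = g + [0]                        # g(x) * x
        for j, c in enumerate(g):
            nxt[j + 1] ^= gf_mul(c, EXP[i])  # + g(x) * a^i
        g = nxt
    return g

GEN = generator()

def rs_encode(data):
    """Systematic encoding: 15 data symbols followed by 16 parity symbols."""
    if len(data) != K or any(not 0 <= s < 32 for s in data):
        raise ValueError("need 15 symbols in the range 0..31")
    rem = list(data) + [0] * (N - K)
    for i in range(K):                       # long division by GEN
        for j in range(1, len(GEN)):
            rem[i + j] ^= gf_mul(GEN[j], rem[i])
    return list(data) + rem[K:]

def poly_eval(word, x):
    acc = 0
    for s in word:                           # Horner's rule, highest degree first
        acc = gf_mul(acc, x) ^ s
    return acc

def syndromes(word):
    # All sixteen values are zero only when no error is detected.
    return [poly_eval(word, EXP[i]) for i in range(1, N - K + 1)]

def tone_offsets_hz(word):  # ASSUMED mapping: symbol value = tone index, lowest = 0
    return [s * TONE_STEP_HZ for s in word]
```

With 16 parity symbols the code can correct up to 8 symbol errors per block; this example only detects them.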
When the modem is powered on, it first tunes to a paging channel where the MFSK modem syncs on the 'idle tones'. Once synced, the serial data is available for examination. The serial data is passed from the DSP to the CPU over a two-wire bus - this runs at 1500bps and has a sync or start pulse on another pin. From this it's possible to extract the demodulated MFSK frame before error correction / interleaving / bit coding:
Sync-word 17 [AOR-W] (There is a large look-up table of what is presumed to be sync words)
01 - 000100001000001110111100000000000010010100010111000000000000000000000000000
02 - 000000100000000001111011000001111011000101100000000001111011000001111011000
03 - 000101110000000001111011000001111011000101010000000001111011000001110111000

Thanks to `r00t for the above data.

Taking the frames of data from the paging / bulletin board channel, some channel numbers can be extracted - presumably this is to notify pagers of an imminent message broadcast on a traffic channel. (Note the traffic channel number is not correctly converted in the example below.)
021 CH: 1537.860 MHz [11144]
002 CH: 1539.780 MHz [11912]
021 CH: 1537.890 MHz [11156]
022 CH: 1539.780 MHz [11912]
023 CH: 1539.780 MHz [11912]
024 CH: 1539.780 MHz [11912]
003 CH: 1537.890 MHz [11156]
004 CH: 1537.890 MHz [11156]
005 CH: 1537.890 MHz [11156]
012 CH: 1537.890 MHz [11156]
022 CH: 1539.790 MHz [11916]
021 CH: 1537.900 MHz [11160]
021 CH: 1539.760 MHz [11904]
021 CH: 1539.750 MHz [11900]
021 CH: 1537.880 MHz [11152]
007 CH: 1539.770 MHz [11908]
The above data was obtained from the paging channel on 54W Inmarsat. The paging channels are thought to be those which stay up continuously. Many of the 'traffic' channels only transmit when a message is to be sent. A working Inmarsat-D+ modem shows channel "2C58" on the display as the "BB", presumably for the Bulletin Board. According to the patent, the channel spacing for Inmarsat-D is 2.5 kHz. 2C58 (hex) is 11352 in decimal; 11352 x 0.0025 MHz = 28.38 MHz, and adding the 1510 MHz base frequency gives 1538.380 MHz, which is the Bulletin Board from AOR-W.
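The same conversion can be used to cross-check the bracketed channel numbers in the bulletin board listing against the frequencies printed beside them. The Python below is an added example, not part of the original page; the function names are hypothetical, the meaning of the leading three-digit field is not assumed, and the last sample entry is constructed to show a mismatch.

```python
import re

BASE_HZ = 1_510_000_000   # 1510 MHz base frequency, from the text above
STEP_HZ = 2_500           # 2.5 kHz channel spacing, from the text above

def channel_to_hz(chan):
    """Channel number -> carrier frequency in Hz (integers avoid float error)."""
    return BASE_HZ + chan * STEP_HZ

def hz_to_channel(hz):
    """Inverse mapping; rejects frequencies that are off the 2.5 kHz grid."""
    offset = hz - BASE_HZ
    if offset < 0 or offset % STEP_HZ:
        raise ValueError(f"{hz} Hz is not on the channel grid")
    return offset // STEP_HZ

# Matches entries such as "021 CH: 1537.860 MHz [11144]".
ENTRY = re.compile(r"(\d{3}) CH: (\d+)\.(\d{3}) MHz \[(\d+)\]")

def check_listing(text):
    """Return (first_field, channel, consistent) for every entry found in text."""
    rows = []
    for ident, mhz, khz, chan in ENTRY.findall(text):
        listed_hz = int(mhz) * 1_000_000 + int(khz) * 1_000
        rows.append((ident, int(chan), listed_hz == channel_to_hz(int(chan))))
    return rows

# The first three entries come from the listing above; the last one is
# constructed with a deliberately wrong frequency so a mismatch is flagged.
SAMPLE = ("021 CH: 1537.860 MHz [11144] 002 CH: 1539.780 MHz [11912] "
          "022 CH: 1539.790 MHz [11916] 999 CH: 1538.000 MHz [11352]")

if __name__ == "__main__":
    print(channel_to_hz(int("2C58", 16)))   # "2C58" as shown on the modem display
    for row in check_listing(SAMPLE):
        print(row)
```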
53W - Inmarsat 4F2
1538.380 - ID 002 - MFSK slow rate data 20bd Inmarsat-D Bulletin Board
1539.7575 - ID 012 - MFSK slow rate data 40bd Inmarsat-D
1539.765 - MFSK slow rate data 20bd Inmarsat-D traffic channel
1539.7675 - MFSK slow rate data 20bd Inmarsat-D traffic channel
1539.770 - MFSK slow rate data 20bd Inmarsat-D traffic channel
1539.7775 - MFSK slow rate data 20bd Inmarsat-D traffic channel
1539.7825 - MFSK slow rate data 20bd Inmarsat-D traffic channel
1539.785 - MFSK slow rate data 20bd Inmarsat-D traffic channel
1539.7875 - MFSK slow rate data 20bd Inmarsat-D traffic channel
1539.790 - MFSK slow rate data 20bd Inmarsat-D traffic channel

15.5W - Inmarsat 3F2
1537.870 - ID 102 - MFSK slow rate data 20bd Inmarsat-D Bulletin Board
1539.7625 - MFSK slow rate data 20bd Inmarsat-D traffic channel - QRT?
1539.7725 - MFSK slow rate data 20bd Inmarsat-D traffic channel - QRT?
1541.0175 - MFSK slow rate data 20bd Inmarsat-D traffic channel
1541.0275 - MFSK slow rate data 20bd Inmarsat-D traffic channel

64E
1537.995 - MFSK slow rate data 20bd Inmarsat-D Bulletin Board

BTW if you have any technical info on the Inmarsat pager system, please send it to the contact email address on the front page - full credit will of course be given for any info used!