UHF-Satcom.com - Inmarsat Standard D+ paging                                                                                                 (10/08/2007 12:06:44 +0100)

Following the acquisition of an Inmarsat-D+ pager from eBay, work has progressed very well to disassemble the firmware and work out how the over-the-air protocol works. The JRC Inmarsat pager that was used for the reverse engineering is a JUE-610DT type. A Hitachi HI8-3H emulator was used to run the firmware code and to step through the data handling routines. Some pictures of the various modules are described below:

Main CPU board based on Hitachi HI8-3H processor. (HI8-3H V1.0 Hitachi, Ltd. 1992)

GPS Module - serial output at 4800bps although it seems to be proprietary.

RF board with PSU, DDS etc

Patch antenna for Inmarsat TX/RX and GPS

PA / LNA and filters under antenna

Modem and antenna

Received signal overview screen (Tnx KJN)

TX busy screen (Tnx KJN)

Setup screen (Tnx KJN)


The main ICs in the Inmarsat-D pager are as follows:

H8/3040 - Main CPU

Inmarsat - ADSP-2166 - MFSK demod

Inmarsat - AD9831 - DDS for baseband

TC551001 - Static RAM

Atmel 1Mbit flash rom for firmware


There are four patents that are worth digesting:

STD-D1, STD-D2, STD-D3, STD-D4


A few common Inmarsat-D transceiver types are:

Apollo, PoleStar and DMR200.

From the initial examination of the firmware coupled with the over-the-air analysis of the data, the following facts have been compiled:

Modulation:      32-tone MFSK running at 20bps and 40bps.
MFSK signal:     Tones are separated by 20 Hz, and it is assumed that the lowest tone = 0, highest tone = 31.
Error coding:    Reed-Solomon with a block length of 31 and K=15.
Interleaving:    A complex interleaving table exists in the firmware.
Bit coding:      There also seems to be a lookup table or bit transcoding matrix in the firmware.
Tuning control:  Frequency tuning appears to work in a similar manner to that of Inmarsat-C.
RS-232 port:     The serial port runs 1200-8N2 - only CTRL+C and CTRL+E return any data.
                 It is assumed that the serial port is only for message traffic and not diagnostics.

When the modem is powered on, it first tunes to a paging channel where the MFSK modem syncs on the 'idle tones'. Once synced, the serial data is available for examination. The serial data is passed from the DSP to the CPU over a two-wire bus - this runs at 1500bps and has a sync or start pulse on another pin. From this it's possible to extract the demodulated MFSK frame before error correction / interleaving / bit coding:

    01110110100000001001010100001111000
    01110110100000001001010010110010000
    01110110100000001001010101011000000
    01110110100000001001010101000001000
    01110110100000001001010010111110100
    01110110100000001001010011000101100
    01110110100000001001010111001001000
    01110110100000001001010111111110000
    01110110100000001001010001111010100
    01110110100000001001010111100011000
    01110110100000001001010100110011000
    01110110100000001001010010100100100
    01110110100000001001010010110001100

MFSK frames (audio sample)

Once the data has been passed through the error correction / interleaving / bit coding steps, the following data is obtained - these are raw frames:
Sync-word 17 [AOR-W] (There is a large look-up table of what is presumed to be sync words)
01 - 000100001000001110111100000000000010010100010111000000000000000000000000000
02 - 000000100000000001111011000001111011000101100000000001111011000001111011000
03 - 000101110000000001111011000001111011000101010000000001111011000001110111000
Thanks to `r00t for the above data.

Taking the frames of data from the paging / bulletin board channel, some channel numbers can be extracted - presumably this is to notify pagers of an imminent message broadcast on a traffic channel. (Note: the traffic channel number is not correctly converted in the example below.)
021  CH: 1537.860 MHz [11144]
002  CH: 1539.780 MHz [11912]
021  CH: 1537.890 MHz [11156]
022  CH: 1539.780 MHz [11912]
023  CH: 1539.780 MHz [11912]
024  CH: 1539.780 MHz [11912]
003  CH: 1537.890 MHz [11156]
004  CH: 1537.890 MHz [11156]
005  CH: 1537.890 MHz [11156]
012  CH: 1537.890 MHz [11156]
022  CH: 1539.790 MHz [11916]
021  CH: 1537.900 MHz [11160]
021  CH: 1539.760 MHz [11904]
021  CH: 1539.750 MHz [11900]
021  CH: 1537.880 MHz [11152]
007  CH: 1539.770 MHz [11908]

The above data was obtained from the paging channel on 54W Inmarsat. The paging channels are thought to be those which stay up continuously. Many of the 'traffic' channels only transmit when a message is to be sent. A working Inmarsat-D+ modem shows channel "2C58" on the display as the "BB", presumably for the Bulletin Board. According to the patent, the channel spacing for Inmarsat-D is 2.5 kHz. 2C58 in decimal is 11352; 11352 × 0.0025 MHz = 28.38 MHz, and adding the 1510 MHz base frequency gives 1538.380 MHz, which is the Bulletin Board from AOR-W.
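The two decoding steps described above (splitting a demodulated frame into 32-tone MFSK symbols, and turning a channel number into a carrier frequency) as a worked example. This is added code, not from the UHF-Satcom page or the JUE-610DT firmware. It uses the page's stated facts (32 tones, 20 Hz tone spacing, 2.5 kHz channel raster, 1510 MHz base) and two labelled assumptions: that each 35-bit demodulated line is seven consecutive 5-bit tone symbols read MSB first, and that tone index 0 is the lowest tone. The sample frames and channel lines are copies of values quoted on the page plus one constructed mismatching line so the consistency check has something to reject.

```python
import re

# Added worked example; not code from UHF-Satcom.com or the JUE-610DT firmware.
# Page facts: 32-tone MFSK, 20 Hz tone spacing, 2.5 kHz channel spacing,
# 1510 MHz channel base. Assumptions (labelled): each 35-bit demodulated line is
# seven consecutive 5-bit tone symbols, MSB first, and tone index 0 is the lowest tone.

TONE_COUNT = 32
BITS_PER_SYMBOL = TONE_COUNT.bit_length() - 1     # 32 tones -> 5 bits per symbol
TONE_SPACING_HZ = 20.0
CHANNEL_BASE_MHZ = 1510.0
CHANNEL_STEP_MHZ = 0.0025                          # 2.5 kHz raster from the patent

# Constructed sample input: the first three demodulated frames quoted on the page.
SAMPLE_FRAMES = [
    "01110110100000001001010100001111000",
    "01110110100000001001010010110010000",
    "01110110100000001001010101011000000",
]

# Constructed sample: two bulletin-board lines from the page plus one deliberately
# inconsistent line (channel 11900 does not match 1539.780 MHz).
SAMPLE_CHANNEL_LINES = [
    "021  CH: 1537.860 MHz [11144]",
    "002  CH: 1539.780 MHz [11912]",
    "099  CH: 1539.780 MHz [11900]",   # constructed mismatch
]


def frame_to_tones(bits):
    """Split a demodulated bit string into tone indices 0..31, MSB first (assumption)."""
    if set(bits) - {"0", "1"} or len(bits) % BITS_PER_SYMBOL:
        raise ValueError("frame must be a multiple of %d binary digits" % BITS_PER_SYMBOL)
    return [int(bits[i:i + BITS_PER_SYMBOL], 2)
            for i in range(0, len(bits), BITS_PER_SYMBOL)]


def tone_offset_hz(tone):
    """Frequency of a tone relative to tone 0, using the page's 20 Hz spacing."""
    if not 0 <= tone < TONE_COUNT:
        raise ValueError("tone index out of range")
    return tone * TONE_SPACING_HZ


def common_symbol_prefix(frames):
    """Count leading tone symbols shared by every frame (a sync/header candidate)."""
    tone_lists = [frame_to_tones(f) for f in frames]
    shared = 0
    for column in zip(*tone_lists):
        if len(set(column)) != 1:
            break
        shared += 1
    return shared


def channel_to_mhz(channel):
    """Channel number -> carrier frequency: 1510 MHz + channel * 2.5 kHz."""
    return round(CHANNEL_BASE_MHZ + channel * CHANNEL_STEP_MHZ, 4)


def mhz_to_channel(mhz):
    """Inverse mapping; rejects frequencies that are not on the 2.5 kHz raster."""
    steps = (mhz - CHANNEL_BASE_MHZ) / CHANNEL_STEP_MHZ
    channel = int(round(steps))
    if abs(steps - channel) > 1e-3:
        raise ValueError("%.4f MHz is not on the 2.5 kHz raster" % mhz)
    return channel


_LINE_RE = re.compile(r"^(\d{3})\s+CH:\s+([\d.]+)\s+MHz\s+\[(\d+)\]$")


def parse_channel_line(line):
    """Parse 'NNN  CH: f MHz [chan]' and report whether f and chan agree."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    msg_id, mhz, channel = m.group(1), float(m.group(2)), int(m.group(3))
    consistent = channel_to_mhz(channel) == round(mhz, 4)
    return msg_id, mhz, channel, consistent


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(frame_to_tones(f))
    print("shared leading symbols:", common_symbol_prefix(SAMPLE_FRAMES))
    print("0x2C58 ->", channel_to_mhz(0x2C58), "MHz")   # 1538.38, the AOR-W bulletin board
    for line in SAMPLE_CHANNEL_LINES:
        print(parse_channel_line(line))
```

Under the MSB-first assumption the three sample frames share their first four tone symbols, which is the kind of constant header one would expect before the Reed-Solomon and interleaving stages; the consistency check on the channel lines is the quick way to spot a mis-converted traffic channel number like the one the text warns about.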

Satellite       Freq (MHz)   Description
53W             1538.380     ID 002 - MFSK slow rate data 20bd Inmarsat-D Bulletin Board
Inmarsat 4F2    1539.7575    ID 012 - MFSK slow rate data 40bd Inmarsat-D
                1539.765     MFSK slow rate data 20bd Inmarsat-D traffic channel
                1539.7675    MFSK slow rate data 20bd Inmarsat-D traffic channel
                1539.770     MFSK slow rate data 20bd Inmarsat-D traffic channel
                1539.7775    MFSK slow rate data 20bd Inmarsat-D traffic channel
                1539.7825    MFSK slow rate data 20bd Inmarsat-D traffic channel
                1539.785     MFSK slow rate data 20bd Inmarsat-D traffic channel
                1539.7875    MFSK slow rate data 20bd Inmarsat-D traffic channel
                1539.790     MFSK slow rate data 20bd Inmarsat-D traffic channel

15.5W           1537.870     ID 102 - MFSK slow rate data 20bd Inmarsat-D Bulletin Board
Inmarsat 3F2    1539.7625    MFSK slow rate data 20bd Inmarsat-D traffic channel - QRT?
                1539.7725    MFSK slow rate data 20bd Inmarsat-D traffic channel - QRT?
                1541.0175    MFSK slow rate data 20bd Inmarsat-D traffic channel
                1541.0275    MFSK slow rate data 20bd Inmarsat-D traffic channel

64E             1537.995     MFSK slow rate data 20bd Inmarsat-D Bulletin Board

BTW if you have any technical info on the Inmarsat pager system, please send it to the contact email address on the front page - full credit will of course be given for any info used!