discuss-gnuradio

Re: [Discuss-gnuradio] question about using FSK on noise


From: abhinav narain
Subject: Re: [Discuss-gnuradio] question about using FSK on noise
Date: Tue, 7 Jun 2016 11:08:46 -0400

Dear Marcus,

On Tue, Jun 7, 2016 at 6:05 AM, Marcus Müller <address@hidden> wrote:
> Hi Abhinav,
>
> Cool research, with lots of security implications :) !
> Out of curiosity: as there are a lot of different power supply topologies, which one are you concentrating on? What does one find in "normal" laptop power supply "bricks"? Is it the "classical" fixed-frequency PWM buck, where the frequency modulation is really an effect of the different lengths of the duty cycle, modulating the spectrum's sinc shape in amplitude and spacing of side lobes, or is it the newer "adaptive frequency" kind of control? Or are there, like for class-D amplifiers, spread-spectrum modulators for the switching currents? (if not spread) What are the "typical" switching frequencies under "normal" load of these astonishingly small supplies?

I think they are due to a different duty cycle when there is a loop running vs. when the process is in sleep().
> So: your question is pretty impossible to answer without you explaining the model you have:
> How does your input (the program) influence the emissions? What's the mechanism behind that?

I have observed a change in the frequency of EM emission when the processor is idle (running the OS) vs. when I run a busy loop. So, I wrote a simple code (attached in the last email) that sleeps when the message bit is 1, and runs a busy loop computing an exponential value when the message bit is 0.
> What exactly is your measurement setup?
Measurement setup:
I have an analog filter and the laptop plugged into adjacent power plugs, and I sample the first 500 kHz of the power-line spectrum.


> As an input on "scientific methods": I think your whole research hinges on your power supply doing different things under different load, right? So maybe I'd start with a much, much reduced test case: a complete laptop running something as non-deterministic as a wait loop in Python under a fully fledged operating system, with a CPU that might do things like voltage scaling, a lot of buffering of energy in on-board capacitors and a screen with a fully fledged high-voltage SMPS, might be a bit hard to get to do things 100% repeatably at first.
You are close to what I described. I haven't tried using the screen to draw power, but that sounds like a good direction to move forward.
> Have you already decoded something simple, like your power supply just heating a 10Ω resistor, and you then connecting a second one in parallel, maybe using a MOSFET, just to get a "clean as possible" idea of how you can decode "simple" load changes? I think a lot of the energy between your 60 kHz "blips" really is just due to the fact that your laptop varies its power consumption much faster than that, or actual EMI emissions of the SMPSes (there should be dozens!) inside the laptop itself. It's a bit hard to guess from your specgram what part of the signal is relevant.

I am trying to decode the message I transmitted using this flowgraph: http://postimg.org/image/fkwdlyhyp/
> With a clear idea of how the power supply reacts, I'd actually look at the cleaned-up (i.e. filtered) time domain signal. I'd expect to see some kind of pulse shape there. I think you can already guess from the spectrogram: _Switch_ mode power supplies will modulate things with rectangular waveforms, which have sinc shape in spectrum, and hence, a lot of side lobes. That would imply the best-guess matched filter would be a moving average – but I don't quite believe that; in fact, the power supply's job is to give a clean, constant voltage, so there's going to be quite some low pass filtering on the output, and the properties of that will most likely have an influence on the spectrum of the emitted pulses.


That's a great starting point: a rectangular matched filter.
I have bandpass filtered the signal and kept 40-70 kHz as shown in the flowgraph attached, but I wasn't clear on the next step to filter. I am sure you will have more thoughts on the flowgraph.

I have the sample file with the captured IQ samples, if you would like to have a look:
http://sites.noise.gatech.edu/~abhinav/tmp/plc_message_500kHz.dat

> Also you forgot to attach your flowgraph, it seems ;)

http://postimg.org/image/fkwdlyhyp/


Thank you,
Abhinav

> Best regards,
> Marcus


> On 07.06.2016 07:35, abhinav narain wrote:
>> Hi all,
>> I am trying to make a covert communication channel using SMPS noise generated by the processor as a part of my research.
>>
>> I see a change in frequency emitted by the processor when I run the following loop (http://pastebin.com/uRghLuLm) with the message variable containing the message, and see the spectrogram (http://postimg.org/image/g0ec0nvqj/full/), with fluctuating red points at ~60 kHz, indicating the change due to a loop and sleep executed on the processor.
>>
>> I want to decode the bits and I think I should use FSK, although I lack understanding to configure the details.
>> The following is the current flowgraph where I have used a bandpass filter to narrow down the signal to ~60 kHz and a quadrature block to demodulate.
>>
>> Since the entity of interest is actual SMPS noise of the laptop adapter instead of a sinusoid, I have no clue how to write a clear decoder after looking at some tutorials of GNU Radio to know the symbol rate etc. for the clock recovery algorithm.
>>
>> I would be grateful if someone could guide me on how to proceed.
>>
>>
>> Thanks,
>> Abhinav


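As an added illustration of Marcus's matched-filter remark (this is not code from either poster or from GNU Radio), the Python below models the busy/sleep frequency shift as binary FSK buried in noise and decides each bit with a rectangular-window correlator, which is the moving-average matched filter for a rectangular pulse; the same detector is what a power-line monitor looking for load-modulated emissions would run. The 500 kHz sample rate is the thread's; the two tone frequencies, the 2 ms symbol time and the known symbol clock are constructed assumptions (clock recovery, the open question in the thread, is not solved here).

```python
import cmath
import math
import random

FS = 500_000              # sample rate in Hz: the thread captures 500 kHz of the power line
F_BUSY, F_IDLE = 62_000, 58_000  # assumed emission tones: busy loop (bit 0) / sleep (bit 1)
SPS = int(FS * 0.002)     # assumed symbol duration of 2 ms per message bit -> 1000 samples

def synth_emission(bits, snr_db=0.0, seed=1):
    """Constructed stand-in for the captured samples: a phase-continuous tone
    at F_BUSY for bit 0 and F_IDLE for bit 1 in white Gaussian noise at the
    given per-sample SNR.  It models only the load-dependent frequency shift,
    not the other SMPS clutter or the missing symbol clock of a real capture."""
    rng = random.Random(seed)
    sigma = math.sqrt(0.5 / 10 ** (snr_db / 10))  # tone power is 0.5 for amplitude 1
    x, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (F_IDLE if b else F_BUSY) / FS
        for _ in range(SPS):
            x.append(math.cos(phase) + rng.gauss(0.0, sigma))
            phase += step
    return x

def tone_energy(x, f, start):
    """Correlate one symbol of x against exp(-j*2*pi*f*n/FS).  Mixing down and
    summing over a rectangular window is a moving average of the downconverted
    signal, i.e. the matched filter for a rectangular pulse of that tone."""
    w = -2j * math.pi * f / FS
    acc = 0j
    for n in range(start, start + SPS):
        acc += x[n] * cmath.exp(w * n)
    return abs(acc)

def decode_fsk(x, start=0):
    """Non-coherent binary FSK decision per symbol: the tone with the larger
    matched-filter output wins.  With 4 kHz spacing and a 2 ms symbol the two
    tones are orthogonal over the window, so each rejects the other exactly."""
    bits = []
    for s in range(start, len(x) - SPS + 1, SPS):
        bits.append(0 if tone_energy(x, F_BUSY, s) > tone_energy(x, F_IDLE, s) else 1)
    return bits

if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]
    capture = synth_emission(message, snr_db=-6.0, seed=7)   # tone 6 dB below the noise
    print("sent   ", message)
    print("decoded", decode_fsk(capture))
```

The per-symbol correlation gains roughly 10*log10(SPS) dB of processing over the per-sample SNR, which is why the bits survive at -6 dB; a real capture would additionally need the 40-70 kHz bandpass and a symbol-timing search before this step.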

_______________________________________________
Discuss-gnuradio mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/discuss-gnuradio




