Tag: satellites

Reverse engineering Outernet: modulation, coding and framing

Outernet is a company whose goal is to ease worldwide access to internet content. They aim to provide a downlink of selected internet content via geostationary satellites. Currently, they provide data streams from three Inmarsat satellites on the L-band (roughly around 1.5GHz). This gives them almost worldwide coverage. The downlink bitrate is about 2kbps or 20MB of content per day.

The downlink is used to stream files, mostly of educational or informational content, and recently it also streams some APRS data. As this is a new radio technology to play with, it is starting to get the attention of some Amateur Radio operators and other tech-savvy people.

Most of the Outernet software is open-source, except for some key parts of the receiver, which are closed-source and distributed as freeware binaries only. The details of the format of the signal are not publicly known, so the only way to receive the content is to use the Outernet closed-source binaries. Why Outernet has decided to do this escapes me. I find that this is contrary to the principles of broadcasting internet content. The protocol specifications should be public. Also, as an Amateur Radio operator, I find that it is not acceptable to work with a black box receiver of which I can’t know what kind of signal receives and how it does it. Indeed, the Amateur Radio spirit is quite related in some aspects to the Free Software movement philosophy.

For this reason, I have decided to reverse engineer the Outernet signal and protocol with the goal of publishing the details and building an open-source receiver. During the last few days, I’ve managed to reverse engineer all the specifications of the modulation, coding and framing. I’ve being posting all the development updates to my Twitter account. I’ve built a GNUradio Outernet receiver that is able to get Outernet frames from the L-band signal. The protocols used in these frames is still unknown, so there is still much reverse engineering work to do.

Continue reading Reverse engineering Outernet: modulation, coding and framing

LilacSat-1 Codec 2 downlink

LilacSat-1 is one of the satellites that will form part of the QB50 constellation, a network of 50 cubesats built by different universities around the world that will conduct studies of the thermosphere. LilacSat-1 is Harbin Institute of Technology’s satellite in the QB50 constellation, and is expected to launch late this year. Incidentally, his “brother” LilacSat-2 launched in September 2015, and it has become a popular satellite because of its Amateur Radio FM repeater.

Apparently, LilacSat-1 will feature a very novel transponder configuration: FM uplink and Codec2 digital voice downlink. I have discovered this yesterday while browsing the last updates to the Harbin Institute of Technology gr-lilacsat github repository. In fact, there is no mention of digital voice in the IARU coordination page for LilacSat-1. According to the coordination, the transponder will be mode V/U (uplink in the 144MHz band and downlink in the 435MHz band). However, it seems that only downlink frequencies have been coordinated with IARU. Hopefully the uplink frequency will lie in the satellite subband this time. LilacSat-2 is infamous because of its uplink at 144.350MHz, which lies in the SSB subband in the Region 1.

Codec2 is the open source digital voice codec that is used in FreeDV. This makes LilacSat-1 very exciting, because Codec2 is the only codec for digital voice radio that is not riddled with patents. Moreover, it performs much better than its main competitor: the AMBE/IMBE family of codecs, which are used in D-STAR, DMR and Yaesu System Fusion. Codec2 can achieve the same voice quality as AMBE using roughly half the bitrate.

Harbin Institute of Technology has recently published a GNUradio decoder for the Codec2 downlink and an IQ recording to test the decoder. Here I take a quick look at this code and I talk a bit about the possibilities of using Codec2/FreeDV in satellites.

Continue reading LilacSat-1 Codec 2 downlink

AISAT and ATHENOXAT-1

It turns out that the satellites AISAT and ATHENOXAT-1 use the NanoCom U482C transceiver from GomSpace. This is the same transceiver that GOMX-1 uses, so the same decoder can be used.

I’ve added example flowgraphs and wav recordings to gr-ax100 and complete decoders to gr-satellites. Note that there is no telemetry parser yet, because I don’t have the telemetry format used by these satellites. Thanks to Jan PE0SAT for sending me an AISAT recording and to Roland PY4ZBZ for sending an ATHENOXAT-1 recording (note that this satellite is on a low inclination orbit, so it can only be received near the equator).

I’m on the lookout for any other satellites using the NanoCom U482C transceiver or the NanoCom AX100 transceiver (this is the transceiver that GOMX-3 uses), as it should be possible to decode them with gr-ax100.

Decoding GOMX-1 telemetry

GOMX-1 is a 2U cubesat from GomSpace that was launched in November 2013 into a sun-synchronous orbit. As far as I know, it was the first satellite with an ADS-B receiver payload. It transmits telemetry on the 70cm Amateur band, including some data from the ADS-B receiver, as GOMX-3 does. Some Amateurs, including me, had tried to decode its telemetry on several occasions, without success. GOMX-3 will decay in about 4 weeks, as it was launched from the ISS on October 2015. Therefore, it now becomes more interesting to decode GOMX-1, which is in a longer term orbit. After one more serious try, I’ve been able to decode the telemetry. This is the first time that an Amateur decodes telemetry from GOMX-1 completely. The decoder code can be found in gr-satellites and gr-ax100, including an example wav file in gr-ax100/examples/gomx-1.wav.

Continue reading Decoding GOMX-1 telemetry

Some notes on BEESAT and Mobitex-NX

The family of BEESAT satellites from the TU Berlin transmit telemetry on the Amateur bands using the Mobitex-NX protocol. Some of the BEESAT satellites also include a digipeater using this same protocol. There is a GNUradio implementation from TU Berlin of a software TNC for these satellites. This software has some shortcomings (for instance, FEC decoding wasn’t working properly). I’ve made my own fork where I’ve fixed some of the problems. Here I’ll talk about various aspects of the Mobitex-NX protocol and the GNUradio implementation.

Continue reading Some notes on BEESAT and Mobitex-NX

A brief try at decoding HORYU-4 1k2 AFSK telemetry

In the previous post I’ve talked about HORYU-4 CW telemetry. Here I report my findings when trying to decode 1200baud AFSK telemetry. Since the satellite transmits digital telemetry only over Japan, the recordings I’ve analysed have being kindly provided by Tetsurou JA0CAW. There is a telemetry format document from Kyutech, but as it is the case with the CW document, it is rather incomplete and lacks several important details.

Continue reading A brief try at decoding HORYU-4 1k2 AFSK telemetry

HORYU-4 CW telemetry format

HORYU-4 is a small satellite from Kyushu Institute of Technology (Japan) designed to test a high voltage solar array in space and observe the effects produced by the charge on the spacecraft due to the high voltage. It transmits telemetry on the 70cm and 13cm amateur bands. It has a CW beacon at 437.375MHz, a 1200baud AFSK telemetry downlink at 437.375MHz and a 100kbaud BPSK telemetry downlink at 2400.3MHz. The digital telemetry downlinks are only active over Japan and use a custom packet format. Here we take a brief look at the format of the CW telemetry.

Continue reading HORYU-4 CW telemetry format

Introducing gr-satellites

This post is to present my gr-satellites project. The goal of this project is to make a collection of GNUradio decoders for the telemetry of different satellites. The decoders support submitting telemetry in real time to the PE0SAT telemetry server. Another goal is that the decoders are as easy to use as possible, to try to make more people interested in receiving digital telemetry from satellites and collaborating in online telemetry submission.

The decoders can be used with the Gqrx SDR software, using its UDP audio streaming capabilities. This is the easiest way to use the decoders. It is also possible to use the GNUradio frontends in the companion project gr-frontends. These support several different SDR hardware, WAV and IQ recordings, and conventional receivers connected through a soundcard. They are design to be flexible and to allow its use in headless and automated receiving configurations.

The long-term goal of this project is to provide an alternative software chain to the UZ7HO soundmodem, AGW packet engine and DK3WN telemetry forwarder. The use of GNUradio makes these decoders more configurable and flexible and eases programming decoders for non-AX.25 satellites, which usually employ strong forward error correction.

Currently, the satellites supported by gr-satellites are 3CAT-2, AAUSAT-4 and GOMX-3. I plan to continue adding support for more satellites in the future.

Telemetry format of 3CAT-2

The team from the NanoSat Lab in Universidad Politècnica de Catalunya have published a telemetry analyser for 3CAT-2. This analyser is designed to connect to a TCP server and get the AX.25 frames in KISS format.

The telemetry format is rather simple, as one can see by looking at the PrintBeacon() function in 3cat2_telemetry.c. As I imagined, the contents of each beacon are just the numerical values of several telemetry channels written in ASCII. For example:

3 7781 0245 07 06	1 0 3.5e-01 2.5e-01 1.6e-01 6.8e-09 1.2e-09 1.8e-08

All the fields are separated by a space, except the 5th and 6th fields, which are separated by a tab. The content of the first 7 fields is as follows:

  1. Mode. Possible values: 1 survival mode, 2 sun-safe mode, 3 nominal mode, 4 TX communication incoming (data downlink), 5 RX communications (command uplink), 6 and 7 payload mode.
  2. Battery voltage in mV. In the example 7.781V.
  3. Current consumption in mA. In the example 245mA.
  4. EPS temperature (probably in ºC). In the example 7ºC.
  5. Antenna temperature (probably in ºC). In the example 6ºC.
  6. Status of the ADCS system. 0 means detumbling enabled. 1 means SS-nominal.
  7. Control flag of the ADCS routine. Possible values: 0 automatic, 1 manual

The next 3 fields are floating point numbers. If detumbling is enabled, they correspond to magnetomer values in nT for the axes X, Y and Z respectively. If detumbling is not enabled, they correspond to the sun vector, axes X, Y and Z.

The last 3 fields correspond to the control voltages for axes X, Y and Z, regardless of whether detumbling is enabled or not.

Of course, the telemetry format is so easy that it can even be parsed with a “one-line” awk script:

 strings sats/3cat2-20160824-pe0sat.kiss | awk '{if ($1==1) printf "Survival"; if ($1==2) printf "Sun-safe"; if ($1==3) printf "Nominal"; if ($1==4) printf "TX"; if ($1==5) printf "RX"; if ($1>=6) printf "Payload"; printf "  %.2fV  %dmA  EPS: %2dºC  Ant: %2dºC  ", $2*1e-3, $3, $4, $5; if ($7==0) {printf "ADCS auto  "} else {printf "ADCS manual  "}; if ($6==0) {printf "Detumbling  (%f,%f,$f) nT", $8, $9, $10} else {printf "SS-nominal  Sun: (%.2f,%.2f,%.2f)", $8, $9, $10}; printf "  Control (%.1e,%.1e,%.1e)V\n", $11, $12, $13}'

which shows the following output:

Nominal  8.26V  233mA  EPS:  4ºC  Ant:  8ºC  ADCS auto  SS-nominal  Sun: (0.49,0.42,1.00)  Control (6.9e-09,1.7e-09,1.7e-08)V
Nominal  8.28V  221mA  EPS:  5ºC  Ant:  8ºC  ADCS auto  SS-nominal  Sun: (0.16,0.87,0.57)  Control (6.7e-09,1.4e-09,1.7e-08)V
Nominal  8.29V  245mA  EPS:  5ºC  Ant:  8ºC  ADCS auto  SS-nominal  Sun: (0.26,0.96,0.46)  Control (6.7e-09,1.4e-09,1.7e-08)V
Nominal  8.30V  257mA  EPS:  5ºC  Ant:  8ºC  ADCS auto  SS-nominal  Sun: (0.62,0.78,0.42)  Control (6.7e-09,1.4e-09,1.7e-08)V
Nominal  8.30V  257mA  EPS:  5ºC  Ant:  9ºC  ADCS auto  SS-nominal  Sun: (0.64,0.72,0.49)  Control (6.7e-09,1.4e-09,1.7e-08)V
Nominal  8.30V  245mA  EPS:  5ºC  Ant:  9ºC  ADCS auto  SS-nominal  Sun: (0.64,0.66,0.59)  Control (6.8e-09,1.5e-09,1.7e-08)V
Nominal  8.30V  245mA  EPS:  5ºC  Ant:  9ºC  ADCS auto  SS-nominal  Sun: (0.60,0.60,0.71)  Control (6.8e-09,1.5e-09,1.7e-08)V
Nominal  8.30V  245mA  EPS:  5ºC  Ant:  9ºC  ADCS auto  SS-nominal  Sun: (0.54,0.54,0.86)  Control (6.8e-09,1.6e-09,1.7e-08)V
Nominal  8.29V  245mA  EPS:  5ºC  Ant: 10ºC  ADCS auto  SS-nominal  Sun: (0.45,0.49,1.00)  Control (6.9e-09,1.7e-09,1.7e-08)V
Nominal  8.28V  245mA  EPS:  5ºC  Ant: 10ºC  ADCS auto  SS-nominal  Sun: (0.32,0.44,1.00)  Control (6.9e-09,1.7e-09,1.7e-08)V

The KISS file in question was obtained from the recording on 24/08/2016 at 10:54 by PE0SAT that I mentioned at the end of a previous post.

Many thanks to Juan Fran Muñoz and the rest of the NanoSat Lab team for publishing the telemetry analyser and sharing details about the satellite and the operations.

How hard is it to decode 3CAT-2?

In a previous post, I looked at the telemetry packets transmitted by the satellite 3CAT-2. This satellite transmits 9600bps AX.25 BPSK packets in the Amateur 2m band. As far as I know, it is the only satellite that transmits fast BPSK without any form of forward error correction. LilacSat-2 uses a concatenated code with a (7, 1/2) convolutional inner code and a (255, 223) Reed-Solomon outer code. The remaining BPSK satellites transmit at 1200bps, either using AX.25 without FEC (the QB50p satellites, for instance), or with strong FEC (Funcube, for example). Therefore, I remark that 3CAT-2’s packets will be a bit difficult to decode without errors. But how difficult? Here I look at how to use the theory to calculate this, without resorting to simulations.

Continue reading How hard is it to decode 3CAT-2?