One stormy night in 2007, I was listening to local FM stations while viewing a live spectrogram of the audio on the computer, through the radio's Line Out. Nearly all stations seemed to have a persistent sinusoid tone at 19 kHz, on the edge of human hearing. Turned out it's a pilot tone that the receiver uses to regenerate various subcarriers at their correct phases. The most prominent of these is the stereo subcarrier at 38 kHz, used to transmit the stereo difference signal.
But something else is also visible on the spectrogram, mirrored on both sides of the pilot tone. It's a quiet signal that has a strange repetitive pattern, almost like binary data of some sort. Let's listen to a gradual downconversion I made on an FM station, revealing how the mystery signal sounds. Here I tune the heterodyne from baseband to 19 kHz.
It definitely sounds like data. I knew FM station names are transmitted alongside the audio, and that it's called RDS (Radio Data System). Could this be the RDS signal? Why does it appear at 19 kHz when the specification says it should be on the third harmonic of the pilot tone, a 57 kHz subcarrier? Just a weird aliasing/mirroring artifact? It's so close to the audio band that it actually gets interfered by some of the highest audio frequencies. But the symbol rate indeed seems to be close to 1187.5 bps, which is the RDS baud rate.
How exactly did the data end up there from 57 kHz? It could be a complex mechanism. Afterall, what I'm getting out of Line Out is not the raw FM demodulated radio signal, because the sound would be monophonic. If I switch the radio to mono reception, the data disappears altogether. So the data is probably being leaked by the stereo decoder, and is somehow related to the way the decoder applies the difference signal to the monophonic main signal. The manufacturer just didn't want to go through the trouble of filtering the artifacts out, because they're near-ultrasonic and thus practically inaudible. The mono/stereo switch probably just switches the stereo decoder off and feeds the actual demodulated baseband audio to Line Out instead.
Being the signals geek that I am, I just couldn't leave it at that. I read the 160-page specification and wrote a complete RDS demodulator and decoder to solve this mystery. And I was right! Here's a station called YLE Radio Suomi, running Radioterapeutti. The data is being decoded live from the quiet artifacts in the Line Out audio.
But it's so much more than just a station name. There's RadioText that often contains a description for the currently running programme; there's a numeric station identifier that can be decoded from even faint signals; there's information about what's currently on on other stations and what are their frequencies; and so on. Also the traffic messages displayed by car GPS navigators are transmitted to cars over RDS. And there are options for pager systems, emergency messages, and whatnot.
All this led me to make modifications to my radio and also embed all this onto a Raspberry Pi.
This is so cool, I can't even explain!
ReplyDeleteI hope that's a good thing.
DeleteRDS is relatively-ish well-known. I know that SDR# decodes it in WFM mode. I didn't know it was so close as to actually interfere with the highest part of the audio passband, though!
ReplyDeleteThe real ticket is decoding the digital broadcasts over here in the States where it's "HD Radio" and everything is patent encumbered and terrible. I think there are DAB/DAB+ decoders already written for the rest of the world's standard, though.
It's not actually that close to the audio passband, it's just an artifact produced by my radio. The RDS subcarrier is at 57 kHz.
DeleteFor a little more bandwidth I wrote a little python ditty that grabs data from a scope and dumps it to baudline via stdin:
ReplyDeletehttp://www.urlme.net/blog/?p=2031
Great blog and excellently documented projects! Well done!
ReplyDeleteYour signal "geekiness" reminds me of a long-forgotten fun-project plan I had. Using a digital storage oscilloscope and a highly sensitive receiver with flat and wide selectivity in the 1-100 KHz range and an appropriate antenna, one can eavesdrop the electromagnetic waves emitted from keystrokes of any PS/2 (and not only) based keyboard. After sampling the signal, (the fun part) is to write a signal processing script that would decrypt the collected keystroke data. Sounds evil and must be used only for learning purposes of course :)
Here are some enthusiasts that have in fact done it: http://www.youtube.com/watch?v=AFWgIAgMtiA
So that's just a thought I've had long ago in my mind. Hope you don't get me wrong, it's only the technical side of that task that's intriguing. :)
Great blog! Loved the articles on DARC, RDS and the Atomic Powered Robot...
ReplyDeleteI have been playing with RDS lately, and posted some results here:
http://migblog.blog.com/2013/12/12/waterfall-display-for-fm-broadcast/
Regards, mig.
It might be because you are sampling with your soundcard, you are sampling at 44 khz approx? and that is too slow to see the spectrum at 57 khz, but because of an sampling effect, it does appear anyway, and since the data rate is slower than your sampling speed, it's perfectly fine to demod. it would be fun to know if you could sample faster and see if my theory is right, and it is interesting that the signal disappears when you go mono, it could be your explanation too.
ReplyDeleteIt's not about the sound card, I've tested that. It's the radio's stereo demux circuitry. It goes away if I switch off stereo demuxing.
DeleteI have an FM radio that I modified by removing all but one capacitor from the demodulator/low-pass filter. The cap I kept, filters out the 10.7 Mhz IF, but allows everything else to pass through. I built a Ramsey Kit PLL based SCA decoder kit, which I modified by adding better high-pass filtering. It easily tunes into the analog SCA signals on 67 and 92 Khz, but it can also detect data at 57 Khz, converting it unto audible frequencies. I haven't bothered to try to decode any of them, as I am more of an analog geek than a CPU coding geek. :) I'm positive that you're right about the stereo decoder of your radio creating that "image" of the RDS near the 19Khz pilot. Nice work! :)
ReplyDeletewhy are girls the best hackers? you fucking rock!! keep it up!
ReplyDeleteLooks like the RDS encoder output has become dirty, or possibly the pilot tone level is set too high and is over deviating. It would explain why the 19 KHz bandwidth is wider than normal.
ReplyDeleteIt's on every channel. It comes from the stereo decoder circuit.
Deletehttp://i.imgur.com/MeqjM9i.jpg
ReplyDeleteI reproduced this using MPX tool and software MPX signal generator. I noticed this phenomenon some time ago. It turned out to be the "MPX" bug - always present :) Though, some high end tuners with proper LPF filters don't let the RDS and pilot tone leak into the audio.
RDS is quite a topic in its self with so much information being sent in approximately 1200 baud. A reason why RDS is leaking into the audio has to do with its proximity to the upper sideband of the difference signal. FM stereo difference is a form of AM called DSBSC or double sideband suppressed carrier. The two sidebands are mirror images of each other with the upper sideband being accurate to the original audio. The highest audio frequency determines the highest modulating frequency which is actually 53 KHz resulting in a very narrow guard band between it and the RDS sub carrier which centers at 57 KHz. An earlier comment about the artifact being a mixing image is pretty accurate. 57 is a multiple of 19 which in this case means 19 KHz for the FM stereo pilot and by the way 38 is also a multiple of it too.
ReplyDelete