WIRELESS VILLAGE - Introduction to Railroad Telemetry

Video in TIB AV-Portal: WIRELESS VILLAGE - Introduction to Railroad Telemetry

Formal Metadata

WIRELESS VILLAGE - Introduction to Railroad Telemetry
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Subject Area
North American railroads use several wireless systems for remote control, monitoring, and tracking of locomotives, railcars, signals, and other equipment. This talk will provide an overview of the systems in use and an in-depth look at two of them. The end-of-train (EOT) device contributed to the demise of the caboose 35 years ago, taking over one of its primary functions: monitoring brake pipe pressure. The EOT transmits pressure, its unique ID, and other data, encoded into AFSK packets, to a corresponding head-of-train (HOT) device in the locomotive. A secondary function is venting the line in an emergency braking event, under command of the HOT. BCH error correction is employed for reliability, but there are inherent security flaws. An SDR/GNU Radio/Python workflow for decoding and verifying packets will be demonstrated. Attempts at automatically identifying passing railcars were largely unsuccessful until the introduction of the Automatic Equipment Identification (AEI) system in the early 90s. This 900 MHz RFID system consists of passive tags on each locomotive and car and wayside readers at rail yard entrances and other locations of interest. The author's day job in environmental noise consulting led to a study of the feasibility of using AEI for rail noise studies. It had to be reverse-engineered first, of course. Using a repurposed commercial reader, Raspberry Pi, and cellular modem, a remote monitoring system gathered tag data for 5 weeks. Details of the protocol and monitoring system will be presented, along with video demonstrations.
Thanks to the folks at Wireless Village for having me. My name is [unintelligible]. I'm not sure how to introduce myself to this crowd; my work is not in anything I'm going to talk about today. I teach and consult in acoustics and noise control, but my education is in electrical engineering, and I have been a lifelong electronics nut and train nut, so I look occasionally for ways to bridge those gaps, although it's rare that those opportunities work out. With the advent of consumer SDR devices in the last five years or so, I've been inspired to look at some of the wireless protocols the railroads use. My interest in this isn't to find ways to exploit them or break them; it's really to figure out where the trains are so I can go and take pictures of them, and things of that nature. I'm part of a subculture of people who like to chase trains around and photograph them. This photograph was taken at Apex, which is just a few miles north of here, a couple of years ago. I'm a ham, [callsign unintelligible], for the hams in the room, and I'm on Twitter, but I've only ever tweeted four times, two of them in the last forty-eight hours. I've sent out some of the material from this talk, and I'm going to release some code as well, so if you want that stuff you can follow me.

When I put this together and wrote the abstract, I planned to break this into three parts: first a survey of all the different wireless systems that railroads use in the United States, and then a look at two specific protocols that I've spent a lot of time reverse engineering, for no particular reason except to amuse myself and as learning tools for learning about SDR, GNU Radio, Python, RFID, and that sort of thing. So I decided to spend the time on those two things and not spend much time on the other protocols. But just very quickly, these are the major uses of RF by the railroads. There is voice communication; that has been around forever. It went narrowband a few years ago, but it's still in the same block of frequencies. PTC and ATCS are both traffic control protocols; PTC especially has had a lot of press lately. Distributed power, DP, is a remote control protocol for locomotives. And then the two that I want to talk to you about today are the end-of-train / head-of-train telemetry system, the EOT system, and the Automatic Equipment Identification system, AEI.

So, to jump right into the EOT: first, to really understand the purpose of the EOT, I'm going to spend a few slides on mechanical stuff, and that's the braking systems for railroads.
So if you have a locomotive, or a set of locomotives, and a string of cars, you have to have brakes on the individual cars or you will never stop the train; they would easily overwhelm a locomotive. In the early days this was accomplished by having people run down the top of the train and turn wheels, which is very dangerous and inefficient; you really have to plan ahead if you want to stop the train. That went on until the late eighteen hundreds, and around 1869 or so George Westinghouse, when he was twenty-two, came up with and patented the first railroad air brake system, which is very similar to what is still used. The important thing in understanding the way these brakes work is that they're intended to be fail-safe, which is to say that the brake cylinders on the cars are actually actuated by air that's stored on each car, and so to apply the brakes you actually reduce the pressure that you send to the cars from the engine. That's important in the context of the devices we're going to look at here.

This is how it goes together. You have in the engine (the red stuff there) a compressor and a reservoir for air; it's fairly high pressure. Then there's a pipe that runs the whole length of the train and carries the air to each car, which has a special valve called a triple valve, a reservoir, and then the brake cylinder and brake rigging that applies the brakes to the wheel. So there are three basic conditions that are important in the context of this discussion. The steady-state condition is when the brakes are off, the release condition; during that time about 90 psi is being supplied by the engine to the cars, and that charges up the reservoirs on the cars, so they are always being charged or topped off. Then, if you want to slow down the train, you do what's called a service application, which means that you gradually reduce the pressure from the engine; the pressure in the reservoir on the car becomes higher than that in the brake pipe, and some of that air then moves over and applies the brakes. The other condition is called an emergency application. That's when there's a car stuck on the tracks or something and you stop the train right now, and to do that you vent the brake line to the atmosphere: you dump the air, so instead of reducing it slowly you reduce it to zero immediately, and that applies the brakes very quickly. The propagation rate is essentially limited by the speed of sound. Service application propagation is about six to seven hundred feet per second, and an emergency application gets up to about nine hundred feet per second. But a train can be miles long, so it takes a few seconds even for an emergency application to get the air all the way to the back of the train, which means that the brakes are on at the front but not at the back, and the momentum of those cars is still pushing until that propagates to the back.

So it's important for the engineer to know what the pressure is at the back of the train, for several reasons. When you start moving, you need to know when the brakes are off. You need to know that the brake pipe is intact, that it hasn't been pulled apart. And then if you're actually moving and a knuckle or a coupler breaks, you want to know that the train has pulled apart. So it's important to monitor that pressure at the back of the train, and for the first hundred and ten years or so that was done by a human in a caboose. This was one of the principal functions of the caboose: to monitor the brake pressure. Then in about 1980 the caboose was no longer required by the FRA, and they were quickly replaced by these EOT devices, which is what's in the photo there. So the EOT hangs on a coupler on the back, next to the brake line, monitors the pressure, and radios the pressure back to the engine.
So the system is a two-part, full-duplex system, so a frequency pair. The EOT sends telemetry data forward, and the engine has a couple of commands that it can send back, and I'll get to that in just a second. But it's full duplex, so if you want to hear both of them you have to monitor both frequencies.

So, some functions. The first one I have talked about, but it also provides a flashing red light on the back of the train, which is required for night operations, and these are sometimes called FREDs, for flashing rear-end device. In that case the HOT [unintelligible]. And then the last function there is that in an emergency stop situation the HOT, the head-end unit, which sits in the engine, can tell the EOT to dump the air, and that effectively dumps air from both ends of the train at once and applies the brakes much more quickly. And this is a source of a security concern we'll talk about here.

Specifications: this is the frequency pair I mentioned earlier. The RF power of the EOT is two watts. The antenna is in a terrible position; it's, you know, blocked by the back end of a railcar, so the reception is actually much better anyplace but the engine. It's easy to monitor these things. The modulation is continuous-phase frequency shift keying, also called minimum shift keying. It's a 1200 baud signal, and the mark and space frequencies are 1200 and 1800 Hz. The way CPFSK works is that each symbol is either one cycle of the lower frequency or one and a half cycles of the higher frequency, and the benefit of this is that the phase is continuous: every time you get to a zero crossing you don't have a discontinuity, so it doesn't create a lot of harmonic noise, so you can use a very narrow transmission channel. For this to work you have to have either the mark or the space frequency equal to the baud rate. What I've plotted here is a 0101 sequence, and you can see that for the ones you have a full cycle at 1200 Hz and for the zeros one and a half cycles at 1800 Hz. The phase is arbitrary; it's dependent on the previous symbol. If you look at every other sine wave, the phase is offset, so it's the frequency that matters, not the phase.

So frequency shift keying of this type, CPFSK, is a type of AFSK, audio frequency shift keying, which means that it's a sort of two-part modulation and demodulation process. To modulate, essentially you take a bit stream and you generate audio, and that audio may never be heard, but it becomes an audio signal, and then you can transmit that through an audio channel, or a channel that's designed for voice communication. In the early days of data modems that was the type of transmitter that was available, so you see a lot of this in older protocols. Then on the other end you do the opposite: you demodulate the audio, and then you demodulate the bit stream, and I'll show you that process in GNU Radio.
EOT packets have been used for a long time by railfans, people who like trains, to tell when a train is coming. If you're out waiting for a train that you want to see, you start hearing these chirps; that's how you know there's a train approaching. But I always wondered what they're actually saying, and so that was sort of the motivation for this project. There is a Windows software called SoftEOT that does this, but it's not open source, and I really wanted to go into it and understand it. So the first clue I got was this figure from a patent. The patent was for some proposed improvement or something that probably didn't go anywhere, but there's this figure in there that has the packet format. So they have at the top the bit sync and the frame sync, and then what's in the actual packet. Starting with this, I was able to do some additional research and come up with what I think is the packet contents for a modern EOT. This has evolved a bit over the last forty years as the technology has gotten better. The important things here, though, are the unit ID and the pressure, and then there are some other flags for things like battery condition and whether the rear-end light is flashing; a lot of these units now are powered by a turbine that bleeds some air off the brake line to charge the batteries, which keeps them running indefinitely. So these fields are all in the clear; if you know where to look inside the packet you can get the data. They are validated, though, by a set of eighteen check bits using BCH error correction; I'll explain a bit about that in a moment.

But here's a first attempt at decoding this. I just recorded an audio sample off of a radio scanner, and this is Audacity, which everyone who works in audio has seen in many demonstrations. As I mentioned, if you record at a 48 kHz sampling rate, every symbol is 40 samples. So if you get lost going through this looking for whether it's one cycle or one and a half, you can just measure 40 samples and figure out where you are. So I put a comment track down at the bottom there (two, actually), went through the whole thing and just typed 0101, and then correlated that to what I knew those fields were and what I knew the unit ID for this unit was. The unit IDs are all printed on the side of the EOT; if you can see it you can get the unit ID from there. And I discovered that all the multi-bit fields are little-endian, and you have to reverse them before you convert them to decimal. But this is unit 10603, and the pressure was 66.
About the BCH code: if you just want to know what the data contains, you can just look at these fields. If you want to actually validate the packet, you need the BCH code. BCH is a type of CRC for error correction. How to actually calculate the generator polynomials is another lecture, and one I'm not qualified to give, but I'll give you an example of how to calculate the check bits if you know the generator polynomial, and this is similar to any CRC calculation. This example is the simplest one you can use, the (7,4) code, and what that means is that there are seven bits in a code word and four of those are actual information; the other three are the check bits. Technically you take the information and the check bits and concatenate them to come up with a code word. So here's an example of calculating that. The first step is to take the order of the generator polynomial, which is third order; the generator polynomial is 1011 in binary form. Then you pad your information with the same number of zeros as the order of the polynomial, which ends up being the number of bits in the polynomial minus one. And then you just take the modulo; we don't care about the quotient, we just care about the remainder, and the remainder is the check bits. So in this case we take 011, because we know it's three bits, and concatenate that with 1010, and that's our code word. So there are 128 possible seven-bit binary numbers, but only sixteen of them are valid code words. You notice here that any valid code word, if you rotate it, is also a valid code word; that's the cyclic nature of this.

I've done a sort of linear list of valid code words and not-valid code words, which is a gross oversimplification, because what you're really after is the Hamming distance, which is the number of bits that you would have to change in an invalid code word to get to a valid code word. For this code it's very small; you can only correct one error in this code. It has a Hamming distance of three, a minimum of three. But in the BCH code for the EOT packets we have a lot more check bits, so we can correct more errors. However, there are two ways to validate a packet: one is to actually do the error correction, and the other one is to just recalculate what you know the check bits should be and make sure they're the same. So in a non-critical application like this one, certainly, that's a much easier way to do it. You basically just, you know, use the generator polynomial, modulo it with the data, and see if the bits you received are the same as the bits you calculated. At least that's what I assumed would be the case; it turns out it's not quite the case. So the BCH code in the EOT packet is a (63,45) type: there are 45 bits of information and then 18 check bits.

And this took the longest time of any of this to figure out. They actually first reverse the order of the whole data block, and then they calculate the BCH check bits, and then for some reason they XOR that with an 18-bit string. I think there's probably some technical reason for that; I don't have a sense that it's a security reason, because obviously if you know the right answer you can just XOR it with what you have and get the key. So I don't think it's a security thing; maybe one of you has an idea about why they do that. Anyway, then they take the encrypted (I hesitate to use that word) check bits and concatenate those with the original packet, not the reversed packet. So this took a lot of thrashing around to figure out, but once I got it I could reliably recreate the check bits and compare them to validate my packets.

The decoder that I put together is in two parts. The first part
is GNU Radio. In GNU Radio I'm going to take the IQ data from the SDR and demodulate it to audio, and then take the audio and demodulate that to a bit stream, and then send that to a ZMQ socket. Then, in a separate Python script, which could be located anywhere, I grab that ZMQ PUB/SUB socket, parse out the data fields, compute the checksum, and validate the packet.

So here's the whole flowchart. It's very simple; I tried to keep everything very simple here. I'm going to zoom in on this, but that's the whole thing. Basically, RF stuff on the top and audio stuff on the bottom. In the upper left corner I have the source, then it drops to 4 kHz bandwidth, which is still more than we need, and a squelch, which I actually haven't been using; I'll explain why in a moment. Then moving over I have to resample to get down to 48 kHz audio, and that's way more than we need for this application, but I wanted this to also be able to read a WAV file, so I just did everything at 48 kHz so I can read a WAV file in for testing. And actually if you feed an audio source from the laptop microphone into this and just put a radio next to it, it will decode the packets. It's a pretty slow data rate, a pretty robust format. There's audio, I think, if you want to hear it. And then there's the line that goes back across, as audio at this point.

Then I go into a frequency-translating FIR filter, and what I'm doing here is shifting the center to a point that's halfway between the mark and space frequencies, so the zero-hertz point is what used to be 1500 Hz, and what that does is it makes the space frequency positive and the mark frequency negative. The complex output that that creates goes into the quadrature demod block, and in simple terms the quadrature demod output is proportional to the frequency of the input, the instantaneous frequency of the input. So if you've shifted the input such that you have positive and negative frequencies relative to that midpoint, it's very easy for the quadrature demod block to figure out whether it's a mark or a space; essentially two samples are enough for that, but even that's more than we need. The mark frequency is the lower frequency, so it's inverted logic, which is why I'm multiplying by negative one. Then I'm resampling that down to four samples per symbol instead of forty, so just divided by ten. And then clock recovery, binary slicer, and into the ZMQ PUB/SUB sink. The output of the binary slicer is bytes, so there's a byte that represents each bit, so effectively it increases the data rate by eight, and the bytes are 0x00 or 0x01; they're not ASCII zero and one, their actual value is zero or one.

Just to quickly show you the steps graphically: this is that same 0101 test signal that I showed earlier, in green, and then the output of the quadrature demod block is in blue. So you can see when the frequency is 1200 it goes down, kind of sinusoidally, and when it's 1800 it goes up. And then the binary data, that's after the slicing and the logic inversion, is very clean, and it seems to be pretty reliable.
I don't think you'll be able to read this, but I've put this up on GitHub. This is the routine that essentially connects to the socket, and what's coming in is arbitrary chunks of ones and zeros, so it might be one byte, it might be twenty bytes, and if we have time I can show you what's coming through. So what I'm doing is I'm putting each of the new blocks that comes in, which I read one byte at a time, into a deque that has a fixed length that's more than I need, more than the packet length, and then every time I put a byte in I take the whole thing, put it in a buffer, and see if my frame sync sequence is at the top of the buffer. If it is, then I might have a packet, and so I go then into a class that parses out the data and does all the acrobatics to figure out the checksum. If the checksum checks out it sets a flag, and then the main function prints it; it calls into a print function that prints it to the screen. This would be easier to see if it were in front of you, but that's the process. There may be a more efficient way to handle that, but I'm not going to... but it works, it seems to work reliably. So here's a field test.
I'm going to... it's going to have audio for this; it's not important, but it makes it more dramatic. So there are two packets arriving. There's no reason to be this close to the train; you can be a mile away. In fact I was testing this morning in my hotel room on the other side of the Strip and I was getting packets from a train going by, no problem, inside the building, so you can receive these pretty far away. Now I want to do a live demo.
I have loaded up here on my
HackRF, with prepacked audio files that are packets, and this is going to transmit them using one of the ham bands, the 440, 70 centimeter band, so that we don't transmit on the actual railroad frequencies, and I can ID and all that to keep this legal. So really there are just two parts to this. I'm going to play the flow graph here, and then I'm going to run, once it's up and, you know, it gets settled here, I'm going to go over here and run this.
I wrote all this stuff in Python 3 because it's 2018, but of course GNU Radio is still Python 2, so you have to run them separately at the moment, but hopefully in the future that will get integrated. And I'm just going to play, it's just a loop here, just a kind of demo sequence that has a number of packets, and I have an HT on here so you can hear the... you hear that? And we're not getting all the packets; it's a noisy environment. So there are three different packets kind of flowing in there, and I just picked some interesting fields to display. This isn't all of them, but I have the ID and the pressure and whether the train's moving, whether the marker light is on, et cetera. Another thing, I'm going to stop this one. I do think that detail might be helpful: the cars, the couplers all have slack in them, like a gearbox, so when the engine starts moving the first car starts moving and then the second car starts moving; you'd never be able to start a two mile train if it were all rigid. So this motion marker helps the engineer know when the back of the train has actually started moving, and some of the more advanced EOTs use discretionary data to actually tell the direction too. That's why, you know, the standard came out and different companies can now use different discretionary fields to do different things. Now, go back to PowerPoint here.
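As an added example, not the speaker's code or the GitHub project, here is the demod chain just described in pure Python (shift to the 1500 Hz midpoint with a frequency-translating FIR low-pass, quadrature demod, multiply by minus one, decimate from 40 to 4 samples per symbol, pick the symbol timing, slice) feeding the deque-based frame sync search. The 48 kHz sample rate and 1200 baud, the 16-bit sync word, the 64-bit frame length and the payload are assumptions or constructed placeholders, not the real EOT frame format.

```python
import cmath
import math
from collections import deque

# Assumed (not on the page): 48 kHz audio at 1200 baud = 40 samples/symbol.
# SYNC, FRAME_BITS and PAYLOAD are constructed placeholders, not the EOT format.
FS = 48_000
BAUD = 1200
MARK_HZ, SPACE_HZ = 1200, 1800          # mark = logic 1, the lower tone
CENTER_HZ = (MARK_HZ + SPACE_HZ) / 2    # 1500 Hz: mark -> -300 Hz, space -> +300 Hz
SPS = FS // BAUD                        # 40 samples per symbol
DECIM = 10                              # resample 40 -> 4 samples per symbol
SYNC = "1010101111000111"               # placeholder frame sync word (constructed)
FRAME_BITS = 64                         # placeholder frame length (constructed)
PAYLOAD = "110010100011110100101011001001110101100010011010"  # 48 bits, constructed

def afsk_modulate(bits, fs=FS, baud=BAUD):
    """Constructed test signal: continuous-phase AFSK, one tone per bit."""
    out, phase = [], 0.0
    for b in bits:
        f = MARK_HZ if b else SPACE_HZ
        for _ in range(fs // baud):
            out.append(math.cos(phase))
            phase += 2 * math.pi * f / fs
    return out

def lowpass_taps(cutoff_hz, fs=FS, ntaps=101):
    """Hamming-windowed sinc low-pass, normalised to unity DC gain."""
    m = ntaps - 1
    taps = []
    for k in range(ntaps):
        x = k - m / 2
        h = 2 * cutoff_hz / fs if x == 0 else math.sin(2 * math.pi * cutoff_hz * x / fs) / (math.pi * x)
        taps.append(h * (0.54 - 0.46 * math.cos(2 * math.pi * k / m)))
    total = sum(taps)
    return [t / total for t in taps]

def freq_xlate_fir(samples, fs=FS, center=CENTER_HZ):
    """Frequency-translating FIR filter: mix the real audio down by `center` Hz so
    mark and space straddle 0 Hz, then low-pass the complex result to drop the
    mixing image (the copies that land near -2700 / -3300 Hz)."""
    taps = lowpass_taps(1200, fs)
    mixed = [s * cmath.exp(-2j * math.pi * center * n / fs) for n, s in enumerate(samples)]
    out = []
    for n in range(len(mixed)):
        acc = 0j
        for k in range(min(n + 1, len(taps))):
            acc += taps[k] * mixed[n - k]
        out.append(acc)
    return out

def quad_demod(iq):
    """Quadrature demod: phase step between consecutive complex samples, which is
    proportional to instantaneous frequency (negative for mark, positive for space)."""
    return [cmath.phase(iq[n] * iq[n - 1].conjugate()) for n in range(1, len(iq))]

def demod_to_bits(samples, fs=FS):
    """Translate + filter, quad demod, multiply by -1 (mark is the lower tone, so
    the logic is inverted), decimate by 10, choose the sampling phase, slice."""
    freq = [-v for v in quad_demod(freq_xlate_fir(samples, fs))]
    dec = freq[::DECIM]                          # now 4 samples per symbol
    sps = SPS // DECIM
    # Simplified clock recovery: of the 4 possible sampling phases keep the one
    # with the widest eye (largest summed |frequency|), i.e. the symbol centres.
    best = max(range(sps), key=lambda o: sum(abs(v) for v in dec[o::sps]))
    return [1 if v > 0 else 0 for v in dec[best::sps]]   # binary slicer

def find_frames(bits, sync=SYNC, frame_bits=FRAME_BITS):
    """The sync search from the talk: bits arrive one per byte from the PUB socket
    and go into a fixed-length deque; whenever the deque holds a full frame whose
    head is the sync word, hand the remaining bits to the packet parser."""
    buf, frames = deque(maxlen=frame_bits), []
    for b in bits:
        buf.append(b)
        if len(buf) == frame_bits and "".join(map(str, buf)).startswith(sync):
            frames.append("".join(map(str, list(buf)[len(sync):])))
            buf.clear()
    return frames

def demo():
    """Modulate preamble + sync + payload, demodulate it, and recover the frame."""
    bits = [int(c) for c in "01" * 8 + SYNC + PAYLOAD + "0101"]
    return find_frames(demod_to_bits(afsk_modulate(bits)))
```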
So, security. I haven't talked much about the HOT part of this. The standard has two commands for the HOT. One is a status request: the EOT broadcasts its data every minute, give or take ten seconds, but if the HOT hasn't heard from it for a while it can request status. The other command is the emergency braking command. The security that's built into this is sort of to prevent a rogue HOT from initiating an emergency stop for any EOT, so there's an arming sequence where you press a button on the EOT and then you press a button on the HOT, and then it acknowledges, and then that HOT is allowed to send the emergency signal. The problem, though, is that there's no way for the EOT to know if that actually came from the HOT. So forty years ago that wasn't really a big concern, but now... and this is something I didn't discover; this has been known about in the industry for years. There's a paper from 2005 from a conference in Tokyo where Paul and Steven Craven, who I assume are related, wrote about the vulnerability of spoofing the signal and provided some recommendations for a key exchange, and as far as I know that's never been done. So the code that I'm putting up on GitHub does not deal with the HOT at all; it decodes the EOT, and it doesn't generate packets for either. It doesn't even... because the HOT is not especially interesting to look at; the HOT rarely broadcasts, and the chances of catching that emergency packet are very small, and for that reason a replay attack isn't really a big concern, because it's such a rare event. Right, so the other protocol that I want to talk about, and we're right at 4:36, I've got to... we're given a second... is the Automatic Equipment Identification system, AEI.
This is an RFID system that's used for identifying equipment as it passes a reader. So back in the sixties the rail industry started looking for a way to do automatic equipment identification, and what they came up with initially was one of the first barcodes. This is a system called KarTrak. Let me put this...
...bring it back here. Come on. KarTrak, which is a color barcode that went on the side of the cars, and they worked really well until they got dirty, and then they didn't work at all, so the whole thing, the whole mess, was abandoned in 1977. And then through the eighties they tried to come up with another way to do this and settled on RFID, so by '94... in '91 the mandate went out, and by '94
every railcar and engine in the US had an AEI tag. This is an actual AEI tag here, so it's a bit of an RFID tag. Some of these slides I made for a less technical crowd, so
I'll go through them quickly, but essentially in any RFID system you have a reader and a tag. The tag is usually passive, sometimes battery assisted, but essentially the idea is that the reader sends out RF power, and that powers the tag, which then spits back some data.
There are broadly a couple of different types of RFID. The lower frequency ones, where antennas would be impractical, very long, are inductively coupled, so most of the door access systems and things of that nature: you have a coil in the tag and you have a coil in the reader, you get them close together and they couple like a transformer. At higher frequencies it's practical to have antennas that are reasonable relative to the size of a reader, and so you can do some long range stuff; we actually send the power out pretty far and get it back. A common application is tolling, for example, you know, high speed tolling. The system we're going to look at is in the 900 megahertz ISM band, and also the ham band, and it's a long range one. There are two standards that apply to AEI. One is ISO 10374, which is an old, you know, antiquated by any other standard outside of the rail industry, air interface protocol. The air interface protocol essentially defines the way the data is exchanged and the format of the ID; the data that comes back in this case is 128 bits, and so then whatever your application is, you decide what those 128 bits mean. And so the AAR S-918, the Association of American Railroads S-918 protocol or standard, then defines what those 128 bits mean and where the tag should go on the car and things of that nature. I think that's been replaced now by S-9203, and then by S-6009, but I don't have copies of those, so I don't know for sure. S-918 is pretty old, but nothing's changed on this.
Here are the fields that the tag contains. There's the type of equipment, whether it's an engine or a car, or there are others, trailers, you know, some other special types of equipment. The reporting mark, which is a four letter identifier that tells you who owns it, so if it's UP it would just be UP, Union Pacific. If it's a company that is not an actual railroad but leases equipment, then it would be up to four letters ending in X, so something-X is not a common carrier, but they own equipment, so there are reporting marks assigned to anyone who owns railcars. And then you have which side you're looking at; there are two tags on each car, and that's related to the end that has the handbrake, looking from the end that has the handbrake. The length of the vehicle, the car or engine, how many axles it has, what type of bearings it has; they're all roller bearings now, but back in the early nineties there were still some friction bearings. And then there are a number of additional equipment dependent parameters, like engines have slightly different data than cars, and then there are actually some provisions in there for active tags that would tell you things like how much fuel is left in the engine or things like that. As far as I know those don't exist, but they are in the standard. So the performance depends on basically two things: the effective radiated power of the reader and the speed of the train. So you get more ERP by narrowing the polar pattern of the antenna, but then you have less time to read as the train goes by within that window. Now typically I'm seeing, you know, dozens of tag reads for each tag as it goes by, so it's pretty fast. The maximum I was able to get was about twenty feet for a seventy mile an hour Amtrak train, and that was at 32 watts ERP using a two watt radio but a very high gain antenna. The ERP
calculation, as an example: if you have a two watt transmitter and a 9 dBi antenna, it's two watts times ten to the nine over ten, so you end up with about sixteen watts ERP. If you go up to an eleven dBi antenna, or a twelve dBi antenna, you double that again. There are a couple of different readers on the market. And to be clear, I'm not doing this in GNU Radio; that's possible, but... so we went for a commercial reader on eBay, essentially. So there are two types you can get. One is a kind of low power one watt, and the other is a high power two watts, and the one watt is a Part 15 device, which means anyone can use it without a license, but for a railroad application you'd have to be very close to the train, and it's unlikely that you could get that close; you'd most likely be trespassing. So the low power option is kind of off the table. On the high power one you can run it at two watts and attach any antenna you want, and for a commercial application you'd get a Part 90 license from the FCC, which is a site specific license. I did my experiments using my amateur radio license privileges. So amateurs can operate up to 1500 watts in the 900 megahertz band; I operated at two, so no big deal, and I found that I could ID by toggling the radio using Morse code, toggling the radio in the device, to keep it all legal.
So the one that I bought on eBay was a Sirit ID 5100. Sirit was a really great company, and 3M bought them and scuttled the whole thing, but this product was, it's about this big, and it was designed for tolling and parking garage access applications. It happens to support ISO 10374, although you have to find somebody who can install that key for you; I found a former Sirit employee who was able to do it. You can use its built-in antenna or you can use an external antenna. I used a 9 dBi Yagi for my experiments because it's less obvious than this big panel thing. It is a pretty robust device. It runs Linux internally, and you can upload Python or JavaScript scripts over TCP, and it has internal storage so you can have it do logging on its own. All it needs is power. It has GPIO lines, it has a serial
port; most of the communication is over Ethernet. So it's a really cool device. I have never seen another one on eBay since I bought this one, so you might have trouble finding one. But what I got out of it is 128 bits, so then I took the AAR standard, which I eventually found in a Google search, and took those fields and wrote Python to parse them out so I could make it readable. So this is actually the first test,
which went unusually well, of the software that does the parsing. This is Amtrak at about seventy miles an hour, and you can see the tag data populating as the cars go by. Thank you, that's very kind, thanks. And so the fields going across are the timestamp, down to the millisecond, and then, you know, the reporting mark, the car number or engine number, whether it's a car or an engine we're looking at, and what side we're looking at, so you can tell which way the train's going from the side, because the engine is either facing left or right, and then the length of each car, how many axles it has, et cetera. So I wanted to mention earlier that my work is in noise control, and I do rail noise occasionally, so the pretense that I used to get information on this, to do this project, was that I wanted to try to correlate noise data with the type of equipment
which creates the noise, and then it turned out to be a viable research project, so I ran with it. So I wanted to log long term, so I found a property owner who was cool with it, that was very close to the tracks but not on the railroad property. To do this you really want to do triggering, because you don't want to spew the 32 watts of square wave all the time in any environment, so I assumed, and so the railroads do this with wheel flange detectors. I can't do that; I can't touch the track, so I used ground vibration. This is a seismic geophone; a geophone is like a microphone for vibration, and it outputs essentially audio, but there's nothing above a couple hundred hertz. We use these for measuring the propagation of vibration through the ground, but I put this one as close as I could get to the tracks, and I wanted to make sure that the ground wave that precedes the train would arrive soon enough to get the radio turned on to get the first tags. So this is the waveform down here, and essentially I have about one second of warning at seventy miles an hour, so it was plenty of time. That was the kind of proof of concept. This is the circuit I built to do the actual triggering. It's just a dual op amp; on the left side is a differential amplifier, the output of the geophone is differential, with about seventy, specifically seventy-three dB of gain, which is arbitrary. This side is just a comparator.
And then I have a threshold control; that's on the other side of the comparator. So you basically set this up with an LED and just turn up the threshold until it stops blinking under normal conditions, and then when the train goes by it will trigger. So this goes into the GPIO line on the reader, and I have a Python script running on the reader that looks at that and toggles the power to the radio; you can put it from standby into active mode and vice versa. Here's a video of that.
The little circuit's down in the left corner there. Is this playing? Whoops. I want to play this. I guess it is playing. OK, so the circuit's down in the left corner there; you'll see the light start to blink. And then the top terminal window, which you probably can't read, says that it went into active mode and it's reading the tags, and then after the ground vibration drops below the threshold in the comparator, the script drops back into passive mode. And if it goes into active mode when a truck goes by, it doesn't really matter; you're not going to lose any data or cause a significant amount of RF pollution. So that worked pretty well. So I put this box out there with the reader in the box; sorry, you can see the reader in the box, and
then I have Ethernet out of it to a cellular modem, a Raspberry Pi, and the sound level meter, and essentially this is about thirty miles from my office. I just had the Raspberry Pi on a reverse VPN out to a DigitalOcean droplet, so I could get to it from there and experiment with it remotely, and also remote control the radio, which is important for amateur privileges, and the reader's just logging all of the data. It was out there for about five weeks. This is the Yagi, so, in an old shed about fifteen feet from the rail.
And then there's also a microphone on a stand; the sound level meter is logging the data from that. So this is what comes out of the reader: raw tag data, 128-bit tag IDs, and then I can translate that into something like this. So this is a single train, and you see the locomotive at the top and then all the cars. The EOT actually has its own AEI tag, so at the bottom you see the EOT tag; it's one of the possible device types, so we have locomotive, car, and EOT. I sum up the length of the train, and I have the timestamp, so I can actually calculate the speed also. So I've got the length of the train and the speed, and then I can, in most cases, surmise the direction from the direction the engines point. Then I can take that and turn it into a list of trains. So this is a list of trains where I have a timestamp and then the number of engines plus the number of cars, which direction it was going, how long it was, how many axles, and how fast it was going. Only a few of them have an EOT; the EOT has a tag on one side, so if it was going the other way you wouldn't catch it. The railroads have readers on both sides of the track for redundancy, but they can also catch if there's a missing tag or whatever. So I didn't catch all the EOTs, but you see this one train here, that's like eight thousand feet, so it's a very long train, and this is in New England; we don't get a lot of eight thousand foot trains, so that was an exception. So here's an automatic correlation of sound data, down on the bottom. These are one minute Leqs, one minute average levels, and then each blue dot is a train from the AEI data. You can see that lines up very well; every time there's a spike in the sound pressure level there's a train, and we can do some interesting things, like look at eastbound Amtrak trains versus westbound. You see the
westbound ones are much louder, and that's because there are trees over here, not over here, from the microphone position. And you can look at anomalies, like that one at the end of the red trace is lower than the others; it was a slow order or something, so it was going slower than usual. There's a lot of interesting data from this, and my conclusion was that this is pretty useful for noise surveys when you need to know what the equipment is; you know, instead of having an intern with a clipboard writing down everything, you can log this stuff automatically. But the problem is that it uses a lot of power, which, you know, you can overcome, but also you need a site license. It's not a license for the thing; it's a license for the thing at the place it's going to go, so for a short term project it doesn't make any sense. But it works, so it was an interesting... it turned into an interesting research project that started as just, you know, trying to see if I could do it.
Security: there is nothing on these tags that isn't also painted on the side of the car, you know, the number and the owner and all that stuff, so you could conceivably do this with machine vision or an observer or videotaping it and writing stuff down. And so I don't really think there's any meaningful security concern with this. There's no indication of the type or presence of the load in the car, so we don't know if there's anything in it at all or what it might be. But there is a sensitivity in the industry to private readers, which I think is just kind of a knee-jerk reaction. A lot of that really flamed up about five years ago when this company called Clicker Data bought thirty readers and rented people's backyards along rail lines with internet connections, and they were going to aggregate the data and sell it back to the shippers or something, some sort of commodities thing. And BNSF found a couple of the readers and flipped out, and the end of the story was that Clicker Data had only applied for an FCC license, or been granted an FCC license, for one of the thirty, which I think was just a misunderstanding, but they got fined a quarter million dollars by the FCC for the other twenty-nine, so the whole project got put to rest. But this is actually what got me thinking that maybe I could do this, because I always assumed it was, you know, kind of a proprietary thing that the railroads had locked down, but there are actually very few things like that, I've learned in the last three years. And then, finally, if you're going to try this, make sure you have a license of some sort, whether it's a commercial license for this application or an amateur license with privileges; actually, any amateur license has privileges in this band. And make sure you're not on railroad property; that's really important for any of the stuff I'm showing today. Railroads do not like trespassers, and they will prosecute.
So I'm not an attorney, certainly; do any of this at your own risk, but I recommend using those as starting points for any kind of experimentation. And that's about it. Here are some resources. The Python EOT software that I demoed
is up on GitHub, and I posted here a couple of Windows applications that do railroad telemetry decoding. One is SoftEOT, which I mentioned earlier, which takes in an audio signal, so you have to have a radio external to the computer, and it decodes EOTs. The other one that's interesting is ATCS Monitor. ATCS is one of those traffic control systems, and things like signals and switches and other devices spit out data with their status, and they're also controlled over the RF link, and there are people all over the place that listen for these things, and the data gets aggregated; it's sort of like the ADS-B stuff for planes. You can use ATCS Monitor to look at a panel, for example Las Vegas; you can look at a hundred miles north of here and see the aspect of every signal, whether it's red or green, and which blocks of track are occupied. It makes it very easy to find trains, but we don't have this in New England, so I've never really done much work with that, but it's pretty cool. And then if you want to read more about BCH codes, the Wikipedia page is a good starting point; there are also a couple of good articles you'll find right at the top of a Google search. Pretty interesting stuff. And that's all I've got, so thanks for your kind attention. There's a couple of minutes if there are any questions. ... Yeah, so the question is, if you stand behind an existing reader can you read the tags? And the answer is I'm not sure; I tried that in my office a little bit, but there aren't any readers that I have access to, you know, that are out there, so I would have to set up one, and I just haven't done that exercise. But it is something that I played around with a little bit, because obviously it's a much less intrusive way to do this. ... Oh yeah. So.
Crossing signals generally use track circuits, so essentially the train shorts the rails, and then the fancy ones use something like TDR to figure out the distance and the velocity of the train, so a faster train gets the gate down sooner. As far as I know that stuff doesn't have a wireless component to it; if anything, it would be that ATCS data, but I haven't really gone into that. ... Oh yeah, that's the important point, so this is all, really, the EOT stuff is only for freight, and so no passenger trains; they have electrical connections all the way through, so they don't need it. As far as light rail, that would be really specific to the... if there's no interchange service with other railroads, then there's no requirement to comply with the AEI tagging. For example, I know that some of the light rail systems have their own RFID systems for tracking; whether they're compatible I don't know. I haven't played with them. ... Right. It also would... you'd need to return to it for it to make any sense, so there's a higher barrier to entry, but I can put up a link to it. Great, thanks very much.