Generating Distorted GNSS Signals Using a Signal Simulator
By Mathieu Raimondi, Eric Sénant, Charles Fernet, Raphaël Pons, Hanaa Al Bitar, Francisco Amarillo Fernández, and Marc Weyer
INTEGRITY. It is one of the most desirable personality traits. It is the characteristic of truth and fair dealing, of honesty and sincerity. The word also can be applied to systems and actions with a meaning of soundness or being whole or undivided. This latter definition is clear when we consider that the word integrity comes from the Latin word integer, meaning untouched, intact, entire — the same origin as that for the integers in mathematics: whole numbers without a fractional or decimal component.
Integrity is perhaps the most important requirement of any navigation system (along with accuracy, availability, and continuity). It characterizes a system’s ability to provide a timely warning when it fails to meet its stated accuracy. If it does not, we have an integrity failure and the possibility of conveying hazardously misleading information. GPS has built into it various checks and balances to ensure a fairly high level of integrity. However, GPS integrity failures have occasionally occurred.
One of these was in 1990 when SVN19, a GPS Block II satellite operating as PRN19, suffered a hardware chain failure, which caused it to transmit an anomalous waveform. There was carrier leakage on the L1 signal spectrum. Receivers continued to acquire and process the SVN19 signals, oblivious to the fact that the signal distortion resulted in position errors of three to eight meters. Errors of this magnitude would normally go unnoticed by most users, and the significance of the failure wasn’t clear until March 1993 during some field tests of differential navigation for aided landings being conducted by the Federal Aviation Administration. The anomaly became known as the “evil waveform.”
(I’m not sure who first came up with this moniker for the anomaly. Perhaps it was the folks at Stanford University who have worked closely with the FAA in its aircraft navigation research. The term has even made it into popular culture. The Japanese drone-metal rock band, Boris, released an album in 2005 titled Dronevil. One of the cuts on the album is “Evil Wave Form.” And if drone metal is not your cup of tea, you will find the title quite appropriate.) Other types of GPS evil waveforms are possible, and there is the potential for such waveforms to also occur in the signals of other global navigation satellite systems. It is important to fully understand the implications of these potential signal anomalies. In this month’s column, our authors discuss a set of GPS and Galileo evil-waveform experiments they have carried out with an advanced GNSS RF signal simulator. Their results will help to benchmark the effects of distorted signals and perhaps lead to improvements in GNSS signal integrity.
“Innovation” is a regular feature that discusses advances in GPS technology andits applications as well as the fundamentals of GPS positioning. The column is coordinated by Richard Langley of the Department of Geodesy and Geomatics Engineering, University of New Brunswick. He welcomes comments and topic ideas.
GNSS signal integrity is a high priority for safety applications. Being able to position oneself is useful only if this position is delivered with a maximum level of confidence. In 1993, a distortion on the signals of GPS satellite SVN19/PRN19, referred to as an “evil waveform,” was observed. This signal distortion induced positioning errors of several meters, hence questioning GPS signal integrity. Such events, when they occur, should be accounted for or, at least, detected.
Since then, the observed distortions have been modeled for GPS signals, and their theoretical effects on positioning performance have been studied through simulations. More recently, the models have been extended to modernized GNSS signals, and their impact on the correlation functions and the range measurements have been studied using numerical simulations. This article shows, for the first time, the impact of such distortions on modernized GNSS signals, and more particularly on those of Galileo, through the use of RF simulations. Our multi-constellation simulator, Navys, was used for all of the simulations.
These simulations are mainly based on two types of scenarios: a first scenario, referred to as a static scenario, where Navys is configured to generate two signals (GPS L1C/A or Galileo E1) using two separate RF channels. One of these signals is fault free and used as the reference signal, and the other is affected by either an A- or B-type evil waveform (EW) distortion (these two types are described in a latter section).
The second type of scenario, referred to as a dynamic scenario, uses only one RF channel. The generated signal is fault free in the first part of the simulation, and affected by either an A- or B-type EW distortion in the second part of the scenario. Each part of the scenario lasts approximately one minute.
All of the studied scenarios consider a stationary satellite position over time, hence a constant signal amplitude and propagation delay for the duration of the complete scenario.
The first versions of Navys were specified and funded by Centre National d’Etudes Spatiales or CNES, the French space agency. The latest evolutions were funded by the European Space Agency and Thales Alenia Space France (TAS-F). Today, Navys is a product whose specifications and ownership are controled by TAS-F. It is made up of two components: the hardware part, developed by ELTA, Toulouse, driven by a software part, developed by TAS-F.
The Navys simulator can be configured to simulate GNSS constellations, but also propagation channel effects. The latter include relative emitter-receiver dynamics, the Sagnac effect, multipath, and troposphere and ionosphere effects. Both ground- and space-based receivers may be considered.
GNSS Signal Generation Capabilities. Navys is a multi-constellation simulator capable of generating all existing and upcoming GNSS signals. Up to now, its GPS and Galileo signal-generation capabilities and performances have been experienced and demonstrated. The simulator, which has a generation capacity of 16 different signals at the same time over the entire L band, has already been successfully tested with GPS L1 C/A, L1C, L5, and Galileo E1 and E5 receivers.
Evil Waveform Emulation Capabilities. In the frame of the ESA Integrity Determination Unit project, Navys has been upgraded to be capable of generating the signal distortions that were observed in 1993 on the signals from GPS satellite SVN19/PRN19. Two models have been developed from the observations of the distorted signals.
The first one, referred to as Evil Waveform type A (EWFA), is associated with a digital distortion, which modifies the duration of the GPS C/A code chips, as shown in FIGURE 1. A lead/lag of the pseudorandom noise code chips is introduced. The +1 and –1 state durations are no longer equal, and the result is a distortion of the correlation function, inducing a bias in the pseudorange measurement equal to half the difference in the durations. This model, based on GPS L1 C/A-code observations, has been extended to modernized GNSS signals, such as those of Galileo (see Further Reading). In Navys, type A EWF generation is applied by introducing an asymmetry in the code chip durations, whether the signal is modulated by binary phase shift keying (BPSK), binary offset carrier (BOC), or composite BOC (CBOC).
The second model, referred to as Evil Waveform type B (EWFB) is associated with an analog distortion equivalent to a second-order filter, described by a resonance frequency (fd) and a damping factor (σ), as depicted in Figure 1. This failure results in correlation function distortions different from those induced by EWFA, but which also induces a bias in the pseudorange measurement. This bias depends upon the characteristics (resonance frequency, damping factor) of the filter. In Navys, an infinite impulse response (IIR) filter is implemented to simulate the EWFB threat. The filter has six coefficients (three in the numerator and three in the denominator of its transfer function). Hence, it appears that Navys can generate third order EWF type B threats, which is one order higher that the second order threats considered by the civil aviation community. Navys is specified to generate type B EWF with less than 5 percent root-mean-square (RMS) error between the EWF module output and the theoretical model. During validation activities, a typical value of 2 percent RMS error was measured. This EWF simulation function is totally independent of the generated GNSS signals, and can be applied to any of them, whatever its carrier frequency or modulation.
It is important to note that such signal distortions may be generated on the fly — that is, while a scenario is running. FIGURE 2 gives an example of the application of such threat models on the Galileo E1 BOC signal using a Matlab theoretical model.
GEMS stands for GNSS Environment Monitoring Station. It is a software-based solution developed by Thales Alenia Space aiming at assessing the quality of GNSS measurements. GEMS is composed of a signal processing module featuring error identification and characterization functions, called GEA, as well as a complete graphical user interface (see online version of this article for an example screenshot) and database management.
The GEA module embeds the entire signal processing function suite required to build all the GNSS observables often used for signal quality monitoring (SQM). The GEA module is a set of C/C++ software routines based on innovative-graphics-processing-unit (GPU) parallel computing, allowing the processing of a large quantity of data very quickly. It can operate seamlessly on a desktop or a laptop computer while adjusting its processing capabilities to the processing power made available by the platform on which it is installed. The GEA signal-processing module is multi-channel, multi-constellation, and supports both real-time- and post-processing of GNSS samples produced by an RF front end.
GEMS, which is compatible with many RF front ends, was used with a commercial GNSS data-acquisition system. The equipment was configured to acquire GNSS signals at the L1 frequency, with a sampling rate of 25 MHz. The digitized signals were provided in real time to GEMS using a USB link.
From the acquired samples, GEMS performed signal acquisition and tracking, autocorrelation function (ACF) calculation and display, and C/N0 measurements. All these figures of merit were then logged in text files.
Several experiments were carried out using both static and kinematic scenarios with GPS and Galileo signals.
GPS L1 C/A. The first experiment was intended to validate Navys’ capability of generating state-of-the-art EWFs on GPS L1 C/A signals. It aimed at verifying that the distortion models largely characterized in the literature for the GPS L1 C/A are correctly emulated by Navys.
EWFA, static scenario. In this scenario, Navys is configured to generate two GPS L1 C/A signals using two separate RF channels. The same PRN code was used on both channels, and a numerical frequency transposition was carried out to translate the signals to baseband. One signal was affected by a type A EWF, with a lag of 171 nanoseconds, and the other one was EWF free. Next, its amplified output was plugged into an oscilloscope. The EWFA effect is easily seen as the faulty signal falling edge occurs later than the EWF-free signal, while their rising edges are still synchronous. However, the PRN code chips are distorted from their theoretical versions as the Navys integrates a second-order high pass filter at its output, meant to avoid unwanted DC emissions. The faulty signal falling edge should occur approximately 0.17 microseconds later than the EWF-free signal falling edge.
A spectrum analyzer was used to verify, from a spectral point of view, that the EWFA generation feature of Navys was correct. For this experiment, Navys was configured to generate a GPS L1 C/A signal at the L1 frequency, and Navys output was plugged into the spectrum analyzer input. Three different GPS L1 C/A signals are included: the spectrum of an EWF-free signal, the spectrum of a signal affected by an EWF type A, where the lag is set to 41.1 nanoseconds, and the spectrum of a signal affected by an EWF type A, where the lag is set to 171 nanoseconds. As expected, the initial BPSK(1) signal is distorted and spikes appear every 1 MHz. The spike amplitude increases with the lag.
EWFA, dynamic scenario. In a second experiment, Navys was configured to generate only one fault-free GPS L1 C/A signal at RF. The RF output was plugged into the GEMS RF front end, and acquisition was launched. One minute later, an EWFA distortion, with a lag of 21 samples (about 171 nanoseconds at 120 times f0, where f0 equals 1.023 MHz), was activated from the Navys interface.
FIGURE 3 shows the code-phase measurement made by GEMS. Although the scenario was static in terms of propagation delay, the code-phase measurement linearly decreases over time. This is because the Navys and GEMS clocks are independent and are drifting with respect to each other.
The second observation is that the introduction of the EWFA induced, as expected, a bias in the measurement. If one removes the clock drifts, the bias is estimated to be 0.085 chips (approximately 25 meters). According to theory, an EWFA induces a bias equal to half the lead or lag value. A value of 171 nanoseconds is equivalent to about 50 meters.
FIGURE 4 represents the ACFs computed by GEMS during the scenario. It appears that when the EWFA is enabled, the autocorrelation function is flattened at its top, which is typical of EWFA distortions. Eventually, FIGURE 5 showed that the EWFA also results in a decrease of the measured C/N0, which is completely coherent with the flattened correlation function obtained when EWFA is on.
Additional analysis has been conducted with Matlab to confirm Navys’ capacity. A GPS signal acquisition and tracking routine was modified to perform coherent accumulation of GPS signals. This operation is meant to extract the signal out of the noise, and to enable observation of the code chips. After Doppler and code-phase estimation, the signal is post-processed and 1,000 signal periods are accumulated. The result, shown in FIGURE 6, confronts fault-free (blue) and EWFA-affected (red) code chips. Again, the lag of 171 nanoseconds is clearly observed. The analysis concludes with FIGURE 7, which shows the fault-free (blue) and the faulty (red) signal spectra. Again, the presence of spikes in the faulty spectrum is characteristic of EWFA.
EWFB, static scenario. The same experiments as for EWFA were conducted for EWFB. Fault-free and faulty (EWFB with a resonance frequency of 8 MHz and a damping factor of 7 MHz) signals were simultaneously generated and observed using an oscilloscope and a spectrum analyzer. The baseband temporal signal undergoes the same default as that of the EWFA because of the Navys high-pass filter. However, the oscillations induced by the EWFB are clearly observed.
The spectrum distortion induced by the EWFB at the L1 frequency is amplified around 8 MHz, which is consistent with the applied failure.
EWFB, dynamic scenario. Navys was then configured to generate one fault-free GPS L1 C/A signal at RF. The RF output was plugged into the GEMS RF front end, and acquisition was launched. One minute later, an EWFB distortion with a resonance frequency of 4 MHz and a damping factor of 2 MHz was applied. As for the EWFA experiments, the GEMS measurements were analyzed to verify the correct application of the failure. The code-phase measurements, illustrated in FIGURE 8, show again that the Navys and GEMS clocks are drifting with respect to each other. Moreover, it is clear that the application of the EWFB induced a bias of about 5.2 meters on the code-phase measurement. One should notice that this bias depends upon the chip spacing used for tracking. Matlab simulations were run considering the same chip spacing as for GEMS, and similar tracking biases were observed.
FIGURE 9 shows the ACF produced by GEMS. During the first minute, the ACF looks like a filtered L1 C/A correlation function. Afterward, undulations distort the correlation peak.
Again, additional analysis has been conducted with Matlab, using a GPS signal acquisition and tracking routine. A 40-second accumulation enabled comparison of the faulty and fault-free code chips. FIGURE 10 shows that the faulty code chips are affected by undulations with a period of 244 nanoseconds, which is consistent with the 4 MHz resonance frequency. This temporal signal was then used to compute the spectrum, as shown in FIGURE 11. The figure shows well that the faulty L1 C/A spectrum (red) secondary lobes are raised up around the EWFB resonance frequency, compared to the fault-free L1 C/A spectrum (blue).
Galileo E1 CBOC(6, 1, 1/11). In the second part of the experiments, Navys was configured to generate the Galileo E1 Open Service (OS) signal instead of the GPS L1 C/A signal. The goal was to assess the impact of EWs on such a modernized signal.
EWFA, static scenario. First, the same Galileo E1 BC signal was generated using two different Navys channels. One was affected by EWFA, and the other was not. The spectra of the obtained signals were observed using a spectrum analyzer. The spectrum of the signal produced by the fault-free channel shows the BOC(1,1) main lobes, around 1 MHz, and the weaker BOC(6,1) main lobes, around 6 MHz. The power spectrum of the signal produced by the EWFA channel has a lag of 5 samples at 120 times f0 (40 nanoseconds). Again, spikes appear at intervals of f0, which is consistent with theory. The signal produced by the same channel, but with a lag set to 21 samples (171.07 nanoseconds) was also seen. Such a lag should not be experienced on CBOC(6,1,1/11) signals as this lag is longer than the BOC(6,1) subcarrier half period (81 nanoseconds). This explains the fact that the BOC(6,1) lobes do not appear anymore in the spectrum.
EWFB, static scenario. The same experiments as for EWFA were conducted for EWFB. Fault-free and faulty (EWFB with a resonance frequency of 8 MHz and a damping factor of 7 MHz) signals were simultaneously generated and observed using the spectrum analyzer. The spectrum distortion induced by the EWFB at the E1 frequency was evident. The spectrum is amplified around 8 MHz, which is consistent with the applied failure.
EWFA, dynamic scenario. The same scenario as for the GPS L1 C/A signal was run with the Galileo E1 signal: first, for a period of one minute, a fault-free signal was generated, followed by a period of one minute with the faulty signal. GEMS was switched on and acquired and tracked the two-minute-long signal. Its code-phase measurements, shown in FIGURE 12, reveal a tracking bias of 6.2 meters. This is consistent with theory, where the set lag is equal to 40 nanoseconds (12.0 meters). GEMS-produced ACFs show the distortion of the correlation function in FIGURE 13. The distortion is hard to observe because the applied lag is small.
A modified version of the GPS signal acquisition and tracking Matlab routine was used to acquire and track the Galileo signal. It was configured to accumulate 50 seconds of fault-free signal and 50 seconds of a faulty signal. This operation enables seeing the signal in the time domain, as in FIGURE 14. Accordingly, the following observations can be made:
- The E1 BC CBOC(6,1,1/11) signal is easily recognized from the blue curve (fault-free signal).
- The EWFA effect is also seen on the BOC(1,1) and BOC(6,1) parts. The observed lag is consistent with the scenario (five samples at 120 times f0 ≈ 0.04 chips).
- The lower part of the BOC(6,1) seems absent from the red signal. Indeed, the application of the distortion divided the duration of these lower parts by a factor of two, and so multiplied their Fourier representation by two. Therefore, the corresponding main lobes should be located around 12 MHz. At the receiver level, the digitization is being performed at 25 MHz; this signal is close to the Shannon frequency and is therefore filtered by the anti-aliasing filter.
The power spectrum densities of the obtained signals were then computed. FIGURE 15 shows the CBOC(6,1,1/11) fault-free signal in blue and the faulty CBOC(6,1,1/11) signal, with the expected spikes separated by 1.023 MHz.
It is noteworthy that the EWFA has been applied to the entire E1 OS signal, which is B (data component) minus C (pilot component). EWFA could also affect exclusively the data or the pilot channel. Although such an experiment was not conducted during our research, Navys is capable of generating EWFA on the data component, the pilot component, or both.
EWFB, dynamic scenario. In this scenario, after one minute of a fault-free signal, an EWFB, with a resonance frequency of 4 MHz and a damping factor of 2 MHz, was activated. The GEMS code-phase measurements presented in FIGURE 16 show that the EWFB induces a tracking bias of 2.8 meters. As for GPS L1 C/A signals, it is to be noticed that the bias induced by EWFB depends upon the receiver characteristics and more particularly the chip spacing used for tracking.
The GEMS produced ACFs are represented in FIGURE 17. After one minute, the characteristic EWFB undulations appear on the ACF.
In this case, signal accumulation was also performed to observe the impact of EWFB on Galileo E1 BC signals. The corresponding representation in the time domain is provided in FIGURE 18, while the Fourier domain representation is provided in FIGURE 19. From both points of view, the application of EWFB is compliant with theoretical models. The undulations observed on the signal are coherent with the resonance frequency (0.25 MHz ≈ 0.25 chips), and the spectrum also shows the undulations (the red spectrum is raised up around 4 MHz).
Navys is a multi-constellation GNSS simulator, which allows the generation of all modeled EWF (types A and B) on both GPS and Galileo signals. Indeed, the Navys design makes the EWF application independent of the signal modulation and carrier frequency.
The International Civil Aviation Organization model has been adapted to Galileo signals, and the correct application of the failure modes has been verified through RF simulations. The theoretical effects of EWF types A and B on waveforms, spectra, autocorrelation functions and code-phase measurements have been confirmed through these simulations.
For a given lag value, the tracking biases induced by type A EWF distortions are equal on GPS and Galileo signals, which is consistent with theory.
Eventually, for a given resonance frequency-damping factor combination, the type B EWF distortions induce a tracking bias of about 5.2 meters on GPS L1 C/A measurements and only 2.8 meters on Galileo E1 C measurements. This is mainly due to the fact that the correlator tracking spacing was reduced for Galileo signal tracking (± 0.15 chips instead of ± 0.5 chips). (Additional figures showing oscilloscope and spectrum analyzer screenshots of experimental results are available in the online version of this article.)
This article is based on the paper “Generating Evil WaveForms on Galileo Signals using NAVYS” presented at the 6th ESA Workshop on Satellite Navigation Technologies and the European Workshop on GNSS Signals and Signal Processing, Navitec 2012, held in Noordwijk, The Netherlands, December 5–7, 2012.
In addition to the Navys simulator, the experiments used a Saphyrion sagl GDAS-1 GNSS data acquisition system, a Rohde & Schwarz GmbH & Co. KG RTO1004 digital oscilloscope, and a Rohde & Schwarz FSW26 signal and spectrum analyzer.
MATHIEU RAIMONDI is currently a GNSS systems engineer at Thales Alenia Space France (TAS-F). He received a Ph.D. in signal processing from the University of Toulouse (France) in 2008.
ERIC SENANT is a senior navigation engineer at TAS-F. He graduated from the Ecole Nationale d’Aviation Civile (ENAC), Toulouse, in 1997.
CHARLES FERNET is the technical manager of GNSS system studies in the transmission, payload and receiver group of the navigation engineering department of the TAS-F navigation business unit. He graduated from ENAC in 2000.
RAPHAEL PONS is currently a GNSS systems engineering consultant at Thales Services in France. He graduated as an electronics engineer in 2012 from ENAC.
HANAA AL BITAR is currently a GNSS systems engineer at TAS-F. She graduated as a telecommunications and networks engineer from the Lebanese Engineering School of Beirut in 2002 and received her Ph.D. in radionavigation in 2007 from ENAC, in the field of GNSS receivers.
FRANCISCO AMARILLO FERNANDEZ received his Master’s degree in telecommunication engineering from the Polytechnic University of Madrid. In 2001, he joined the European Space Agency’s technical directorate, and since then he has worked for the Galileo program and leads numerous research activities in the field of GNSS evolution.
MARC WEYER is currently working as the product manager in ELTA, Toulouse, for the GNSS simulator and recorder.
• Authors’ Conference Paper
“Generating Evil WaveForms on Galileo Signals using NAVYS” by M. Raimondi, E. Sénant, C. Fernet, R. Pons, and H. AlBitar in Proceedings of Navitec 2012, the 6th ESA Workshop on Satellite Navigation Technologies and the European Workshop on GNSS Signals and Signal Processing, Noordwijk, The Netherlands, December 5–7, 2012, 8 pp., doi: 10.1109/NAVITEC.2012.6423071.
• Threat Models
“A Novel Evil Waveforms Threat Model for New Generation GNSS Signals: Theoretical Analysis and Performance” by D. Fontanella, M. Paonni, and B. Eissfeller in Proceedings of Navitec 2010, the 5th ESA Workshop on Satellite Navigation Technologies, Noordwijk, The Netherlands, December 8–10, 2010, 8 pp., doi: 10.1109/NAVITEC.2010.5708037.
“Estimation of ICAO Threat Model Parameters For Operational GPS Satellites” by A.M. Mitelman, D.M. Akos, S.P. Pullen, and P.K. Enge in Proceedings of ION GPS 2002, the 15th International Technical Meeting of the Satellite Division of The Institute of Navigation, Portland, Oregon, September 24–27, 2002, pp. 12–19.
• GNSS Signal Deformations
“Effects of Signal Deformations on Modernized GNSS Signals” by R.E. Phelts and D.M. Akos in Journal of Global Positioning Systems, Vol. 5, No. 1–2, 2006, 9 pp.
“Robust Signal Quality Monitoring and Detection of Evil Waveforms” by R.E. Phelts, D.M. Akos, and P. Enge in Proceedings of ION GPS-2000, the 13th International Technical Meeting of the Satellite Division of The Institute of Navigation, Salt Lake City, Utah, September 19–22, 2000, pp. 1180–1190.
“A Co-operative Anomaly Resolution on PRN-19” by C. Edgar, F. Czopek, and B. Barker in Proceedings of ION GPS-99, the 12th International Technical Meeting of the Satellite Division of The Institute of Navigation, Nashville, Tennessee, September 14–17, 1999, pp. 2269–2271.
• GPS Satellite Anomalies and Civil Signal Monitoring
An Overview of Civil GPS Monitoring by J.W. Lavrakas, a presentation to the Southern California Section of The Institute of Navigation at The Aerospace Corporation, El Segundo, California, March 31, 2005.
• Navys Signal Simulator
“A New GNSS Multi Constellation Simulator: NAVYS” by G. Artaud, A. de Latour, J. Dantepal, L. Ries, N. Maury, J.-C. Denis, E. Senant, and T. Bany in Proceedings of ION GPS 2010, the 23rd International Technical Meeting of the Satellite Division of The Institute of Navigation, Portland, Oregon, September 21–24, 2010, pp. 845–857.
“Design, Architecture and Validation of a New GNSS Multi Constellation Simulator : NAVYS” by G. Artaud, A. de Latour, J. Dantepal, L. Ries, J.-L. Issler, J. Tournay, O. Fudulea, J.-M. Aymes, N. Maury, J.-P. Julien , V. Dominguez, E. Senant, and M. Raimondi in Proceedings of ION GPS 2009, the 22nd International Technical Meeting of the Satellite Division of The Institute of Navigation, Savannah, Georgia, September 22–25, 2009, pp. 2934–2941.