Aircraft ADS-B enumeration
SUMMARY
Automatic Dependent Surveillance Broadcast (ADS-B) is a radio technology used by aircraft to broadcast flight information such as altitude, speed, position and heading. It is a fundamental part of modern surveillance and air traffic control monitoring networks. This write-up summarizes how to capture ADS-B signals and gain some intelligence about the local air traffic with two tools: first, outdoors with a portable HackRF One + PortaPack SDR; and second, with SDRangel software and the HackRF One running in standalone mode.
KEYWORDS
Secondary Surveillance Radar (SSR), Air Traffic Control (ATC), Mode S transponder, ADS-B, 1090ES, UAT, VDL Mode 4, SIGINT, HackRF One + PortaPack, SDRangel.
REFERENCES
Skolnik, Merrill. Radar handbook. 3rd Edition. New York: McGraw-Hill, 2008. ISBN 978-0-07-148547-0
https://pilotteacher.com/what-is-an-aircraft-transponder-what-does-it-do/
http://www.spilve.lv/library/law/Annex%2010%20Volume%20III.pdf
https://en.wikipedia.org/wiki/Aviation_transponder_interrogation_modes
https://www.flightradar24.com/data
https://www.adsbexchange.com/api/aircraft/v2/docs
INTRODUCTION
Secondary Surveillance Radar (SSR)
Nations constantly monitor their airspace with a network of primary radars. They are called primary because they are the first step in the air surveillance system. These radars are RF transceivers that emit a front of waves at a certain frequency. When the waves find a flying object, they bounce off its surface and the radar detects the reflected emission. Afterwards, from the delay of the returned wave and its incoming direction, it is possible to determine the position and distance of the flying object.
After the primary radar determines something is flying nearby, the next step is to identify that object. Normally, in the field of civil Air Traffic Control (ATC), this is done using secondary radars (SSR) and transponders. Transponders are onboard avionics designed to receive a signal, called an interrogation, at a given frequency and send a reply at a different frequency. Basically, the secondary radar encodes a signal (the interrogation) and radiates it at 1030 MHz, and when aircraft transponders detect the interrogation signal, they automatically send the reply at 1090 MHz.
The information provided in this reply depends on the type of interrogation received. In short, the interrogations are just a train of pulses, and depending on the delay between these pulses, the information requested is different.
These types of interrogation are also called "modes". Initially, there were two modes used in civil aviation: Mode A and Mode C.
Mode A. This interrogation requests the aircraft transponder to reply with its squawk code. This is a 4-digit code provided by Air Traffic Control (ATC) to the pilots when the aircraft enters the geographical zone under their control. Pilots are contacted by radio and provided with the 4-digit squawk code, and then they must enter this code in their transponders. When the ATC radar sends a Mode A interrogation, the controllers see on their display all the squawk codes belonging to the aircraft in the control zone.
Mode C. This interrogation requests the aircraft transponder to emit its pressure altitude. The onboard transponder takes this information from the plane sensors.
There is a problem affecting large airports or congested areas. If the ATC wants to interrogate a specific plane, it will send an interrogation but, since all transponders in the area will automatically reply, the radio spectrum will get saturated with emissions that may clutter radar displays and degrade performance. These unwanted signals are called "fruit" in aviation jargon. To solve this problem, a new mode, Mode S, was created.
Mode S
In Mode S (selective) each aircraft is assigned an ICAO 24-bit address (also called Mode S address) by the civil authority during its registration. When the ground SSR wants to interrogate a specific plane, it adds this address in the interrogation so only the selected transponder sends a reply, suppressing unwanted emissions from other aircraft. This address is coded in the Mode S transponders and is not supposed to be modified during the aircraft's life unless the equipment is removed and installed in another aircraft (something common during aviation maintenance). In this case, it is mandatory to update the transponder address in the new aircraft where it is going to be installed. Therefore, Mode S transponders should support address modification.
In addition to this, Mode S was designed to be a data link between ground control and onboard equipment. More information than just squawk codes and altitude can be sent in Mode S, such as heading, position, origin, destination, flight number, speed, etc.
ICAO Annex 10 Volume III specifies the format of the Mode S interrogation messages, called Uplink Formats (or UF). The reply messages, on the other hand, are called Downlink Formats (or DF). Transponders take flight information from all kinds of avionics systems and sensors, such as the Flight Management System (heading, destination, waypoint, flight number, tail number, etc.), the Inertial Navigation System (airspeed, altitude) and GPS (position), and store it in 56-bit memory locations called BDS registers. Depending on the UF message received, the transponder will supply the corresponding DF reply containing data taken from one of the BDS registers.
There is one special type of reply, the DF11. This is normally sent when a UF11 interrogation is received; however, it is also automatically sent every 5 seconds. It contains the 24-bit Mode S address and is called "acquisition squitter", because it is aimed at broadcasting the aircraft address so anyone can send interrogations to it.
Another special DF message is the DF17, which is also automatically transmitted every second. It is 112 bits long, larger than the 56-bit DF11 and, in addition to the Mode S address, it contains extended information taken from the BDS registers. Due to its extended size it is called "extended squitter" and is the origin of the ADS-B technology.
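The two squitters described above share a simple layout: a 5-bit downlink format, the 24-bit address and, at the end, 24 parity bits; DF17 adds a 56-bit message field in between. The following parser is an added example, not code from the original write-up: function names are illustrative, and the sample frame is constructed from the address 484161 listed later in this write-up with a made-up call sign.

```python
"""Minimal Mode S squitter parser: DF11 (56-bit) and DF17 (112-bit)."""
import string

GENERATOR = 0x1FFF409  # 25-bit Mode S CRC generator polynomial
# 6-bit character set of identification messages; '#' marks unused codes
CHARSET = ("#" + string.ascii_uppercase + "#" * 5 + " " + "#" * 15
           + string.digits + "#" * 6)
FRAME_BYTES = {11: 7, 17: 14}  # downlink format -> frame length in bytes


def crc_remainder(frame: bytes) -> int:
    """Divide the frame by GENERATOR over GF(2); 0 means the parity matches."""
    value = int.from_bytes(frame, "big")
    for shift in range(len(frame) * 8 - 25, -1, -1):
        if (value >> (shift + 24)) & 1:
            value ^= GENERATOR << shift
    return value


def append_parity(payload: bytes) -> bytes:
    """Helper for building test frames: payload followed by 24 parity bits."""
    return payload + crc_remainder(payload + b"\x00\x00\x00").to_bytes(3, "big")


def parse_squitter(hex_frame: str) -> dict:
    frame = bytes.fromhex(hex_frame)
    df = frame[0] >> 3 if frame else None  # downlink format = first 5 bits
    if FRAME_BYTES.get(df) != len(frame):
        raise ValueError(f"not a DF11/DF17 frame: DF={df}, {len(frame)} bytes")
    info = {"df": df, "icao": frame[1:4].hex().upper(),
            "crc_ok": crc_remainder(frame) == 0}
    if df == 17:
        me = frame[4:11]  # 56-bit extended squitter message field
        info["type_code"] = me[0] >> 3
        if 1 <= info["type_code"] <= 4:  # aircraft identification message
            bits = int.from_bytes(me[1:], "big")  # eight 6-bit characters
            info["callsign"] = "".join(
                CHARSET[(bits >> s) & 0x3F] for s in range(42, -1, -6)).rstrip()
    return info


# Constructed sample (not a captured frame): DF17, address 484161,
# identification message carrying the made-up call sign "KLM1023".
SAMPLE_DF17 = append_parity(bytes.fromhex("8D484161202CC371C32CE0")).hex().upper()

if __name__ == "__main__":
    print(SAMPLE_DF17, parse_squitter(SAMPLE_DF17))
```

The parity check only detects transmission errors; a passing CRC says nothing about who sent the frame.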
In fact, there are several similarities between Mode S data link and computer data links such as Ethernet.
Protocol | Ethernet | GICB
Network ID | 48-bit MAC address | 24-bit ICAO address
Address broadcast | ARP | DF11/DF17
Network packets | Ethernet frames | Uplink/Downlink Formats (UF, DF)
Data sent | Personal data, computer data, etc. | Heading, position, airspeed, flight number, squawk code, etc.
Information storage | File system, databases, etc. | Transponder BDS registers
ADS-B technologies
Initially there were two surveillance levels depending on the data provided by Mode S transponders.
Elementary Surveillance (ELS). Provides basic aircraft information for identification and collision avoidance purposes.
Enhanced Surveillance (EHS). Provides additional information such as heading, speed, vertical intention and track and turn report to support improved ATC systems.
Both of them, EHS and ELS, are based on Mode S and therefore on an interrogation-reply scheme.
Automatic Dependent Surveillance Broadcast (ADS-B) was conceived to rely on automatic transmissions instead: there is no need to interrogate the planes first, because they transmit information such as airborne/surface position, emergency status, identification, type or airborne velocity every second.
Initially, only Mode S transponders supported ADS-B, by broadcasting DF17 extended squitters. Today this standard is called 1090ES.
Nowadays, other avionics equipment besides Mode S transponders supports ADS-B. UAT stands for Universal Access Transceiver; it is a communication system working at 978 MHz and is used mainly in the United States, especially by aircraft operating below 24,000 feet. VHF Data Link (VDL) radios also support ADS-B by means of the Mode 4 data link.
Identification Friend-Foe (IFF)
The IFF (Identification Friend-Foe) is an identification technology applied to military aircraft to know if the flying object is friendly or hostile. The concept is very similar to civil SSR interrogations.
Basically, in military aircraft there are five interrogation modes. Modes 1 and 2 are not used. Mode 3 is similar to civil Mode A, and modes 4 and 5 are encrypted.
In Mode 4 the IFF decrypts the interrogation using a locally stored key and supplies an encrypted answer which essentially indicates the aircraft is friendly. Mode 5, on the other hand, is more like an encrypted data link for military aircraft, similar to the Mode S data link in civil aircraft. The Mode 5 Lethal interrogation is a feature that serves as a final challenge to confirm the identity of the target before weapons are released.
In summary:
Secondary surveillance radars are used to monitor air traffic by means of an interrogation/reply scheme operating in the 1030 MHz/1090 MHz frequencies.
The different types of interrogations are called "Modes". Information is not sent automatically, only when an interrogation is received, and only the requested data is included in the reply.
Mode S is a data link that permits selective aircraft interrogation. Replies provide all kinds of navigation information from the aircraft. EHS and ELS are two Mode S surveillance modes; the main difference lies in the amount of information transmitted in each case.
ADS-B is a technology used to emit information automatically, without the need for a previous interrogation. It is implemented in Mode S DF17 112-bit extended squitters (1090ES), UAT and VDL Mode 4.
There are several codes that uniquely identify an aircraft:
Squawk code. A temporary 4-digit code assigned by ground traffic control to any flight approaching the control zone. It is communicated to the pilot by radio and may change as the aircraft travels through different areas.
Mode S address. It is a 24-bit address used for selective interrogation. It is assigned to each aircraft worldwide by the ICAO and it is not supposed to change.
Registration number. Similar to car plates, it is a code assigned by national authorities where the plane is going to be registered. It is usually called "tail number" because it is painted on the rear fuselage.
SIGNAL TRACKING WITH HACKRF ONE
There are several SDR programs and ADS-B decoders. First we will focus on message interception with the HackRF application.
First, you need an antenna in the 1 GHz band. You can buy an antenna specifically designed for ADS-B; however, a WiFi antenna in the 2.4 GHz band also works. The equipment used for this signal interception was this.
It should be easy to capture ADS-B signals in a big city or near an airport provided the right antenna is being used. ADS-B signals emitted by aircraft are freely propagated in the atmosphere without obstacles and there is a massive amount of traffic nowadays, so just move outdoors and adjust gain controls until you have a good signal quality.
Soon, you will see the list of captured emissions is populated with the data of the planes flying nearby. The application identifies each aircraft by "ICAO/Call", which is the 24-bit Mode S address transmitted in the DF17 squitters.
Let's choose a couple of ICAO addresses and get more plane details such as call signs and position. If you have an SD card installed containing the aircraft and ICAO databases, the application also shows registration numbers, airline, model and manufacturer data.
Here we see a couple of Lufthansa and KLM airliners.
It is interesting to notice that military planes in peacetime are also obliged to fly with their transponders switched on and sending information. Here we see an RCAF Globemaster III.
SIGNAL INTELLIGENCE
The HackRF ADS-B RX application provides limited information, but at least we have disclosed several unique identifiers such as Mode S ICAO addresses, registration plates and call signs. In order to gain intelligence on these airplanes we have several databases available on the internet.
Flightradar24 is a well-known site with live flight information and tracking maps. It provides an open database where we can find our two airliners; however, the Canadian transport lifter is not found. Also, it provides an API that needs registration.
Another good option is ADS-B Exchange, a site that looks quite similar to Flightradar24. It provides a live tracking map and two APIs: a paid enterprise API and a lite version for personal use. Both need registration.
Investigating a bit more we find ADSB.lol. It provides a live tracking map and a database where, just by entering the 24-bit Mode S ICAO address, we find our Lufthansa and KLM airliners and, in addition, the military Globemaster III.
Using this database we are able to make a table with quite good aircraft data.
C2B3EB | Boeing C-17A Globemaster III | Canadian Air Force | 177703 | 50187 | 17 years | Long Beach (US)
3C66AB | Airbus A320-200 | Lufthansa | D-AXAQ | 6423 | 10 years | Hamburg (DE)
484161 | Boeing 737-800 | KLM | PH-BXH | 29597 | 24 years | Renton (US)
SIGNAL TRACKING WITH SDRANGEL
SDRangel is SDR software compatible with the HackRF. It provides an ADS-B decoder plugin that is useful to track flights.
For this, we have to use the HackRF One + PortaPack in HackRF mode and connected to a computer USB port. In this mode the HackRF One SDR is logically disconnected from the PortaPack allowing use as SDR hardware. We lose the portability (unless you are able to take your laptop outdoors) but take advantage of the SDRangel features.
Connect the HackRF One to a USB port and select "HackRF" mode in the Mayhem menu.
Now run the SDRangel software and create a new workspace. Click on the "Add Rx device" button and select the HackRF as sampling device.
In the workspace, click on the "Add channel" button and select the "ADS-B demodulator".
Now, adjust the frequency to 1090 MHz and click on "Run" to start capturing signals. If you have good reception, ADS-B data is captured. SDRangel allows downloading ICAO and airline databases so the aircraft data is automatically presented.
WRAPPING UP
We have learned about air traffic surveillance technologies based on SSR radars, such as the Mode S data link and ADS-B. We have been able to capture aircraft data outdoors using a HackRF One + PortaPack and with the HackRF One connected to a laptop in HackRF standalone mode. The unique identifiers captured are sufficient to enumerate additional aircraft information such as airline, model, age or place of production.