An exclusive interview with Jürgen Pielmeier, managing director, IFEN. For more exclusive interviews from this cover story, click here.
In which markets and/or applications do you specialize?
IFEN is offering RF simulation solutions for all GNSS markets, except the defense market with encrypted signals. The major market in recent years was the ‘New Space’ market, mainly focused to design and test PNT navigation solutions as part of (primarily) LEO satellite constellations using existing GNSS systems. With the many new players around the world, there are many market opportunities. To be successful in this ‘New Space’ market requires simulation support of all GNSS systems and signals, modelling LEO dynamics and environment and providing multiple RF-outputs (enabling systems with several GNSS antennas located on the satellite). With our latest ‘NCS NOVA+’ RF simulator, support of up to 4 RF-antenna simulations is possible. From basic RF system up to integrated SIL and HIL systems, the level of required solutions is very diverse by the different applications. The IFEN RF simulator is also offering a full ‘radio occultation’ simulation capability specifically for this market.
The second important market is the automotive/maritime PNT market requiring fully integrated HIL simulation solutions. Excellent integration capability into external environment simulation systems with a rich set of interfaces and short latencies are keys for this market. To further penetrate this market, IFEN will implement some major enhancements during this and next year within its RF simulator products.
How has the need for simulation changed in the past five years, with the completion of the BeiDou and Galileo GNSS constellations, the rise in jamming and spoofing threats, the sharp increase in corrections services, and the advent of new LEO-based PNT services?
Today, supporting all existing GNSS systems with all related signal components on all frequencies is a must have for all high-end RF simulators. Keeping the RF simulators up-to-date with the new and continuously evolving GNSS signals is required to be sustainably competitive. Specifically, beyond the L-band signals, we are also fully supporting the S-band signals of the NavIC constellation. The continuously increasing number of available GNSS satellites and signals requires that the RF simulator capabilities are fully scalable to provide sufficient resources to simulate all signal channels. Our new NCS NOVA+ simulator is our first RF simulator with strong scalability capabilities, to be further extended in the coming years.
In recent years, adding support for the simulation of jamming and spoofing threats was a major driver for the market. Our latest RF simulator generation ‘NCS NOVA+’ is fully supporting all types of jamming and spoofing, fully integrated into our RF simulators to enable coherent signal generation. With the coming ‘DFMC’ (SBAS/GBAS dual-frequency multi-constellation) based safety-of-life and automated driving applications, the need to support advanced jamming and spoofing simulation solutions will be a continuous driver also for the future.
Adding the ‘High Accuracy Service’ (HAS) PPP-correction capability on Galileo E6-B signal in our coming V2.9 release is driven by the increased request for PPP corrections services. We expect further improvements here in the coming years, especially to cover the emerging PPP-RTK market needs.
With the coming age of LEO-PNT services, this is the most important driver for the next five years, extending the signal frequencies beyond the current L- and S-band signals, seeing new modulations, two-way transfer and many more topics. This will require strong development efforts on the RF simulator side, to provide suited RF test tools in time to LEO-PNT system designers and developers, but also the related user terminal developers. IFEN is currently preparing to take this next major step in its RF simulator capability portfolio.
In particular, regarding some of the new PNT services being developed, how do you simulate them realistically without the benefit of recordings of live sky signals?
Facing the lack of live sky signals when developing RF simulator capabilities is a continuous challenge. It requires to a certain signal simulation flexibility designed into the receiver, good and theoretical understanding of specific implications of new designed signals. As soon as real signals are then available, simulation and real signals will be compared and if required the simulation fidelity will be adjusted to meet the real signals.
Are accuracy requirements for simulation increasing, to enable emerging applications?
Concerning the core accuracy parameters requested in recent years, we saw no increase in required accuracy, as the typical requested accuracies are anyway far beyond the real signals’ accuracy.
Are all your simulators for use in the lab or are some for use in the field? If the latter, for what applications and how do they differ from the ones in the lab? (For starters, I assume that they are smaller, lighter, and less power-hungry…)
Currently all our simulators are designed for usage within the laboratory. However, we recognize an increased request for in-field capable RF simulators, specifically to perform spoofing of real SIS to test deployed GNSS receivers in the field. Offering a portable in-field solution is in the mid-term planning, but not a current driver for our developments.
What are some of your recent successes?
The most important recent success is the Galileo 2nd generation Test User Receiver contract from the European Space Agency. Within this contract, the ‘NCS NOVA+’ simulator as RF test tool will be upgraded to full G2G signal generation capability. The new already implemented G2G signals enable shorter TTFF, improved acquisition performance but also higher update rates (e.g. for PPP-RTK). Up to the end of the year the G2G signal will be fully implemented in our RF simulator, including the next generation of advanced authentication solutions.
As the number of constellations, satellites, and signals has grown in recent years — especially in the past few years, with the completion of the BeiDou and Galileo constellations — simulator manufacturers have been challenged to keep up. Threats of jamming and spoofing also increased. Then, a few companies began to develop new positioning, navigation and timing (PNT) constellations in low-Earth orbit (LEO).
Due to the limited space available in print, I was able to use only a small portion of the interviews I conducted for our August cover story. For the full transcripts, see below:
Full interview with Tim Erbes, Technical Director, Safran Federal Systems (formerly Orolia Defense & Security).
Full interview with Julian Thomas, Managing Director, Racelogic.
Full interview with Jürgen Pielmeier, Managing Director, IFEN.
Full interview with Mark Holbrow, VP of Product Development, Spirent Communications and Roger Hart, Sr. Director of Engineering, Spirent Federal Systems.
Spirent’s GSS6450 record and playback system (RPS) used to record live-sky signals in an urban environment for testing in the lab. (Image: Spirent Federal Systems)
These are interesting and challenging times for the makers of GNSS signal simulators.
For decades, developers and manufacturers of GNSS receivers have needed to simulate the satellites’ signals to test receivers in their labs and in the field. Meanwhile, users of GNSS receivers for critical missions — such as military operations and rocket launches — have needed to simulate the exact conditions (the number of satellites in line of sight, the positional dilution of precision, etc.) at specific points in time and space.
As the number of constellations, satellites and signals grew — especially in the past few years, with the completion of the BeiDou and Galileo constellations — simulator manufacturers were challenged to keep up. Threats of jamming and spoofing also increased. Then, a few companies began to develop new positioning, navigation and timing (PNT) constellations in low-Earth orbit (LEO). Now, it is common for simulators to require several hundred channels.
I discussed these challenges and the prospect for the simulation industry with representatives of five companies:
Tim Erbes, Technical Director, Safran Federal Systems (formerly Orolia Defense & Security)
For the full transcripts of my interviews, click here. If you like this article, you will love the interview transcripts, which cover much more than I had room for here.
Legacy Constellations and New Ones
Simulator manufacturers cite a variety of challenges. According to Erbes, a big one is determining users’ requirements. “Often,” he said, “they can’t determine what the specs need to be. All they know is that they need it to work.” This is particularly true when mixing and matching receivers, IMUs, and components from different manufacturers, he pointed out.
For decades, there were only two GNSS constellations (GPS and GLONASS). A couple of years ago, two more came online (BeiDou and Galileo). Meanwhile, several regional augmentation systems were developed (SBAS, EGNOS, NavIC, QZSS and KASS), some of which may later grow into global systems. Now, new LEO-based systems are being developed. For simulator manufacturers, what was once clear “began to get fuzzy,” Erbes said. “If you ask members of our team right now how many constellations we support, you will not get a quick answer. We’re trying to be forward-looking and add everything that might be up there so lab users can develop and test.”
Multi-constellation simulation is a particularly challenging problem for groups that don’t have simulators, Erbes pointed out. “We have the advantage of having a software-defined architecture. We designed the software so that it is easy to add new constellations to it. Basically, once we’re given a proper interface control document (ICD), we’re only a couple of months away from a first draft implementation of that new signal. Then we iterate.”
In the past few years, said Thomas, Racelogic “had to suddenly invent 15 new signals.” It makes a record-and-replay system — “You put a box in a car, on a bike, in a backpack, or on a rocket, and you record the raw GPS signals,” Thomas said — and another system in which it simulates the satellites’ signals “from pure principles.” The latter, he noted, has been “15 times the original work we thought it would be. However, as we add each signal it tends to get a bit simpler until they add new ways to encode signals, and then it gets complex again.”
Spirent Communications’ technology, Holbrow said, focuses around “its dedicated SDR hardware platform and software simulation engine, which provide performance, scalability and flexibility, within an open accessible architecture. Close collaboration with our selected partners ensures the opportunity to support and integrate new and emerging PNT technologies through their tools, applications and hardware.” Two other aspects that have continued to grow in importance have been “increased realism and test automation,” Holbrow said. “Both are areas in which Spirent continues to prioritize and invest R&D dollars.”
Spirent “can enable the user with effectively an arbitrary waveform simulator or ‘sandbox’ to experiment with different modulation schemes, different chipping rates, codes, bandwidths and navigation data content,” Holbrow said. “The increasing number of signals that we can support multiplies the permutations and combinations of test cases that users can do,” Hart added.
Not every simulator user is equally interested in simulating all the existing and emerging constellations. Those in the U.S. military market do not use foreign signals, pointed out Clark. However, they may want to understand how those signals could impact their vehicle, platform, or individual receiver.
LEO-based constellations “have become a buzzword in the last year or so,” Clark said. Because CAST Navigation’s simulators are modular and use an FPGA-based design, “we can add different satellite constellations or satellite protocols to our system,” he said. “However, we don’t offer anything commercially yet due to a lack of an official ICD, or any kind of documentation that defines any of these new LEO-based signals.”
Today, said Pielmeier, all high-end RF simulators must support “all existing GNSS systems with all related signal components on all frequencies.” Additionally, to remain competitive, they must be kept “up-to-date with the new and continuously evolving GNSS signals.” He added: “Beyond the L-band signals, we are also fully supporting the S-band signals of the NavIC constellation.”
The increased request for precise point positioning (PPP) corrections service, Pielmeier pointed out, was the driver for IFEN to add the High Accuracy Service (HAS) PPP-correction capability on Galileo’s E6-B signal to its next release. “We expect further improvements here during the next few years, especially to cover the emerging needs of the PPP-RTK market.” The advent of LEO-based PNT services, he said, makes this “the most important driver for the next five years, extending the signal frequencies beyond the current L- and S-band signals, seeing new modulations, two-way transfer and many more topics.”
Jamming and Spoofing
Concern about jamming and spoofing has increased significantly over the past several years. These, however, are not new concepts for simulator manufacturers. “In a way, simulation is ahead of this state of the world,” said Erbes. “Spoofing is similar to simulation. So, we already know how to do that.” That could change, however. “If new requirements come up, such as higher data rates or wider bandwidth waveforms or different types of waveforms, then we would have to adapt and add support for that kind of stuff.”
“Because our systems record and replay, they’re used a lot to record real-world jamming,” said Thomas. Regarding spoofing, Racelogic has just improved its signal simulation. “We can do seamless takeover of a GNSS signal in real time. We can reproduce the current ephemeris and almanac. If we transmit a sufficiently powerful signal, we can completely take over that device.”
Over the past five years, most of CAST Navigation’s customers have become much more interested in being able to simulate jamming and spoofing, Clark said. “If you’re doing anything of any importance in a contested environment, you’re going to come up against some type of spoofing and/or jamming interference.”
Pielmeier agreed that simulation of jamming and spoofing threats has been a major market driver in recent years. “Our latest RF simulator generation, NCS NOVA+,” he said, “fully supports all types of jamming and spoofing and is fully integrated into our RF simulators to enable coherent signal generation. With the coming safety-of-life and automated driving applications based on DFMC (SBAS/GBAS dual-frequency multi-constellation), the need to support advanced jamming and spoofing simulation solutions will remain a continuous driver.”
IFEN’s RF signal generator technology, based on a modular and highly flexible Software Defined Radio (SDR) platform. (Image: IFEN)
Simulating What Does Not Yet Exist
The current GNSS constellations broadcast signals that can be recorded, played back, and used to generate accurate simulations. For systems still being developed, however, simulator manufacturers must rely on each system’s ICD, if and when it is available. Even for established systems, the live sky signals may diverge from the ICD. “Is the simulator supposed to match live sky,” Erbes wondered, “or is it supposed to match the intended final state of the constellation, according to the ICD? This is a huge topic for M-code, which is ever changing, and has a very large ICD that is released incrementally. We’re constantly having to make changes to the simulator to match those releases.”
A big challenge for simulator manufacturers is to keep pace with new and evolving ICDs. “There are more constellations than ever, and the technology makes it easier to change signal architectures,” said Erbes. “We’re going to start talking about signals that can be reprogrammed on the fly. That’s going to make simulation more and more challenging.”
Simulating signals for new systems that are not yet deployed is a matter of “pure signals simulation,” said Thomas. “You go through the ICD line-by-line and work out the new schemes. You are very much reliant on every single word in that ICD.”
New LEO-based systems are not the only ones to present this challenge to simulator manufacturers. “L1C is another one of those problem child signals that we have developed,” said Clark. “All we can do is buy all the makes and models of L1C receivers available for sale and utilize our simulator, along with those receivers, to see whether things are good. We’ve asked the government for an L1C code sample, but it will not be available until the satellite manufacturers launch the satellites in their final configuration. Until then, we’ll develop to the ICD that’s been released and defined, then cross our fingers.”
Spirent’s core simulation engine and SDR “are agnostic of the constellation and signal type that’s being generated,” Holbrow said. “So, the underlying principles of accuracy, range rate, pseudo-range control, and delay, together with the RF fidelity from Spirent’s SDR+ Sim engine, can be readily manipulated to simulate the wealth of emerging signals, including LEO.” Additionally, when an ICD is not available, the company can enable its customers to use its tools “to readily populate elements of that ICD themselves.”
In the Lab vs. In the Field
“All our systems can be carried in a backpack, on a push bike, in a car,” said Thomas. “We do that deliberately, because we come from the automotive side of things, so we have to keep everything very small and compact. Some of our customers have put them in rockets, recording the signal as it goes up, or in boats. We have people walking around with an antenna on their wrist connected to one of our systems, so that they can simulate smartwatches.”
CAST Navigation has simulator packages that range “anywhere from shoebox size to nine-foot-tall racks,” said Clark. “They are all modular, so you can add options and capabilities over time. We have simulators that are used in the field. Some of the testing groups with the U.S. armed forces have used our simulators in the back of a Humvee along with other proprietary equipment to conduct their own field experiments.”
Spirent supports in-the-field use cases: its portable simulator can test PNT resilience while the DUT is receiving live-sky signals, and its record-and-playback system takes real-world soundings in a wideband RF environment for playback in the lab.
Currently, Pielmeier said, all IFEN simulators are designed for lab use. However, “we recognize an increased request for field-capable RF simulators, specifically to perform spoofing of real SIS to test deployed GNSS receivers in the field. Offering a portable in-field solution is in our mid-term planning, but not a current driver for our developments.”
Testing vs. Mission Planning
How do simulators used by receiver manufacturers in their labs and in the field to tweak existing receivers or develop new ones differ from those used for mission planning? “In most lab simulations, they can just run with a default constellation for a given day,” Erbes explained. “They’ll run that scenario hundreds or thousands of times and never need to change it because they’re testing parts of the receiver that don’t care a whole lot about the specifics of what’s happening.”
Missions, by contrast, are time- and location-specific. Planners need to know which satellites will be overhead at an exact time and place. “When you’re doing real day mission planning, the big problem isn’t so much how to generate a signal, it’s how to find out what’s happening today.”
Increasing Accuracy Requirements
Like those for receivers, accuracy requirements for simulators are increasing to match those of emerging applications. “Everyone’s chasing the goal of getting smaller, faster, and more accurate systems,” said Thomas. “We do real-time simulators, and they want a smaller and smaller delay from when you input the trajectory to when you get the output. Luckily, we’re able to keep up on the hardware side as well, because much of our processing is done using software.”
As accuracy requirements rise, “Real-world testing has an incredibly important role to play,” said Holbrow. Additionally, as resilience testing places increasing demands on test equipment, Spirent Communications now supports “a multitude of vulnerability and corresponding mitigation/prevention test cases” to deal with jamming, spoofing, cyber-attack and CRPA
CAST Navigation’s simulators meet or exceed accuracy requirements, Clark said. “We have pseudo-range accuracy down to a millimeter, our phase coherence doesn’t wander, and we’re able to achieve 2.5 ps to 3 ps synchronization coherence during multi-element, phased-array antenna simulations. We see our customers interested in a higher performing simulator, and that is our commitment.”
Pielmeier had a different perspective on this: “We saw no increase in the required accuracy, as the typical requested accuracies are far beyond the real accuracy of the signals anyway.”
Recent Success Stories
Racelogic has developed a system to replace or augment GPS in tunnels, which often pass over each other or match the routes of surface streets. “We’ve been talking to many cities around the world that are building new tunnels,” said Thomas. “It requires installing repeaters every 30 meters along each tunnel and software that runs on a server and seamlessly updates your position every 30 meters.”
Clark pointed out that CAST Navigation’s “bread-and-butter” for the past few years has been “larger systems that can drive phased array antennas, along with inertial units, and full high-dynamic aircraft, in real-time environments.” He added that “the smaller systems, which used to be popular, have mostly gone by the wayside.”
As a recent success, Holbrow cited Spirent Communications’ release of a Xona simulator, in partnership with Xona Space Systems, as well as the addition of “many realism-related capabilities, including simulating the vibration and temperature effects of inertial systems;” a cloud-based software application called Foresight that enables users to understand the GNSS coverage they would expect at a particular time, location and trajectory based upon accurate 3D scenes; and a simulation test solution for the Galileo Open Service Navigation Message Authentication (OSNMA) mechanism. Finally, he stressed Spirent’s increasing support for automation.
Pielmeier cited the Galileo second generation Test User Receiver contract that IFEN received from the European Space Agency as its most important recent success. “Within this contract, the NCS NOVA+ simulator as RF test tool will be upgraded to full G2G signal generation capability. The new already implemented G2G signals enable shorter time to first fix (TTFF) and improved acquisition performance but also higher update rates (e.g., for PPP-RTK). Through the end of the year, the G2G signal will be fully implemented in our RF simulator, including the next generation of advanced authentication solutions.”
In our 11th annual Simulator Buyers Guide, we feature simulator tools, devices and software from 11 prominent companies that aid GNSS receiver manufacturers in product design.
Alternative RF Navigation Simulator (Photo: Spirent Federal Systems)
New Alternative RF Navigation Simulator. Authorized users of Spirent’s alternative PNT simulation system can generate alternative RF navigation signals individually or concurrently with GNSS signals.
GSS9000. The GSS9000 Series multi-frequency, multi-GNSS RF constellation simulator is Spirent’s most comprehensive simulation solution. It can simulate signals from all GNSS and regional navigation systems and has an unrivaled update rate of 2 kHz (0.5 ms), enabling ultra-high-dynamic simulations with accuracy and fidelity. The GSS9000 supports M-code, Y-code, alternative PNT and non-GNSS sensors, and comes with built-in jamming, spoofing and flex power.
SimMNSA. Spirent Federal has the first fully approved MNSA M-code simulator. Authorized users of the GSS9000 series of simulators will be able to utilize the advanced capabilities of SimMNSA to create robust military GPS user equipment (MGUE) solutions.
Spirent GSS9000 Series constellation simulator (Photo: Spirent Federal Systems)
CRPA Test System. The CRPA Test System is scalable, testing antennas from 4 to 16 elements and beyond. More than 1,000 independent GNSS, jamming and spoofing signals can be generated/simulated across a phase-calibrated precise wavefront.
SimINERTIAL. Supporting the leading embedded GPS/inertial systems (EGI) and inertial measurement units (IMU), SimINERTIAL enables the controllable generation of inertial sensor outputs, synchronous with simulated GNSS, to test integrated GPS/inertial systems in the lab.
Anechoic Chamber Testing. Spirent’s GSS9790 multi-output, multi-GNSS RF constellation wavefront simulator system can be used in both conducted (lab) and radiated (chamber) conditions.
Mid-Range Solutions. Spirent offers solutions for every application and price point. The GSS7000 multi-constellation simulator provides an easy-to-use solution for GNSS testing that can grow with users’ requirements. The GSS6450 RF record-and-playback system enables replay of real-world GNSS tests in the lab.
Based on the Skydel GNSS Simulation Engine, Orolia’s advanced and essential GNSS simulators offer a wide breadth and depth of tools to test mission-critical positioning, navigation and timing (PNT) applications and scenarios.
Skydel Simulation Engine. The highly flexible, high-performance Skydel Simulation Engine transmits GNSS signals in real time to many kinds of software-defined radios. Skydel uses graphics processing units (GPUs) to compute the digital GNSS signal of all simulated satellites, easily scaling from simple to complex use cases. Skydel simulates civil signals from global and regional navigation satellite systems with a 1000-Hz update rate, many kinds of GNSS receiver trajectories with high dynamics, and advanced jamming and spoofing. The Skydel ecosystem also includes features such as open-source plug-ins and API, and the ability to create custom signals. The custom-signal feature allows users to experiment with new signals, such as navigation from low-Earth-orbit satellite systems.
GSG-8. A scalable software-powered turnkey simulation solution, GSG-8 is configurable to meet virtually any testing requirements. It can support multi-constellation, multi-frequency and hundreds of signals with a 1000-Hz iteration rate. This advanced hardware platform is suitable for space trajectories, custom PNT signals, hardware-in-the-loop, multi-antenna simulation, and more. Encrypted EU signals will be available soon.
Skydel CRPA Testing. With self-calibration, integrated advanced jamming and spoofing, and the ability to generate thousands of signals, Skydel CRPA test systems provide everything needed to test CRPA systems, with a focus on ease of use and the testing experience from the user point of view. Two flexible configurations, Skydel Anechoic and Skydel Wavefront, have been carefully designed to provide the advanced simulation features required for CRPA testing in a well-thought-out package. Both provide COTS hardware benefits: configuration flexibility and cost-effectiveness.
GSG-5 and GSG-6. Orolia’s essential simulation platform is a proven, cost-effective simulation solution. Combined with the freely available StudioView software, these simulators provide high-end capabilities in a standalone, portable system that allows operation via a front panel interface. GSG-5 and GSG-6 are available with support for multi-frequency and multi-constellation GNSS signal simulation, pre-built scenarios and test packages, and the features needed to integrate them into ATE systems.
BroadSim 4U, Advanced NAVWAR simulations, MNSA and Y-Code (Photo: Orolia)
Advanced GNSS Simulation for Government & Defense
BroadSim
Powered by the Skydel Simulation Engine, BroadSim provides superior NAVWAR performance, sharing the same benefits and key features of its software-defined platform.
Key Applications
BroadSim Solo: Multi-GNSS simulations on the desktop. (Photo: Orolia)
MNSA M-Code. BroadSim offers a fully flexible implementation of the Modernized NavStar Security Algorithm, giving you full control over scenario settings with the real encryption used on the M-code signal. Any aspect of your scenario can be changed, such as time, date, location, constellation, downlink data, signal configuration, and visible satellites. It is security-approved by SMC Production Corps and shipping as soon as today.
CRPA Testing. BroadSim leverages Skydel’s CRPA testing solution to up the ante for demanding NAVWAR scenarios. BroadSim Anechoic allows you to test an entire system as-is. Skydel auto-calibrates the system, maps the antennas, and is designed to streamline chamber setup and reduce hardware. BroadSim Wavefront tests the antenna electronics, prioritizing the ability to have dynamic trajectories and allowing you to model any scenario with an unlimited number of interferences. The system is scalable from 4 to 16 elements, is phase coherent, performs real-time automated phase calibration, and has built-in jamming and spoofing.
BroadSim Wavefront: Phase-aligned NAVWAR simulator for CRPA (Photo: Orolia)
Advanced Jamming and Spoofing. With Advanced Jamming, users can add ground- and space-based emitters to scenarios, generate an unlimited number of jamming signals on 1 RF output, and simulate flight profiles where interference power levels at the UUT dynamically change depending on the scenario motion. With Advanced Spoofing, users can simulate multiple spoofers simultaneously. Each spoofer can generate any GNSS signal and has an independent trajectory and antenna pattern. Signal dynamics between each spoofer and receiver antenna are automatically determined so no time is wasted.
More Features. Inertial and alternative RF navigation, built-in Flex Power, real-time performance with ultra-low latency of 5 ms, high dynamics, terrain modeling, and RMF STIG compliance.
Test Anywhere with LabSat 3 Wideband and SatGen Simulation Software
LabSat 3 Wideband. The LabSat 3 Wideband is a compact yet powerful multi-constellation and multi-frequency GNSS testing solution. The easy-to-use, one-touch record-and-replay function provides an efficient way to test and develop GNSS-based technology without the cost and limitations of live-sky signals.
It is lightweight and portable, enabling easy collaboration with colleagues by sharing scenario files over the internet, and making it a suitable test partner for remote working. Additionally, the removable solid-state drive (SSD) of up to 7 terabytes and a two-hour runtime provided by an internal battery make it ready for field testing in any environment.
LabSat 3 Wideband can record and replay up to three different channels at 56-MHz bandwidth across all major constellations and signals, including:
GPS: L1/L2/L5
Galileo: E1/E1a/E5a/E5b/E6
GLONASS: L1/L2/L3
BeiDou: B1/B2/B3
NavIC: L5/S-band
QZSS: L1/L2/L5
L-band correction services including SBAS
2x CAN and 4x digital input channels tightly synchronized with GNSS data
Future signal launches are also supported, including L2C, L5 and L1C
SatGen Simulation Software. SatGen software allows users to quickly create bespoke, accurate scenarios with their own time, location and trajectory that can be replayed via a LabSat GNSS simulator.
The latest version of SatGen can be used to create a single scenario containing all the upper and lower L-band signals for GPS, Galileo, GLONASS, BeiDou and NavIC.
When getting the job done right the first time — and every time — matters, CAST Navigation’s suite of simulator solutions delivers precision, accuracy and repeatability. From simple integration testing to complex mission simulations, CAST Navigation solutions scale to meet user requirements.
Powered by multi-frequency, multi-constellation GNSS and interference signal-generation technology, CAST Navigation simulators provide coherent, highly accurate and fully programmable signals. Advanced, configurable vehicle trajectory capabilities meet project requirements ranging from antenna testing to simulations of squadrons maneuvering in contested environments.
Intuitive Graphical Interface. A comprehensive and intuitive graphical interface unifies all simulator capabilities so users can configure complex simulation scenarios quickly. For example, CAST Navigation simulators can model many vehicle types with static and dynamic motion profiles: airborne, terrestrial, aquatic or space-based. Using configured scenario profiles or vehicle truth data, CAST Navigation simulators create high-dynamic, 6-DOF real-time trajectories.
High-Fidelity Simulations of Real-World Conditions. CAST Navigation solutions can reproduce terrain, sea-state and atmospheric effects to simulate missions with high fidelity. Jamming capabilities recreate natural, urban and hostile interference to produce precisely controlled waveforms with high output power and exceptionally low intermodulation noise.
Multi-Frequency, Multi-Constellation Simulations. The GPS/GNSS simulators generate accurate, programmable signals to each antenna element with up to 16 satellites in view from as many as four constellation types. GPS simulations can generate any positioning signal (C/A-code, P-code, Y-code, SAASM, M-code AES and M-code MNSA).
Modular, Scalable Solutions. Proprietary synchronization technology lets CAST Navigation configure customer solutions with multiple simulator capabilities — GPS/GNSS, inertial, jamming, and CRPA — to meet specific project needs. As those needs evolve, these solutions do not become obsolete. Rather than replace a functioning system, customers can rely on modular architecture to meet their new requirements.
The NCS NOVA GNSS simulator is a high-end, powerful and easy-to-use satellite navigation testing and R&D device. It is fully capable of multi-constellation and multi-frequency simulations for a wide range of GNSS applications. It is one of the leading solutions on the market, providing multiple GNSS frequencies in one box.
Because of the modern and flexible software-defined radio (SDR) design of this simulator, testing requirements will be met with the minimum of equipment, facilitating logistics and reducing the cost of ownership. The innovative multi-constellation and multi-frequency simulation capability sets new standards in the field of GNSS simulation in terms of fidelity, performance, accuracy and reliability. Designed to deliver maximum flexibility, users are no longer faced with configuration limitations.
The NCS NOVA GNSS simulator is also able to coherently generate GNSS RF signals on two independent RF outputs simultaneously. The user may freely allocate GNSS signals and RF channels to each of the RF outputs. This feature allows simulation of GNSS signals at two antenna locations simultaneously (this could be two antennas on a vehicle, two separate vehicles maneuvering independently, or a static location plus a mobile unit).
A new key enhancement to the NCS NOVA GNSS simulator is comprehensive support of new Galileo OS signal message improvements on E1B. By enabling real-time simulation of the Galileo OS message improvements, the NCS NOVA expands a user’s Galileo signal capability.
In the future, the NCS NOVA also will fully support the new Galileo E1B OS Navigation Message Authentication (OS-NMA) and Galileo E6B High Accuracy Service (HAS) capabilities.
The NCS NOVA GNSS simulator is the first choice in signal simulation for a wide range of applications including space, aviation, automotive (including autonomous driving testing) and many others.
About IFEN. IFEN is a leading provider of GNSS navigation products and services. Its technology portfolio includes GNSS RF-signal simulators, GNSS software receivers, simulation and data processing tools. IFEN’s outstanding satellite navigation expertise is provided to customers for services including GNSS system studies, research and development of navigation and integrity algorithms, design and development of GNSS software and hardware, on up to engineering of turnkey facilities and systems.
The MGSE product family creates a versatile GNSS test and simulation environment that improves the development, qualification and certification process of GNSS receivers within development phases and for validation and certification in end-to-end tests.
MGSE enables mobile and stationary interference monitoring, for example, for protecting critical infrastructures. It can be used for interference mitigation if combined with TeleOrbit’s GNSSA-6E (six-element antenna array) or its GNSS DCP (dual circularly polarized) antenna.
With MGSE REC-REP 2.0 users can, among other tasks, record Galileo PRS signals in a real user environment and replay them for Galileo PRS receiver testing.
MGSE SIM-REP supports the development of software-defined radios/receivers or specialized algorithms by creating a simulation environment that provides the possibility and flexibility to use synthetically generated GNSS data and recorded real-world samples.
For jamming and spoofing test and evaluation, TeleOrbit offers a sophisticated solution based on the MGSE simulation, recording and replaying product family. For spoofing mitigation, the GOOSE-OSNMA receiver platform is available.
Technical Background
The multi-band RF front-end (MGSE REC) receives the GNSS RF signals in different frequency bands simultaneously to obtain digital IF data, which can be used for GNSS multi-system signal analysis and comparison. All GNSS L-band frequencies and the NavIC S-band are supported.
The MGSE Replay Unit includes a flexible multi-band RF replay device that streams simulated and recorded raw IF data to a digital baseband output or to an analog RF signal. Up to two independent RF channels and up to four GNSS signals (L1, E1, B1, G1) can be provided.
GOOSE is a powerful yet compact GNSS receiver lab and the rapid prototyping solution for leading-edge GNSS receiver development.
The GNSSA-DCP (dual circularly polarized antenna) receives RHCP and LHCP signals simultaneously (full L-band). It clearly detects signals which have been corrupted by diffraction and reflections.
WORK Microwave’s Xidus is well-known for meeting all requirements regarding multi-GNSS; for its multi-frequency and multi-RF signal generation; for its innovative Signal Extension and Enhancements (SEE) technology; for its advanced customization and configurability; and for world-class remote support with updates, training and even scenario execution.
Xidus Signal Module
Compact and powerful, the Xidus Signal Module provides new capabilities of signal generation. Users can perform rigorous and extensive testing of present and future positioning systems when conducting navigation research or developing products.
Possible applications: pseudolite generation, massive multipath or navigation signal generation on various orbits.
Extensive increase of supported channels: >250.
Unlimited number of multipath channels with delay >3,000km.
Interference signal generation on up to four independent frequencies.
Acts as a software-defined radio (SDR) to replay signals.
Xidus-648 (Photo: Work Microwave)
Xidus Hardware Series
Xidus-424 GNSS Simulator
Up to 4 signal modules
2 RF outputs
Wide dynamic power range
Xidus-648 GNSS Simulator
Up to 8 signal modules
4 RF outputs
1,000 Hz update rate
Xidus-Studio Client Software
Xidus-Studio provides a user-friendly graphical interface to configure any GNSS scenario. Its advanced and outstanding features include:
QA707 is the cutting-edge solution for global threat GNSS awareness and management. It is a GNSS simulator specifically designed to test cyber-attacks and authentication, and includes the simulation of GNSS interference, deception, jamming, spoofing and advanced cyber-threats such as data- and code-level attacks.
The high flexibility in the creation of the scenarios and the definition of the type of attacker allow cyber-threat and vulnerability testing for several applications. These applications may include, for example, autonomous driving and vehicle tracking, aeronautics and high dynamics applications, space GNSS receivers and timing.
OSNMA Support. The Galileo Open Service Navigation Message Authentication (OSNMA) simulation is an opportunity to test the new Galileo data protected service against several known vulnerabilities in GNSS applications. The OSNMA simulator is also available as a standalone tool, allowing the generation of OSNMA data that can be used with third party simulators.
PC-capable. QA707 runs on a standard PC. It is compatible with several third-party hardware RF up-converters, including National Instruments’ USRP. Additionally, it can support customer-specific hardware through the hardware API interface.
QA707 Main Features
Multi constellation (currently GPS L1, GALILEO E1, SBAS L1)
Galileo OSNMA
RF simulation, binary file dump, signal record and replay
Support to SDR platforms and open API for custom RF upconverters
Runtime streaming of scenario information over UDP (motion, channel data)
Data level cyber-attacks
Accurate spoofing signals control, trajectory spoofing, signal replay attacks
Narrow band, wide band, frequency modulated jamming
Integrity threats (on request): evil waveform, erroneous ephemerides, code/carrier divergence, low satellite signal power, excessive range acceleration
The StellaNGC all-in-one testing platform. (Photo: M3 Systems)
High-end multi-constellation and multi-frequency GNSS Simulator and Record & Playback
M3 Systems offers a fully integrated all-in-one testing solution for GNSS. Thanks to a versatile SDR approach, StellaNGC provides on a single HW platform GNSS simulation and GNSS record & playback functionalities. It answers user challenges from aerospace, defense, ground transportation and telecommunication fields when testing the PNT functions of their GNSS-based systems.
StellaNGC Plug & Play. This fully scalable and customizable simulator is based on a layered architecture to provide PNT data to the user at different levels (RF, IQ, GNSS raw data, trajectory).
Based on COTS platforms from National Instruments (NI), StellaNGC P&P allows the simulation of civil signals from GNSS as well as ground-based and satellite-based augmentation systems. It covers terrestrial, aerial and spatial trajectories (including high dynamics). It also enables assessment of GNSS solution robustness with jamming, meaconing and spoofing capacity.
Multi-antenna (CRPA applications) and multi-trajectories
Jamming and spoofing simulation
Cm-level positioning
Low latency HIL simulation
SBAS and RTK augmentation systems
3D multipath generation
IMU sensors modelization
Configuration of all scenario parameters
Signal control during run-time
Intuitive and easy to use GUI
StellaNGC Record & Playback. As a complement to simulation, StellaNGC RP allows test and validation of PNT functions through high-fidelity record-and-playback of GNSS signals. It allows recording by selection of a center frequency (65 MHz–6 GHz) or with a predefined list of GNSS frequencies for each of its 4 RF channels, with a bandwidth of up to 120 MHz.
StellaNGC R&P Main Features
Multi-bands record & playback
Programmable center frequency and bandwidth
Single or multi-channel (up to 4) simultaneous records
The 18-channel miniature full-constellation CLAW GPS Simulator is a fully self-contained, low size, weight, power and cost (SWaP-C) miniature GPS simulator. It is very popular in manufacturing environments as well as R&D applications that require consistent and repeatable local GNSS signals at low price points.
The CLAW simulator does not require external computers for processing and control — it works fully self-contained by simply applying power, and storing location/time/date data in internal non-volatile memory, or by storing complex vector data to simulate highly dynamic scenarios. The CLAW also can be used to transcode NMEA or SCPI position/velocity/time (PVT) data into GPS RF signals. For 2022, JLT added driver support for a large number of additional GNSS front-end receivers when using the hardware-in-the-loop (transcoding) feature of the unit to, for instance, transcode from one GNSS system to another.
JLT offers an easy-to-use, highly configurable and cost-free SimCon Windows application program that is downloadable from the JLT website. SimCon allows random scenario generation and is thus usable to simulate leap-second events, Week 1023 rollover events, or any other GPS live-sky scenarios, including highly complex yet easy-to-create dynamic vector simulations.
For authorized U.S. government users, a version that does not have altitude and velocity limitations is popular for low-Earth-orbit (LEO) simulations. Multipath simulation allows use of the entire 18-channel simulator capability.
The unit can be field-upgraded with an easy-to-use in-field software upgrade feature. The CLAW is also very useful in GNSS receiver sensitivity testing for R&D or mass-production assembly lines as it allows accurate control of RF output power ranging from –100 dBm to less than –130 dBm with 0.1-dB resolution and typically better than 1-dB accuracy over the controllable power range.
The CLAW GPS Simulator also has a built-in RF signal generator with sweep, CW and random noise functions that are useful in simulating GNSS jamming scenarios, as well as GPS spoofing scenarios. The simulator comes in an FCC-certified metal desktop enclosure with numerous accessories.
The CLAW firmware has been updated to allow live-sky almanac and ephemerides to be automatically uploaded from various externally connected GNSS receivers. This makes simulations using real-time live-sky constellations (such as used in simulating spoofing attacks) an easy task. A free firmware update is available from JLT.
High-end GNSS simulation solutions for R&D, integration and product testing
Syntony GNSS specializes in GNSS/PNT software-defined receiver (SDR) technologies, operating from receivers to test and measurements solutions. Its products and solutions address multiple markets and use cases in the space, defense and transportation industries.
Constellator. (Photo: Syntony)
Constellator GNSS Simulator. Scalable, cost-effective, and high-fidelity SDR software-based platform supporting multi-constellation signals and frequencies (open, restricted and custom), hundreds of signals at 1-kHz iteration rate at zero effective latency, space trajectories and high dynamics. Multiple upgradable hardware configurations are available.
Constellator CRPA. Synchro-phase SDR by design, advanced jamming and spoofing, thousands of signals, 4 to 16 elements.
Echo. (Photo: Syntony)
Echo Recorder & Replayer. High-fidelity record-and-replay devices characterizing group-delay, scintillation, and jamming and spoofing interference, from space to ground market segments.
3 RF channels of 200 MHz sampling rate
16 bit I/Q
Up to 1.6 GB/s write/read speed.
SubWAVE manager. (Photo: Syntony)
SubWAVE GNSS/GPS Coverage Extension. Universal and seamless GPS/GNSS coverage extension for rail, road and mining infrastructures. SubWAVE signals are natively compatible with every GNSS-enabled device, and the solution uses existing telecom infrastructure to broadcast GNSS signals.
New Galileo OS SIS ICD V2.0 is now fully supported by IFEN’s NCS Nova GNSS simulator
IFEN GmbH, a manufacturer of GNSS navigation test products and services, announced that its NCS Nova GNSS simulator now fully supports the simulation of Galileo Open Service (OS) signal improvements based on the new Galileo OS SIS ICD V2.0.
The NCS Nova GNSS simulator is a high-end, powerful and easy-to-use satellite navigation testing and R&D device. It is fully capable of multi-constellation and multi-frequency simulations for a wide range of GNSS applications. It provides multiple GNSS frequencies in one box.
A key enhancement to the NCS Nova GNSS simulator is comprehensive support of new Galileo OS signal message improvements on E1B. By enabling real-time simulation of the Galileo OS message improvements, the NCS Nova GNSS Simulator expands the user’s Galileo signal capability.
The NCS Nova GNSS simulator will, in future, also fully support the new Galileo E1B OS-Navigation Message Authentication (OS-NMA) and Galileo E6B High Accuracy Service (HAS) capabilities.
The GNSS simulator enhancements were developed through ESA’s Navigation Innovation and Support Programme (NAVISP) Element 2, within the project STX2G.
“Through a simple software update, NCS Nova GNSS Simulator customers can automatically generate the new Galileo signal capabilities,” said Günter Heinrichs, head of Client Solutions at IFEN. “Adding Galileo OS signal improvement support to our NCS Nova GNSS simulator comes at the perfect time given the recent release of the Galileo OS SIS ICD V2.0 specification.”
IFEN GmbH’s Titan GNSS simulator has up to 256 channels (and 1024 multipath channels) and up to 4 RF outputs per chassis, providing flexibility and outstanding performance, according to IFEN.
The extra complexity and cost of using multiple signal generators is avoided, improving reliability without compromising on functionality, IFEN said in a news release.
The innovative design of the NCS Titan allows users to configure channels for any GNSS signals and allocate those channels to any of the RF outputs fitted. This flexibility enables the same simulator hardware to be used for an extensive range of tests, for all types of GNSS applications.
The NCS Titan GNSS simulator by IFEN.
The NCS Titan sets new standards in the field of GNSS Simulation, in terms of fidelity, accuracy, dynamics, iteration rates and reliability, the company said.
“The launch of our brand new NCS Titan GNSS Simulator represents another milestone for our NCS GNSS simulator products,” explained Günter Heinrichs, head of customer applications at IFEN. “This shows clearly once again our commitment to ongoing product enhancement and dedication to providing our customers with the best GNSS test equipment on the market.”
The NCS TITAN GNSS Simulator has been developed in cooperation with WORK Microwave GmbH, Germany.
“Prepare for Tomorrow: Find Vulnerabilities Today” was the title of our wide-ranging webinar in July that focused on GNSS signal simulation for jamming and spoofing scenarios. We did not have time to address all the questions posed by the audience, so we return to them here.
Q: While testing receivers, realistic scenarios for jamming and spoofing are very important. What is the typical approach to set the number of interference sources, their type and main signal parameters?
Two different approaches are common, those involving the use of an anechoic chamber and those which are lab-based. Each approach has its limitations and merits. Each approach must address the number of significant interferers, their signal powers and the waveforms of the interference signals. Each must also consider the geometric arrangement of these interferers relative to the antenna under test and relative to the simulated constellations under test.
Changes in signal phase, signal Doppler and signal power are as important for the interference signals as they are for the wanted GNSS signals. These changes are caused by the simulated motion of the vehicle and potentially the motion of the interferers. These changes should also include the impact of terrain surrounding the vehicle and the interferers, and also the gain and phase patterns of the receive antenna on the vehicle and the transmit antennas on the interferers. Some interferers might be discounted from the significant set due to their signals being masked from the vehicle by the terrain or antenna patterns or by them being too far from the vehicle to have an impact. These interference signals may become significant as the scenario progresses due to vehicle or interferer motion.
Simulator graphical user interface. (Image: Spirent Federal Systems)
Q: In GNSS navigation systems for commercial applications, what emphasis of design effort should be on anti-jamming/anti-spoofing over improving the navigation accuracy?
Commercial applications is a broad area, so it will depend on the particular application as to whether it needs more accuracy or more resiliency against AJ/AS, but in general, the accuracy of GNSS is fairly mature. Standard GNSS offers accuracies on the order of ~1 meter. Centimeter accuracy can be achieved with differential or real-time kinematic (RTK). Multi-constellation use can increase availability in areas with limited sky view such as urban canyons. Multi-frequency can aid in the reduction of multipath and improve accuracy. If the application needs accuracy, these features are readily available.
However, integrity and resiliency are growing needs in commercial applications, especially ones that are in critical operations. Much more can be done to detect jamming and spoofing than what is in standard GNSS receivers today. In our systems, we include an additional software layer called BroadShield, which monitors internal state variables of the receiver, and will alarm on detection. Additional sensors combined with the GNSS receiver such as an inertial measurement unit (IMU), magnetometer, odometer, or even the much stronger Satellite Time and Location (STL) signal offer augmentation during periods of GNSS denial, or in the case of spoofing, authentication of the navigation solution.
While both jamming and spoofing are intentional attacks, they are highly different in their set-up and serve very different purposes. Due to their simplicity, most jamming attacks can be mitigated thanks to adaptive filtering or pulse blanking. On the other hand, spoofing is a malicious attack, highly complicated, and requires knowledge of the GNSS signal structure as well as precise timing and positioning.
The question is thus whether one should emphasize navigation accuracy over the ability to output a position (jamming case) or the possibility to output a completely erroneous position (spoofing case). The answer lies, obviously, in the end application and the coupling of GNSS receivers with other systems. High-precision non-life-critical applications should emphasize navigation accuracy while implementing simple jammer filtering strategies. Life-critical applications, being often coupled with other systems, should ensure the reliability of the solution even if that means being unable to compute a position due to potential threats.
Q: Do you have GPS/inertial navigation system (INS) test capabilities?
The CAST-3000 EGI integration system produces GPS RF signals commensurate with simulated IMU sensor data to provide repeatable testing in the integration laboratory for a wide range of military and government applications.
CAST GNSS/INS simulators generate high-fidelity signals required for emulating the legacy GPS signals as well as those used by next-generation navigation technologies. This is because our sole business focus is supplying GNSS simulators, GNSS/INS test equipment, and GNSS/INS support services to government and military avionics laboratories, prime contractors, and GNSS receiver manufacturers. For 35 years we have provided off-the-shelf products to both the government and U.S. major defense contractors.
CAST EGI integration tools are used by Northrop Grumman and Honeywell and are now also being used in integration laboratories worldwide. Our equipment supports system integration in major weapons platform labs and development at major military contractor labs. CAST simulators produce high-quality, accurate signals that are used in government, military and commercial labs around the globe.
Our NCS TITAN GNSS simulator is able to emulate the presence of IMUs and micro electro-mechanical systems (MEMS) sensors with the optional available real-time IMU/Sensor Emulation Package (SEP). The SEP upgrades the TITAN to support the simulation of inertial sensors, which nowadays are implemented as MEMS, among others, and of other common aiding sensors. To obtain more accurate positioning for location-based services and navigation, GNSS chipset and receiver manufacturers as well as system integrators combine more and more GNSS navigation with such sensor fusion or signals of opportunity.
The optional SEP enables controlled and progressive testing of sensor-fusion algorithms when used with NCS Control Center operating software. This software supplies the SEP with an internally- or externally-generated center-of-gravity (CoG) trajectory for the device under test.
The various sensor models to be emulated by the SEP run within the Control Center software. The device under test (vehicle) input trajectory at the CoG passes through the sensor model, which in turn generates the appropriate sensor output, by taking into account the corresponding error model for each sensor defined.
We have added the capability to emulate INS/IMU data in addition to GNSS signals to our Constellator simulator, to offer to the customers a complete testing platform. Constellator can simulate up to six gyrometers and six accelerometers. The attitude of each sensor is defined with respect to the vehicle axes. Deterministic errors can be configured to simulate the axis misalignment and scale factors, and biases can be defined in order to simulate realistic sensors. Stochastic error models are also available such as random walk or Gauss-Markov models for each sensor (gyrometer or accelerometer) to improve the sensor emulation fidelity.
Q: Do you have detailed scenarios for jamming and spoofing in timing use of GNSS receivers, that is, involving time synchronization for telecommunications companies?
The simulated jammer’s signal specification must be very flexible in order to faithfully simulate real-world jamming events. For example, the jammer’s spectral shape should be flexible enough to simulate a Blue Force electronic attack (BFEA) on a GNSS receiver.
Also, the simulator should be able to simulate dynamic scenarios by varying the power of the jammers as a function of their trajectories and as a function of different antenna patterns.
Sometimes when testing receivers, the simulated jammers should replicate pre-recorded waveforms from real world. The ability to play back the pre-recorded IQ-baseband signal in conjunction with GNSS signals is another powerful feature of a simulator. Simulation of spoofing attacks on a GNSS timing receiver is only possible when the GNSS simulator provides fine-grained control of transmitted signal. This includes controlling the offsets on the pseudoranges with additive ramps, as well as individual signal power levels at very precise points in time.
Also, the GNSS simulator must be able to synchronize itself with the live sky’s GNSS signal. Another way to achieve realistic spoofing is to use two simulators controlled independently (that is, full control on constellation, navigation message, propagation time offset, power and so on).
FIGURE 1. Real-world jamming simulation must take into account key factors such as varying jammer power, as a function of their trajectories and antenna patterns. (Image: Skydel)
Q: Please discuss how to simulate a smart spoofer that would generate a replica of a constellation (or all constellations) and then produce two full RF transmissions: one that is the true signal, and a strong spoofed signal that pulls the receiver to a false location. Can you simulate the two full multi-band RF ensembles?
Two artificial synchronized scenarios could be created using SatGen signal generator software that can reproduce the GNSS signals from a number of constellations. The user could create two separate signal streams, both starting at exactly the same position and time and using the same constellations, chosen by the user.
The second scenario could then be set to diverge away in position from the first scenario, while staying perfectly synchronized in time. The signal-to-noise ratio of each scenario could be adjusted independently of each other to simulate a spoofing situation where the spoofing signal is much stronger than the real signal. A file containing this twin scenario can be replayed using a LabSat Wideband with two separate RF outputs, each synchronously replaying the two different scenarios. This would closely simulate the actions of a smart spoofer, but in a completely repeatable, and controllable manner.
This could be accomplished by either combining the output of two of our CLAW GPS simulators, or by combining the output of a single CLAW simulator with live-sky signals using passive industry-standard splitters/combiners. The CLAW is able to receive a custom ephemeris download in RINEX format to match either the spoofed live-sky constellation, or to generate a synthesized constellation in the case where two CLAW simulators are being used.
The simulator has a wide RF power adjustment range of over 45-dB, allowing the spoofing signal to be gradually introduced to the primary GPS constellation RF signal. This spoofing simulation could be accomplished with better than 0.5 meter peak-to-peak positioning accuracy and better than 5-ns root-mean-square (rms) typical UTC (GPS) offset unit-to-unit, allowing the victim receiver to be pulled off of its true (live-sky) position with very high accuracy. Typically, GPS receivers are spoofed easily as long as the UTC timing synchronization is 500-ns or better between the live-sky and spoofed signals.
Timing synchronization to the spoofed victim GPS signal to within nanoseconds is achievable through the external 1PPS reference input, the simulator accepting a position, navigation and timing (PNT) fix in real time via its NMEA serial and 1PPS inputs. This allows capturing a moving victim receiver by estimating its momentary position, then ramping up the spoofer power, and then presenting the victim receiver with alternate position information as required (see Figures 2 and 3).
High position and timing accuracy between the spoofed and live-sky signal is important to prevent and mitigate spoofing detection via UTC phase or position jumps that could happen when the receiver gradually or quickly switches over to the spoofed satellite signals.
FIGURE 2. Spoofing attack on a GPS receiver using a CLAW simulator to spoof a live-sky antenna signal. Initially the spoofer was phase- and frequency-synchronized to UTC(GPS), then spoofer RF power is ramped up, and once the victim GPS receiver is captured, a frequency offset is added to UTC(Spoofer), which pulls the system off-phase. (Figure: Jackson Labs)
FIGURE 3. Simulating a spoofing attack on a timing application where the spoofer does not know the exact victim antenna location with certainty. The resulting antenna position offset error (50 meters in this simulation) still allows the victim receiver to be captured, and then causes a time error as satellites move in and out of view even with the spoofer being synchronized to UTC(GPS) at all times. This error is clearly visible in the resulting UTC(Spoofer) output from the victim receiver equipment. (Figure: Jackson Labs)
Q: We want to correctly model and simulate effectiveness of various anti-jamming (AJ) and anti-spoofing (AS) solutions to make informed decisions about which AJ/AS solution is most effective for a specific mission and interference scenario. How can you help?
Live-sky testing on a jamming/spoofing range provides a wealth of data, and reassurance that the system under test does work as intended. Record and playback systems (RPS) under live-sky conditions can allow further evaluation back in the lab, after the live-sky tests are complete. Performance parameters of the RPS may degrade the validity of the signal when played back; signal bandwidth and bit-depth are absolutely key, for example. Recordings that use too few bits will degrade the dynamic range of the recorded signals, so significant care should be taken when selecting an RPS.
Either way, under live-sky or with recorded live-sky, you get what you get. It is extremely difficult to predict what the test parameters actually are. It is perilous to attempt to alter the test parameters after the event. Lab-based or anechoic chamber-based systems have their limitations, but they are repeatable, predictable and tweakable. Again, performance parameters of the simulation system play a key role in the validity of the testing. The ability to calibrate the simulation system to give a repeatable, predictable performance is as important as the realism of the simulation. Carrier-phase accuracy/repeatability among antenna elements and signal timing accuracy are important parameters when evaluating AJ and AS systems.
Q: We had a receiver where the time stamp for any location report would drift off progressively, up to an hour off of the known true location. What might contribute to this? We do not believe this was an intentional threat, but an artifact of nearby electronics or other system conditions. It actually occurred on a pivot irrigation arm in motion, with substantial vibration. The receiver was electrically isolated. The results were repeatable on the pivot arm, but not on our vibration table.
Interesting problem with no obvious answer. Even the worst oscillator will take many months to drift off by up to an hour with no GNSS, even under horrible vibration conditions, so this is an unlikely cause. Is it drift or a jump in error? Nearby electrical noise could cause GNSS denial (jamming), but not erroneous data. That requires spoofing. If you have no reason to believe that it is intentional, that makes spoofing unlikely, but still possible. Is a GNSS repeater or a record/playback GNSS tester operating in the area? These are spoofers, even if they are unintentional.
If this is a precision agriculture application, then an RTK reference station transmitting erroneous data could be the cause. What time-stamping format is used: local time or UTC? An unlikely but possible scenario is the unit is changing time zones so local time jumps an hour. Is there a processor/software app between your output and the actual GNSS receiver? This could introduce errors. What is the position output indicated when the time drift occurs? The best way to diagnose this is to record the time and position output as log files using a laptop PC connected to the serial data.
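The logging step recommended in the answer above can be turned into a quick check, shown here as an added example that is not from the original article or any vendor. It assumes the serial output is NMEA 0183 RMC sentences and that the laptop prefixes each line with its own clock in epoch seconds; the log layout, function names, thresholds and sample data are constructed for illustration.

```python
import math
from datetime import datetime, timedelta, timezone

def checksum(body):
    """NMEA 0183 checksum: XOR of all characters between '$' and '*'."""
    c = 0
    for ch in body:
        c ^= ord(ch)
    return f"{c:02X}"

def parse_rmc(sentence):
    """Return (utc, lat_deg, lon_deg) for a valid RMC sentence, else None."""
    sentence = sentence.strip()
    body, _, given = sentence[1:].partition("*")
    f = body.split(",")
    if not sentence.startswith("$") or given.upper() != checksum(body) or len(f) < 10:
        return None                      # corrupted or truncated line
    if not f[0].endswith("RMC") or f[2] != "A":
        return None                      # not RMC, or receiver flags the fix as invalid
    def deg(v, hemi, width):             # ddmm.mmm / dddmm.mmm to signed degrees
        d = int(v[:width]) + float(v[width:]) / 60.0
        return -d if hemi in ("S", "W") else d
    try:
        utc = datetime.strptime(f[9] + f[1][:6], "%d%m%y%H%M%S")
        utc = utc.replace(tzinfo=timezone.utc) + timedelta(seconds=float("0" + f[1][6:]))
        return utc, deg(f[3], f[4], 2), deg(f[5], f[6], 3)
    except ValueError:
        return None

def dist_m(a, b):
    """Flat-earth distance in metres between two (lat, lon) fixes; fine for short hops."""
    dy = (b[0] - a[0]) * 111_320.0
    dx = (b[1] - a[1]) * 111_320.0 * math.cos(math.radians(a[0]))
    return math.hypot(dx, dy)

def analyse(lines, jump_s=0.5, max_speed_mps=15.0):
    """Separate steps from slow drift in (receiver UTC - host clock); flag position hops."""
    fixes = []
    for line in lines:
        host, _, sentence = line.strip().partition(" ")
        parsed = parse_rmc(sentence)
        try:
            host = float(host)
        except ValueError:
            continue
        if parsed:
            fixes.append((host, parsed[0].timestamp() - host, parsed[1:]))
    rep = {"fixes": len(fixes), "time_jumps": [], "position_jumps": [], "drift_ppm": 0.0}
    drifted = elapsed = 0.0
    for (h0, o0, p0), (h1, o1, p1) in zip(fixes, fixes[1:]):
        if abs(o1 - o0) > jump_s:        # step, e.g. a local-time change or replayed signal
            rep["time_jumps"].append((h1, round(o1 - o0, 3)))
        else:                            # smooth change: accumulate for the drift rate
            drifted += o1 - o0
            elapsed += h1 - h0
        if dist_m(p0, p1) > max_speed_mps * max(h1 - h0, 1.0):
            rep["position_jumps"].append((h1, round(dist_m(p0, p1))))
    if elapsed:
        rep["drift_ppm"] = drifted / elapsed * 1e6
    return rep

def make_log(n=8, interval=1, step_at=None, step_s=0, drift_ppm=0.0, start=1_700_000_000):
    """Constructed sample log: '<host epoch> <RMC>' lines from a stationary receiver."""
    base = datetime.fromtimestamp(start, tz=timezone.utc)
    out = []
    for i in range(n):
        err = i * interval * drift_ppm * 1e-6 + (step_s if step_at is not None and i >= step_at else 0)
        t = base + timedelta(seconds=i * interval, microseconds=round(err * 1e6))
        body = (f"GPRMC,{t:%H%M%S}.{t.microsecond // 10000:02d},A,4807.038,N,"
                f"01131.000,E,0.0,0.0,{t:%d%m%y},,,A")
        out.append(f"{start + i * interval:.2f} ${body}*{checksum(body)}")
    return out

if __name__ == "__main__":
    print("hour step :", analyse(make_log(step_at=5, step_s=3600)))
    print("slow drift:", analyse(make_log(n=6, interval=600, drift_ppm=500)))
```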
Q: Do your simulators work as well for testing handheld, consumer-grade GPS? Please discuss the differences in testing techniques or approaches for high-precision vs. mass-market receivers?
We have a range of simulators suitable for all levels of GNSS testing. If you don’t need the high fidelity and wide bandwidth of the LabSat Wideband, then the entry level LabSat 3 will also work with any GNSS device including handheld consumer-grade products.
To fully explore the performance of high-precision receivers, including multipath effects and P-code reception, a wider bandwidth and a greater number of bits would be required to capture and replay all of the available signals. For these applications, we recommend a bandwidth of 56 MHz and at least 4 bits of resolution.
For testing of consumer-grade, handheld devices with simpler RF front ends, we recommend a much reduced bandwidth of around 9 MHz and only 2 bits of resolution. This smaller bandwidth and fidelity will easily reproduce the majority of real-world conditions, and the resulting data files will be much easier to handle.
FIGURE 4. Simulator graphical user interface. (Image: Racelogic)
Q: How many GNSS signals can a software-defined radio produce?
The theoretical limits of a software-defined radio (SDR) are based on four distinct characteristics of the SDR: the digital-to-analog converter’s (DAC’s) bit resolution, the maximum sampling rate, the bandwidth and the number of RF outputs. With most SDRs, available bandwidth is defined by the sampling rate.
With a 16-bit DAC, there is enough dynamic range to generate up to 50 GNSS signals and hundreds of multipath echos (with more than 60 dB of range to accommodate different signal power levels) per RF output.
For example, with a sampling rate of 50 MSps, a 40-MHz wide signal — combining GNSS constellation signals such as GPS L1 C/A, Galileo E1, GLONASS G1 — can be generated. Nowadays, SDRs can have two or more RF outputs and are able to operate with sample rates of 100 MSps or higher. By distributing the GNSS signals across different RF outputs, the entire GNSS spectrum can be covered at a relatively low cost in terms of hardware.
A handful of SDRs can easily be synchronized to form multiple RF output systems. In such cases, the complete range of GNSS signals for all visible satellites can be generated at the same time.
Q: In a dual-frequency receiver would it be possible to still use L1 spoofed/jammed with L2 clean to get an accurate position? Is it possible to do a combination between the two signals in order to save the spoofed/jammed L1?
In principle, it is still possible to use L1 spoofed/jammed with L2 clean in a dual-frequency receiver to get an accurate position. Such receivers are available as off-the-shelf products. These receivers use a special algorithm to detect if a GNSS frequency band is spoofed/jammed and automatically switch over to the clean frequency band. However, this principle can only be applied if the entire GNSS spectrum is not completely jammed. Whether a dual-frequency receiver can still use L1 spoofed/jammed with L2 clean to get an accurate position is therefore finally basically dependent on the overall bandwidth of the interferer/jammer.
With IFEN’s TITAN simulator, it is possible to easily create the corresponding simulation scenarios for the real-time simulation of realistic test scenarios to test the robustness of GNSS receivers against interference/jamming and also spoofing. In doing so, various static and dynamic interference/jamming sources are supported by the simulator’s software.
It is possible to achieve a PNT solution using L2 signals only. This requires reception and decoding of either the military L2 P(Y) signal, or reception of the new but still pre-operational L2C commercial signal. Codeless or semi-codeless commercial L1/L2 receivers rely on tracking the carrier phase on L2 to be able to mitigate effects such as solar flares and ionospheric errors; however, they are not capable of generating a PNT solution with L2-only reception as would be the case under this spoofing/jamming scenario.
P(Y) signal reception on L2 typically requires reception of the coarse acquisition (C/A) signal on L1 prior to tracking P(Y) unless the receiver has its own internal (atomic) time-base synchronized to UTC to the sub-microsecond level.
IFEN GmbH has launched its new NCS Titan GNSS simulator. The NCS Titan has up to 256 channels (and 1024 multipath channels) and up to 4 RF outputs per chassis, providing flexibility and outstanding performance, according to IFEN.
The extra complexity and cost of using multiple signal generators is avoided, improving reliability without compromising on functionality, IFEN said in a news release.
The innovative design of the NCS Titan allows users to configure channels for any GNSS signals and allocate those channels to any of the RF outputs fitted. This flexibility enables the same simulator hardware to be used for an extensive range of tests, for all types of GNSS applications.
The NCS Titan GNSS simulator by IFEN.
The NCS Titan sets new standards in the field of GNSS Simulation, in terms of fidelity, accuracy, dynamics, iteration rates and reliability, the company said.
“The launch of our brand new NCS Titan GNSS Simulator represents another milestone for our NCS GNSS simulator products,” explained Günter Heinrichs, head of customer applications. “This shows clearly once again our commitment to ongoing product enhancement and dedication to providing our customers with best GNSS test equipment on the market.”
The NCS TITAN GNSS Simulator has been developed in cooperation with WORK Microwave GmbH, Germany.
Dr. Günter Heinrichs, head of customer applications for business development at IFEN, talks about the new features of Ifen’s GNSS simulator at ION GNSS+ 2015.
The newly released software version 3.0 offers the following new features:
Real‐time P‐code generator and P‐code aiding for GPS L1/L2 cross‐correlation
Full dual‐antenna support for SX3 Black Edition
KML file output for Google Earth real‐time visualization
Better performance through switch from 32-bit to 64-bit version
Support of new SX3 RF front‐end with up to 12 IF streams
IFEN’s SX3 multi‐GNSS software receiver now tracks all known and in future upcoming GNSS signals in view in real‐time on a standard laptop (up to 1,000 channels in parallel on a core i7 desktop PC). The included RF front‐end offers four RF frequency chains with 50 MHz bandwidth each, covering the entire GNSS L‐band spectrum.
The USB 3.0 interface enables high‐speed data transfer with up to 8 bit quantization. Customers can fully concentrate on their applications instead of dealing with potentially obscure code when using open source. The professional support is specifically dedicated to sophisticated applications as well as SX3’s capability for additional customizations. This makes IFEN’s SX3 GNSS software receiver a powerful tool for research and development, IFEN said.
In addition, a dual‐antenna input RF front‐end (SX3 ‘Black Edition’) was released in February 2015. This system can, for example, be used for heading determination, reflectometry and other applications requiring the synchronized input from two antennas.
The GPS World Galileo Product Showcase, from the April 2015 issue, features the latest products from seven top companies.
GPS/GLONASS/Galileo Receiver
Septentrio AsteRx3 Photo: Septentrio
The AsteRx3 is a multi-frequency GPS/GLONASS/Galileo receiver designed for demanding industrial applications. AsteRx3 features simultaneous high-quality GPS, GLONASS and Galileo tracking and a range of innovative features, such as the patented Galileo AltBOC tracking, the advanced multipath mitigation algorithm APME, LOCK+ tracking for exceptional tracking stability under high vibration conditions, RTK+ for extended RTK baselines and faster initialization, and AIM+, Septentrio’s Advanced Interference Mitigation technology, offering centimeter-level measurement quality for high-precision positioning, even in challenging environments.
The IFEN SX3 multi-GNSS software receiver Photo: IFEN
IFEN’s SX3 multi-GNSS software receiver tracks all known GNSS signals in view, including Galileo signals, in real time on a standard laptop now and in the foreseeable future (up to 1,000 channels in parallel on a core i7). The included RF front end offers four RF frequency paths with 50-MHz bandwidth each, covering the entire GNSS L-band spectrum. The USB 3.0 interface enables high-speed data transfer with up to 8-bit quantization. An optional dual RF input front end can be used for attitude determination, reflectometry and other applications requiring the synchronized input from two antennas. An optional built-in shock and vibration robust OCXO reference oscillator (MIL-STD 202G) is available, which replaces the standard high-quality TCXO normally used.
The SX3 software lets users configure the data processing, including changing loop bandwidths, integration times and the main processing rate, and choosing between different correlation types. The software includes a multi-correlator providing a two-dimensional (code and Doppler) correlation function visualization in real-time. The receiver comes with several powerful processing algorithms like vector tracking, to improve the tracking of weak signals in degraded environments.
The NEO-M8L Automotive Dead Reckoning (ADR) module by u-blox has integrated motion, direction and elevation sensors. The module integrates gyro and accelerometer with u-blox’ GNSS platform M8 to achieve high indoor/outdoor positioning performance for road vehicle and high-accuracy navigation applications.
The module is able to track all visible GNSS satellites including GPS, GLONASS, BeiDou, QZSS and all SBAS, with Galileo to be supported in a future firmware version. Concurrent reception of two GNSS systems is supported. The NEO-M8L module can output a position up to 20 times per second.
In addition to accessing the integrated module’s gyro and accelerometer data, accident reconstruction systems can provide the location of an accident to facilitate insurance claims even if a collision occurs in a tunnel or parking garage. High-end navigation devices are able to guide drivers through tunnels of several kilometers because of the accuracy of u-blox’ ADR system. Stolen vehicles can be located instantly due to continuous monitoring of sensor data and storage of location in non-volatile memory.
The NovAtel FlexPak6D enclosed GNSS receiver is a flexible dual-antenna solution for application developers seeking a high-precision heading-capable positioning engine for space-constrained applications.
Designed for efficient and rapid integration, the compact receiver tracks Galileo as well as GPS, GLONASS and BeiDou. Antenna placement is flexible: the antenna baseline can be set according to space available on a vehicle and heading accuracy required. The modular OEM6 firmware enables users to configure the receiver for unique application needs. Scalable for sub-meter to centimeter-level positioning, the FlexPak6D delivers NovAtel’s ALIGN precision heading and relative heading firmware, as well as its GLIDE firmware for smooth decimeter-level pass-to-pass accuracy and RAIM for increased GNSS pseudorange integrity.
The GNSS simulator in the vector signal generator R&S SMBV100A Photo: R&S
The GNSS simulator in the vector signal generator R&S SMBV100A is designed for development, verification and production of GNSS chipsets, modules and receivers. The simulator supports all possible scenarios, from simple setups with individual, static satellites up to flexible scenarios generated in real time with up to 24 dynamic Galileo, GPS, GLONASS, BeiDou and QZSS satellites. The simulator also supports Assisted GNSS (A-GNSS) test scenarios, including generation of assistance data for Galileo.
The simulator offers real-time simulation of realistic constellations with up to 24 satellites and unlimited simulation time. Flexible scenario generation includes moving scenarios, dynamic power control and atmospheric modeling. Users can configure realistic user environments, including obscuration and multipath, antenna characteristics and vehicle attitude.
The all-in-one TRIUMPH-LS by JAVAD GNSS combines a high-performance 864-channel GNSS receiver, all-frequency GNSS antenna, and a modern featured handheld. The 864 all-in-view channels include Galileo E1/E5A/E5B, GPS L1/L2/L5, GLONASS L1/L2/L3, QZSS L1/L2/L5, BeiDou B1/B2 and SBAS L1/L5.
The TRIUMPH-LS offers GUIDE data collection, Visual Stake-out (VSO), navigation, six parallel RTK engines, more than 3,000 coordinate conversions, advanced CoGo features, and rich attribute tagging on a high-resolution, bright 800 x 460 display. Two 3-megapixel cameras enable recording of images along with GNSS data.
With VSO, the virtual location of a point to be staked can be seen by a “flag” shown on the Triumph-VS camera image. This visual aid helps users navigate quickly to a point and makes stakeout jobs fast and easy. VSO can be used as a convenient way to get close to a target point before switching to the regular stakeout mode to perform precise measurements.
More than 100 channels are dedicated to continuous interference monitoring. The Triumph-LS monitors and reports interference graphically and numerically with patent-pending interference protection. Interference awareness allows safe GNSS operation in a city, airport and military environment.
The unit can serve as base or rover. It has a GSM modem, UHF transmit and receive, and an internal high-performance geodetic antenna.
The TRIUMPH-LS automatically updates all firmware when connected to a Wi-Fi Internet connection.
TeleOrbit’s software-defined radio receiver and GNSS interference monitoring tool receives and processes all available Galileo signals. Signals that are not yet transmitted and interference sources can be simulated and processed within the software tool.
Within a software-defined radio framework, the analog-to-digital converter is moved as close as possible to the antenna to perform most of the signal processing in software. This leads to adaptable solutions with lower hardware costs that can be easily extended to new signals and systems with only a software update.
The GNSS Software Defined Radio Receiver (GSDR2X) developed by TeleOrbit’s sister company TeleConsult Austria can track most readily available signals from Galileo, GPS and SBAS. By utilizing input from TeleOrbit’s GNSS multi-system performance simulation environment (GIPSIE), even signals not yet transmitted by satellites can be tracked and processed by the GSDR2X. Furthermore, input data can be read from various radio frequency front-ends, either directly or from file.
The modular GSDR2X framework enables new capabilities, such as the GNSS Interference Monitoring Tool (GIMT), which enables the GSDR2X to detect and classify interfering and jamming signals (see figure).
GPS World will host a webinar this Thursday, March 19, on the merits of using simulated jamming, spoofing and interference scenarios to prepare GNSS receivers for the brave new world of coping with adverse signal effects. It’s clear that users need to still operate commercially and individually, even when they get hit by extraneous interference — intended or otherwise — in a world where cigarette-lighter jammers, engineering “lash-up” spoofers, and badly designed commercial gear can ruin a person’s day.
Recently, I had a conversation with Guy Buesnel, market segment manager, GNSS Vulnerabilities, at Spirent Communications. He wanted to alert me to the concept that jamming and spoofing is at a stage where Internet hacking was many years ago. Hacking has progressed from the typical lone student in his bedsit or studio apartment pounding on a keyboard to break down banking or other institutional firewalls, to nowadays, where focused groups mount hacking attacks on targeted agencies or companies lasting days, weeks, even months. Huge effort is currently being applied to defending against these and future focused attacks.
Buesnel’s point is that organized attacks on GNSS may be coming, and coming soon. Individuals and groups are already self-jamming to prevent detection — organized car and truck thieves wanting to avoid location of stolen assets, or truck drivers wanting to prevent their employers knowing their whereabouts — using easily obtained “personal cigarette lighter” or even professional-looking jammers (see figure below). Jamming GPS L3 at 1381.05 MHz might awaken U.S. Department of Defense (DOD) interest as it’s used by the Nuclear Detonation (NUDET) Detection System Payload (NDS), and L4 at 1379.913 MHz is currently only used for studies on additional ionospheric corrections.
But Buesnel warns that organized spoofing could soon start to happen, and happen frequently. And it could be argued that spoofing is more dangerous than jamming, because a user or someone monitoring a user might not know for some time that their position information has been compromised. Long enough, perhaps, for an unwary user to get into potentially serious trouble, especially in a higher speed, fuel-restricted application like an aircraft or a small boat running some distance offshore.
GNSS is already embedded into the critical infrastructure of utility providers, and also telecoms, financial and transport sectors for timing/synchronization or positional data, and the growth in vehicle automation will soon see GNSS being used for even more safety-critical applications. The security of GNSS is already of huge importance and a “GNSS hacking attack,” like those experienced by Internet users, could achieve significant disruption across a host of operational segments. Precise GNSS timing is already essential for time stamping some transactions and used extensively for cell-site synchronization, so significant damage could occur if timing information were to be compromised.
While an intentional spoofing attack has yet to be confirmed — except under conditions such as that drone spoofing demonstration and then the White Rose luxury yacht spoofing trials, both by University of Texas/Cockrell School of Engineering graduate students — unintentional spoofing has indeed been reported. GNSS repeaters radiating at higher power levels than actual GNSS signals can be the source of such spurious signals. The result can be that GNSS receivers may acquire and track the higher power repeater signals, and the receiver position becomes that of the repeater. Use of GPS repeaters in unsuitable locations, such as for production tests in an open workshop, has been reported. The risk is that GNSS signals could extend outside the building and affect users, so GPS receivers could be spoofed and tricked into reporting an incorrect position.
White Rose 213-foot luxury yacht. Photo: Tony Murfin
For more than 20 years, the information security community has debated publishing the methods used by hackers and others to expose and attack vulnerabilities within products. Initially, things were kept hidden and were only shared between groups of hackers or IT administrators. However, online hacker forums quickly distributed knowledge — often including sample code. This allowed everyone from security researchers and IT administrators to hackers to learn about the vulnerabilities of applications and critical systems. It would seem that both researchers and hackers alike have broken the spell, and now it’s easy to spread the word about backdoors and weaknesses in firewalls, critical applications and the like.
Fast forward, and we are now in the age of mass-market access to jammers of all kinds through offshore websites — even if it’s illegal to operate such devices. However, it’s also illegal to hack the Department of Defense, but that has not prevented hackers in the past from assaulting and penetrating all sorts of secure DoD computing facilities. So, let’s just assume that the individuals who get a kick out of creating mayhem may eventually turn to something new — and the age of jamming and spoofing for fun may be upon us.
All is not lost, however. Just as applications for finding and killing viruses have become more robust, and new “antidotes” and warnings are now automatically downloaded to your PC even as they are created, and huge amounts of effort are now being applied to creating the most robust firewalls, so the designers of GNSS receivers are working hard to immunize their systems against anticipated attacks. And simulator/replay manufacturers such as Spirent Communications, IFEN, Spectracom and Racelogic are developing and fielding ready-made spoofing and jamming capabilities and scenarios with which manufacturers can test and qualify their receivers — which you may well hear about during the coming GPS World webinar on March 19.
Nevertheless, some people in the industry are urging members of the GNSS community to act more cooperatively and report spoofing and jamming incidents/attacks for their own good. It seems that the industry only collaborates in the face of a major common threat — take the ultra wideband and LightSquared episodes where the response was virtually unanimous. While most GNSS manufacturers in the meantime tend to maintain a very proprietary cover to their field experience and technological solutions, this still leaves customers exposed to product vulnerabilities. The GNSS community now has the advantage that the information security community has been working through these hurdles for the past two decades. Lessons learned include the following:
Controlled, responsible disclosure and cooperation allows everyone to monitor the threat and how it is being dealt with.
Without restricted disclosure and preventive solutions, attacks will always take advantage of weaknesses.
Eventually, disclosure of product vulnerabilities will result in more respect and confidence in manufacturers by users.
Rapid resolution of issues is essential.
The GNSS community has an opportunity to come together, learn from the information security community, and adopt best practices to secure and protect its customers.
(With grateful thanks to Guy Buesnel and David DeSanto of Spirent Communications!)