TABLE OF CONTENTS

Document Sample
TABLE OF CONTENTS Powered By Docstoc
					DESIGN OF A RADIO FREQUENCY JAMMER AND SPOOFER


                         By


                   Ben Niemoeller
                   Larry Dietrick
                    Albert Rhee




          ECE 445, SENIOR DESIGN PROJECT

                    FALL 2005




                  TA: Brian Watson



                 03 December 2005


                    Project No. 4
                                              ABSTRACT

This project involves the design and implementation of a radio frequency (RF) jammer and spoofer
capable of manipulating a remote-controlled car at 49.86 MHz. When the device’s user is not
attempting to spoof the car, the device acts as a jammer and interferes with attempts to operate the car
from its intended controller. When a user tries to spoof the car, our device proves highly effective and
can successfully spoof from a distance several times further away than that of the controller intended to
operate the car. The device operates from a single +12V supply commonly found in mobile
environments.

A few key improvements can still be made to our design; most importantly, the antenna we used can be
enhanced to better radiate the available power. Other improvements are also discussed within.

Our project cost was much less than we had originally anticipated. Specifically, the power amplification
chips that we used were much less expensive than the ones we had originally researched for our initial
proposal.




                                                    ii
                                                          TABLE OF CONTENTS

ABSTRACT ................................................................................................................................................ ii
1    INTRODUCTION .............................................................................................................................. 1
  1.1      Purpose........................................................................................................................................ 1
  1.2      Functionality ............................................................................................................................... 1
     1.2.1      Device Specifications.......................................................................................................... 1
     1.2.2      System Block Diagram ....................................................................................................... 1
  1.3      Components/Subprojects ............................................................................................................ 1
     1.3.1      49.86 MHz Oscillator and Active Buffer ............................................................................ 2
     1.3.2      Voltage Regulators.............................................................................................................. 2
     1.3.3      Control Logic ...................................................................................................................... 2
     1.3.4      Active Buffer Switch .......................................................................................................... 2
     1.3.5      Gain Block and Final Amplifier ......................................................................................... 2
     1.3.6      Transmitting Antenna ......................................................................................................... 2
2    DESIGN .............................................................................................................................................. 3
  2.1      49.86 MHz Oscillator and Active Buffer .................................................................................... 3
  2.2      Active Buffer Switch .................................................................................................................. 7
  2.3      Voltage Regulators...................................................................................................................... 8
  2.4      Control Logic .............................................................................................................................. 9
  2.5      Gain Block ................................................................................................................................ 10
  2.6      Power Amp ............................................................................................................................... 11
  2.7      Transmitting Antenna ............................................................................................................. 111
3    VERIFICATION............................................................................................................................. 155
  3.1      Functional Tests and Measurements ......................................................................................... 15
     3.1.1      49.86 MHz Oscillator and Active Buffer .......................................................................... 15
     3.1.2      Voltage Regulators and Control Logic ............................................................................. 16
     3.1.3      Active Buffer Switch ........................................................................................................ 17
     3.1.4      Gain Block and Final Amplifier ....................................................................................... 17
  3.2      Overall Device Tests and Measurements .................................................................................. 18
  3.3      Graphs ....................................................................................................................................... 20
4    COST .............................................................................................................................................. 221
  4.1      Parts and Equipment List ........................................................................................................ 221
  4.2      Total Cost Calculation ............................................................................................................ 221
5    CONCLUSION ............................................................................................................................... 222
  5.1      Accomplishments .................................................................................................................... 222
  5.2      Uncertainties ........................................................................................................................... 222
  5.3      Future Work/Alternatives ....................................................................................................... 222
APPENDIX A – ORIGINAL TRANSMITTER SCHEMATIC ...........Error! Bookmark not defined.23
APPENDIX B - PICTURES ..................................................................Error! Bookmark not defined.24
APPENDIX C – FULL-PAGE SCHEMATICS ....................................Error! Bookmark not defined.27
REFERENCES ......................................................................................................................................... 33




                                                                            iii
                                           1    INTRODUCTION

1.1 Purpose

The purpose of this project was to learn about radio frequency communication, signal processing, power
amplification, and antenna fundamentals by designing a device that could both jam and spoof a remote-
conrolled car.

What piqued our interest in this specific project was its relation to similar devices that are useful in
military defense tactics. RF technology is being implemented in warfare situations such as terrorist
bombing. A device such as ours would be useful in protecting a large area from weapons that can be
detonated from a distance with a remote control. Having an RF jammer/spoofer would make it possible
to defuse a radio-frequency explosive without having to send in a bomb squad and risk human lives.
Additionally, RF technology is frequently being used to jam and intercept enemy communication lines
that could be useful for future offensive and defensive military tactics.

1.2 Functionality

1.2.1 Device Specifications

We carried out our design with the goal that the jammer/spoofer should be able to protect a much larger
area of space than the victim transmitter would be able to cover. Only with the victim transmitter very
close to the car should it be able to communicate with the car’s receiver. We expect that for the device to
be useful, the jammer needs to be able to jam the car’s receiver when the victim transmitter is up to 4
times closer to the car than the jammer is. For example, if the victim transmitter is 10 feet from the car,
the jammer must be able to jam the car from up to 40 feet away. The jammer/spoofer must also operate
from a single 12-volt supply and not consume too much power, since it will be used in a mobile or
portable environment.

1.2.2 System Block Diagram

The components in Figure 1 are summarized in Section 1.3:


     Control                49.86 MHz Oscillator
     Circuitry                and Active Buffer         A1           A2



                                Active Buffer
                                   Switch


Figure 1. Overall System Block Diagram


1.3 Components/Subprojects

The design of the RF jammer and spoofer was broken up into many interconnected circuits that each had
their own specific purpose. The individual components of the project were as follows:



                                                    1
1.3.1 49.86 MHz Oscillator and Active Buffer

Our oscillator provides the carrier frequency for the device. A common-collector amplifier is attached to
the output of the oscillator to allow for better matching to the 50 Ω input impedance of the gain block
(our first amplification stage).

1.3.2 Voltage Regulators

A voltage of +12 V DC, which can be found in most automobiles, is needed to power many components
of our device. However, two voltage regulators were created to make +5 V DC and +9 V DC power
sources available for specific parts of the project that required these different voltages. The entire device
thus shared a single +12 V power supply as well as a common ground. The regulators were included on
the same printed circuit board as the control logic (see below).

1.3.3 Control Logic

A 7400 NAND chip and a 7407 Hex Buffer chip were used to implement a logic circuit that would
select between the jamming and spoofing modes of operation. This circuitry also provided interfaces
between the TX2C ATS302T encoder chip (used to create the control signals corresponding to different
directions of movement for the car), the TTL logic gates, and the CMOS switch. This circuit was
assembled on a printed circuit board (“PCB”) manufactured by the ECE Electronics Shop.

1.3.4 Active Buffer Switch

A CMOS inverter is implemented to turn the active buffer transistor (which is connected to the oscillator
output) on and off. This switch works by modulating the bias voltage of the base of the transistor, and its
output is simply the inverse of the control logic output, as described above. Since the control logic
output is the inverse of the desired binary output, the inverter’s output is in fact the desired binary
output. Through its connection to the active buffer transistor, the inverter can alternately allow and
disallow the oscillator output to pass through to the rest of the circuit (a logic ‘1’ means the oscillator
output is allowed to pass through, and vice versa), thereby accomplishing the on-off keyed modulation
necessary to communicate with the car.

1.3.5 Gain Block and Final Amplifier

Two circuits connected in series to the output of the active buffer were used to amplify our transmission
signal. The first amplifier, or “gain block,” which is denoted “A1” in Figure 1, is a WJ AG402-86 chip
that was tuned (via external passive components) to operate at around 49.86 MHz. This intermediate
power amplifier was able to give us a gain of about 15 dB. The second (final) power amplifier, which is
denoted “A2” in Figure 1, is a WJ AH101 driver amplifier chip that provides about 13 dB of gain.

1.3.6 Transmitting Antenna

Our transmitting antenna, represented by the star-shaped component attached to the output of “A2” in
Figure 1, is simply a long, thin wire used as a monopole. The optimum length of the wire was found to
be 7 ft, or about 1/3 of a wavelength.




                                                      2
                                                      2   DESIGN

2.1 49.86 MHz Oscillator and Active Buffer

The 49.86 MHz oscillator is necessary to provide the carrier frequency for our control signals to
ultimately be transmitted on. We did not foresee the need to build this oscillator at the time of the
Design Review, as we simply thought we could re-use the oscillator circuit from a second controller.
Only when we realized the difficulty of incorporating amplifier circuits and control logic into a pre-
existing board did we decide to completely reconstruct all the necessary circuit components.

Our oscillator design employs a piezoelectric quartz crystal used in the Common-Collector Colpitts
Oscillator topology. We considered reconstructing the same oscillator circuit shown within Appendix A,
Error! Reference source not found.Figure 12 (a diagram excerpted from the Actions Semiconductor,
Ltd. [1] datasheet for the TX2C control chip), but we were advised by Prof. Steven J. Franke of the
Department of Electrical and Computer Engineering at the University of Illinois at Urbana-Champaign
that the Common-Collector Colpitts Oscillator would provide a steadier frequency response and more
power output.

From the ECE 453 Lab 2 Notes [2], the general form of a Common-Collector Colpitts Oscillator is
shown in Figure 2 below. Note that an impedance-transformation buffer (i.e. “active buffer”) is shown
connected to the oscillator; this unit will be described shortly:
                                                                              0.01 uF


                          12 V DC


                                           R1


                                                          2N5179
                                                                         R4
                                                 C1
                             XTAL                                                       2N3013
                                           R2                      4pF                        0.01 uF
                                                          RE
                                                 C2                                     RE2
                                                                         R5




                                                                                                   Output



                                    Oscillator                                                Buffer



        Figure 2. General Form of Common-Collector Colpitts Oscillator with Impedance-Transformation Buffer


In Figure 2, labeled capacitor values are standard coupling and bypass values. The left half of the circuit,
going as far right as the 2N5179 transistor and the resistor RE, is the actual oscillator. According to
Franke [3], the transistor amplifies an initial thermal excitation in the circuit, and the piezoelectric quartz
crystal (“XTAL”) confines the output to an extremely narrow frequency range near 49.86 MHz. This
output is taken at the emitter of the 2N5179 transistor. Note that only an initial thermal excitation is
required to start oscillations; thus, no signal input is required and we need only a DC bias to turn on the
transistor.

The right half of the circuit in Figure 2 functions as an impedance-transformation buffer. From the ECE
453 Lab 2 Notes [2], a common-collector amplifier generally has low output impedance, but because of
the crystal, the first transistor amplifier’s output impedance is high. We thus add another common-

                                                           3
collector amplifier after this first one to lower the output impedance to 50 ohms. This second transistor
amplifier is commonly referred to as an “active buffer.”

From the notes, in designing the oscillator part of our circuit (i.e. the left half of the above), it is
common to present 6 V to the base of the transistor, and in order to assume that IB = 0 A, we need the
current draw by resistors R1 and R2 to be at least 0.3 mA. We know that a 6 V base voltage will require
R1 = R2 since the DC supply voltage is 12 V. Then:

                                         R1 = R2 = (6 V / .0003 A)                                         (1)
                                              R1 = R2 = 20 kΩ

Furthermore, to obtain a fairly high output power from the oscillator, we want the DC (“quiescent”)
collector current to be fairly high, and thus choose 6 mA as our target value. As above, we approximate
IB = 0 A, and thus the approximation IC = IE follows:

                                   IE = (VB – VBE) / RE = (6 V – 0.7 V) / RE                               (2)
                                      RE = (5.3 V / .006 A) = 883.3 Ω

We use the closest published resistor value that is smaller than or equal to this; in this manner, we will
obtain 6 mA or more for our quiescent collector current. The appropriate value is RE = 820 Ω.

Our piezoelectric quartz crystal is inductive in extremely narrow frequency ranges in the vicinity of
16.62 MHz and all odd multiples thereof, including 49.86 MHz (our desired oscillation frequency),
which is the third multiple of the fundamental frequency. The circuit’s oscillation frequency will thus be
near the lowest of these frequencies at which an appropriate shunt capacitance is presented to the crystal.
Harmonics of the main oscillation frequency will then be generated by the transistor as it becomes
partially saturated.

Our crystal is specified by the manufacturer to require an approximate 20 pF shunt capacitance to cause
oscillations at 49.86 MHz. Furthermore, from the preceding discussion, we know that we need to present
a shunt inductance to the crystal at 16.62 MHz to stop the circuit from oscillating at this lower
frequency. That same network that is inductive at 16.62 MHz then must be capacitive, with equivalent
capacitance of about 20 pF, at 49.86 MHz. Franke [3] notes that the conventional way to design and
place such a network is to begin with the components C1 and C2 as shown in Figure 2 and add reactive
components in parallel with C2 as needed; specifically, one inductor and one capacitor are often added
as a series branch in parallel with C2 and denoted C’ and L’. The overall combination of C1, C2, C’, and
L’ can be made to be inductive at 16.62 MHz and capacitive at 49.86 MHz. As a final constraint on this
shunt network, the ECE 453 Lab 2 Notes [2] specify that we want the capacitance C1 to be greater than
the combined equivalent capacitance of C2, C’, and L’ at our oscillation frequency of 49.86 MHz. The
reason for this is as follows: recalling that a capacitor’s impedance is inversely proportional to its
capacitance, we know that if we satisfy this constraint, we will have a larger small-signal impedance
(created by C2, C’, and L’) between the transistor emitter and ground than between the transistor base
and emitter (that impedance is created by C1). Thus, a relatively low small-signal voltage will need to be
presented to the base of the transistor to obtain a given small-signal voltage at the output of the oscillator
(i.e. between transistor emitter and ground). This low small-signal input voltage requirement avoids
driving the transistor too hard and results in a smoother, more sinusoidal waveform at the output.

We thus explored ways to modify the general form of the two-item shunt network in Figure 2 (which is
generally used when oscillations are desired at the lowest possible frequency) into such a four-item
network that could satisfy the above constraints and cause oscillations at higher frequency. The first few
strategies that we tried did not work. For instance, we designed the aforementioned shunt network by
                                                      4
noting that it is generally easy to make such networks inductive at lower frequencies and capacitive at
higher ones by simply making the L’ – C’ – C2 branch satisfy these constraints (this works because the
reactance of C1 is of low magnitude since C1 is required to be high; thus this contributes little to the
overall reactance of the four-item network). A branch of this form (C2 in parallel with the series
combination of C’ and L’) is inductive from:

                   1/(2*sqrt(L’*C’)) Hz     to   1/(2*sqrt(L’*((C’*C2)/(C’ + C2)))) Hz                  (3)

Thus, we chose high L’ and C’ so that the low end of the range in Eq. (3) would be well below 16.62
MHz, and noting that for high C’ and low C2, the quantity (C’*C2)/(C’ + C2) approaches C2, we chose
C2 so that the high end of the above range would be well above 16.62 MHz. For our choices of L’ = 3
μH, C’ = 0.1 μF, and C2 = 25 pF, the range in Eq. (3) becomes 0.3 MHz to 18.4 MHz, which
comfortably includes 16.62 MHz. To calculate C1, we then examined the following equation for the
reactance of the shunt network at frequency :

    Reactance = {[(*L’ – 1/(*C’))*(- 1/(w*C2))] / [(*L’ – 1/(*C’) - 1/(w*C2))]} – (1/w*C1)            (4)

                                   (where  = 2**49.86*10^6 rad/sec)

Eq. (4) indicates that the shunt network’s reactance is about -152.7 Ω (which, at 49.86 MHz, is
equivalent to 20.9 pF and is thus sufficiently close to the manufacturer specification) when C1 = 620 pF.
Our overall shunt network was thus: C1 = 620 pF, C2 = 25 pF, L’ = 3 μH, and C’ = 0.1 μF.

When we implemented this design, we observed no oscillations at the circuit output. Then, when we
touched an oscilloscope probe to the oscillator output, we observed oscillation at the first crystal
harmonic, i.e. 16.62 MHz. We concluded that we may not have had enough initial shunt capacitance to
cause oscillations at any frequency, since touching the oscilloscope probe to the circuit output (i.e. the
transistor’s emitter) adds a capacitance in shunt with L’ and C’. In other words, our shunt network may
have been too inductive. We tried to solve this problem by noting that we implemented the 3 μH
inductor (i.e. L’) with a 3.3 μH inductor, which was the closest commercially available component we
could find. To make the circuit less inductive, we replaced this inductor with two 1 μH inductors in
series (for a 2 μH total), but still observed the same results. We then tried using just one 1 μH inductor,
but again failed.

When we asked Prof. Franke for advice, he told us that C1 was likely too big and was causing the input
signal strength to the transistor base to be too low for proper operation. He advised us to try to make C1
about as big as C2 to start, and then increase C1 from there once we obtained working results. With this
new constraint in mind, we carried out new calculations using Eqs. (3) and (4) and arrived at the
following new shunt network component values: C1 = 51 pF, C2 = 51 pF, L’ = 1 μH, and C’ = 1 μF. We
calculated that these values should allow the network to be inductive between about 0.2 MHz and 22.3
MHz – a more comfortable range in terms of including 16.62 MHz. Furthermore, the overall network
would have an equivalent capacitance of 22.6 pF at 49.86 MHz, still sufficiently close to the specified
20 pF. When we implemented this shunt network, the oscillator worked, and to obtain a better sinusoid
at the oscillator output, we then changed the value of C1 to be about twice C2, or 100 pF. Our final shunt
network was C1 = 100 pF, C2 = 51 pF, L’ = 1 μH, C’ = 1 μF.

The only values left to account for in the circuit of Figure 2 are the three biasing resistors for the active
buffer. According to the ECE 453 Lab 2 Notes [2], the resistors R4 and R5 are commonly set equal to
one another so that the base voltage of the transistor is again 6 V. Furthermore, to make the
approximation that IB = 0 A for this transistor, it is necessary that these two resistors draw at least 2 mA

                                                      5
of current. This higher value of current is needed because the output of the first transistor (i.e. the
oscillator) is being fed directly into the base of this transistor, making it much harder to accurately
approximate IB as being equal to 0 A. We thus calculate R4 and R5:

                                           R4 = R5 = (6 V / .002 A) = 3 kΩ                                     (5)

             (note: R4 was ultimately changed and the reason for this will be described later)

Furthermore, the notes explicitly specify that in order to effectively drive a 50 Ω load, we want a
quiescent collector current of 60 mA. Since we have made the approximation that IB = 0 A, then we can
simply set the emitter current equal to 60 mA as well:

                                                  .060 A = (6 V – 0.7 V) / RE2                                 (6)

                                                       RE2 = 5.3 V / .060 A

                                                          RE2 = 88.3 Ω

We use the closest published resistor value that is smaller than or equal to 88.3 Ω so that we will obtain
at least 60 mA of quiescent collector current; thus, we choose RE2 = 82 Ω.

Our combined oscillator and active buffer circuit functioned well and showed a lowest oscillation
frequency of 49.86 MHz with harmonics at multiples of this frequency. (See Appendix B, Error!
Reference source not found.Figures 13 and Error! Reference source not found.14, for depictions of
the harmonic power levels at both the oscillator/active buffer output and the final amplifier output.)
Later in this report, we will describe our placement of a CMOS inverter between the R4 - R5 series
connection and the active buffer transistor, which will also cause our value of R4 to change. The
principle of the active buffer operation, however, will remain the same after that change; this inverter
will simply allow us to switch DC bias to the buffer on and off, and thus allow transmission of the 49.86
MHz sine wave from our oscillator – buffer board to turn on and off, thereby signifying changes
between the ‘1’ and ‘0’ control signal levels. The correct implementation of our oscillator – active buffer
circuit (without yet accounting for the CMOS inverter within the active buffer or the change in R4) is
thus:
                                                                                   0.01 uF


                          12 V DC


                                            20 kohm


                                                                 2N5179
                                                                                3 kohm
                                             100 pF
                         49.86 MHz                                                           2N3013
                                            20 kohm                       4pF                      0.01 uF
                                                         1 uF
                                                                      820 ohm
                                              51 pF                                          82 ohm
                                                          1 uH                  3 kohm




                                                                                                      Output



                                     Oscillator                                                  Buffer



                                     Figure 3. Oscillator – Active Buffer Circuit Design


                                                                  6
2.2 Active Buffer Switch

Our circuit needs to provide a means of modulating the binary data signal with an RF carrier wave. We
accomplished this by turning on and off the bias voltage to the base of the active buffer transistor. When
the base is DC biased to 6 V, the transistor is on; when the base is biased close to 0 V, VB < VBEON and
the transistor is off. A similar scheme is used by the victim transmitter to modulate the data signal [1].
The best way to accomplish this switching function is to use a transistorized switch.

To make a transistorized switch, a transistor is connected between the active buffer base and ground.
When the switching transistor is off, no current will flow from collector to emitter (or drain to source)
and the base voltage will remain at 6 V. When the transistor is saturated, the impedance from the
collector to the emitter (or drain to source) is low, causing the base voltage to be held low. To prevent
the RF signal from being shunted to ground, an indictor is placed between the active buffer base and the
switching transistor collector/drain. When the switch is off, the inductor forms an AC voltage divider
with the output impedance of the oscillator. A large (22uF) inductor value is needed due to the high
output impedance of the oscillator. Assuming that the active buffer transistor has a β of 100, the base
current is approximately:

                                           60mA
                                                 0.6mA.                                               (7)
                                            100

Our first idea for a switch was to use an open-collector buffer only. We soon realized that this scheme
would introduce a current loop between two of our boards, which had the potential to introduce a large
amount of noise into our signal path.

Our next idea and first implementation of the switch was to place an nMOS transistor locally on the RF
board. No steady-state current can flow from gate to drain or source, ensuring no new current loop could
form. Using this arrangement, we observed a high bias voltage of 4.938 V and a low bias voltage of
3.375 V. This ‘low’ voltage is not low enough to turn off the buffer transistor. We located a general
nMOS I-V diagram (Figure 4) and realized that when VDS = 0 V no drain current can flow through the
nMOS. Under this situation, we need lots of drain current to flow through the nMOS. We needed to
come up with another switch.

A CMOS switch is effective at switching voltages regardless of the currents involved. We built a CMOS
switch using discrete power nMOS and pMOS transistors. This switch is effective at turning off the
transistor – we measured a 20 dB difference on the spectrum analyzer between the low-strength and
high-strength carrier.

As seen in Figure 5, the base current must run through the pMOS transistor when the switch is turned
ON. According to the I-V diagram (Figure 4), a voltage drop from source to drain in the pMOS is
necessary to sustain a drain current. (This I-V diagram for an nMOS transistor can be used for a pMOS
as well by reversing the polarity of all voltages and currents.) Thus the bias voltage will be lower than
expected. To correct for this, the voltage at the node between R4 and R5 is raised by lowering the value
of R4 (more details on this process are included in Section 3.1.3).



                                                    7
It is also important to note that the CMOS switch inverts the control signal applied to its gate. This
necessitated an additional inverter after the primary control logic during development.




Figure 4. Idealized nMOS I-V diagram showing triode and saturation regions. [5]




Figure 5. Schematic for CMOS active buffer switch


2.3 Voltage Regulators

Because our circuit needs to operate in a mobile environment, we need to have the entire board operate
from a single +12 V power source. However, parts of our circuit require +5 V and +9 V supplies. We
created these voltages using two LM317T voltage regulators. We chose the LM317 because it is easy to
use, was capable of supplying our required currents and voltages, and is stable across a wide range of
output currents.




                                                           8
Figure 7. General LM317 Schematic



                                                          Figure 6. Close-up of heat sinks used for the
                                                          +5V (left) and +9V (right) regulators

Above, the output voltage Vout is given by the equation

                                                      R2 
                                    Vout = 1.25 * 1       R 2 * 0.1mA                                 (8)
                                                      R1 

In our implementation of the above, R2 is a fixed resistor in series with a 100 Ω trimpot. The trimpot
allows us to fine-tune the output voltage without having to try many resistor values. C1 is a 0.1µF
ceramic decoupling capacitor and C2 is a 1 µF tantalum capacitor which reduces the output ripple and
makes the output voltage more stable in response to transient currents.

The voltage regulator is not a transformer; the input current at 12 V is approximately the same as the
output current delivered to the load at 5 or 9 V. Therefore the LM317 chip will dissipate heat and
requires a heat sink. Our heat sinks are integral to the circuit board and consist of a 1.3 x 1.4” copper
area on the front and back sides of the circuit boards, giving a total copper area of 3.6 in2. This is larger
than the 2 in2 recommended by the manufacturer, and was made larger to enhance the device reliability
in hot environments. The front and back sides are connected by 8 vias for the +5 V regulator and 22 vias
for the +9 V regulator. The LM317 is attached to each heat sink using thermal paste and a #2 metal
screw. Because the metal tab on each LM317 carries the output voltage, the heat sinks are electrically
isolated from each other and from the rest of the board.

2.4 Control Logic

To select between the jamming and spoofing modes of operation, we needed to add control logic to our
circuit. We used additional buffers with this logic to properly interface the TX2C encoder chip and the
CMOS switch.

The TX2C, which we took from one of the original controllers we bought, encodes button presses into a
single stream of data. The TX2C also has a pin which can supply power to a transmitter. This power pin
goes low when no button is pressed in an effort to conserve power. When a button is pressed, the power
pin (pin 10) goes high and the encoded data is output on pin 8. When no button is pressed, pin 8 floats.

The logic circuit needs to accomplish two things: 1) when no key is pressed, allow constant transmission
of a full-strength jamming signal (a 49.86 MHz sine wave) by turning the active buffer ON and 2) when
a key is pressed, relay the data stream from pin 8 to the active buffer switch. Because the CMOS switch
                                                      9
is an inverter, the active buffer is turned on with a LO input and is turned off with a HI input. The truth
table for the logic circuit is given below:

Table 1. Truth table for logic function
Pin 8 (A) Pin 10 (B) Buffer            Buffer
    x         0        1                 0
    0         1        0                 1
    1         1        1                 0

Table 1 corresponds to the function Buffer = A  B = A B . We chose to implement this function using
a 7400 quad NAND gate, as this would give us the most flexibility in the event we needed to change our
logic function.

The TX2C is designed to use very little power, and as a result the logical HI voltage is only +3 V. We
used a 7407 hex open-collector buffer IC combined with 5 kΩ external resistors to bring the input HI
voltage level up to +5 V. These buffers also shield the logic from interference carried by the long signal
wires coming from the TX2C. We also used an open-collector buffer paired with a 1 kΩ external resistor
to drive the gate terminals of the CMOS switch. Using the 1 kΩ resistor allows the CMOS gate to be
charged more quickly, and using the buffer shields the logic from interference brought in from the
outgoing signal line.

2.5 Gain Block

Our intermediate amplifier is a reference design using the WJ Communications AG402-86 gain block
IC. This IC is rated to provide 15 dB of gain and an output level of +16.6 dBm at 1 dB of compression.
The AG402-86 is essentially a Darlington pair amplifier designed for use in a 50 Ω RF system. DC bias
is provided through the output pin, and an external resistor is needed to limit the bias current to 60 mA.
The value of this resistor is determined by the equation:
                                                                 12  4.8
                             R10 = (Vsupply – Vdevice) / Ibias =          = 120 Ω [8]                    (9)
                                                                   .06
Blocking capacitors C6 and C7 are used block the DC voltages present at the input and output pins of the
IC, as shown in Figure 8. Capacitor C8 is used to decouple the supply, or to pass high-frequency
transients to ground so they do not interfere with circuit operation. The inductor L1 is used to prevent the
RF output from being shorted to ground through C8. These capacitor and inductor values were chosen
using the manufacturer’s recommendations for 50 MHz operation [6].




Figure 8. Schematic for gain block, close-up of grounding/heatsinking technique




                                                           10
The ground plane on the underside of the RF board is used as a heat sink for the AG402-86. The IC is
thermally and electrically connected to the ground plane using four vias made of 22ga wire. These vias
can be seen in Figure 8. Using multiple vias also provides a low impedance path to ground, which is
crucial in RF circuits.

2.6 Power Amp

Our final amplifier is a reference design using the WJ Communications AH101 medium power amplifier
IC. This IC is rated to provide 13 dB of gain and an output level of +27.0 dBm (one-half watt of power)
at 1 dB of compression. The internal amplifier circuit is a proprietary design which draws up to 200 mA
of current and requires a +9 V power source. With no input, the AH101 will dissipate 9 V * 0.2 A = 1.8
W of heat [9], which means that heat sinking is of primary importance. The AH101 is thermally and
electrically connected to the ground plane using five vias, as many as our board will allow, made of
22ga solid wire. One of these vias is beneath the device, as per manufacturer’s recommendation [9].
Using many vias provides a low impedance path to ground, which is                                crucial in
RF circuits.




Figure 9. Schematic for power amp, close-up of grounding/heatsinking technique



Blocking capacitors C9 and C10 are used block the DC voltages present at the input and output pins of
the IC, as shown in Figure 9. Capacitor C11 is used to decouple the supply, or to pass high-frequency
transients to ground so they do not interfere with circuit operation. The inductor L2 is used to prevent the
RF output from being shorted to ground through C11. These capacitor and inductor values were chosen
using the manufacturer’s recommendations for 50 MHz operation [7]. No bias resistor is required in this
circuit.

2.7 Transmitting Antenna

Our device’s transmitting antenna is connected to the 50 Ω output of the final amplifier. Our initial plan
for implementation of a transmitting antenna, as specified in the Design Review, involved the use of one
of the monopole whip antennas that came with the victim remote controller for our car, along with an
appropriate impedance matching network. In order to have something to compare our matching
network’s performance to, we tested the range of our final device without a matching network, i.e. with
the antenna connected directly to the final amplifier. We observed a smooth operating range of about 40
feet.

The wavelength of a 49.86 MHz signal is:

                          = c / ν = (3.0 * 10^8 m/s) / (49.86 * 10^6 Hz) = 6.02 m                     (10)

In our Design Review, we specified our monopole’s impedance to be about 50 - j*160 Ω. This
measurement had been made on an HP Vector Network Analyzer (“VNA”) by soldering a wire from the
                                                11
VNA input port to the antenna base. When we met with Prof. Franke to discuss the oscillator design, he
told us such a measurement method was invalid for a monopole antenna because it failed to provide an
appropriate ground plane to “complete” the other half of the antenna. Upon talking about the correct
way to measure this type of antenna, we were warned by Prof. Franke that accurate measurement of our
antenna’s impedance on the VNA would be difficult because of: (1) the antenna’s short length, which
introduced a large capacity for impedance variation over small distances along the antenna (thus making
it critical that, during measurement, we establish an electrical connection at precisely the same point at
which the circuit would later connect in to the antenna) (2) the nature of its feed-point: the antenna
connected to the rest of its transmitter circuit via a brass screw built in to the base that was very difficult
to solder a good electrical connection to for this measurement, and (3) the lack of a good, large ground
plane beneath the base of the antenna, which is necessary for accurate measurements of monopole
impedance as discussed above.

According to Prof. Jennifer T. Bernhard of the Department of Electrical and Computer Engineering at
the University of Illinois at Urbana-Champaign, a quarter-wavelength monopole antenna (which would
be about 1.5 m in this case) has a radiation resistance of approximately 50 Ω, and negligible reactance.
According to Prof. Franke, monopole antennas shorter than this (such as ours) tend to have lower
radiation resistance and a capacitive reactance. Our antenna’s length was about 14 in, or 0.36 m, so we
would expect to see those impedance characteristics after an accurate VNA measurement.

Our decided-upon measuring procedure involved soldering the antenna (inside a small container into
which the brass screw was connected) onto the same RF board trace it would be soldered to in our final
circuit, disconnecting all other components from that RF board trace, and connecting a coaxial cable
from the VNA to this trace (with the center coaxial conductor soldered to the trace, and the outer
conductor soldered through to the ground plane on the back of the board). This configuration did not
effectively solve any of the above problems: the sensitivity of the impedance measurement to the point
of connection to the antenna could not be overcome, we could not make a direct electrical connection to
the antenna and had to instead make a common connection to the RF board trace the antenna was on,
and the ground plane of the RF board was too small.

Not surprisingly, our VNA measurements were shaky and implausible. The average value of antenna
impedance that we observed over a period of time was 1400 + j*300 Ω. This radiation impedance is far
greater than 50 Ω, which we did not expect, and the antenna’s reactance is inductive, not capacitive.

We decided to try to build a matching network to this antenna anyway, in order to see if we could get
some improvement over the device range that we had observed without a matching network. Our general
strategy involved resonating out the inductive reactance using an appropriate capacitor, and then
matching 1400 Ω to 50 Ω. To resonate out the inductive reactance, we required a capacitor with
reactance –j*300 Ω at 49.86 MHz:

                                             -j*300 = -j/(*C)                                             (11)

                                    where  = 2**49.86*10^6 rad/sec

                                           C = 1/(300*) = 10.6 pF

We thus used the closest available capacitor value (11 pF) in series with the antenna to resonate out its
supposed inductive reactance.



                                                      12
Franke [3] notes that the general circuit shown in Figure 10 can be used to losslessly (ideally) match a
resistance R1 to a resistance R2 by using two reactive components:

                                           j*Xs




                                                        j*Xp
                                                                         R1




                                R2


                            Figure 10. General Form of a Lossless Matching Network


In the circuit of Figure 10, Franke [3] further notes that we must satisfy R1 > R2; thus, R1 = 1400 Ω and
R2 = 50 Ω. Furthermore, two possible matching network topologies exist: low-pass and high-pass. A
low-pass network provides a perfect match at the frequency for which it is designed, a perfect mismatch
at infinitely high frequency, and a reasonable match at low frequencies and DC. A high-pass network
exhibits the opposite behavior with respect to frequency extremes. We decided to use a low-pass
network in order to attenuate the higher harmonics of 49.86 MHz that were produced by the oscillator’s
transistor. The equations for Xs and Xp of a low-pass matching network are as follows:

                                        Xs = sqrt(R2*(R1-R2))                                         (12)
                                      Xp = -R1*sqrt(R2/(R1-R2))                                       (13)

For R1 = 1400 Ω and R2 = 50 Ω, Eqs. (12) and (13) give:

Xs = +259.808; at 49.86 MHz, this is a 0.83 μH inductor (we used 1 μH, the closest available value)
Xp = -269.430; at 49.86 MHz, this is an 11.8 pF capacitor (we used 12 pF, the closest available value)

We implemented this matching network in front of the resonating capacitor, and also included a “corner
reflector” behind our antenna. Our simple corner reflector, discussed in our Design Review, consisted of
two pieces of cardboard bent at a 90 angle to one another and covered in aluminum foil, and was
positioned (at the direction of Prof. Bernhard) about 1/4  (i.e. about 1.5 m) behind our monopole
antenna. The aluminum foil causes reflections of RF signals and thus can amplify the transmitted signal
strength in front of the antenna (i.e. in the direction toward the car). This overall strategy, however,
seemed to make our circuit performance worse (maximum smooth operating range dropped from 40 ft to
about 30 ft).

Our second matching attempt involved using the theoretical impedance for a short monopole given by
Walden [4]:

                                        R = 40***((h/)^2)                                          (14)
                                X = -60*[ln(h/(2*a))-1]/(tan(2**h/))                                (15)

where we measured ‘h’, the height of our antenna, to be 14 in or .3556 m, and ‘a’, the antenna radius, to
be 1.5 mm. From above,  = 6.02 m. Plugging these parameters into Eqs. (14) and (15) gives:


                                                     13
R = 1.4 Ω
X = -579.9 Ω


To resonate the antenna’s capacitive reactance, we found the following inductance requirement:

                           +j*579.9 = j**L     where  = 2**49.86*10^6 rad/sec                       (16)

                                         L = 1.85 μH at 49.86 MHz

We thus utilized available inductor values and placed two 1 μH inductors in series with the antenna, for
a resonating inductance of 2 μH - close to the above specification.

Then, we designed a matching network to create a 1.4 Ω to 50 Ω match. In doing so, however, we
decided to use a high-pass implementation this time in order to be sure we had eliminated all DC offset
to our output, especially since we had concluded that the presence of higher oscillation harmonics would
not harm our device’s performance. The reactance equations for a high-pass network are simply Eqs.
(12) and (13) with their overall signs reversed, and thus our required network is:

Xs = -8.25; at 49.86 MHz, this is a 27.07 nH inductor (we used four 100 nH inductors in parallel here
for a total inductance of 25 nH)

Xp = 8.48; at 49.86 MHz, this is a 387 pF capacitor (390 pF is closest available value, but when we
measured each 390 pF capacitor on the VNA, we found that each had a capacitance of about 800 pF at
49.86 MHz, so we used two of these capacitors in parallel for a total capacitance of 400 pF)

This matching strategy, again coupled with the corner reflector, still failed to give us an improvement in
our operating range as compared to what we obtained by simply connecting the antenna directly to the
final amplifier.

At this point, we decided to simply use a long piece of wire as our antenna (with one end soldered to the
feed point at the final amplifier output and the other end sticking up in the air) and customize its length
to find the antenna size that gave us the best range. We found that a 7 ft long antenna accomplished this
task, and our results will be described in the testing section that follows. For now, note that 7 ft
corresponds to 2.13 m, or about 1/3 of a wavelength. We expected that a 1/4 wavelength monopole
would give us a 50 Ω antenna, so it is reasonable that we observe the best match with a 1/3 wavelength
piece of wire. We also omitted the corner reflector because of the difficulty in making one that would
work effectively with such a tall antenna. Thus, while our final antenna implementation did not match
that specified in the Design Review, we still obtained satisfactory results.




                                                    14
                                               3     VERIFICATION

Our testing procedure involved the quantification of individual component performances, as discussed in
the Design Review. After quantifying individual components, we then made measurements of our
device’s overall performance, including range quantification and analysis of the results of competition
between our device and the victim controller.

3.1     Functional Tests and Measurements

3.1.1 49.86 MHz Oscillator and Active Buffer

After constructing our oscillator and verifying proper performance on the laboratory HP Spectrum
Analyzer, we obtained the following quantitative results:

Table 2. Oscillator Quantitative Measurements
            Measurand                                            Condition                              Measurement
Oscillator’s peak output frequency
                                                   100 Hz RBW on Spectrum Analyzer                      49.8596 MHz
 (device’s operating frequency)
  Active buffer power output at
                                                      Logic ‘1’ being transmitted                          -3.8 dBm
   oscillator’s peak frequency

The oscillation frequency is, for all practical purposes, what we want it to be. Additionally, oscillator
drift was extremely small and inconsequential; the frequency did not drift below 49.859 MHz or above
49.860 MHz using the above RBW on the Spectrum Analyzer.




          Figure 11. Frequency-domain analysis of final amplifier output (scaled-up version of oscillator output)




                                                            15
A time-domain view of the oscillator output (obtained from a laboratory oscilloscope) is shown in Plot 1
below:




            Plot 1. Time-Domain Analysis of Output from Active Buffer (corresponding to logic ‘1’)



3.1.2      Voltage Regulators and Control Logic

Multimeter measurements showed the following DC output voltages from each of the regulators:

Table 3. Voltage Regulator Quantitative Measurements
             Measurand                                       Condition                           Measurement
        +5 V Regulator Output                                  None                               +5.002 V
        +9 V Regulator Output                                  None                               +9.003 V

To verify proper control logic functionality, we connected the controller to the control circuitry, pressed
one of the buttons, and checked for the proper square wave at the output. Note that Plot 2 below was
obtained before we inverted the control logic output so that it could be righted by the CMOS switch (i.e.
Plot 2 should show a non-inverted square control wave):




                                                        16
                        Plot 2. Output of Control Logic (Non-Inverted) With Button Pressed


3.1.3     Active Buffer Switch

We began our implementation of the active buffer switch by connecting the source of the pMOS
transistor to the junction of R4 and R5. This junction was to serve as the “supply” for the inverter since it
would be at about 6 V DC (because R4 = R5). As described in the design of the active buffer switch, a 6
V supply voltage was needed to ensure that a logic ‘1’ transmitted out of the inverter would be at 6 V
and thus present the base of the active buffer transistor with the same bias voltage for which it was
designed. When the bias voltage fell to 4 or 5 V, the buffer’s heat sink would get too hot to touch and
the output magnitude would decrease. Not good!

According to the MOS I-V diagram (Figure 4), a voltage drop from source to drain in the pMOS is
necessary to sustain a drain current. Thus, with R4 = R5 the bias voltage of the inverter fell below 6 V.
We remedied this situation by reducing R4 until a multimeter measurement showed 6 V at the point
between R4 and R5. Table 4 summarizes the progression of R4 values we tried:

                           Table 4. Variation of Active Buffer Bias Voltage with R4 Value
                    R4 Value            Bias Voltage to Active Buffer Transistor Base
                      3 kΩ                                  4.5 V
                     2.4 kΩ                                 5.6 V
                     2.2 kΩ                                 5.9 V

Satisfied with a 5.9 V bias voltage, we used the corresponding R4 = 2.2 kΩ. This value yielded a ‘high’
output power of -3.8 dBm and a significantly cooler heatsink.

3.1.4     Gain Block and Final Amplifier

We verified proper operation of the amplification components of our system by comparing the power
levels at 49.86 MHz at the outputs of the active buffer, gain block, and final amplifier. They were as
shown in Table 5:

Table 5. Power Levels at Output of Oscillator, Gain Block, and Final Amplifier
           Measurand                                         Condition                       Measurement
  Active buffer power output at
                                                    Logic ‘1’ being transmitted               -3.8 dBm
   oscillator’s peak frequency
 Approximate output power from
                                                    Logic ‘1’ being transmitted               + 11 dBm
     “gain block” amplifier
 Approximate output power from
                                                    Logic ‘1’ being transmitted               + 24 dBm
          final amplifier

Power levels in Table 5 were measured on the Spectrum Analyzer. The increase in power from -3.8
dBm to +11 dBm within the gain block reflects the approximate 15 dB power gain that this element
should provide, and the increase in power from +11 dBm to +24 dBm within the final amplifier reflects
the approximate 13 dB power gain it should provide.

A time-domain view of the output from the final amplifier is shown in Plot 3. Note that the peak-to-peak
voltage of the 49.86 MHz sine wave has increased from 494 mV at the output of the active buffer (as
seen in Plot 1) to 10.19 V at the output of the final amplifier:
                                                      17
              Plot 3. Time-Domain Analysis of Output from Active Buffer (corresponding to logic ‘1’)



We observed that the power amplifier drew less current as the input signal got stronger and the amplifier
was being driven closer to full power. The amplifier dissipated much less heat under these conditions,
and went from being hot to the touch at no input to barely warm at full input. We noticed these same
phenomena when the load impedance approached 50 ohms real. Thus, during the debugging of our
oscillator and antenna, we used the measured current draw and the temperature of the amp chip as a
rough indicator of our circuit’s success or failure.

3.2    Overall Device Tests and Measurements

Operating specifications for our overall device are as follows:

                                 Table 6. General Device Operating Information
                       Required DC supply voltage                                   +12 V
                         Maximum current draw                                      340 mA
                      Maximum power consumption                                    4.08 W
               Maximum range of smooth control over car (with
                                                                                     80 ft
                     no same-frequency competition)
               Maximum range of sporadic control over car (with
                                                                                     115 ft
                     no same-frequency competition)

Note that the supply voltage and maximum current draw in Table 6 were read from the laboratory DC
power supply that our device operated off of, and the maximum power consumption is simply the
product of these two numbers. The range characterizations were performed in the 2nd floor east-west
hallway of Everitt Laboratory, and were done while trying to control the car without competition from
the original controller. The 80 ft smooth operating range compares to 35 ft for the original controller
(without any competition), and the 115 ft sporadic operating range compares to 45 ft for the original
controller (without any competition). Note that we did not implement the corner reflector for the
antenna, as suggested in the Design Review, because of the antenna’s far-larger-than-anticipated size.
Additionally, we did not perform a Tolerance Analysis with the antenna matching network, which we

                                                        18
also suggested in the Design Review, because our final antenna design did not include a lumped-element
matching network.

We now describe our device’s range and performance during competition with the victim by first
showing the observed results for a representative setup during which our device is placed 40 ft from the
car (half of its maximum smooth, no-competition operating range), and then using this information to
construct simulated results for other setups that we might choose to investigate:

                                 Table 7. Device Performance at 40 ft from Car
                                  Condition                                      Measurement
        Minimum distance of victim controller from car to prevent our
                                                                                       8 ft
            device from spoofing (when it is in spoofing mode)
        Minimum distance of victim controller from car to still be able
                                                                                       5 ft
                     to control it when our device is on

Note that the first measurement in Table 7 represents the configuration at which the devices mutually
jam each other. The second measurement represents the configuration at which the victim is still able to
operate without harmful interference from our device. We can simulate the expected range
characterizations for any positioning of our jammer/spoofer by estimating that the received signal level
(at the car) from each of the two sources is the same when our device is 40 ft away and the victim is 8 ft
away, since the above data shows that to be a scenario for mutual jamming.

We then measured the logic ‘1’ power output from the victim circuitry (i.e. just before the antenna feed-
point), and found it to be -13 dBm; for simplicity, we will assume that the victim antenna has been
perfectly matched to the rest of the circuit by the manufacturer and that it is lossless and of unit
directivity. This assumption allows us to use -13 dBm as our victim transmitter output power. We then
convert -13 dBm to a linear power measurement of 50.12 μW, and convert 8 ft to 2.44 m. Thus, the logic
‘1’ power that the car receives from the victim (and thus from our device) in this setup can be calculated.
Note that received power decays inversely with the square of distance from its source, and we have
estimated the car’s receiving antenna to have perfect efficiency and a directivity of 1:

  Logic ‘1’ power level received at car (from each source) = 50.12 μW / (2.44 * 2.44) = 8.42 μW         (17)

Converting 40 ft to 12.2 m, we then have a transmitted power level from our device antenna of:

                        8.42 μW * 12.2 * 12.2 = 1.253 mW (or +0.98 dBm)                                 (18)

The fact that this transmitted power level does not equal +24 dBm, which is the logic ‘1’ power level
seen at the output of the final amplifier, can be attributed to our approximation of a perfect match,
perfect radiation efficiency, and unit directivity in the manufacturer’s antenna, our approximation of a
perfect radiation efficiency and unit directivity in the car’s antenna, and to the lack of a perfect match
and lack of perfect radiation efficiency and unit directivity in our own antenna. Nonetheless, with this
transmitted power level and a -13 dBm transmitted level from the victim controller, we have the tools
we need to complete the characterization tasks laid out in the Design Review; that is, to estimate and
graph relative received power levels and SNR for any configuration that we want.




                                                      19
3.3          Graphs

Two sample configurations and their results are as follows:

      1. With victim controller 15 ft from car with jammer/spoofer’s distance variable, we obtain:

   160                                           20
                                     Power
   140
                                     Received    15
   120                               from
   100                               Victim
                                                 10
    80                               (uW)
                                                                                         SNR (dB)
    60                               Power        5
    40                               Received
    20                               from Our
                                     Device       0
     0                                                0          50          100
                                     (uW)
         0            50      100                -5


Plot 4. Received power from each                      Plot 5. SNR at the car’s receiver,
transmitter as a function of our                      expressed in dB (signal is our
device’s distance from car                            device’s output, noise is victim’s
(x-axis = distance in ft). Power                      output). (x-axis = distance in ft) SNR reaches
received from our device becomes                      0 dB at jammer/spoofer distance of 75 ft.
equal to that received from victim
when our device is 75 ft away.

      2. With victim controller 5 ft from car and jammer/spoofer’s distance variable, we obtain:

   160                                           10
                                     Power
   140                                            8
                                     Received
   120                               from         6
   100                               Victim
    80                               (uW)         4
                                                                                         SNR (dB)
    60                               Power        2
    40                               Received
                                     from Our     0
    20
     0
                                     Device      -2 0            20           40
                                     (uW)
         0            20       40                -4


Plot 6. Received power from each                      Plot 7. SNR at the car’s receiver,
transmitter as a function of our                      expressed in dB (signal is our
device’s distance from car                            device’s output, noise is victim’s
(x-axis = distance in ft). Power                      output). (x-axis = distance in ft) SNR reaches
received from our device becomes                      0 dB at jammer/spoofer distance of 25 ft.
equal to that received from victim
when our device is 25 ft away.




                                                          20
                                               4   COST

4.1 Parts and Equipment List

We originally thought we would have to buy a $1,000 RF amplifier, but obtained free samples from WJ
Communications; these constituted some of our largest savings. We also did not pay for some
components and services that we obtained free during the construction process, but the prices for all of
these items are included below to show the total real-world cost of our project:

Table 8. Parts and Equipment List
                    Item                            Unit Cost        Quantity        Total Item Cost
  Remote-controlled car kit and batteries             $32.31            2                $64.62
Package of crystals for 49.86 MHz oscillator
                                                      $17.10            1                 $17.10
   (only one needed, but ordered extras)
 Corner Reflector Aluminum Foil & Duct
                                                       $6.66            1                 $6.66
                    Tape
            Trim Potentiometers                        $1.60            2                  $3.20
                 Resistors*                            $0.10           35                  $3.50
                Capacitors*                            $0.25           50                 $12.50
                  Inductors                            $1.00           20                 $20.00
                   SN7400                              $0.81            1                  $0.81
                   SN7407                              $0.22            1                  $0.22
              WJ AG402-86*                             $1.50            2                  $3.00
                WJ AH101*                             $10.50            2                 $21.00
                   LM317                               $0.47            2                  $0.94
          MTP10N10EL (nMOS)                            $1.16            1                  $1.16
            MTP12P10 (pMOS)                            $1.94            1                  $1.94
                  2N5179*                              $1.50            1                  $1.50
                  2N3013*                              $1.50            1                  $1.50
             Solder and wick*                          $8.00            1                  $8.00
                    Wire*                              $5.00            1                  $5.00
                RF Boards*                            $20.00            3                 $60.00
 Printed Circuit Board for Control Logic*             $50.00            1                 $50.00
      Mounting Board and Hardware*                    $15.00            1                 $15.00
                    Total                                                                $297.65
   * = obtained free; listed price is approximate price if bought commercially

4.2 Total Cost Calculation

Using the following equation, we were able to obtain the total cost it would take for another group to
recreate our exact design. Note that we worked a total of 180 combined hours:

        Total Cost = Parts Cost + (Ideal Hourly Salary  Hours Spent  2.5)
                   = $297.65 + ($50/hr  180 hr  2.5)
                   = $22,797.65

                                                   21
To recover this amount, we would need to sell approximately 76 units, each at twice the total cost of our
parts (i.e. at $595.30 each). In our Project Proposal, we estimated our entire cost to be approximately
$30,000, and thus posted a substantial savings from this amount.
                                            5 CONCLUSION

5.1 Accomplishments

Our device worked as expected: our oscillator functioned at about 49.86 MHz, and when its output was
correctly controlled and amplified, we could send out control signals that were clearly intelligible (to the
car) from up to 80 ft away. Since the original controller was only able to send out a clear signal to about
35 ft, we were well above the original distance and could safely protect a given area. This fact can easily
be viewed graphically from Plots 4-7 in Section 3.3. Thus, our device effectively jammed the original
controller’s signal when it was plugged in, even when we were not trying to take control of the car.
When we did try to take control, the spoofing was successful. Overall, we achieved the objectives that
we set forth for ourselves at the beginning of the semester, and we were very pleased with the results of
our final design.

5.2 Uncertainties

Our main uncertainty involves the ability to construct and measure a monopole antenna accurately. We
know from the calculations in Section 3 that our wire antenna, while sufficient for our purposes, still
introduced a significant amount of mismatch and/or loss. Further work on the antenna is suggested as an
improvement below.

We also believe it would be interesting to further raise the radiated power of our system. This would
involve investigating the feasibility of using higher-power RF amplifiers and/or high efficiency/high
gain antennas.

5.3 Future Work/Alternatives

There are a few key recommendations and improvements that can be made from our final design. Most
importantly, a more efficient antenna should be developed that is correctly matched using a matching
network to the output of the power amplifier. A greater power output will further increase the range and
effectiveness of the jammer. A matched 50 ohm antenna will be more efficient in its output than our
crudely matched monopole. Similarly, a directional antenna may be more effective in certain situations
than our monopole which radiates in all directions.

Additionally, although this device can be easily hooked up to a +12 V DC power supply that can be
found in most motor vehicles, it would be nice to connect a battery pack so that it can be placed in any
given area even if no power source is available. The voltage regulators added onto the circuit board
would make this improvement very easy to implement since only a +12 V DC power source is needed
instead of three differing power sources at +12, +9, and +5 V DC.

Finally, if this device were to be mass-produced for commercial use, an encasement should be created
that will place the entire board in a small compact space with the control buttons on the outside. If this
jammer/spoofer could be made into a small handheld device, its ease of use would be greatly increased.

Again, however, we have achieved the results that we set out to, and it will be interesting to see what
further enhancements may be made to this design in the future!


                                                    22

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:9
posted:5/20/2012
language:
pages:25