Proceedings of the 6th German Microwave Conference

Triggering UMTS User Equipment Inter-RAT Cell Reselection Using Noise Jammers
Markus Gardill, Stefan Zorn, Robert Weigel, and Alexander K olpin Institute for Electronics Engineering, Friedrich-Alexander University of Erlangen-Nuremberg, Cauerstr. 9, 91058 Erlangen, Germany

AbstractIn this work a strategy for triggering an interradio access technology cell reselection in UMTS user equipment is proposed. All mobile devices within the effective range of a transmitter radiating a noise-like RF signal on the UMTS downlink frequency bands are forced to leave the UMTS cells and camp on non-UMTS cells, such as e.g., GSM. This allows to use a GSM based localization technique even in areas with UMTS coverage. In contrast to classical RF communication jammers which focus on disrupting the communication link, our exclusive goal is to trigger the inter-RAT cell reselection to GSM. In particular we estimate the necessary jammer RF power by examining the cell reselection procedure running in the user equipment (UE) and using some exemplary geographical scenarios. We use a hardware system to proof the results. Index TermsUMTS, jammer, cell reselection

radiating a noise-like signal on the UMTS downlink frequency bands. The structure of this paper is as follows: Section 2 introduces the scenario for the proposed jamming strategy. In section 3 we examine the inuence of noise jamming on the cell reselection procedure. Section 4 provides simulation results for an exemplary scenario and in section 5 we present measurement results obtained using a hardware jamming system. II. JAMMING S CENARIO The intention of the jamming strategy proposed in the scope of this work is to allow using a GSM based localization technique for search and rescue scenarios [1] even in areas with UMTS coverage. The goal of the localization technique is to nd people trapped under collapsed buildings by spotting the positions of their mobile phones. Hence we consider a scenario as illustrated in gure 1.

I. I NTRODUCTION Nowadays the use of mobile communication devices is an integral part of the all-day life in industrialized countries. But besides offering mobile voice and data services to the masses, also a quite new eld of security related issues emerges from the prevalence of cellular communication devices. In particular, one recent approach focuses on localizing victims buried under a heap of ruins using their GSM mobile phones [1]. Whereas GSM is still the world wide most common standard for mobile communications, especially in urban areas third generation (3G) networks such as the Universal Mobile Telephony System (UMTS) are widely available and coexist with GSM. In those regions cellphones capable of 3G technology will not camp on GSM, but on the modern UMTS cells. Whereas this enables the mobile phone user to benet from high-speed data access and mobile multimedia services, a serious problem is introduced from the security-related point of view: the GSM based technique for localization remains useless if the target mobile devices are camped on UMTS. One solution to tackle this problem is to force all mobile devices camped on UMTS cells to leave the UMTS frequency bands and to select available GSM cells. This is referred to as an inter-radio access technology (RAT) cell reselection. A UE in idle mode autonomously performs the cell selection based on RF measurements, pilot channels, and system information broadcast by the cells within range [2]. Our proposed approach is to inuence those measurements and hence to trigger the inter-RAT cell reselection by using a mobile transmitter

GSM Target Area

10

0m

GSM

UMTS Jamming System

10

0m
UMTS

Fig. 1. Search and rescue scenario considered for the proposed jamming strategy.

We assume an urban or suburban region where several victims are buried under the debris of a collapsed building. The area of interest for localization, referred to as target area, is considered to exhibit a square shape with an edge length of about 100 m and is assumed to be covered by several UMTS as well as GSM cells of different network providers. Since the localization technique is based on GSM [1], it has to be ensured that all UE in the target area leave the UMTS cells they are camping on and reselect available GSM cells.

2011 IMA e.V.

1416 March 2011, Darmstadt, Germany

The inter-RAT cell reselection should be triggered in all mobile devices using a transmitter radiating a noise-like RF signal on the UMTS downlink frequency bands, placed on an edge of the target area. Due to the close relationship to classical RF communications jamming, we refer to the transmitter as jamming system. III. JAMMING S TRATEGY A. Cell Reselection Procedure The UE in idle mode periodically executes the cell reselection procedure every discontinuous reception (DRX) cycle. This cell reselection procedure is based on ranking a set of cells using certain RF measurements. Depending on the RF measurements of the current cell, the UE includes inter- and intra-frequency UMTS cells or cells from another RAT in the cell reselection procedure [2]. The UE then scores all cells included in the ranking process using the RF measurement results. The cell which has been ranked highest for a certain duration of time will be selected to camp on. For evaluating the quality of UMTS cells, the UE shall measure the primary common pilot channel (P-CPICH) energy per chip to interference ratio Ec /I0 and the received signal code power (RSCP). Those measurements directly correspond to the cell quality parameter Qqualmeas [2] Qqualmeas = 10 log10 CPICH Ec I0 (1)

However, by degrading Qqualmeas below the minimum required value Qqualmin , the suitable criterion (3) is no longer fullled. This degradation is achieved by increasing the interference power density I0 from equation (1), and is realized by the noise jamming system injecting a sufcient amount of interference density into the UMTS downlink frequency bands. Note the two favorable results of this approach: rstly, as soon as the additional interference created by the jamming system is sufcient to reduce the quality of the strongest cell within range, simultaneously all weaker cells within range will be effectively jammed, since all Node B (the UMTS equivalent of GSM base transceiver station) of one network provider operate on the same frequency band and hence will be degraded by the noise jammer. Secondly, triggering the interRAT cell reselection is independent of the used jammer RF signal type, as long as enough in-band interference is created by the jammer to degrade Qqualmeas by a sufcient amount. In particular this allows the jamming system to be optimized for high output power, regardless of RF signal transmit quality. C. Estimating Necessary Noise Power By denition, the CPICH Ec /I0 is given by [4]

PNodeB LBT (rBT ) Ec = I0 BWB (Nth + INC + ISC )

(7)

and the cell RX level parameter Qrxlevmeas [2] Qrxlevmeas = 10 log10 (CPICH RSCP) . (2)

Only UMTS cells which fulll both of the cell selection criteria given by Squal = Qqualmeas Qqualmin > 0, Srxlev = Qrxlevmeas Qrxlevmin Pcompensation > 0, (3) (4)

where PNodeB is the Node B transmit power, is the pilot power fraction, i.e., the percentage of total power used for transmission of the CPICH, LBT (rBT ) is the path-loss between Node B and the target dependent on the distance rBT between Node B and target, and BWB is the UMTS channel bandwidth. The interference density I0 at the UE antenna is composed of thermal noise density Nth , interference density created by neighboring cells INC and interference density created by the same cell ISC , since all additional channels transmitted by the Node B act as interferes with respect to the P-CPICH. Under the inuence of a noise jammer, (7) is extended to Ec PNodeB LBT (rBT ) = , I0 BWB (Nth + INC + ISC + IJ ) (8)

are possible candidates for cell reselection and included in the ranking procedure. The minimum required quality Qqualmin and the minimum required RX level Qrxlevmeas in (3) and (4) are broadcast in the system information of every cell and have a valid range [3] 24 dB Qqualmin 0 dB, 115 dBm Qrxlevmin 25 dBm. (5) (6)

Pcompensation is an additional value for taking into account the maximum UE transmit power. B. Triggering inter-RAT Cell Reselection If either of the cell selection criteria given in (3) and (4) is violated for all UMTS cells within range, only GSM cells remain as possible candidates in the cell reselection procedure and the UE will perform an inter-RAT cell reselection to GSM. It is obvious that the criterion (4) cannot be inuenced externally, since the CPICH RSCP cannot be impaired using a jammer.

where IJ is the additional jammer interference density created at the UE antenna. By furthermore expressing the interference powers at the UE antenna due to the same cell, neighbor cell and jammer using transmit powers and path losses, an equation suitable for simulation of the expected Ec /I0 in various scenarios can be derived. Therefore, we replace the neighbor cell interference power BWB INC by BWB INC =
n=1

PNC,n LNT,n (rNT,n ).

(9)

It is obvious, that total neighbor cell interference power from (9) is a superposition of the transmit power PNC,n of the n-th neighboring cell times the path loss LNT,n (rNT,n ) from the n-th neighboring cell to the target position. Similarly, the same cell interference power BWB ISC is expressed using BWB ISC = LBT (rBT ) PNodeB , (10)

1000

NC

400 -10 300 -20 -30

800

600

400

JT

200

X: 350.4 Y: 50.05 Index: -11.22 dB

(-300,300)

y in m

y in m

SC
0 -200

(250,0)
0

target area

200

rNT,1

100

-40 -50 -60 -70 -80 -90

jammer

-100

(0,0) N W S E
X: 250.3 Y: -50.05 Index: -16.86 dB

-400

-600

N W E S

rJT

-200

rBT
target

-300

-800

-100 -200 -100 0 100 200 300 400

-1000 -1000

-800

-600

-400

-200

200

400

600

800

1000

-400 -400

-300

x in m
Fig. 2. Geographical scenario and denition of angles for simulation of energy per chip to interference ratio.

x in m
Fig. 3. Simulated Ec /I0 using a noise jamming system and neighbor cell interference taken into account.

where PNodeB is the total available transmit power of the Node B, is the fraction of currently used transmit power and LBT (rBT ) is the path-loss between Node B and target. Finally, the jammer interference power BWB IJ is expressed by BWB IJ = GJ (JT , J ) LJT (rJT ) PJ , (11)

antenna given by for 90 + J JT < 45 + J 3 dBi 7 dBi for 45 + J JT 45 + J GJ (JT , J ) = 3 dBi for 45 + J < JT 90 + J 13 dBi else and its RF power was set to PJ = 33 dBm. We furthermore placed another Node B 424 m northwest of the target Node B to account for neighbor cell interference. The simulation scenario is illustrated in gure 3. Both Node B were assumed to transmit overhead channels only, with a power setting given in table I. There was no dedicated trafc active in the cells. Due to the lack of radio propagation models between Node B, jamming system, and UE located in the target area, all radio propagation conditions were assumed to be given by L (r ) =

where PJ refers to the radiated in-band power of the jamming system and LJT (rJT ) to the path loss between jamming system and target. An antenna gain of the jamming system is taken into account by GJ (JT , J ), which is dependent on the orientation of the jamming system JT and the angle JT between jamming system and target. Figure 2 illustrates the denition of all angels and distances. IV. S IMULATIONS Several simulations were conducted to estimate the amount of RF power necessary to trigger an inter-RAT cell reselection in all UE located within the target area using (8), (9), (10), and (11). The complexity of this task is obvious, since the energy per chip to interference ratio at the UE antenna is dependent on a variety of parameters such as the Node B channel power settings, the active downlink trafc, the radio propagation conditions, and the neighbor cell interference. Nevertheless to get a rst impression of the Ec /I0 degradation evoked by the noise jammer, the results of one typical simulation scenario are discussed in the following. Without loss of generality we dened the target Node B to be at the origin of a coordinate system as illustrated in gure 2. The square shaped target area with an edge length of 100 m was placed at a distance of 250 m east of the Node B. The jamming system was situated in between Node B and target area, it was facing in eastern direction, it used a simplied model for a directional UMTS

4 r

(12)

TABLE I N ODE B C HANNEL P OWER S ETTINGS U SED FOR S IMULATION Power Relative to Pilot (dB) / -3 -5 -6 -5 4 4 Absolute Power in dBm 33 30 28 27 28 37 37 Absolute Power in Watts 2.000 0.100 0.063 0.480 0.006 0.500 0.500

Channel CPICH PSCH SSCH PICH AICH SCCPCHFACH SCCPCHPCH

Duty Cycle 100% 10% 10% 96% 1% 10% 10%

10 log10 (Ec /I0 )

4 42 m

X: 250.3 Y: 50.05 Index: -16.86 dB

Using the equations derived in section III-C, the Ec /I0 of the considered scenario was computed. The simulation results illustrated in gure 3 reveal an Ec /I0 at the target zone near end of about -16.8 dB and at the far end an Ec /I0 of about -11.22 dB. Assuming a Qqualmin setting of -12 dB, the simulation indicates the jammer RF power being sufcient to trigger the inter-RAT cell reselection in most of the UE located in the target area. However, under worst case conditions such as a low Qqualmin setting and a target area located close to a Node B, a high-power noise jamming system may be necessary to ensure that all target UE leave the UMTS frequency bands and select available GSM cells. V. M EASUREMENTS Measurements were conducted to examine the inuence of additional interference created by the jamming system onto the cell reselection procedure and to evaluate that the inter-RAT cell reselection is triggered as soon as (3) is violated. Therefore, the measurement setup illustrated in gure 4 was used. The RF port of a Rohde & Schwarz CMU 200 communication tester emulating a UMTS cell was combined with the output of our jamming system using a 3 dB power combiner. The compound RF signal was then connected to a standard UMTS mobile phone using the devices external antenna port. To get an insight into the cell reselection procedure, a radio protocol stack debug software was connected to the mobile device under test using a RS232 serial connection. The measurement setup is illustrated in gure 4.
jamming system power combiner UE CMU 200 ext. ant.
Fig. 4.

TABLE II CMU C HANNEL P OWER S ETTINGS U SED FOR E VALUATION Power Relative to Pilot (dB) / -3 -5 -6 -5 4 4 Absolute Power in dBm -58 -61 -63 -64 -63 -54 -54 Absolute Power in nW 1.584 0.079 0.050 0.382 0.005 0.398 0.398

Channel CPICH PSCH SSCH PICH AICH SCCPCHFACH SCCPCHPCH

Duty Cycle 100 % 10 % 10 % 96 % 1% 10% 10%

Hence, for a minimum Qqualmin of -24 dB and the Node B power settings from table II the inter-RAT cell reselection is expected to be triggered in the UE under test using a jammer power of PJ 34 dBm. This result could be validated during several repeated measurements, where a jammer power in between -38 dBm and -35.5 dBm lead to ranking the emulated cell as unsuitable. By changing the Qqualmin of the emulated cell to -15 dB, as expected 9 dB less jammer RF power was necessary to violate the cell suitable criterion. VI. C ONCLUSION A possibility to trigger an inter-RAT cell reselection in UMTS UE using a noise jammer was proposed and examined. It was shown how additional in-band interference created by a jamming system inuences the cell reselection procedure, and when the UE will decide to reselect a cell from another RAT to camp on. A simulation was performed to estimate the necessary jammer RF power for an exemplary scenario. Finally, the behavior of the cell reselection process under the inuence of additional interference was examined on a practical basis. The use of a noise jammer was revealed to provide a simple but effective method to trigger an inter-RAT cell reselection in UMTS UE. However, the major drawback of this approach is that an exact estimation of necessary jammer RF power is hardly feasible, since it depends on a variety of factors such as the Node B channel power settings, the active downlink trafc, the radio propagation conditions, and the neighbor cell interference. In a worst case scenario, a highpower noise jamming system may be required to generate a sufcient amount of additional interference at the UE antenna. In a next step, eld tests should examine the usability of the noise jamming approach under more realistic conditions. R EFERENCES
[1] S. Zorn, R. Rose, A. Goetz, and R. Weigel, A novel technique for mobile phone localization for search and rescue applications, in 2010 International Conference on Indoor Positioning and Indoor Navigation (IPIN), Sep. 2010, pp. 1 4. [2] User Equipment (UE) procedures in idle mode and procedures for cell reselection in connected mode, 3rd Generation Partnership Project Std. TS 25.304, Rev. 9.0.0, 2009. [3] Physical layer - Measurements (FDD), 3rd Generation Partnership Project Std. TS 25.215, Rev. 9.0.0, 2009. [4] S.-F. Su, The UMTS air-interface in RF engineering: design and operation of UMTS networks. Mcgraw-Hill Professional, 2007.

protocol stack debug software rs232

Measurement setup

The CMU was set up with the power settings given in table II and emulating a cell on UTRA absolute radio frequency channel number (UARFCN) 10562. The UE under test was camping on the emulated cell in idle mode. Bandlimited noise ltered by the UMTS transmit lter response and centered around UARFCN 10562 was generated by the jamming system. For this single-cell scenario the required jamming power can be approximated by neglecting the thermal noise from (8) PJ 10(Qqualmin /10)

PNodeB LBT PSC LBT , LJT

(13)

which can be further simplied to PJ 10(Qqualmin /10) PNodeB PSC , (14)

since the path losses, corresponding to the attenuation of the connecting cables, were identical for jamming system and Node B.