Current issue : #62 | Release date : 2004-07-13 | Editor : Phrack Staff
Title : Radio Hacking
Author : shaun2k2
                           ==Phrack Inc.==

              Volume 0x0b, Issue 0x3e, Phile #0x0b of 0x10

|=---------------------=[ The basics of Radio ]=-------------------------=|
|=------------------=[ shaun2k2 <shaun at rsc dot cx>  ]=----------------=|

0 - Introduction
  0.1 - Technical Terms

1 - Radio Basics
  1.1 - Radio Waves
  1.2 - Carrier
  1.3 - (RF) Frequency Bands
  1.4 - Wavelength
  1.5 - Transmission
  1.6 - Receiving

2 - AM Radio
  2.1 - What is AM Radio?
  2.2 - Modulation
  2.3 - Demodulation
  2.4 - Circuits
      2.4.1 - Receivers
      2.4.2 - Transmitters

3 - FM Radio
  3.1 - What is FM radio?
  3.2 - Modulation
  3.3 - Demodulation
  3.4 - Circuits

4 - Misc
  4.1 - Pirate Radio
  4.2 - Wireless Telephone Tapping
  4.3 - Jamming

5 - Conclusion

6 - Bibliography

--[ 0 - Introduction

    Ever since our discovery of radio, in around 1902, we have proceeded
to utilise it for many different purposes -- from sending others short
messages, to transmitting large and critical data sequences to other
computer systems.  As time has gone on, as useful a technology as
radio is, it is barely noticed anymore.  When most people think of
'radio', they picture a small black device sitting in their car,
which they will use to listen to their local radio stations during car
journeys.  On the other hand, very few people realise the true
usefulness of radio, often forgetting that their cellphones,
televisions, satellite TV and alarm systems all use radio too, to do
their job on a very regular basis -- radio is not just that boring
old thing gathering dust in the corner.

    This article is divided up into four parts.  The first part describes
the basic theory of radio, with examples to illustrate some of the
everyday uses of it.  In parts two and three, AM and FM radio
details are outlined, showing various different circuits to illustrate
how these principles can be applied to real-life, functioning
circuits.  Section four is a miscellaneous section, presenting some
interesting points that do not fit elsewhere.  Some electronics knowledge is
useful in radio, though not totally necessary.  Most circuits
presented here are quite rough, and can be greatly improved upon in
many ways.

----[ 0.1 - Technical Terms

Below is a description of technical terms used throughout the article:

RF          -- Any frequency within the radio spectrum, which can be
               used to transmit and receive radio signals.

Modulation  -- A technique used to package data into a radio signal
               which is of use to the destination radio receiver.

AM          -- Amplitude Modulation.  This involves shifting the amplitude
               of a radio signal's carrier very slightly in sympathy with
               a modulating signal.

FM          -- Frequency Modulation.  FM modulation involves shifting the
               frequency of a radio wave's carrier very slightly in
               sympathy with a modulating signal.

Receiver    -- Any device which is capable of receiving radio signals
               sent by a radio transmitter.

Transmitter -- A device which can transmit radio waves into the
               surrounding environment.

Aerial      -- A medium to large piece of wire which is used by either a
               radio transmitter or receiver to propagate or detect an
               incoming radio signal.  In a radio receiver or transmitter,
               an aerial acts as one plate of a capacitor, whilst the Earth
               takes the place of the other plate.

Antenna     -- See aerial.

Wireless    -- Refers to any technology which communicates data without the
               need for a wired connection.  Most wireless devices, such as
               cell phones, televisions, and others use radio, but several
               do use technologies such as infrared, which is not covered

Radio wave   -- A radio wave is an 'electromagnetic' wave, most commonly
                containing data to be received by a remote radio receiver.

Oscillator   -- Refers to an electronic circuit which 'oscillates', or
                'vibrates', to complete a certain task.  Oscillators are
                used in radio to transmit radio waves at a given
                frequency -- the rate at which the oscillator oscillates is
                the RF (see RF) at which the wave is transmitted.  Common
                oscillator circuits, also used in this paper, are LC
                oscillator circuits, and crystal-controlled oscillators.

Crystal
oscillator   -- An oscillator circuit whose oscillation frequency is
                controlled by a 'crystal'. See oscillator.

LCoscillator -- An oscillator consisting of a capacitor and an inductor,
                whose frequency of oscillation is controlled directly by the
                capacitor, which is usually variable.  See oscillator.

Capacitor    -- Device which stores current as an electrical field.

Broadcast    -- A term used to describe transmitting radio waves into the

Wavelength   -- The physical distance between corresponding points (e.g.
                peaks) of two successive waves on the same frequency.

Bands        -- Frequency Bands are a range of frequencies used
                interchangeably or commonly for the same type of technology.
                For example, televisions often use the VHF band.

Frequency    -- Number of cycles per second. Frequency can be used to
                describe how often an oscillator oscillates.

Sidebands    -- When modulation of a carrier is applied, two extra
                bands are generated, one slightly higher and one slightly
                lower than the carrier frequency, arising from the 'sum and
                difference' of the carrier and audio frequencies.  These
                two bands appear either side of the RF carrier, hence the
                term 'sidebands'.

--[ 1 - Radio Basics

----[ 1.1 -  Radio Waves

    Radio waves, otherwise referred to as 'radio signals', are simply
electromagnetic waves.  Radio waves are transmitted by devices called
'radio transmitters', or 'transmitters' for short.  Despite our wide and
many uses for radio waves as a whole, we actually know very little about
'radio'.  We do know, however, that radio waves are a form of energy which
propagates exactly like any other type of wave we know of -- an audio wave,
for example.

    Radio waves are made up of three things: an electric field, a
direction, and a magnetic field.

    Despite our underlying ignorance of radio and its properties, we can
predict and use those properties to our advantage to carry out a wide
variety of different tasks -- and will probably do so for a long time to come.

----[ 1.2 - Carrier

    An 'RF carrier' can be thought of as the part of the radio wave which
can be modulated to 'carry' a data signal. An analogy to help with
understanding this is to think of turning on a flashlight and pointing it
towards a wall.  The light which is seen on the wall is the 'carrier'.

    Before and without modulation, the carrier of a radio wave contains no
data, and just contains peaks of an RF voltage.

                          peak voltage

                       ||\\    ///\    //\\
                       || \\  //  \\  //  \\
                       ||  \\\/    \\\/    \\

                             RF carrier

    Because sending radio waves with a carrier containing no data would be
almost useless, a carrier is 'modulated' to contain data. There are various
modulation schemes in wide use, but the two most common schemes are AM
(Amplitude Modulation) and FM (Frequency Modulation). These are discussed

----[ 1.3 - (RF) Frequency Bands

    As we can gather from listening to a variety of radio stations,
different forms of technology use an entirely different 'band' of radio
frequencies on which to send and receive their radio signals.

    The entire range in which radio signals are transmitted extends from
around 30KHz, up to about 30GHz.  This whole range of available RFs
(Radio Frequencies) is known as the 'radio spectrum'.  The radio
spectrum's range of frequencies, and their corresponding uses, are shown
in the table below.

| Frequency         | Uses                       | Name                    |
|-------------------|----------------------------|-------------------------|
| 30KHz-300KHz      | Long-wave radio, useful    | Low Frequency (L.F)     |
|                   | for long distance          |                         |
|                   | communications             |                         |
| 300KHz-3MHz       | Medium wave, local radio,  | Medium Frequency (M.F)  |
|                   | distant radio stations     |                         |
| 3MHz-30MHz        | Short wave radio,          | High Frequency (H.F)    |
|                   | communications,            |                         |
|                   | amateur radio              |                         |
| 30MHz-300MHz      | FM radio,                  | Very High Freq (V.H.F)  |
|                   | police radio,              |                         |
|                   | meteorology comms          |                         |
| 300MHz-3GHz       | Air traffic control,       | Ultra High Freq (U.H.F) |
|                   | TV                         |                         |
| 3GHz-30GHz        | Radar comms,               | Microwaves (S.H.F)      |
|                   | satellites,                |                         |
|                   | telecommunications (TV &   |                         |
|                   | telephone)                 |                         |

    Since certain frequency bands are used to accommodate important
communications, such as the VHF band, it became illegal to transmit
radio waves at certain frequencies without a license. This is because
transmission of radio signals at important frequencies could
interrupt critical communication, such as communication between police
officers using their radio transmitter devices.

    All frequencies within the radio spectrum are invisible to humans.
Light frequencies which are visible to humans, i.e frequencies which
are present in the light spectrum, operate at *much* lower

----[ 1.4 - Wavelength

    Wavelength is the physical distance between a peak in one radio wave
and the corresponding peak in the next radio wave transmitted successively
-- on the same RF.  As a general analogy, the wavelength can be thought of
as the distance that the peak in a given wave will have travelled in the
time taken for one cycle. This can be calculated using the simple formula
below.

|\ = V / F

* |\ = lambda (wavelength)
  V  = Velocity
  F  = Frequency

    Using this formula, the wavelength for an example scenario can be
calculated, when the RF is 27MHz.  The speed of light is 300 million
meters/second, which is therefore the velocity of the electromagnetic

|\ = 300,000,000 / 27,000,000

= 11.11r

    Looking at the above calculation, what can be gained? It seems that the
wavelength for waves transmitted in the example scenario is 11.11
(recurring) meters, so from this, it can be gathered that a peak in a
particular radio wave will have travelled 11.11r meters in the time it
took for one oscillation of the transmitting oscillator. But how can we
know how long this oscillation period takes? We can calculate this
using the formula '1 / f'.

1 / 27,000,000 = 0.0000000370r

    This means that within the minuscule time frame of 0.0000000370
(recurring) seconds, the peak within the radio wave should have travelled
approximately 11.11 (recurring) meters.

    Wavelength might seem quite a useless thing to calculate on its own,
but it comes in very useful when it comes to calculating suitable aerial
lengths for both radio transmitters and radio receivers. As a rule of
thumb, an ideal length for a radio aerial is around 1/2 of the signal's
wavelength. This can be calculated very easily.

11.11 / 2 = 5.555 (roughly)

    From this calculation, we can gain the knowledge that a near ideal
radio transmitter/receiver aerial can be constructed to be of around 5.5
meters. Exact precision is not generally critical to the overall operation
of the radio transmitter/receiver. For example, where portability of
equipment is more of a concern than great efficiency, 1/4, 1/8 or even 1/16
of the wavelength in meters is often used for the length of the radio aerial.

11.11 / 4 = 2.7775
11.11 / 8 = 1.38875
11.11 / 16 = 0.694375

    From this little experiment we can see that we can turn a length which
is considerably out of the question due to portability desires, into a
length which is much more suitable, yet efficiency is not affected too much.

    This technique is very commonly employed to calculate sensible lengths
for radio aerials.  However, other techniques are also employed, especially
in the case of satellite TV.  Notice how TV satellite dishes house tiny
holes in the body of the dish? These holes are specially sized to ensure
that radio waves with wavelengths less than that associated with the
desired RFs (3GHz-30GHz) do not create an electrical current in the aerial
wire, as suitable radio waves do. Holes based upon the same principle can
also be found when looking inside a microwave oven.

----[ 1.5 - Transmission

    Perhaps one of the most difficult concepts to grasp in radio is how
radio waves are actually broadcast into the environment. As touched upon
previously, radio waves are transmitted using oscillators in electronic
circuits, and the rate at which the oscillator oscillates is the frequency
at which the radio waves are transmitted.

    As an example, we will focus on using an LC tuned oscillator circuit in
the radio transmitter circuit.  LC oscillators are made up of an inductor
(L), and a capacitor (C).  If we consider how a capacitor stores current,
we can come up with the conclusion that it is stored as an electric field
between two plates -- these two plates make up the capacitor. During one
oscillation (also known as a 'cycle') of the LC tuned circuit, all
available current is stored first in the capacitor as an electric field,
and then as a magnetic field associated with the LC circuit's inductor. 
After a *very* short time period (1/f), the magnetic field is turned back
into an electrical current, and begins to recharge the capacitor again. 
Because the inductor's magnetic field is beginning to change back into
electrical charge, the inductor turns another electrical field into a
magnetic field in order to counter-act the change. This continuous cycle of
quick changes keeps the current in the LC circuit flowing in the same
direction, driven by the current stored in the inductor. When the
inductor's charge eventually becomes zero, the capacitor becomes charged
again, but with the opposite polarity. After each oscillation (cycle),
energy loss has occurred, but not all of the energy loss can be accounted
for as energy lost as heat from the inductor's coil. Thus, we can gather
that some energy has been 'leaked' from between the capacitor's plates, as
electromagnetic energy -- radio waves.

    If we consider this, we can conclude that the further apart the plates
in the capacitor are, the more energy is broadcast ('leaked') as radio
waves.  This must mean that if we have a capacitor with plates spaced
1 meter apart, more energy will be broadcast as radio waves than if the
capacitor had plates spaced a very small distance apart. By thinking even
deeper, we can conclude that to maximise 'leakage' of radio energy, a
capacitor is needed in the LC tuned oscillator circuit with plates spaced
at quite a distance apart.  It just so happens that for this task, to
maximise broadcast of radio waves, the world's largest plate can be used
to take the place of one plate of the capacitor -- the Earth!  The other
capacitor plate need only be a suitably long piece of wire, which is
an equally common sight -- this piece of wire is known as an 'aerial'!

    In real-world radio transmitters, oscillator circuits are used to make
a small current 'oscillate' in an aerial wire.  Because of the constant
change of energy form in the oscillator circuit, the current oscillating in
the length of the wire becomes electromagnetic and is radiated as radio energy.

    Back to the length of the aerial in relation to wavelength; this is
where the length calculated earlier comes in handy. From the knowledge
gained here, we can assume an adapted LC oscillator circuit as below.

      Capacitor           Inductor

            |                )
            |                )
           ---               )____________  Aerial
           ---               )
            |                )

    As a concept, using the adapted LC tuned oscillator circuit above, the
transmission of radio waves can be thought of like this; radio waves are
generated due to the propagation of an electric current in an aerial wire.
It is, as we have learnt, the 'leakage' of electromagnetic energy from
between the two plates of the capacitor which causes broadcasting of radio

    As oscillations occur in our LC tuned circuit, all available energy is
stored in the capacitor, followed by the energy (electrical current) not
leaked as electromagnetic waves being fed into the inductor.  This whole
process makes up one oscillation, and once one oscillation is over, the
whole process repeats itself again, each time losing energy as radio waves
from the acting 'capacitor' (aerial and Earth). Therefore, it is the rate
at which the LC circuit oscillates (its 'frequency') that determines the
frequency at which the radio waves are broadcast -- thus determining the
RF of the radio signals.

----[ 1.6 - Receiving

    The concept of receiving radio signals is based upon almost the opposite
of the concepts of transmitting radio waves. In similarity to radio
transmitters, radio receivers also use an aerial, but for a totally
different purpose; for detecting the radio signals in the environment. As
described previously, radio waves are a form of energy, propagated as
electromagnetic waves through the air. Thus, when radio signals transmitted
by nearby radio transmitters pass the aerial of the receiver, a *tiny* RF
alternating current is generated in the aerial wire.  When a signal becomes
present in the aerial wire, 'wanted' radio frequencies are 'selected' from
the assortment of RF currents in the aerial, using a 'tuned circuit'.

    As an example, we'll focus on the LC tuned circuit as in the previous
section, due to the simplicity of this circuit. RF current of the 'wanted'
frequency can be selected from amongst the other RFs by use of an LC tuned
circuit, which is set to resonate at the 'wanted' radio frequency.  This
selection works because the LC tuned circuit presents a low impedance at
any frequency other than its resonant frequency (the frequency of the
'wanted' signals): RF currents at all other frequencies are 'shorted out'
and so prevented from passing further into the receiver.

    Following the selection of the correct radio frequency from the other RF
signals, the radio receiver will usually amplify the signal, ready for
demodulating.  The technique adopted by the receiver for demodulating the
radio signal into the modulating signal is totally dependent on the type
of modulation used in the received radio wave.  In the case of an AM radio
receiver, a selected signal will be 'rectified', and thus demodulated, using
a low-drop germanium diode. This process basically turns the alternating RF
current into a pulsating direct current whose level follows the strength of
the AM signal.  Next, the RF component is generally removed by using a
capacitor. The output product of this process is a recovered modulating
signal which can be fed to a pair of high impedance headphones.  The diagram
below represents how the selected RF current is rectified by the diode.

  ||\\  //\\ ----------------------|>|--------------- ||\\ //\\
  || \\||  \\                                         || \\||  \\

AM Modulated Carrier  diode                     Modulating signal
                                              (RF carrier present)

    After being rectified by the diode, the AM radio signal is still not
suitable to be fed to an audio output, as the RF carrier is still present.
The RF carrier can be removed by using a single capacitor.

                                    | |
||\\  //\\  ------------------------| |---------------------  /\  /\
|| \\||  \\                         | |                      /  \/  \

Modulating signal                  capacitor          Modulating signal
                                                    (RF carrier removed)

    The output of the capacitor is a recovered modulating audio waveform
which is suitable for passing to an audio output device, such as a set
of headphones with a high impedance.

    This technique is likely to be the simplest way to create an AM radio
receiver, commonly known as the 'crystal set', used by the masses in the
1920s.  Other receivers are more often used to produce a higher quality of
audio output, such as TRFs (Tuned Radio Receivers) and Superheterodyne

    The whole system model of a radio receiver at its most basic level can
be thought of as the diagram below.

              Modulated Radio Signal
 (electric current generated in aerial wire by radio wave)
                        |
                        v
                 Signal amplified
                        |
                        v
                Signal demodulated
                        |
                        v
                 Modulating signal

    Although the techniques and components needed to achieve each step of
the diagram are different, most receivers stick to this sort of system.
Other types of receivers and their circuits are discussed more in depth in
the section they are related to.

--[ 2 - AM Radio

----[ 2.1 - What is AM Radio?

    AM Radio refers to any form of technology which makes use of Amplitude
Modulation to modulate the 'carrier' with information. To package a radio
wave with often complex signals, the carrier of a radio wave is shifted in
power very slightly in sympathy with a modulating audio or data signal.
Next to Morse code, AM is one of the simplest forms of modulation, and with
this come its disadvantages.

----[ 2.2 - Modulation

     AM Modulation involves nothing more than shifting the power of a radio
wave's carrier by tiny amounts, in sympathy with a modulating signal.
Amplitude, as you probably already knew, is just another word for 'power'.

     The simplicity of AM modulation can be demonstrated with a simple
diagram like the one below.

||\\    ///\    //\\
|| \\  //  \\  //  \\  --->  \  /\  /  --->     \\    \\
||  \\\/    \\\/    \\        \/  \/            \\ ///\\
                                                \\// \\
     RF Carrier            Modulating signal        AM signal

     As you can hopefully make out from the diagrams, whenever the
modulating signal (the signal with which we are modulating) increases in
voltage, the amplitude (power) of the RF carrier is increased in sympathy
with the modulating signal.  When the voltage of the modulating signal
declines, the opposite happens.  After AM modulating the carrier, the
signal usually has twice the 'bandwidth' of the original modulating
signal.

----[ 2.3 - Demodulation

    When an AM designed radio receives a radio wave, as previously noted,
a small RF alternating current is generated in the aerial wire.  Because of
the AM modulation of the carrier applied by the sending transmitter, the
positive and negative halves of the carrier vary in equal and opposite
amounts.  As a result, to recover the modulating signal, either the
positive or the negative part of the modulated signal must be removed. In
the simplest AM radio receivers, the modulated signal can be 'rectified'
by making use of a single germanium low-drop diode.

 \\  /// //    ---------------------|>|----------------- \\  ///  //
  \\// \\/                                                \\// \\//
AM radio signal                  diode         Modulating signal

    Here, part of the carrier has been removed, resulting in recovery, or
'rectification' of the modulating signal.

    Because the carrier frequency (the RF of the radio wave) is usually
significantly greater than the modulating frequency, the RF carrier can be
removed from the resultant modulating signal, using a simple capacitor.

\\        //                   |  | 
\\  ///  //    ----------------|  |----------------  \  /\  /
 \\// \\//                     |  |                   \/  \/

Modulating signal           capacitor             Modulating signal
(with RF carrier)                                (without RF carrier)

    By exposing the rectified signal to a capacitor, the audio signal (or
otherwise data signal) is smoothed, producing a higher quality of audible
output.  At this point, the modulating signal is more or less recovered.

    Although this technique of AM demodulation can be made to work to a
satisfactory level, the vast majority of commercial radio receivers now
adopt a design known as 'superhet', which I will explain briefly here.

    Superhet receivers are based upon the principle of 'mixing' two signals
to produce an intermediate frequency. The diagram below illustrates a
superhet receiver's operation.

Carrier in ---> Tuned circuit  ---> Mixer ---> IF amplifier ---> Detector
              (selects correct RF)    |                           |
                                      |                           |
                                      |                           |
                               Local oscillator               Audio Amp
                                                                |  |

    As we can see, superhet demodulation is significantly more complex than
'rectification'.  Superhet receiver systems, like the above system diagram,
work basically as follows.  First, an RF alternating current becomes present
in the circuit because of the electromagnetic activity around the aerial.
Signals of the correct radio frequency are selected via a tuned circuit and
fed into one input of the 'mixer'.  In the meantime, the other input of the
mixer is driven by the 'local oscillator', which is designed to oscillate at
a frequency just lower than the incoming radio frequency. The output of the
mixer is known as the 'Intermediate Frequency' (IF), which is the difference
between the local oscillator frequency and the frequency of the received AM
radio signal. Next, the IF is amplified and passed to an 'envelope detector'.
The output of the envelope detector is the modulating audio signal (an AF --
Audio Frequency), which is in turn amplified and output to the user via a
loudspeaker or other audio output device.

    Since the local oscillator is almost always set to oscillate at a
frequency of approximately 465KHz *below* the frequency of the carrier
input, the output of the mixer will always be a 'carrier' of 465KHz --
which still carries the modulated information.  After the signal is
amplified by the IF amplifier(s) (there can be more than one IF amplifier),
the signal is now demodulated by the detector -- which is often just a
single diode.  As mentioned above, the modulating signal recovered by the
system can be fed to an amplifier, followed by an audio output device.

    As well as producing a higher quality of audio signal, superhet
receivers also eliminate the need to be able to tune multiple tuned
circuits in a TRF (Tuned Radio Receiver).  TRF designs become awkward
when it comes to tuning them into different radio frequencies because
of the many tuned circuits needed -- superhets overcome this problem
as they always 'know' what the collector load will be -- a 465KHz signal.
Superhet designs can also be adapted to work with FM radio signals, assuming
the 'detector' is changed to one suitable for FM signals (i.e. a phase
detector).
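
    As an added, constructed illustration (this Python is not from the
article; the 1 MHz carrier, 1 kHz tone, 8 MHz sample rate, 50% modulation
depth and the 700 kHz four-stage IF filter are assumed values), the following
simulates both receivers described in sections 2.2 and 2.3: a carrier is AM
modulated, detected directly with the diode-plus-capacitor method, and
separately mixed with a local oscillator sitting 465KHz below the carrier,
filtered at the IF and then detected the same way.  It also checks the
sideband claim from section 2.2 by measuring the spectrum at the carrier
frequency plus and minus the audio frequency.

```python
import math

# Constructed scenario (assumed values for this example, not taken from the
# article): a 1 MHz medium-wave carrier carrying a 1 kHz tone, sampled at
# 8 MHz for 4 ms.  Every frequency used is a whole number of cycles in this
# window, so single-bin DFT measurements below come out clean.
FS = 8_000_000           # sample rate, Hz
N = 32_000               # number of samples (4 ms)
F_CARRIER = 1_000_000    # RF carrier, Hz
F_MESSAGE = 1_000        # modulating audio tone, Hz
F_IF = 465_000           # intermediate frequency, Hz
F_LO = F_CARRIER - F_IF  # local oscillator sits 465 kHz *below* the carrier

def tone(freq, n=N, fs=FS):
    """Unit-amplitude sine wave: the modulating (audio) signal."""
    return [math.sin(2 * math.pi * freq * i / fs) for i in range(n)]

def am_modulate(message, fc=F_CARRIER, fs=FS, depth=0.5):
    """AM: the carrier's amplitude follows 1 + depth*m(t).  depth < 1 keeps the
    envelope positive, which a simple diode detector relies on."""
    return [(1.0 + depth * m) * math.cos(2 * math.pi * fc * i / fs)
            for i, m in enumerate(message)]

def lowpass(signal, cutoff, fs=FS, stages=1):
    """First-order RC low-pass (the 'smoothing capacitor').  Cascading a few
    stages steepens the roll-off; that form serves as a crude IF filter below."""
    rc = 1.0 / (2 * math.pi * cutoff)
    dt = 1.0 / fs
    alpha = dt / (rc + dt)
    out = signal
    for _ in range(stages):
        y, filtered = 0.0, []
        for x in out:
            y += alpha * (x - y)
            filtered.append(y)
        out = filtered
    return out

def envelope_detect(signal, audio_cutoff=5_000, fs=FS):
    """Crystal-set detector: the diode passes one polarity only (half-wave
    rectification) and a capacitor then smooths away the RF.  The result is
    the modulating signal riding on a DC offset."""
    rectified = [x if x > 0.0 else 0.0 for x in signal]
    return lowpass(rectified, audio_cutoff, fs)

def mix(signal, f_lo=F_LO, fs=FS):
    """Superhet mixer: multiply by the local oscillator.  The product contains
    the sum (f_rf + f_lo) and difference (f_rf - f_lo = IF) frequencies."""
    return [2.0 * x * math.cos(2 * math.pi * f_lo * i / fs)
            for i, x in enumerate(signal)]

def spectral_magnitude(signal, freq, fs=FS):
    """|DFT| of the signal at one frequency (a single Goertzel-style bin)."""
    re = im = 0.0
    for i, x in enumerate(signal):
        angle = 2 * math.pi * freq * i / fs
        re += x * math.cos(angle)
        im -= x * math.sin(angle)
    return math.hypot(re, im)

def correlation(a, b, skip=8_000):
    """Normalised correlation after discarding the filter start-up transient
    and removing DC; 1.0 means the recovered audio matches the original tone."""
    a, b = a[skip:], b[skip:]
    mean_a, mean_b = sum(a) / len(a), sum(b) / len(b)
    a = [x - mean_a for x in a]
    b = [x - mean_b for x in b]
    dot = sum(x * y for x, y in zip(a, b))
    return dot / math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))

def superhet(am_signal):
    """Mix down to the 465 kHz IF, keep the difference frequency with a
    low-pass IF filter (assumed: 700 kHz cutoff, four stages), then detect the
    envelope exactly as the crystal set does.  Returns (IF signal, audio)."""
    if_signal = lowpass(mix(am_signal), 700_000, stages=4)
    return if_signal, envelope_detect(if_signal)

if __name__ == "__main__":
    message = tone(F_MESSAGE)
    am = am_modulate(message)
    if_signal, audio = superhet(am)
    print("carrier vs. one sideband:", round(spectral_magnitude(am, F_CARRIER)),
          round(spectral_magnitude(am, F_CARRIER + F_MESSAGE)))
    print("IF vs. sum frequency after IF filter:", round(spectral_magnitude(if_signal, F_IF)),
          round(spectral_magnitude(if_signal, F_CARRIER + F_LO)))
    print("crystal set audio match:", round(correlation(envelope_detect(am), message), 3))
    print("superhet audio match:", round(correlation(audio, message), 3))
```

With a 50% modulation depth each sideband measures a quarter of the carrier,
and both detection paths recover the 1 kHz tone with a correlation close to
1.0 (a little below it because of the smoothing capacitor's phase lag).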

----[ 2.4 - Circuits

    Since radio technology is a frequently discussed topic across the
Internet, many radio circuit design implementations are readily available,
ranging from very simple circuits, to quite complex ones. Here I present
some radio related circuits which most people with a bit of electronics
knowledge and the right components can build.

------[ 2.4.1 - Receivers

    Discussed above was the historic 'crystal set' radio receiver, which
allows anyone with a long enough aerial wire and a few components to
listen to AM radio bands.  Below is the basic crystal set radio
receiver circuit, which is very easy to construct.

    Aerial Wire             D1 *
        |            Q1
        |               ____|>|__________________
        |_____________|/             |          |
        |             |\             |          |
 _______|_____          |            |          |
(             |         |            |          |
( L1         --- C1 *   |        C2 ---         0  high impedance
(            ---        |           ---         0  headphones
(             |         |            |          |
(_____________|         |            |          |
        |               |            |          |
        |               | (not joined)

- C1 should be a variable capacitor to allow the receiver to be tuned to
  other frequencies.

- D1 should be a low-drop germanium diode -- non-germanium diodes
  won't work.

    From previous discussion, we can figure out that the above 'crystal
set' AM radio receiver works as follows; incoming radio waves generate a
tiny alternating current in the aerial wire, from which 'wanted' radio
frequencies are selected, by the tuned LC circuit. Selected current passes
through a diode, which 'rectifies' the signals, thus demodulating them.
Before the diode, there is a simple transistor, which amplifies the
'wanted' frequency. The only reason for this is to make the quality of
sound slightly better. Any remaining RF components are removed using a
single capacitor -- this consequently has the effect of smoothing out the
signal. The product audio signal is passed to a set of headphones -- these
*must* be high-impedance, or nothing audible sounds on the headphones.

    As was noted earlier, this type of receiver was used frequently in the
1920s, and gave even newbie electronics enthusiasts of that time the
opportunity to build something that would be considered very useful at that
time.  To make decent use of the 'crystal set' circuit, around 60-70 turns
of wire around a rod of ferrous metal would create a good aerial.

    Designs like the above are never used in commercial radio receivers
anymore.  Excluding superhet receivers, TRFs are occasionally used to
produce low quality radio receivers. Below is a simple TRF receiver schematic.



           |              C5*   C6   +9V
           |        ________________________________________
           |        |     |    |       )                    |
           |        |    ---  ---      )  LC2              |-|
           |        |    ---  ---      )                 __| |
           |        |     |____|_______)                 | |_|
           |        |        |                           |  |   C8
          ---  C1   |        |            D1     C7      |  |___| |____0
          ---      _|_     Q1_____________|>|________| |_|_|/   | |    0
  LC1      |    R1 | |      /                  |     | |   |\ Q2
  _________|__     |_|  __|/                   |            |  High impedance
  |           )     |  |  |\_____              |            |  headphones
  |           )     |  |        |              |            |
  |           )     |  |        |              |            |
 ---  C2 *    )___| |__|_       |              |            |
 ---          )   | |    |      |              |            |
  |           )   C3     |      |              |            |
  |___________)          |      |    C4        |            |
                         |      |_____         |            |
                         |      |    |     R4  |-|      R6 |-|
                    R2  |-| R3 |-|  ---        | |         | |
                        | |    | |  ---        |_|         |_|
                        |_|    |_|   |          |           |
                     ____|______|____|_________ |___________|


- C2 should be a variable capacitor
- C5 and C6 should be variable capacitors
- Resistors of sensible values should suffice
- Capacitors of sensible values should suffice

     As in the 'crystal set' receiver, when a radio signal is 'picked up'
by the aerial, the wanted frequency is selected using the tuned LC circuit
(LC1).  The signal is passed to a transistor amplifier (Q1).  However,
this time, the transistor amplifier has a 'tuned collector load', because
of the second tuned LC circuit (LC2) at the collector leg of the
transistor.  Next, the amplified signal is rectified by D1, the remaining
RF is filtered off by C4 (diode and capacitor again forming an envelope
detector), and the recovered audio is coupled through C7 to a second
transistor (Q2), an audio amplifier, which drives the high impedance
headphones.  The tuned collector load makes the receiver more selective:
Q1 only gives significant gain to signals at LC2's resonant frequency, so
LC1 and LC2 together reject neighbouring stations far better than a single
tuned circuit can.  As expected, this gives a cleaner, stronger audio
signal in the user's headphones, making this a much better radio receiver.
Note that LC1 and LC2 have to be tuned to the same frequency -- that is why
C2, C5 and C6 are all variable -- and keeping several tuned stages aligned
while tuning across the band is the main practical weakness of the TRF.

     A few things can be done to improve the above receiver, such as adding
yet more tuned amplifier stages, and adding decoupling resistors and
capacitors in the supply rails so that the high-gain stages do not break
into oscillation.

------[ 2.4.2 - Transmitters

    All that we really need to do when designing a simple radio transmitter
is keep in mind that we require an oscillator -- either LC tuned or crystal
controlled -- to generate the carrier, a way of modulating it, and one or
more amplifier stages which boost the signal.  After these stages, all that
is left is to couple the amplified RF current into the aerial wire, from
which it radiates.

Below is a simple radio transmitter schematic.

 |                        |                 |       |         |      |
 |                        |                 |       |         |      |
 |                     L1 )                 |       |         |   L3 |
 |                        )          R3    |-|   C3 |         |__    )
|-|  R1   Crystal         )                | |     ---        |  |   )
| |_________|_____________)                |_|     ---        |  | C5)
|_|        |||            |                 |       |         | ---  )
 |                        |_______| |_______|_AM ___|_______|/  ---  |
 |                       /        | |         Modulator     |\___|___|
 |__________| |________|/         C2                      Q2    |    |
 |          | |        |\   Q1                          (PNP)   |    )
 |          C1           |                                     ---   )
 |                      |-|                                 C4 ---   )
 M                      | |  R4                                 | L2 )
 |                      |_|                                     |    |
 |                       |                                      |    |
 |                       |                                      |    |

- Q2 is a PNP transistor
- M is a microphone

    This circuit works by oscillating at the frequency set by the crystal
(27MHz -- the band used for model control and CB in the UK -- would be the
usual choice), amplifying the signal with tuned collector loads at the
transistors (L1 at Q1, and L2/L3 with C4/C5 at Q2), and then radiating the
signal as radio waves by feeding the RF current into the aerial wire.
Amplitude modulation is applied by varying the gain of the transistor
driver in sympathy with the output of the microphone.  The above circuit
is quite inefficient, and is likely to produce a low quality signal, but
it can be used as a starting point for building a simple AM radio
transmitter.  Operating it on any frequency that requires a licence is
illegal without one; where unlicensed operation is permitted at all, some
countries *require* the circuit to be crystal controlled on a designated
'model radio' frequency, at very low power.  One improvement to be made on
the schematic is to amplify the output of the microphone before feeding it
to the transistor.

    A better way of applying the AM modulation is to amplify the
microphone's output first, with an audio amplifier built from discrete
transistors or an op-amp, and then use that amplified audio to control the
power delivered to the RF output stage -- for example by placing the audio
amplifier's output in series with the collector supply of the final RF
transistor.  The RF amplifier's output amplitude then rises and falls in
sympathy with the audio, which is exactly amplitude modulation of the
carrier: the power of the transmitted signal has been altered according
to the audio signal at the microphone.  This 'collector modulation'
scheme gives a far cleaner and deeper modulation than wobbling the bias
of a single transistor, because carrier generation and modulation are
done in separate stages.

--[ 3 - FM Radio

----[ 3.1 - What is FM radio?

    FM radio just means any form of technology which makes use of radio
with FM modulated signals. To modulate a radio wave's carrier with
information, FM transmitters shift the frequency of the carrier very
slightly, to be in sympathy with a modulating signal.

----[ 3.2 - Modulation

    FM modulation consists of little more than shifting a radio wave's
carrier frequency very slightly in sympathy with a modulating signal's

Modulation of an example audio signal is shown in the figures below.

||\\    ///\    //\\
|| \\  //  \\  //  \\  --->  \  /\  /  --->       ||\\  /\\  //
||  \\\/    \\\/    \\        \/  \/              ||\\ //\\ //
                                                  ||\\// \\//
     RF Carrier            Modulating signal        FM signal

    The diagrams show that when the instantaneous amplitude of the
modulating signal rises, the carrier frequency rises with it, and when the
modulating signal's amplitude falls, so does the carrier frequency.  It is
the *amplitude* of the modulating signal that sets the carrier's frequency
at each instant; the *frequency* of the modulating signal only sets how
fast the carrier frequency swings back and forth.  This is shown in the FM
signal diagram by the cycles being bunched closely together around the
positive peaks of the modulating signal (higher frequency) and spaced
widely apart around its troughs (lower frequency).  The amplitude of the
FM signal itself never changes, which is why FM is so much less affected
by noise and fading than AM.

----[ 3.3 - Demodulation

    When an FM modulated carrier signal is detected by the receiver's
aerial wire, in order to recover the modulating signal, the FM modulation
must be reversed.

    Most modern FM radio receivers use a circuit called the 'phase-locked
loop', which is able to recover FM modulated radio signals by use of a VCO
(Voltage Controlled Oscillator), and a 'phase detector'. Below is the
system diagram of a PLL suitable for use in FM radio receivers.

    FM signal in -------------> Phase  ---------------
                                Detector             |
                                  |                  |
                                  |                  |
                                  |                  |
                                  |                  |
                                 VCO                 | 
                                            Modulating signal

    The above PLL recovers the modulating signal by feeding the phase
detector with two inputs: the modulated carrier, and the output of a VCO
which free-runs at the frequency of the unmodulated RF carrier.  The phase
detector 'compares' the two and outputs a small voltage proportional to
the difference between their phases.  This voltage, the 'phase error', is
fed back to the VCO as its control voltage, and the VCO shifts its own
frequency in the direction that reduces the error: when the incoming
carrier is shifted upwards by the modulation, the control voltage rises to
pull the VCO upwards with it, and vice versa.  Once the loop is 'locked',
the VCO tracks the carrier's frequency exactly, so the control voltage is
at every instant proportional to how far the transmitter shifted the
carrier -- that is, it *is* the modulating signal, and it is taken as the
output of the PLL.  Acting upon the feedback received, the frequency of
oscillation is altered accordingly, and the process is repeated as
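    The two detectors described so far -- the diode-and-capacitor envelope
detector of the crystal set in section 2.4.1 and the PLL above -- can be
checked numerically.  The Python model below is an added example, not code
from the article: the sample rate, carrier, audio tone, deviation and loop
gains are all assumed values chosen to keep the simulation small (the
carrier is 20kHz, far below any real band), and the PLL gains follow the
textbook second-order loop design (natural frequency and damping) rather
than any particular circuit.  It generates the AM and FM signals in the
same way as the transmitters of sections 2.4.2 and 3.4.1, then recovers
the audio with each detector and compares it with the original.

```python
"""Numeric model of an AM envelope detector and an FM phase-locked loop.
Added example, not from the original article.  Pure Python, no packages.
Every rate, frequency and gain here is an assumed value for the simulation."""
import math

FS = 400_000.0      # sample rate, Hz (assumed)
FC = 20_000.0       # carrier, Hz (assumed; 20 samples per cycle)
F_AUDIO = 500.0     # modulating tone, Hz (assumed)


class OnePole:
    """Single RC low-pass section: the 'RF smoothing capacitor' of the text."""
    def __init__(self, cutoff_hz, fs=FS):
        w = 2 * math.pi * cutoff_hz / fs
        self.alpha = w / (1.0 + w)
        self.y = 0.0

    def step(self, x):
        self.y += self.alpha * (x - self.y)
        return self.y


def lowpass(samples, cutoff_hz, stages=1, fs=FS):
    out = list(samples)
    for _ in range(stages):
        f = OnePole(cutoff_hz, fs)
        out = [f.step(v) for v in out]
    return out


def audio(n, f=F_AUDIO, fs=FS):
    return [math.sin(2 * math.pi * f * i / fs) for i in range(n)]


def am_modulate(a, m=0.5, fc=FC, fs=FS):
    """s(t) = (1 + m*a(t)) cos(2*pi*fc*t): the carrier amplitude follows the audio."""
    return [(1.0 + m * v) * math.cos(2 * math.pi * fc * i / fs) for i, v in enumerate(a)]


def envelope_detect(s, fs=FS):
    """Crystal set: diode = half-wave rectifier, capacitor = low-pass.
    Two RC sections are used so the residual carrier ripple is small."""
    rectified = [v if v > 0.0 else 0.0 for v in s]
    return lowpass(rectified, 4000.0, stages=2, fs=fs)


def fm_modulate(a, deviation_hz=1000.0, fc=FC, fs=FS):
    """Instantaneous frequency fc + deviation*a(t); the phase is its running sum."""
    phase, out = 0.0, []
    for v in a:
        phase += 2 * math.pi * (fc + deviation_hz * v) / fs
        out.append(math.cos(phase))
    return out


def pll_demodulate(s, fc=FC, fs=FS, loop_bw_hz=1500.0, zeta=1.0):
    """Phase detector (multiplier + RC), loop filter (PI), VCO.  The VCO control
    signal, i.e. how far the VCO had to move to stay locked, is the audio."""
    kd = 0.5                                   # multiplier phase-detector gain
    wn = 2 * math.pi * loop_bw_hz / fs         # natural frequency, rad/sample
    ki = wn * wn / kd                          # integral gain
    kp = 2 * zeta * wn / kd                    # proportional gain
    pd_filter = OnePole(5000.0, fs)            # removes the 2*fc product
    vco_phase, vco_step = 0.0, 2 * math.pi * fc / fs
    freq_offset, out = 0.0, []
    for v in s:
        err = pd_filter.step(v * -math.sin(vco_phase))   # ~ kd*sin(phase error)
        freq_offset += ki * err                          # loop-filter integrator
        control = freq_offset + kp * err                 # VCO control, rad/sample
        vco_phase = (vco_phase + vco_step + control) % (2 * math.pi)
        out.append(control * fs / (2 * math.pi))         # rad/sample -> Hz
    return lowpass(out, 5000.0, fs=fs)                   # audio low-pass


def correlation(x, y):
    """Pearson correlation; ~1 means the recovered waveform matches the audio."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def run(n=16000, settle=4000):
    """Modulate a tone both ways, demodulate, and compare with the original.
    The first `settle` samples are skipped so filter and loop transients
    do not enter the comparison."""
    a = audio(n)
    am_out = envelope_detect(am_modulate(a))
    fm_out = pll_demodulate(fm_modulate(a))
    return {
        "am_corr": correlation(a[settle:], am_out[settle:]),
        "fm_corr": correlation(a[settle:], fm_out[settle:]),
        "fm_peak_hz": max(abs(v) for v in fm_out[settle:]),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v:.3f}")
```

    Running it prints the correlation between the original tone and each
recovered waveform (close to 1 means the detector reproduced the audio)
and the peak frequency swing the PLL reported, which lands close to the
1000Hz deviation that was applied.  Lowering `loop_bw_hz` towards the
audio frequency makes the loop lag further behind the modulation and the
FM correlation drops; that is the trade-off the loop filter sets between
how fast the VCO can follow the carrier and how much noise it lets in.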

    In the past, less efficient and reliable circuits were used to
demodulate FM radio signals, such as the 'ratio detector'.  Although the
'ratio detector' is less sophisticated than the PLL in principle, a
working ratio detector needs a carefully aligned tuned transformer, so in
practice it is harder to build than a PLL.

    It should be noted that superhet receivers, touched upon a little
earlier, can also be used as FM radio receivers, but their 'detectors' are
different from those of an AM superhet -- for example, a PLL circuit or
ratio detector as discussed here, operating at the intermediate frequency,
could be used in conjunction with a superhet front end to make an FM radio.
This is the method which is actually adopted by most commercial radio
receiver manufacturers.

----[ 3.4 - Circuits

------[ 3.4.1 - Transmitters

    The same general principles apply to FM radio transmitters as they do
to AM radio transmitters, except that the information must be modulated in
a different way.  In AM radio transmitters, the carrier frequency is more
or less always constant, and only its amplitude is varied.  However, in FM
transmitters, the whole principle is to alter the carrier frequency by
small amounts.  This means that an oscillator that is simply fixed to one
frequency, by a crystal or a fixed LC circuit, is not enough by itself:
something in the oscillator must be made to vary with the audio, so that
the carrier frequency follows it rather than sitting at one static
frequency.  The method used to overcome this problem is discussed a little
later.  A simple FM transmitter schematic diagram is presented below.

  |                               |                 |    |      |      |
  |                               |                 |    |      |      )
  |                               )                |-|  --- C3  |      )
  |  R1                      L1   )             R3 | |  ---     |_ C4  )
 |-|                              )                |_|   |      | |    )
 | |                              )                 |    |      | ---  |
 |_|               |   Crystal    |         C2      |    |      | ---  | L2
  |_______________|||_____________|___________| |___|____|____|/   |   |
  |                              /            | |             |\___|___| 
  |____________| |_____________|/                                      |
  |            | |             |\  Q1                         Q2       |
  |                              |                                     |
  |            C1                |                                     |
  M                             |-|                                    |
  |                             | | R2                                 |
  |                             |_|                                    |
  |                              |                                     |

    When audio signals are produced by the microphone, the audio-frequency
current is coupled through C1 to the base of the oscillator transistor Q1,
where it shifts the transistor's bias.  The small changes in the
transistor's internal capacitance that result pull the oscillation
frequency slightly up and down in sympathy with the audio, which is a
crude but workable form of FM, so no separate modulator stage, IC or other
technology is needed -- and an electret microphone's built-in preamplifier
supplies enough audio to do it.  In situations where the oscillator cannot
be modulated this way, or where cleaner modulation is wanted, a varactor
diode can be used to vary the capacitance in the oscillator circuit,
depending on the amplitude of the modulating signal.  This varies the
oscillation frequency of the oscillator circuit, thus producing FM
modulation.

--[ 4 - Misc

----[ 4.1 - Pirate Radio

    Pirate Radio stations are simply radio stations run by individuals
who are not licensed broadcasters or amateur radio operators.  Although
the radio spectrum is a natural resource, it has for a long time been
illegal in most countries to transmit on most frequencies without a
licence.  Although transmitting on a few frequencies (around 27MHz, for
example) is legal without a licence in places like the UK, the regulator's
strict power limits kick in, making the allowance almost useless for
broadcasting.  Because of this limitation, radio enthusiasts all around
the globe see fit to set up pirate radio stations, which they use for
their enjoyment, playing their favourite music tracks to the 'public',
and as a breeding ground for aspiring DJs.  Some 'pirate radio' stations
keep within the regulator's terms by transmitting at very low power.
These types of stations are often referred to as 'free radio', or
'micropower stations'.

    The legality of pirate radio stations varies from country to country.
In some European countries, you can be arrested for just owning an
unregistered transmitter.  In Ireland, prosecution rarely takes place if
licensed radio stations are not affected, but it is still illegal.  The US
allows unlicensed transmission (under the FCC's Part 15 rules) only at
*microscopic* power, making the allowance almost useless for unlicensed
radio enthusiasts, thus causing them to resort to pirate

    Contrary to popular belief, setting up a pirate radio station is not
necessarily a difficult task.  At the minimum, someone wanting to
setup a pirate radio station would need the following pieces of

- Stereos, CD Players, Microphones, etc.
- Audio Amp
- Audio Mixer
- Transmitter
- Aerial

    Stations using only the above equipment can sometimes sound quite
crude, and might interfere with other, legal radio stations: a sudden loud
peak over-modulates the transmitter and 'splatters' energy into the
neighbouring channels.  To avoid this, a 'compressor' (or limiter) is
placed between the mixer and the transmitter; it holds the audio level
within a fixed range, so that sudden loud noises cannot drive the
modulation past its limit.

    None of the example transmitters in this article is really sufficient
to put music over the air, but they can be used as a starting point for
building your own, more efficient kit.  Additionally, FM and AM radio
transmitter kits can be purchased, which anyone with a soldering iron can
build.

    The length of the aerial is set by the wavelength of the chosen
frequency (see section 1.4: a quarter-wave or half-wave element is the
usual target), while its height above ground, together with the
transmitter power, sets how far the signals carry.  For example, a quick
and dirty aerial for an AM pirate radio station could be a vertical wire
around 15-20 feet tall; since that is a small fraction of a wavelength on
the medium wave band, it needs a loading coil or aerial tuner to be
matched to the transmitter.

    To avoid being busted, it is probably a good idea to stay within the
legal power limits.  Otherwise, a Direction Finding device used by the
authorities could easily track down the exact location of the

----[ 4.2 -  Wireless Telephone Tapping

    'Beige boxing' has long been the easiest and most exploited way to tap
telephones, listen in on neighbours' conversations, and use enemies' phone
lines to make long distance calls to your friend in Australia.  However,
since beige boxing requires the phreak to lurk around the line like a
ninja, a safer method can be used, which doesn't require you to stay
physically close to the target phone line.

    As expected, audio signals on a target phone line can be transmitted as 
radio signals at an arbitrary frequency, and be received by any phreak with 
an FM radio receiver.  Although this concept is not new, it serves as an 
interesting and useful project for radio newbies to try out.  Below is a 
simple FM phone bug transmitter circuit.

                  |                    |                                    |
                  |                    |                                    |
IN (green) ___.___|_______            |-|                                   |
              |   |       |           | |                                   |
              |  /\  LED  |           |_|                                   |
              |  ---     | |           |___| |      op-amp                  | 
              |   |   C1 | |           |   | |---|\                         |
              |   |       |__________|/      ____| >------- Aerial          |
IN (red) _____|___|                  |\ _____|___|/                         |
              |   |                    |     |   |                          |  
              |   |                    |     |   |                          |
OUT (green) __|   |                    (     |   |                          |
                 /\                    (     |  /\  varactor                |
                 ---                   (     |  ---                         |
                  |                    (     |   |                          |
OUT (red) ________|____________________|_____|___|__________________________|

- inductor should be about 8 turns of wire
- aerial should be about 5 inch long

    The frequency the bug transmits on is set by the inductor and the
capacitance in the oscillator tank; fitting a variable capacitor across
the inductor allows it to be moved to a clear spot in the FM band (a
crystal would instead fix the oscillator to one frequency, and would then
need the varactor for modulation just the same).  The varactor making up
part of the oscillator circuit is intended to alter the frequency of
oscillation, depending on the audio signal taken from the green wire of
the telephone line.  The varactor diode can be thought of as an
electrically variable capacitor -- its capacitance falls as the reverse
voltage across it rises -- which in this case alters its capacitance in
sympathy with the audio on the telephone line, causing the oscillation
frequency to change, and thus frequency modulation.
    The following op-amp provides additional strength to the signal, in an
attempt to avoid a weak, unreliable signal.  For user-friendly purposes,
the LED, which sits in series with one wire of the line pair, illuminates
whenever loop current flows -- that is, whenever the phone is off-hook and
there is a conversation to listen to.

    The above circuit can be modified to be made more efficient, and a
longer aerial is an obvious way of extending the range of transmission.
If a phreak were to construct and use a device like this, all they would
need is an FM radio tuned to the correct frequency.  There are much better
designs than the minimalistic one above -- if a practical FM telephone bug
is required, many plans are
----[ 4.3 - Jamming

    Technically, all it takes to carry out 'radio jamming' is to transmit
noise, or any other unwanted signal, on the frequency the victim receiver
is tuned to, strongly enough that it swamps the wanted signal at that
receiver -- what matters is the ratio of jammer to wanted signal at the
receiving aerial, not at the jammer.  For example, if a person in the UK
were to transmit RF noise at 30MHz+, police radio communications could
possibly be disrupted.  Although the principles are mostly the same,
there are several different types of jamming.

- modulated jamming
  This consists of mixing different types of modulation, and
  transmitting the results at a desired radio frequency.  This is
  designed to make receiving legimate radio signals hard or next to

- CW (continuous wave)
  CW jamming only involves transmitting a constant, unmodulated carrier
  once tuned onto the RF frequency/band you want to jam.  This again makes
  receiving the desired radio signals particularly hard -- in an AM
  receiver it produces a loud heterodyne whistle, and a strong enough
  carrier will 'capture' an FM receiver's detector entirely.

- Broadband
  Broadband jammers spread Gaussian noise across a whole band of radio
  frequencies, raising the noise floor so that legitimate signals across
  the band cannot be received cleanly.

    A basic radio transmitter is easily modifiable, by adding a noise
generator, to successfully jam arbitrary frequency bands.  Many other
types of radio jammers exist, and their details are readily available
on the World Wide Web.

--[ 5 - Conclusion

    Radio is an extremely useful technology, and the physics behind it is
as old as the universe.  But we are only just beginning to exploit its full
usefulness, even in new and upcoming technology, and probably will be for
the next few hundred years.

    As we've discovered, contrary to popular belief, employing the use of
radio in electronic circuits isn't at all as complicated as one would
think.  Because of this, radio can be both used and exploitfully abused --
only a few basic principles need to be understood to make use of this
wonderful technology.  Although the surface has only been scratched, the
way forward is open.
