• nigel-if

    From LU9DCE@21:5/101 to BBSRT on Sun Jun 30 13:40:04 2019


    RECEIVER HUNTING USING THE 'I.F.' PRINCIPLE

    By Nigel Ballard
    28 Maxwell Road, Winton, Bournemouth,
    Dorset, BH9 1DL, England.
    5 August 1990

    Firstly, what is an 'I.F.'? Well, incoming signals to any modern radio
    are mixed with a fixed internal signal, which is produced by a circuit
    known as a local oscillator. Your incoming signal mixes with the fixed
    internal signal and produces an Intermediate Frequency, or I.F.

    The I.F. frequency always operates above or below the incoming
    frequency. If the incoming signal occurred at the exact same frequency
    as your receiver's I.F., then your receiver would find this an
    impossible signal to detect. As an example, many cheaper receivers have
    the all important first I.F. at 10.7MHz. If you had a bug operating in
    your room on that exact frequency, then your average receiver would not
    be aware of its existence. This is not a BIRDIE in the classical sense,
    more a non-usable frequency. A normal Birdie is simply a dead channel
    caused by internally generated noise in the RF circuits. This 10.7MHz
    frequency is not blanked by internal noise, but simply dead because it
    falls on the same frequency that the I.F. operates on.

    The I.F. frequency is thus generated, not by adding the two signals
    together, but by taking one from the other. The resultant frequency is
    known as the first I.F. frequency. Dependent on the radio type, and
    where in the spectrum
    you are monitoring, the Local Oscillator may be operating above or below
    the received signal. Although we need to know the frequency of the
    radio's first I.F., it is the Local Oscillator's output we are
    interested in.

    I'M RECEIVING, BUT I'M ALSO TRANSMITTING....SAY WHAT!
    You don't have to have vast experience of TEMPEST and the like, to know
    that any piece of equipment that is turned on and uses crystal
    controlled or ceramically resonated circuits, generates spurious output.
    Put an antenna on to this piece of supposedly dormant equipment, and you
    now have unwanted radiations. In effect, when your radio or scanner is
    switched on and connected to an antenna, you are constantly transmitting
    a signal. Small it may be, but it is there! And if an amateur like me
    can receive them at up to 50 feet, then how far can the pros get!
    'BULLSHIT' you say!

    OKAY DISBELIEVERS
    Let me shoot the breeze in general terms for a while, just to convince
    you that your Bearcat (example) scanner, sat in your bedroom listening
    on one specific frequency, COULD be a dead giveaway to the authorities.

    THE MILITARY
    You don't need to convince the forces of both east and west that this
    principle of detection works, they have been using it and trying to
    defeat it in their own radios for years and years.

    EXAMPLE TIME
    In the UK, all handhelds used by the Police walking the beat are between
    451.00 and 453.00MHz NFM, no ifs or buts, that's the band limits that
    they all operate in (London is excluded from this). Suppose you knew
    that the first I.F. of the latest Motorola radios they used was
    24MHz. Now suppose you came across an officer who just refused to key
    his radio up so that you could scan the 451 to 453 area with your
    scanner. Not daunted by this, you set your scanner to scan 24MHz below
    this band, i.e. 427.00 to 429.00MHz. Getting as close to your target as
    possible with a reasonable scanner using an external antenna tuned to
    this band, you proceed to tune over his L.O. output. If his radio is
    switched on, and he is NOT currently transmitting, as soon as you tune
    over his L.O. your scanner will stop on a weak but constant low tone. If
    your target then transmits the tone will disappear, as the L.O. can only
    be picked up in receive. Make a note of the L.O., say it was 428.500,
    add the original I.F. shift of 24MHz and hey presto you now have the
    EXACT frequency he is sat on. I make it 452.500. It is now a simple case
    of sitting on that spot until he decides to talk.

    STILL UNCONVINCED?
    Well get a friend with a h/held to let you try it out. All you need is
    the radio's first I.F. Remember in a previous article I told you to
    collect all the leaflets on PMR radios you could, well most of the
    catalogues will tell you the first I.F. of each and every radio they
    sell. Pretty sneaky eh!

    BACK TO THE MILITARY
    Why do you think that our lot have a pre-occupation in getting hold of
    the latest radios from their lot? Well firstly there is the overall
    capability of the radio. Then there is the RADIO SIGNATURE: each and
    every type of radio ever produced gives a unique, if slight, radio
    signature, and the right equipment can tell the exact model of radio
    transmitting. Further analysis by computer can even tell a particular
    radio from another radio of the exact same type and model. Very handy if
    the net is encrypted, thus no voice patterns can be analysed. Military
    producers go to great lengths to try and set all radios up as close
    together as possible, thus reducing the possibility of radio
    signaturing.

    The radio analysts then connect a standard combat antenna to the radio
    and see how far away they can detect the L.O.; the better the radio, the
    more it will have been suppressed. And of course, the first I.F. is
    recorded and passed around to the specialist units whose job it is to
    work out where the enemy is listening.

    ANTENNA GAIN
    Just as an antenna increases its TX output and RX input as you increase
    the gain, the same applies to the L.O. output. Take any Russian embassy,
    our boys will not be far away with the most sensitive receivers known to
    man. Not just hunting for their next transmission, that's child's play
    with spectrum analysers and panadaptors. The trick now is to find out
    WHAT they are listening to. Don't be fooled by all those antennas on
    embassy roofs, it's 50% talking and 50% listening to domestic traffic.
    And I don't necessarily mean distant military exercises, they have their
    own FERRET SATS for that, I mean the Senator that's a bit too descriptive
    on his car phone etc etc. And please don't think the Russians are the
    bad boys, no sir, we do it just as much and just as well, if not a
    little better. Western monitoring technology being what it is!

    BACK TO THE BASICS
    The cheaper the radio, the greater the chances that the L.O. emissions
    will be greater. Some domestic scanners put out a horrendous signal that
    can be detected streets away. So in future don't think that just because
    you're not transmitting, that no one can tell who, or on what frequency
    you are monitoring, because they CAN!

    THE DOWN SIDE
    Ever read those dear BOB letters in the back of MT? "Dear Bob, why when
    cellular is on 800MHz does my ****** scanner also pick them up on
    900MHz?" The answer always comes back, "Well Fred, it's the old low I.F.
    giving false images." The rule of thumb is, the higher the first I.F.,
    the greater the chance of your receiver filtering out the false images,
    overloading and general crud found in cheapo scanners.
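
    Added example, not part of Nigel Ballard's article: the frequency plan
    behind the rule of thumb above, worked in Python for checking your own
    receiver. It uses the article's 452.500MHz, 10.7MHz and 24MHz figures;
    the 420-480MHz front-end passband and all function names are
    assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MixPlan:
    injection: str    # "low": L.O. below the tuned signal, "high": above it
    lo_mhz: float     # frequency the receiver's own L.O. radiates on
    image_mhz: float  # second input frequency that lands on the same I.F.

def mix_plans(tuned_mhz, first_if_mhz):
    """Both possible frequency plans for one tuned frequency and first I.F."""
    plans = []
    for injection, sign in (("low", -1), ("high", +1)):
        lo = tuned_mhz + sign * first_if_mhz   # L.O. sits one I.F. away
        image = lo + sign * first_if_mhz       # image sits one I.F. past the L.O.
        plans.append(MixPlan(injection, round(lo, 4), round(image, 4)))
    return plans

def image_rejected(plan, passband_mhz):
    """True if the image falls outside the front-end filter passband."""
    low, high = passband_mhz
    return not (low <= plan.image_mhz <= high)

def survey(tuned_mhz, passband_mhz, candidate_ifs_mhz):
    """Map each first I.F. to {injection: image_rejected} for one receiver."""
    return {
        first_if: {p.injection: image_rejected(p, passband_mhz)
                   for p in mix_plans(tuned_mhz, first_if)}
        for first_if in candidate_ifs_mhz
    }

# Constructed sample: the article's 452.500MHz channel and its two I.F.
# values (10.7MHz and 24MHz); the 420-480MHz passband is an assumption.
TUNED_MHZ = 452.5
PASSBAND_MHZ = (420.0, 480.0)

if __name__ == "__main__":
    results = survey(TUNED_MHZ, PASSBAND_MHZ, [10.7, 24.0])
    for first_if, result in results.items():
        for plan in mix_plans(TUNED_MHZ, first_if):
            verdict = "rejected" if result[plan.injection] else "passes filter"
            print(f"IF {first_if} MHz, {plan.injection}-side: "
                  f"L.O. {plan.lo_mhz} MHz, image {plan.image_mhz} MHz "
                  f"({verdict})")
```

    With the assumed passband, both 10.7MHz images land inside the filter
    while both 24MHz images fall outside it, which is the higher-I.F.
    advantage the rule of thumb describes.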

    Once again that's about it. I could have gone much deeper into this
    subject, but I value my freedom too much. If you have an inquisitive
    nature, then try and think of some other ways this principle could be
    put to good use.

    HAPPY SCANNING

    BEST REGARDS Nigel.

    p.s. To those of you not in the know, TEMPEST is the military term used
    to describe case emissions from both civilian and military equipment
    used in the armed services. Take an ordinary computer, its emissions can
    be picked up blocks away. In steps a TEMPEST specialist. Cases are
    sprayed with nickel and coated in foil. All wires are screened. All
    cables are wrapped around ferrite rings. VDU screens have translucent
    conductive film glued to them. Peripherals, especially printers, get
    similar treatment, including soundproofing. This is because, just like
    the unique signature made by a radio, printers, especially dot matrix
    types, are a real give-away. Finally, the equipment is run through a
    series of stringent TEMPEST approval trials. If it passes then the
    military can buy it, and the specialist company has a license to print
    money.

    Remember, security doesn't come cheap!

    --- Mystic BBS v1.12 A43 (Linux/32)
    * Origin: HAMRADIO telnet lu9dce.dynu.com (21:5/101)