The 1090 Megahertz Riddle (second edition)

A Guide to Decoding Mode S and ADS-B Signals
By: Junzi Sun (junzis.com)

Basics of Mode S services

In Chapter [chap:intro], an overview of different Mode S services is given. Most of the services except the extended squitter are interrogations based, which means information is only transmitted upon request. The request, also known as ‘uplink’, is transmitted using 1030 MHz radio frequency. The reply (‘downlink’) signals are all transmitted using the 1090 MHz radio frequency. Hence, all Mode S downlink messages can be intercepted using the same setup as ADS-B.

In the following chapters of this book, we are going to explain the interrogation based Mode S services in four groups, specifically:

  1. All-call reply (DF 11)

  2. ACAS short and long replies (DF 0/16)

  3. Altitude and identity replies (DF 4/5)

  4. Comm-B, with altitude and identity replies (DF 20/21)

    1. Mode S elementary surveillance (ELS)

    2. Mode S enhanced surveillance (EHS)

    3. Meteorological information

In this chapter, we discuss some of the common aspects regarding the decoding of Mode S messages. First of all, the structure of Mode S services is reviewed. Then, Mode S parity and ICAO address recovery are discussed. Finally, some common terminologies related to Comm-B messages are explained.

Mode S message structures

Based on Figure [fig:mode_s_uplink_pulses] from the introduction chapter, we see that there are two types of Mode S messages in terms of message length. Table [tb:mode_s_formats] indicates that among the current 11 different downlink formats, four are short messages consisting of 56 bits. The other seven are long messages with 112 bits. All formats share the same structure of a header consisting of 5 bits of format code and 24 bits parity at the end, as shown in the Figure [fig:modes_msg_structures].

Parity

Mode S uses three types of parity. The first one is what is used for ADS-B in the extended squitter (see Chapter [chap:adsb_parity]). The other two types of parities are Address Parity (AP) and Data Parity (DP).

For any type of Mode S messages, the parity can be calculated as follows:

1) Let \(x^{i}\) represent each bit of the message and \(M(x)\) represent the polynomial corresponding Mode S message, the parity \(P(x)\) can thus be calculated as the CRC remainder:

\[\label{eq:crc} \begin{split} M(x) &= \sum_{i=0}^{87~\mathrm{or}~32} a_i x^i , \quad a_i \in (0, 1)\\ P(x) &= M(x) ~ \% ~ G(x) \end{split}\]

2) For an extended squitter message, \(P(x)\) is directly transmitted as the parity in the last 24 bits of the message. Errors can be detected by performing the same computation process at the receiving side when received parity differs from this newly computed remainder.

However, for other types of Mode S messages, Address Parity (AP) is generated by overlaying the normal CRC remainder with the 24-bit transponder ICAO address. Thus, the final parity included in the message is not \(P(x)\), but a new parity \(P_A(x)\):

\[P_A(x) = P(x) + A(x)\]

where \(A(x)\) is the polynomial representing the ICAO address of the transponder.

3) For some of the Downlink Format 20 and 21 Mode S messages, upon request of the SSR interrogation, another addition with the Comm-B Data Selector (BDS) number is performed . In this case, the Data Parity (DP), is included in the last 24 bits of the Mode S message and transmitted.

When DP is in use, the parity is overlaid with the modified ICAO address, Modified AA (MA). The MA is calculated as the polynomial addition of ICAO address and BDS code (with 16 bits of zeros appended after), for example:

ICAO:         DD33AA      1101 1101 0011 0011 1010 1010

                                      XOR

BDS 4,4       440000      0100 0100 0000 0000 0000 0000
-------------------------------------------------------
Modified AA   9933AA      1001 1001 0011 0011 1010 1010

Denoting the modified address as \(P_\mathrm{MA}(x)\) and the Data Parity as \(P_D(x)\), the calculation of \(P_D(x)\) is:

\[\begin{split} P_D(x) &= P(x) + P_\mathrm{MA}(x) \\ &= P(x) + A(x) + D(x) \end{split}\]

where \(D(x)\) is the polynomial representing the BDS code of the Mode S Comm-B message.

ICAO address recovery

Since the interrogations are not known, information such as the transponder address is not known to third party receivers. The lack of this information makes error detection difficult.

For AP, the message parity field is produced by overlaying the direct parity with the transponder address. Hence, in order to recover the ICAO address, we can simply overlay the received parity (AP) with the parity calculated again from the payload data:

\[A'(x) = P_A(x) + P(x)\]

where \(P_A(x)\) is the last 24-bit (assuming Address Parity) for the received message.

In order to demonstrate how to recover an ICAO address, we use the following example message:

Message:      A0001838CA380031440000F24177
------------------------------------------
Payload:      A0001838CA380031440000
------------------------------------------
Parity (AP):                        F24177

Figure [fig:icao_revover] illustrates the ICAO address recovering process. We first use the Mode S CRC algorithm to compute the remainder (parity) from only the payload data A0001838CA380031440000. The remainder is found to be CE2CA7. Then, by performing the polynomial addition (XOR for bitwise operation) with the actual parity included in the message, the ICAO address can be computed as 3C6DD0.

For the cases of Data Parity, it is still possible to recover the transponder address using a similar process. However, we need to overlay again the previous result with the BDS code, assuming that the BDS code can be identified from the data:

\[A'(x) = P_D(x) + P(x) + D(x)\]

where \(P_D(x)\) is the last 24-bit (assuming Data Parity) for the received message.

It is worth noting that in either case, the resulting \(A'(x)\) is the same as the actual transponder address (\(A(x)\)) only if no error has occurred during the transmission. If the message is corrupted, the obtained address will be different from the actual one.

By combining with ICAO addresses obtained in ADS-B and other information independently decoded from Mode S messages, this process can also be used for detecting Mode S errors as a third party observer. This method is described in .

Try it out Using pyModeS, we can obtain the ICAO address as:

import pyModeS as pms

msg = "A0001838CA380031440000F24177"
pms.icao(msg)

Output:

3C6DD0

Two’s complement coding

Two’s complement coding is used for representing negative numbers in some Mode S messages, for example, heading and vertical rates in BDS 5,0 and BDS 6,0 messages. Every parameter in Mode S using two’s complement coding include a 1-bit sign and n-bit value.

1) If the sign bit is , the result is simply the decimal representation of the value bits.

For example, we have the following representation of a signed parameter:

 sign    value
------------------
  0    111010011

The result is the decimal representation of the last nine value bits, which is 467.

2) If the sign bit is , we first calculate the decimal representation of the value bits (\(x\)) and then calculate the negative value as:

\[x - 2^n\]

For example, if we changed the signed bit in the previous example to , as follows:

 sign    value
------------------
  1    111010011

since the sign bit is and there are 9 value bits, the final value is calculated as: \[467 - 2^9 = -45\]

Site maintained by @junzis. Build with LaTeX, Pandoc, and GitHub