Remotely Stopping Polish Trains

Turns out that it’s easy to broadcast radio commands that force Polish trains to stop:

…the saboteurs appear to have sent simple so-called “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train­—sending a series of three acoustic tones at a 150.100 megahertz frequency­—and trigger their emergency stop function.

“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains’ different technical standards in the European Union that describes the “radio-stop” command used in the Polish system. In fact, Olejnik says that the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”

Even so, this is being described as a cyberattack.

Posted on August 28, 2023 at 7:05 AM50 Comments


Daniel Feenberg August 28, 2023 7:24 AM

In the book and movie “The Railway Children” the children wave a red flag to stop a train and prevent a mass fatality accident. We should be careful not to assume all unencrypted communication is malicious, or that all encrypted communication is benign.


Ted August 28, 2023 7:43 AM

Poland’s planned railway upgrade to GSM cellular radios (that do have encryption and authentication) by 2025 would be a good development.

Great reporting and research by Andy Greenberg and Lukasz Olejnik.

DaveX August 28, 2023 8:08 AM

In the long document, the frequencies are listed under “The PKP Radio System”

“Annex B” has all the radio signaling systems.

I suppose that terrorist could copy the Railway Children and wave a red flag and it could be reported as a social engineering signals attack.

Peter A August 28, 2023 11:20 AM

It is known for years. It has been abused quite a few times in the past. In many cases, “pranksters” have been found and prosecuted. It only got attention this time because of the Russo-Ukrainian war nearby and additionally playing a Russian anthem over the radio. Many past cases did not make international news.

Having said that, the system lays open to abuse as it is. The abuse in all cases so far was localized. However anyone can imagine performing a massive abuse, relatively cheaply, in a semi-random fashion, over wide area or over different subareas of the Polish territory, with nearly no chance of catching the perpetrator(s).

Having said that, such a hypothetical massive abuse will only cause early dropping of the outdated system by disabling the automatic emergency braking triggers and ignoring of the signal by the mechanics (older locomotives do not have automatic triggers for the signal, the mechanic just hears it and applies brakes). The traffic control systems and signals are independent, this signal is used only as an emergency in an unforeseen situation, and is truly an analogue of waving a red flag or throwing yourself on the tracks, but a little more scalable.

A similar “prank” or sabotage would be just transmitting anything on the FM frequencies the railways use to relay commands or mimicking a dispatcher.

Mexaly August 28, 2023 11:44 AM

Contemplate the various ways a cash-low actor can disrupt transportation and whatever.

Stopping a train is kind of a low-level offense these days.

Clive Robinson August 28, 2023 11:52 AM

@ ALL,

It’s not just Poland, in some way or another it applied across most of Europe.

But it realy only takes a wire, look up more recent protests and back in the 1960’s in Britain “Great Train Robbery” where one of those involved used a battery and a couple of wires to cause a false “track occupied” thus stop signal.

To reduce this issue it was hoped that radio would make it difficult and for over half a century it worked. However modern electronics from China are increadibly cheap noe and “Software Defind Radio”(SDR) systems that can transmit easy to get for not a lot of money.

However you can go do it for even less, by going out and buying a Boufang UV5R for as little as $25…

Along witha Arduino Nano for three to six dollars that will easily generate the tones (look up how a “Direct Digital Synthesizer”(DDS) works it only takes,

1, A Sinewave lookup table.
2, A hardware interuput counter.
3, Four output pins and resistors.

Personally I prefere to use two squarewaves at fixed frequencies mix then together in the software equivalent of a D-Type latch and low pass the resulting pulse train, it’s clraner and quicker.

Or just put a tone generator app on your mobile phone and play the toend into the UV 5R microphone.

The point is there are a myriad of inexpensive ways to do this, which is why there os a European initiative to upgrade railway signalling across the whole of Europe but… It’s going slowely, whilst the mobile phone standards in comparison are going fast…

For some background and further information Have a look at,

lynn h August 28, 2023 12:41 PM

Even so, this is being described as a cyberattack.

While some dictionaries say a “cyberattack” must involve the internet—which I think is overly strict: a private network should count too—Merriam-Webster says it’s “an attempt to gain illegal access to a computer or computer system for the purpose of causing damage or harm”. If this radio signal were received by a computer, or triggered an emergency-braking signal on an inter-car computer network, then it would arguably qualify—assuming someone were trying to cause damage or harm, which is unclear.

Wikipedia has an even looser definition: “A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones.” Note the apparently intentional omission of any word like “computer” or “digital” before “infrastructures”, though the other 4 terms all include such a qualification. Unlike M-W, this definition doesn’t require malicious intent, and I think it’s absurdly broad: even spray-painting a street sign with some words intended to offend people would be a “cyberattack” according to Wikipedia.

lynn h August 28, 2023 1:32 PM

If the autobus, the police or the fire car tells the traffic light in which direction it needs to pass urgently that isn’t encrypted,neither, normally.

Often a bus or other transit vehicle will trigger a special “transit signal”, such as a vertical white rectangle, such that improper use would be obvious and wouldn’t trigger a green light anyway. The emergency vehicle override systems are sometimes based on visible strobe lighting, also obvious if sent from an ordinary car (of course, cities using such systems should make sure their detectors aren’t accidentally sensitive to infrared or ultraviolet strobes; and someone really serious about beating it could use a well-aimed visible-light laser that wouldn’t be externally visible in clear air).

I know of at least one city that uses something that seems more secure, but also really overcomplicated. The emergency vehicles have onboard GPS receivers that transmit their positions to the dispatch system via a cellular network; the dispatch system forwards the positions to traffic control via the internet; the central traffic computer calculates motion vectors, decides which lights should be changed, and contacts the control computer at each relevant intersection that’s connected (often via telephone lines, and not every light is connected).

At some point, security risks are just too minor to pre-emptively guard against.

Garabaldi August 28, 2023 4:57 PM

You could also call 112 from a burner phone and say there’s a truck stuck on the tracks. If they start ignoring that you can park a truck on the tracks.

vas pup August 28, 2023 5:05 PM

I guess that all new technology should incorporate in their design security measures before implementation not after.
So, prompt AI what vulnerabilities prospective system have, then eliminate them one by one before implementation.
This bleeping patch work fixing security issues after implementation for many applications/devices is becoming out control because companies immune from compensate damages – same paradigm should applied as e.g. for car makers. Then no ‘half-baked’ IT products will push into throat of the customer. Just opinion.

yet another bruce August 28, 2023 5:12 PM

I was shocked to discover most high school fire alarms will accept input without any user authentication whatsoever. As a consequence, these vital safety systems are frequently compromised by bad actors. I guess these are cybercriminals also?

Mr.Obvious August 28, 2023 8:09 PM

150.1 MHz limits you to radio-line-of-sight. You might reach 10 to 30 miles away, but not the other side of the country let alone the world. It’s strictly a local attack.

Those locks on your house can be easily picked. Check out Deviant Ollam’s lockpicking lectures from DEF CON on youtube. You can buy locks for hundreds of dollars apiece that have side indentations on the key, dumbbell (hard-to-pick) pins, etc. Much harder to pick. But here’s the thing: What are the chances someone’s going to pick the lock on your house? And if they are, what stops them from cutting through the wall, or breaking the lock off with a chisel & hammer?

Same deal with trains. It’s pretty easy to derail a train. Somebody stopping the train with a radio signal, that’s small potatoes in comparison. Perhaps even desirable compared to more significant terrorism.

You can laugh at trains being stopped with a $25 radio. But at the end of the day, somebody is paying for whatever tech they use. There’s a real cost vs security tradeoff. And sometimes you’re better off eating the occasional train-stop cost…

Clive Robinson August 28, 2023 8:40 PM

@ vas pup, ALL,

Re : AI as the perp.

You give me a thought,

If some one tells an AI to find secirity vulnetabilities what happens when it finds one?

We know from long experience, that if an ordinary individual finds a vulnarabilitu, and reports it they are told it is not realy there or is not abusable etc.

This ignore/attack the messanger is so common that in nearly every case these daus a “Proof Of Concept”(POC) is developed and executed as a “demonstration”.

Technically developing/demonstrating a POC can be a crime and some managers at some software devrlopers like Oracal have threatened or actually taken leagal action against the researcher.

So the thought occures what happens if you use an AI and tell it,

1, Find vulnerabilities in XXX
2, Produce POC code
3, Test POC code

Are you being any less a criminal if you say,

1, Find and demonstrate vulnerability in XXX.

I guess it’s one of those qurstions that courts will no doubt have to deal with eventually. That is AI ans an agent of another entity.

But then what if the entity is another AI?

Those turtles would need to breed real fast to keep up…

Anyway The August Bank Holiday is over in England etc, so technically it will be nose back to the grind stone, unless of course Public Transport has “overrunning works” in which case it will be welcome to “The road to hell”,

(Shown is “Westway” A40(M40) in West London, with bits from London Heathrow into Edgware and down to Earls Court. Those tower blocks where you look into a flat and down onto the underground railway are on the “west cross route” A3220(M41) that strangely went north-south and was just East of what was White City where BBC Television Centre was,,_London

And where many many years ago long before the dump called Westfield was constructed we used to put out more than one Pirate radio station, that was back when work was fun 😉

Clive Robinson August 29, 2023 2:24 AM

@ Mr.Obvious, ALL,

“150.1 MHz limits you to radio-line-of-sight. You might reach 10 to 30 miles away, but not the other side of the country let alone the world. It’s strictly a local attack.”

Whilst I would agree with “let alone the world” not so much “the other side of the country” and certainly not a “local attack”.

I’ve previously pointed out the dangers of hand held radios like the Baofeng UV5R on the ground with a very what appears a very poor range of a couple of kilometers or so. But that with tiny SDR receivers and computers with WiFi dongles on drones that can fly to 300m or more getting 60km range for SigInt activities. We really have to think a little differently these days.

150MHz is 2m wave length only a fraction above the amateur radio VHF satellite band around 145.7-146.0 as can be seen,

And amateurs communicate with them at distances that easily exceed the width of the Atlantic ocean.

Now as most know there is a war going on at the East of Europe currently and there have been attacks on satellite and other commercial communications and transportation systems by Russian personnel.

I’m not sure how big Poland is exactly but a quick measure in my European road atlas indicates, about 650km north to south and 690km east to west.

We know a light aircraft can fly ordinarily at a “mile up” or call it 1600m with a quite powerful VHF signal of upto one kilowatt output being easily possible.

The radio horizon calculation which gives the coverage radius, can be found from,

Dist = 4.12 x sqr(h)

So sqr(1600) = 40
Times 4.12 = 164.8km

So the coverage diameter would be double that at 329.6 km, giving about a quarter of Poland.

In 1945 Herald T. Friis, working at Bell Labs derived The free space formula for power at the receiver input from the transmitter output for any given wavelength and Tx and Rx antenna gains. It’s known as the “Friis Calculation” and it’s used as a quick way to find out how much power you need to cover a radio path or area when designing a communications path or broabcast area.

The Polish railway system opperates at 150MHz so has a 2m wavelength and at a 60dBm (1kW) Tx output power at 164800m range, assuming a TX antena gain of 2.5dBi and an RX antenna gain of -10dBi you get approximately -67.8dBm. As a narrow band FM receiver needs around -120dBm to be quietened you’ve got a margin of ~53db or 200,000 times the power in hand…

A quick lookup says a Cessna 172 has a given maximum normal operational altitude of 14,000ft or 4260m giving an increase in coverage diameter out to 540km ordinary passanger jets like for instance, the Boeing 747-200, that debuted in 1968, has a “service ceiling” of 45,100ft. So say 30,000 to 45,000ft or 9120-13680m giving a coverage diameter of 588-964km.

So a passanger aircraft flying at normal operational hight carrying a 1kW transmitter could stop every train in Poland at the same time.

Now if this should be a concern to the Polish authorites or not at a time when a Super Power effectively “next door” has dropped a less than subtle hint they will attack them…

From a couple of days back,

If Russia does decide to invade Poland from Belarus, then almost the first thing they would want to do is shut down any and all transportation of military materials in Poland…

Francis Mayer August 29, 2023 10:47 AM

Well this is just another case where it is obvious that all industrial control systems need to be replaced with systems that are engineered with layers of security built in. Plain encryption without transmission security will be vulnerable to a replay and other attacks. Encryption is useful but not when used as a single layer of defense. The implementation of encryption must be done properly with layers of security or it will be not much more secure. Cyber war is here and now. This means it is negligent not to engineer in layers of robust security. The world will get a painful lesson in cybersecurity in the near future and the brain dead political class will claim that they did not see it coming and then they will go into crisis mode by throwing money at the problem with little thought for real security engineering. Thought thru solutions could be implemented now to fix the problem more effectively and do it for less but that won’t happen because the political class tends to be people with little to no scientific or engineering background.

lynn h August 29, 2023 11:42 AM

“Local attack” is a problematic term these days, because the concept falls apart if an attacker can gain control over any suitable equipment in the target area. Could someone, for example, hack a “smart” wireless doorbell to transmit on that frequency? Maybe not, ’cause there’s nothing but public FM radio, amateur radio, and aviation and marine radio near that frequency. Then again, perhaps setting a microcontroller’s clock tree to an “incorrect” configuration could give some interesting results, and of course there are “accidental antennas” in any computer system. It’s not going to be easy to track down a radio signal that’s transmitted only sporadically, for a few seconds at a time, when nobody’s around.

Anyway, according to the “PKP Radio System” section of the E.U. document, the “RADIOSTOP function can be activated by pressing single button (sealed) both track-side and on-board”. That makes me wonder why they went with a wireless radio system at all. Note that it isn’t a fail-safe system; if radio interference prevents receipt of that signal, the emergency stop buttons will have no effect. I would think an on-train button would be connected via wire, and the train would stop if the connection were lost. For track-side buttons, I’d have considered signalling via the metal rails or using magnetic induction (both have been used for cab signalling).

Referring to “Polish trains” is probably at least somewhat misleading. I’d imagine that the Polish regulators would also want foreign trains operating in their country to be stopped by the track-side emergency buttons; so, perhaps every train whose buyer thought it might ever operate in Poland is vulnerable even outside the country. (And, obviously, trains from Polish companies must remain vulnerable outside Poland if their on-train emergency buttons rely on this signal.)

As for the talk of cryptography, I don’t see any reasonable way to design it into a decentralised system like this. However unbreakable the crypto is, we probably can’t expect every emergency stop button to have an accurate clock (especially if they pre-date GPS), which means anyone could press any track-side button, record the signal, and replay it to stop trains—at least any train that hadn’t already been stopped by that exact signal.

lurker August 29, 2023 4:40 PM

@lynn h

“As for the talk of cryptography, I don’t see any reasonable way to design it into a decentralised system like this.”

The Chinese High Speed Rail system use GSM, and no doubt I will be told how GSM is cracked/useless/otherwise fraught with peril. I also expect the Chinese to have thought about their likely adversaries, the nature of “interference”, and such. They use a dedicated channel for data transmission from the train and a separate channel for voice communication with the driver. At regional control centres each sector controller can call up a duplicate of any driver’s dashboard. Trackside signal lamps are augmented by standard ETS on the GSM data channel.

vas pup August 29, 2023 4:58 PM

@Clive – Thank you – agree on almost all of your points.
My nickel: when management and owners are not the same people their interests not coincide. Owners want good product – management keep their asses and perks intact. That is why being messenger is not good but rather dangerous.

I guess if AI report of vulnerabilities passed to the Board (whatever it is called) of owners it’ll be better chance to address the issue timely not to sweep it under the rug.


Wiz eyes potential bid for Israeli-founded cybersecurity firm SentinelOne

“US-Israeli cloud security startup Wiz is mulling a potential bid for Israeli-founded cybersecurity firm SentinelOne, which has a market cap of almost $5 billion.

In response to reports over the weekend over a potential deal, a Wiz spokesperson said that the company has “openly discussed the possibility of acquisition.”

“We consistently evaluate potential opportunities that will support our business growth and help us maintain our market leadership position,” the spokesperson said.

“SentinelOne has a strong cybersecurity offering, and we have been following their
growth journey for the past several years.”

Listed on the New York Stock Exchange, SentinelOne, which has a market cap of more than $4.8 billion, has been weighing strategic options that could include a sale and has hired investment bank Qatalyst Partners to advise on talks with potential acquirers, including private equity firms, Reuters |reported last week.

=>Established in 2013, SentinelOne develops !!! AI-based software that protects laptops and cellphones from security breaches by identifying unusual behavior in enterprise networks. The Mountain View, California-based company was founded by Israeli entrepreneurs Tomer Weingarten, its CEO, and Almog Cohen. Meanwhile, Wiz’s agent-less technology provides security coverage of a company’s entire cloud environment “in minutes” for rapid risk reduction, according to the company.

“By utilizing the market-leading solutions offered by SentinelOne and Wiz, customers
can gain complete visibility into their infrastructure hosted in the cloud, quickly identify and remediate attack paths to critical resources, and prevent threats with comprehensive runtime protection of their cloud workloads,” the two cybersecurity firms said.

In March, Cisco Systems, a US maker of networking software and hardware, said it
intends to snap up Israel’s Lightspin Technologies, a developer of cloud security software. Other deals include US tech giant IBM buying Israeli cyber startup Polar Security, a developer of an automated data security platform to track and protect sensitive data across hybrid cloud-based systems, and US-based cybersecurity firm Palo Alto Networks acquiring Cider Security.”

Tatütata August 29, 2023 5:00 PM

I’ve been wondering for 15-20 years why this hadn’t happened yet. At least one other major European railway is susceptible to just the same attack, and if you don’t know where to look in RR related literature, the details of the signal are also published in official EU documents for operator interoperability…

One solution would be to leave VHF land-mobile to GSM-R, but IIRC, the lack of a built-in emergency stop facility in GSM-R was a reason delaying its adoption.

The emergency stop function was introduced after some ugly accidents. But in one case where it was used incorrectly, the result was even uglier. The signal boxes just locked the points in place, allowing a runaway train to run its full course…

GSM-R was/is 2G GSM based, which has gone off the air pretty much everywhere. The frequency allocation was chosen to be right at the edge of the old public band. I don’t know how the users deal with this obsolescence.

There was a story from circa Y2K about a kid actuating tramway points somewhere in Poland. The remote control was IR based, just like for a TV.

Clive Robinson August 29, 2023 5:56 PM

@ Tatütata, ALL,

Re : 2G and usage.

“GSM-R was/is 2G GSM based,”

It still is in the UK, where 2G refuses to die for various reasons (not least the chipsets are less than 2USD whilst 4G is upwards of 25USD last time I looked shortly before 5G became normal).

I’m not entirely certain but it looks like National Rail runs it’s own 2G network based on the trackside antennas.

From an operations based perspective 2G offers what TETRA, P25 and DMR based networks can not. Not least is clarity of voice which is realy absent in the narrow band FM Digital networks, and is vitaly of importance in emergancy situations (it’s also argued that voice clarity is the same reason Airband systems are still AM based).

Mad as it might appear I can see 2G outliving not just 3G but plain 4G as well. There is so much of it in “infrastructure control systems” that the cost of pulling it out even over a decade would just be to expensive and the UK radio regulator OfCom is not going to want to get into that battle as much to their horror they found out a few years back that not just the network operators but user interest groups are more than happy to get highly litigious and can pay legal tallent that OfCom can only dream about.

And with some OfCom staff like Clive Corrie caught out being less than honest on multiple occasions and their in house legal staff committing forgery then presenting it in court as prosecution evidence…

As OfCom know I’ve got the evidence tucked away in several places just in case…

lynn h August 29, 2023 7:44 PM

The Chinese High Speed Rail system use GSM, and no doubt I will be told how GSM is cracked/useless/otherwise fraught with peril.

It’s certainly not decentralised—as we found out in Canada just over a year ago, when one of our major cellular networks, Rogers, stopped working for a day (leading to a lot of “cash only” and “cash/credit only” signs). Some posters have said the rail operators would run their own networks, which makes me wonder whether they’d be better or worse than actual cellular companies. In a proper fail-safe system, a train should halt if it hasn’t seen a recent “everything’s okay” message from safety-critical equipment, so a large-scale GSM outage would necessarily mean a large-scale rail outage. It that better or worse, and less or more likely, than some asshole using a radio to stop trains?

Of course, a GSM system doesn’t have to be quite as centralised as the Rogers networks. Maybe a rail operator could run a separate network for each rail subdivision, and handovers would occur as necessary. A company that takes safety and security seriously could probably do this right; but, as usual, what’s their incentive to do more than the minimum? The Chinese high-speed rail system is hardly an example of doing things right, given that the Wenzhou train collision of 2011 was caused by faulty (non-fail-safe) signalling.

Mr.Obvious August 29, 2023 8:39 PM

Interesting response Clive.

Below 3MHz you can have groundwaves following the curve of the earth. Below 30 MHz, you can bounce radio off the ionosphere. You’ll miss points in the middle, but can hit points far away. This is how you hear AM radio stations far away at night. Not so good during the day, when the sun ionizes the atmosphere.

150 MHz is way to high. You’re not bouncing your radio signal off the ionosphere. You’re looking at satellite or moonbounce. And that means a radio transmitting at 150.1MHz on the satellite! Otherwise you’re limited to radio line of sight, at best. Terrain & atmospheric conditions will impact that further.

Question: Is your plane flying at 45,000 feet over Poland? Or are you doing it from outside Poland? Somewhere your plane won’t get shot down? Radio direction finding is comparatively simple & straightforward.

How exactly are you mounting the radio’s antenna on a 747 flying at 45,000 feet? 1 Kilowatt of power is a lot of RF energy. How do you keep it from interfering with the sensitive avionics? For that matter, your transmitter is going to take a lot more juice than 1 Kilowatt per hour. How are you powering it?

Now I’d like to think airport security would have some questions if you were haul all this onboard in your carry-on. I’d like to, but I’ve seen airport security in action.

And this isn’t some 2-watt Chinese made handheld radio you’re buying off Amazon. There’s a bit more to it. It can certainly be done, but there’s a steep learning curve for amateurs to put it all together, and more so not to get it traced back to them after they use it.

You can do a lot when you have a nation state’s resources backing the project. But consider, how long will it take Poland to disable the radio stop signal in their trains? Unplug it? Short the wire? What does it really take? Russia decides to send the stop signal. Poland can disable trains from radio-stopping whenever they want. Oh they’ll make a lot of noise about Russia’s cyber-attack. And that will justify whatever we do back to Russia. But at the end of the day, it’s just a short-term nuisance. Little more than harassment.

But what happens when Russia drops a small robot from a low-altitude drone? It moves into position on the train tracks. Digs itself in. When the Nth train passes overhead, it blows itself up, separating the train track and derailing the train. Or how about just welding the train to the tracks with thermite when it stops? Do you really think these sort of things haven’t been already dreamt up and implemented?

Seems like it’s more about giving both sides the ability to rattle their sabers without escalating too far. As in Russia radio stopping Poland’s trains is working as intended.

lurker August 29, 2023 11:31 PM

@lynn h

The Chinese rail system GSM is operated by the railways themselves, and compartmentalised regionally. Because of their need to follow rail lines, not road layouts, they only rarely share the same tower sites. So any failure of the “public” GSM system is unlikely to affect them seriously.

The Wenzhou accident was the typical result of many small factors coinciding in a complex technical system. Assigning weights to each factor is an eternal exercise for historical revisionists. In the context of the Polish stop system, I observe that at Wenzhou the human operators attempted (partially) to override the failed control system, but without knowledge of each train’s location the inevitable occurred.

Clive Robinson August 29, 2023 11:33 PM

@ Lynn H,

“Could someone, for example, hack a “smart” wireless doorbell to transmit on that frequency? Maybe not, ’cause there’s nothing but public FM radio, amateur radio, and aviation and marine radio near that frequency.”

It’s getting way easier day by day.

The world is moving very rapidly into “One chip/module fits all” type supply/inventory as it very significantly reduces BOM and SBOM costs.

All those Chinese hand helds and quite a few Japanese and South Korean manufactured radios all use the same family of chips/modules which are RDA1846 and use standard I2C interfacing[1]. Hence are very easy to reprogram and the 136-174MHz and 400-520MHz coverage commonality with the UV5R and which got augmented when the UV5X3 added 220–225Mhz (which is apparently now opening up to 50-600Mhz or more with the newer chips used in the Quansheng UV5 that appear to have an SDR within).

The difference between the Chinese commodity HTs etc below 30USD and Japanese and South Korean “Type approved” and carrying GCC and CE approvals with a 80USD and up price tag is how much in the way of filtering is added on the modual output prior to or following the aditional PA or the antenna circulator/diplexer both for TX and to remove de-sense issues on RX.

Even though the Japanese and South Korean “Ham HT’s” and PMR etc tend to have way better filtering, it’s still quite broad. This is because it’s the 1st harmonic (@2xF) they want to get -50dBc or more down. Such filters are sometimes low passes going for -60dBc at the 4th harmonic (@5xF), with a Q or T-notch on the 1st harmonic. Which whilst it works very well when the device is used “in band” as intended… the Q-notch being narrow band is of very limited use. So for a 144-148 2m amature band HT “serious TX filtering” does not start till around 275-280MHz so the 136-174 gets through quite easily and it falls to the antenna that acts as a ~5% to -3db bandwidth filter by having a non ideal match.

Yes more specific filtering can be added but this increases both cost and PCB realestate thus device casing size all of which adds considerable unwarranted cost. So does not get done in FMCE type manufacturing.

So you now have all the information you need to go play and hack the RDA chip, thus you just need to find a device you can “jail break”

If you search for the “Quansheng UV5” you will find a web site that alows you to “patch the code” and make a download.

Have a look at how to first make it do 18-1300MHz,

Then if you goto his channel you will find other vids.

None of this hacking is exactly difficult to do and should be well within the abilities of a college student or fitst year doing a hard science or engineering degree[2].

[1] Hacking the chip is not exactly difficult, in fact you can download all you need to get up and playing around with it in a day or less. There are even fairly explicit HOWTO’s such as,

Even though the chip is supposed to be “Under NDA Only” you can very easily find

1.1, Hardware data sheet
1.2, Programing guide
1.3, Code libraries

[2] For some reason, I point out things that are not just accurate but verifiable as such with an easy Intetnet search or three, yet I don’t get believed… Why I realy don’t know, I can only assume they think I’m making it up as a knee-jerk reaction and don’t or can’t be bothered to do the simple searches required to verify I’m not doing an “AI Hallucination”.

Jeremy August 30, 2023 4:43 AM

Well it seems the entire UK air traffic system can be thrown into turmoil by a single ‘dodgy flight plan’, so some old fashioned phreaking on the Polish railways is hardly surprising.

Clive Robinson August 30, 2023 7:10 AM

@ Mr.Obvious,

“Is your plane flying at 45,000 feet over Poland? Or are you doing it from outside Poland?”

In the case of some actors it could be way more than 45,000ft military aircraft can do 55,000 and up. Even a clandestinely released ballon can go that high with a small payload and go very long distances[1]. And the maths shows there is enough “signal margin” to come down quite a ways you’ve got aprox 50db margin so 1kW can be reduced by 10^5 or 10,000 times down to 0.1watt or less if clear line of sight can be assured (and the higher you are the more likely that is, but I don’t want to get into defraction and terain following effects as the maths starts getting beyond mental calculation.

“Somewhere your plane won’t get shot down?”

You can do it with multiple aircraft outside of national air space, and who is going to shoot down a passanger aircraft other than Russia?

But think a little further and life gets very interesting at a “four man brick” Gladio level which as I’ve mentioned before I was involved with in the 1980’s.

“Radio direction finding is comparatively simple & straightforward.”

It’s not as simple as many people think, as you find out when you get a few “intermitant RDF fox-hunts” under your belt… Anyway it’s currently not in place and would take a while to put in place. You can buy such a small bug/fox device of 10-100mW output for less than $50 for the 2m band and they are increadibly easy to change their frequency if you want to. Also some made with “surface mount” components can be put inside a “Sharpie Pen” or “highlighter pen” or larger “felt pen” case and use a strand of nearly invisable 40AWG wire as an OCFD or EFHW antenna (I’ve done both, remember I am an RF Engineer by training and sometimes vocation, as I’ve mentioned befor one of my jobs working with a friend used to be making high end surveillance devices and later designing some of the best broadcast transmitters money could buy via his company “Broadcast Warehouse”).

Oh and remember both legally and technically it’s a “civil nuisance” bordering on criminality not an “act of war” whilst shooting a civilian aircraft down is something we know causes considerable political and state level disquiet and action, as more than one reader/poster here is acutely aware of.

The thing to remember about such emergancy stop signals is they only need be transmitted for at most 15secs to cause several hours or even days of disruption. And as they are base level safety systems you can not just “yank them out” way to many other systems have been built up on them with the assumption “they will just work” to do that…

As to your other points I can address them all if you want me to, but first do some fairly easy “Internet Searching” you will be quite shocked at what you will find. I suspect others such as @Tatütata, @Winter, @RobertT, are well aware of all of this as well as several other long term readers/posters.

As I’ve pointed out before, just be very thankfull engineers don’t tend to become terrorists… But as the Russian’s are finding out, they do make very good freedom fighters in asymetric warfare (see YouTube “PERUN” channel for some very interesting oversight on what is going on).

I’ve been in this skullduggery game one way or the other since the mid 1970’s and still “advise” at all sorts of “Pay Grades”. I suffer from what our host @Bruce has in the past called “thinking hinky”, I can not look at systems without seeing ways to exploit them and I’ve been doing that since atleast being in “Primary School” when I first started picking locks and similar and fixing valve/tube radios. By the time I hit “Secondary school” as a pre-teen I was an absolute menace as was someone who became a life long friend. We were seen as a “pair” and nobody knew which one was holding the other back what we got upto was so outside the box it was “alien” to the way nearly every adult thought. They were in the main just grateful that we were not malicious or of criminal intent just as one senior person once said “doing it for the craic”… And ranged from silly pranks with boobytraped ballons full of water through to taking over the BBC FM broadcast in the Isle of Wight because the BBC had daftly simply rebroadcast what they received from the mainland…

[1] Also to answer @Tatütata’s “why?” question “yes it has all been done before” it’s just that nobody talks about it “in case it gives others ideas”… If you look back on this blog you will find me relating the tale of a friend, a tiny tone generator a two transistor buging device on a VHF frequency running on a small battery supply and some large ballons and a cylinder of “party gas” to fill them back in the 1980’s[2]. Released from the outskirts of SW London from a back garden in the evening after dark. The frequency selected was one that my friend knew would be quiet, ie the British Gas repeater input frequency, but one that could easily be “followed” simply by listening to the frequency, the repeater(s) output frequency, or both. Which quite a few people in the “Pirate Radio/scanner scene” who got phoned up did, all the way into Europe untill the battery died or it came down (it’s one reason the UK Gov via OfCom are very very anti amateur radio ballon to this day nearly half a century later).

[2] This was at a time of the “Repeater wars” you tend not to hear very much about these days (though the YouTube “Ringway Manchester” channel has covered some of it). But one repeater subject to such attacks at the time was GB3SL on the BBC mast at Crystal Palace in South East London. It finally escalated to the point things got booby-trapped with explosives and people got rather more than surprised. Prior to that however some of the “intermitant jammers” got hidden in black cabs and minicabs unbeknown to the cabs owner/drivers thanks to “Bob” of East London.

Peter A. August 30, 2023 7:16 AM

@Tatütata: “I’ve been wondering for 15-20 years why this hadn’t happened yet.”

If by this you mean local abuse of the radio stop system, it had happened, many times. The current iteration just got a lot more publicity “because Russians”.

Tatütata August 31, 2023 10:05 AM


Back in the 90s, the MORANE program looked both into GSM and TETRA as a potential basis for a railway radio system. Neither entirely met the needs of railways, but GSM seemed the prospects for customisation.

In retrospect this was the good choice. The implementation of TETRA (and other digital trunking sytems) has been sadly a running fiasco.

Some of the most recent bad news:

(granted, vanilla GSM too has backdoors and poor crypto).

I won’t dive too deeply into this, but I discover this on GSM-R Wiki page:

GSM-R could be supplanted by LTE-R, with the first production implementation being in South Korea. However, LTE is generally considered to be a “4G” protocol, and the UIC’s Future Railway Mobile Communication System (FRMCS) program is considering moving to something “5G”-based (specifically 3GPP R15/16, i.e. 5G NR), thus skipping two technological generations.

But IMO the key feature of 5G is IMO that it is really a broadband system which grabbed as much spectrum allocation as it could, whereas GSM-R is an application specific narrowband one. GSM-R also has safety features for improving the reliability of security-critical signaling. Can 5G do that?

By the time daughter-of-GSM-R is finalised, we’ll probably be at “8G” or “9G”, whatever that means.

Meanwhile, there are still mechanical signals in operation that were installed when Queen Victoria wasn’t amused, or at least designed. If GSM-R fits the bill, why replace it?

When I worked as a designer, I was aware that there was at times enough equipment on my bench to purchase at least one or three flats. (This was especially true if I was able to hold on to crown jewels such as the HP8566 or HP8510, or the bozo from the ministry wasn’t roaming about to impound instruments with “barely” expired calibration stamps. You’re taking my AvoMeter? Seriously? Help yourself! But a “6” is so easily rounded into an “8”, and a tiny drop of solvent on a finger does wonders at artfully smudging labels…)

Nowadays you can get so much done with SDRs, a laptop, and cheap test equipment bought on the internet. So much more opportunity for rascals, especially if you you don’t care about details such as spectral purity…

In my engineering school days back in the 1980s, the ham radio club operated a 2m repeater on the premises. For several months there had been some idiot looping a few bars of a melody (Mozart? A folk song?) on the input frequency hours on end, a bit like a extended interval signal. I guess someone was deeply frustrated by the scholarly discussions of Mohr’s circle or Laplace transforms in the wee hours of the night, but fortunately this jammer was low power, and easily overriden. (But I don’t remember how the talking time limiter circuit handled this situation.)

There were also frequent short interfering transmissions from a mysterious net. It couldn’t have been an image frequency of the receiver, as it was connected to the antenna through a bandpass cavity filter.

On a weekend day there was an unexpected breakthrough, when the operator suggested “Guys, let’s have lunch at $GREASYSPOON in 30 minutes”. My buddies and I immediately got on our way and converged on the calorie dispenser. We discovered a number of dispatcher cars parked outside that belonged to the transit authority. The cryptic numbers discussed on the air were schedule and vehicle numbers. (Quite obvious, but in retrospect.) They were quite startled as this party of twentysomethings barged in and (politely) asked “which one of you fellows is 86-37?”. The theory was that one of the older crystal-controlled transceivers had a mistuned frequency multiplier. In any case, the problem was solved, with the culprit’s set either fixed or replaced.

A few years later I was working for the company which had manufactured that radio.

Besides railways, there are other security critical systems out there.

I’m aware of the occasional idiot showing up on ATC frequencies. (The use of AM on VHF is more of an historical legacy, FM was still in its infancy in the 1940s, and so was frequency synthesis, explaining the original few and wide channels.)

But there is perhaps more worrying.

The ILS localizer and glide-slope beams are basically the Lorenz landing system of circa 1932. Sure, the frequencies are not the same, and the radio look different, but you’re still installing antennas right at the end of runways with particular radiation patterns.

Historically, derivative of these systems have quickly been hacked in what became known as the Battle the Beams, as recounted by Reginald V. Jones in his memoirs.

The integrity of the beams is usually done by an add-on contraption which measures the near field near each individual radiator. But this is not a guarantee. In 2019, CommutAir Flight 4933 missed a runway in Maine. The ILS localizer array was covered in so much snow that the beam it was sending was crooked.

You can also make in-flight checks. A few years ago I was mightily annoyed by an aircraft making low altitude loops again and again over the city. Upon investigation I found out it was checking and calibrating navaids, including ILS.

The Microwave Landing System (MLS) was way better than ILS, but more costly. When GPS came along in the early 1990s along everyone in government and the airline industry conveniently jumped on the bandwagon and forgot about MLS. I remember one of my colleagues who was an authority on Omega navigation (he was extremely sad to see it decommissioned), and who argued passionately that you can’t possibly have a GPS-based CAT3B landing. I think he’s still right.

ILS is at least susceptible to DoS, or worse.

Clive Robinson August 31, 2023 8:40 PM

@ P Coffman,

“In the United States, there is a yet-again method where trains randomly derail.”

It’s not “randomly” it’s actually quite predictable on mass and so why you are noticing it as “yet-again”[1].

The reasons behind the derailments are mechanical in origin and can be and have been demonstrated as such. And it is primarily due to what boils down to incorrect design[2].

US regulation and legislation actually needs to be changed as a first step to resolve this. But that would inflict significant cost on what is a “private industry” that sees the costs of derailment as considerably less expensive over all. So any legaslitive changes have all the urgancy of hell freezing over, so don’t expect the derailment problems to go away any time soon.

History going as far back as Victorian England[3] shows that you need a significant and effrctively immediate death toll to cause a significant and sustained public out cry to get such legaslitive chanages to go against the profit interests of the “private industry” concerned.

[1] It’s the same principle as buildings burning. If you build a city where most buildings are made out of flammable material that is exposed… Then you know more buildings are going to burn than cities where buildings are either not made with flammable materials, or the flammable materials are enclosed in non flammable materials. So you can fairly easily predict the number of buildings that will burn in any reasonable period of time in a city, but generally not which actual buildings in particular. In the insurance industry it is the job of actuaries to know or determine the numbers,

[2] I won’t go into the actual details they are fairly tedious. But I can give you an example that keeps coming up when people build their first undergrad project in an appropriate subject. If you think of two wheels on an axle as a “cut-away cylinder” you know it will roll freely in a near straight line (as dors a bottle down a slope). However it does not turn corners at all well because the wheels are rotationaly not independant. So as the wheel on the outer side has to turn faster than the one on the inner side of the curve, there has to be considerable friction and slipage involved on a corner. The solution is make the wheels independent of the axle so they can turn at different rates. So obvious when you know, and not when you don’t. However providing that independence to the wheels involves considerable cost and care in design. In times past in railway design they used to cheat by saying if the curve is very slow/gentle then the slipage needed on the turn is minimal so the issues caused by the resulting friction are likewise minimal…

[3] The “learning curve” on boilers is a stark demonstration as to why proper design should be both taught and properly followed. Boilers were found to be dangerous and liable to explode within a very short period of the realisation the more preasure in the system the more efficient the system apparently was as it alowed greater work to be done (metal fatigue was not a general idea for another century though anyone who played with pieces of wire would be aware of it…).

But the lack of consideration or learning demonstrated by articifers and engineers is still happening even today,

trainspotter September 1, 2023 5:20 AM


The solution is make the wheels independent of the axle so they can turn at different rates.

The classical solution is to make the wheels slightly conical, so that even when they rotate at the same rate their linear speed can be different. But this leads to a new problem: ‘hunting oscillations’ which can become dangerous at high speed. There is no simple solution for those – it requires active control systems which of course become a risk when they fail.

lurker September 1, 2023 5:43 AM

@Clive Robinson
“The reasons behind the derailments are mechanical in origin”

Indeed, the mechanics of rolling a straight piece of iron rail are well known, but keeping it straight while trains run along it and there is insufficient quantity and/or quality of ballast under the sleepers, combined with the haphazard clampng of the rail to the sleeper, leaves some lines with a speed restriction as cheaper than fixing the problem.
Watching video clips of American trains swaying from side to side is not recommended for the faint hearted. Even new lines designed for 24/7 running of 50×50 ton coal wagons seem to lack that engineering excellence America was once known for.

Clive Robinson September 1, 2023 6:08 AM

@ Tatütata,

Re : Back in the 90s

“The implementation of TETRA (and other digital trunking sytems) has been sadly a running fiasco.”

And always will be…

Because at the very base level the digital systems require three very important things analog systems do not,

1, An increased bandwidth.
2, Synchronisation.
3, A distortion free channel.

The actual issue was a frequency spectrum one, on how you shared it.

To keep with the existing chanalised analog system which is what the “Trunked” systems are ment to do, ment squeezing a digital voice system with a lot of overhead, into an existing NBFM analog system bandwidth. Simple logic indicates there are no magic buckets, and once a bucket is full you can not carry more.

But worse such Trunked digital systems are very expensive with handsets being more than eight times the price of an analog system and do not ask about the base syations the multiple went into imaganary mathmatics. Thus to sell them a lot of features were added that had little cost “as it was software” but at sales talks made it sound like you were going to get a lot of bang for your buck. But the reality was that could only happen by utilising spare channel time. In emergancies you just do not get spare channel time, so these Trunked digital systems will undoubtedly be the cause of deaths.

But also those digital systems had a much lesser range due to needing twenty times or more the radiated power in open field near perfect channel conditions. So the Trunked digital system handsets could not meet the coverage or battery life needs in urban let alone city areas. Which ment the solution was having vastly reduced range and having a lot more base stations (and a lot more “no coverage” areas).

Motorola especially knowingly made a lot of false promises over digital systems and in the process incorect decisions were made at the political level (in the UK it was at the Home Office).

GSM went the other way it went for very wide bandwidth and synchronization and lots of small coverage areas, but easily shared amoungst thousands of users. But still suffers the “full bucket effect” which always becomes an issue in emergancies.

The trick with GSM is the base station can stop individual chosen handsets from being used, thus in emergancies certain users can be prioritised over others in the blink of an eye.

The problem is that in the UK certainly, you now find Police especially as well as other first responders carrying multiple GSM Phones to make up for the fact that Trunked Digital Systems just do not work even in quiet times…

So come a major emergancy as happend in 2005 with the 7/7 London bombings not only did the Trunked Systems fail the GSM systems did as well, and it was not a pretty sight.

Yes the radio communications systems failing was reported, but as always with “stupid” the politicians “doubled down” on Trunked Digital…

And the current “on the ground” response by those doing their daily job is more GSM handset traffic on Personal Phones.

Something not lost on the Mobile Phone network providers who now sell priority service to the Utility Companies who have switched over to these “Push to talk” GSM systems such as POC, Real-PTT and Global-PTT and Zello systems, using so called “Network Radios”. That basically use GSM “Networks” rather than Two Way Radio. To see how confusing it is watch,

(just remember that UV5’s are only Two Way NBFM HT’s)

Zello is interesting as it uses Android and thus can not only be customized it can use WiFi as well.

There are now some units that can do all three ie Two Way on amateur bands, WiFi and GSM. They can be complicated to set up but they do offer considerable reserve capability. Whacking an emergancy WiFi hotspot in place is simply a case of throw a flight case on a high point and flipping a switch if you add filtering by MAC you can keep a lot of idiots away. Likewise these days a cross-band repeater with VHF in and UHF out is easy to deploy and as such you can put several in the same place without interfering with each other add multiple CTS/DTS tones and you can keep others out. Use cross band DMR and life can get interesting.

So we are starting to move towards systems that can cope with emergancies by tailoring bandwidth and time utilisation as needed, and which will even work underground and transition to above and remote as needed with Ambulance staff. But no one system is going to work, and untill the Politico’s get to understand this, the likes of Motorola are going to make a lot of snake-oil profit…

Winter September 1, 2023 7:03 AM


There is no simple solution for those – it requires active control systems which of course become a risk when they fail.

The fact that the USA are worse at keeping trains from derailing than other industrialized countries suggests that there is a lack of motivation underlying the US track record.

Clive Robinson September 1, 2023 8:39 AM

@ trainspotter, lurker, P Coffman, Winter, ALL,

“The classical solution is to make the wheels slightly conical,”

But it still only works with limited or gentle curves.

As old fashioned brewery and similar who rolled barrels down wooden rails can attest. Or more modernly those who design factory systems to transport items as they are made.

Another trick was “track banking” where you would cant the track up to minimise the difference in track lengths. Kind of like wrapping a strip of paper around a broom handle etc. The downside of this is of course it moves the center of gravity of the trains engines and cars which can be counter acted by velocity (and why motor bikes can “ride the wall of death”). But that puts a minimum speed on the banked section of track and center of gravity requirments on the loads carried, as well as having a significant effect on the track upkeep as @lurker has noted is “not a thing” in North America.

But the other scary problem and it’s a real issue in North America is the shere length of trains and curves.

In a traditional single engine pulls train, it can be worked out simply that the train has to be less than ~2/3rds of the curve radius in length as the engine pulls the train increasingly sideways in a curve, again moving the center of gravity. Whilst inertia lessens the effect the train still has to move with sufficient velocity, thus the minimum speed and track up keep issues are even more prevelant.

To get around this in the past, as with “climbs” a “banker engine” would be used to push from the back of the train. However this introduces other issues such as vertical buckling where light cars can lift off the track and move outward thus directly causing a derailment. The solution to this is two fold, firstly more engines distributed in the train but they have to be synchronized which is expensive, but secondly the cars have to be placed in the train by a complex calculation of weight and length…

The modern trend in North American railway companies is to entirely ignore the car placment requirments to increase profits, so derailment can come “built in” before the train even starts moving “out the yard”.

As can be seen none of these problems can be solved by computers as there are way to many unknowns. And managment are not their to run derailment free trains, but make profit for share holders. This can most easily be seen by the “hot box” detection issue, if ever there was a wrong way to do it…

Winter September 1, 2023 10:54 AM


But it still only works with limited or gentle curves.

Which is exactly what you tend to see in railway tracks.

The bend radius in the Netherlands seems to be 190m for speed up to 40km/h and 630m for higher speeds (minimum radius). A lot depends on the track canting. But I also have seen a radius of 1200m reported for 160 km/h tracks.


Clive Robinson September 1, 2023 12:31 PM

@ Winter,

But what would be the radius be for a gentle curve for a train nearly two miles (3kM) long?

If you use the traditional figures it would be 4500m…

A circle bigger than CERN’s LHC little toy…

Winter September 1, 2023 1:16 PM


But what would be the radius be for a gentle curve for a train nearly two miles (3kM) long?

We don’t have them in the Netherlands, at least not on the common routes. There are a few special routes for freight to Rotterdam harbor. I assume they don’t do bends on these.

Btw, 3km is 10% of the distance between Amsterdam and Utrecht or Rotterdam and The Hague, to name a few railway hubs. We are only a small country.

Tatütata September 1, 2023 1:55 PM

As the Rotterdam-Amsterdam “Oude Lijn” (today the main line of Holland) was built around 180 years ago, one landowner just south of central Delft held out and refused to sell.

The railway was forced to build a ridiculous hairpin around the lot, with a radius of “45 elbows” (This value is from memory, I could be wrong. Information on nonstandard old units is also hard to find, but I thing that 45 Ells would work out to about 50m). It was operated for a little while until the owner eventually relented. I believe I read this story in the beautiful “Spoorwegen in Nederland — van 1834 tot nu”, G. Veenendaal, 2008. This episode is a couple of contemporary engraving reproductions.

The Betuweroute is by no means an absolute straight line, and its speed is limited to an efficient 120km/h.

Tatütata September 1, 2023 2:09 PM

The engraving of the Delft detour is also part of the book’s the cover, on the lower half under the author’s name:

At the bottom is a detail of the strengthening of the outer rail.

Clive Robinson September 1, 2023 3:28 PM

@ Winter,

“Btw, 3km is 10% of the distance between Amsterdam and Utrecht or Rotterdam and The Hague, to name a few railway hubs. We are only a small country.”

Your country might be small but it’s easy to walk around and when I was last there with time on my hands a nice place to be. And the fun of freewheeling a bike down hill in Haarlam after the cheese and flower festival 🙂

Admittedly it’s more than a few years since I walked from Amsterdam to Rotterdam (don’t ask why) likewise cycle around other parts.

But one reason for me being there was being nearly 2m high, the taller than average girls there made me feel a little more normal than in other parts of Europe…

After all having a girl in your arms looking up and seeing a large scar causing a double chin[1] and also nostril hair was not a good look…

[1] Back in 1980 I was hammering my way to work on the push bike. Going down a slope to get maximum speed to join the traffic on a busy main road, when a cricket ball came flying over a fence and bounced into my front wheel. When I came to, out of the corner of my eye I could see lorry wheels going behind my head with inchs to spare… When the lights changed and the traffic stopped I got groggily to my feet and noticed about 15 people just standing at the bus stop watching but doing nothing. A man driving a mini bus for disabled people, however lept out and gave me some paper hankies for the blood on my chin. It was then that we found out it was not a graze or small cut but a large hole. Like an idiot I declined assistance to get to hospital as I lived just around the corner and I wanted to take my quite valuable but now wreaked bike back home. My brother in law was still at home when I got there and having locked the bike in the garage he drove me to hospital. Where they found I had torn the flesh back from the point of the jaw about 5cm across and all the way up into the mouth all but the skin inside. It was sown back in place and took months to heal and shaving from then on was a painful thing to do, Which was a bit problematic as the 1980’s was the time I was wearing the green and shaving once or twice a day was expected… It is why I tell people it was the reason I left the army and grew a beard. The real reason being the double chin it made me feel wrong. Well two decades of that and then again on my way to work I was attacked and had my head karate kicked into a sign pole in Twickenham West London by a student at Richmond college and got a full fracture of the lower jaw which necessitated several opperations, plates and screws and a consultant maxiofacial surgeon basically saying I was lucky to be alive as that sort of bone break is normally only seen on dead people who have gone head first through windscreens in high speed motor car accidents. Even though the police knew exactly who had done it –a lot of other students named him– they did not prosecute. Some time later a friend in the police looked him up in the system and discovered oddities, which lead him to believe the police were protecting him as a “Confidential Informant”…

Clive Robinson September 1, 2023 3:40 PM

@ Tatütata,

“At the bottom is a detail of the strengthening of the outer rail.”

These are not uncommon in London, where some of the rail network is the oldest in the world –and scarily still in use–

There was one station on the underground on the central line in West London where the wheels on the train scream in pain on a curve just outside “white city”. Again it’s one of the places I used to frequent but nolonger do.

Oh fun fact the central line else where runs very close under a nuclear reactor that was used for making isotopes for medical imaging and the like. I once traveled that section with a giger counter and it sang a high tempo song, fit to put it in a punk band 😉

trainspotter September 1, 2023 6:49 PM


But what would be the radius be for a gentle curve for a train nearly two miles (3kM) long?

Why would the train lenght matter for the minimum radius ?

But it (conical wheels) still only works with limited or gentle curves

The ratio of the linear speeds on the outer and inner rails is 1+G/R, with G the rail gauge and R the curve radius. Even for R = 150m and standard gauge that’s only 1 percent, so you don’t need much ‘conicality’.

You’d need more on points (switches in the US) but these always have a speed limit on the diverging track.

Another trick was “track banking”

Banking the track is really a standard thing in curves. In the city where I live the underground system tracks are banked, even if the speed limit is only 80 km/hour. High speed trains require a higher minimum radius in order to limit the amount of banking required (as the track must be safe even for a static train).

Winter September 2, 2023 8:55 AM


Your country might be small but it’s easy to walk around and when I was last there with time on my hands a nice place to be.

Walkable and cyclable is indeed how I would characterize the Netherlands. The whole country is around 150 x 300 km (100 x 200 ml). About 9 million people live in the Triangle Amsterdam, Rotterdam, and Utrecht.

Btw, the Dutch Urban region is part of the Blue Banana. This funny name Labels the European Liverpool – Milan axis, a megalopolis that houses 85 million people.

Clive Robinson September 2, 2023 3:52 PM

@ Winter, ALL,

Re : The aged blue is not alone.

“Btw, the Dutch Urban region is part of the Blue Banana. This funny name Labels the European Liverpool – Milan axis, a megalopolis that houses 85 million people.”

Depending on who you ask it’s upto 120million people these days and more Aubergine than Banana shaped. Plus the jokes from cooking aubergine such as “salty old”, “sucks up oil”, “over cooked and bitter” and more.

However it is not alone as a banana these days there is the Green Eastern and Golden Mediterranean,

The two new bananas are most notable because unlike the blue banana the green and gold have extrodinarily weak labour representation. In fact both the green and gold appear to actually feature labour oppression and features of “sweat shops” and similar that used to be found in the likes of India and Bangladesh as standard.

But the reason for the change from banana to aubergine has a lot to do with TEN-T or the “Trans European Network – Transport” which is a mixture or road, rail and water transport corridors through which many of Europes goods and trans continental imports flow,

There are a number of “TENs” under consideration including eTENs for telecomunications. This and the other TENs have unbeknow to many taken a real battering due to Brexit.

Even the satellite “Galileo” GPS system has taken a bashing as much of it was UK-Swiss collaboration technology wise. Part of this has bern illegal behaviour by certain European Aerospace companies buying up UK companies and decimating them by shifting work out into Europe supposadly under French inspired “National Security”.

But the other issue is “subsea cables” and “satellite ground stations”. In trying to “make a hole” where the UK or more specifically England is and much of European International communications comes through[1] Europe is doing a number of daft things. You would have thought that the loss of Nord Stream would have taught the EU Commission some lessons but no.

Just over a year and a half ago in early Feb 2022 Russia was due to hold “war games” south of Ireland over the “Goban Spur”. Which is a point in the Atlantic, where four major Atlantic cables that land in Ireland come up from the deep atlantic. Eire kicked up a fuss about “fishing” –which is probably not carried out there due to the cables– and Russia moved the war games to a nearby area. Making many think it was just a saber ratteling excercise aimed at the UK rather than at the EU and it’s communications.

Russia has kind of made it clear they want to take the EU off of the Map and NATO with it in their madness of a Greater Soviet Empire to be a compleat anixation to the entire Atlantic European coast.

Cutting all subsea cables in that triangle from Bristol in England out Westward just south of Ireland and down South Westward would have significant implications for Europe, which whilst it does have some Geo-Stationary Satellite backup does not have even a fraction of the capacity nor does a number of links going out of the med via the Strait of Gibraltar or Suez… As for up and through the Black Sea straits, and across Turkey/Georgia and out, is that ever going to happen? They are still arguing over a power cable…

[1] England due to historical UK-US and UK-Ccommonwealth subsea cables also got accompanying satelite ground stations became the landing point for most of Europes eComms. This is historical in nature and geography of the Bristol Channel out into the deep Atlantic and off to Africa and the Middle East. It was also why the Five-Eyes formed, and is the only part of the so called “Special Relationship” that was not entirely sacrificial for the UK end.

Winter September 3, 2023 5:20 AM


Depending on who you ask it’s upto 120million people these days and more Aubergine than Banana shaped.

The origin and evolution of the “Blue Banana” concept is discussed here:

Historically, this region is the combination of the Rhine-Meuse and Po river systems with England. These connections go back to medieval times where Flemish cities traded with England and all the way south to the Tuscan city states. In the 19th century, Manchester/London, Rhine and Po were the industrial and financial centers of Europe.

All the additions you name are more like extensions, the blue star. I am wondering when the Rhone river system, Lyon-Marseilles, will be integrated?

But the reason for the change from banana to aubergine has a lot to do with TEN-T

Transport is crucial for a megalopolis. Hence the central roles of Rhine and Po. The blue Banana is basically the Rhine Alpine corridor+England. If England still wants to be part of it, that is.

More and better connections will recruit more cities to this megalopolis.

Clive Robinson September 3, 2023 7:59 AM

@ ALL,

Over on the Squid page @Ismar, posted the following,

“Update on train hacking in Poland

Which indicates it was two men with Belerus or Russian sympathies / connections on of whom was a Policeman, commiting sabotage.

Not sure how the Polish authorities will treat them, but most places spying / sabotage in wartime in support of a hostile state or power tends to get treated with “high speed lead poisoning, or hemp neck tie”. Such sabotage could alternatively be treated as terrorism, where jail sentences tend to atract a life time consideration if you are lucky.

So if what they did were just “drunken pranks” they are likely to find the “no sense of humour” response.

What the article does not mention and I think should is that “Grain for the world” also moves along those Polish railtracks. As the Ukraine supplies a remarkable percentage of grain to third world countries when it can, there are currently with Russia now blockading the Black Sea again the question of the global effects of a lack of food supply that the two arressted men may have caused and the countless resulting deaths.

Thus some will still be asking the question,

“How could / did they do this?”

We don’t actually know currently but as I and others above have noted it’s not difficult.

If you want others views you could watch,

(though a lot of the images are actually stock shots of English rail and radio systems).

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.