CDMA Technical Talk

Ken Pesyna, April 15, 2010


Outline

- Background
- Signal Spreading
- Forward Pilot Channel
- Synchronization Channel
- Geolocation
- Cell Phone Field Test Mode
- Mapping Base Stations


Background

Major Carriers
- Verizon Wireless
- Sprint PCS

CDMA2000®
- 522 million global subscribers (4/12/2010)
- 99 countries
  - US, China, Korea, India, Pakistan, Afghanistan, Iraq

- CDMA is very strongly US based
- Most of the rest of the world, particularly Europe, uses primarily GSM
- 4G providers will continue to provide backwards compatibility with CDMA phones


Background

Code Division Multiple Access (CDMA)
- Multiple users can communicate at the same time & frequency by utilizing unique spreading codes

Benefits
- Increased Capacity
- Universal Frequency Reuse
- Resistance to Interference

[Figure: frequency vs. time allocation for FDMA, TDMA and CDMA; GSM cells vs. CDMA cells]


US CDMA Frequency Spectrum

- 850/1900 MHz, for the downlink (tower to phone, our concern)
- 1850 MHz – 1910 MHz, for the uplink (phone to tower)
- Each block contains a number of frequency channels, i.e. center frequencies
- Each frequency channel is 1.25 MHz wide
- Channel numbers (downlink): 25 – 1175, increments of 25
- Basestations are assigned 1 channel number
- An entire call is communicated on one single channel, i.e. center frequency
- Split into frequency blocks: A - F
  - San Antonio (for example): CDMA: A (Sprint), B (Verizon)

[Figure axis label: Channel Number]


Forward Link Channels

CDMA signals consist of 4 different data channels that the basestation uses to communicate to the mobile:

Pilot Channel
- Continuously transmitted by the basestation
- The mobile uses this channel to determine which basestation is strongest and link to it
- Each basestation in an area has a different pilot channel offset

Synchronization Channel (Sync)
- Beginning of Sync channel aligns with beginning of Pilot channel
- Mobiles use this channel to receive synchronization messages that allow them to synchronize with codes generated by the basestation used to encode, but not encrypt, the remaining two channels

Paging Channel
- Carries overhead messages and system parameters to all mobiles
- Authentication Challenge Message, based on the mobile's electronic serial number
- Communicates to the mobile the Shared Secret Data (SSD), used to encrypt the call
- Assigns a Traffic channel to the mobile
- Also contains a list of all available neighbors and their pilot channel offsets

Traffic Channel
- Carries voice, data, and signaling messages during a call
- Handles the handoff process from one base station to another


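Signal Spreading

- Spread CDMA signal can exist below the noise floor
- De-spreading yields processing gain

[Figure: spread signal relative to the noise floor]

$$G_P = 10\log_{10}\!\left(\frac{R_C}{R_B}\right), \qquad SNR_{\text{De-spread}} = SNR_{\text{Spread}} + G_P$$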


Signal Spreading

Signals are “dual-spread” by two different spreading sequences: Walsh sequences and Pseudo-Random Number (PN) sequences
- Walsh sequences are orthogonal: no cross correlation interference
- PN sequences are generated by a maximal-length shift register
- Both spreading codes are at a rate of 1.2288e6 chips/second
- Data gets upsampled to that rate before being modulo 2 summed with the spreading sequence


Signal Spreading

Similarities
- Beginning of Walsh sequence lines up with beginning of PN sequence
- They are overlapping so they are effectively modulo 2 added to each other before being used to spread the data

Main differences:
- PN sequences are longer, 32768 chips, but not orthogonal
- Walsh sequences are shorter, 64 chips, but are orthogonal
- Walsh sequence repeats 512 times over the course of 1 PN repetition
- PN sequences are used to provide most of the spreading
- Walsh sequences are used to provide the orthogonality
- All data channels share the same PN sequence
- Each of the data channels has a different Walsh sequence to make the channels orthogonal to each other
- The traffic channel also assigns a different Walsh code to each mobile using the channel


Signal Spreading – PN Sequence

Pseudo-Random Number Sequence
- ML (maximal-length) Linear Feedback Shift Register
- Sharp autocorrelation (little time-shifted correlation)
- Taps on defined registers
- PN-I and PN-Q sequences: length 15 registers with different taps for each

CDMA uses two PN sequences

Short PN Sequence
- 32768 chips (32767 from register + 1 more)
- 1.2288 MHz, repeats every 26.6 ms
- Complex: PN-I, PN-Q
- Pilot, Sync, Paging, and Traffic channels

Long PN Sequence
- 4.4 trillion chips
- 1.2288 MHz, repeats every ~42 days
- Used in addition to short PN sequence on Paging and Traffic (Voice) channels

[Figures: Short PN-I shift register and Short PN-Q shift register (different taps); CDMA2000 spreading algorithm]


Signal Spreading – Walsh Sequence

- All channels are also spread by a 64 bit length Walsh sequence
- Walsh sequences are mathematically orthogonal codes – no correlation with each other
- There are 64 different (orthogonal) 64 bit length Walsh sequences
- Each channel is given a different Walsh sequence
  - Pilot: $W_0^{64}$, Sync: $W_{32}^{64}$, Paging: $W_{1-7}^{64}$, Traffic: $W_N^{64}$
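The Walsh channelisation described above, as an added example that is not from the talk: it builds the 64 Walsh codes, spreads a pilot, a sync and one traffic channel, sums them, and separates them again by correlation. The data bits, the traffic index 9 and the function names are constructed for this illustration.

```python
def walsh(n):
    """Rows of the n x n Walsh-Hadamard matrix as 0/1 chips (Sylvester construction)."""
    rows = [[0]]
    while len(rows) < n:
        rows = [r + r for r in rows] + [r + [c ^ 1 for c in r] for r in rows]
    return rows

W = walsh(64)

def spread(bits, code):
    """Modulo-2 add each data bit to every chip of the code, then map 0 -> +1, 1 -> -1."""
    return [1 - 2 * (b ^ c) for b in bits for c in code]

def despread(chips, code):
    """Correlate each 64-chip block with the code; the sign of the sum gives the bit."""
    out = []
    for i in range(0, len(chips), len(code)):
        block = chips[i:i + len(code)]
        acc = sum(x * (1 - 2 * c) for x, c in zip(block, code))
        out.append(0 if acc > 0 else 1)
    return out

def cross_correlation(i, j):
    """Correlation of Walsh codes i and j over one 64-chip period (+/-1 form)."""
    return sum((1 - 2 * a) * (1 - 2 * b) for a, b in zip(W[i], W[j]))

# Constructed sample data for three forward-link channels
pilot_bits = [0, 0, 0, 0]        # pilot: all zeros on W0
sync_bits = [1, 0, 1, 1]         # sync on W32
traffic_bits = [0, 1, 1, 0]      # one traffic user on W9 (index chosen for the example)

def composite():
    """All three channels transmitted at the same time on the same frequency."""
    chans = [spread(pilot_bits, W[0]),
             spread(sync_bits, W[32]),
             spread(traffic_bits, W[9])]
    return [sum(c) for c in zip(*chans)]

if __name__ == "__main__":
    rx = composite()
    print("W0/W32 correlation:", cross_correlation(0, 32))
    print("sync recovered:    ", despread(rx, W[32]))
    print("traffic recovered: ", despread(rx, W[9]))
```
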


Channel Modulation

[Figure: channel modulation block diagram showing Walsh modulation, short PN modulation and long PN modulation]


Forward Pilot Channel

- Provides means for synchronizing mobile to a unique base station
- Continuously transmitted by base stations
- Simplest channel to process
  - 0’s transmitted, modulated only by short PN spreading code
  - Modulated by Walsh code 0 (all 1’s), so code is not affected
- Provides means for processing sync channel
  - Sync channel message lines up w/ beginning of short PN sequence from pilot channel
- Allows mobile to select strongest base station
  - Mobile selects most powerful pilot signal received
  - Pilot PN sequences are offset differently for each base station. Offsets are in steps of 64 chips, so there exist 32768 ÷ 64 = 512 possible offsets


Forward Pilot Channel

Correlated recorded CDMA signals with short PN code

Peaks represent repetition of pilot channel PN code

Recording is cut at first positive offset to begin prosecuting sync channel

Verizon CDMA signal recorded at 1960 MHz


Synchronization Channel

After determining beginning of PN sequence, synchronization channel is demodulated and decoded

Raw chips are multiplied by short PN sequence and Walsh 32 sequence and then “integrated and dumped” over 256 chips to demodulate BPSK bits

Demodulated bits are then De-Interleaved, De-Repeated, and De-Encoded to extract Sync channel information bits

[Figures: Sync Channel BPSK Constellation (Sprint recording @ 1931.25 MHz); Sync Channel Encoding Process]
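The pilot search and the sync channel "integrate and dump" step from the last three slides, as an added example that is not from the talk: a constructed recording holds a pilot and a sync channel buried in noise, the pilot offset is found by correlating with the short PN code, and the sync symbols are then recovered. The PN-I tap recurrence is an assumption taken from IS-95 (the slides do not list the taps); amplitudes, noise level, symbols and function names are constructed, and de-interleaving and decoding are left out.

```python
import random

L = 32768                                   # short PN length in chips

def short_pn_i():
    """Short PN-I as 0/1 chips. Taps are an assumption (IS-95 I-channel recurrence)."""
    s = [0] * 14 + [1]                      # seed: 14 zeros then a 1
    while len(s) < 14 + L - 1:
        s.append(s[-15] ^ s[-10] ^ s[-8] ^ s[-7] ^ s[-6] ^ s[-2])
    return s[14:] + [0]                     # 32767 register chips + 1 inserted zero

PN = [1 - 2 * c for c in short_pn_i()]      # map 0 -> +1, 1 -> -1

def w32(m):
    """Walsh 32 as +/-1: each 64-chip period is 32 chips of +1, then 32 of -1."""
    return 1 if m % 64 < 32 else -1

def record(pilot_pn, symbols, n_chips, sigma=2.0, seed=1):
    """Constructed recording: pilot (amplitude 2) + sync (amplitude 1) + noise."""
    rng = random.Random(seed)
    rx = []
    for n in range(n_chips):
        m = (n - 64 * pilot_pn) % L         # base station PN phase at receiver chip n
        data = 1 - 2 * symbols[(m // 256) % len(symbols)]
        rx.append(PN[m] * (2 + data * w32(m)) + rng.gauss(0, sigma))
    return rx

def acquire(rx, window=1024):
    """Try all 512 pilot offsets; return (offset with the largest correlation, peak)."""
    def score(k):
        return sum(rx[n] * PN[(n - 64 * k) % L] for n in range(window))
    best = max(range(512), key=score)
    return best, score(best)

def demod_sync(rx, pilot_pn):
    """Multiply by short PN and Walsh 32, then integrate and dump over 256 chips."""
    out = []
    for start in range((64 * pilot_pn) % 256, len(rx) - 255, 256):
        acc = 0.0
        for n in range(start, start + 256):
            m = (n - 64 * pilot_pn) % L
            acc += rx[n] * PN[m] * w32(m)
        out.append(0 if acc > 0 else 1)
    return out

SYMBOLS = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sync symbols
RX = record(428, SYMBOLS, 4096)             # 428 = Sprint PILOT_PN in the table

if __name__ == "__main__":
    k, peak = acquire(RX)
    print(k, round(peak), demod_sync(RX, k))
```

Per chip the sync signal is weaker than the noise (amplitude 1 against a standard deviation of 2); summing 256 chips per symbol is what lifts it back out.
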


Synchronization Channel

- Synchronization Channel contains important information that the mobile needs to interface properly with the base station and the user
- Information such as PN Long Code State, Pilot PN Offset, and Paging Channel Data Rate are all important in prosecuting additional channels
- Information such as the System Identification Number, and the System Time of transmission could be useful for GPS Opportunistic Ranging

Sync Channel Message Content

| Description | Parameter | Sprint PCS Parsed Data | Verizon Wireless Parsed Data |
|---|---|---|---|
| Message Channel | MSG_TYPE | Sync Channel | Sync Channel |
| Protocol revision | P_REV | 5 | 5 |
| Min. Protocol Supported | MIN_P_REV | 1 | 1 |
| System Identification | SID | 4181 (Sprint) | 4182 (Verizon) |
| Network Identification | NID | 1 | 5 |
| Pilot PN Offset | PILOT_PN | 428 | 129 |
| Long Code State | LC_STATE | 0x3525506F5AA | 0x34D58A1B56A |
| System Time (GPS) | SYS_TIME | 2008/1/18 20:56:42.560 | 2008/1/18 20:59:41.600 |
| Leap Seconds | LP_SEC | 13 | 14 |
| Local Time Offset (from GMT) | LTM_OFF | -12 (-6 hours) | -12 (-6 hours) |
| Daylight Savings (0 or 1) | DAYLT | 0 (Not in effect) | 0 (Not in effect) |
| Paging Channel Data Rate | PRAT | 9600 bps | 9600 bps |
| Channel Number | CDMA_FREQ | 25 | 600 |


Basestation Geolocation using CDMA (one way it’s been done)

Range Determination
- System time transmitted in the sync channel message is the exact GPS time 320 ms after the end of the sync channel message
- Raw data was also time stamped, in picoseconds, with the current GPS time as it was recorded
- (System Time – Time Stamp) = Propagation Delay
- Propagation Delay × 3 × 10^8 m/s (speed of light) = Distance from base station to antenna
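The range calculation above, as an added example that is not from the talk, showing why the recording's picosecond time stamps have to stay integers: the same subtraction done in floating-point seconds is off by tens of metres. It assumes SYS_TIME counts 80 ms units since the GPS epoch (an IS-95 convention not stated on the slides); the receiver time stamp is constructed and the function names are this example's own.

```python
from datetime import datetime, timedelta

GPS_EPOCH = datetime(1980, 1, 6)
PS_PER_UNIT = 80 * 10**9        # assumption: SYS_TIME counts 80 ms units since the GPS epoch
C = 3 * 10**8                   # m/s, the rounded value used on the slide

def to_sys_time(gps_time):
    """Encode a GPS-timescale datetime as a SYS_TIME count (exact integer division)."""
    return (gps_time - GPS_EPOCH) // timedelta(milliseconds=80)

def range_exact(sys_time, rx_stamp_ps):
    """Distance in metres using integer picoseconds.

    rx_stamp_ps is the receiver's GPS time stamp (ps since the GPS epoch) of the
    instant SYS_TIME describes: 320 ms after the end of the received sync message.
    The delay is the magnitude of the slide's (System Time - Time Stamp).
    """
    delay_ps = rx_stamp_ps - sys_time * PS_PER_UNIT
    return delay_ps * C / 10**12

def range_float(sys_time, rx_stamp_ps):
    """Same calculation after converting both times to float seconds first.

    Near 8.8e8 s a double resolves only about 1.2e-7 s, i.e. about 36 m of range.
    """
    return (rx_stamp_ps / 10**12 - sys_time * 0.08) * C

# Constructed input: the Sprint SYS_TIME from the table, and a receiver time
# stamp 1,496,667 ps later (the delay of a path of about 449 m).
SYS_TIME = to_sys_time(datetime(2008, 1, 18, 20, 56, 42, 560000))
RX_STAMP_PS = SYS_TIME * PS_PER_UNIT + 1_496_667

if __name__ == "__main__":
    print("SYS_TIME field:", SYS_TIME)
    print("integer ps    :", range_exact(SYS_TIME, RX_STAMP_PS), "m")
    print("float seconds :", range_float(SYS_TIME, RX_STAMP_PS), "m")
```
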


Basestation Geolocation

Direction Finding
- Recordings were made with an antenna array with up to 8 channels
- Direction Finding techniques were applied by correlating received signals with the array manifold for the antenna
- This determined the angle of arrival for the incoming
- Results show azimuth and confidence level for direction of base station

[Figure: DF Results, azimuth (deg) and quality plotted against tasks over time]

Verizon Base Station: 175° at 94% confidence


Geolocation

- Distance prediction: 449 meters
- DF prediction: 175°

[Figure: map overlay labelled 175° and .452 km]


Cell Phone Field Test Mode

Gives information about towers it’s connected to:
- Primary Tower it’s currently communicating with
- Neighboring Towers are also shown

Allows one to determine PN_Offsets, Channel Frequency(ies), and other information about the cell tower.

This can be used to link data seen in the decoded sync channel messages to an actual cell tower, and more importantly get the exact coordinates of the CDMA signal

[Figure: field test mode screen with callouts: PN_Offset, Rx Signal Strength, Tower ID (SID), Network ID, Frequency Channel, Phone Status]


Mapping Base Stations

Internet cell tower maps are available to help find CDMA base stations in any area

By driving out to base stations one could create a database containing the SID of each tower, its coordinates, and the frequency channel(s) that it uses


What have I done so far in Frequency Stability Transfer

- I have despread the pilot channel to remove any of the bit transitions
- What is left should be a continuous stream of 1’s which in complex form allows me to calculate the phase of the signal at a given point in time
- By feeding these phases into Kyle’s Allan Variance program, I have gotten Allan Variance measurements as low as 10^-11
- I suspect that by applying coherent accumulation techniques learned in class, that I can get this number even lower


Final Thoughts

Opportunistic Ranging
- Possibly track the change in phase of the carrier using the Pilot Channel (all 1’s transmitted)
- Get the exact coordinates of the base station in which we are connected by looking up the station in a pre-loaded database, using the Station ID (SID) found by decoding the synchronization channel
- The paging channel, which I have not decoded in the past, does contain the basestation latitude and longitude, however the accuracy of each only extends to .25” (seconds) which is about 25 feet


Questions?


Appendix

PCS band frequency allocation


[Figure: uplink and downlink frequency allocation]
