CDMA Technical Talk
Ken Pesyna
April 15, 2010

Outline
- Background
- Signal Spreading
- Forward Pilot Channel
- Synchronization Channel
- Geolocation
- Cell Phone Field Test Mode
- Mapping Base Stations

Background
- Major carriers: Verizon Wireless, Sprint PCS
- CDMA2000®: 522 million global subscribers (4/12/2010), 99 countries (US, China, Korea, India, Pakistan, Afghanistan, Iraq)
- CDMA is very strongly US based
- Most of the rest of the world, particularly Europe, uses primarily GSM
- 4G providers will continue to provide backwards compatibility with CDMA phones

Background: Code Division Multiple Access (CDMA)
- Multiple users can communicate at the same time and frequency by utilizing unique spreading codes
- [Figure: time/frequency plots of FDMA, TDMA and CDMA]
- Benefits: increased capacity, universal frequency reuse, resistance to interference
- [Figure: GSM cells vs. CDMA cells]

US CDMA Frequency Spectrum
- 850/1900 MHz, for the downlink (tower to phone, our concern)
- 1850 MHz – 1910 MHz, for the uplink (phone to tower)
- Split into frequency blocks: A – F
- Each block contains a number of frequency channels, i.e. center frequencies
- Each frequency channel is 1.25 MHz wide
- Channel numbers (downlink): 25 – 1175, in increments of 25
- Base stations are assigned one channel number
- An entire call is communicated on one single channel, i.e. center frequency
- San Antonio (for example): CDMA: A (Sprint), B (Verizon)
- [Figure: channel number vs. frequency block]

Forward Link Channels
CDMA signals consist of 4 different data channels that the base station uses to communicate to the mobile:

Pilot Channel
- Continuously transmitted by the base station
- The mobile uses this channel to determine which base station is strongest and link to it
- Each base station in an area has a different pilot channel offset

Synchronization Channel (Synch)
- Beginning of the Synch channel aligns with the beginning of the Pilot Channel
- Mobiles use this channel to receive synchronization messages that allow them to synchronize with codes generated by the base station; those codes are used to encode, but not encrypt, the remaining two channels
Paging Channel
- Carries overhead messages and system parameters to all mobiles
- Authentication Challenge Message, based on the mobile's electronic serial number
- Communicates Shared Secret Data (SSD) to the mobile, used to encrypt the call
- Assigns a traffic channel to the mobile
- Also contains a list of all available neighbors and their pilot channel offsets

Traffic Channel
- Carries voice, data, and signaling messages during a call
- Handles the handoff process from one base station to another

Signal Spreading
- A spread CDMA signal can exist below the noise floor
- [Figure: spread signal under the noise floor, de-spread signal above it]
- De-spreading yields processing gain $PG = 10\log_{10}\!\left(\frac{R_C}{R_B}\right)$ (dB), the difference between $\mathrm{SNR}_{\text{de-spread}}$ and $\mathrm{SNR}_{\text{spread}}$

Signal Spreading
- Signals are "dual-spread" by two different spreading sequences: Walsh sequences and Pseudo-Random Number (PN) sequences
- Walsh sequences are orthogonal: no cross-correlation interference
- PN sequences are generated by a maximal-length shift register
- Both spreading codes are at a rate of 1.2288e6 chips/second
- Data gets upsampled to that chip rate before being modulo-2 summed with the spreading sequence

Signal Spreading
Similarities:
- The beginning of the Walsh sequence lines up with the beginning of the PN sequence
- They overlap, so they are effectively modulo-2 added to each other before being used to spread the data
Main differences:
- PN sequences are longer, 32768 chips, but not orthogonal
- Walsh sequences are shorter, 64 chips, but are orthogonal
- The Walsh sequence repeats 512 times over the course of 1 PN repetition
- PN sequences are used to provide most of the spreading
- Walsh sequences are used to provide the orthogonality
- All data channels share the same PN sequence
- Each of the data channels has a different Walsh sequence to make the channels orthogonal to each other
- The traffic channel also assigns a different Walsh code to each mobile using the channel

Signal Spreading – PN Sequence
Pseudo-Random Number Sequence:
- Maximal-length (ML) linear feedback shift register
- Sharp autocorrelation (little time-shifted correlation)
- Taps on defined registers
- PN-I and PN-Q sequences: length-15 registers with different taps for each
- [Figure: Short PN-I shift register and Short PN-Q shift register, with different taps]

CDMA uses two PN sequences:
Short PN Sequence
- 32768 chips (32767 from the register + 1 more)
- 1.2288 MHz, repeats every 26.6 ms
- Complex: PN-I, PN-Q
- Used on the Pilot, Sync, Paging, and Traffic channels
Long PN Sequence
- 4.4 trillion chips
- 1.2288 MHz, repeats every ~42 days
- Used in addition to the short PN sequence on the Paging and Traffic (voice) channels
- [Figure: CDMA2000 spreading algorithm]

Signal Spreading – Walsh Sequence
- All channels are also spread by a 64-bit-length Walsh sequence
- Walsh sequences are mathematically orthogonal codes: no correlation with each other
- There are 64 different (orthogonal) 64-bit-length Walsh sequences
- Each channel is given a different Walsh sequence: Pilot: $W_0^{64}$, Sync: $W_{32}^{64}$, Paging: $W_{1\text{-}7}^{64}$, Traffic: $W_N^{64}$

Channel Modulation
- [Figure: Walsh modulation, long PN modulation, short PN modulation]

Forward Pilot Channel
- Provides a means for synchronizing the mobile to a unique base station
- Continuously transmitted by base stations
- Simplest channel to process: 0's transmitted, modulated only by the short PN spreading code; modulated by Walsh code 0 (all 1's), so the code is not affected
- Provides a means for processing the sync channel: the sync channel message lines up with the beginning of the short PN sequence from the pilot channel
- Allows the mobile to select the strongest base station: the mobile selects the most powerful pilot signal received
- Pilot PN sequences are offset differently for each base station. Offsets are in steps of 64 chips.
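The PN-sequence and pilot-offset slides above describe a 15-stage maximal-length shift register, the extra chip that stretches 32767 chips to 32768, the sharp autocorrelation, and the 512 pilot offsets spaced 64 chips apart. The following is an added example (not code from the talk) that builds such a sequence and runs a pilot-offset search over it. It assumes the generic primitive polynomial x^15 + x + 1 for the feedback taps (the slides do not list the CDMA PN-I/PN-Q tap sets and they are not reproduced here), places the extra chip after the run of 14 zeros, and models channel impairment as a constructed fraction of flipped chips; the 2048-chip correlation window and the function names are likewise choices made for this example.

```python
"""Short-PN-style m-sequence from a 15-stage LFSR, its autocorrelation, and a
pilot-offset search in 64-chip steps.  Added example, not from the talk.
The feedback polynomial x^15 + x + 1 is a generic primitive polynomial picked
for illustration; the CDMA PN-I / PN-Q tap sets are not on the slides and
are NOT reproduced here."""
import random

NBITS = 15                          # register length from the slides
TAPS = (15, 1)                      # exponents of x^15 + x + 1 (assumed primitive)
OFFSET_STEP = 64                    # pilot offsets are multiples of 64 chips
N_OFFSETS = 32768 // OFFSET_STEP    # 512 possible offsets


def _step(state):
    """One Fibonacci-LFSR shift: stage 1 is bit 0, feedback enters stage 15."""
    fb = 0
    for t in TAPS:
        fb ^= (state >> (t - 1)) & 1
    return (state >> 1) | (fb << (NBITS - 1))


def lfsr_period(seed=1):
    """Steps until the register returns to its seed: 2^15 - 1 iff TAPS is primitive."""
    state, steps = seed, 0
    while True:
        state = _step(state)
        steps += 1
        if state == seed:
            return steps


def lfsr_msequence(seed=1):
    """One period (32767 chips, 0/1) of the m-sequence; the output is stage 1."""
    state, out = seed, []
    for _ in range((1 << NBITS) - 1):
        out.append(state & 1)
        state = _step(state)
    return out


def short_pn(mseq):
    """Stretch 32767 chips to the 32768-chip short PN by inserting one extra 0
    after the single run of 14 zeros (the extra-chip placement assumed here)."""
    n = len(mseq)
    for i in range(n):
        if all(mseq[(i + k) % n] == 0 for k in range(NBITS - 1)):
            j = (i + NBITS - 1) % n
            return mseq[:j] + [0] + mseq[j:]
    raise ValueError("no 14-zero run: not an m-sequence")


def periodic_autocorr(seq, lag):
    """Periodic autocorrelation with chips mapped 0 -> +1, 1 -> -1."""
    n = len(seq)
    s = [1 - 2 * c for c in seq]
    return sum(s[i] * s[(i + lag) % n] for i in range(n))


def make_pilot(pn, offset_index, flip_fraction=0.0, seed=0):
    """Pilot of a base station at offset 64*offset_index, optionally with a
    constructed fraction of chips flipped to mimic a noisy channel."""
    n = len(pn)
    start = offset_index * OFFSET_STEP
    chips = [pn[(start + i) % n] for i in range(n)]
    rng = random.Random(seed)
    for i in range(n):
        if rng.random() < flip_fraction:
            chips[i] ^= 1
    return chips


def pilot_offset_search(received, pn, window=2048):
    """Correlate the first `window` received chips against the local short PN
    at each of the 512 candidate offsets; return (best index, best score,
    runner-up score).  A sharp single peak identifies the base station's offset."""
    n = len(pn)
    r = [1 - 2 * c for c in received[:window]]
    local = [1 - 2 * c for c in pn]
    scores = []
    for m in range(N_OFFSETS):
        start = m * OFFSET_STEP
        scores.append(sum(r[i] * local[(start + i) % n] for i in range(window)))
    best = max(range(N_OFFSETS), key=scores.__getitem__)
    ranked = sorted(scores, reverse=True)
    return best, ranked[0], ranked[1]


M_SEQ = lfsr_msequence()
SHORT_PN = short_pn(M_SEQ)

if __name__ == "__main__":
    print("period:", lfsr_period())
    print("autocorr at lag 0 / lag 1:", periodic_autocorr(M_SEQ, 0), periodic_autocorr(M_SEQ, 1))
    rx = make_pilot(SHORT_PN, 428, flip_fraction=0.3)   # PILOT_PN 428 as in the Sprint table
    print("offset search (best, peak, runner-up):", pilot_offset_search(rx, SHORT_PN))
```

The m-sequence has autocorrelation 32767 at zero lag and exactly −1 at every other lag, which is the "sharp autocorrelation" the slide refers to; the offset search still picks the right 64-chip offset when 30% of the received chips are flipped, because the peak is averaged over the whole window while the other 511 candidates stay near zero.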
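The spreading slides state that every forward channel is spread by a shared PN sequence and by its own 64-chip Walsh row, and the Synchronization Channel slides later describe recovering sync bits by multiplying by the short PN and Walsh 32 and "integrating and dumping" over 256 chips. This added example (not code from the talk) builds the Walsh matrix, dual-spreads a pilot, a sync channel and a paging channel onto one PN, buries the sync chips 10 dB below Gaussian noise, and recovers the bits while measuring the processing gain against the slide's $10\log_{10}(R_C/R_B)$ formula. A seeded random ±1 sequence stands in for the short PN; the Walsh rows come from the Sylvester (Hadamard) construction, with rows 0, 32 and 1 used for pilot, sync and paging on the assumption that the slides' W labels follow that ordering; the 128-chip paging symbol length, the noise level and the function names are constructed for this example.

```python
"""Dual spreading with Walsh-64 + a shared PN, and sync-channel-style
integrate-and-dump despreading.  Added example, not code from the talk.
A seeded random +/-1 sequence stands in for the short PN; Walsh rows come
from the Sylvester (Hadamard) construction, and the row indices 0/32/1 for
pilot/sync/paging follow the slides' labels under the assumption that the
standard's ordering matches Hadamard order."""
import math
import random

CHIP_RATE = 1.2288e6            # chips/s (slides)
WALSH_LEN = 64                  # chips per Walsh sequence (slides)
SYNC_CHIPS_PER_SYMBOL = 256     # sync integrate-and-dump length (slides)
PAGING_CHIPS_PER_SYMBOL = 128   # constructed: 1.2288e6 chips/s / 9600 bps


def walsh_matrix(n=WALSH_LEN):
    """n x n matrix of +/-1 Walsh rows; row 0 is all ones."""
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-v for v in row] for row in h]
    return h


def walsh_is_orthogonal(w):
    """True when every pair of distinct rows has zero dot product."""
    n = len(w)
    return all(sum(a * b for a, b in zip(w[i], w[j])) == 0
               for i in range(n) for j in range(n) if i != j)


def spread_channel(symbols, walsh_row, chips_per_symbol, pn):
    """Hold each +/-1 symbol for chips_per_symbol chips, then multiply by the
    repeating Walsh row and by the shared PN chip (modulo-2 add in +/-1 form)."""
    out = []
    for i, sym in enumerate(symbols):
        for c in range(chips_per_symbol):
            t = i * chips_per_symbol + c
            out.append(sym * walsh_row[t % WALSH_LEN] * pn[t])
    return out


def integrate_and_dump(chips, walsh_row, chips_per_symbol, pn):
    """Multiply by PN and Walsh, sum over one symbol interval, emit the soft value."""
    dumps = []
    for i in range(len(chips) // chips_per_symbol):
        acc = 0.0
        for c in range(chips_per_symbol):
            t = i * chips_per_symbol + c
            acc += chips[t] * pn[t] * walsh_row[t % WALSH_LEN]
        dumps.append(acc)
    return dumps


def processing_gain_db(chip_rate, symbol_rate):
    """PG = 10 log10(R_C / R_B), as on the Signal Spreading slide."""
    return 10.0 * math.log10(chip_rate / symbol_rate)


def simulate(n_sync_symbols=400, chip_snr_db=-10.0, seed=7):
    """Pilot (W0), sync (W32) and paging (W1) on one PN, plus Gaussian noise
    that puts the sync chips chip_snr_db below the noise; recover the sync
    bits and compare the measured output SNR gain with the PG formula."""
    rng = random.Random(seed)
    w = walsh_matrix()
    n_chips = n_sync_symbols * SYNC_CHIPS_PER_SYMBOL
    pn = [rng.choice((1, -1)) for _ in range(n_chips)]            # stand-in short PN
    sync_bits = [rng.choice((1, -1)) for _ in range(n_sync_symbols)]
    paging_bits = [rng.choice((1, -1)) for _ in range(n_chips // PAGING_CHIPS_PER_SYMBOL)]
    pilot = spread_channel([1] * (n_chips // WALSH_LEN), w[0], WALSH_LEN, pn)
    sync = spread_channel(sync_bits, w[32], SYNC_CHIPS_PER_SYMBOL, pn)
    paging = spread_channel(paging_bits, w[1], PAGING_CHIPS_PER_SYMBOL, pn)
    sigma = math.sqrt(10 ** (-chip_snr_db / 10.0))   # noise std for unit-power sync chips
    rx = [p + s + g + rng.gauss(0.0, sigma) for p, s, g in zip(pilot, sync, paging)]
    dumps = integrate_and_dump(rx, w[32], SYNC_CHIPS_PER_SYMBOL, pn)
    decided = [1 if d > 0 else -1 for d in dumps]
    errors = sum(1 for a, b in zip(decided, sync_bits) if a != b)
    aligned = [d * b for d, b in zip(dumps, sync_bits)]   # strip the known sign
    mean = sum(aligned) / len(aligned)
    var = sum((a - mean) ** 2 for a in aligned) / (len(aligned) - 1)
    out_snr_db = 10.0 * math.log10(mean * mean / var)
    return {"errors": errors,
            "out_snr_db": out_snr_db,
            "measured_pg_db": out_snr_db - chip_snr_db,
            "theory_pg_db": processing_gain_db(CHIP_RATE, CHIP_RATE / SYNC_CHIPS_PER_SYMBOL)}


if __name__ == "__main__":
    print("Walsh-64 orthogonal:", walsh_is_orthogonal(walsh_matrix()))
    print("PG for a 9600 bps channel: %.2f dB" % processing_gain_db(CHIP_RATE, 9600))
    print(simulate())
```

Because the pilot and paging symbols are constant across every 64-chip Walsh period, their products with W32 sum to exactly zero inside each dump: the only thing left in the sync decision variable is the sync symbol times 256 plus Gaussian noise, so the SNR rises by $10\log_{10}(256) \approx 24$ dB, matching the formula with $R_B$ equal to the 4800 symbols/s dump rate.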
- So there exist 32768 ÷ 64 = 512 possible offsets

Forward Pilot Channel
- Correlated recorded CDMA signals with the short PN code
- Peaks represent repetition of the pilot channel PN code
- Recording is cut at the first positive offset to begin prosecuting the sync channel
- [Figure: correlation peaks of a Verizon CDMA signal recorded at 1960 MHz]

Synchronization Channel
- After determining the beginning of the PN sequence, the synchronization channel is demodulated and decoded
- Raw chips are multiplied by the short PN sequence and the Walsh 32 sequence and then "integrated and dumped" over 256 chips to demodulate BPSK bits
- Demodulated bits are then de-interleaved, de-repeated, and decoded to extract the sync channel information bits
- [Figure: sync channel BPSK constellation, Sprint recording at 1931.25 MHz]
- [Figure: sync channel encoding process]

Synchronization Channel
- The synchronization channel contains important information that the mobile needs to interface properly with the base station and the user
- Information such as the PN Long Code State, Pilot PN Offset, and Paging Channel Data Rate is all important in prosecuting additional channels
- Information such as the System Identification Number and the System Time of transmission could be useful for GPS Opportunistic Ranging

Sync Channel Message Content

Description                    Parameter   Sprint PCS parsed data    Verizon Wireless parsed data
Message Channel                MSG_TYPE    Sync Channel              Sync Channel
Protocol revision              P_REV       5                         5
Min. protocol supported        MIN_P_REV   1                         1
System Identification          SID         4181 (Sprint)             4182 (Verizon)
Network Identification         NID         1                         5
Pilot PN Offset                PILOT_PN    428                       129
Long Code State                LC_STATE    0x3525506F5AA             0x34D58A1B56A
System Time (GPS)              SYS_TIME    2008/1/18 20:56:42.560    2008/1/18 20:59:41.600
Leap Seconds                   LP_SEC      13                        14
Local Time Offset (from GMT)   LTM_OFF     -12 (-6 hours)            -12 (-6 hours)
Daylight Savings (0 or 1)      DAYLT       0 (Not in effect)         0 (Not in effect)
Paging Channel Data Rate       PRAT        9600 bps                  9600 bps
Channel Number                 CDMA_FREQ   25                        600

Base Station Geolocation using CDMA (one way it's been done)

Range Determination
- The system time transmitted in the sync channel message is the exact GPS time 320 ms after the end of the sync channel message
- Raw data was also time-stamped, in picoseconds, with the current GPS time as it was recorded
- $\text{System Time} - \text{Time Stamp} = \text{Propagation Delay}$
- $\text{Propagation Delay} \times 3 \times 10^{8}\ \text{m/s (speed of light)} = \text{Distance from base station to antenna}$

Direction Finding
- Recordings were made with an antenna array with up to 8 channels
- Direction finding techniques were applied by correlating received signals with the array manifold for the antenna
- This determined the angle of arrival for the incoming signal
- Results show azimuth and confidence level for the direction of the base station
- [Figure: DF results, azimuth (deg) and quality vs. tasks over time]
- Verizon base station: 175° at 94% confidence

Geolocation
- Distance prediction: 449 meters
- DF prediction: 175°
- [Figure: map with the 175° bearing and 0.452 km range drawn from the receiver]

Cell Phone Field Test Mode
- Gives information about the towers the phone is connected to:
  - the primary tower it is currently communicating with
  - neighboring towers are also shown
- Allows one to determine PN_Offsets, channel frequency(ies), and other information about the cell tower
- This can be used to link data seen in the decoded sync channel messages to an actual cell tower, and more importantly to get the exact coordinates of the CDMA signal
- [Figure: field test screen showing PN_Offset, Rx Signal Strength, Tower ID (SID), Frequency Channel, Phone Status, Network ID]

Mapping Base Stations
- Internet cell tower maps are available to help find CDMA base stations in any area
- By driving out to base stations one could create a database containing the SID of each tower, its coordinates, and the frequency channel(s) that it uses
- [Figure: Mapping Base Stations]

What have I done so far in Frequency Stability Transfer
- I have despread the pilot channel to remove any of the bit transitions
- What is left should be a continuous stream of 1's, which in complex form allows me to calculate the phase of the signal at a given point in time
- By feeding these phases into Kyle's Allan Variance program, I have gotten Allan Variance measurements as low as $10^{-11}$
- I suspect that by applying coherent accumulation techniques learned in class, I can get this number even lower

Final Thoughts
Opportunistic Ranging
- Possibly track the change in phase of the carrier using the Pilot Channel (all 1's transmitted)
- Get the exact coordinates of the base station to which we are connected by looking up the station in a pre-loaded database, using the Station ID (SID) found by decoding the synchronization channel
- The paging channel, which I have not decoded in the past, does contain the base station latitude and longitude; however, the accuracy of each only extends to 0.25" (seconds), which is about 25 feet

Questions?

Appendix
- [Figure: PCS band frequency allocation, uplink and downlink]
- [Figure: channel modulation, short PN modulation]
- [Figure: Mapping Base Stations]
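The Range Determination, Direction Finding and Final Thoughts slides above chain together: the sync message's system time versus the recorder's GPS time stamp gives a propagation delay, the delay times the speed of light gives a range, the DF azimuth gives a bearing, and a SID lookup in a pre-loaded database gives coordinates to compare against. The following added example (not the talk's code) carries that chain through with the Verizon values from the table (SYS_TIME 2008/1/18 20:59:41.600, LP_SEC 14, LTM_OFF −12, SID 4182, 175°). The receiver position, the picosecond arrival stamp (constructed to give roughly the 449 m range reported on the slides), the flat-earth projection, the TOWER_DB entries and the function names are all assumptions of this example; the 30-minute unit for LTM_OFF is inferred from the table's "−12 (−6 hours)" reading.

```python
"""Base-station range and bearing from the sync channel system time, a
GPS-stamped recording and a DF azimuth, then a SID lookup in a tower database.
Added worked example, not the talk's code; the receiver position, the sample
time stamp and the TOWER_DB entries are constructed placeholders."""
import math
from datetime import datetime, timedelta

C_M_PER_S = 3.0e8                  # speed of light as used on the slides
GPS_EPOCH = datetime(1980, 1, 6)   # GPS time counts from this instant
PS_PER_S = 1_000_000_000_000       # recorder time stamps are in picoseconds
EARTH_R_M = 6_371_000.0            # mean Earth radius for the flat-earth projection

# Constructed placeholder database: SID -> (carrier, lat, lon, channel numbers).
# A real one would be built by driving out to the towers, as the slides describe.
TOWER_DB = {
    4181: ("Sprint", 29.4200, -98.4900, (25,)),
    4182: ("Verizon", 29.4150, -98.4876, (600,)),
}


def gps_datetime_to_ps(dt):
    """Picoseconds since the GPS epoch for a datetime on the GPS time scale
    (integer arithmetic, so no float rounding at the microsecond level)."""
    d = dt - GPS_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 1_000_000


def propagation_delay_s(sys_time_ps, arrival_stamp_ps):
    """|System Time - Time Stamp| in seconds: sys_time_ps is the GPS instant the
    message refers to (320 ms after the message end at the transmitter), and
    arrival_stamp_ps is the recorder's stamp of the sample at which that
    instant was received."""
    return abs(arrival_stamp_ps - sys_time_ps) / PS_PER_S


def range_from_delay_m(delay_s):
    """Propagation delay times the speed of light."""
    return delay_s * C_M_PER_S


def gps_to_local(dt_gps, lp_sec, ltm_off):
    """UTC = GPS - LP_SEC; local = UTC + LTM_OFF half-hours (the table's
    -12 -> -6 hours reading implies 30-minute units)."""
    return dt_gps - timedelta(seconds=lp_sec) + timedelta(minutes=30 * ltm_off)


def project(lat_deg, lon_deg, rng_m, azimuth_deg):
    """Point at range rng_m and bearing azimuth_deg (clockwise from north)
    from (lat, lon), using a local flat-earth approximation."""
    az = math.radians(azimuth_deg)
    d_north = rng_m * math.cos(az)
    d_east = rng_m * math.sin(az)
    lat = lat_deg + math.degrees(d_north / EARTH_R_M)
    lon = lon_deg + math.degrees(d_east / (EARTH_R_M * math.cos(math.radians(lat_deg))))
    return lat, lon


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_R_M * math.asin(math.sqrt(a))


def geolocate(sid, rx_lat, rx_lon, sys_time_ps, arrival_stamp_ps, azimuth_deg):
    """Range from timing, bearing from DF, position by projection, and the
    distance between that estimate and the database entry for the SID."""
    delay = propagation_delay_s(sys_time_ps, arrival_stamp_ps)
    rng_m = range_from_delay_m(delay)
    est_lat, est_lon = project(rx_lat, rx_lon, rng_m, azimuth_deg)
    entry = TOWER_DB.get(sid)
    db_err = haversine_m(est_lat, est_lon, entry[1], entry[2]) if entry else None
    return {"delay_us": delay * 1e6, "range_m": rng_m,
            "estimate": (est_lat, est_lon), "db_error_m": db_err,
            "carrier": entry[0] if entry else None}


if __name__ == "__main__":
    sys_time = datetime(2008, 1, 18, 20, 59, 41, 600000)   # Verizon SYS_TIME from the table
    t_sys = gps_datetime_to_ps(sys_time)
    t_arrival = t_sys + 1_496_667                            # constructed stamp: ~449 m of flight
    print("local time:", gps_to_local(sys_time, lp_sec=14, ltm_off=-12))
    print(geolocate(4182, 29.4190, -98.4880, t_sys, t_arrival, 175.0))
```

Keeping the time stamps as integer picoseconds matters: a float of seconds since 1980 carries only about a tenth of a microsecond of resolution, which is tens of metres of range error, so the subtraction is done before any conversion to floating point.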
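The Frequency Stability Transfer slide describes despreading the pilot to a continuous stream of 1's, taking the phase of the resulting complex samples, and feeding those phases into an Allan variance computation. This added example (not Kyle's program or the talk's code) implements that pipeline with an overlapping Allan deviation estimator. The despread pilot is synthesised here as constant-envelope samples with an optional carrier frequency offset and white phase noise; f0 = 1960 MHz is the Verizon recording frequency from the slides, while the 1 ms phase-sample spacing, the 0.01 rad noise level and the function names are constructed choices.

```python
"""Allan deviation from the phase of a despread pilot.  Added example, not
Kyle's program or the talk's code.  The despread pilot is synthesised here
(constant envelope, optional carrier frequency offset, white phase noise);
f0 = 1960 MHz is the Verizon recording frequency from the slides, while the
1 ms phase-sample spacing and the noise level are constructed choices."""
import cmath
import math
import random


def synthetic_despread_pilot(n, tau0, f_offset_hz=0.0, phase_noise_rad=0.01, seed=1):
    """Constructed stand-in for the despread pilot: a stream of 1's on the
    carrier, so each sample is exp(j*phi) with a phase ramp from any residual
    frequency offset plus white phase noise."""
    rng = random.Random(seed)
    return [cmath.exp(1j * (2 * math.pi * f_offset_hz * tau0 * i + rng.gauss(0.0, phase_noise_rad)))
            for i in range(n)]


def unwrap(phases):
    """Remove 2*pi jumps so the phase is continuous in time."""
    out = [phases[0]]
    prev = phases[0]
    for p in phases[1:]:
        d = (p - prev + math.pi) % (2 * math.pi) - math.pi
        out.append(out[-1] + d)
        prev = p
    return out


def pilot_phase_to_time_error(samples, f0_hz):
    """Phase of each complex sample, unwrapped, converted to a clock error in
    seconds: x(t) = phi(t) / (2*pi*f0)."""
    phi = unwrap([cmath.phase(z) for z in samples])
    return [p / (2 * math.pi * f0_hz) for p in phi]


def overlapping_adev(x, tau0, m):
    """Overlapping Allan deviation at tau = m*tau0 from time-error samples x:
    sigma_y^2(tau) = sum_i (x[i+2m] - 2 x[i+m] + x[i])^2 / (2 tau^2 (N - 2m))."""
    n = len(x)
    if n < 2 * m + 1:
        raise ValueError("need at least 2m+1 samples")
    tau = m * tau0
    acc = 0.0
    for i in range(n - 2 * m):
        d = x[i + 2 * m] - 2.0 * x[i + m] + x[i]
        acc += d * d
    return math.sqrt(acc / (2.0 * tau * tau * (n - 2 * m)))


def adev_curve(samples, f0_hz, tau0, averaging_factors):
    """ADEV at each tau = m*tau0, computed from the despread pilot's phase."""
    x = pilot_phase_to_time_error(samples, f0_hz)
    return {m: overlapping_adev(x, tau0, m) for m in averaging_factors}


if __name__ == "__main__":
    pilot = synthetic_despread_pilot(20000, tau0=1e-3, f_offset_hz=50.0)
    for m, sigma in adev_curve(pilot, 1960e6, 1e-3, (1, 10, 100, 1000)).items():
        print(f"tau = {m * 1e-3:8.3f} s   ADEV = {sigma:.3e}")
```

Two properties are worth checking on the output: a constant carrier frequency offset produces a linear phase ramp whose second difference is zero, so it does not change the Allan deviation at all, and white phase noise makes the curve fall as $1/\tau$; with the constructed numbers here the curve passes through the $10^{-11}$ region near $\tau \approx 0.1$ s, which is the order of magnitude the slide reports.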