CDMA Technical Talk

Ken Pesyna
April 15, 2010
Outline
 Background
 Signal Spreading
 Forward Pilot Channel
 Synchronization Channel
 Geolocation
 Cell Phone Field Test Mode
 Mapping Base Stations
Background
 Major Carriers
 Verizon Wireless
 Sprint PCS
 CDMA2000®
 522 million global subscribers (4/12/2010)
 99 countries
   US, China, Korea, India, Pakistan, Afghanistan, Iraq
 CDMA is very strongly US based
 Most of the rest of the world, particularly Europe, primarily uses GSM
 4G providers will continue to provide backwards compatibility with CDMA phones
Background
 Code Division Multiple Access (CDMA)
 Multiple users can communicate at the same time & frequency by utilizing unique spreading codes
[Figure: FDMA, TDMA and CDMA shown on Time vs. Frequency axes]
 Benefits
   Increased Capacity
   Universal Frequency Reuse
   Resistance to Interference
[Figure: GSM Cells vs. CDMA Cells]
US CDMA Frequency Spectrum
 850/1900 MHz, for the downlink (tower to phone, our concern)
 1850 MHz – 1910 MHz, for the uplink (phone to tower)
 Each block contains a number of frequency channels, i.e. center frequencies
   Each frequency channel is 1.25 MHz wide
   Channel numbers (downlink): 25 – 1175, increments of 25
   Basestations are assigned 1 channel number
   An entire call is communicated on one single channel, i.e. center frequency
 Split into frequency blocks: A - F
 San Antonio (for example):
   CDMA: A (Sprint), B (Verizon)
[Figure: axis label "Channel Number"]
Forward Link Channels
 CDMA signals consist of 4 different DATA channels that the basestation uses to communicate to the mobile:
 Pilot Channel
   Continuously transmitted by the basestation
   The mobile uses this channel to determine which basestation is strongest and link to it
   Each basestation in an area has a different pilot channel offset
 Synchronization Channel (Synch)
   Beginning of Synch channel aligns with beginning of Pilot Ch.
   Mobiles use this channel to receive synchronization messages that allow them to synchronize with codes generated by the basestation used to encode, but not encrypt, the remaining two channels.
 Paging Channel
   Carries overhead messages and system parameters to all mobiles
   Authentication Challenge Message, based on mobile's electronic serial number
   Communicates to the mobile, Shared Secret Data (SSD), used to encrypt the call
   Assigns a Traffic channel to the mobile
   Also contains a list of all available neighbors and their pilot channel offsets
 Traffic Channel
   Carries voice, data, and signaling messages during a call
   Handles the handoff process from one base station to another
Signal Spreading
 Spread CDMA signal can exist below the noise floor
[Figure: spread signal relative to the Noise Floor]
 De-spreading yields processing gain
$$PG = 10\log_{10}\left(\frac{R_C}{R_B}\right) = SNR_{\text{De-spread}} - SNR_{\text{Spread}}$$
Signal Spreading
 Signals are “dual-spread” by two different spreading sequences:
   Walsh sequences and Pseudo-Random Number (PN) sequences
   Walsh Sequences are orthogonal: no cross correlation interference
   PN sequences are generated by a maximal-length shift register
   Both spreading codes are at a rate of 1.2288e6 chips/second
   Data gets up sampled to that data rate before being modulo 2 summed with the spreading sequence
Signal Spreading
 Similarities
   Beginning of Walsh sequence lines up with beginning of PN sequence
   They are overlapping so they are effectively modulo 2 added to each other before being used to spread the data
 Main differences:
   PN sequences are longer, 32768 chips, but not orthogonal
   Walsh sequences are shorter, 64 chips, but are orthogonal
   Walsh sequence repeats 512 times over the course of 1 PN repetition
   PN sequences are used to provide most of the spreading
   Walsh sequences are used to provide the orthogonality
   All data channels share the same PN sequence
   Each of the data channels has a different Walsh sequence to make the channels orthogonal to each other
   The traffic channel also assigns a different Walsh code to each mobile using the channel
Signal Spreading – PN Sequence
 Pseudo-Random Number Sequence
   ML Linear Feedback Shift Register
   Sharp Autocorrelation (little time-shifted correlation)
   Taps on defined registers
   PN-I and PN-Q sequences length 15 registers with different taps for each
 CDMA uses two PN sequences
 Short PN Sequence
   32768 Chips (32767 from register + 1 more)
   1.2288 MHz, Repeats every 26.6ms
   Complex: PN-I, PN-Q
   Pilot, Sync, Paging, and Traffic channels
 Long PN Sequence
   4.4 trillion Chips
   1.2288 MHz, Repeats every ~42 days
   Used in addition to short PN sequence on Paging and Traffic (Voice) channels
[Figure: CDMA2000 Spreading Algorithm, showing the Short PN-I Shift Register and Short PN-Q Shift Register with different taps]
Signal Spreading – Walsh Sequence
 All channels are also spread by a 64 bit length, Walsh sequence
 Walsh Sequences are mathematically orthogonal codes – No correlation with each other
 There are 64 different (orthogonal) 64 bit length Walsh sequences
 Each Channel is given a different Walsh sequence
   Pilot: $W_0^{64}$, Sync: $W_{32}^{64}$, Paging: $W_{1-7}^{64}$, Traffic: $W_N^{64}$
Channel Modulation
[Figure: Walsh modulation, Long PN modulation, Short PN modulation]
Forward Pilot Channel
 Provides means for synchronizing mobile to a unique base station
 Continuously transmitted by base stations
 Simplest channel to process
   0’s transmitted, modulated only by short PN spreading code
   Modulated by Walsh code 0 (all 1’s), so code is not affected
 Provides means for processing sync channel
   Sync channel message lines up w/ beginning of short PN sequence from pilot channel
 Allows mobile to select strongest base station
   Mobile selects most powerful pilot signal received
   Pilot PN sequences are offset differently for each base station. Offsets are in steps of 64 chips. So there exist 32768 ÷ 64 = 512 possible offsets
Forward Pilot Channel
 Correlated recorded CDMA signals with short PN code
 Peaks represent repetition of pilot channel PN code
 Recording is cut at first positive offset to begin prosecuting sync channel
[Figure: Verizon CDMA signal recorded at 1960 MHz]
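Added example, not from the original slides: Python code that builds the 32768-chip short PN from a 15-stage shift register (the PN Sequence slide) and then ranks pilots by correlating a recording against all 512 offsets (the Forward Pilot Channel slides). The PN-I feedback lags are the IS-95 recurrence as recalled here, an assumption since the slides do not list the taps; the two-station scene (offsets 428 and 129, amplitudes, noise level) is constructed and assumes the recording starts aligned to system time.

```python
import random

CHIP_RATE = 1.2288e6                 # chips per second (from the slides)
PN_I_LAGS = (15, 10, 8, 7, 6, 2)     # assumed IS-95 PN-I recurrence, not on the slides

def short_pn(lags=PN_I_LAGS, stages=15):
    """32768-chip short PN: 32767 LFSR chips plus the one extra 0."""
    hist = [0] * (stages - 1) + [1]              # seed: 14 zeros, then a 1
    while len(hist) < 2 ** stages - 1:
        bit = 0
        for k in lags:
            bit ^= hist[-k]                      # i(n) = XOR of i(n-k)
        hist.append(bit)
    # Start at the 1 after the zero run; the run (14 zeros + 1 extra) ends the period.
    return hist[stages - 1:] + [0] * stages

def bipolar(bits):
    return [1 - 2 * b for b in bits]             # 0 -> +1, 1 -> -1

def received_chips(pn, stations, n_chips, sigma, seed=1):
    """Constructed recording: delayed pilots {PILOT_PN: amplitude} plus noise."""
    rng = random.Random(seed)
    return [sum(a * pn[(n - 64 * idx) % len(pn)] for idx, a in stations.items())
            + rng.gauss(0, sigma) for n in range(n_chips)]

def rank_pilots(rx, pn, top=2):
    """Correlate against all 512 offsets (64-chip steps); strongest first."""
    def power(idx):
        return abs(sum(r * pn[(n - 64 * idx) % len(pn)] for n, r in enumerate(rx)))
    return sorted(range(len(pn) // 64), key=power, reverse=True)[:top]

def demo():
    pn = bipolar(short_pn())
    # Constructed scene: serving pilot at offset 428, weaker neighbour at 129,
    # each pilot weaker than the per-chip noise (sigma = 2).
    rx = received_chips(pn, {428: 1.0, 129: 0.5}, n_chips=2048, sigma=2.0)
    return rank_pilots(rx, pn)

if __name__ == "__main__":
    print("period (ms):", 1e3 * len(short_pn()) / CHIP_RATE)
    print("strongest pilots:", demo())
```

Dropping the inserted zero leaves the raw 32767-chip register output, whose cyclic autocorrelation is 32767 at zero lag and -1 at every other lag; that is the sharp autocorrelation the correlation peaks rely on.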
Synchronization Channel
 After determining beginning of PN sequence, synchronization channel is demodulated and decoded
 Raw chips are multiplied by short PN sequence and Walsh 32 sequence and then “integrated and dumped” over 256 chips to demodulate BPSK bits
 Demodulated bits are then De-Interleaved, De-Repeated, and De-Encoded to extract Sync channel information bits
[Figure: Sync Channel BPSK Constellation, Sprint recording @ 1931.25 MHz]
[Figure: Sync Channel Encoding Process]
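Added example, not from the original slides: Python code that builds the 64 Walsh codes, sums pilot (W0), sync (W32) and one paging channel (W1) under a shared PN, and recovers the sync symbols with the multiply, integrate and dump over 256 chips described above, even with each channel about 9.5 dB below the per-chip noise. It covers both the Walsh Sequence slide and this demodulation step. Assumptions: the PN is a seeded random ±1 stand-in rather than the real short PN, the long-code scrambling of the paging channel is omitted, and the symbols and noise level are constructed.

```python
import math
import random

CHIPS_PER_SYMBOL = 256       # sync channel integrate-and-dump length (from the slides)

def walsh(n=64):
    """Rows of the n x n Hadamard matrix in +/-1 form; row k is Walsh code k."""
    rows = [[1]]
    while len(rows) < n:
        rows = [r + r for r in rows] + [r + [-c for c in r] for r in rows]
    return rows

def processing_gain_db(chip_rate, symbol_rate):
    return 10 * math.log10(chip_rate / symbol_rate)

def forward_link(sync_syms, pn, w, sigma, rng):
    """Pilot (W0) + sync (W32) + paging (W1), spread by the shared PN, plus noise."""
    paging = [rng.choice((-1, 1)) for _ in range(4 * len(sync_syms))]
    chips = []
    for n in range(len(sync_syms) * CHIPS_PER_SYMBOL):
        c = n % 64                                   # position inside the Walsh code
        baseband = (w[0][c]
                    + sync_syms[n // CHIPS_PER_SYMBOL] * w[32][c]
                    + paging[n // 64] * w[1][c])
        chips.append(baseband * pn[n] + rng.gauss(0, sigma))
    return chips

def demod_sync(chips, pn, w):
    """Multiply by PN and Walsh 32, integrate and dump over 256 chips, slice."""
    symbols = []
    for start in range(0, len(chips), CHIPS_PER_SYMBOL):
        acc = sum(chips[n] * pn[n] * w[32][n % 64]
                  for n in range(start, start + CHIPS_PER_SYMBOL))
        symbols.append(1 if acc > 0 else -1)
    return symbols

def demo(sigma=3.0, seed=7):
    rng = random.Random(seed)
    w = walsh()
    sent = [rng.choice((-1, 1)) for _ in range(24)]      # constructed sync symbols
    pn = [rng.choice((-1, 1)) for _ in range(len(sent) * CHIPS_PER_SYMBOL)]  # stand-in PN
    return sent, demod_sync(forward_link(sent, pn, w, sigma, rng), pn, w)

if __name__ == "__main__":
    sent, got = demo()
    print("gain (dB):", round(processing_gain_db(1.2288e6, 1.2288e6 / 256), 2))
    print("all sync symbols recovered:", sent == got)
```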
Synchronization Channel

 Synchronization Channel contains important information that the mobile needs to interface properly with the base station and the user
 Information such as PN Long Code State, Pilot PN Offset, and Paging Channel Data Rate are all important in prosecuting additional channels
 Information such as the System Identification Number, and the System Time of transmission could be useful for GPS Opportunistic Ranging
Sync Channel Message Content
Description                   Parameter   Sprint PCS Parsed Data    Verizon Wireless Parsed Data
Message Channel               MSG_TYPE    Sync Channel              Sync Channel
Protocol revision             P_REV       5                         5
Min. Protocol Supported       MIN_P_REV   1                         1
System Identification         SID         4181 (Sprint)             4182 (Verizon)
Network Identification        NID         1                         5
Pilot PN Offset               PILOT_PN    428                       129
Long Code State               LC_STATE    0x3525506F5AA             0x34D58A1B56A
System Time (GPS)             SYS_TIME    2008/1/18 20:56:42.560    2008/1/18 20:59:41.600
Leap Seconds                  LP_SEC      13                        14
Local Time Offset (from GMT)  LTM_OFF     -12 (-6 hours)            -12 (-6 hours)
Daylight Savings (0 or 1)     DAYLT       0 (Not in effect)         0 (Not in effect)
Paging Channel Data Rate      PRAT        9600 bps                  9600 bps
Channel Number                CDMA_FREQ   25                        600
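Added example, not from the original slides: a Python parser that splits a Sync Channel Message body into the fields in the table above and converts SYS_TIME, LP_SEC and LTM_OFF into system and local time. Assumptions: the field widths, the 80 ms SYS_TIME unit counted from 6 January 1980 and the two's-complement 30-minute LTM_OFF unit are the IS-95 / J-STD-008 values as recalled here (the slides give only the field names and order), the numeric codes for MSG_TYPE and PRAT are assumed, and the input bits are constructed by re-encoding the Sprint PCS column.

```python
from datetime import datetime, timedelta

# (name, width in bits), in the order the slide's table lists the fields.
# Widths are assumed (IS-95 / J-STD-008 as recalled); the slides do not give them.
FIELDS = [("MSG_TYPE", 8), ("P_REV", 8), ("MIN_P_REV", 8), ("SID", 15),
          ("NID", 16), ("PILOT_PN", 9), ("LC_STATE", 42), ("SYS_TIME", 36),
          ("LP_SEC", 8), ("LTM_OFF", 6), ("DAYLT", 1), ("PRAT", 2),
          ("CDMA_FREQ", 11)]
SIGNED = {"LTM_OFF"}                  # two's complement, units of 30 minutes
GPS_EPOCH = datetime(1980, 1, 6)      # SYS_TIME counts 80 ms units from here
TICK = timedelta(milliseconds=80)

def pack(values):
    """Build the bit string for a message (used here to construct the input)."""
    return "".join(format(values[name] & ((1 << width) - 1), "0%db" % width)
                   for name, width in FIELDS)

def parse(bits):
    """Split a '0'/'1' string into named fields, sign-extending LTM_OFF."""
    if len(bits) < sum(width for _, width in FIELDS) or set(bits) - {"0", "1"}:
        raise ValueError("not a complete sync channel message body")
    msg, pos = {}, 0
    for name, width in FIELDS:
        value = int(bits[pos:pos + width], 2)
        if name in SIGNED and value >= 1 << (width - 1):
            value -= 1 << width
        msg[name] = value
        pos += width
    return msg

def decode_times(msg):
    """Return (system time, local civil time) as naive datetimes."""
    system = GPS_EPOCH + msg["SYS_TIME"] * TICK
    local = (system - timedelta(seconds=msg["LP_SEC"])
             + timedelta(minutes=30 * msg["LTM_OFF"]))
    return system, local

# Constructed input: the Sprint PCS column of the table, re-encoded. MSG_TYPE = 1 is
# an assumed code for "Sync Channel"; PRAT = 0 is an assumed code for 9600 bps.
SPRINT = {"MSG_TYPE": 1, "P_REV": 5, "MIN_P_REV": 1, "SID": 4181, "NID": 1,
          "PILOT_PN": 428, "LC_STATE": 0x3525506F5AA,
          "SYS_TIME": (datetime(2008, 1, 18, 20, 56, 42, 560000) - GPS_EPOCH) // TICK,
          "LP_SEC": 13, "LTM_OFF": -12, "DAYLT": 0, "PRAT": 0, "CDMA_FREQ": 25}

if __name__ == "__main__":
    msg = parse(pack(SPRINT))
    print(msg["SID"], msg["PILOT_PN"], *decode_times(msg))
```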
Basestation Geolocation using CDMA (one way it’s been done)
 Range Determination
   System time transmitted in the sync channel message is the exact GPS time 320ms after the end of the sync channel message
   Raw data was also time stamped, in picoseconds, with the current GPS time as it was recorded
   (System Time – Time Stamp) → Propagation Delay
   Propagation Delay * $3 \times 10^8$ m/s (speed of light) → Distance from base station to antenna
Basestation Geolocation
 Direction Finding
   Recordings were made with an antenna array with up to 8 channels
   Direction Finding techniques were applied by correlating received signals with the array manifold for the antenna
   This determined the angle of arrival for the incoming
   Results show azimuth and confidence level for direction of base station
[Figure: DF Results, Azimuth (deg) and Quality plotted against Tasks over Time. Verizon Base Station: 175° at 94% confidence]
Geolocation
 Distance prediction: 449 meters
 DF prediction: 175°
[Figure labels: 175°, .452 km]
Cell Phone Field Test Mode

 Gives information about towers it’s connected to:
   Primary Tower it’s currently communicating with
   Neighboring Towers are also shown
 Allows one to determine PN_Offsets, Channel Frequency(ies), and other information about the cell tower.
 This can be used to link data seen in the decoded synch channel messages to an actual cell tower, and more importantly get the exact coordinates of the CDMA signal
[Figure: field test mode screen showing PN_Offset, Rx Signal Strength, Tower ID (SID), Frequency Channel, Phone Status, Network ID]
Mapping Base Stations
 Internet cell tower maps are available to help find CDMA base stations in any area
 By driving out to base stations one could create a database containing the SID of each tower, its coordinates, and the frequency channel(s) that it uses
What have I done so far in Frequency Stability Transfer
 I have despread the pilot channel to remove any of the bit transitions
 What is left should be a continuous stream of 1’s which in complex form allows me to calculate the phase of the signal at a given point in time
 By feeding these phases into Kyle’s Allan Variance program, I have gotten Allan Variance measurements as low as $10^{-11}$
 I suspect that by applying coherent accumulation techniques learned in class, that I can get this number even lower
Final Thoughts
 Opportunistic Ranging
   Possibly track the change in phase of the carrier using the Pilot Channel (all 1’s transmitted)
   Get the exact coordinates of the base station in which we are connected by looking up the station in a pre-loaded database, using the Station ID (SID) found by decoding the synchronization channel
   The paging channel, which I have not decoded in the past, does contain the basestation latitude and longitude, however the accuracy of each only extends to .25” (seconds) which is about 25 feet
Questions?
Appendix
 PCS band frequency allocation
[Figure: PCS band Uplink and Downlink allocation]