Spectrum Analysis and GSM Broadcast Decoding in 2013Posted on November 17th, 2013 No comments
This post is about the low-cost SDR systems becoming available. I am afraid it’s not going to be very beginner friendly so I am going to assume that you have a general understanding of radio technology and SDR. In the last post I talked about the massive and expensive spectrum analyzers I used in the 1980s. In fact, even in that era I worked on SDR. Using a PDP 11 we analysed batch files of samples from radar systems to test new processing algorithms.
So why is SDR a hot topic now? Basically a combination of new hardware and the increasing power of desktop PCs has brought powerful SDR solutions within the reach of hobbyists and low budget researchers. There are two main strands:
Firstly, there is what we might call serious low-cost SDR. This consists of hardware boards in the spirit of something like the Arduino or Raspberries Pie which provide experimental but capable SDR platforms in a relatively low-cost package. Typically though these are not what you could call “cheap” as they still may cost hundreds or thousands of pounds. What you get is something with fairly good RF performance and perhaps the possibility of transmitting as well as receiving.
Secondly, there is what we might call seriously-low-cost SDR. This reuses very cheap USB TV receivers as SDR receivers. It is this ultra-low-cost SDR that I am going to talk about here.
Two key points make ultra-low-cost SDR possible. Firstly it was discovered that certain chipsets widely used in USB TV receivers had a much wider tuning range than was needed for TV. The chipsets can also send the intermediate frequency I and Q samples directly over USB to the host computer. Secondly it was found that the processing power on normal PCs was sufficient to perform, in real time, SDR functions on the I and Q samples coming from the USB receiver.
I bought a dongle based on the RTL2832U+R820T chipset from Amazon for £12.50. This was a slight mistake as it was despatched from the Far East and took several weeks to arrive so my first advice would be to order locally. So what does a cheap USB TV receiver like this provide in terms of performance? According to this very useful stream of consciousness this chipset can tune from 24 – 1700 MHz. That covers FM, ham radio and GSM. It uses a 3.57 MHz intermediate frequency and has a tuning error of perhaps 30 ppm which is relatively stable for a particular dongle when it is warm.
The intermediate frequency sampling is 8-bit and around 2MS/s is an achievable sampling rate. The dynamic range is about 45 dB. My experience is that the biggest problem is various spurious signals appearing that seem to by primarily due to interference at the intermediate frequency. There are various homebrew solutions to improve screening described on the web but I haven’t tried these.
My 1st experiment was using SDR# running on Windows. This was easy to install using a recipe I found on the web. I just hooked up a few meters of wire to use as an antenna. I was easily able to scan the FM and air bands to receive various stations. Once the “Correct IQ” option was checked I was able to receive sounds. I also looked around 900 MHz and saw what I thought were probably GSM cells. It’s not really fair to compare my 2013 technology to the spectrum analyzers of 1986, but as a way of visualising common radio signals it serves the same purpose for 0.07% of the cost (less allowing for inflation)! On its own I find this fascinating.
Though SDR# is easy to use I think the Windows environment is fairly limited for SDR and if I was starting again I would probably go straight to Linux. Most of the serious SDR tools are primarily developed for Linux.
Having seen what looked like GSM BCCHs I was really keen to try and decode them. I found this guide which I basically followed. I didn’t want to set up a dedicated machine for SDR so I decided to go down the virtual machine route. I installed the free version of VMware player and installed Kali Linux version 1.0.5. Though Kali Linux download page has an image for VMware it is an old version so I created a new VM and installed 1.0.5 from the ISO. This was very easy. Version 1.0.5 has many SDR tools already installed and as many of the tools seem difficult to install this is a significant advantage. I was very impressed with the performance of VMware player and the ease with which it was possible to connect the USB dongle.
Having created the virtual machine I followed the recipe linked above to decode the GSM broadcast channel. If you start from version 1.0.5 you don’t need to install GNU radio but when you install Airprobe you will need to add the additional dependencies as explained in the recipe. The only issue I found was that apt-get didn’t like the “-y” option so omit this from the dependency install and manually accept the installation.
The Airprobe tool used to decode the GSM BCCH seems pretty buggy and is still a work in progress. Though it has a GUI it doesn’t appear to respond to any clicks in my version so you need to set everything from the command line. The command I used was:
./gsm_receive_rtl.py -s 1e6 –f 948000000
948000000 is the frequency of the GSM BCCH I found using SDR# in Hz. You can see GSM downlink channels as fairly broad peaks around 900MHz in SDR#. Check the downlink centre frequencies used by GSM to get the exact centre for any candidate.
I immediately started getting decoded GSM cell data from Airprobe, but it seems to quickly loose sync or tuning and stop producing output. I suspect there is some kind of bug in its tracking algorithm, but it could also be a peculiarity of my configuration. When the program gets stuck use control-C in the starting terminal to kill it.
Anyway, for £12.50 and a load of free software I think the ability to receive GSM cells is pretty impressive.