




Chipping away at IS-95 A & B (cdmaOne), CDMA2000-1X and more










A few words of explanation for our humor-impaired readers:

This family of communications technologies uses spread spectrum signaling in which the lowest level data elements are called "chips".  Hence we show CHIPmunks, a standard North American ground squirrel (Tamias striatus) which is also known to utilize sequences of chips for communications purposes.



The long & short of it


CDMA as used in this web page specifically refers to a particular family of mobile telephony standards developed and updated by Qualcomm since the 90s.  The primary U.S. carriers utilizing CDMA technology are Verizon and Sprint in addition to many deployments worldwide.


The original IS-95 standard was revised in the 90s (IS-95A and IS-95B) and the evolution continued into the present 2.5G & 3G CDMA2000 species.  Wikipedia has a nice set of articles on IS-95, CDMA2000, and even the extinct EV-DO.


We make no attempt to explain the air interface and instead refer the interested reader directly to the freely available standards at http://www.3gpp2.org.  Technical Specification Group C (TSG-C) is of particular interest.




CDMA Signal Acquisition and Tracking

We acquire the CDMA signal by cross-correlating the over-the-air signal with the short spreading sequences (PN-I and PN-Q) at the 1.2288 MHz chip rate.  These 32768-chip sequences technically modulate Walsh channel zero, but since the associated Walsh sequence is all '1's we needn't bother with any Walsh-related processing at this stage.

Sampling is done with a USRP with a decimation of 40 (1.6MHz sampling rate).  This gives us plenty of wiggle room for the worst case USRP DBSRX tuning offset and helps a little with the USRP FPGA CIC filtering band edges.  The data is resampled to 4x the chip rate (4.9152MHz) and the pilot is then acquired using a fast circular correlation corresponding in length to the entire short PN sequence.  As an optional pre-processing step one may automatically compensate for the USRP tuning offset by sweeping these circular correlations through a plausible range of offsets until the signal peak is maximized.


CDMA Cross Correlation Against Short PN Sequence

Above:  Successful detection and acquisition of a CDMA channel showing two separate active base station transmissions.  It turns out these are coming from the same base station but represent data beamed into different cells. 

At this point we could select the desired transmission by synchronizing the short PN sequence timing with the desired peak.  Lock is maintained using early/late correlation of the pilot.
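The acquisition step described above, as an added example that is not code from this page: it builds the two IS-95 short PN sequences from their 15-stage generators (the polynomials are assumed from the IS-95 / 3GPP2 C.S0002 text, not from this page; check them there), simulates two pilots at different PILOT_PN offsets in constructed noise, and locates both with a single FFT circular correlation over the whole short-code period at 4x the chip rate. The PILOT_PN values 168 and 240, the relative gains and the noise level are constructed test inputs.

```python
"""Simulated IS-95 pilot acquisition by FFT circular correlation (added
example, not radiorausch code). LFSR polynomials assumed from IS-95; verify."""
import numpy as np

PN_LEN = 32768                              # extended short-code period, chips
OVERSAMPLE = 4                              # samples per chip (4.9152 MHz)
PN_I_TAPS = (15, 13, 9, 8, 7, 5)            # x^15+x^13+x^9+x^8+x^7+x^5+1
PN_Q_TAPS = (15, 12, 11, 10, 6, 5, 4, 3)    # x^15+x^12+x^11+x^10+x^6+x^5+x^4+x^3+1

def short_pn(taps):
    """15-stage LFSR m-sequence (32767 chips) extended to 32768 by inserting a
    '0' after the run of 14 zeros, as IS-95 does; returned as +1/-1 chips."""
    state, bits = [1] + [0] * 14, []
    for _ in range(2 ** 15 - 1):
        bits.append(state[-1])
        fb = 0
        for t in taps:
            fb ^= state[t - 1]
        state = [fb] + state[:-1]
    s = "".join(map(str, bits))
    bits.insert((s + s).index("0" * 14), 0)   # unique 14-zero run -> 15 zeros
    return 1.0 - 2.0 * np.array(bits[:PN_LEN])

def make_rx(pn_i, pn_q, pilot_pns, gains, noise_std=2.0, seed=1):
    """Constructed over-the-air sample: Walsh 0 is all ones, so each pilot is
    just PN_I + j*PN_Q delayed by PILOT_PN*64 chips, plus complex noise."""
    ref = pn_i + 1j * pn_q
    rx = sum(g * np.roll(ref, 64 * p) for p, g in zip(pilot_pns, gains))
    rx = np.repeat(rx, OVERSAMPLE)            # 4x oversampled, as on the page
    rng = np.random.default_rng(seed)
    return rx + noise_std * (rng.standard_normal(rx.size) + 1j * rng.standard_normal(rx.size))

def acquire(rx, pn_i, pn_q, n_peaks=2):
    """Circular cross-correlation via FFT against one full PN period; returns
    (chip offset, |peak|) for the n_peaks strongest pilots, masking the
    triangular +-1-chip skirt around each peak before looking for the next."""
    ref = np.repeat(pn_i + 1j * pn_q, OVERSAMPLE)
    corr = np.abs(np.fft.ifft(np.fft.fft(rx) * np.conj(np.fft.fft(ref))))
    found = []
    for _ in range(n_peaks):
        k = int(np.argmax(corr))
        found.append((k // OVERSAMPLE, float(corr[k])))
        corr[max(0, k - 2 * OVERSAMPLE):k + 2 * OVERSAMPLE + 1] = 0.0
    return found

if __name__ == "__main__":
    pn_i, pn_q = short_pn(PN_I_TAPS), short_pn(PN_Q_TAPS)
    print(acquire(make_rx(pn_i, pn_q, [168, 240], [1.0, 0.4]), pn_i, pn_q))
```

Each returned chip offset divided by 64 is the PILOT_PN of that base station; the two peaks mirror the two transmissions in the plot above.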




Potential Application - Passive Radar?


Having achieved lock we must take a detour and look for multipath propagation.  After all, this is something the CDMA system was specifically designed to detect and exploit using rake receivers.  We take our signal and zoom in on a CDMA correlation peak; for good measure we plot this as a function of time:

Short code correlation as function of delay spread


Each multipath peak can be resolved to better than 1 µs, which corresponds to under 300 meters.  Remember we are working with a nominal 1.25 MHz bandwidth signal.

We expect changes in reflectors (e.g. low flying helicopters) to produce shifts in target geometry that may then be reflected in changes of the multipath structure.  Of course target movement immediately makes one think of Doppler.  So instead let us take a 160 ms sample slice and plot a correlation against the short PN sequence as a function of both Doppler shift and path delay:

Doppler vs Delay Spread Sample plot


Above:  Doppler bins are 6.25 Hz wide, which corresponds to a velocity of about 1 m/s or 3½ km/h at the 1.9 GHz system frequency.  If there were any really strong reflections from nearby traffic we should have been able to resolve them.

Disclaimer: the above figures show no readily discernible targets.  We also suspect some of the subsidiary peaks represent USRP / GNU Radio processing artifacts.


Issues for further work:


Also worthy of note:  Some base stations are set up to transmit their geographical coordinates, which obviously comes in handy when doing path geometry calculations.  Sprint base stations in our neck of the 4103 SID are nice enough to do this but Verizon base stations couldn't be bothered.  Either that or all our Verizon base stations are swimming together off equatorial Africa at 0°N, 0°W...  which in fact seems quite possible based on their network quality.



Potential Application - Receiving Signaling & Traffic Data




CDMA Walsh64 Code Power Density


Above:  Plot showing a CDMA channel after successful signal synchronization and passing through a Walsh64 transform stage.

The following channels are active:





Hypothetical USRP/GNU Radio Signal processing flow:




The Strange Politics of CDMA Monitoring

We note that intercept systems are available that monitor and record CDMA traffic in real time.  A few examples:

http://www.stratign.com/CDMA_monitoring_system.htm
http://www.shoghi.co.in/cdma_is_95a.htm
http://www.gcomtech.com/product.aspx?ID=39&CID=6


You may notice the above companies are all based outside of the U.S.  This may be because of Title 18 of the U.S. Code, specifically 18 USC 2512.  This not only makes it illegal to sell items such as CDMA intercept systems to non-governmental users but also to advertise their existence.  This state of affairs suits mobile telephone service providers, who can propagate less than accurate security assurances.   A few random examples:


The Globalstar satellite system is of interest because it is an IS-95 CDMA satellite system.  Unfortunately the S-Band satellite amplifiers are failing (or have completely failed).  There exists an interesting correlation between Globalstar S-Band amplifier output and the company stock price (ticker symbol GSAT).

Interesting work along related lines does of course occur in the U.S. as the following suggests:

http://www.thespywhobilledme.com/the_spy_who_billed_me/2008/02/contractors-web.html


A lot of this seems really irrelevant anyway since in the U.S. your calls will not be intercepted at the air interface level.  Instead your communications provider will happily run warrantless wiretaps on behalf of the U.S. government without appropriate judicial or constitutional oversight.


Disclaimers:

This web page constructed entirely out of recycled electrons (minimum 75% post consumer content) and recycled ideas (minimum 99.99% post consumer content).  No electrons or animals were harmed during the construction of this web page.
