Decoding IEEE 802.11ah

For some time I have been thinking about doing something similar to my posts about LTE and 5G NR, but for WiFi (IEEE 802.11). In those posts I take a signal recording and write a Jupyter notebook from scratch to analyze the signal and decode the data. I use them as a way of learning all the details of how these standards work, and I have seen that some people find them very useful.

Recently I was taking a look at a baby monitor camera system, composed of a camera and a monitor screen, since I was curious about how the camera transmits the video. Using Maia SDR, I located the signal at 866 MHz and realized that both the camera and the monitor screen were transmitting OFDM packets of approximately 2 MHz of bandwidth on this frequency. With some cyclostationary analysis, I found that the subcarrier spacing was 31.25 kHz (which works out to be 2 MHz / 64 FFT points), and that the cyclic prefix was 1/4 of the useful symbol duration. This pointed me straight to IEEE 802.11ah (WiFi HaLow), a variant of WiFi designed for the 800 MHz and 900 MHz license-exempt bands. After comparing the packet formats in the 802.11ah standard with the waterfall of my recording, I was sure that this was indeed 802.11ah. What started as a short and fun signal recording experiment ended up going down the rabbit hole of implementing 802.11ah decoding from scratch in a Jupyter notebook. In this post I explain my implementation and the analysis of this recording.
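The cyclostationary trick used above (the cyclic prefix is a copy of the tail of each symbol, so the signal correlates with itself at a lag equal to the useful symbol length, and that correlation repeats with the symbol period) can be written down in a few lines. The following is an added example, not code from the post or from its notebook: it synthesizes a generic OFDM burst with the parameters found here (2 Msps, 64-point FFT, 1/4 CP) plus some noise, then recovers the FFT size, CP length and subcarrier spacing blind from the samples. The burst generator is a plain OFDM model, not an 802.11ah PHY, and the sample rate, SNR and number of symbols are assumptions for the example.

```python
import cmath
import math
import random

# Constructed signal parameters for the example (the 2 MHz / 64-FFT / CP = 1/4
# values are the ones identified in the post; the rest are assumptions).
SAMPLE_RATE = 2e6   # Hz
N_FFT = 64
CP_LEN = 16         # 1/4 of the useful symbol
N_SYMBOLS = 100
SNR_DB = 10.0

_TWIDDLE = [cmath.exp(2j * math.pi * m / N_FFT) for m in range(N_FFT)]


def ofdm_symbol(rng):
    """One OFDM symbol with cyclic prefix: random QPSK on every subcarrier except DC."""
    X = [0j] * N_FFT
    scale = 1.0 / math.sqrt(2 * (N_FFT - 1))  # unit average power per time sample
    for k in range(1, N_FFT):
        X[k] = complex(rng.choice((-1, 1)), rng.choice((-1, 1))) * scale
    # inverse DFT: x[n] = sum_k X[k] exp(j 2 pi k n / N)
    x = [sum(X[k] * _TWIDDLE[(k * n) % N_FFT] for k in range(1, N_FFT)) for n in range(N_FFT)]
    return x[-CP_LEN:] + x  # the CP is a copy of the tail of the symbol


def make_burst(seed=1):
    """Concatenate N_SYMBOLS symbols and add complex white Gaussian noise at SNR_DB."""
    rng = random.Random(seed)
    x = []
    for _ in range(N_SYMBOLS):
        x.extend(ofdm_symbol(rng))
    sigma = math.sqrt(10 ** (-SNR_DB / 10) / 2)  # per-component noise std for unit signal power
    return [v + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for v in x]


def estimate_useful_length(x, max_lag=128):
    """Lag d maximizing |sum_n x[n] conj(x[n+d])|; the CP makes this the useful symbol length."""
    best_lag, best_val = None, -1.0
    for d in range(1, max_lag + 1):
        r = abs(sum(x[n] * x[n + d].conjugate() for n in range(len(x) - d)))
        if r > best_val:
            best_lag, best_val = d, r
    return best_lag


def estimate_symbol_period(x, n_useful):
    """Fold x[n] conj(x[n+N]) at candidate periods N+1..2N; CP samples add coherently only at the true period."""
    c = [x[n] * x[n + n_useful].conjugate() for n in range(len(x) - n_useful)]
    best_period, best_metric = None, -1.0
    for p in range(n_useful + 1, 2 * n_useful + 1):
        bins = [0j] * p
        counts = [0] * p
        for n, v in enumerate(c):
            bins[n % p] += v
            counts[n % p] += 1
        metric = max(abs(b) / k for b, k in zip(bins, counts))
        if metric > best_metric:
            best_period, best_metric = p, metric
    return best_period


def identify_ofdm(x, sample_rate=SAMPLE_RATE):
    """Blind estimate of FFT size, CP length, CP fraction and subcarrier spacing."""
    n_useful = estimate_useful_length(x)
    period = estimate_symbol_period(x, n_useful)
    cp = period - n_useful
    return {
        "n_fft": n_useful,
        "cp_len": cp,
        "cp_fraction": cp / n_useful,
        "subcarrier_spacing_hz": sample_rate / n_useful,
    }


if __name__ == "__main__":
    print(identify_ofdm(make_burst()))
```

On a real recording the same two steps apply to the baseband samples of a packet (after centering and resampling to 2 Msps); the lag search gives the FFT size, and the folding step gives the CP, from which the 1/4 ratio and the 31.25 kHz spacing follow.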

Tianwen-1 second apoapsis raise

Some weeks ago I reported on an apoapsis raise manoeuvre done by Tianwen-1, the Chinese Mars orbiter. This has now happened again. Using state vectors from the telemetry decoded with the 20 m antenna at Bochum observatory by AMSAT-DL, we have detected an apoapsis raise manoeuvre done on 2025-01-08. This new apoapsis raise is much larger than the previous one. I have done the same kind of calculations as in the previous post, and also corrected a bug in my Keplerian elements plots (the periapsis and apoapsis passes were being paired incorrectly, which caused the SMA and eccentricity not to change in the plots I did in the previous post).

Tianwen-1 apoapsis raise

For a long time, AMSAT-DL has been using the 20 meter antenna at Bochum observatory to receive some telemetry from Tianwen-1, the Chinese Mars orbiter, almost daily. Since the telemetry includes the spacecraft's state vectors, we can use this to monitor the spacecraft's orbit. On 8 November 2021, Tianwen-1 entered its remote sensing orbit. This is an elliptical orbit with a period of approximately 2/7 Mars sidereal days plus 170 seconds. This gives a ground track that almost repeats, but drifts slowly so as to cover the whole surface of the planet.

I have been posting yearly updates about Tianwen-1's orbit, the last of them this summer. In these updates we can see that no manoeuvres have happened, and that the changes in the Keplerian elements correspond to orbital perturbations caused by external forces. The orbit is in fact designed to make the latitude of the periapsis precess. In this way, the whole surface of Mars can be scanned from low altitude.

Now we have some news. In the telemetry of the last few days we have detected that Tianwen-1 has raised its apoapsis radius from about 14134 km to 14489 km. All the data we have indicates that a propulsive burn has happened recently. In this post I give the details about this apoapsis raise manoeuvre.

5G NR PBCH

This post is a continuation of my series about the 5G NR RAN. In these posts, I’m analyzing a recording of the downlink of an srsRAN gNB in a Jupyter notebook written from scratch. In this post I will show how to decode the PBCH (physical broadcast channel). The PBCH contains the MIB (master information block). It is transmitted in the SSB (synchronization signals / PBCH block). After detecting and measuring the synchronization signals, a UE must decode the PBCH to obtain the MIB, which contains some parameters which are essential to decode other physical downlink channels, including the PDSCH (physical downlink shared channel), which transmits the SIBs (system information blocks).

In my first post in the series, I already demodulated the PBCH. Therefore, in this post I will continue from there and show how to decode the MIB from the PBCH symbols. First I will give a summary of the encoding process. Decoding involves undoing each of these steps. Then I will show in detail how the decoding procedure works.

Hera telemetry

In my previous post I spoke about the recording I made of the X-band telemetry signal of Hera with the Allen Telescope Array shortly after it was launched. Despite the lack of publicly available accurate ephemerides at the time of launch, I managed to track the spacecraft by hand and decode a good amount of telemetry frames. In this post I will do an in-depth analysis of the telemetry.

Decoding Hera

Hera is an ESA mission to the Didymos binary asteroid system. It will arrive there in December 2026 to study the asteroids and the effects of the impact of DART on Dimorphos. It was launched on October 7 from Cape Canaveral, exactly one week before Europa Clipper. In the same way as for Europa Clipper, Hera’s launch trajectory allowed me to track it with the Allen Telescope Array, starting approximately 90 minutes after launch.

However, the ephemerides publicly available when the launch happened turned out to be completely wrong, as I will explain below in more detail. I needed to find the spacecraft's signal by moving the antenna blind, and continue tracking it by hand by tweaking the pointing every few minutes. For this reason, the quality of the recordings I have made is not so good. The signal drops out frequently as the spacecraft moves away from where I was pointing or when I made mistakes in my pointing adjustments.

For this reason, I have prioritized decoding the Europa Clipper recordings, since I expected that decoding these low quality recordings of Hera would take more work. Nevertheless I have managed to decode a good amount of telemetry.

I have published the IQ recordings made with the ATA in the following two Zenodo datasets:

Europa Clipper telemetry

In my previous post I spoke about the recording I did of the Europa Clipper X-band telemetry shortly after launch with one of the Allen Telescope Array antennas. In that post I analysed the recording waterfall and the signal modulation and coding, and decoded the telemetry frames with GNU Radio. In this post I analyse the contents of the telemetry. As we will see, there are several similarities with the telemetry of Psyche. This makes sense, because both are NASA missions that have been launched only one year apart.

Decoding Europa Clipper

Europa Clipper is a NASA mission that will study Europa, Jupiter's icy moon, to investigate whether it can support life, perhaps in hydrothermal vents in a global ocean under the ice crust. The mission launched on Monday from Cape Canaveral, after some days of delay due to Hurricane Milton. As happened with Psyche one year ago, the launch trajectory was such that the first pass over the Allen Telescope Array, in northern California, started only about 1.5 hours after launch. To put this in perspective, launch was at 2024-10-14T16:06 UTC, spacecraft separation at T+1:02:39, and my recording began at 17:33:24 UTC, with signal acquisition a couple of minutes later as the spacecraft rose above the 16.8 deg elevation mask of the ATA antennas.

I used one of the ATA antennas to record the X-band telemetry signal for about 2 hours and 50 minutes, until the spacecraft set again due to Earth rotation. In this post I overview the recording and decode the telemetry with GNU Radio.

I recorded at 6.144 Msps IQ, but since the telemetry symbol rate was only 12 kbaud throughout all the recording, I have made files decimated to 96 ksps and published them in the dataset “Recording of Europa Clipper X-band telemetry with the Allen Telescope Array shortly after launch” in Zenodo. This decimation discards the sequential ranging tones, which were present during most of the observation, but it greatly reduces the file size.

Analysis of DME signals

You might remember that back in July I made a recording of the DME ground-to-air and air-to-ground frequencies of a nearby VOR-DME station. In that post, I performed a preliminary analysis of the recording. I mentioned that I was interested in measuring the delay between the signals received directly from the aircraft and the ground transponder replies, and in matching these to the aircraft trajectories. This post is focused on that kind of study. I will present a GNU Radio out-of-tree module, gr-dme, that I have written to detect and measure DME pulses, and show a Jupyter notebook where I match aircraft pulses with their corresponding ground transponder replies and compare the delays to those calculated from the aircraft positions given in ADS-B data.
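The geometry behind the comparison above is simple: the interrogation reaches the receiver directly from the aircraft, while the reply goes aircraft to transponder, waits the fixed reply delay, and then goes transponder to receiver, so the observed offset between the two is the path difference over c plus the reply delay. The following is an added example, not code from the post or from gr-dme: it converts ADS-B style positions (WGS84 latitude, longitude, altitude) to ECEF, computes the expected interrogation-to-reply offset, and pairs a constructed list of interrogation and reply times of arrival against it. The nominal 50 µs reply delay is the X-channel value (Y channels use 56 µs); the channel, the positions and the arrival times are assumptions constructed for the example.

```python
import math

C = 299_792_458.0          # speed of light, m/s
DME_REPLY_DELAY_S = 50e-6  # nominal transponder reply delay for an X channel (assumed here; Y channels use 56 us)

# WGS84 constants for the geodetic -> ECEF conversion of ADS-B positions
_A = 6378137.0
_F = 1 / 298.257223563
_E2 = _F * (2 - _F)


def geodetic_to_ecef(lat_deg, lon_deg, alt_m):
    """WGS84 latitude/longitude (degrees) and altitude (m) to ECEF coordinates (m)."""
    lat, lon = math.radians(lat_deg), math.radians(lon_deg)
    n = _A / math.sqrt(1 - _E2 * math.sin(lat) ** 2)
    return ((n + alt_m) * math.cos(lat) * math.cos(lon),
            (n + alt_m) * math.cos(lat) * math.sin(lon),
            (n * (1 - _E2) + alt_m) * math.sin(lat))


def expected_reply_offset(aircraft, station, receiver, reply_delay=DME_REPLY_DELAY_S):
    """Time between hearing the interrogation directly and hearing the transponder reply.

    Interrogation path: aircraft -> receiver.
    Reply path: aircraft -> station, fixed reply delay, station -> receiver.
    By the triangle inequality the result is always >= reply_delay.
    """
    d_direct = math.dist(aircraft, receiver)
    d_via_station = math.dist(aircraft, station) + math.dist(station, receiver)
    return (d_via_station - d_direct) / C + reply_delay


def match_replies(interrogation_toas, reply_toas, expected_offset, tolerance=2e-6):
    """Pair each interrogation with the first reply that arrives at expected_offset within tolerance.

    Both lists must be sorted. Replies that match no interrogation (other aircraft,
    squitter) are skipped. Returns (t_interrogation, t_reply, measured_offset) tuples.
    """
    pairs = []
    j = 0
    for t in interrogation_toas:
        target = t + expected_offset
        while j < len(reply_toas) and reply_toas[j] < target - tolerance:
            j += 1
        if j < len(reply_toas) and abs(reply_toas[j] - target) <= tolerance:
            pairs.append((t, reply_toas[j], reply_toas[j] - t))
            j += 1
    return pairs


# Constructed geometry for the example (not a real station or flight).
STATION = geodetic_to_ecef(40.50, -3.50, 700.0)
RECEIVER = geodetic_to_ecef(40.45, -3.45, 650.0)
AIRCRAFT = geodetic_to_ecef(40.90, -3.20, 9000.0)


def demo():
    """Match constructed arrival times (seconds) against the geometry above."""
    offset = expected_reply_offset(AIRCRAFT, STATION, RECEIVER)
    interrogations = [0.0, 0.0031, 0.0075]
    # replies 0.3 us late relative to the prediction, plus one unrelated reply at 5 ms
    replies = sorted([t + offset + 0.3e-6 for t in interrogations] + [0.0050])
    return offset, match_replies(interrogations, replies, offset)


if __name__ == "__main__":
    off, pairs = demo()
    print(f"expected offset {off * 1e6:.2f} us")
    for t_int, t_rep, measured in pairs:
        print(f"interrogation {t_int:.6f} s -> reply {t_rep:.6f} s, residual {(measured - off) * 1e9:.0f} ns")
```

The residual between the measured offset and the predicted one is what the comparison with ADS-B positions exposes; on a real recording it absorbs the ADS-B position and timestamp errors, the receiver's own timing resolution and the difference between the transponder's actual reply delay and the nominal value.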

Not-LoRa GRCon24 CTF challenge

This year I submitted a track of challenges called "Not-LoRa" to the GRCon 2024 Capture The Flag. The idea driving this challenge was to take some analog voice signals and apply chirp spread spectrum modulation to them. Solving the challenge would require the participants to identify the chirp parameters and dechirp the signal. This idea also provided the possibility of hiding weak signals that are below the noise floor until they are dechirped, which is a good way to add harder flags. This blog post is an in-depth explanation of the challenge. I have put the materials for this challenge in this GitHub repository.

To give participants a context they might already be familiar with, I took the chirp spread spectrum parameters from several common LoRa modulations. These ended up being 125 kHz SF9, SF11 and SF7. LoRa is somewhat popular within the open source SDR community, and often there are LoRa challenges or talks in GRCon. This year was no exception, with a Meshtastic packet in the Signal Identification 7 challenge, and talks about gr-lora_sdr and Meshtastic_SDR.