LTE downlink: PDSCH

This post is a continuation of my series about LTE, where I decode a recording of the downlink signal of an eNB using Jupyter notebooks written from scratch. Here I will decode the PDSCH (physical downlink shared channel), which contains the data transmitted by the eNB to the UEs, including PDUs from the MAC layer, and some broadcast information, such as the SIB (system information block) and paging. At first I planned this post to be about decoding the SIB1. This is the first block of system information, and it is the next thing that a UE must decode after decoding the MIB (located in the PBCH) to find the configuration of the cell. The SIB1 is always transmitted periodically, and its contents and format are relatively well known a priori (as opposed to a user data transmission, which could happen at any time and contain almost anything), so it is a good example to try to decode PDSCH transmissions.

After writing and testing all the code to decode the SIB1, it was too tempting to decode everything else. Even though at first I wrote my code thinking only about the SIB1, with a few modifications I could decode all the PDSCH transmissions (except those using two-codeword spatial multiplexing, since my recording was done with a single antenna). I will still use the SIB1 as an example to show how to decode the PDSCH step by step, but I will also show the rest of the data.

The post is rather long, but we will get from IQ samples to looking at packets in Wireshark using only Python, so I think it’s worth its length.

A modern implementation of the Parks-McClellan FIR design algorithm

The Parks-McClellan FIR filter design algorithm is used to design optimal FIR filters according to a minimax criterion: it tries to find the FIR filter with a given number of coefficients whose frequency response minimizes the maximum weighted error with respect to a desired response over a finite set of closed sub-intervals of the frequency domain. It is based on the Remez exchange algorithm, which is an algorithm to find uniform approximations by polynomials using the equioscillation theorem. In signal processing, the Parks-McClellan algorithm is often called Remez. This algorithm is a very popular FIR design algorithm. Compared to the windowing method, which is another commonly used algorithm, it is able to obtain better filters (for instance, meeting design constraints with fewer coefficients), in part because it allows the designer to control the passband ripple and stopband attenuation independently by means of the weight function.

I have been laying some groundwork for Maia SDR, and for this I will need to run the Parks-McClellan algorithm in maia-httpd, the piece of software that runs in the Pluto ARM CPU. To evaluate what implementation of this algorithm to use, I have first gone to the implementations that I normally use: the SciPy remez function, and GNU Radio’s pm_remez function. I read these implementations, but I didn’t like them much.

The SciPy implementation is a direct C translation of the original Fortran implementation by McClellan, Parks and Rabiner from 1973. This C translation was probably written decades ago and never updated. The code is very hard to read. The GNU Radio implementation looks somewhat better. It is a C implementation that was extracted from Octave and dates from the 90s. The code is much easier to follow, but there are some comments saying “There appear to be some problems with the routine search. See comments therein [search for PAK:]. I haven’t looked closely at the rest of the code—it may also have some problems.” that have seemingly been left unattended.

Because of this and since I want to keep all the Maia SDR software under permissive open source licenses (the GNU Radio / Octave implementation is GPL), I decided to write from scratch an implementation of the Parks-McClellan algorithm in Rust. The result of this has been the pm-remez crate, which I have released recently. It uses modern coding style and is inspired by recent papers about how to improve the numerical robustness of the Parks-McClellan algorithm. Since I figured that this implementation would also be useful outside of Maia SDR, I have written Python bindings and published a pm-remez Python package. This has a few neat features that SciPy’s remez function doesn’t have. The Python documentation gives a walkthrough of these by showing how to design several types of filters that are commonly used. This documentation is the best place to see what pm-remez is capable of.

The rest of this post has some comments about the implementation and the things I’ve learned while working on this.

LTE Transmission Mode 4 (closed-loop spatial multiplexing)

This is a long overdue post. In 2022, I wrote a series of posts about LTE as I studied its physical layer to understand it better. In the last post, I decoded the PDCCH (physical downlink control channel), which contains control information about each PDSCH (physical downlink shared channel) transmission. I found that, in the recording that I was using, some PDSCH transmissions used Transmission Mode 4 (TM4), which stands for closed-loop spatial multiplexing. For an eNB with two antenna ports (which is what I recorded), this transmission mode sends either one or two codewords simultaneously over the two ports by using a precoding matrix that is chosen from a list that contains a few options. The choice is done by means of channel-state information from the UE (hence the “closed-loop” in the name).

In the post I found a transmission where only one codeword was transmitted. It used the precoding matrix \([1, i]^T/\sqrt{2}\). This basically means that a 90° phase offset is applied to the two antenna ports as they simultaneously transmit the same data. I mentioned that this was the reason why I obtained bad results when I tried to equalize this PDSCH transmission using transmit diversity in another previous post, and that in a future post I would show how to equalize this transmission correctly. I have realized that I never wrote this post, so now it is as good a time as any.

Decoding Queqiao-2

Queqiao-2 is the second Chinese lunar relay satellite. It was launched on March 20 from Wenchang, and it carries a large 4.2 m deployable dish for communications on X-band with assets on the lunar surface (up to 10 simultaneous channels, according to Wikipedia). The satellite will be placed on a frozen elliptical orbit that gives a 20 hour communications window with assets near the lunar south pole on each 24 hour orbit. A very interesting experiment that it will perform is LOVEX, the Lunar Orbit VLBI Experiment. During the 4 hours per orbit that it spends around the periapsis over the lunar north pole, the 4.2 m antenna will be used for VLBI, both for radioastronomy and for orbit determination of deep space satellites, as part of the Chinese Deep Space Network.

Queqiao-2 transmits telemetry on S-band, at 2234.5 MHz. In this post I will analyse a short IQ recording that Scott Tilley VE7TIL has shared with me.

5G NR downlink reference signals

Last summer I looked at the demodulation of the 5G NR downlink, using a short recording of an idle srsRAN gNB made by Benjamin Menkuec. In that post I looked at the phase compensation, which is new in NR compared to LTE, the SS/PBCH block, and performed OFDM demodulation of all the signals in the recording. One of these signals was the PDSCH transmitting the SIB1 (which is done periodically even on an idle cell), and its corresponding PDCCH transmission. However, there were some reference signals that I wasn’t able to identify at the time. In this post I will look at these reference signals in detail, and also at the DM-RS (demodulation reference signal) in the PDCCH and PDSCH.

Decoding IM-1

IM-1, the first lunar lander mission from Intuitive Machines, also called Odysseus, was launched on February 15 from KSC, and landed on February 22 near Malapert crater, in the lunar south pole region. The mission has been a partial success. The vehicle did not manage to land upright, and broke one of its legs due to landing with too much horizontal velocity. Despite this unfavourable attitude, communications with the lander have been able to proceed at reduced data rates, and some images and science data have been returned. On February 29, the mission ended, as lunar night started on the landing location. Congratulations to Intuitive Machines for all the milestones achieved in their first mission.

In this post I will examine some recordings of the S-band telemetry signal done by AMSAT-DL with the 20 metre antenna in Bochum observatory. These recordings were done while the lander was still in orbit. When landed on the Moon, IM-1 used the same configuration, but the recordings done at Bochum are probably too weak to decode, due to the orientation of the lander antennas.

Lunar reflections during SLIM landing

In my previous post, I looked at the Doppler of the SLIM S-band telemetry signal during its landing on the Moon. I showed some waterfall plots of the signal around the residual carrier. In these, a reflection on the lunar surface was visible. The following figure shows a waterfall of the signal around the residual carrier, after performing Doppler correction and using a PLL to lock to the residual carrier. I was intrigued by the patterns made by these reflections, especially by some bands that look like a ‘1’ shape (the most prominent happens at 14:58).

In this post I study the geometry of the lunar reflection and find what causes these bands.

SLIM lunar landing radiometry

SLIM, JAXA’s Smart Lander for Investigating Moon, landed near Shioli crater on January 19. Shortly after the landing, the spacecraft was powered down to conserve power, since the probe had landed in an unexpected attitude which shaded its solar panels. After a few days of trying to contact SLIM, JAXA succeeded in reestablishing communication with it on January 29. By then the Sun had moved west in the sky at SLIM’s location and had started illuminating the solar panels.

AMSAT-DL recorded the S-band signal from SLIM during the landing with the 20-meter antenna in Bochum Observatory. In this post I will analyse a recording done between 14:51:51 and 15:21:54 UTC (the touchdown was at 15:20 UTC). I will study the Doppler of the residual carrier and other radiometric quantities rather than the telemetry.

Trying to decode LEV-1

LEV-1 is a small lunar hopper that was carried by the SLIM lunar lander. It was released a few metres above the surface on January 19, as part of the lunar landing of SLIM. LEV-1 transmits telemetry in the 435 MHz amateur satellite band (it has an IARU satellite coordination approval), and also in S-band. Shortly after the landing, CAMRAS received the 437.410 MHz signal from LEV-1 using the 25 m radiotelescope at Dwingeloo. They have published a couple of IQ recordings in their directory of miscellaneous recordings (see the filenames starting with slim_).

The information about the telemetry signal of LEV-1 is scarce. Its website just says

Telemetry format of LEV-1 stands on CCSDS. The contents of telemetry are under developing.

The IARU coordination sheet contains other clues, such as the mention of PCM/PSK/PM, CW, and bitrates of 31, 31.25 and 32 bps, but not much else. Regardless of the mention of CCSDS, I have found that the signal from LEV-1 is quite peculiar. This post is an account of my attempt to decode the data.

An update about my Rust implementation of Galileo OSNMA

Galileo OSNMA (Open Service Navigation Message Authentication) is a service in the Galileo GNSS that allows receivers to authenticate cryptographically the navigation data transmitted in the Open Service signal. This is one of the mechanisms to avoid spoofing that are being deployed in Galileo. Currently, OSNMA is in its Public Observation Test Phase. Two years ago I presented a Rust library called galileo-osnma that implements OSNMA and includes some demo software for a small microcontroller, and also a PC CLI application. Since then, some breaking changes have happened in the format of the OSNMA signal-in-space, which have required updates in galileo-osnma. I have also implemented some new features. This post is an update about the current status of my galileo-osnma library and the OSNMA test phase.