University of California
Los Angeles
Examination of Techniques for Carrier
Frequency Estimation of Frequency Hopped
Signals in Time Domain
A report submitted in partial satisfaction
of the requirements for the degree
Master of Science in Electrical Engineering
by
Mikhail B. Tadjikov
Professor Danijela Cabric, Advisor
2010
Table of Contents
1 Introduction
1.1 Radiometric Identification
1.1.1 Clock Drift & Radiometric Identification
1.1.2 Carrier Frequency Drift
1.1.3 Frequency Hopping Spread Spectrum
1.2 Motivation
2 Methodology
2.1 Frequency Domain
2.1.1 Peak Detections
2.1.2 Mitigating Factors
2.2 Time Domain
2.2.1 Yule-Walker Method for the AR Model
2.2.2 Other AR spectral Estimation Methods
2.2.3 Selection of AR Model Order
2.2.4 Recursive AR models
3 The Foundation
3.1 Universal Software Radio Peripheral
3.2 GNU Radio
3.3 MATLAB
4 Implementation
4.1 Transmitter
4.2 Receiver
4.3 Troubleshooting
5 Results & Discussion
5.1 Results
5.1.1 System Bias
5.1.2 Comparison
5.1.3 On Recursion
5.2 Discussion
5.2.1 Model Validity
5.2.2 Effective Signal-to-Noise Ratio
6 Future Work
6.1 Other Methods for Spectral Estimation
6.2 Speed Improvements
6.3 Recursive Approach
6.4 I&Q Mismatch
6.5 Wavelets
References
List of Figures
1.1 Currently Available Oscillators
2.1 Example of AR Estimate with the model order 5, only the dominant coefficient shown.
2.2 CAT vs. FPE criteria for order determination.
4.1 TX Spectrum
4.2 Block Diagram of the Receiver
4.3 Test Setup: 2 x USRP2 and 1 computer. 2nd computer not shown.
5.1 Comparison between actual carrier frequency offset and estimated carrier frequency offset.
5.2 AR Spectral estimation performance summary for Yule-Walker, Burg and Least Squares.
5.3 Standard deviation of error vs. # of Recursions
5.4 Distribution of single frequency offset estimates.
5.5 A sample spectrum of a single burst overlaid with spectrum 20,000 bursts averaged.
6.1 Wavelet De-noising (Spectral Estimation): Bior 3.7 with 3 higher orders kept.
List of Tables
4.1 Bluetooth Nominal & Modified Simulation Parameters
5.1 A Summary of the AR Methods under different SNR and Effective SNR
Abstract of the Report
Examination of Techniques for Carrier
Frequency Estimation of Frequency Hopped
Signals in Time Domain
by
Mikhail B. Tadjikov
Master of Science in Electrical Engineering
University of California, Los Angeles, 2010
Professor Danijela Cabric, Advisor
This report will cover the background of frequency hopping spread spectrum
(FHSS) and radiometric identification techniques; furthermore, it will introduce
and discuss the techniques to detect and characterize Bluetooth devices using
their radiometric features. It builds upon simulated frequency offset detection
algorithms and explores their feasibility in real-time implementation via the
universal software radio peripheral (USRP) in conjunction with GNU Radio or the
Simulink© software defined radio (SDR) kit. This report will give a brief
overview of some frequency-domain solutions, but will be primarily devoted to
time-domain treatment of the problem. To conclude, future improvements will be
explored and an overall performance analysis of the system discussed herein will
be presented.
CHAPTER 1
Introduction
The future of communication is wireless. Millions of people already access the
internet through wireless LANs on college campuses, in coffee shops and at places
of business, and these are just small scale networks. Plans to deploy large-scale
wireless broadband in the US over the next 5-10 years are already in motion. One
issue that all wireless networks have in common is security. With no physical line
regulating access to the network, compromising it becomes strictly a software
issue, one that someone with some time and not a lot of resources (a simple laptop
with 2 wireless cards would do) could overcome. Once on the network, an intruder
is indistinguishable from the rest of the users and can access their information.
This opens a whole new door to identity theft, as well as illegal bandwidth
leeching. This paper will explore ways of identifying a transmitter based on
innate hardware characteristics that are extremely hard to mimic, yet are fairly
cost-effective to detect, oftentimes with the hardware already available at the
base stations.
1.1 Radiometric Identification
1.1.1 Clock Drift & Radiometric Identification
There are two different techniques for discriminating between transmitters:
radiometric and location identification. The latter is based on the idea that
there are specific features in the channel between transmitter and receiver which
are unique to each geographic location. There has been significant work and
success on uniquely characterizing the channel and location for the purpose of
device fingerprinting [1, 2]. The primary focus of our research is on the former
concept of radiometric identification; in particular, the modulation domain.
There are several metrics that can be used to differentiate transmitters in the
modulation domain, listed from most to least effective:
• Carrier frequency offset errors.
• I & Q offset errors.
• Magnitude and phase errors.
By using a combination of the above methods for radiometric identification it
is possible to achieve a highly accurate, sub 1%, transmitter identification given
a large sample size of about 100 "identical" (same device vendor and hardware
revision) transmitters [3]. In our research, the focus is on carrier frequency
offset, which is primarily caused by clock drift with some minute contributions
from the transmitter's system noise.
1.1.2 Carrier Frequency Drift
Clock drift is a phenomenon caused by manufacturing variability of oscillators.
Due to the importance of keeping the manufacturing cost low, a range of
7.5 - 100ppm, as seen in Figure 1.1, is usually assumed for commonplace wireless
devices. With the foresight of performing simulations in the 2.4GHz band, we
calculate the carrier frequency offset, δf, to be in the range from 18kHz to
240kHz. It is assumed that crystal oscillators have a Gaussian distribution of
frequency offsets, with µ = fc and σ = δf. Naturally, 240kHz would be the best
case scenario; therefore, we design our system for the worst case scenario of
σ = 18kHz.
Sidenote: there is currently ongoing research into crystal controlled crystal
oscillators that would both reduce the price and increase the precision of the
oscillator [4]. There are two potential issues associated with lower cost precise
crystals: first, if they were used in transmitting devices, the offset detection
would become virtually impossible due to the small clock drift; secondly, it
would become much easier for an intruder to imitate existing transmitters on the
network.
Figure 1.1: Currently Available Oscillators
1.1.3 Frequency Hopping Spread Spectrum
Frequency-hopping spread spectrum (FHSS) devices implement the notion of
transmitting a signal with constantly switching carrier frequency according to
a pseudo random hopping sequence. There are three main advantages to using
FHSS transmission technique:
• The signal is highly resistant to narrow-band interference.
• The signal is extremely hard to intercept/sniff due to the random hopping
phenomenon, thus usually just appears as background noise to a narrow-
band receiver.
• The signal can share spectrum with many conventional wireless systems,
thus helping to provide higher spectral efficiency.
Originally, spread spectrum transmission techniques were developed for the
military due to their resistance to jamming and have since found a wide array of
civilian uses, like Bluetooth. In our research we focus on detecting and
fingerprinting Bluetooth devices, due to their widespread commercial & personal
use.
1.1.3.1 Bluetooth
The Bluetooth signal hops over 79 RF channels that are spaced by 1MHz in the
2.402 - 2.480GHz spectral range. The specification requires the transmitted
initial center frequency to be within ±75kHz of Fc, making our clock drift
limited to 7.5 - 31ppm. Gaussian frequency-shift keying (GFSK) is used as the
preferred modulation scheme for transmission, with bandwidth bit period product
BT = 0.5 [5]. GFSK is standard frequency-shift keying with Gaussian filters used
for pulse shaping to increase spectral efficiency [6]. With the hopping rate of
1/1600s the maximum pulse duration is 625µs, but the pulses could be as short as
366µs. With our signal sampled at 1MHz at baseband there is a maximum of 625 time
samples available for analysis.
1.2 Motivation
The motivation of this project is to improve on the status quo in wireless
security by enabling receivers to uniquely identify the wireless transmitters. In
this particular project the focus is on the first part of the problem: uniquely
identifying the transmitters via their radiometric characteristics. With the
improvements achieved here, hopefully it will soon be possible to reach the
ultimate goal of correctly fingerprinting the transmitter and avoiding network
intrusion.
CHAPTER 2
Methodology
2.1 Frequency Domain
Frequency domain signal analysis is oftentimes preferred over time domain
analysis due to its informative nature. For the purposes of this project,
frequency domain carrier frequency estimation will not be considered; however, a
brief overview of carrier frequency estimation and its problems in the frequency
domain will follow.
2.1.1 Peak Detections
The problem of estimating the center frequency offset in the frequency domain,
for many signals, boils down to finding the peak of interest in the desired
spectral range: a simple peak detection. One of the major issues for signals
such as Bluetooth is, as previously discussed, the Gaussian shaped spectrum, which
introduces various sporadic peaks that alter the shape of the spectrum, thus
complicating the problem. One could conclude that averaging many FFTs would
improve the overall shape of the spectrum, which it does due to the Gaussian
nature of the noise and GFSK. However, in the case of frequency hopped signals,
without knowing the hopping sequence it is difficult to know whether a burst came
from the same transmitter or not. Given these issues, a single burst analysis
system should generally be considered.
One such approach to solving this problem is discussed in the literature, with
results that will be used as a baseline for our experiments [7]. Their results
will be used for comparison and evaluation of the proposed center frequency
offset estimation algorithms.
2.1.2 Mitigating Factors
Regardless of which frequency domain carrier frequency estimation method is
used, there are several known performance limitations that are associated with
the analysis of frequency hopped signals; in particular, Bluetooth:
• Limited frequency resolution, which is caused by the duration of the
transmitted burst. Even the best case scenario of 625µs with a sampling
frequency equal to 1MHz would provide a limited frequency resolution:
$$\Delta F_{bin} = \frac{1\,\mathrm{MHz}}{625\ \mathrm{samples}} = 1600\,\mathrm{Hz}$$
• Another performance issue associated with Fourier transforms is
in-between-bin losses. Since the FFT bin response is approximated as a sinc, a
signal that falls in between two adjacent FFT bins, the worst case scenario,
incurs additional losses in power. These losses can be computed as:
$$|A(f)|^2 = \left.\frac{\sin^2(\pi f T)}{(\pi f T)^2}\right|_{f=\pi/2} = -3.91\,\mathrm{dB} \tag{2.1}$$
With a signal power loss of almost 4dB, this can produce inconsistent
results for varying carrier frequency offsets. However, this can be mitigated
by increasing the size of the FFT through zero padding [8, 9]. Although
zero-padding does not provide any additional frequency information, it will
reduce the in-between-bin losses.
• The Gaussian shaped nature of the signal has a drastic influence on the
shape of the spectrum and also creates a significant challenge in carrier
frequency offset estimation. Spectrum shape is discussed further in the
section Effective SNR.
2.2 Time Domain
As discussed before, one of the major disadvantages of using frequency domain
analysis is poor frequency resolution given a time limited signal. The problem
of finding the center frequency is further exacerbated in the case of Bluetooth
transmission considering the effects of GFSK on the spectrum. On the other
hand, time domain analysis is not limited by the number of data samples, and it
has been shown that in some cases AR methods provide superior performance
to FFT spectrum analysis [10]. Although there are many different time-domain
methods, the focus of this project is on Auto Regressive (AR) spectral estimators.
2.2.1 Yule-Walker Method for the AR Model
One of the possible algorithms for estimating carrier frequency in the time
domain is the Yule-Walker method. While in the literature it is often described
as inferior to other AR methods, it will be shown that for the case of Bluetooth
signals it is more optimal [11]. Furthermore, this algorithm has a
straightforward description and implementation, making it less computationally
intensive than other models.
$$R(m) = \frac{1}{N}\sum_{n=0}^{N-m-1} x^*(n)\,x(n+m) \tag{2.2}$$
After starting out with a simple auto-correlation of the signal in question, the
system order (p) needs to be selected.
$$S_x(f) = \frac{\sigma^2_{wp}}{\left|1 + \sum_{k=1}^{p} a_k(k)\,e^{-j2\pi f k}\right|^2} \tag{2.3}$$
$$\sigma^2_{wp} = R(0)\prod_{k=1}^{p}\left[1 - |a_k(k)|^2\right] \tag{2.4}$$
(2.5)
Where p is the number of poles in the system, or the number of peaks one is
trying to estimate, and the $a_p(k)$ coefficients are found through the use of
Levinson-Durbin recursion. It is also important to note that, by the problem
definition, the peak location and not its strength is important; thus the need
for the estimate for the linear predictor, $\sigma^2_{wp}$, is not clearly seen
yet. Nonetheless, its importance will become more apparent in later discussion.
While in this particular problem it is known that there is only one peak to be
acquired, the actual problem is the exact location of the peak. Although higher
order AR estimators produce better frequency resolution, they would impede the
solution to the problem in the case of GFSK transmission. As seen from figure
2.1, the signal shape could easily be consistent with a large number of
sinusoids; therefore, higher order AR estimators will only find multiple peaks
instead of focusing on the main one. A more detailed discussion on optimal order
selection can be found later on. A sample AR spectral estimate is shown in
figure 2.1.
Figure 2.1: Example of AR Estimate with the model order 5, only the dominant
coefficient shown. (Axes: Normalized Amplitude vs. Normalized Frequency; curves:
Spectrum of a Single Burst, Yule-Walker AR Estimate.)
2.2.2 Other AR spectral Estimation Methods
For the purposes of this project two more AR spectral estimation methods will be
considered: Burg and Least-Squares. These methods are considered for comparison;
full descriptions of the methodology can be found in references [12, 13].
However, the reasons for their omission should be commented on.
Burg: While the Burg AR method for spectral estimation is considered superior to
Yule-Walker in the literature [11], it is for reasons that would not, in this
author's opinion, benefit the spectral estimation of a GFSK signal. The Burg
method is considered to perform better in conditions with high levels of white
noise (AWGN), which is not necessarily the issue in the case of Bluetooth.
Also, with higher order estimates it produces a line splitting phenomenon that
is highly undesirable in this instance.
Least Squares: While in performance comparisons it was found to have better
performance than Burg, it is derived through similar modeling and shows weak
performance under non-Gaussian noise.
2.2.3 Selection of AR Model Order
An important part of implementing any AR spectral estimator is the order
selection. Lower orders produce smoothed and inexact spectrum estimates, while
very high order models tend to introduce low-level peaks in the spectrum [11].
Multiple methods have been introduced throughout the years to deal with this
particular problem, two of which will be reviewed here. The earliest method for
order estimation was the FPE (final predictor error) criterion, described by [14]:
$$\mathrm{FPE}(p) = \sigma^2_{wp}\left(\frac{N+p+1}{N-p-1}\right) \tag{2.6}$$
where $\sigma^2_{wp}$ is the estimated variance of the linear prediction error,
N is the length of the data and p is the order. The order is selected to
minimize FPE(p). FPE analysis of the system can be seen in Fig. 2.2.
Another method is CAT (criterion autoregressive transfer), defined as [15]:
$$\mathrm{CAT}(p) = \left(\frac{1}{N}\sum_{k=1}^{p}\frac{1}{\bar{\sigma}^2_{wk}}\right) - \frac{1}{\bar{\sigma}^2_{wp}} \tag{2.7}$$
$$\bar{\sigma}^2_{wk} = \frac{N}{N-k}\,\sigma^2_{wk} \tag{2.8}$$
The optimal order is determined by minimizing CAT(p). This approach was also used
on the current system, with results found in Fig. 2.2. It can be seen from both
estimates that although the optimal order p is not the same, it is very similar;
thus for the purposes of our experiments 5th order AR estimators will be computed.
However, only the first pole will be used to determine the carrier frequency, since
it contains the information about the most dominant signal in the spectrum.
Figure 2.2: CAT vs. FPE criteria for order determination. (Axes: Normalized
Amplitude vs. p (order); curves: FPE(p), CAT(p).)
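Added example (not code from the report): a pure-Python implementation of the single-burst estimator described in Sections 2.2.1 and 2.2.3, using eq. (2.2), Levinson-Durbin, eq. (2.3) and eq. (2.6), set beside the 1600 Hz FFT bin limit of Section 2.1.2. The burst is constructed, an unmodulated carrier with AWGN rather than a GFSK Bluetooth burst, and the function names, the 20 kHz offset, the seed and the grid search for the spectral peak are assumptions of this example.

```python
"""Yule-Walker AR carrier-offset estimate on one constructed 625-sample burst."""
import cmath
import math
import random

FS = 1_000_000   # baseband sample rate used in the report (1 MHz)
N_BURST = 625    # samples in a full 625 us burst
ORDER = 5        # AR order the report settles on


def make_burst(offset_hz, snr_db, seed, n=N_BURST, fs=FS):
    """Constructed test input: unmodulated carrier at offset_hz plus complex AWGN."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)  # per-component std, unit signal power
    return [cmath.exp(2j * math.pi * offset_hz * i / fs)
            + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            for i in range(n)]


def autocorr(x, max_lag):
    """Biased autocorrelation of eq. (2.2): R(m) = (1/N) * sum x*(n) x(n+m)."""
    n = len(x)
    return [sum(x[i].conjugate() * x[i + m] for i in range(n - m)) / n
            for m in range(max_lag + 1)]


def levinson_durbin(r, order):
    """Solve the Yule-Walker equations recursively.

    Returns (a, errs): a[0..p] with a[0] = 1, and errs[k], the prediction
    error variance after order k (the running product of eq. (2.4)).
    """
    a = [1 + 0j]
    errs = [r[0].real]
    for k in range(1, order + 1):
        acc = r[k] + sum(a[i] * r[k - i] for i in range(1, k))
        refl = -acc / errs[-1]                    # reflection coefficient a_k(k)
        a = ([1 + 0j]
             + [a[i] + refl * a[k - i].conjugate() for i in range(1, k)]
             + [refl])
        errs.append(errs[-1] * (1 - abs(refl) ** 2))
    return a, errs


def ar_spectrum(a, sigma2, f_norm):
    """AR power spectrum of eq. (2.3) at f_norm cycles/sample."""
    denom = sum(a[k] * cmath.exp(-2j * math.pi * f_norm * k) for k in range(len(a)))
    return sigma2 / abs(denom) ** 2


def fpe(errs, n):
    """Final prediction error of eq. (2.6) for orders 1..p."""
    return [errs[p] * (n + p + 1) / (n - p - 1) for p in range(1, len(errs))]


def ar_offset_hz(x, order=ORDER, fs=FS, coarse=2048):
    """Carrier offset = location of the dominant peak of the AR spectrum."""
    a, errs = levinson_durbin(autocorr(x, order), order)
    s = lambda f: ar_spectrum(a, errs[-1], f)
    f0 = max((i / coarse for i in range(-coarse // 2, coarse // 2)), key=s)
    step = 1 / coarse
    # Refine around the coarse maximum in steps of about 1 Hz.
    f1 = max((f0 + step * (j / 500 - 1) for j in range(1001)), key=s)
    return f1 * fs


def fft_peak_hz(x, fs=FS, max_offset_hz=75_000):
    """Peak DFT bin inside the +/-75 kHz window allowed by the Bluetooth spec."""
    n = len(x)
    kmax = int(max_offset_hz * n / fs)

    def mag(k):
        return abs(sum(v * cmath.exp(-2j * math.pi * k * i / n)
                       for i, v in enumerate(x)))

    return max(range(-kmax, kmax + 1), key=mag) * fs / n


if __name__ == "__main__":
    true_hz = 20_000.0   # constructed offset, midway between two 1600 Hz bins
    burst = make_burst(true_hz, snr_db=20.0, seed=1)
    _, errs = levinson_durbin(autocorr(burst, ORDER), ORDER)
    print("FPE(p), p=1..5:", [round(v, 5) for v in fpe(errs, len(burst))])
    print("AR estimate  (Hz):", round(ar_offset_hz(burst), 1))
    print("FFT peak bin (Hz):", fft_peak_hz(burst))
```

Because the constructed burst carries no GFSK modulation, the error here is far smaller than the kHz-level σerror the report measures on Bluetooth bursts; the point is only that the AR peak is not quantized to 1600 Hz bins.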
2.2.4 Recursive AR models
One of the problems in using AR spectral estimators is out-of-band noise.
Since the models provide pole based estimates, the signals that are not near the
frequency of interest act as system noise and degrade overall system performance.
A simple experiment was set up to test whether signal conditioning would rectify
this situation. With initial knowledge of the carrier frequency offset it is
possible to perform a very narrow low-pass filtering and improve the estimate by
as much as 50%. However, without a priori knowledge of the carrier frequency
offset it might be possible to "zoom" in to the desired frequency by recursively
filtering away extraneous information. A more detailed treatment of recursion can
be found in later sections.
CHAPTER 3
The Foundation
3.1 Universal Software Radio Peripheral
Universal Software Radio Peripheral, or USRP, is a computer peripheral that,
in conjunction with a Software Defined Radio platform such as GNU Radio or
SIMULINK©, is a very powerful tool. Currently the device is in its second
generation of hardware revision, USRP2, with technical specifications as follows
[16]:
• Gigabit ethernet interface
• Xilinx Spartan 3 2000 FPGA
• RF bandwidth of 25 MHz @ 16bits
• ADC: 100 MS/s @ 14bits
• DAC: 400 MS/s @ 16bits
One of the most noticeable differences between the hardware revisions is the
increased RF bandwidth and the addition of a gigabit ethernet interface. The
original USRP has a bandwidth of 8MHz and is interfaced through a USB2.0
connection, which is much slower with higher processor overhead. Implementation
of the system would still be possible using USRP1; however, the limited RF
bandwidth would minimize the possibilities for future expansion. As was mentioned
before, Bluetooth hops across 79MHz of spectrum in the 2.4GHz band, yet as can
be seen from the USRP2 specifications only 25MHz of bandwidth is available.
Technically, it should be reduced down to 24MHz, since the outlying 0.5MHz
regions have a much greater attenuation compared to the center 24MHz where
the frequency response of the device is flat. This would be a significant impasse
if the goal of the project were to transmit and receive Bluetooth signals rather
than to detect and characterize them. The pseudo-random hopping sequence in
Bluetooth has a uniform distribution for efficient spectrum usage. With that in
mind, about a quarter of all hops in one cycle of the sequence would land within
the 24MHz spectrum and we can use those pulses to extract the desired information.
With the usage of two USRP2 units, one for transmission and one for reception,
it would be possible to modify the Bluetooth hopping sequence, limiting the hops
to stay within the 24MHz bandwidth.
3.2 GNU Radio
GNU Radio is community maintained open-source software with a block-oriented
design. Most of the signal processing blocks are programmed in C++, with
Python used as a wrapper for the blocks. Additionally, Python is also used
to connect the blocks together into a flow graph, which is the end product [17].
The flow graph implementation allows the paths that are in parallel to be
executed in a multi-threaded fashion automatically, without additional effort from
the system designer. In the context of our project this should significantly
improve the overall system performance, considering that we are monitoring
multiple channels in an effort to detect the hopping signal. Initially GNU Radio
Companion (GRC), a SIMULINK-like design tool, was used to help with the design
and implementation of our system; however, we later moved to direct coding
in Python to connect the blocks after it was discovered that our system design
was too complex to implement in GRC. Similarly, we had to write several of our
own signal processing blocks in C++ to test and compare the performance of our
algorithms from SIMULINK simulation to a real-world implementation.
3.3 MATLAB
With USRP becoming more widespread, Mathworks has created Simulink
blocks for interacting with the device. Since MATLAB version 2010a the two
critical blocks that have been added are USRP Transmitter and USRP Receiver. With
this advance it is now possible to prototype and experiment with new designs
rather quickly without having to implement proprietary signal processing blocks
in GNU Radio. It is important to note that there are some modifications that
need to be made to USRP units to enable their interaction with MATLAB [18].
Loading the units with a special firmware is only half the battle; with the new
firmware the units can no longer be interfaced through a switch. To resolve
this issue there need to be two dedicated gigabit network interface cards in one
computer, or two computers with a dedicated gigabit port each.
CHAPTER 4
Implementation
4.1 Transmitter
To test the characterization in real-time on USRP2, a modified Bluetooth
transmitter was implemented. Details for both the original Bluetooth standard and
the modified implementation are presented in Table 4.1.
Parameter                    Nominal        Modified
Frame Period                 625µs          625µs
Bandwidth                    1 MHz          1 MHz
Frequency hopping rate       1600 hops/s    1600 hops/s
Number of Subchannels        79             11
Carrier Frequency            2.4GHz         2.4GHz
Frequency Offset Std.Dev.    ± 20 ppm       ± 20 ppm
Maximum Frequency Offset     ± 31 ppm       ± 31 ppm
Table 4.1: Bluetooth Nominal & Modified Simulation Parameters
The number of subchannels needed to be adjusted due to the previously
discussed spectral bandwidth limitations of USRP2. Aside from that change the
rest of the signal characteristics remain unchanged to ensure the validity of the
model, which depends primarily on the characteristics of individual bursts. The
system design is focused on the analysis of the signal on a per burst basis and
thus the hopping sequence will not affect the final outcome of the results.
However, in further expanding the design the issue of keeping track of, or
figuring out, the hopping sequence would occur.
Even using a reference Bluetooth transmitter implementation supplied by
MATLAB©, and after the reduction of subchannels, Simulink still had issues
generating and transmitting the required I&Q samples in real-time. To mitigate
this problem the transmitter was split into a two part design. The first stage
generated 10 seconds of Bluetooth samples at 90% duty-cycle and saved the I & Q
samples separately. In the second stage, the samples were read back, combined
into a complex signal and fed directly to the USRP2 through a USRP Transmitter
block. A 12MHz snapshot of the transmitted spectrum with the burst is shown in
Figure 4.1.
Figure 4.1: TX Spectrum (Axes: Amplitude (dB) vs. Frequency (MHz).)
4.2 Receiver
Similarly to the transmitter, the receiver was implemented in SIMULINK© using
the USRP Receiver Block to interface with the USRP2 device. Figure 4.2 shows
the block diagram of the receiver implemented. Below is a description of each
block:
Figure 4.2: Block Diagram of the Receiver
USRP: The USRP, internally, has an RF front-end, a down-converter, and an
analog-to-digital converter. The received signal is mixed down to intermediate
frequency (IF), then it is digitized to 14 bits via the ADC and transmitted
over the gigabit ethernet to the computer, where the samples stream from
the USRP Receiver block in Simulink, or a USRP source block in GNU
Radio. This whole operation occurs in the background and is transparent
to the user.
N-FFT & Energy Detection: While in IF, the system needs to determine in
which one of the 11 subchannels the burst is being transmitted. The
N-FFT block performs an N point fast Fourier transform that enables the
Energy Detection block to analyze the spectrum and determine the proper
subchannel carrier frequency, denoted by Fchan.
Baseband: Once the current subchannel has been determined, the signal is mixed
down to baseband, low-pass filtered and downsampled to reduce the effective
bandwidth to 1MHz.
AR Estimator: This block is a placeholder for the various AR spectral estimators
that have been implemented and tested as part of this project.
After the final stage the estimates are stored in the workspace, with the final
statistics computed after the experiment.
4.3 Troubleshooting
Some issues were encountered during the simultaneous operation of
transmitting and receiving on the same computer. These issues were not encountered
during the initial tests using transmission and reception of simple sine waves.
Through some investigation, it was concluded that the most likely culprit is the
amount of data that has to be handled by one computer, considering that each of
the USRP2 units is connected to its own dedicated Gigabit network interface card
and is being used in wide bandwidth mode, which generates more data; nonetheless,
it is important to point out that the processing power is not a problem [19]. To
mitigate this problem two computers were used, one for transmission and the other
for reception and real-time processing of the signal. The final test setup is
partially shown in figure 4.3.
Figure 4.3: Test Setup: 2 x USRP2 and 1 computer. 2nd computer not shown.
CHAPTER 5
Results & Discussion
5.1 Results
5.1.1 System Bias
For the experiment we must consider that there is some inherent clock drift in
the system. An experiment was set up to determine the relative clock drift between
the two USRP2 units. Different carrier frequency offsets were introduced into the
system: 0, 25k, 50k, 75k Hz. As can be seen from figure 5.1, the difference between
the transmitter carrier frequency offset and the received signal carrier frequency
offset estimate is approximately 13kHz, which is ∆Fref or the system reference
drift. For a sanity check, the number is checked against the oscillator that is
used in USRP2, which is rated at a fairly lax ±20ppm. This clock drift would give
a maximum possible offset of 48kHz while tuned to the desired Fc = 2.405GHz [20].
It is important to note that in this experiment there are two USRP2 units, thus
it is impossible to know how much clock drift is introduced by each oscillator.
The only thing that is certain is that the overall offset has to fall within the
range of ±40ppm. The clock drift for this system is computed below:
$$\mathrm{Drift} = \frac{\Delta F_{ref} \times 10^6}{F_c} = \frac{1.3 \times 10^3 \times 10^6}{2.405 \times 10^9} = 5.4167\,\mathrm{ppm} \tag{5.1}$$
The estimator is now modified to subtract ∆Fref = 13kHz from all the estimates;
this change can be observed in figure 5.1. Since the only difference in the
estimator is the subtraction of the reference offset, this doesn't change the
estimator statistics with regard to standard deviation of error.
Figure 5.1: Comparison between actual carrier frequency offset and estimated
carrier frequency offset. (Axes: Estimated Frequency Offset (kHz) vs. Actual
Frequency Offset (kHz); curves: Fc − ∆Fref, Estimated Fc.)
5.1.2 Comparison
Now that the system bias has been accounted for in the overall system
performance evaluation, we move on to the results of the experiments. Figure 5.2
shows a performance comparison of the three auto regressive spectral estimation
methods previously discussed. It can be seen that as the signal-to-noise ratio
increases, the overall system performance does not experience a great deal of
improvement. In comparison with the literature, the time-domain methods discussed
here outperform the frequency-domain analysis used for SNR greater than 10dB [7].
However, the time-domain approach is very susceptible to noise at lower (≤ 10dB)
SNR. The overall system performance improvement at 20dB (I20dB) can be computed as
follows:
$$I_{20dB} = \frac{\sigma^{fd}_{error} - \sigma^{td}_{error}}{\sigma^{fd}_{error}} = \frac{8400 - 5400}{8400} = 0.3571 \tag{5.2}$$
Or 35.71%. With a significant improvement over the status quo, it is recommended
to use the time-domain approach when estimating the carrier frequency offset of
frequency hopped signals.
Figure 5.2: AR Spectral estimation performance summary for Yule-Walker, Burg
and Least Squares. (Axes: σerror (Hz) vs. SNR (dB); curves: Yule-Walker, Burg,
Least Squares.)
The leveling-off of the performance improvement with an increase in SNR is
cause for further investigation into Bluetooth signal properties, which will be
discussed below.
      SNR (dB)                σerror (kHz)
No       Nm + No      Yule       Burg       LS-Cov
4        1.7328       13.796     15.822     18.117
6        2.8060       11.050     11.102     11.179
8        3.6513       9.506      9.569      9.715
10       4.2841       8.321      8.454      8.264
12       4.7367       7.336      7.446      7.419
15       5.1639       6.337      6.398      6.496
20       5.4837       5.403      5.476      5.525
25       5.5900       5.013      5.097      5.101
30       5.6241       4.896      4.939      4.967
50       5.6399       4.896      4.863      4.885
100      5.6400       4.893      4.863      4.885
500      5.6400       4.893      4.863      4.885
1000     5.6400       4.893      4.863      4.885
Table 5.1: A Summary of the AR Methods under different SNR and Effective SNR
5.1.3 On Recursion
As previously discussed, one of the major issues with using a filter as signal
conditioning to improve the results is knowing where to set the cutoff frequency.
With the ability to establish a quasi-theoretical performance limit under certain
conditions
• SNR of 25dB
• Cutoff frequency, wc = 0.05 normalized, or 25kHz.
• Carrier frequency offset, ∆Fc = 0Hz.
it can be estimated as σerror ≈ 3kHz. Having obtained a performance boundary
well below the single estimate results, it was now time to loosen the conditions
and observe the results.
Figure 5.3: Standard deviation of error, σerror (Hz), vs. # of Recursions
Since the carrier frequency offset can range over ±75kHz, the first estimate
was performed using a low-pass filter with wc = 0.99. With the final cutoff
frequency still set to 0.05, there is a variable number of equidistant stages from
almost no filtering to extreme. After each estimate the low-pass filter is shifted
in the complex baseband to be centered around said estimate instead of zero. The
idea is that the result will gradually improve with a slowly shrinking
window. The results are summarized in figure 5.3. Two important observations
are that the results are worse than with a single pass estimate, and while
they are improving with more iterations (smaller decrements in window size) the
cost greatly outweighs any possible benefit.
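The staged narrowing described above, as an added example that is not the report's code. It assumes a 1 MHz sample rate (so that wc = 0.05 corresponds to 25kHz), substitutes a first-order AR (lag-1 autocorrelation) estimator for the report's 5th order Yule-Walker estimator, and runs on a constructed unmodulated tone in white noise rather than a GFSK burst, so it shows the re-centering mechanics and not the report's σerror figures; all function names are hypothetical.

```python
import cmath, math, random

FS = 1_000_000  # assumed sample rate in Hz, so that wc = 0.05 is 25 kHz

def lowpass_taps(wc, ntaps=101):
    """Hamming-windowed sinc FIR; wc is the cutoff normalized to Nyquist (0..1)."""
    mid = (ntaps - 1) / 2
    taps = []
    for n in range(ntaps):
        k = n - mid
        ideal = wc if k == 0 else math.sin(math.pi * wc * k) / (math.pi * k)
        taps.append(ideal * (0.54 - 0.46 * math.cos(2 * math.pi * n / (ntaps - 1))))
    gain = sum(taps)
    return [t / gain for t in taps]  # unity gain at DC

def lag1_offset(x):
    """First-order AR (lag-1 autocorrelation) frequency estimate in Hz."""
    r1 = sum(x[n] * x[n - 1].conjugate() for n in range(1, len(x)))
    return cmath.phase(r1) * FS / (2 * math.pi)

def recursive_estimate(x, stages=5, wc_first=0.99, wc_last=0.05):
    """Shrink the filter in equidistant steps (stages >= 2), re-centering each time."""
    est = 0.0
    for s in range(stages):
        wc = wc_first + (wc_last - wc_first) * s / (stages - 1)
        # Shifting the signal down by `est` is equivalent to centering the
        # low-pass filter on the current estimate instead of on zero.
        shifted = [v * cmath.exp(-2j * math.pi * est * n / FS)
                   for n, v in enumerate(x)]
        taps = lowpass_taps(wc)
        filt = [sum(t * shifted[n - i] for i, t in enumerate(taps))
                for n in range(len(taps) - 1, len(shifted))]
        est += lag1_offset(filt)  # residual offset seen through this stage
    return est

def constructed_burst(offset_hz, snr_db, n=625, seed=1):
    """Constructed input: 625 samples of a complex tone plus white Gaussian noise."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)
    return [cmath.exp(2j * math.pi * offset_hz * k / FS)
            + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for k in range(n)]

if __name__ == "__main__":
    burst = constructed_burst(40_000.0, 25)
    print("single pass:", round(lag1_offset(burst)), "Hz")
    print("5 stages   :", round(recursive_estimate(burst)), "Hz")
```

Each stage costs a full FIR pass over the burst, which is the per-iteration cost the report weighs against the small gain in figure 5.3.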
5.2 Discussion
5.2.1 Model Validity
Figure 5.4: Distribution of single frequency offset estimates. (Axes: probability vs. frequency in Hz; legend: σerror, Gaussian Distribution.)
To ensure the validity of carrier frequency offsets that were computed through
spectral estimates, the distribution of single frequency offset estimates was plotted
and fitted with a normal distribution with the same standard deviation as the
result, in this case σ = 5kHz. Figure 5.4 displays the statistics for 5th order
Yule-Walker AR spectral estimates with SNR = 25dB. In accordance with the Central
Limit Theorem this allows us to draw large sample statistics, thus validating the
statistical conclusions from all the results presented in this report [21].
5.2.2 Effective Signal-to-Noise Ratio
Figure 5.5: A sample spectrum of a single burst overlaid with spectrum 20,000 bursts averaged. (Axes: normalized amplitude vs. normalized frequency; legend: Single Burst FFT, Avg. Spectrum.)
As previously discussed, due to the signal characteristics of a GFSK modulated
signal and the time limited nature of the Bluetooth signal it is difficult to ascertain
the exact carrier frequency. Let us consider a scenario with a Bluetooth burst that is
625µs in duration and has a very high SNR (above 100dB). In this scenario, it is
fair to say that AWGN has little to no impact on the overall performance of the
system. A sample of such a signal is demonstrated in Fig. 5.5 in conjunction with
a time averaged spectrum to show the underlying signal shape. By defining the
averaged spectrum as the signal and the single burst spectrum as GFSK noise
(or modulation noise Nm), we compute the signal-to-noise ratio for our scenario:
$$\frac{E_s}{N_m} = \frac{E_s}{E_b - E_s} = \frac{\sum_{1}^{N} |\bar{x}|^2}{\sum_{1}^{N} \left( |x|^2 - |\bar{x}|^2 \right)} = 5.64\,\mathrm{dB} \qquad (5.3)$$
where Es is the signal power without the GFSK modulation, shown as the averaged
spectrum in figure 5.5, and Eb is the energy of a single burst.
Now, let us consider a more realistic scenario with AWGN present. There is still
modulation noise in the system, but now there is also white noise present, No.
Considering the effects of both white noise and modulation noise on the system
a new equation for SNR (effective SNR) is derived as shown in equation 5.4.
$$\mathrm{SNR} = \frac{E_s}{N_m + N_o} \qquad (5.4)$$
From table 5.1.2 it is clearly seen that modulation noise (Nm) is the factor that
is driving the results, especially at higher signal energy. The discovery paves the
way for a different approach in carrier frequency offset estimation in future
work, where white noise will not be considered the only variable and performance
limiting parameter in the system.
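Equation 5.4 can be checked numerically against the Nm + No column of Table 5.1. This added example (not from the report; function names are hypothetical) assumes the table's SNR column is Es/No, combines it with the 5.64dB Es/Nm of equation 5.3 by adding noise powers, and also solves for the white-noise SNR at which the effective SNR sits a given margin below its ceiling.

```python
import math

MOD_SNR_DB = 5.64  # Es/Nm from equation 5.3 of the report

def db_to_lin(db):
    return 10 ** (db / 10)

def lin_to_db(x):
    return 10 * math.log10(x)

def effective_snr_db(snr_db, mod_snr_db=MOD_SNR_DB):
    """Es/(Nm+No) in dB, given Es/No and Es/Nm in dB (equation 5.4)."""
    # Noise powers add, so the reciprocals of the linear ratios add.
    inv = 1 / db_to_lin(snr_db) + 1 / db_to_lin(mod_snr_db)
    return lin_to_db(1 / inv)

def awgn_snr_for_margin(margin_db, mod_snr_db=MOD_SNR_DB):
    """White-noise SNR (dB) at which effective SNR is margin_db below its ceiling."""
    if margin_db <= 0:
        raise ValueError("the ceiling is reached only as SNR goes to infinity")
    target = db_to_lin(mod_snr_db - margin_db)
    inv_no = 1 / target - 1 / db_to_lin(mod_snr_db)
    return lin_to_db(1 / inv_no)

def table_column(snrs_db):
    """Effective SNR rounded as in Table 5.1, one (SNR, effective SNR) pair per row."""
    return [(s, round(effective_snr_db(s), 4)) for s in snrs_db]

if __name__ == "__main__":
    for snr, eff in table_column([4, 6, 8, 10, 12, 15, 20, 25, 30, 50, 100]):
        print(f"{snr:>4} dB  ->  {eff:.4f} dB")
    print("within 0.05 dB of ceiling at", round(awgn_snr_for_margin(0.05), 2), "dB")
```

Past roughly 25dB of white-noise SNR the effective SNR moves by less than 0.05dB, which matches the flattening of the σerror columns in the table.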
CHAPTER 6
Future Work
With the current implementation there are already significant improvements to
carrier frequency offset estimation in Bluetooth devices over the status quo. There
are several directions that should be explored to improve the accuracy of the
estimate and overall system robustness, as well as getting closer to the final goal
of uniquely identifying transmitters.
6.1 Other Methods for Spectral Estimation
This project explored three of the more common methods for autoregressive
spectral estimation: Yule-Walker, Burg and Least-Squares. There is
a plethora of other methods out there. Other methods include ARMA Model,
Pisarenko, ESPRIT and MUSIC.
• ARMA Model for spectral estimation is closely related to the Burg Model,
but provides better performance for signals in additive white noise [11].
• Pisarenko is another eigenvalue decomposition spectral analysis tool, but it
is primarily used for finding sinusoidal signals.
• ESPRIT and MUSIC Algorithms are not explicitly meant for sinusoids,
but are intended for narrow bandwidth signals.
ARMA will most likely produce results similar to the AR methods used in this
report, while the other algorithms will need some adaptation to perform
best in a frequency hopped environment like Bluetooth.
6.2 Speed Improvements
This is more of a long-term goal, since there seems to be no real limitation on
real-time processing as of now. That said, USRP2 does come with an on-board
Xilinx FPGA, which could be programmed to do some pre-processing on the data
before it gets to the SDR platform. Some investigation into the capabilities of
the FPGA revealed that it is capable of processing a full 2048-point FFT at 16-bit
I&Q samples [22]. One solution is to increase the complexity of the first stage,
while still keeping up with real-time constraints by performing it on the USRP.
During the first stage the USRP can identify the actual sub-channel for the burst
and downconvert it to baseband. This would significantly limit the amount of
data that is generated by the USRP2 on the network and possibly allow a single
computer to act as a Software Defined Radio platform for both transmitter and
receiver.
6.3 Recursive Approach
As previously discussed, it is thought possible to improve results on a single burst
by recursively estimating and adapting the system to each burst. While the specifics
of such future endeavors would depend on the particular spectral estimation or
carrier frequency estimation methodology in mind, this idea should be tested
with whichever approach is implemented.
6.4 I&Q Mismatch
Although I&Q mismatch is not considered a highly robust or reliable way to uniquely
identify transmitters [3], it is this author's belief that in conjunction with carrier
frequency offset estimation it would provide a better method for unique transmitter
identification. Furthermore, it is important to note that I&Q mismatch can
be calculated on a per burst basis, thus providing a better statistic for identification.
6.5 Wavelets
Figure 6.1: Wavelet De-noising (Spectral Estimation): Bior 3.7 with 3 higher orders kept. (Axes: normalized amplitude vs. normalized frequency; legend: Single Burst Spectrum, Denoised Spectrum.)
One way to reduce the noise and improve the shape of the spectrum for the
purpose of carrier frequency estimation is wavelet de-noising. Although
wavelets are traditionally utilized in data compression, they are extremely versatile
and could be adapted to a multitude of applications [23]. The premise of wavelets
is decomposing the signal into many levels, with each decomposition created by
repetition of the mother wavelet. Generally, with higher order decompositions
(above 6), higher order components, such as noise, are easily removed in the
reconstruction by avoiding the higher order coefficients. This can be observed in
figure 6.1, where the Bluetooth burst spectrum has been decomposed with only
the major contributors kept in the reconstruction. As can be seen from figure
6.1, there are definitely many possibilities in working with wavelets for the purposes
of spectral estimation or signal processing.
References
[1] D. Faria and D. Cheriton, “Detecting identity-based attacks in wireless networks using signalprints,” ACM WiSe, vol. 1, no. 1, pp. 43–52, 2006.
[2] N. Patwari and S. Kasera, “Robust location distinction using temporal link signatures,” in ACM MOBICOM. Quebec, Canada: ACM, 2007, pp. 111–122.
[3] V. Brik, S. Banerjee, M. Gruteser, and S. Oh, “Wireless device identification with radiometric signatures,” in MobiCom’08. San Francisco, California, USA: ACM, September 14-19 2008, 978-1-60558-096-8/08/09.
[4] T. Schmid, J. Friedman, Z. Charbiwala, Y. Cho, and M. Srivastava, “Xcxo: An ultra-low cost ultra-high accuracy clock system for wireless sensor networks in harsh remote outdoor environments,” NESL @ UCLA, Tech. Rep. TR-UCLA-NESL-200802-02, February 2008.
[5] Various, “Get technical,” WWW, April 2009, http://www.bluetooth.com/Bluetooth/Technology/.
[6] M. S. Nixon and A. S. Aguado, Feature Extraction and Image Processing. Maryland Heights, Missouri: Academic Press, 2008, pp. 88.
[7] A. Gok, S. Joshi, J. Villasenor, and D. Cabric, “Estimating the number of frequency hopping interferers using spectral sensing with time and frequency offset measurements,” in IEEE MILCOM. Boston, MA: IEEE, 2009.
[8] J. B. Tsui, Fundamentals of Global Positioning System Receivers: A Software Approach, 2nd ed. Hoboken, New Jersey: Wiley-Interscience, 2004, pp. 239-243, ISBN: 0471706477.
[9] J. K. Holmes, Spread Spectrum Systems for GNSS and Wireless Communications. Norwood, Massachusetts: Artech House Publishers, 2007, pp. 387-388, ISBN: 978-1-59693-083-4.
[10] E. Boyer, M. Petitdidier, W. Corneil, C. Adnet, and P. Larzabal, “Application of model-based spectral analysis to wind-profiler radar observations,” Annales Geophysicae, vol. 19, pp. 815–824, 2001.
[11] J. Proakis and D. G. Monolakis, Digital Signal Processing, 3rd ed. Upper Saddle River, New Jersey: Prentice Hall, 1996, pp. 910-930.
[12] J. P. Burg, “The relationship between maximum entropy and maximum likelihood spectra,” Geophysics, vol. 37, pp. 375–376, April 1972.
[13] T. J. Ulrych and R. W. Clayton, “Time series modeling and maximum entropy,” Physics of the Earth and Planetary Interiors, vol. 12, pp. 188–200, August 1976.
[14] H. Akaike, “Power spectrum estimation through autoregression model fitting,” Annals of the Institute of Statistical Mathematics, vol. 21, pp. 407–419, 1969.
[15] E. Parzen, “Some recent advances in time series modeling,” IEEE Transactions on Automatic Control, vol. AC-19, pp. 723–730, December 1974.
[16] M. Ettus, USRP2 FAQ, GNU Software Foundation, 2010, http://gnuradio.org/trac/wiki/USRP2GenFAQ.
[17] E. Blossom, How to Write a Signal Processing Block, rev. 0.3 ed., Free Software Foundation, Inc, April 2008, http://www.gnu.org/software/gnuradio/doc/howto-write-a-block.html.
[18] Various, “Where can i obtain firmware for my usrp2?” WWW, November 2010, http://www.mathworks.com/support/solutions/en/data/1-CUN7JZ/index.html?product=CB&solution=1-CUN7JZ.
[19] L. Choong, “Multi-channel ieee 802.15.4 packet capture using software defined radio,” Master’s thesis, UCLA, April 2009, http://nesl.ee.ucla.edu/fw/thomas/leslie choong multichannel ieee802154.pdf.
[20] Ecliptek, EC26 Series Oscillator Data Sheet, Ecliptek Corporation, April 2009.
[21] J. Rice, Mathematical Statistics and Data Analysis, 2nd ed. Pacific Grove, California: Duxbury Press, 1995, ISBN 0-534-20934-3.
[22] J. Corgan, “FPGA ”headroom” in USRP2,” February 2009, http://lists.gnu.org/archive/html/discuss-gnuradio/2009-02/msg00192.html.
[23] Y. Meyer, “Wavelets - Algorithms and applications,” Applied Mathematics, 1993.