Book Gnuradio FR 19 en

Download as pdf or txt
Download as pdf or txt
You are on page 1of 37

Table of contents

Array signal processing optimization in GNU Radio for tracking and receiving
applications, Bieber E [et al.] 1

SatNOGS: Towards a Modern, Crowd Sourced and Open Network of Ground


Stations, Julien Nicolas 4

VLBI with GNU Radio, RFNoC and White Rabbit, Boven Paul 6

Frequency locking a laser on a spectral hole pattern with a multi-channel


heterodyne method using SDR and GnuRadio, Galland N [et al.] 7

Embedded and Connected Receiver System for nano-satellite in Low Earth


Orbit (LEO), Spies Francois [et al.] 9

Using GNU Radio to do signal acquisition and analysis with Scopy, Suciu
Adrian 11

Fully Digital Electronics for Fiber-Link Frequency Transfer Implemented on


Red Pitaya, Cardenas Olaya Andrea Carolina [et al.] 12

KiwiSDR as a new GNURadio source, Mayer Christoph 14

Phase noise & digital noise: what is it and why it is important for ground-
breaking RF-applications., Bourgeois Pierre-Yves 16

Using GNU Radio Companion to improve student understanding of signal


processing theory through VHF Omni-Directional Range (VOR) signal de-
modulation, Blais Antoine [et al.] 17

1
A LoRaWAN Security Assessment Test Bench, Claverie Tristan [et al.] 19

A 60GHz digital link with GNU Radio and USRP radios, Boeglen Herve 22

A Software Defined Radio 802.11 Infrared Transmission System, Joumessi


Steve [et al.] 24

Study of the use of a SDR Passive RaDAR for the safe outdoor operation of
an atmospheric LiDAR, Peyrin Frédéric [et al.] 26

Embedded GNU Radio running on Zynq/PlutoSDR, Goavec-Merou Gwen-


hael [et al.] 28

GNU Radio implementation for Multiuser Multi-Armed Bandit learning al-


gorithms in IoT networks, Manco Julio [et al.] 30

Framework for PHY-MAC layers Prototyping in Dense IoT Networks using


FIT/CorteXlab Testbed, Oubejja Othmane [et al.] 32

Hacking the DSMx Drone RC protocol, Morin Cyrille [et al.] 34

Author Index 36
Array signal processing optimization in GNU Radio
for tracking and receiving applications
E. Bieber1 , C. Campo1,2 , L. Bernard1 , H. Boeglen2 , S. Hengy1 , J.-M. Paillot2
1
French-German research institute of Saint-Louis (ISL), Saint-Louis, France
2
Université de Poitiers, XLIM, UMR 7252, Poitiers, France

Abstract

Among other missions the French German research Institute of Saint-Louis (ISL) works on array
signal processing for secured communications between high speed projectiles and allied base stations.
Within that framework, a projectile tracking receiving station based on commercial Software-Defined
Radios (SDR) was developed using four channels to steer an antenna array and recombine the received
signals, hence improving the gain of the receiving station. A transmitter embedded in the projectile
sent data to the developed receiving station at a 2 Mbits/s. In order to decode and process in real
time the data received by the four channel antenna array, a high sampling rate was required. As this
highly resource consuming application resulted in sample overflows that is, in periodic losses of data
between the SDR and the computer, an optimization of our algorithms computed on GNU Radio and
the communication between our blocks proved to be necessary.
This paper intends to provide feedback on our optimization work. Some of the main problems we
encountered and the solutions we propose to solve them are briefly exposed and will be further detailed
in our oral presentation.

1 Introduction
Among other missions, the ISL works on develop-
ing secure communications between fired projectiles
and ground stations for future smart ammunitions.
Antenna arrays then offer many advantages such as
directional radiation patterns that can be dynam-
ically reconfigured to follow a moving transmitter,
fight against hostile jammers or listeners, etc. In
this context a SDR-based receiving station was de-
veloped using GNU Radio and the commercial Uni-
versal Software Radio Peripherals (USRPs) sold by
National Instruments, and proved to be able to elec-
tronically follow a transmitter by steering a four
element Uniform Linear Array (ULA), increasing
Figure 1: Flowgraph runnable at 1MS/s but creat-
the gain on the received signal. However in order
ing data overflows at 8.33MS/s.
to simultaneously decode the transmitted signal at
a 2 Mbits/s baud rate, the sampling rate for all
channels needed to be raised to 8 MSamples/s. To
compose with the SDR requirements it was neces-
sary for our laptop to receive data at a total rate of Fig. 1 exhibits a flowgraph that managed to
33.33 MS/s (for all four channels), process the re- perform projectile following at 1MS/s but created
ceived data with our implemented algorithms such data overflows when higher sampling rates were re-
as beamforming and direction finding (DOA) that quired. The important number of streams and use
were introduced in [1], and record the whole in real of loops instead of vector oriented library kernels
time, resulting in a highly data consuming applica- (Volk) were partly responsible for these overflows.
tion. Our first attempt to run this application with
a laptop equipped with an Intel i7 processor, 32 This paper does not focus on our application and
GB of RAM and a Samsung 850 evo SSD resulted results, but intends to present our work on code
in data overflows, i.e. in periodic data losses due to optimization, especially to extend the computation
the lack of computation power, hence forcing us to efficiency of our algorithms and flowgraphs devel-
think carefully about computation efficiency when oped in C++ in GNU Radio [2]. The remaining of
implementing our application in GNU Radio. this abstract briefly covers suggested improvements
we have explored to avoid overflow issues.

1
2 Suggested improvements for tion will allow GNU Radio threads to have prior-
ity over concurrent threads. Finally blocks using
optimization computationally heavy algorithms like DOA esti-
mation, etc, can be bound to a dedicated proces-
The first and most obvious question that arises is sor core while less demanding threads are bound
the network throughput between the SDR and the to a pool of remaining cores. It can be noted that
laptop, as well as the laptop capability to record all sometimes splitting such blocks into several ones
the needed data fast enough. In the case of our ap- will take advantage of the multi-core environment.
plication, the total 33.33MS/s sampling rate forced
us to install a Thunderbolt 2 SANLink adapter. It
can also be useful to create a RAMDisk if the drive
is not capable to record fast enough. Reducing the
amount of written data will have a positive effect
on the bitrate: users should write binary files rather
than ASCII ones and use data types with smaller
memory size.
Once it is sure network throughput and data
recording speed are not the bottlenecks that cre-
ate data overflows, one can investigate his source
code to enhance his application efficiency. Due to
GNU Radio’s way of processing streams as buffers
of data, the work() method of a block is usually a
two-level loop that parses each sample of each input
stream. One should avoid multiple computations Figure 2: Flowgraph runnable at 8.33MS/s.
of invariant values inside loops, but also try to use
optimized functions such as memcpy() or the Volk Fig. 2 shows an optimized version of the previous
library [3] kernels instead of these loops whenever flowgraph that can be run on the same laptop at
possible. 8.33MS/s with a graphical view of the four received
However even if correctly managing streams be- signals.
tween blocks allows to spare resources, it remains
important to limit those streams when they are ex-
pendable. Although it might be tempting as a fast 3 Conclusion
implementation to simply add a stream to a block
This paper presents the main modifications we
as a trigger or a way to share a variable between
brought to our developed blocks, making our ap-
blocks, it is computationally expensive and can be
plication runnable for four channels at a 8.33MS/s
responsible for data overflows when high sampling
sampling rate. An alternative communication vec-
rates are required. In order to efficiently communi-
tor between blocks that fits some of our particular
cate information between blocks, GNU Radio na-
needs has been mentioned, and all the suggested
tively offers the possibility to tag existing streams
improvements presented above will be further de-
with metadata. Since a tag is associated to a sam-
tailed in our oral presentation.
ple of a data buffer, we can consider tags as a syn-
chronous communication vector. For asynchronous
communication GNU Radio allows blocks to send References
messages to other blocks. A message is a 1 to N
communcation carried out by the sender: the re- [1] C. Campo, L. Bernard, H. Boeglen, S. Hengy,
ceiver message handler is called for each pending J.-M. Paillot, Software-Defined Radio system
message. As no native option is given for users for tracking application, EuCAP London 2018.
to develop blocks that can asynchronously use a
shared variable, we developed a new communica- [2] GNU Radio 3.6.4.2 C++ API documen-
tion vector based on static variables that allow vari- tation at https://www.gnuradio.org/doc/
ables to be read and written by several blocks in doxygen-3.6.4/index.html
a thread-safe way assured by a mutex. Further [3] Vector Optimized Library of Ker-
details on our proposed communication vector be- nels (Volk) doxygen documentation at
tween blocks will be given in our presentation. libvolk.org/doxygen/
After information communication between blocks
has been verified enabling real time scheduling op-

2
SatNOGS: Towards a Modern, Crowd Sourced and
Open Network of Ground Stations
Manolis Surligas1,2 , Matthaios Papamatthaiou1 , Ilias Daradimos1 , Vasilis Tsiligiannis1 ,
Pierros Papadeas1 , Agisilaos Zisimatos1 , Fredy Damkalis1 , Kostis Triantafillakis1 , George Vardakis1,2 ,
Nestoras Sdoukos1,2 , Nikos Karamolegkos1,2
1
Libre Space Foundation, Athens Greece, [email protected]
2
Computer Science Department, University of Crete

Abstract

Over the last years the launching cost of a payload in space has been significantly reduced and this
trend is expected to continue, as the interest for space applications is increasing. The reduced launch
cost and the advancements in technology, gave the opportunity to small satellites to revolutionize access
to space.
The majority of the small satellites missions are targeting the Low Earth Orbit (LEO). Due to the
nature of this particular orbit, communication with a satellite is possible only for a few minutes per day
for a given location. This raises the need for multiple ground stations in several geographic locations.
Although such an infrastructure is possible, most of the times it is both complicated and expensive for
research or educational entities to obtain. Given the fact that each ground station exhibits a small per
day utilization for a specific satellite, the idle time can be used for reception of other missions.
SatNOGS is an open source software and open hardware project that addresses this problem by
interconnecting all participating ground stations, offering their idle time to other users of the SatNOGS
network.

1 Introduction able ground stations, while allowing the owner of


a ground station to have complete control over
SatNOGS is a global network of satellite ground her hardware. The SatNOGS Database (DB)[1]
stations, designed as an open source participatory is responsible for keeping the orbital elements and
project that receives data from Low Earth Orbit communication related information of each satel-
(LEO) satellites. This particular orbit provides the lite. It also holds decoded frames from the de-
ground station with a reception window that is lim- ployed ground station network. The Data Ware-
ited to a few minutes. Therefore, a ground sta- house, visualizes graphically the gathered data from
tion remains underutilized and idle for most of the each satellite using a web interface and the Grafana
time. On the other hand, using a single ground visualization framework. Last but not least, the
station means that there are only a few communi- SatNOGS Ground Station is the necessary software
cation windows to send or receive data from a LEO and hardware, that allows satellite tracking, the
satellite each day. control of the RF front-end, signal reception and
The concept of SatNOGS, is to use the deployed demodulation of possible data frames.
ground stations around the world in an efficient
manner so that both the underutilization of them as
well as the coverage problems can be resolved with 2.1 The network
a single solution. Aground station operator join-
ing the SatNOGS network, provides the idle time The SatNOGS Network[2] infrastructure is the
of their ground station to other users, while at the backbone of the SatNOGS ecosystem and instru-
same time they can take advantage of ground sta- ments essential functionalities for the flawless, effi-
tions at various locations of the earth to schedule cient and effective operation of the entire project.
observations. The network infrastructure services can be divided
into two main categories, the back-end and the
front-end. At the back-end, the SatNOGS Network
2 Architecture keeps track of the available online ground stations
and the list of the observation jobs that each one
The SatNOGS ecosystem consists of several com- has been assigned. Moreover, it receives observa-
ponents operating interchangeably. The SatNOGS tion data from the deployed ground stations. The
Network infrastructure orchestrates the schedul- received data are either stored in the network in-
ing of each ground station, based on the trajec- frastructure to be used through the web interface
tory of the targeted satellites and the online avail- or are submitted to the SatNOGS DB[1] for fur-

1
ther analysis. The front-end of the SatNOGS Net- The software on its core is written in C++, us-
work provides a set of different web interfaces. For ing also some Python bindings. The first task of
the ground station operators, a web-based control this module is to receive the signal from the SDR
panel is available in order to control and configure front-end, apply coarse filtering and re-sample it.
remotely their stations. It also allows operators to The later is crucial in order to reduce the sampling
schedule rate of the signal originating from the SDR device,
so the processing can be performed in CPU lim-
ited devices like the Raspberry Pi 3. Afterwards
2.2 Rotator hardware and based on the satellite trajectory, the gr-satnogs
SatNOGS Rotator is the mechanism that allows compensates the Doppler effect which introduces a
tracking of satellites in both azimuth and elevation constantly changing center frequency offset. Then,
axis. By design, the goal of the rotator is to keep the Doppler corrected signal passes additional and
the cost low, by using widely available materials of more fine grained filtering stages. Finally, the mod-
common sizes and 3D printed parts. For the users ule tries to automatically demodulate the resulting
that cannot afford a rotator, SatNOGS can still op- signal in real-time, based on the coding/modulation
erate without one, using a less directional antenna. scheme of the targeted satellite. At the same time,
the module produces a waterfall spectrum analysis
plot and an audible representation of the spectrum.
2.3 Client software The waterfall plot is an excellent tool, for imme-
diate and visual spotting of satellite transmissions,
The SatNOGS Client[4] is a Python program that nearby interference, possible RF performance issues
runs on the ground station computer. The client or misconfiguration at the station setup. The audi-
is responsible to retrieve observation jobs from the ble transformation of the spectrum, is a technique
network and execute them. When a new job is re- quite popular in the amateur community and many
ceived from the network, it is placed in an execu- amateur signal analysis tools utilize it. For each
tion queue, sorted in chronological order based on observation, the decoded frames, a waterfall spec-
the start time of the satellite pass. The client con- trum analysis plot and the audio file are uploaded
stantly monitors the local time of the ground sta- back to the SatNOGS Network, for visualization
tion and the starting time of the first observation at and further analysis. Currently, gr-satnogs pro-
the queue. When the timing is proper, the client re- vides automated demodulators decoders that cover
moves the observation job from the queue and pre- a wide range of satellite missions. From beacons to
pares to execute it. To do so, it initializes the SDR weather pictures.
front-end with the RF parameters described by the
job and then executes the appropriate GNU Radio
script provided by the gr-satnogs OOT module[3]. 3 Conclusion
Meanwhile, the client controls the rotator, so the
antennas can track the trajectory of the targeted The use of gnuradio enable an unmatched agility in
satellite. When the observation job is finished, the a groundstation network. The ability to demodu-
client instructs the rotator to place the antennas in late virtually any kind of transmission is fully future
a park position. Then, all the resulting files gener- proof. It only requires automated software update
ated by the grsatnogs OOT[3] are uploaded back to of the client. It is also the perfect match with low
the network. The client continues to operate, wait- cost SDR receiver like rtl-sdr.
ing for the execution of the next job in the queue.
References
2.4 Gnuradio OOT module
[1] SATNOGS Database : https://db.satnogs.
Each ground station is equipped with an SDR de- org/
vice for the signal reception. The architecture is
modular enough, so it can support a wide range of [2] SATNOGS network : https://network.
different SDR hardware, depending on the target satnogs.org/
cost of the station. For example, there are stations [3] gr-satnogs : https://gitlab.com/
using an RTL SDR dongle costing about 15USD, librespacefoundation/satnogs/gr-satnogs
whereas others utilize a high-end device like the
USRP B210 with a cost of 2000USD. For the signal [4] SATNOGS client : https://gitlab.
analysis and demodulation, the GNU Radio Out-of- com/librespacefoundation/satnogs/
Tree (OOT) module called gr-satnogs [3] is used. satnogs-client

2
VLBI with GNU Radio, RFNoC and White Rabbit
P. Boven
JIVE, Netherlands

Abstract

1 Introduction

1
Frequency locking a laser on a spectral hole pattern
with a multi-channel heterodyne method using SDR
and GnuRadio
N. Galland1,2 , N. Lucic2 , H. Alvarez-Martinez2 , S. Zhang2 , B. Fang2 , R. Le Targat2 ,
A. Ferrier3,4 , P. Goldner3 , S. Seidelin1,5 , Y. Lecoq2
1
Université Grenoble Alpes and CNRS, Institut NEEL,
F-38042 Grenoble, France
2
LNE-SYRTE, Observatoire de Paris, Université PSL, CNRS, Sorbonne Université,
61 avenue de l’Observatoire 75014 Paris
3
Université PSL, Chimie ParisTech, CNRS, Institut de Recherche de Chimie Paris,
75005, Paris, France
4
Sorbonne Université, 75005, Paris, France
5
Institut Universitaire de France, 103 Boulevard Saint-Michel,
F-75005 Paris, France

Abstract

High precision spectroscopic probing of a narrow spectral hole pattern imprinted in the inhomo-
geneously broadened absorption spectrum of Eu3+ : Y2 SiO5 crystal can be used to stabilize a laser
frequency. A multi-hole pattern can be burn and all the holes can be probed simultaneously using a
multiple frequency signal. The dispersion induced dephasing acquired by the light through the crystal
is measured to derive an error signal suitable to lock the laser frequency to the spectral hole pattern.
An Ettus USRP X310 driven by a python program based on GNU Radio is used for both generating
the multiple frequency signal and to compute the correction applied to the laser frequency.

1 Introduction 2 Experimental setup


Frequency stabilization of ultra-stable lasers is typi- To ensure the possibility of spectral hole burning,
cally realized using high finesse optical Fabry-Perot the europium doped yttrium orthosilicate (Eu3+ :
cavities (FPC) that can provide a stability of a few Y2 SiO5 ) crystal is maintained at a cryogenic tem-
10−16 at about 1 s integration time. However, re- perature, typically between 3.2K and 4K, in a com-
cent development concerning optical lattice clocks mercial close-cycle cryostat with vibration isola-
appear to require lower frequency noise at this time tion.
scale to obtain the best performances of the clock.
Eu3+:Y2SiO5
A new direction of development for laser stabi-
ML x2
lization relies on spectral hole burning. The spec- PD2
T=4K
tral pattern imprinted in a rare earth doped crys- PDH Cavity Lock
PD1 1.952 GHz
tal at cryogenic temperature is expected to show
higher stability than the brownian motion limited AOM
FPC [1], [2]. double
Frequency Comb pass
LPF LPF
The spectral hole burning technique relies on two 8 MHz

physical processes occuring in Eu3+ : Y2 SiO5 crys-


tals. First, the initially narrow 7 F0 → 5 D0 transi- USRP
X310
tion of Eu3+ is, due to inhomogeneities in the host Offset
PLL
SL x2

crystalline matrix, broadened from 120 Hz for an


isolated ion to approximately 2 GHz. Secondly, at
cryogenic temperatures, a narrow linewidth laser Figure 1: Schematics of the experimental setup.
can excite some ions to metastable levels with a The GNU Radio flowgraph is driving the USRP to
lifetime that can reach tens of days at 4 K. By do- generate multi frequency signal for AOM and com-
ing so, the absorption is saturated around the laser puting the correction applied to the offset of the
frequency and a hole is created in the absorption PLL from the two RX signals
spectrum that can be use as a frequency discrimi-
nator for laser stabilization. A two-laser optical system is used to burn and

1
then probe the spectral hole. The master laser at 4 Conclusion
1160 nm is pre-stabilized to a high finesse FPC. An
offset phase-lock loop is used to servo the slave laser The double-hole based detection has improved a lot
at 1160 nm to the master laser with a controlled the detection noise of the detuning induces disper-
offset frequency (typically 980 MHz). Both lasers sion. Indeed, the previous detection scheme using
are independently frequency doubled to reach 580 only one hole was exhibiting a noise level compati-
nm, the center of the broadened transition 7 F0 → ble with a stability in the low 10−15 at 1 s. The new
5
D0 . The slave laser is then sent to a double-pass scheme shows a detection noise compatible with a
AOM to generate an arbitrary spectral pattern in stability in the mid 10−16 at 1 s.
the light (in the 1 MHz range around the center We then infer that the residual instability of the
frequency). Both yellow lasers are then spatially laser when locked to the spectral hole is not due
overlapped and the resulting beam is splitted in to the detection noise of the setup, but to other
two channels, one going through the crystal and to technical issues. Next imporvement will be to re-
a 2 GHz bandwith photodiode, the other directly duce the thermal fluctuation of the sample holder
to an identical photodiode for reference. in the cryostat and the residual vibration due to
the working cycle of the pulsed tube. An investiga-
The beatnote obtained on each photodiode is de-
tion to find the optimal spectral pattern will also be
modulated to 8 MHz and amplified before acqui-
conducted to reach the low 10−16 at 1 s or below.
sition by the two RX channels of an Ettus USRP
This project has received fundings from Ville de Paris
X310. One TX channel is used to drive the fre-
Emergence Program, LABEX Cluster of Excellence FIRST-
quency offset between the two lasers. The other
TF (ANR-10-LABX-48-01), within the Program “Investisse-
TX channel is used to drive the double-pass AOM.
ments d’Avenir” operated by the French National Research
The GNU Radio flowgraph is on the one hand de- Agency (ANR), Région Ile de France; European Union’s
riving the error signal from the dephasing between Horizon 2020 research and innovation program under grant
RX channels induced by the spectral hole disper- agreement No 712721 (NanOQTech); ANR under grant
sion. A spectral mask is applied to band pass fil- number 14-CE26-0037-01 DISCRYS; EMPIR 15SIB03 OC18
ter the RX signal arround different frequencies and and from the EMPIR program co-financed by the Participat-
remove any unwanted spectral component. The a ing States.
proportionnal and integrator filter applied on the
error signal provides a correction modulating the
TX channel driving the offset frequency. On the References
other hand, another flowgraph is used to generate
an arbitrary spectral pattern applied to the AOM. [1] M. J. Thorpe, L. Rippe, T. M. Fortier, M. S.
Kirchner and T. Rosenband, “Frequency stabi-
lization to 6 × 10−16 via spectral-hole burning”,
Nat. Photon. 5, 688-693 (2011)
3 Results [2] D. R. Leibrandt, M. J. Thorpe, C.W. Chou, T.
M. Fortier, S. A. Diddams,and T. Rosenband,
An optical frequency comb stabilized on a state-of- “Absolute and Relative Stability of an Optical-
the-art ultrastable laser allows us to evaluate the Frequency Reference Based on Spectral Hole
stability of our laser over a timescale from 1 s to Burning in Eu3+:Y2SiO5”, Phys. Rev. Lett.
1000 s. We can therefore measure the stability 111, 237402 (2013)
of the laser pre-stabilized to our FPC to approx-
imately 10−14 fractional frequency instability at 1 [3] O. Gobron, K. Jung, N. Galland, K. Predehl,
s. R. Le Targat, A. Ferrier, P.Goldner, S. Sei-
By using a double hole pattern with one reference delin, and Y. Le Coq, “Dispersive heterodyne
mode (in a wide hole and so experiencing a small probingmethod for laser frequency stabiliza-
dispersion) and one signal mode (in a narrow hole, tion based on spectral hole burning inrare-earth
experiencing a big dispersion as a function ot the doped crystals”, Optics Express 25 (13), 15539-
detuning), we obtain a good frequency lock of the 15548 (2017)
laser on the narrow hole. The laser then exhibits
a stability in the low 10−15 for 1 s to 10 s time
scale. This result is almost one order of magnitude
better than the previous results obtained on this
experiment while using a single hole to derive the
correction signal [3].

2
Embedded and Connected Receiver System for
nano-satellite in Low Earth Orbit (LEO)

F. Spies1,2 , S. Givron2
1
FEMTO-ST Complex Computer System, Montbéliard, France
2
Université de Franche-Comté, Montbéliard, France

Abstract

The objective of this work is to design a set of satellite signal reception, embedded, connected and low
power consumption. This set must be simple to implement with the ambition of being widely deployed
on a global scale to provide complete and continuous coverage so that each satellite transmission can
be received at any time without loss. The altitude of the satellite orbit must allow the planet to be
covered with less than a hundred reception stations on earth. The stations will be located mainly in
universities with an eduroam connection to facilitate the transmission of information on a server.
1 Introduction threshold and thus increases the reception distance.
One of the advantages of using software radio is
Communication systems with nano-satellites re- that it allows you to reconfigure the demodulation
main complex to implement. They must have a chain for each passage of a nano-satellite. There
suitable receiving chain in order to be able to pro- are software programs such as gpredict that inte-
cess small amplitude signals. The implementation grates the paths of all active in-orbit nano-satellites
altitude is around 500 km. The nano-satellite trans- to predict the path times.
mission chain must be as light as possible, includ-
ing the antenna, power amplifier and communica-
tion board. The objective of nano-satellites is to 3 Picsat Demodulation
be as light as possible with a reduced altitude to
limit the cost of placing them in orbit as much as Picsat, a specific nano-satellite put into orbit in
possible. Therefore, the ground station must be 2018, demodulated the signal transmitted in BPSK
able to compensate for the transmission and recep- 1200 baud. The demodulation chain performed by
tion constraints of nano-satellites. It is necessary to [1] integrated all the demodulation functions nec-
be able to amplify weak signals received with mo- essary to interpret the information transmitted by
torized directional antennas combined with power the satellite and send it back to the server central-
amplifiers. The objective of this work is to provide izing all the reception on the planet. Indeed, at
a ground-based reception solution consisting of a this altitude, the flight times of an area are gener-
simple omnidirectional antenna and a Software De- ally between 5 and 15 minutes. We understand the
fined Radio (SDR) interface. The advantage of ra- importance of being able to multiply the number
dio software is that it can receive several different of reception sites around the world in order to be
nanosatellite signals and can be reprogrammed at able to increase the exchange times with the nano-
any time. In addition, this solution can be updated satellite. If ground systems are connected to the
over time to adapt to changes in modulation in the Internet, it is possible to gradually move towards a
nano-satellites of next generations. Finally, a study permanent and continuous connection that would
of the dimensioning of the ground reception module limit the redundancy of data transmitted from the
will make it possible to reduce the unit cost so that satellite and thus increase its ability to transmit in-
a large-scale deployment can be envisaged. formation to the ground. All you need is between
80 and 100 ground receiving systems evenly dis-
tributed to be in permanent communication with
2 Demodulation Chain the nano-satellite. A maximum distance between
2 reception systems of about 3500 km (30 degrees)
The frequencies mostly used by these nano- would allow this continuity of communication.
satellites are VHF/UHF amateur radio frequen-
cies (145 and 435/438 MHz) or the S band (2.2 to
2.3 GHz). Modulations are generally of the FSK, 4 Systems Implementation
BPSK or GMSK type. Baud rates are generally
between 1200 and 9600 baud. The use of two sym- Before attempting to embed the receiving chain on
bols per period significantly reduces the reception low-cost electronic boards, it is preferable to vali-

1
date oversized solutions to facilitate development. the restitution of the transmitted data. Software
Thus, we used a laptop computer, a Raspberry Pi 3, radios have a USB port and can only be connected
a Raspberry Pi zero and a microcontroller ESP8266 to the ESP8266 at a low speed equivalent to version
[2] including a Wi-Fi interface to perform the signal 1.0 or 1.1 of about 1Mbps. We have chosen to use
demodulation. The signal reception was performed the radio software in SDR-IP mode (Fig. 1), i.e.
with a USRP B200 mini, an ADALM-Pluto and an through a Wi-Fi/IP connection to validate the pro-
RTL-SDR. cessing capacity of the microcontroller. Data recep-
On laptops and Raspberry PIs that use a UNIX tion centered on the corrected frequency could be
system, the use of gnuradio is possible. On Rasp- completely integrated, in purely integer functions
berry PI boards, computing power is limited, the for more efficiency. In order to limit the energy
USB interface works in version 2 and the use of consumption by the entire station, it is only exe-
command line gnuradio is preferable. On the micro- cuted when a nano-satellite passes through and re-
controller, the program is downloaded from the Ar- mains in deep sleep between two passes. The times
duino development interface in C/C++/LUA lan- of the visits are obtained on servers located on the
guage. Internet.

5 Signal Generator
When designing a demodulation function, it is nec-
essary to decode a good quality signal, but this
is not enough. It is also necessary to be able to
measure the qualities and characteristics of the al-
gorithm designed to identify the potential of the
reception sensitivity threshold obtained. If the re-
ception sensitivity threshold is too high, decoding
will only be possible when the nano-satellite is near
the zenith of our position. If the sensitivity thresh-
old is low enough, decoding can be carried out up to
positions close to the horizon where the link budget
is most unfavourable. Figure 1: Global Architecture with the Wi-Fi mi-
We have produced several types of files con- crocontroller ESP8266.
taining signals including increasingly large atten-
uations and small constant, linear and polynomial
frequency shifts to gradually reproduce the Doppler
effect of LEO orbits. 7 Conclusion
Porting demodulation functions into a microcon-
6 Decoding Tests troller has allowed us to improve the overall effi-
ciency of the receiving chain. The Doppler effect
First, we validated that reception could be achieved correction remains to be integrated into the micro-
with an omnidirectional antenna placed horizon- controller to complete the demodulation chain. We
tally in the perpendicular of the satellite path finally chose to reintegrate the entire demodulation
connected to a USRP B200 mini interface. The functions into gnuradio to reduce processing time
whole thing was connected to a laptop PC with and use a low-power Raspberry Pi zero that easily
gnuradio/gr-picsat [1] to ensure sufficient comput- connects an SDR interface.
ing power and memory capacity. The reception
time is approximately 8 minutes out of a potential
10 to 12 minutes. This first result was considered References
sufficient to qualify the reception.
[1] PicSat telemetry parser added to gr-
In a second step, we validated the computing and
satellites at https://destevez.net/2018/01/
memory capacity of the Rapsberry Pi zero Wi-Fi
picsat-telemetry-parser-added-to-gr-satellites/
(ARM 1 core 1GHz 512GB RAM) to demodulate
the I/Q signals received in gnuradio/gr-picsat in [2] ESP8266: Wi-Fi microchip with full TCP/IP
command line mode. stack and microcontroller at https://en.
In a third step, the demodulation was coded di- wikipedia.org/wiki/ESP8266
rectly into the micro-code of the ESP8266 to allow

2
Using GNU Radio to do signal acquisition and
analysis with Scopy
A. Suciu
Analog Devices Inc.

Abstract

GNU Radio is the go-to library when it comes to open source software-defined radio. However GNU
Radio can go beyond that. In this paper we will discuss the use of GNU Radio as a base library for
an end product application that requires general signal processing as well as other decoding libraries.
Specifically, we will address how GNU Radio can be leveraged for applications beyond software defined
radio and other communication systems.

1 Introduction 3 Results
We used GNU Radio for an end application that
In order to create Scopy – an open source mixed sig-
does not comply with the traditional scope of the
nal analysis and generation toolkit, we chose to use
framework. Although GNU Radio is well modular-
GNU Radio, along with a variety of open source
ized, starting and stopping instruments has been
libraries and frameworks such as libiio, libsigrok,
one of the challenges we faced. Since there is no
Qt5 or Qwt. Scopy currently interfaces with the
trivial way to reconfigure a GNU Radio flow, we
ADALM-2000 hardware which provides two analog
had to develop a method that recursively deletes
input channels, two analog output channels, as well
blocks starting with a parent. This and the use of
as 16 digital I/O pins – capable of high speed syn-
the copy block eased up flow reconfiguration. Gnu-
chronized buffered operations. Future plans include
radio is a good fit for this application as it abstracts
extending Scopy to interface with other hardware.
the complexities of signal acquisition and analysis
into an efficient data flow giving us more headroom
to develop a more user friendly, touchscreen com-
patible
2 Experimental setup
Scopy uses libiio to interface with ADALM-2000.
4 Background
This allows Scopy to connect to the hardware via The ADALM-2000 also known as M2k [1] is a Soft-
USB, as well as ethernet. By using an off the shelf ware Defined Measurement Platform that is a cross
(COTS) Wi-Fi dongle, the hardware can connect platform (Windows, Mac and Linux) USB oscil-
to a wireless network and Scopy can acquire data loscope and multi-function instrument that allows
remotely from the ADALM-2000. users to measure, visualize, generate, record, and
GNU Radio is used in this context to multi- control mixed-signal circuits of all kinds. It fea-
plex the data streams received from the hardware tures two-channel digital oscilloscope and arbitrary
via gr-iio to the oscilloscope/ spectrum analyzer/ function generator, with Time, Network and Spec-
network analyzer. GNU Radio’s efficient vector- trum Analyzer views. A 16- channel digital logic
optimized operations are used to implement instru- analyzer and pattern generator, with a countless
ment functionalities such as the oscilloscope refer- number of Bus Analyzers for all kind of protocols
ence waveform, digital AC coupling as well as math such as I2C, SPI, UART, CAN, JTAG, SPDIF, etc.
channels. The network analyzer uses the GNU Ra- just to mention a few. Besides this it also has true
dio flow to create a full network analyzer signal RMS voltmeters and programmable power supplies
chain. Combined with the M2K hardware it is able all in a pocket sized instrument.
to characterize circuits up to 30MHz and repre-
sent the results on Bode, Nichols and Nyquist plots.
The spectrum analyzer allows marker operations as References
well as different types of windowing up to 50MHz.
The signal generator uses GNU Radio to output [1] ADALM2000 for Developers at https:
various types of user configurable signals such as //wiki.analog.com/university/tools/m2k/
sine, square waves or the results of time-dependant developers
mathematical equations.

1
Fully Digital Electronics for Fiber-Link Frequency
Transfer Implemented on Red Pitaya
A. C. Cárdenas-Olaya, C. E. Calosso
INRiM, Quantum Metrology & Nanotechnology, Turin, Italy

Abstract

This paper presents a digital instrumentation for frequency transfer on optical fiber links. The pro-
posed system detects the phase and amplitude of the beatnotes at the two ends of the fiber for (actively
or passively) compensating by the phase noise and the polarization rotation. The implementation is
performed on Red Pitaya, an open source platform that integrates fast Analog-to-Digital and Digital-
to-Analog converters with a Zynq System-on-Chip. The system features a detection bandwidth of
10 MHz, compatible with thousand kilometers links, that can be finely tuned for reaching an adequate
Signal-to-Noise Ratio minimizing the generation of cycle slips.

1 Introduction detection bandwidth for minimizing the cycle slips


rate. In addition, it implements the simplex algo-
Fiber links have been demonstrated to be a suit- rithm, yielding a polarization control bandwidth up
able medium for optical frequency transfer featur- to 100 kHz.
ing an stability of the order of 10−19 ÷ 10−21 [1]. A fiber emulator is implemented on the FPGA
However, mechanical stress, environmental factors with the aim of studying the critical require-
and temperature fluctuations generate fiber length ments (detection bandwidth, SNR, polarization)
variations that degrade the frequency stability of under different scenarios (noise typologies and lev-
the signal being transmitted. In order to compen- els), while taking advantage of the System-on-Chip
sate for such fiber noise, two techniques are widely (SoC) bandwidth for long term analysis. In partic-
used: the classical Doppler [2] and the more recent ular for the evaluation of cycle slips whose rate in
Two-Way [3]. The implementation of these tech- current implementations is one cycle slip per one or
niques relies on the detection of the phase and the two minutes.
amplitude information contained in the beatnote Preliminary results of the instrument are in-
between the received and the transmitted signals tended to be presented at the workshop.
which is obtained through photo-detection at the
local and the remote ends. There are three crit-
ical implementation requirements that may limit
2 Method
the adequate noise compensation and consequently The proposed system, depicted in Fig. 1, was im-
the frequency transfer performance: First, the de- plemented on Red Pitaya [4]. The platform inte-
tection bandwidth that must be wide enough for grates a 14-bit, 125 MSps, dual channel Analog-to-
extracting the phase information before it gets cor- Digital Converter (ADC), a 14-bit, 125 MSps, dual
rupted by the noise. In current applications, it is channel Digital-to-Analog Converter (DAC) and a
of the order of hundreds of kilo Hertz which limits SoC containing a FPGA and a Dual-core ARM pro-
implementations on long links because the phase cessor.
can not be properly tracked. Second, additive noise The instrument subsamples directly the beat-
is generated during the beatnote photo-detection, enote from the photo-detection and retrieves the
which is revealed as excess of noise in the measure- phase (ϕ) and amplitude (α) information through
ment degrading the Signal-to-Noise Ratio (SNR) an I/Q demodulator in a 10 MHz bandwidth
and leading to the generation of cycle slips. This ef- which can be finely tuned down to 1 kHz. The
fect is in general removed by reducing the detection phase, if actively compensated, is tracked by a
bandwidth. And finally, the polarization rotation servo that drives the Acousto-Optic Modulator
that should be maintained in order to avoid am- (AOM) through a Numerically Controller Oscilla-
plitude fluctuations on the detected beanote that tor (NCO). The amplitude feeds a simplex algo-
could degrade the SNR. rithm that optimizes the polarization between the
In this work we present a fully digital instrument received and the transmitted signal for obtaining
for frequency transfer over fiber link. The system the maximum power on the beatnote.
provides the capability of finely tune the detection A two-channel system is implemented on a single
bandwidth from 10 MHz down to 1 kHz, allowing Red Pitaya which allows compensation and moni-
to reach the best tradeoff between the SNR and the toring at each side. The useful data are stored in

1
tected that differs a factor of two from Doppler to
Two-Way, the detection bandwidth, the data chan-
nels to be stored, etc.

References
[1] K. Predehl et al., A 920-kilometer Optical Fiber
Link for Frequency Metrology at the 19th Deci-
mal Place, Science, April 2012, 336(6080)
Figure 1: General scheme. PD: Photo-detector, [2] L.-S. Ma, P. Jungner, J. Ye and J. L. Hall,
FM: Faraday Mirror, EPC: External Polarization Delivering the same optical frequency at two
Controller, PL: Programmable Logic (FPGA), PS: places: accurate cancellation of phase noise
Processing System (ARM processor). introduced by an optical fiber or other time-
varying path, Optics Letters, Nov. 1994, 19(21)
memory and transferred to an external computer [3] C. E. Calosso, E. Bertacco, D. Calonico, C. Cli-
for post-processing. vati, G. A. Costanzo, M. Frittelli, F. Levi, A.
Fig. 2 sketches the block diagram of one channel Mura and A. Godone, Frequency transfer via
including the fiber emulator. The emulator gen- a two-way optical phase comparison on a mul-
erates the main noise sources involved in a setup tiplexed fiber network, Optics Letters, March
for frequency transfer such as: fiber noise, photo- 2014, 39(5)
detection noise and noise induced by the polariza-
tion. In addition, it is provided with the emulator [4] Red Pitaya, Documentation and technical infor-
of a polarization controller based on a four plates mation, http://redpitaya.readthedocs.io/
configuration. When the emulator is enabled, it en/latest/
acts on the NCO signal (DAC input) that instead
of driving the AOM will be the instrument input,
emulating the beatnote.

Figure 2: One channel system. τ : Fiber delay,


WNGen: White Noise Generator, EPC: External
Polarization Controller.

3 Conclusion
The proposed digital instrument is a compact so-
lution that integrates different functionalities such
as phase-meter, stability control and polarization
control in a single platform.
The instrument is provided with the capability
of applying different configurations of the two com-
pensation techniques by properly setting the differ-
ent blocks parameters, such as: the compensation
action (open or close loop), compensation band-
width (if any), the frequency of the beatenote de-

2
KiwiSDR as a new GNURadio source
C. Mayer

Abstract
By now, >300 world-wide distributed KiwiSDRs are online. After introducing the KiwiSDR, an
implementation of a GNURadio websocket client for the KiwiSDR. As an example on how to use
the GNURadio KiwiSDR client, the coherent combination of KiwiSDR IQ streams, and decoders
implemented in GNURadio for digital HF modes using the KiwiSDR client are shown.
1 Introduction 3 Decoding digital modes on
The KiwiSDR [1] was developed by John Seamons
HF using GNURadio
ZL/KF6VO and by now >300 of these SDRs are A GNURadio OOT module is being developed
available on the internet [2]. In this contribution, which allows to concisely specify the physical layer
a GNURadio websocket client for the KiwiSDR [3] characteristics of a given phase-modulated digital
is presented, along with some applications [4]. mode on HF in python [5], where preamble cross-
correlation, doppler estimation and adaptive filter-
ing are taken care of the framework. As an exam-
2 Coherent combination of ple the demodulation of a STANAG 4285 signal is
KiwiSDR IQ streams shown in Figure 2.

The maximum sampling rate for IQ data streams


available from KiwiSDRs is either 12 kHz or 20.25
kHz. In order to aqnalyze signals with wider band-
width, a method was developed which allows to co-
herently combine up to 6 IQ data streams from
a single KiwiSDR [3]. This method uses precise
GNSS-derived timestamps to align samples from
the same KiwiSDR. Remaining phase offsets be-
tween the IQ data streams are estimated and cor-
rected for, see Figure 1.

Figure 2: STANAG 4285 signal demodulation us-


ing a KiwiSDR IQ data stream. The constellation
diagram shows symbols after adaptive filtering and
after descrambling.

4 TDoA with KiwiSDR


The IQ data streams from KiwiSDRs contain pre-
cise GNSS-derived time stamps. Using this ab-
solute time reference, time difference of arrival
Figure 1: Coherent combination of two KiwiSDR (TDoA) methods can be explored. Currently the
IQ data streams for the case where the boundary code for the KiwiSDR TDoA analyis is written in
between the streams is centered on a DRM signal. Octave, see [6], which is used by the KiwiSDR
TDoA extension written by John Seamons.

1
Figure 3 shows cross correlations between a LO- [4] Singal Analysis and Monitoring blog at https:
RAN signal received by two KiwiSDRs, and Fig. 4 //hcab14.blogspot.com/
shows the TDoA map obtained by using the cross
correlations from three KiwiSDRs. [5] gr-digitalhf at https://github.com/hcab14/
gr-digitalhf
[6] TDoA at https://github.com/hcab14/TDoA

Figure 3: Cross correlations between two KiwiS-


DRs (LORAN).

Figure 4: TDoA map for the LORAN signal from


Anthorn, obtained using data from three KiwiS-
DRs.

References
[1] KiwiSDR at http://kiwisdr.com
[2] Map of available KiwiSDRs at http://rx.
linkfanel.net/
[3] gr-kiwisdr at https://github.com/hcab14/
gr-kiwisdr

2
Phase noise & digital noise:
what is it and why it is important for
groundbreaking RF-applications.
P.-Y. Bourgeois
FEMTO-ST, Time&Frequency dpt, UMR 6174 CNRS, Besançon, France

Abstract

For more than a decade, digital electronics has a massive impact on about every research field offering
flexibility, robustness and reconfigurability.

1 Introduction form such characterizations within the GNU Radio


context.
Numerous developments of complex scientific in-
strumentation now employ routinely partial or fully
digital systems, inherited from telecommunications References
and Software Defined Radio (SDR).
Within the framework of Time & Frequency [1] B P Abbott & al. Characterization of tran-
metrology, it has become challenging in the devel- sient noise in advanced LIGO relevant to grav-
opment of modern sensitive instrumentation where itational wave signal GW150914. Classical and
quantization noise and signal noise paths take a sig- Quantum Gravity, 33(13):134001, jun 2016.
nificant place for qualifying ultrastable clocks, os-
[2] He-Shan Liu, Yu-Hui Dong, Yu-Qiong Li, Zi-
cillators, frequency transfer and timing systems.
Ren Luo, and Gang Jin. The evaluation
From Amateur Radio to VLBI (Very-long-
of phasemeter prototype performance for the
baseline interferometry), DSN (Deep Space Net-
space gravitational waves detection. Review of
works), LIGO(Laser Interferometer Gravitational-
Scientific Instruments, 85(2):024503, 2014.
Wave Observatory)[1], Evolved LISA(Laser Inter-
ferometer Space Antenna)[2], ACES (Atomic Clock [3] Gnu radio. gnuradio.org.
Ensemble in Space), . . . , it is worth to note that
some knowledge on instrumentation limitations and [4] Franz Franchetti, Tze Meng Low, Doru Thom
their proper characterization is of importance. Popovici, Richard M. Veras, Daniele G. Spamp-
Unfortunately there is a lack on handy design inato, Jeremy R. Johnson, Markus Püschel,
tools and techniques for complex designs leading James C. Hoe, and José M. F. Moura. Spiral:
to high computational efforts in programming and Extreme performance portability. IEEE special
prototyping that are ultimately greatly error prone. issue on From High Level Specification to High
Although a few of valuable libraries and software Performance Code, 206(11), 2018.
do exist (GNURadio[3], Spiral[4], liquidsdr[5]. . . ),
[5] Liquidsdr. liquidsdr.org.
they are currently not adapted to oscillator metrol-
ogy modeling (parametric noise simulations, vari- [6] P-Y Bourgeois, G Goavec-Merou, J-M Friedt,
ances, normalized spectra . . . ). and E Rubiola. A fully-digital realtime soc
Along the journey, I propose to present differ- fpga based phase noise analyzer with cross-
ent techniques and pitfalls in the measurement and correlation. In Joint EFTF/IFCS, pages 578–
qualification of the digital signal processing chain 582. IEEE, 2017.
kernel (Signal→ADC→DDC) commonly used in
every SDR environment[6, 7]. [7] B Marechal, A Hugeat, G Goavec-Mérou, G Ca-
bodevila, J Millo, C Lacroûte, and PY Bour-
Fourier
analysis
geois. Digital implementation of various lock-
ing schemes of ultrastable photonics systems.
DUT ADC

NCO
In 2018 IEEE International Frequency Control
DDC Symposium (IFCS), pages 1–4. IEEE, 2018.

Figure 1: Elementary digital processing chain for


oscillator metrology

I will also show how it is currently difficult to per-

1
Using GNU Radio Companion to improve student
understanding of signal processing theory through VHF
Omni-Directional Range (VOR) signal demodulation

A. Blais, C. Morlaas

ENAC, Université de Toulouse, France

Abstract
The École Nationale de l'Aviation Civile (ENAC), the French Civil Aviation University, proposes a
graduate engineer program with, among three others, a major, in Aeronautical and Space Telecommu-
nications (SAT). This major is characterized by advanced theoretical courses in signal theory, signal
processing, digital communications and navigation in particular. Some practicals are given to help
the students understanding specic points in these courses. However, this scattered approach does
not provide any hindsight on the interest and the usefulness of these courses, either independently nor
together. This is the reason why these practicals are completed by a long project which proposes, as
a global case of application, to demodulate a VHF Omni-Directional Range (VOR) signal. This paper
details this long project, from its pedagogical approach to some interesting points of its implementation.
1 Introduction
The sometimes complex notions being taught in sig- M (t) = 0.3 cos (2π30t − QDR + θ30 )
nal theory and signal processing courses need to + 0, 05 ident(t) cos (2π1020t + θ1200 )
nd some practical realizations to be fully under-
stood by the students. It is the objective of the + 0.3 cos (2π9960t + θ(t) + θ9960 ) (2)
long project described in this paper. Indeed, it pro-
Z
poses the demodulation of a VOR signal using the t

GNU Radio Companion (GRC) software. The si- θ(t) = 16 · 30 · 2π cos(2π30u + θ30 )du
0
multaneous learning of this powerful software is an = 16 · sin(2π30t + θ30 ) − 16 · sin(θ30 ) (3)
interesting aside of this project, even if it is not
its primary goal. The signal in question is either with:
received by mean of a DVB-T USB dongle (one
is distributed per pair of students) or a synthetic • f0 ∈ [108, 118] MHz, the carrier frequency,
one, generated in the course of the project by the
• QDR the magnetic bearing from the station to
students themselves. In the rst part of this pa-
per, a model of the VOR signal is presented. Then, the aircraft, in units of radian,
the pedagogical approach selected by the teaching • ident(t) the identication signal of the VOR
team is described. Two interesting technical points beacon (Morse code),
are adressed in the third part, to point out the sig-
nal processing challenges the students have to face. • θ30 , θ1200 and θ9960 random initial phases.
At last, a brief conclusion is drawn.
A graphical representation of the spectrum corre-
sponding to the amplitude modulation (1 + M (t)),
2 A VOR signal model gure 1, is also shown to train the students to think
in the frequency domain as well as in the time do-
The VOR system is a navigation aid designed to main.
give the angle, in relation to the magnetic north, to
the aircraft from a ground radio beacon of known
position. This is done with the help of an hybrid
signal carrying several components. A noise-free
time model of this signal [1], as seen by the receiver,
is presented to the students:
e(t) = (1 + M (t)) cos (2πf0 t + θ0 ) (1)
Figure 1: Schematic representation of the baseband
spectrum of a VOR signal.

1
The models of the I & Q signals delivered by 4.1 The frequency demodulation
the DVB-T dongle are then derived from equations
(1), (2) and (3)), after a short explanation of how Figure 2 illustrates the demodulation principle the
this dongle works. This is an eective use of the students not only have to implement, but also to
complex envelope concept introduced in the digi- understand! The calculation of the value of the
tal communications course. These models are the delay is always an instructive brainstorm.
starting point of the practical implementation.

3 The pedagogical approach


Strong guidelines are set to the students to support
them toward the solution. Indeed, the project is
split in four distinct and successive steps, each one
improving gradually the skill and knowledge of the
student: Figure 2: Synoptic view of the FM demodulator.
1. The rst step is an interactive implementation
of a simple FM radio-broadcast receiver. This
rst SDR receiver serves as a presentation of 4.2 The phase comparator
the GRC GUI capabilities as well as a proof of The phase comparator, needed to extract the QDR,
the SDR concept for the students: it works! the value of interest, is an opportunity to introduce
2. The target of the second step is a more com- the students with the principle of the Hier block.
prehensive handling of GRC and of the USB They are asked to embedded this phase comparator
dongle. The students have to produce ow di- in a dedicated Hier block, to be tested and vali-
agrams which read, display and record to a le dated independently from the main ow diagram.
the I & Q samples. Figure 3 displays a possible implementation for this
phase comparator Hier block.
3. Then, to deepen the students understanding of
the VOR signal structure, as well as to provide
the future receiver with synthetic test signals,
a I & Q VOR signal generator has to be im-
plemented, component after component. The
generated test signals are validated with the
SDR receiver of the teaching team.
4. Finally, the VOR receiver itself has to be de-
veloped. Again, a component by component Figure 3: Flow diagram of the phase comparator
method is suggested to the students, so they
can safely move towards a proper nal design.
The project ends with a double evaluation: a one 5 Conclusion
hour written examination and a test of reception
of a real VOR signal with a QDR to decode. The It is the third year this long project is given. The
latter test is realized by radiating a low power VOR teaching team has observed each time the bene-
signal in the room with the help of a Marconi 2030 ts of this materialization of the theoretical notions
signal generator. taught during the related courses. The knowledge
and skill of the students are clearly improved as
well as their hindsight on the covered topics.
4 Two specic technical points
The philosophy of this long project being to im- References
prove the understanding of the students in signal
theory and signal processing, the use of high level [1] Subdivision Radionavigation conventionnelle
blocks, like the FM Demod block, is forbidden. The et par satellite. VOR Généralités. Technical re-
students have then to understand the processings port, École Nationale de l'Aviation Civile, 2010.
to be able to build them atomically. In this aspect,
the two following ones are particularly interesting.

2
A LoRaWAN Security Assessment Test Bench
T. Claverie, J. Lopes Esteves
Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI)
Paris, France

Abstract

LoRaWAN is a recent protocol and despite having been already studied from a security perspective,
several attacks have not been reproduced in practice mostly due to a lack of details regarding the test
benches used. After presenting previous work on the LoRaWAN protocol and the various platforms
described, we present an environment based on hardware, software and SDR to study the radio layer
of the protocol. The efficiency of this architecture is demonstrated by reproducing theoretical attacks
on LoRaWAN 1.0.

1 Introduction Even when specific radio testing has been inves-


tigated, the information regarding the test setup
LoRaWAN is a protocol dedicated to Low Power were left aside: no details on the jamming meth-
IoT devices; its current version (1.1) was released ods [3, 6], nor on how a LoRaWAN device is per-
in October, 2017 [5]. It is built upon the LoRa turbated by electromagnetic interference [7] were
(Long Range) modulation patented by Semtech. given.
In [4] a replay and decrypt attack is detailed on
LoRaWAN 1.0 and the authors provide a very accu-
rate and complete overview of the state of the art up 2 Experimental setup
to late 2017. A formal verification of the security of
In this section, the different components used for
the LoRaWAN handshake has been proposed in [8].
our test bench are introduced.
In [19], the biasing of a random number generator in
presence of electromagnetic interferences is demon- LoRaWAN Evaluation kit In order to rapidly
strated. Session cryptographic material desynchro- deploy a LoRaWAN 1.0 network without having to
nisation between a device and the network has been develop the core network services, a Microchip Lo-
discussed in various articles [4, 19, 14, 11, 12]. The RaWAN development kit [13] has been set up. This
possibility of spoofing LoRaWAN gateways in or- development kit includes two LoRa Mote (based on
der to provide fake time and position references the SX1276 chipset) and a LoRa gateway (SX1301)
appeared in [12, 20]. Message modification and which can be connected via ethernet to core net-
forgery in order to attack the network has been sug- work services packaged in a ready-to-use docker
gested in [15, 10]. container. The administration interface allows to
Several LoRaWAN security testing environments manage gateways, applications, devices, encryption
have already been mentioned in previous work. keys and some radio parameters (frequency, mod-
However, none have been described precisely ulation). It constitutes a ready-to-use LoRaWAN
enough to allow reproductibility of the results and infrastructure but is intended only for high level in-
some do not involve instrumentation of the radio teraction with the protocol and thus lacks low layer
layers. flexibility.
In [17, 18], the author describes using a Lo- LoRa programmable dongle A PyCom FiPy
RaWAN gateway, two test end devices and an open- board has been used to act as a malicious LoRa
source LoRaWAN server to emulate a complete in- node. It is a MicroPython development board
frastructure. However, these tests concerned only supporting LoRa modulation and including a Lo-
the communication in the core network, beyond the RaWAN stack. With this tool one can send and
gateway. A testing platform is mentioned in [12]; receive LoRa MAC frames with a better timing ac-
it is able to capture and analyze messages, how- curacy and lower latency than the LoRa Mote and
ever no information on its exact capabilities and act as both a gateway and a device.
building blocks are provided. In [11], hardware at- GNU Radio In order to also have physical layer
tacks on devices and radio attacks are mentioned. instrumentation, the GNU Radio framework was
In particular, eavesdropping of LoRaWAN commu- used along with a software defined radio (SDR)
nications, replay attacks, and various denial of ser- USB dongle based on a Realtek RTL2832U and
vice by flooding an object with messages are de- a R820T2 tuner. Several SDR-based LoRa re-
scribed. Again, the test infrastructure description ceivers are available, with varying completion rates
does not allow reproducing the setup. [16, 2, 1].

1
The gr-lora block from [9] provided very good tacker listens and waits until he captures a full join
results along with detailed explanations. However handshake from the targeted device. He captures
significant latency is induced by the decoding layer messages in this first session.
and it only supports demodulating uplink or down- When the device initiates a new join procedure,
link transmissions at once. A minor change has the attacker spoofs the gateway and forces a reini-
been made to enable decoding both uplink and tiation until the DevNonce sent by the device is the
downlink messages within a single LoRa decoder same as in the captured session; the attacker then
block. responds with the captured JoinAccept.
Once the join procedure succeeds, the device
starts sending data frames. Due to the nonce reuse,
they will be encrypted with the same keystream as
the captured session, which allows an attacker to
partially break the confidentiality of the messages.

Results Our implementation of the replay or


decrypt attack took about three days to complete,
with around 215 DevNonce tested and a ten-second
delay between two trials. With this setup, it is also
possible to implement several desynchronisation at-
tacks described in [4, 19, 14, 11, 12].
More generally, this combination of ready-to-use
Figure 1: GNU Radio flowgraph for capturing Lo- infrastructure and SDR proved invaluable for se-
RaWAN communications on 3 channels curity testing the LoRaWAN protocol. This setup
can also be used to monitor the LoRaWAN commu-
Using this block, we implemented a GNU Ra- nications and develop detection heuristics for these
dio LoRa decoder which listens on several chan- attacks. An unusual spectral occupation infringes
nels and forwards the decoded frames to a UDP the specifications and may indicate a problem or an
port (Fig. 1). This strategy allowed receiving all 21 attack.
LoRa channels in parallel. Along with the tradi-
tional waterfall visualization of the spectrum, the
use of GNU Radio allows debugging the physical
layer of aformentioned radio transmitters.
4 Conclusion

3 Reproducing the replay or In this paper we described a low cost security as-
sessment platform for the LoRaWAN protocol. We
decrypt attack provided a precise description of the building blocks
in order to guarantee accurate reproducibility of the
The LoRaWAN infrastucture from the development
test conditions.
kit was used as a test network. Being easily pro-
grammable, the FiPy was used to attack. The RTL- Furthermore, we validated our strategy by very
SDR dongle with LoRa decoder block was used to quickly implementing a theoretical attack on Lo-
monitor communications, understand the behavior RaWAN 1.0 (which has been fixed in LoRaWAN
of the devices and investigate in case of problems. 1.1). The theoretical results have been reproduced
and the estimations of the attack cost and complex-
Attack implementation This setup reimple-
ity were confirmed.
ments various radio tests on a LoRaWAN network.
In particular, it was possible to reimplement the re- The hybrid radio approach involving a ready-to-
play or decrypt attack on the LoRaWAN protocol use development kit, a progammable radio dongle
1.0 described in [4]. and a software defined radio has shown interesting
This attack leverages a nonce reuse (DevNonce) benefits in this case, combining the advantages of
in the handshake protocol between a device and the each platform while compensating for their draw-
network: The device sends a JoinRequest message backs.
and the network replies with a JoinAccept message. In particular, it provides an interesting frame-
After that, they both have shared cryptographic work to analyze the impacts of attacks on all lay-
material and can start sending data frames to each ers, such as jamming or intentional electromagnetic
other. The attack scenario is the following: the at- interference, and to test protocol stacks.

2
References [12] Renaud Lifchitz. Security review of LoRaWAN
networks. In Hardwear.io, The Hague, Nether-
[1] Lora-sdr, 2016. https://github.com/ lands, 2016.
myriadrf/LoRa-SDR.
[13] Microchip. Lora technology evaluation
[2] rtl-sdrangelove, 2016. https://github.com/ kit, 2018. https://www.microchip.
hexameron/rtl-sdrangelove. com/DevelopmentTools/ProductDetails/
DV164140-1.
[3] Emekcan Aras, Nicolas Small, Gowri Sankar
Ramachandran, Stéphane Delbruel, Wouter [14] Robert Miller. LoRa Security - Building a Se-
Joosen, and Danny Hughes. Selective Jam- cure LoRa Solution. Whitepaper, MWR Labs,
ming of LoRaWAN Using Commodity Hard- 2016.
ware. In Proceedings of the 14th EAI In-
[15] Robert Miller. LoRa the explorer: Attacking
ternational Conference on Mobile and Ubiq-
and Defending LoRa Systems. In Syscan 360
uitous Systems: Computing, Networking and
Singapore, Singapore, 2016.
Services, MobiQuitous 2017, pages 363–372,
New York, NY, USA, 2017. ACM. event-place: [16] Pieter Robyns. gr-lora, 2018. https://
Melbourne, VIC, Australia. github.com/rpp0/gr-lora.

[4] Gildas Avoine and Loı̈c Ferreira. Rescuing Lo- [17] Sébastien Roy. Lorawan: Déploiement
RaWAN 1.0. Technical Report 651, IACR, d’une infrastructure de test - partie
2017. 1/2. Guide technique, MISC Mag, 2018.
https://www.miscmag.com/lorawan-
[5] LoRa Alliance Technical Committee. Lo- deploiement-dune-infrastructure-de-
RaWAN 1.1 Specification, 2017. test-partie-1-2/.
[6] S. M. Danish, A. Nasir, H. K. Qureshi, A. B. [18] Sébastien Roy. Lorawan: Déploiement
Ashfaq, S. Mumtaz, and J. Rodriguez. Net- d’une infrastructure de test - partie
work Intrusion Detection System for Jamming 2/2. Guide technique, MISC Mag, 2018.
Attack in LoRaWAN Join Procedure. In 2018 https://www.miscmag.com/lorawan-
IEEE International Conference on Communi- deploiement-dune-infrastructure-de-
cations (ICC), pages 1–6, May 2018. test-partie-2-2/.

[7] S. M. Danish, H. K. Qureshi, and S. Jang- [19] S. Tomasin, S. Zulian, and L. Vangelista. Se-
sher. Jamming Attack Analysis of Wireless curity Analysis of LoRaWAN Join Procedure
Power Transfer on LoRaWAN Join Procedure. for Internet of Things Networks. In 2017
In 2018 IEEE Globecom Workshops (GC Wk- IEEE Wireless Communications and Network-
shps), pages 1–6, December 2018. ing Conference Workshops (WCNCW), pages
1–6, March 2017.
[8] Mohamed Eldefrawy, Ismail Butun, Nuno
Pereira, and Mikael Gidlund. Formal secu- [20] X. Yang, E. Karampatzakis, C. Doerr, and
rity analysis of lorawan. Computer Networks, F. Kuipers. Security Vulnerabilities in Lo-
148:328 – 339, 2019. RaWAN. In 2018 IEEE/ACM Third Inter-
national Conference on Internet-of-Things De-
[9] Matt Knight. gr-lora, 2016. https://github. sign and Implementation (IoTDI), pages 129–
com/BastilleResearch/gr-lora. 140, April 2018.

[10] JungWoon Lee, DongYeop Hwang, JiHong


Park, and Ki-Hyung Kim. Risk analysis and
countermeasure for bit-flipping attack in Lo-
RaWAN. In 2017 International Conference on
Information Networking (ICOIN), pages 549–
551, Da Nang, January 2017.

[11] Franck L’Hereec and Nicolas Joulain. Sécurité


LoRaWAN. In Computer & Electronics Se-
curity applications Rendez-vous (C&ESAR)
2016, pages 92–108, Rennes, France, 2016.

3
A 60GHz digital link with GNU Radio and USRP radios
H. Boeglen1

1
XLIM Laboratory, UMR CNRS 7252, Limoges, France
University of Poitiers
In this communication we present a 60 GHz radio link for Ettus USRP radios. The link is
built around dedicated integrated circuits from Analog Devices. The transmission chain is
validated with a 100Mbps OFDM system designed with GNU Radio.
Keywords: Millimeter wave communications, RF front-ends

1 Introduction firms provide this service for a relatively low cost.


For example, a lot of 10 pieces of 50 mm x 50 mm
Most Ettus USRP SDR equipments can be fitted FR4 4 layer boards would cost you about 50$ [1].
with RF daughter boards featuring different radio Up to a frequency of 10 GHz the PCB design
ranges and bandwidths. The maximum RF fre- process is relatively easy. But what about millime-
quency available for Ettus boards is currently 6 ter wave bands applications? As you may know,
GHz. Due to the overcrowded RF spectrum and to pushed by the 5G mobile telephony potential mar-
enable very high data rates (i.e. several Gbps) mil- ket, things are changing rapidly so that dedicated
limeter wave bands are being envisaged for 5G tele- ICs and suitable measurement equipment will be
phony. The forecasted bands are 26, 40 and 60GHz. easily available in the next few years. As far as mea-
Millimeter wave bands have specific characteristics surement equipment is concerned, the cost is defi-
which have to be evaluated in real transmission con- nitely going to be a problem for amateurs. Again,
ditions. It is therefore necessary to have measure- this problem can be overcome by the Software De-
ment equipments able to work in these bands. The fined Radio (SDR) technology. The only problem
goal of this paper is twofold. Firstly, to present the that remains is the availability of millimeter wave
constraints associated with millimeter bands and front-ends for off-the-shelf SDR hardware. It is
to look for existing solutions adaptable to USRP possible to build one using frequency mixers and
radios. Secondly, to design an affordable 60GHz gain blocks available from manufacturers like Mini-
transceiver solution based on available off-the-shelf Circuits but it is going to be bulky, costly and cur-
integrated circuits (IC). The rest of this paper is rently the maximum frequency achievable is 40 GHz
organized as follows. Section 2 presents the con- [2]. After some research, I found an interesting
straints associated with the design of printed circuit IEEE paper about an open source SDR frontend
boards (PCB) for millimeter wave radio communi- for the 60 Ghz band by Zetterberg et al [3]. Un-
cations. In section 3, a USRP based 60 GHz radio fortunately, the Hittite ICs they used have been
link is detailed and validated with the help of an phased out. In the meantime, Hittite was acquired
OFDM transmission chain built with GNU Radio. by Analog Devices (ADI). Frequently in the past,
Finally, section 4 concludes the paper by giving evo- I used to have several good ideas with no facilities
lution possibilities of the current demonstrator. to implement them, but was finally lucky to find
their realization by ADI. Again, I dreamt about a
60 GHz transceiver solution and ADI did it!
2 Electronics design con-
straints for millimeter wave
bands 3 A HMC6300/6301 60 GHz
link with USRP radios
In recent years, the design and the realization
of transceiver solutions up to about 6 GHz have The HMC6300/6301 Systems on Chips (SoC) from
been simplified by the availability of relatively low ADI are an evolution of the HMC6000/6001 from
cost dedicated chips and measurement equipment. Hittite. Their main characteristics are summarized
Moreover, the manufacturing of PCB even for more in Table 1. Figure 1 presents a block diagram of
than two signal layers is relatively easy and low the HMC6300 SoC. ADI provides an evaluation kit
cost. Nowadays, it is no longer necessary to be a for the HMC6300/6301 for about 3500$. This kit
member of a specialized firm or lab to take advan- allows the user to set up a half-duplex link but does
tage of RF PCB manufacturing. Several Chinese not include the antennas. In order to obtain a link
budget of more than 100m we decided to fit the user designed boards like the 60 GHz evaluation
boards with 23dBi horn antennas from SAGE [4]. kit presented in this paper. We are currently work-
The total price of this setup is around 5700$. ing on a cheaper and a better integration of ADI 60
GHz SoCs with USRP radios. This requires the de-
sign of a PCB integrating an HMC6300/6301 eval
board and a 71.42857 MHz ECL oscillator circuit
needed by the HMC6300/6301 synthesizers. The
setup of the SoC transmission parameters (e.g. out-
put power, carrier frequency) is made via an SPI
interface which can be implemented with the avail-
able GPIO pins on the LFTX/RX or BasicTX/RX
daughter boards. The working testbench and its
evolutions will be presented at the European GNU
Radio Days in Besançon and the design files will be
Table 1: HMC6300/6301 specifications.
shared with the community.
The last operation to perform is to connect the
kit to the USRP radios. This is easily accomplished
thanks to LFTX/LFRX or BasicTX/BasicRX
daughter boards from Ettus. These boards can
transmit/receive baseband data to/from the eval-
uation board as long as the user provides a differ-
ential/non differential adapter (balun transformer
or Fully Differential Amplifier) to the IQ interface
of the HMC6300/6301. The testbench has been
successfully tested over a 100 m link with a 100
MSymb/s OFDM chain designed with GNU Radio.
The transmit power was set to 10dBm. Figure 2
shows a picture of the transmitter section. Figure 2: HMC6300 TX front-end fitted with
SAGE horn antenna.

References
[1] https://www.pcbway.com/

[2] https://ww2.minicircuits.com/homepage/
homepage.html

[3] P. Zetterberg, R. Fardi, Open Source SDR Fron-


tend and Measurements for 60-GHz Wireless
Figure 1: Block diagram of the HMC6300 SoC.
Experimentation, IEEE Access, Vol. 3, pp. 445-
456, 2015.
4 Conclusion
[4] https://www.sagemillimeter.com/23-dbi-
The daughterboard interface of N210 and X310 ra- gain-wr-15-v-band-rectangular-horn-ant
dios is quite generic and allows to easily connect enna/
A Software Defined Radio 802.11 Infrared
Transmission System
S. Joumessi-Demeffo,H. Boeglen,S. Sahuguede,P. Combeau,D. Sauveron,L. Aveneau,
A. Julien-Vergonjanne
CNRS, XLIM UMR 7252, F-87000 Limoges & F-86000 Poitiers, France

Abstract

We present a 802.11 infrared packet transmission system built around GNU Radio and homemade
infrared front-ends. The communication system is validated by a demonstration of audio transmission.

1 Introduction with the design challenges involved, we found it


practical and efficient to develop our solution using
Optical wireless transmission is of great interest in the SDR technology and in particular with USRP
many critical environments due to the confinement radios and GNU Radio. Indeed, the GNU Radio
of optical beams (higher level of security) and the platform already provides a large library of digi-
lack of interference of existing radio frequency con- tal communication blocks and allows implementing
nections. This is particularly true for aeronautical rapidly design modifications in software. One can
contexts. As part of the Aircraft Light Commu- find several research works dealing with the im-
nication (ALC) project (European project Clean- plementation of the 802.11 standard for SDR ap-
Sky2 H2020), our goal is to design a multi-user plications. These implementations are focused on
optical communication system in an aircraft cock- RF communications. As far as optical communi-
pit. Since the brightness inside the cockpit must cations are concerned one can find several Visible
be greatly reduced during the critical phases of Light Communications (VLC) implementations fo-
flight, the visible band is not appropriate. There- cused on the 802.15.7 standard. The rest of this
fore, the optical wavelengths in the infrared (IR) paper is organized as follows. Section 2 discusses
domain are used.One of the most successful IR stan- the main characteristics of the developed communi-
dard (IrDA) is not applicable due to small oper- cation chain. Section 3 presents an infrared packet
ating distance and the need for directed Line-Of- transmission system using homemade IR front-ends
Sight (LOS) links with strong alignment. Because before concluding in Section 4.
of growing interest in visible light communications,
there is today a lot of activities on optical wire-
less communication standards. This includes differ- 2 Communication chain
ent groups such as IEEE802.11bb, IEEE802.15.7r1,
IEEE802.15.13, and the ITU G.vlc. We decided to The developed chain uses the classical MAC/PHY
follow the IEEE 802.11 standard and adapt it to our layer model. We focus in particular on the trans-
study using IR technology. To enable interoperabil- mission and the reception of packets for the LLC
ity with the 802.11 radio-frequency standards that sub-layer and the frames of the IR PHY physical
dominate the market and thus facilitate light com- layer.The LLC sub-layer is, among others, in charge
munication penetration, the future standard should of building 802.11 compliant packets. One can find
be as close as possible to existing 802.11 specifica- an existing GNU Radio transmission chain which
tions.Particularly in the ALC project, the interop- includes this compliant packet forming scheme [1].
erability of the system with the 802.11 standard The 802.11 compatibility can be verified by using
is important because it guarantees a system evo- the network analyzer tool Wireshark. The LLC
lution and the ease of adaptation of this system blocks are: WIFI MAC in charge of the packetiz-
to the future 802.11bb standard. The standardiza- ing operation at the transmission side and WIFI
tion effort consists of the data link control layer PARSE MAC in charge of the packet analyze at
(subdivided into two sublayer namely: the Logical the reception side. The packetizing operation has
Link Control (LLC) and the medium access con- the structure presented in Fig.1.
trol (MAC)) and physical (PHY) layer.We choose The WIFI PARSE MAC block is able to distin-
a multi-step work: firstly we implement the On- guish and list the different fields of the received
Off-Keying (OOK) modulation which is one of the packet. In the Bloessel implementation [3], the
most used modulations in optical wireless transmis- block in charge of this operation is part of the
sion systems, and second we will study other mod- OFDM physical layer. This is the reason why we
ulations used in 802.11 versions. In order to cope could not use it in our IR PHY implementation and

1
of IR technology, the link has to work in base-
band (OOK,L-PPM modulations). To comply with
this requirement, Ettus LFTX and LFRX daugh-
terboards have been selected as they allow com-
munications between 0 and 30MHz. The designed
Figure 1: IR PHY packet structure. TX IR front-end converts the LFTX board voltage
ranging between 0 and 3.3V to a 0-100mA current
into the IR LED thanks to a high speed video op
had to develop a MAC packet data unit (MPDU) amp. The role of the RX front-end is to convert
Parse block. This block is in charge of recovering the very low PIN photodiode current (in the order
the payload.The LLC sub-layer packets are then of 1uA) into a voltage value of around 1V. This is
aggregated in a frame compliant with the 802.11 accomplished by a special type of op amp called
IR PHY standard specification [2], shown in Fig.2. a transimpedance amplifier (TIA).The demonstra-
This is a starting point because this specification tion is made of two parts: first, we send a file from
is no longer present in the latest versions of the the IR transmitter and analyze the frame received
standard. One of our goals is to adapt it to the at the receiver side using Wireshark. Secondly, a
constraints of the ALC project. user directly speaks in a microphone connected to
the PC of the IR transmitter and it is possible to lis-
ten the sound recorded by the computer connected
to the IR receiver.

Figure 2: LLC packet structure. 4 Conclusion


We have worked with the available GNU Radio As part of the H2020 ALC project we are devel-
tutorials and documentation. We have developed oping a multi-user infrared system for communica-
a PHY Formatter block dealing with the insertion tions in a cockpit. To ensure scalability, the sys-
of the synchronization fields and the transmission tem should be as close as possible to the 802.11
header forming a frame. The Parse PHY block at standard currently under development for optical
the reception side analyzes the frame and returns wireless communications. Our approach is based
the length field to the Demux Header/Payload on the implementation of an 802.11 packet trans-
block which then demultiplexes the header and the mission system developed with GNU Radio, tested
payload. For simplification reasons, as a first step, with USRP radios including specifically manufac-
we fix the time slot value to the bit time instead of tured optical front-ends. Currently, our system is
8s as specified in the 802.11 IR standard. Us PHY able to transmit 802.11 packet data with an OOK-
layer implements an OOK modulation by adding modulated PHY IR. Our future work will focus on
an offset to the BPSK modulation scheme. This the integration of other modulation schemes such
offset is required by the IR front-ends. OOK mod- as OFDM used in 802.11 a/p/n and the implemen-
ulation is one of the most used in wireless opti- tation of the DCF access method.
cal communication systems.The main GNU Radio
tools for packet communication systems design are
the tags and the messages.These tools use polymor- References
phic type (PMT) data. Several blocks of our chain
use PMT. For example the convolutional code ECC [1] B. Bloessl et al., ”Towards an Open Source
block specified by the 802.11 standard, the packe- IEEE 802.11p stack: A full SDR-based
tizing blocks WIFI MAC, WIFI Parse, PHY For- transceiver in GNU Radio,” 2013 IEEE Vehicu-
mater, PHY Parse and Header/Payload Demux. lar Networking Conference, Boston, MA, 2013,
pp. 143-149.

3 Front-ends & demonstration [2] Wireless LAN Medium Access Control (MAC)
and Physical Layer (PHY) Specifications p1491
The 802.11 PHY IR specification recommends data 2012.
rates of 1 Mbps and 2 Mbps. In a multi-user con-
[3] H Boeglen, Steve Joumessi-Demeffo, et al.. Op-
text, it is essential to have a high data rate to ensure
tical front-ends for USRP radios. French GNU
good communications of all users. For that pur-
Radio Days 2018, Jul 2018, Lyon, France.
pose, we designed RX and TX front-ends [3] hav-
ing a 10MHz bandwidth. Due to the constraints

2
Study of the use of a SDR Passive RaDAR for the
safe outdoor operation of an atmospheric LiDAR
F. Peyrin1 , J.-M. Friedt2
1
OPGC, UMS 833 CNRS, Univ. Clermont Auvergne, Aubière, France
2
FEMTO-ST, UMR 6174 CNRS, Univ. Franche-Comté, Besançon, France
March 28, 2019

Abstract

Our project aims to evaluate the potential of the Software Defined Radio technology associated to
GNU Radio ecosystem in order to propose new and pragmatic solutions when applied to scientists
needs, thus bridging the gap between engineering and research points of view. Here, we study the
ability for a passive RaDAR to detect aircrafts and allow safe operation of a LiDAR.

1 Introduction
The OPGC [1] is an Observatory of Earth Sciences
dedicated to Volcanology and Physical Meteorol-
ogy. Among instruments implemented, a LiDAR
helps to characterize the composition of the atmo-
sphere in aerosol particles.
The LiDAR activity requires compliance with in-
ternational air traffic regulation [2]. Due to strong
Laser emission, the potential ocular hazard for the
pilots must be cancelled by stopping the Laser emis-
sion while an aircraft is flying over the critical zone Figure 1: LiDAR location and critical zone.
of the LiDAR. Usually, air traffic safety is provided
by a X-band pulsed radar determining the presence
(position, altitude, speed) of any aircraft entering We used GNU Radio to acquire and save DVB-T
the vicinity of the LiDAR. signal (Fig. 2) echoed by the moving distant target.
On the one hand, a first alternative solution has
been developed based on acquiring and processing
ADS-B frames transmitted by the IFR aircrafts [3].
On the other hand, we also study and present here
the potential of a passive RaDAR solution based
on J.-M. Friedt previous work [4] using an existing
non-cooperative source.

2 Experimental setup Figure 2: GNURadio code for DVB-T acquisition

Experimental setup involves the reception of echoes Then, using MATLAB (MatWorks), we post-
of the local Terrestrial Digital Video Broadcasting processed these data by autocorrelation to find the
(DVB-T) source reflected by cabin’s aircrafts. The transmitted signal, delayed in time, so shifted in
LiDAR and receiver are located (Fig.1) on the roof frequency by Doppler shift.
of the OPGC, 420 m above sea level, 4 km away
from the airport and 11 km from the Puy de Dôme,
1465 m asl., where is located the DVB-T emitter. 3 Results
The receiver hardware configuration was based
on a RTL-SDR USB stick that features the Realtek Several tests have been processed (available at [5]).
RTL2832U chipset and the R820T2 tuner specifi- Among these, a measurement at a bistatic distance
cally designed for use in SDR mode. We used this of 10 km (Fig.3), which is sufficient compared to the
broadband receiver coupled to a UHF yagi antenna critical zone, suggests the ability to detect aircraft
to acquire DVB-T broadcast at 482 MHz. flying up to ten thousand meters above our LiDAR.

1
be complementary for operational purpose if hard-
ware is upgraded and calculation time is lowered.
More generally, SDR implementation may also
be helpful for further Earth Science Experiments
driven at the OPGC, in particular when applied to
remote sensing instruments. For example, Software
Defined Radio could also be dedicated to passive or
active RaDAR concepts involved in characteriza-
tion of atmospheric clouds or volcanic ash plumes.
The main technical objectives are to improve the
ergonomics and the mobility of instruments on the
field, to improve the spatial and temporal resolu-
tions (size and movement of the targets), to reach a
greater modularity (emission-reception, directions,
frequencies ...), and to optimize the overall cost
Figure 3: Remote detection (a.u.) of the target, of development and maintenance of these new sys-
circled with red, at a bistatic distance of 10 km, i.e. tems. This ongoing study will be focused on free
an aircraft at a distance of 5 km in a configuration and open source ecosystem such as GNURadio.
where source, receiver and target are aligned.

References
The DVB-T emitter provides promising results
that need to be confirmed with a suitable hardware, [1] at http://wwwobs.univ-bpclermont.fr/
i.e. two synchronized receivers fed by directional
antennas, one pointing to the transmitter (reference [2] Doc 9815 AN / 447 2003 of the Inter-
signal) and an other one pointing to zenith to de- national Civil Aviation Organization, 2003
tect eventual mobile targets (surveillance channel). at https://www.skybrary.aero/bookshelf/
Separating the reference and monitoring channels books/3849.pdf
improves the signal-to-noise ratio and, more im- [3] Tests of the ADSB-SDR technique to detect
portantly, eliminates artifacts related to autocor- aircrafts - An alternative to radar solution
relations of signals due to multiple targets. for air traffic safety during Lidar activity,
The main limitation currently observed is the F. Peyrin et P. Freville, 2018 at https:
processing time of the acquired signals. In the ab- //www.researchgate.net/publication/
sence of any optimization (arbitrary choice of 221 329874059_Tests_of_the_ADSB-SDR_
processed points, for a Doppler shift analyzed by technique_to_detect_aircrafts_-_An_
steps of 5 Hz between -400 and +400 Hz), and alternative_to_radar_solution_for_air_
post-processing the acquired data with an inter- traffic_safety_during_Lidar_activity/
preted language (GNU / Octave), two minutes are
needed to process every second of recording. With- [4] RADAR passif par intercorrélation de sig-
out considering a processing shorter than the ac- naux acquis par deux récepteurs de télévision
quisition time, the main effort, in addition to the numérique terrestre, J.-M Friedt, 2018 at http:
experimental setup, must focus on the reduction //jmfriedt.free.fr/passive_radar.pdf
of this computation time, highly parallelizable and [5] RADAR passif pour la sécurité d’opération
optimizable in terms of choice of the parameters of d’un LiDAR, F. Peyrin et J.-M Friedt,
analysis. Towards the aim of real time processing, Experiment Findings, 2018 at https:
shifting part of the processing chain from general //www.researchgate.net/publication/
purpose Central Processing Units (CPUs) to FPGA 331929425_RADAR_passif_pour_la_
parallel computing units is being developed [6]. securite_d%27operation_d%27un_LiDAR/
[6] J.-M Friedt, W. Feng, S. Chrétien, G. Goavec-
4 Conclusion, Perspectives Merou, M. Sato, Passive radar for measuring
passive sensors: direct signal interference sup-
This study highlights the potential of the SDR con- pression on FPGA using orthogonal matching
cept in regard to our applications. While detecting pursuit, accepted SPIE Multimodal Sensing and
ADS-B with a dongle could already give an inex- Artificial Intelligence: Technologies and Appli-
pensive solution for air traffic safety during LiDAR cations (München, 2019)
activity, the passive RaDAR implementation could

2
Embedded GNU Radio running on Zynq/PlutoSDR

G. Goavec-Merou1 , P.-Y. Bourgeois1 , J.-M Friedt1


1
FEMTO-ST Time & Frequency, Besançon, France

Abstract

GNU Radio has been ported to the buildroot environment and hence can be run on any plat-
form supported by this development framework, including the Zynq. We extend the frozen version
of buildroot used by Analog Devices (2018.02) to the BR2 EXTERNAL mechanism allowing to use the
latest release of buildroot and hence the latest added packages, including GNU Radio and associated
packages to run on the Zynq as found on the PlutoSDR. We demonstrate running the demodulation
scheme on the PlutoSDR itself, and streaming the resulting audio file, as well as providing custom
FPGA bitstream for embedded RF frontend processing.

1 Introduction
Current embedded platforms and associated elec-
tronics frontends exhibit on the one hand increasing
flexibility and on the other hand increasing embed-
ded computational power, with a bandwidth bot-
tleneck at the data transfer from one processing
unit to another. A demonstration of this evolu-
tion is Analog Device’s (ADI) PlutoSDR combin-
ing on a same board an AD9363 radiofrequency
frontend streaming digital data to the Zynq 7010
System on Chip providing both FPGA (PL) and
general computational (PS) functionalities on the Figure 1: Adding an audio interface to the Plu-
same chip. The resulting complex I/Q data are toSDR through EMIO driven by a PWM added to
then streamed to a personal computer through a the original bitstream. In this example, the PWM
USB connection for further processing. The archi- datapath is independent of the data stream com-
tecture provided by ADI, in which the Zynq is only ing from the AD9363 radiofrequency frontend pro-
used to collect the data and stream them to the viding the raw I/Q signals needed to demodulate
personal computer on the one hand restricts the a broadcast FM station and playing sound on the
available bandwidth due to the USB bus, and pre- headphones.
vents using fully the PS capability of the Zynq. In
order to run GNU Radio on the PS and take ad-
vantage of the processing power as well as the huge ded radiofrequency transceiver.
communication bandwidth between PL and PS, we
have ported the development framework provided 2 Experimental setup
by ADI to the BR2 EXTERNAL framework providing a
homogeneous, fully consistent development frame- ADI’s development framework provided at
work. Hence, the latest release of the buildroot github.com/analogdevicesinc/plutosdr-fw
framework shall be used on the embedded software, uses a Makefile configuration to run multiple
including the latest packages such as the necessary tools in order to generate all the files needed to
extensions to GNU Radio needed to collect data generate the embedded firmware. The kernel is
from the AD9363 and process such data on the compiled out of the buildroot environment, which
embedded board. Since the processing requiring is itself a version frozen at the time of the release.
most bandwidth is run on the PS, the resulting dec- While the generation of the image is functional, its
imated stream becomes consistent with USB band- long term evolution is dependent on porting the
width when streamed to the personal computer. updates to the current kernel to the latest Linux
In addition to providing the Buildroot frame- release. Furthermore, the version of buildroot is
work to add custom software, including GNU Radio frozen to a version not yet supporting GNU Radio.
blocks, to the PlutoSDR, we provide the ability to Various efforts aimed at leveraging the pro-
tune the bitstream configuring the Zynq PL with cessing power of the Zynq [1] include running a
custom processing blocks, such as a sound output, web server on the embedded target (github.com/
making the PlutoSDR a fully autonomous, embed- unixpunk/PlutoWeb) or updating the PL bitstream

1
github.com/timcardenuto/testPlutoSDR. All Beyond allowing for processing datastreams at
these projects still rely on the official ADI frame- the PS side of the Zynq, accessing the bitstream
work whose long term stability is questionable since generated to configure the PL allows for including
buildroot and the linux kernel will keep on evolv- basic preliminary processing steps at the FPGA
ing. In order to avoid freezing features of a given level. Fig. 3 exhibits the initial FPGA con-
buildroot release, we have extracted the mod- figuration provided by ADI to fetch data from
ifications brought by ADI to buildroot and in- the AD9363 and stream them to the PS memory
cluded them in an external branch designed to be through the AXI DMA interface. While the basic
merged with the latest buildroot release as provided design only includes FIR decimator and interpola-
through the BR2 EXTERNAL mechanism. tor blocks between the AD936{1,3} block and the
Furthermore, thanks to the availability of AXI DMA, any additional processing block com-
the PlutoSDR HDL firmware, a bitstream plying with the interfaces might be included to pre-
can be generated to configure the PL with process the data at the FPGA level, hence removing
custom functionalitites. We here promote the bandwidth limitation introduced by the PL to
the compatibility with the OscimpDigital PS communication.
PL/PS co-design framework as documented at
https://github.com/oscimp/oscimpDigital/
tree/master/doc/tutorials/plutosdr/.

3 Results
In order to demonstrate the embedded signal pro-
cessing using GNU Radio, we tune the AD9363
(whose configuration was updated [2] to match an
AD9364 to allow reaching the 100 MHz commer-
cial FM broadcast band) to a broadcast FM sta-
tion, stream the data to an embedded command- Figure 3: FPGA processing chain, from AD9363
line python script generated from GNU Radio Com- to PS memory through the Direct Memory Access
panion, and transfer the resulting audio stream (DMA) AXI stream, and collecting the AXI stream
to the personal computer through the ZeroMQ to feed the custom processing chain here made of
framework. The personal computer then sends the an NCO and a mixer to demonstrate an additional
stream to the sound card to assess the demodula- frequency transposition.
tion quality.

4 Conclusion
A fully functionnal extension to buildroot support-
ing the PlutoSDR to run embedded processing soft-
ware is proposed. All development files are released
at github.com/oscimp/PlutoSDR. The demon-
stration of the operational framework is achieved
by streaming the sound demodulated from the in-
coming commercial broadcast FM radiofrequency
signal onboard the Zynq processor.

References
Figure 2: Flowgraphs running on the Zynq tar-
get (bottom right) and on the host PC (top-right), [1] PlutoSDR: enable 2nd CPU core for better
streaming the FM signal demodulated on the PS of performance at www.reddit.com/r/RTLSDR/
the target (top-left) and using the host as a sound comments/7h2hh2/plutosdr_enable_2nd_
card. cpu_core_for_better/
Fig. 2 exhibits the flowcharts running on the [2] Updating to the AD9364 at wiki.analog.
embedded target and the host computer, as well as com/university/tools/pluto/users/
the resulting oscilloscope output. customizing

2
GNU Radio implementation for Multiuser Multi-Armed
Bandit learning algorithms in IoT networks
Julio Manco-Vasquez1 , and Christophe Moy2 , Faouzi Bader1
1
IETR / CentraleSupélec Campus de Rennes, F-35510 Cesson-Sévigné, France,
{JulioCesar.MancoVasquez, Faouzi.Bader} @CentraleSupelec.fr
2
Univ Rennes, CNRS, IETR - UMR 6164, F-35000, Rennes, France
[email protected]

Abstract

Novel access schemes based on multi-armed bandit (MAB) learning approaches has been proposed to support the
increasing number of devices in IoT networks. In the present work, a GNU radio framework is implemented to recreate
an IoT network where IoT devices embedding MAB algorithms are able to learn the availability of the channel for
their packet transmissions to the gateway. It allows to incorporate several IoT users recognized by an identifier (ID),
and provides a gateway to handle a large number of IDs as well as the packet collisions among IoT devices. The
experimental results show that the introduction of learning mechanism in access schemes can improve the performance
of the network.
1 Introduction

Several efforts to introduce reinforcement learning algo-


rithms tailored for low-power wide-area (LPWA) networks
have been recently carried out [1, and references therein].
However, unlike opportunistic spectrum access (OSA) Figure 1: A LPWA scenario with IoT devices that aim to select the
schemes, where several proof of concept based on MAB best channel for their transmissions to the gateway, while collisions
among other IoT devices and interference from other networks may
algorithms have been developed [2, and references therein], occur.
the experimental evaluation for IoT networks has been
overlooked.
2 Experimental setup
Previous works regarding the evaluation of MAB al-
gorithms for OSA in decentralized networks do not take Our testbed is implemented using N210 USRPs connected
into account realistic transmissions between the primary to an Octoclock for time and frequency synchronization
and secondary users, and utilize particular toolboxes among the devices. Each USRP running a GNU radio
avoiding to run reproducible experiments. In this regard, application implements a transceiver composed of three
a first proof of concept to assess the potential usage of GNU radio blocks. For instance, in an IoT user, a first
MAB algorithms for IoT scenarios is provided in [1]. block corresponding to the physical layer detects and
It is fully implemented in GNU radio, and we consider demodulates the packets into QPSK symbols, after which
this initial effort to introduce features concerning an a second block detects the ID within the ACK packet. In
LPWA network. In doing so, the emulation of an IoT the last block, a new packet is created and transmitted
network to support a large number of users is addressed. through the frequency channel pointed out by the MAB
Our testbed is composed of several IoT devices and a algorithm, if it is embedded in the IoT device 1 .
Gateway, where each IoT device following an ALOHA
wireless protocol transmits a packet containing its ID, The implemented data packet structure is shown in
and waits for an ACK packet transmitted by the gateway, Fig. 2, where a preamble is utilized for the packet de-
as it is shown in Fig. 1. For that end, a data packet tection and phase correction of the received signal, while
structure is implemented to provide the required support the values in the field UP/DOWN allow the receivers at
for a multiuser scenario. Our demonstration shows that the gateway and the IoT user to only receive uplink and
significant gains can be obtained, when a well-known MAB 1 In a similar way, it operates at the gateway side, where after
approach, an Upper-Confidence Bound (UCB) algorithm demodulating the packet, an ID detection is carried out to identify
[1] is embedded in IoT devices. the IoT user, and finally an ACK packet is created in the last block.

1
Figure 2: A data packet composed of a preamble, a field named
UP/DOWN, and a user ID given by six blocks of QPSK symbols,
Bk .

downlink packets, respectively. The ID user is defined


by 6 blocks of QPSK symbols Bk for k ∈ [1 6], which
are assigned two possible constellation symbols. Then, a Figure 4: Number of times a channel is selected (curve in blue)
and the number of successful transmissions (curve in red) for each
channel and IoT users.

a sample rate of 64 kbps, and 4×103 symbols for each block


Bk are configured. An FFT block of 16 bins is employed to
a provide a channel selection mechanism with four chan-
nels indexed as 2, 5, 9, and 12. In this example, one of
the IoT user is set to use the channels 9 and 12, whereas a
second IoT user is able to choose among the four channels.
The obtained results in Fig. 4 shows that the second IoT
user learns to select the available channels 2 and 12 (curve
in blue), meaning that the gateway is able to handle the
incoming packets by replying with the corresponding ACK
packets. On the other hand, a gap is observed between
the number of trials and successful transmission due to the
collisions involved in the learning process.

4 Conclusion
Figure 3: The GRC designs for the IoT device and the gate-
We have presented a GNU radio implementation that
way are described at the top and bottom of the figure, respectively.
The blocks corresponding to our framework are higlighted (in orange
recreates an IoT network for the evaluation of access poli-
boxes) within the flowgraphs.
cies based on reinforcement learning approaches. Our
framework introduces a packet structure to handle a large
threshold is applied to the number of times that a symbol number of IoT users that may incorporate MAB algo-
is received within each block Bk , so that a decision about rithms. Finally, the experimental results show that a UCB
the transmitted symbol is made. Hence a binary sequence approach improves the performance of the IoT user. Fur-
of 6 bits are obtained, and consequently a total of 64 users thermore, the modular design of the proposed framework
can be supported 2 . allows the evaluation of any novel access policy, as well as
the incorporation of other physical layers.
3 Results
References
We evaluate our demo in a scenario with a clear line of sight
(LOS) by placing two IoT users and a gateway, all of them [1] L. Besson, R. Bonnefoi, and C. Moy, “GNU Radio Im-
working at a carrier frequency of 433.5 MHz. Each IoT user plementation of MALIN: ”Multi-Armed bandits Learn-
embedding a UCB algorithm 3 is able to select among four ing for Internet-of-things Networks”,” in To appear in
frequency channels and transmit packets of roughly 0.5 sec- 2019 IEEE Wireless Communications and Networking
onds following a LoRa standar. In Fig. 3, the implemented Conference (WCNC), Apr. 2019.
GNU radio companion (GRC) designs are depicted, where
[2] R. Kumar, S. Darak, A. Sharma, and R. Tripathi,
2 The length of the fields can be adjusted to support more users. In
“Two-stage decision making policy for opportunistic
fact, our implementation allows to divide the blocks Bk into chunks
spectrum access and validation on USRP testbed,”
of symbols so as to convey more bits. Furthermore at higher sample
rates, more symbols per block Bk are available. Springer: Wireless Networks, vol. 24, pp. 1509–1523,
3 For a more detailed illustration of the implemented UCB algo- 2018.
rithm, the reader may refer to [1].

2
Framework for PHY-MAC layers Prototyping in
Dense IoT Networks using FIT/CorteXlab Testbed
Othmane Oubejja, Diane Duchemin, Matthieu Imbert, Leonardo S. Cardoso, Jean-Marie Gorce
Univ Lyon, INSA Lyon
Inria, CITI
F-69621 Villeurbanne, France
[email protected]

Abstract—In this paper we present an Internet-of-Things channel bandwidth, the emitted power and the waveform used
(IoT) network implementation developed as part of the project to communicate. The testbed is located in a large shielded
”Enhanced Physical Layer for Cellular IoT” (EPHYL) , using room which is partially covered with electromagnetic absorb-
FIT/CorteXlab radio testbed. The aim of our work is to provide
a customizable and open source design for IoT networks pro- ing foams. Conclusively, the design of the room enables to
totyping in a massive multi-user, synchronized and reproducible ensure a high level of reproducibility of experimentations.
environment thanks to the hardware and software capabilities of Last but not least, all SDR nodes are remotely accessible
the testbed. The massive access feature is managed by emulating through a service interface allowing to deploy proprietary
several sensors per radio nodes. Two categories of network software [1].
components are used in our design: a base station unit and
a multi-sensor emulator unit. The components are separately III. D ESIGN A RCHITECTURE
hosted in dedicated and remotely accessible radio nodes. Their
design features can be illustrated through a live demo, which is A. Overview
also reproducible as it is available for any interested reader.
Index Terms—IoT, FIT/CorteXlab, NB-IoT, Reproducibility, We started by investigating how we can deploy an IoT-like
LPWAN, Channel Emulation, Software Defined Radio network considering the testbed capabilities for SDR applica-
tions, therefore the objective was to choose then implement
I. I NTRODUCTION key features from NB-IoT systems [2]. Our approach was
to design two classes of nodes. The first class represents a
With the growing needs of rigorous and transparent sci-
Base Station (BS) and the second one a Multi-Sensor emulator
entific experimentation across many research fields, the im-
(MS). In this work, a Sensor is the actual resource user.
portance of reliable testbeds is only getting more crucial in
To ensure time and frequency synchronization, only USRP
order to validate scientific models and simulations. Among
nodes are used, since they are connected to 8-Channel Clock
these fields is wireless communication, and more particularly
Distribution modules. The wireless channels are the downlink
Internet-of-Things (IoT) which is a rapidly growing and chal-
Broadcast Channel (BCH) and the uplink, which is based on
lenging domain. However, one of the challenges is robust joint
a custom and simplified version of NB-IoT PHY layer [2] [3].
hardware/software prototyping that is still lacking due to var-
Fig.1 depicts the overall network structure.
ious reasons (e.g. synchronization, immutable implementation
solutions, unrealistic testing environment) especially for large RF Wireless Uplink Ethernet Downlink RF Wired Sync. link
scale experiments as required for IoT.
FIT/CorteXlab [1] radio testbed has the key properties
BS node
to develop an IoT network framework, remotely and freely
Octoclock

available for the research community. It allows to fasten


the execution of large scale emulated radio experiments, as
illustrated here with the evaluation of custom PHY-MAC MS node 1
M1 sensor emulator
MS node 2
M2 sensor emulator
MS node N
MN sensor emulator
layers derived from 3GPP Narrowband Internet of Things
(NB-IoT) standard [2]. The proposed framework offers to
researchers the opportunity to plug their algorithms or designs Fig. 1. EPHYL Network diagram.
in Software Defined Radio (SDR) nodes, thus making it
possible to evaluate diverse communication scenarios and
perform necessary physical measurements. B. Network Resources Scheduling
The BS follows a defined resource grid policy and a frame
II. FIT/C ORTE X LAB R ADIO T ESTBED structure known by the sensors. At the present time, our design
FIT/CorteXlab is a large scale radio testbed composed of an supports single carrier mode only. The BS starts by emitting a
extensive set of SDR nodes. These latter provide substantial beacon signal (BCN) within the Broadcast Channel (BCH)
RF flexibility, enabling to tune the operating frequency, the which allows active Sensors to detect the BS and obtain
primary time synchronization. During the Synchronization BS Node
(Sync) time slot, the Sensors compute the timing of Physical GNU Radio (Computer) USRP
Shared Slots (Si ) and decide which slots to use according Channel Beacon
to their respective access policies (regular access, Poisson Estimation Generator

distribution, etc). More details about nodes functioning are Header


Trigger UHD
given in III-C. A guard time is used at the end of each Shared Header/Payload BS
Demux Scheduler
Slot to store decoded data and avoid overlapping. The final
slot within the frame is a post-processing slot and is also Payload

Data Ethernet
used to generate a wired downlink message to MS nodes. This PHY RX
formatting Downlink
message contains information about potential slots usage and
collisions as well as a decoding success score. This feedback
(To MS nodes)

can be used to improve the network usage by adapting the Fig. 3. EPHYL BS Node Block Diagram
access policy and/or PHY layer parameters.
Fig.2 illustrates a functional example of the network flow
MS Node i
during one frame, including one BS node and 3 emulated
Sensors running with different parameters. GNU Radio (Computer) USRP
Sensor M

Frame

....

....
RF state Tx Rx Tx … Sensor 3

Time slots BCH Sync S0 S1 S2 … SN PCH BCH … Sensor 2


Ethernet
Downlink
Sensor 1 UHD
Tsync TS TG TP
Node Access Policy
state (From BS)

Process Data PHY TX Local Channel


Send Send
BS
beacon
data + … bits (SC-FDMA) Scheduler Emulator
Feedback beacon
t Sync
Wake
Sensor i
up Search Detect Sync Emit Emit …
Wake
Sensor j
up Search Detect Sync …
Fig. 4. EPHYL MS Node Block Diagram
Wake
Sensor k
up Search Detect Sync Emit …
Slot collision

IV. D EMONSTRATION
Fig. 2. Example Scenario with slot collision Conducting experiments in FIT/CorteXlab requires a basic
expertise. All required procedures are explained in the testbed
C. Nodes Description Wiki [4] through several tutorials. Furthermore, these latter
1) BS Node: The BS node is disciplined by its Scheduler and the present framework can be carried out by any person
which controls slots timing. On the one hand, the Sched- possessing a FIT/CorteXlab account, an Internet connection
uler triggers the Beacon Generator during the BCH, on the and a Unix Shell. All framework components of this work
other hand, it feeds the demodulation chain which starts are customizable and can be adjusted to users needs. The
with a Header-Payload Demultiplexer and consists of two proposed demo acts as an example to show the flexibility and
other chains. The first one is actually a loop and concerns the modularity of the design.
the header. The Channel Estimation block removes channel V. ACKNOWLEDGMENT
impairments by correlating the expected pilot sequence with
This work was supported by the French National Research Agency (ANR),
the received header. The second chain purpose is to extract the
under grant agreement ANR-16-CE25-0002 (EPHYL project). Experiments
payload, decode it, identify the emitters, count the decoded
presented in this paper were carried out using the FIT/CorteXlab testbed.
messages for each sensor, then broadcast the results in the
wired downlink feedback channel. R EFERENCES
2) MS Node: The MS node is composed of emulated [1] L. Cardoso, A. Massouri, B. Guillon, F. Hutu, G. Villemaud, T. Risset,
Sensor blocks which are connected to a complex adder. After J.M. Gorce, ”CorteXlab: A Cognitive Radio Testbed for Reproducible
the ”wake-up” state, each sensor generates its own packets and Experiments,”. in Proc. Wireless @ Virginia Tech Symposium, May
2014, Blacksburg, United States. 2014.
waits for the Sync block to trigger the local Scheduler as soon [2] Y. -. E. Wang et al., ”A Primer on 3GPP Narrowband Internet of Things,”
as a beacon is detected. The Access Policy block dictates to the in IEEE Communications Magazine, vol. 55, no. 3, pp. 117-123, March
Scheduler which shared slots to use based one the BS feedback 2017.
[3] X. Lin, A. Adhikary and Y. -. Eric Wang, ”Random Access Preamble
and modifies PHY parameters if needed. Then, the generated Design and Detection for 3GPP Narrowband IoT Systems,” in IEEE
waveform passes through a Channel Emulator which applies Wireless Communications Letters, vol. 5, no. 6, pp. 640-643, Dec. 2016.
arbitrary attenuation as well as timing and frequency offsets. [4] ”FIT/CorteXlab Wiki”. [Online]. Available: https://wiki.cortexlab.fr/.
[Accessed: 17- Dec- 2018].
(See Fig.4)
Hacking the DSMx Drone RC protocol
Cyrille Morin1 , Leonardo S. Cardoso1
1
Univ Lyon, Inria, INSA Lyon, CITI, France

Abstract

We present a decoder for a proprietary drone radio-control protocol, DSMx, implemented in GNU-
Radio. This decoder is able to detect a transmission, decode transmitted data, find and follow the
corresponding frequency jump sequence and identify the emitter by its manufacturing ID.

1 Introduction detect and decode a transmission and emit signals


to hijack a drone in October 2016 at PacSec in
Unmanned Aerial Vehicles (UAVs) or drones have Tokyo [3]. GNURadio was used to study the pro-
been around fo decades for military and scientific tocol but the implementation was done on hard-
purposes. But they have become increasingly pop- ware with the original radios. So, to the best of
ular with the general public in the last 10 years. our knowledge, there is no previous DSMx decoder
Their widespread usage causes airspace sharing implemented with software defined radio
issues. Existing regulations are tailored to big air-
crafts, not drones, and their use is either not prop-
erly regulated or not covered at all and the public 2 Protocol description
is often not aware of the legal issues with piloting
what is sold to be a toy. The DSMx protocol works on a CYRF6936 radio
This creates privacy and safety issues: It’s ex- chip that implements a frame based data trans-
tremely simple to fly over private properties and mission with Frequency Hopping Spread Spec-
film unwilling third parties, or even fly by restricted trum (FHSS) and Direct-Sequence Spread Spec-
areas such as airports, military fields or nuclear trum (DSSS) based on a GFSK modulation scheme
plants. Manned aircrafts are also at risk of colli- at 1Mbit/s in the 2.4GHz ISM band. After a
sion, and some drug cartels are starting to use some preamble, a start-of-packet (SOP) code is sent in
to deliver drugs to dealers. a specific sequence to tell the hardware the DSSS
Regulations enforcement is not simple due to the parameters of the communication. In normal oper-
drones’ size and stealthiness and, even if one is ation, the DSSS step is done by sending variations
caught, it does not help with locating the pilot that over two 64bits long pseudo-noise (PN) codes: one
can be more than a kilometre away. bit corresponds to the PN code used, one tells if a
Systems have been developed to physically cap- NOT operation was applied and six more describe
ture drones with nets, to jam the radio transmis- the number of bit-wise shifts of the code, so one
sion, or to simply destroy them. All these systems 64bits chip codes for one byte.
require knowledge of the drone’s position and to be Over this, the frame consists of the last two of
close to it. the four identification bytes defined in each radio
A study and implementation of the radio con- card, followed by 14 bytes coding for the values of
trol protocols in use could allow for detection of seven RC channels. If needed, frames can be sent
unwanted drones without line-of-sight and either in pairs to handle up to 12 RC channels.
takeover or targeted jamming without blocking the The PN codes used for data and SOP are selected
radio spectrum. from a 5 by 9 matrix depending on the current radio
DSMx is a proprietary protocol from Spektrum channel and the ID bytes.
used by other drone manufacturers such as Hori- A CRC is added at the end of each frame for
zon Hobby. A couple of hobbyist groups such as error detection. It uses the first two ID bytes as
PaparazziUav[1] and Deviation, whose objective is seed. Unfortunately, the exact algorithm and/or
to create an universal transmitter implementing polynomial was not found.
protocols from the various drone manufacturers, The FHSS element is done by changing the ra-
have it in their support list. The Deviation GitHub dio channel after each frame in a jump sequence
repository has a very good description of it[2]. But of 23 different channels over 74 possibilities. We
their approach uses the proprietary hardware with won’t go into the details of the algorithm, but it is
a source code modification to implement other pro- a constrained pseudo-random generator with a seed
tocols and add different transmission chips for in- being the ID bytes.
creased compatibility. There is also a pairing frame to configure the re-
Jonathan Andersson presented a system able to ceiver to listen to one specific transmitter. It’s sent

1
Figure 1: GNURadio flowgraph for DSMx detection, decoding, and FHSS channel sequence following

on a random radio channel and contains data de- To get these, the pairing frame can be listened
scribing the transmittter capabilities (RC channel to. This allows to demonstrate the capacity of the
number and protocol type) and, more importantly, USRP to follow the jump sequence over a known
the four ID bytes used in the jump sequence and transmitter.
the PN code selection.

4 Conclusion
3 Demo setup In this demonstration, we present a GNURadio im-
plementation of a system able to decode DSMx
This demonstration presents an implementation of data from an unknown transmitter with a partial
a DSMx decoder in GNURadio. identification of the transmitting radio chip. If the
The USRP listens to one channel at a time at transmitter is known, we can show that the SDR
2Msps. In the three following blocks, the quadra- hardware used is able to follow the protocol’s FHSS
ture demod with the binary slicer handle the GFSK jump sequence quickly enough and not lose frames.
demodulation and the Clock recovery does the syn- Further progress on the system depends on the dis-
chronisation. Then, we look for the preamble for covery of the exact CRC algorithm: It would allow
time synchronisation and use next three custom full transmitter identification and jump sequence
blocks for: packet isolation and PN code discov- computation for full data decoding, selective jam-
ery, data decoding, and frequency jump following ming of the concerned channels or emission of cus-
and GUI output. tom frames.
The implementation code and flowgraph are
available on GitHub at https://github.com/
lscardoso/gr-dsmx-rc.

References
Figure 2: Gui output of the system with current
RC channel values and computed jump sequence [1] Paparazzi. (2017) Paparazzi uav wiki. [Online].
Available: http://wiki.paparazziuav.org/wiki/
The codes used in each frame are based on the Main Page
value of the ID bytes, that we don’t know, but,
[2] Deviation. (2017) Custom firmware for walkera
with the selection algorithm and the radio channel
devo radios. [Online]. Available: https://
number known, it becomes simple to search for the
github.com/DeviationTX/deviation
SOP code in only seven possibilities, and with that
the PN codes can be extracted. So there is no need [3] J. Andersson. (2016) Attacking dsmx spread
to know anything about the transmitter to be able spectrum frequency hopping drone remote
to decode data. control with sdr. [Online]. Available: https://
If the algorithm was known, it would be possible pacsec.jp/psj16/PSJ2016 Andersson Hacking
to search over the space of 2 bytes to extract the DSMx with SDR PacSec 2016 English.pdf
two ID bytes that are not sent with each frame.
Those two bytes would allow for exact transmitter
identification and computation of the radio channel
jump sequence.

2
Author Index

Alvarez-Martinez H., 7, 8 Morin Cyrille, 34, 35


Aveneau Lilian, 24, 25 Morlaas Christophe, 17, 18
Moy Christophe, 30, 31
Bader Faouzi, 30, 31
Bernard L., 2, 3 Oubejja Othmane, 32, 33
Bieber E, 2, 3
Blais Antoine, 17, 18 Paillot J.-M, 2, 3
Boeglen H., 2, 3 Peyrin Frédéric, 26, 27
Boeglen Hervé, 24, 25
Sahuguède Stéphanie, 24, 25
Boeglen Herve, 22, 23
Sauveron Damien, 24, 25
Bourgeois Pierre-Yves, 16, 28, 29
Seidelin S., 7, 8
Boven Paul, 6
Spies Francois, 9, 10
Calosso Claudio Eligio, 12, 13 Suciu Adrian, 11
Campo C, 2, 3
Zhang S., 7, 8
Cardenas Olaya Andrea Carolina, 12, 13
Cardoso Leonardo, 32–35
Claverie Tristan, 19–21
Combeau Pierre, 24, 25

Duchemin Diane, 32, 33

Fang B., 7, 8
Ferrier A., 7, 8
Friedt Jean Michel, 26–29

Galland N, 7, 8
Givron Stéphane, 9, 10
Goavec-Merou Gwenhael, 28, 29
Goldner P., 7, 8
Gorce Jean Marie, 32, 33

Hengy S., 2, 3

Imbert Matthieu, 32, 33

Joumessi Steve, 24, 25


Julien Nicolas, 4, 5
Julien-Vergonjanne Anne, 24, 25

Le Targat R., 7, 8
Lecoq Y., 7, 8
Lopes Esteves Jose, 19–21
Lucic N, 7, 8

Manco Julio, 30, 31


Mayer Christoph, 14, 15

36

You might also like