Signal Structure of the Starlink Ku-Band Downlink
Todd E. Humphreys∗ , Peter A. Iannucci∗ , Zacharias Komodromos† , Andrew M. Graff†
∗ Department of Aerospace Engineering and Engineering Mechanics, The University of Texas at Austin
† Department of Electrical and Computer Engineering, The University of Texas at Austin
Abstract—We develop a technique for blind signal identifica-
tion of the Starlink downlink signal in the 10.7 to 12.7 GHz
band and present a detailed picture of the signal’s structure. Im-
portantly, the signal characterization offered herein includes the
exact values of synchronization sequences embedded in the signal
that can be exploited to produce pseudorange measurements.
Such an understanding of the signal is essential to emerging
efforts that seek to dual-purpose Starlink signals for positioning,
navigation, and timing, despite their being designed solely for
broadband Internet provision.
Index Terms—Starlink, signal identification, positioning, time
synchronization, low Earth orbit
I. I NTRODUCTION
In addition to revolutionizing global communications,
recently-launched broadband low-Earth-orbit (LEO) mega-
constellations are poised to revolutionize global positioning,
navigation, and timing (PNT). Compared to traditional global
navigation satellite systems (GNSS), they offer higher power,
wider bandwidth, more rapid multipath decorrelation, and
the possibility of stronger authentication and zero-age-of-
ephemeris, all of which will enable greater accuracy and
greater resilience against jamming and spoofing [1]–[5].
With over 3000 satellites already in orbit, SpaceX’s Starlink
constellation enjoys the most mature deployment among LEO
broadband providers. Recent demonstrations of opportunistic
Doppler-based positioning with Starlink signals [6]–[8] open
up exciting possibilities. But whether Starlink signals are
more generally suitable for opportunistic PNT—not only via
Doppler positioning—and whether they could be the basis of a
full-fledged GNSS as, proposed in [5], remains an open ques-
tion whose answer depends on details of the broadcast signals,
including modulation, timing, and spectral characteristics. Yet
whereas the orbits, frequencies, polarization, and beam pat-
terns of Starlink satellites are a matter of public record through
the licensing databases of the U.S. Federal Communications
Commission [9], details on the signal waveform itself and
the timing capabilities of the hardware producing it are not
publicly available.
We offer two contributions to address this knowledge gap.
First, we develop a technique for blind signal identification
of the Starlink downlink signal in the 10.7 to 12.7 GHz
band. The technique is a significant expansion of existing
blind orthogonal frequency division multiplexing (OFDM)
signal identification methods (see [10]–[12] and the references
therein), which have only been successfully applied to simu-
lated signals. Insofar as we are aware, blind identification of
operational OFDM signals, including exact determination of
synchronization sequences, has not been achieved previously.
Copyright © 2022 by Todd E. Humphreys, Peter A. Iannucci,
Zacharias Komodromos, and Andrew M. Graff
Second, we present a detailed characterization of the Star-
link downlink signal structure in the 10.7 to 12.7 GHz band.
This applies for the currently transmitting Starlink satellites
(versions 0.9, 1.0, and 1.5), but will likely also apply for
version 2.0 and possibly later generations, given the need to
preserve backward compatibility for the existing user base.
Our signal characterization includes the exact values of syn-
chronization sequences embedded in the signal that can be
exploited to produce pseudorange measurements. Combining
multiple pseudorange measurements to achieve multi-laterated
PNT, as is standard in traditional GNSS, enables faster and
more accurate opportunistic position fixes than the Doppler-
based positioning explored in [6]–[8], [13]. and can addition-
ally offer nanosecond-accurate timing, whereas even under the
optimistic scenario envisioned in [13], extracting timing from
Doppler-based processing of LEO signals yields errors on the
order of 0.1 to 1 ms.
II. S IGNAL C APTURE
To facilitate replication of our work, and as a prelude to
our presentation of the signal model, we begin with a detailed
description of our signal capture system.
One might reasonably wonder whether a standard consumer
Starlink user terminal (UT) could be modified to capture wide-
band (hundreds of MHz) raw signal samples for Starlink signal
identification. Not easily: operating the UT as development
hardware, which would permit capture of raw signal samples,
requires defeating security controls designed specifically to
prevent this. Moreover, the clock driving the UT’s downmixing
and sampling operations is of unknown quality and would
therefore taint any timing analysis of received signals.
We opted instead to develop our own system for Starlink
signal capture. Composed of off-the-shelf hardware and cus-
tom software, the system enables signal capture from one
Starlink satellite at a time with downmixing and sampling
referenced to a highly-stable GPS-disciplined oscillator.
Whereas the consumer Starlink UT operates as a phased ar-
ray of many separate antenna elements, our antenna is a steer-
able 90-cm offset parabolic dish. Starlink orbital ephemerides
provided publicly by SpaceX guide our selection and tracking
of overhead satellites. Only one or two Starlink satellites
illuminate a coverage cell at any one time with a data-bearing
beam [5]. To guarantee downlink activity, we solicit data by
downloading a high-definition video stream through a standard
Starlink UT co-located with our signal capture system.
Fig. 1 outlines our signal capture hardware and signal
pathways. A parabolic dish focuses signals onto a feedhorn
connected to a low-noise block (LNB) with a conversion gain
October 2022 preprint of paper submitted for review
 Fig. 1: Block diagram of the Starlink signal capture process.
of 60 dB and a noise figure of 0.8 dB. The LNB is dual-band,
downconverting 10.7–11.7 GHz (the lower band) to 950–1950
MHz, and 11.7–12.75 GHz (the upper band) to 1100–2150
MHz. The antenna’s nominal gain is 40 dBi at 12.5 GHz, but
there are losses of at least 4-5 dB due to lack of a circular-to-
linear polarizer and to feedhorn misalignment.
The signal capture system allows selection between narrow-
band (∼ 60 MHz) and wideband (∼ 1 GHz) signal capture
modes. For the narrowband mode, the output of the LNB is
fed to a transfer switch that diverts the signal through a tunable
bandpass filter for image rejection. Downstream hardware then
performs downmixing, additional bandpass filtering, and 16-bit
complex sampling at 62.5 Msps. The downmixing operation
in the LNB and the downmixing and sampling operations
in the downstream hardware are phase-locked to a common
GPS-disciplined oven-controlled crystal oscillator (OCXO)
to minimize the effects of receiver clock variations on the
received signals. A 3-TB data storage array permits archival
of several hours of continuous data.
Anti-alias filtering prior to sampling reduces the usable
bandwidth of the narrowband mode to approximately 60
MHz. This is much narrower than a single Starlink channel,
which prevents a synoptic signal analysis. A second capture
mode—the wideband mode—addresses this deficiency. Based
on direct digital downconversion of 12-bit samples at 4096
Msps (real), the wideband mode is capable of alias-free
capture of the LNB’s entire lower band and most of its upper
band. The wideband mode’s limitations are storage, timing,
and noise figure: our current hardware permits only 1-second
segments of contiguous data to be captured before exhausting
the onboard memory, the sampling is not driven by the same
clock used for LNB downmixing, and the noise figure results
in captured signals with a signal-to-noise ratio (SNR) that is
significantly worse than for the narrowband mode.
For the analysis described subsequently, signal identifica-
tion was based on narrowband-mode-captured data except for
estimation of the primary synchronization sequence.
III. S IGNAL M ODEL
Given its widespread use in wireless communications, one
would expect OFDM [14]–[18] to be the basis of the Ku-band
2
Starlink downlink. Indeed, inspection of the Starlink power
spectrum generated from captured data reveals spectrally-flat
frequency blocks with sharp edges, hallmarks consistent with
an OFDM hypothesis. Proceeding under the assumption of
an OFDM model, the problem of general signal identification
narrows to one of identifying the values of parameters fun-
damental to OFDM signaling. This section introduces such
parameters as it presents a generic OFDM signal model and
a received signal model.
A. Generic OFDM Signal Model
The serial data sequence carrying an OFDM signal’s infor-
mation is composed of complex-valued symbols drawn from
the set {Xmik ∈ C : m, i, k ∈ N, m ∈ k < N, i < Nsf } at
a rate Fs , known as the channel bandwidth. The subscript k
is the symbol’s index within a length-N subsequence known
as an OFDM symbol, i is the OFDM symbol’s index within
a length-Nsf sequence of OFDM symbols known as a frame,
and m is the frame index. Each symbol Xmik encodes one
or more bits of information depending on the modulation
scheme (e.g., 1 for BPSK, 2 for 4QAM, 4 for 16QAM,
etc.), with higher-order modulation demanding higher SNR
to maintain reception at a given acceptably-low bit-error rate
(BER) [18]. OFDM is a highly spectrally efficient case of
multicarrier signaling in which each Xmik modulates one of N
mutually orthogonal subcarriers with overlapping spectra. Let
T = N/Fs be the interval over which N information symbols
arrive, and F = Fs /N = 1/T be the subcarrier spacing,
chosen as indicated to ensure subcarrier orthogonality over the
interval T . Then the baseband time domain signal produced
by the ith OFDM symbol of the mth frame is expressed as
N
X −1
x′mi (t) = Xmik exp (j2πF tk) , 0≤t<T (1)
k=0
One recognizes this expression as a scaled inverse discrete
Fourier transform, commonly implemented as an IFFT. Thus,
one can think of each Xmik as a complex-valued frequency-
domain coefficient. To prevent inter-symbol interference (ISI)
arising from channel multipath, OFDM prepends a cyclically-
extended guard interval of length Tg = Ng /Fs , called the
cyclic prefix, to each OFDM symbol. Due to the time-cyclic
nature of the IFFT, the prepending operation can be modeled
by a simple modification of (1):
N
X −1
xmi (t) = Xmik exp (j2πF (t − Tg )k) , 0 ≤ t < Tsym
k=0
With the addition of the cyclic prefix, the OFDM symbol
interval becomes Tsym = T + Tg , with T being the useful
(non-cyclic) symbol interval. The function xmi (t) is called
a time-domain OFDM symbol, or simply an OFDM symbol
when there is little risk of confusion with its frequency-domain
representation.
In all wireless OFDM protocols, subsequences of OFDM
symbols are packaged into groups variously called slots,
frames, or blocks. We will use the term frame to describe the
smallest grouping of OFDM symbols that is self-contained
in the sense that it includes one or more symbols with
predictable elements to enable receiver time and frequency
synchronization. Let Nsf be the number of OFDM symbols in
a frame, Tf ≥ Nsf Tsym be the frame period, and
 
1, 0 ≤ t < Tsym 1, 0 ≤ t < Tf
gs (t) = , gf (t) =
0, otherwise 0, otherwise
be the OFDM symbol support and frame support functions,
respectively. Then the time-domain signal over a single frame
can be written
sf −1
NX
xm (t) = xmi (t − iTsym )gs (t − iTsym ) (2)
i=0
Over an infinite sequence of frames, this becomes
X
x(t) = xm (t − mTf )gf (t − mTf ) (3)
m∈N
B. Received Signal Model
As x(t) passes through the LEO-to-Earth channel and later
through the receiver signal conditioning and discretization
operations, it is subject to multipath-induced fading, noise,
Doppler, delay, filtering, and digitization.
In our signal capture setup, the receiving antenna is highly
directional, positioned atop a building with a clear view
of the sky, and only used to track satellites with elevation
angles above 50 degrees. Accordingly, the received signal’s
delay spread is negligible—similar to the wooded case of
[19]. In this regime, the coherence bandwidth appears to be
limited primarily by atmospheric dispersion in the Ku-band,
which, as reported in [20], amounts to sub-millimeter delay
sensitivity to dry air pressure, water vapor, and surface air
temperature for a 200 MHz-wide signal. In view of these
favorable characteristics, we adopt a simple additive Gaussian
white noise model for the LEO-to-Earth channel.
Doppler effects arising from relative motion between the
satellite and ground receiver are considerable in the Ku band
for the LEO-to-Earth channel. In fact, they are so significant
that, for a channel of appreciable bandwidth, Doppler cannot
be modeled merely as imposing a frequency shift in the
received signal, as in [10], [11], or simply neglected, as in [12].
3
Instead, a more comprehensive Doppler model is required,
consisting of both a frequency shift and compression/dilation
of the baseband signal.
Let vlos be the magnitude of the line-of-sight velocity
between the satellite and receiver, modeled as constant over
an interval Tf , and let β ≜ vlos /c, where c is the free-space
speed of light. Note that lack of frequency synchronization
between the transmitter and receiver clocks gives rise to an
effect identical to motion-induced Doppler. In what follows,
we treat β as parameterizing the additive effects of motion-
and clock-error-induced Doppler, and we refer to β as the
carrier frequency offset (CFO) parameter.
For an OFDM channel bandwidth Fs , the compres-
sion/dilation effects of Doppler are negligible only if
βFs Tsync ≪ 1, where Tsync is an interval over which OFDM
symbol time synchronization is expected to be maintained to
within a small fraction of 1/Fs . Violation of this condition
causes ISI in OFDM receiver processing as the receiver’s
discrete Fourier transform operation, implemented as an FFT,
becomes misaligned with time-domain OFDM symbol bound-
aries. In the context of standard OFDM signal reception, Tsync
may be as short as Tsym , whereas for the signal identification
process described in the sequel, Tsync > Nsf Tsym .
Consider a transmitter in LEO at 300 km altitude, a station-
ary terrestrial receiver, elevation angles above 50 degrees, and
relative (transmitter-vs-receiver) clock quality consistent with
a temperature-compensated crystal oscillator. The resulting β
is limited to |β| < 2.5 × 10−5 . Suppose Tsync = 1 ms.
Then, to ensure βFs Tsync < 0.1, Fs would be limited to 4
MHz, well below the Starlink channel bandwidth. Therefore
our Doppler model must include both a frequency shift and
compression/dilation of the baseband signal.
With these preliminaries, we may introduce the baseband
analog received signal model as
ya (t) = x((t − τ0 )(1 − β)) (4)
 

× exp −j2π (β + 1)Fc − F̄c (t − τ0 ) + w(t)
where Fc is the center frequency of the OFDM channel, F̄c ≈
Fc is the center frequency to which the receiver is tuned, τ0 is
the delay experienced by the signal along the least-time path
from transmitter to receiver, and w(t) is complex-valued zero-
mean white Gaussian noise whose in-phase and quadrature
components each have (two-sided) spectral density N0 /2. Let
the symbols {Xmik } be scaled such that x(t) has unit power
over nonzero OFDM symbols. Then, during such symbols and
within the channel bandwidth Fs , SNR = 1/N0 Fs .
In a late stage of the signal capture pipeline shown in Fig. 1,
the analog signal ya (t) is discretized. Let Fr be the receiver’s
sampling rate and h(t) be the impulse response of a lowpass
prefilter with (two-sided) 3-dB bandwidth Fh < Fr and rolloff
such that power is negligible for frequencies |f | > Fr /2,
permitting alias-free complex sampling. Then the baseband
digitized received signal model is
Z ∞
y(n) = h(n/Fr − τ )ya (τ ) dτ, n∈Z (5)
−∞
 TABLE I: Parameters of Interest
Independent Parameters
Fs Channel bandwidth; information symbol rate
N Number of subcarriers in bandwidth Fs
Ng Number of intervals 1/Fs in an OFDM symbol guard interval
Tf Frame period
Tfg Frame guard interval
Nsf Number of non-zero symbols in a frame
Nsfd Number of data (non-synchronization) symbols in a frame
Fci Center frequency of ith channel
Derived Parameters
T = N/Fs Useful (non-cyclic) OFDM symbol interval
Tg = Ng /Fs Symbol guard interval
Tsym = T +Tg OFDM symbol duration including guard interval
F = Fs /N Subcarrier spacing
Fδ = Fci −Fc(i−1) Channel spacing
Fg = Fδ −Fs Width of guard band between channels
IV. S IGNAL I DENTIFICATION
This section first summarizes and augments the terminology
and notation previously introduced so that our signal identifi-
cation problem may be clearly stated. It then states the problem
and presents our solution procedure.
A. Terminology and Parameters of Interest
We assume the frequency spectrum allocated for a multi-
band OFDM signal is divided into OFDM channels within
which power spectral density is approximately uniform. Adja-
cent channels are separated by guard bands. Each channel is
composed of N orthogonal subcarriers whose spectra overlap.
A frequency-domain OFDM symbol is a vector of N complex-
valued coefficients whose kth element modulates the kth
subcarrier.
The IFFT of a frequency-domain OFDM symbol, when
prepended by a guard interval (cyclic prefix), becomes a time-
domain OFDM symbol. Subsequences of such symbols are
packaged into frames in which one or more OFDM symbols
carry predictable elements, called synchronization sequences,
that enable receiver time and frequency synchronization. As
transmitted, an OFDM signal’s carrier phase remains stable
within each frame. Frames are separated from each other by
at least the frame guard interval. There may be further logical
subframe structure (e.g., slots, header segments), but these are
not addressed in this paper’s signal identification process.
Note that three distinct structures share the term “guard”:
the empty spectrum between channels (guard band), the
time between frames (frame guard interval), and the (cyclic)
prefix in a time-domain OFDM symbol (OFDM symbol guard
interval).
The OFDM parameters of interest for this paper’s signal
identification problem are summarized in Table I.
B. Problem Statement
This paper’s blind signal identification problem can be
stated as follows: Given one or more frame-length segments of
received data modeled by (5), estimate the value of the inde-
pendent parameters listed in Table I with sufficient accuracy
to enable determination of the symbols {Xmik } that apply
4
within the captured time interval over the bandwidth Fh . Also
identify any synchronization sequences present within a frame.
Note that this signal identification problem is more de-
manding than those treated in the existing blind OFDM signal
identification literature, in five ways. First, no prior identifica-
tion procedures were truly blind: they operated on simulated
signals generated by the researchers themselves. As will be
shown, simulated signals, which assume independent and
identically-distributed (iid) information symbols {Xmik }, bear
characteristics markedly different from operational OFDM
signals. Second, prior studies either neglected Doppler effects
or modeled only a bulk frequency shift arising from Doppler.
Third, the goal of prior work has been limited to distinguishing
known OFDM waveforms from each other [10], [12], or from
single-carrier systems [11]. As such, they do not estimate
the comprehensive set of independent parameters required to
recover the symbols {Xmik }. For example, [10] estimates
the useful symbol interval T and the symbol guard interval
Tg , but not Fs , N , and Ng independently. Fourth, existing
approaches assume the receiver bandwidth Fh is wider than
Fs , which is not the case for our narrowband capture mode.
Fifth, prior studies have not been concerned with identifying
and characterizing any synchronization sequences in OFDM
frames. Yet such sequences are key to standard OFDM signal
processing and are especially important for efforts to dual-
purpose OFDM signals for PNT.
C. Exploiting Signal Cyclostationarity
A fundamental concept exploited in feature-based signal
identification is signal cyclostationarity [10], [21]. While all
communications signals exhibit cyclostationarity, it is espe-
cially pronounced in OFDM signals due to the cyclic prefix
present in each OFDM symbol.
To simplify explanations in this subsection, assume that β =
0, that the receiver sampling rate Fr is identical to the OFDM
channel bandwidth Fs , and that the receiver filter bandwidth
Fh ≈ Fs . Then, letting E [·] denote the expectation operation,
define the autocorrelation function of the received discrete-
time signal y(n) as
Ry (n, τ ) = E [y(n + τ )y ∗ (n)] (6)
where y ∗ (n) is the complex conjugate of y(n). If the coeffi-
cients {Xmik } are iid and selected randomly from among the
possible constellation values, then Ry (n, τ ) is nonzero only
at τ ∈ {0, N, −N } [10]. As illustrated in Fig. 2, nonzero
autocorrelation at τ ∈ {N, −N } arises because y(n) is shifted
against itself in such a way that cyclic prefixes are aligned
perfectly with the portions of the symbols of which they
are a copy. Fig. 2 also makes clear that Ry (n, N ) is cyclic
in n with period N + Ng . Moreover, within a sequence
of nonzero OFDM symbols, E [y(n)] = E [y(n + N + Ng )].
These attributes imply that y(n) is wide-sense cyclostationary
[18]. The autocorrelation function Ry (n, τ ) is the key to
determining N and Ng without the need for prior time and
frequency determination. Since Ry (n, τ ) is periodic in n with
 cyclic prefix D. Estimation Procedure
OFDM symbol copied tail
segment What follows is a step-by-step solution to the the blind
N
signal identification problem introduced previously.
1) Estimation of N : We first construct S, the set of possible
Ng values of N . Here we exploit the constraints that designers of
|Ry (n, N )| n OFDM signals must respect when choosing N . Naturally, they
N + Ng wish to maximize the signal’s total data throughput, which for
an OFDM signal with all subcarriers fully modulated is
Fig. 2: Graphical explanation for why Ry (n, N ) is cyclic in
bs Fs N
n with period N + Ng . dOFDM = bits/s (12)
N + Ng
Here, bs is the number of bits per symbol (e.g., 2 for 4QAM
period N + Ng for certain values of τ , it can be expanded in modulation). Observe that, for given Fs and bs , increasing
a Fourier series as dOFDM implies increasing N/Ng . But Ng is lower-bounded
X by the physical characteristics of the channel: it must be
Ry (n, τ ) = Ryα (τ ) exp (j2πnα) (7)
large enough that Tg = Ng /Fs exceeds the channel’s delay
α∈A(ξ)
spread. Thus, designers are motivated to increase N insofar
where A(ξ) = {p/ξ : p ∈ Z}. The particular set A(N + Ng ) as possible to maximize throughput. But they must respect a
contains the so-called cyclic frequencies. The Fourier coeffi- practical upper bound on N related to the subcarrier spacing
cient Ryα (τ ), also called the cyclic autocorrelation function, F = Fs /N : a narrower F puts greater demands on CFO
equals estimation. Let β̃ be the error in a receiver’s estimate of the
M −1
CFO parameter β. To avoid inter-carrier interference (ICI),
1 X which degrades BER, β̃ must satisfy
Ryα (τ ) = lim Ry (n, τ ) exp (−j2πnα) (8)
M →∞ M
n=0 β̃Fc < ϵF (13)
Given the nature of Ry (n, τ ), the function Ryα (τ ) is only where Fc is the OFDM channel’s center frequency and ϵ is lim-
nonzero when τ = N and when α is one of the cyclic ited to a few percent [17]. Assume that known synchronization
frequencies from the set A(N + Ng ). This fact underlies the symbols present within a frame allow modulation wipeoff on
following estimators for N and Ng . Let S be the set of possible Nsync contiguous samples, exposing the underlying coherent
values of N . Then an estimator for N is obtained as carrier signal from which β can be estimated. Then a lower
N̂ = argmax Ry0 (τ ) (9) bound on the variance of β̃Fc is given by the Cramér-Rao
τ ∈S bound for the frequency estimation problem with unknown
Similarly, let Sg be the set of all possible values of N + Ng . phase and amplitude [22]:
Then, assuming N̂ is an accurate estimate of N , an estimator 6Fs2
var(β̃Fc ) ≥ (14)
for Ng is obtained as SNR · Nsync (Nsync
2 − 1)(2π)2

X
N̂g = −N̂ + argmax Ryα (N̂ ) (10) Based on this expression, the constraint on ϵ can be approxi-
ξ∈Sg
α∈A(ξ) mated as
s
Note that because they involve an autocorrelation limited N 6
ϵ≈ < 0.02 (15)
approximately to offsets |τ | ≤ N , which amounts to a short 2π SNR · Nsync 3

time interval of T = N/Fs , both estimators are robust to

Designers will wish to minimize Nsync , since deterministic
nonzero Doppler, provided that βFc T ≪ 1.
samples devoted to synchronization do not carry information.
The mathematical structure of these two estimators is sim-
Suppose Nsync = 210 and SNR = 10 dB. Then N must satisfy
ilar to the cyclic-correlation-based method presented in [10]
N < 5316 to ensure ϵ < 0.02.
except that they are intended to operate successively rather
Another practical constraint on N is that it must be a power
than jointly, which makes them more computationally efficient
of two for efficient IFFT and FFT operations at the transmitter
without loss of accuracy.
and receiver. No OFDM waveform of which we are aware
Observe that both estimators are based on the cyclic auto-
deviates from this norm.
correlation function given in (8). In practice, this function is
Combining the power-of-two constraint with reasonable
approximated as
values of N satisfying (15), one can construct S as
M −1
1 X S = {2q : q ∈ N, 9 ≤ q ≤ 12} (16)
Ryα (τ ) ≈ y(n + τ )y ∗ (n) exp (−j2πnα) (11)
M n=0
The development leading to (9) assumed that Fh ≈ Fr =
where M is a number much larger than the cyclic period N + Fs . But of course, in the context of blind identification of
Ng , such as the number of samples in one frame, or even operational OFDM signals, the relationship of the receiver’s
multiple frames if frame-to-frame correlation is of interest. sampling rate Fr to Fs is unknown a priori. As will be

5
revealed, the key to accurate estimation of both N and Fs 0
Ry0 (τ ) empirical
is the power-of-two constraint on N . simulated
-10
Let F̄s be a guess of Fs obtained by inspection of the power

dB
spectrum of y(n). Bear in mind that even at high SNR it is
-20
not possible to exactly determine Fs from the power spectrum
because subcarriers near the boundaries of an OFDM channel -30
may be left unmodulated to provide a frequency guard interval
[17]. Let Nr = ⌊N Fr /Fs ⌉ be the approximate number of −2N
-2 r −N
-1 r 0τ N1r 2N
2 r
receiver samples in the useful symbol interval T = N/Fs , 1 n
Ryα̃ (N )
where ⌊·⌉ denotes rounding to the nearest integer. Also let

η = Fr /F̄s be the estimated sampling rate ratio, and suppose
that |F̄s − Fs |/Fs < p for some 0 < p ≪ 1. Then for each
b ∈ S, a set of corresponding values of Nr can be constructed
that accounts for the uncertainty in F̄s :
Srb = {τ ∈ N : bη(1 − p) ≤ τ ≤ bη(1 + p)} (17)
The full set of possible values of Nr is the union of these:
[ Fig. 3: Top: Cyclic autocorrelation function at α = 0 for
Sr = Srb (18)
b∈S
In other words, for every b ∈ S, Sr contains an interval of
corresponding possible values of Nr whose width depends
on the assumed accuracy of F̄s . For convenience, define
fr : Sr → S as the function that maps possible values in
Sr to the corresponding value in S; i.e., ∀τ ∈ Srb , fr (τ ) = b.
With these preliminaries we may recast the estimator in (9)
for the case in which Fs is only approximately known and
may be significantly different from Fr :
 
0
N̂ = fr argmax Ry (τ ) (19)
τ ∈Sr
Here, Ry0 (τ ) is calculated by (11). This estimator works well
for simulated OFDM signals, but must be augmented with
a validation step when applied to operational signals due to
the phenomenon manifest in Fig. 3. The blue trace in the
top panel shows that captured Starlink data exhibit a clear
peak in Ry0 (τ ) at τ = Nr . But the peak’s magnitude is
less than that at other plausible values τ ∈ Sr due to a
prominent central lobe in the empirical cyclic autocorrelation
function. This lobe is due to a slower autocorrelation rolloff
with increasing |τ | as compared to a simulated OFDM signal
with equivalent Nr , β, SNR, Fh , and Fr (gray trace). The
slow rolloff indicates significant redundancy in the received
signal y(n) at short offsets. Such redundancy doubtless stems
from some combination of (1) strong error correction coding,
(2) inherent redundancy in the data stream owing to light or
negligible data compression in an effort to achieve low latency,
and (3) adjacent-OFDM-symbol correlation caused by pilot
symbols. The regular scalloped profile of the rolloff suggests
that (1) and (3) may be the most important factors.
In any case, to prevent the maximization in (19) from
choosing a value of τ at which Ry0 (τ ) is large only because
linear units
0.5
0
-4 -3 -2 -1 0 1 2 3 4
α̃
an empirical Starlink signal with SNR = 5.5 dB captured
through the narrowband pipeline (blue), and for a simulated
OFDM signal with iid Gaussian 4QAM symbols (gray). The
simulated signal has been Doppler-adjusted, passed through
a simulated AWGN channel, lowpass filtered, and resampled
at 62.5 MHz to match the empirical signal’s Doppler, SNR,
bandwidth, and sampling rate. Bottom: Cyclic autocorrelation
as a function of the normalized frequency α̃ = α(N + Ng ) for
α ∈ {p/(N + Ng ) : p ∈ R}, derived from the same empirical
data as the blue trace in the top panel but resampled at Fs .
The peak at the fundamental cyclic frequency corresponding
to the period Ng + N appears at α̃ = 1; other peaks appear at
harmonics of this fundamental.
for some threshold ν. The point of this test is to ensure that
the peak value is sufficiently distinguished from others in
its neighborhood, a condition that does not hold within the
wide central lobe of Ry0 (τ ) . If this validation step fails, then
S is redefined as S ← S \ N̂ and (19) is applied again,
etc. Empirically, we find that for Starlink Ku-band downlink
signals a threshold value ν = 10 dB is adequate to ensure that
spurious maxima are excluded. Note that one must choose
p sufficiently large to ensure exploration of off-peak values
in the validation test. This is especially important when Fh
is significantly smaller than Fr , in which case the peak at
Ry0 (Nr ) may be several samples wide.
2) Estimation of Fs : Having obtained N̂ , it is straightfor-
ward to obtain a more accurate estimate of Fs . For b = N̂ ,
define
N̂r = argmax Ry0 (τ ) (21)
τ ∈Srb

of the prominent central autocorrelation lobe, N̂ is accepted

as valid only if Note that N̂r /N̂ ≈ Fr /Fs and that, owing to the way blocks
of bandwidth are allocated by regulatory agencies, Fs is
maxτ ∈Srb Ry0 (τ )
> ν, b = N̂ (20) extremely likely to be an integer multiple of 1 MHz. Therefore,
minτ ∈Srb Ry0 (τ ) for Fr and Fs expressed in MHz, an estimator for Fs is given

6
by
$ '
N̂ Fr
F̂s = (22)
N̂r
The key to this estimator’s accuracy is the power-of-two
constraint on N̂ .
3) Resampling: Estimation of the remaining OFDM param-
eters of interest is facilitated by resampling y(n) at F̂s . Recall
from (5) that y(n) is natively sampled at Fr after lowpass
filtering with bandwidth Fh . For the narrowband capture mode,
resampling at F̂s implies a sampling rate increase, which can
be modeled as [18]
X
yr (m) = y(n)sinc(mFr /F̂s − n) (23)
n∈Z
where sinc(x) = sin(πx)/(πx). Note that the useful frequency
content of the signal, |f | < Fh , remains unchanged. For the
wideband capture mode, resampling at F̂s implies conversion
to a lower sampling rate after lowpass filtering with a new
lower Fh . For notational simplicity, in what follows we will
drop the subscript from yr . Thus, y(n) will hereafter denote
the received signal with bandwidth Fh (possibly less than the
original) and sampling rate F̂s .
4) Estimation of Ng : Estimation of Ng begins by construct-
ing the set Sg of possible values of N + Ng . As with S, this
is informed by design constraints. From (12) it is clear that
signal designers will wish to minimize Ng , but this is subject
to the constraint that Tg = Ng /Fs exceeds the channel’s delay
spread under all but the most extreme operating conditions.
Worst-case 95% root-mean-square delay spread for the Ku-
band was found in [19] to be Td = 108 ns. Conservatively
considering a range of values from half to twice this amount,
and assuming that, for ease of implementation, Ng is even,
one can construct Sg as
n o
Sg = 2q + b : b ∈ S, q ∈ N, Td F̂s /4 ≤ q ≤ Td F̂s (24)
With y(n) sampled at F̂s , estimation of Ng then proceeds as
in (10) except that Ryα (N̂ ) is calculated via (11) and A(ξ) is
reduced to the finite set A(ξ) = {p/ξ : p ∈ Z, |p| ≤ Np }. for
some finite Np .
The accuracy of this estimator as a function of Np is ana-
lyzed in [10], where it is shown that no improvement attains
to values of Np above N/Ng . In practice, when applied to
Starlink signals captured via the narrowband mode, estimator
performance was reliable for Np as low as 1 provided that
the number of samples M in (11) covered at least one frame
(M ≥ Tf Fs ) and that SNR > 3.5 dB.
The lower panel in Fig. 3 shows a version of |Ryα (N )|
from empirical Starlink data at SNR = 5.5 dB that has been
normalized so that the cyclic frequencies are integers. The
span of cyclic frequencies shown corresponds to Np = 4.
5) Estimation of Tf : Each frame contains one or more
OFDM symbols with predictable elements, called synchro-
nization sequences, that enable receiver time and frequency
synchronization. A peak emerges in the cyclic autocorrelation
Ry0 (τ ) when one synchronization sequence is aligned with its
counterpart from a nearby frame. Thus, estimation of the frame
7
period Tf is also based on Ry0 (τ ) as calculated in (11), but now
with the number of samples M large enough to cover multiple
adjacent frames.
Let Nf = Tf Fs be the frame period expressed in number
of samples, and let Sf be the set of possible values of Nf .
By inspection of the empirical signal spectrogram during a
period of sparse traffic, one can easily obtain an upper bound
Tm on the smallest active signal interval. Observe that this
may be a loose upper bound on Tf because the smallest active
interval observed may actually be multiple frames. One can
then construct a conservative Sf as follows:
n o
Sf = q ∈ N : N̂ + N̂g < q ≤ F̂s Tm (25)
Considerations of expected signal numerology are once
again useful in the case of estimating Tf . While Tf need not
be an integer number of milliseconds, Nf is likely to be an
integer for ease of signal generation, and, more importantly,
the frame rate Ff = 1/Tf is almost certainly integer number
of Hz for ease of frame scheduling across the constellation.
Therefore, for F̂s expressed in Hz, an effective estimator for
Tf is given by
$  −1 '−1
0
T̂f = F̂s argmax Ry (τ ) (26)
τ ∈Sf
Note that, as for the estimators of N and Ng , this estimator
for Tf is robust to nonzero Doppler provided that βFc Tss ≪
1, where Tss is the longest time interval of any contiguous
synchronization sequence.
6) Symbol and Carrier Frequency Synchronization: Esti-
mating the remaining parameters in Table I and any synchro-
nization sequences requires both OFDM symbol synchroniza-
tion and carrier frequency synchronization. Such synchroniza-
tion must be carried out blindly, since the very sequences
designed to enable it are unknown.
Let nmik be the index of the kth sample in the ith OFDM
symbol of the mth frame, assuming zero-based indexing of k,
i, and m. For some m, i ∈ N with i < Nsf , we wish to find
nmi0 and the value of the CFO parameter β that applies at
nmi0 , denoted βmi .
When frame traffic is low enough that gaps are present
between frames, it is possible to observe an abrupt increase
in sample energy |y(n)|2 at the beginning of a frame, which
allows approximation of nm00 , the index of the first sample
in the first OFDM symbol of the frame. By adding integer
multiples of N̂ + N̂g , one can then approximate nmi0 for all
i ∈ (0, Nsf ). Let n̄mi0 be an approximate value for nmi0 . Then
Smi , the set of possible values of nmi0 , may be constructed
as
Smi = {n ∈ Z : |n − n̄mi0 | ≤ d} (27)
with d large enough to account for uncertainty in n̄mi0 .
Let Bmi be the set of possible values of βmi . One might
think that the range of a priori uncertainty in βmi is small
because, for known receiver location and time, and known
transmitting satellite ephemeris, the line of sight velocity vlos
can be readily calculated, from which β can be calculated as
β = vlos /c. But recall from Section III-B that β also accounts
 cluster’s centroid divided by twice the cluster’s variance. Note
that s is insensitive to rotations of the constellation due to the
unknown reference phase of the symbols {Xmik }.

Algorithm 1: SC(n, β)
Input : n ∈ Smi , β ∈ Bmi
Output: s ∈ R+
1 y = [y(n), y(n + 1), . . . , y(n + N̂ + N̂g − 1)]

Fig. 4: Empirical Starlink symbol constellations for 4QAM 2 ty = [0 : N̂ + N̂g − 1]/F̂s

(left) and 16QAM (right) OFDM modulation. 3 [y, ty ] = resample(y, ty , (1 − β)F̂s )
4 for i = 0 : N̂ + N̂g − 1 do


5 y(i) = y(i) exp j2πβ F̄c ty (i)
for any frequency offset between the transmitter and receiver 6 end
oscillators. In the present context, such an offset may arise not 7 y = y(N̂g : N̂g + N̂ − 1)
only because of disagreement between the oscillators, but also 8 Y = fft(y)
due to uncertain knowledge of Fc , the center frequency of the 9 [c, σ] = kmeans(Y , 2bs )
OFDM channel captured to produce y(n). As a consequence, 10 for i = 0 : 2bs − 1 do
the range of βmi values included in Bmi may be several times 11 s(i) = |c(i)|2 /2σ 2 (i)
larger than what would be predicted based on vlos /c alone. Let 12 end
β̄mi be a prior estimate of βmi based on ephemeris calculations 13 s = mean(s)
and any other relevant prior information, βm be the maximum
offset from β̄mi considered, and ∆β = ϵF̂s /N̂ F̄c be the search
stride, chosen to satisfy (13), where F̄c is both an a priori With SC, construction of the estimator for nmi0 and βmi0
estimate of Fc obtained by inspection of the power spectrum is straightforward:
of y(n), and the exact center of the band captured to produce n̂mi0 , β̂mi = argmax SC(n, β) (29)
y(n). Then Bmi may be constructed as n ∈ Smi
 β ∈ Bmi
Bmi = q∆β : q ∈ Z, q∆β − β̄mi ≤ βm (28)
This estimator was found to work well on both types of
By a simultaneous search through the values in Smi and standard OFDM symbol modulation found in the captured
Bmi , one may estimate nmi0 and βmi0 with sufficient accuracy Starlink signal frames, namely 4QAM (bs = 2) and 16QAM
to enable standard receiver processing of each corresponding (bs = 4), even when the signals’ SNR was too low to ensure
OFDM symbol in y(n), leading to recovery of the relevant error-free cluster identification, as in the right panel in Fig.
original information symbols {Xmik }. Fig. 4 shows the suc- 4. But the estimator failed unexpectedly when applied to the
cessful result for a portion of one frequency-domain OFDM first OFDM symbol interval in each frame. Closer examination
symbol with 4QAM modulation and another symbol with revealed that this interval does not contain an OFDM symbol
16QAM modulation. Tight constellation clusters like those in but rather a repeating pseudorandom time-domain sequence.
the left panel only emerge when SNR is sufficiently high (15 Nonetheless, estimates of nm00 and βm00 were accurately
dB in this case) and when the estimates of nmi0 and βmi are obtained as n̂m00 = n̂m10 − N̂ − N̂g and β̂m0 = β̂m1 .
accurate enough that ISI and ICI are negligible. Otherwise, 7) Estimation of the Synchronization Sequences: Estimat-
the clusters become elongated (due to mild ISI or ICI), or ing the synchronization sequences embedded in each Starlink
they experience a complete collapse toward the origin (severe frame is one of this paper’s key contributions. To this end,
lack of synchronization). Clearly then, symbol constellations one must first locate the sequences, i.e., determine which
can be used to develop a score function that increases with OFDM symbol intervals within a frame contain predictable
synchronization accuracy. features. Recall that, by definition, synchronization sequences
Let SC : Smi × Bmi → R+ be such a function, with trial are predictable from the perspective of the user terminal. For
synchronization values n ∈ Smi and β ∈ Bmi as arguments. public-access OFDM signals such as Wi-Fi, WiMAX, LTE,
Algorithm 1 shows the computations underlying SC. First, an etc., they are not only predictable but constant from frame to
OFDM-symbol-length block of samples is isolated starting at frame. Presuming the same for Starlink signals, locating such
the trial index n. The block is then resampled and frequency sequences within a frame is a matter of isolating individual
shifted to undo the effects of nonzero β, after which its cyclic OFDM symbol intervals and correlating these across multiple
prefix is discarded and the remaining samples are converted frames to determine whether the candidate intervals contain
to the frequency domain via an FFT. The resulting received features that repeat from frame to frame. Isolating OFDM
information symbols in Y cluster as shown by the examples symbol intervals is possible at this stage because n̂mi0 , N̂ ,
in Fig. 4. Assuming bs bits per symbol, 2bs clusters will and N̂g , and are available.
be present. These are identified automatically via k-means This procedure revealed that the first OFDM symbol in
clustering. For bs ≤ 2, the function’s output s is the empirical each Starlink frame, the one starting at sample index nm00 ,
SNR, calculated as the mean of the squared magnitude of each contains a synchronization sequence. The interval was found

8
to lack any discernible constellation structure when viewed in
the frequency domain. But its cross-correlation against first
symbol intervals in neighboring frames revealed a pattern of
peaks indicating that the interval is composed of 8 repetitions
of a subsequence of length N̂ /8, with the first instance
inverted. Estimation of the exact time-domain values of the
subsequence was only possible using data obtained via the
wideband capture mode, since the subsequence’s frequency
content spans the whole of Fs . Despite the low SNR of the
wideband capture mode, knowledge of β̂m0 , n̂mi0 , N̂ , and
N̂g allowed the 8 subsequence repetitions to be stacked and
summed coherently to reveal the unique subsequence values,
which will be presented in a following section. The 8 subse-
quence repetitions are prepended by a cyclic prefix of length
N̂g . Borrowing language from the LTE specification, we call
the full (N̂ + N̂g )-length sequence the primary synchronization
sequence (PSS). It was found that the PSS is not only identical
across all frames from the same Starlink satellite, but also
identical across all satellites in the constellation.
The second OFDM symbol interval, which starts at sam-
ple index nm10 , was also found to contain a (N̂ + N̂g )-
length synchronization sequence, which we call the secondary
synchronization sequence (SSS). Unlike the PSS, the SSS
was found to be a standard OFDM symbol, with 4QAM
modulation. Estimating the information symbols {Xm1k }N −1
k=0
was possible even with narrowband-mode-captured data be-
cause the received symbols that fell within the narrowband
mode’s bandwidth were clearly observable (to within a phase
offset), as shown in the left panel of Fig. 4. In other words,
with the high-SNR narrowband data, those elements of Y in
Algorithm 1 corresponding to frequencies within the 62.5-
MHz narrowband window could be confidently assigned to
one of four clusters. At this stage, it was not known whether
the SSS was anchored with an absolute initial phase so that
−1
the symbols {Xm1k }N k=0 would be constant across m, or
∗
differentially encoded so that only Xm1(k+1) Xm1k would be
constant, for k ∈ [0, N −2] . Moreover, the estimates n̂m10 for
various m were not precise enough at this stage to ensure that
corresponding constellation clusters could be associated with
each other from frame to frame. Therefore, only differential
∗
values were initially estimated, with Ym1(k+1) Ym1k being an
∗
estimate of Xm1(k+1) Xm1k , where Ym1k is the kth element
of Y in Algorithm 1 for OFDM symbol i = 1 of frame m.
By successively shifting the 62.5-MHz capture band across
an OFDM channel of width Fs in repeated captures, and
by ensuring sufficient frequency overlap, it was possible to
∗
confidently estimate each Xm1(k+1) Xm1k such that the full
N −1
sequence {Xm1k }k=0 could be determined to within two
unknown symbols, Xm12 and Xm1(N/2) . The first of these
is unobservable from the differential estimates due to the
presence of a mid-channel “gutter” in which Xmik = 0 for
k ∈ {0, 1, N − 2, N − 1}; the second is unobservable because
it lies at the bottom edge of the frequency band. By searching
through all possible combinations of these two unknown
symbols, re-generating for each trial combination a candidate
time-domain OFDM SSS (prepended by the appropriate cyclic
prefix), concatenating this candidate SSS with the known time-
9
domain PSS, and maximizing correlation against the first two
OFDM symbol intervals in received data frames, all while
resampling and frequency shifting the received data to account
for nonzero β as in Algorithm 1, it was possible to estimate
Xm12 and Xm1(N/2) and thereby completely determine the
SSS. As with the PSS, it was found that the SSS is identical
across all satellites in the Starlink constellation.
The last nonzero OFDM symbol in each frame, the one
starting at sample index nmi0 with i = 301, was also found to
contain a (N̂ + N̂g )-length synchronization sequence, which
we call the coda synchronization sequence (CSS). Like the
SSS, the CSS is a standard 4QAM OFDM symbol whose
−1
information symbols {Xmik }k=N i=301,k=0 can be determined by
inspection. The CSS symbol constellation is rotated by 90
degrees with respect to the SSS: whereas the SSS exhibits
the diamond configuration shown in the left panel of Fig. 4,
the CSS’s constellation clusters form a box aligned with the
horizontal and vertical axes.
The penultimate nonzero OFDM symbol in each frame, the
one starting at sample index nmi0 with i = 300, was found
to contain some information symbols that are constant from
frame to frame. But, unlike the SSS and the CSS, not all
the information symbols are constant. We call the predictable
elements of this symbol the coda-minus-one synchronization
sequence (CM1SS).
8) Estimation of Nsf , Nsfd , and Tfg : Equipped with n̂mi0 ,
N̂ , N̂g , T̂f , and knowledge that the first two OFDM symbol
intervals in each frame are synchronization sequences, it is
trivial to estimate Nsf , Nsfd , and Tfg . The estimated OFDM
symbol duration is T̂sym = (N̂ + N̂g )/F̂s , and thus the
estimated number of whole symbol intervals in one frame is
⌊T̂f /T̂sym ⌋. The final interval was found to be vacant. Thus,
the estimated number of non-zero symbols in a frame is
N̂sf = ⌊T̂f /T̂sym ⌋ − 1 (30)
Counting the PSS, SSS, CM1SS, and CSS as synchronization
symbols, the estimated number of non-synchronization sym-
bols in a frame is
N̂sfd = N̂sf − 4 (31)
Finally, the estimated frame guard interval—the vacant interval
between successive frames—is
T̂fg = T̂f − N̂sf T̂sym (32)
9) Estimation of Fci : Estimation of Fci , the center fre-
quency of the ith Starlink OFDM channel, is complicated by
the exponential in (4) being a function of both β and the offset
Fc − F̄c . This implies that an error in the a priori estimate F̄ci
results in a frequency offset just as with nonzero β. But the two
effects can be distinguished by recognizing that compression
or dilation of the modulation x(t) in (4) is solely a function
of β. Therefore, determination of Fci begins by estimating the
β that applies for the ith channel as expressed via x(t), which
may be done by measuring a sequence of frame arrival times.
Assume that the local receiver clock used for downmixing
and sampling the received signal is short-term stable and GPS-
disciplined, as with the 10-MHz OCXO in Fig. 1, so that it
may be considered a true time reference. Let {n̂m00 }m∈M be TABLE II: Starlink Downlink Signal Parameter Values
the estimated indices of samples that begin a frame for channel Parameter Value Units
i, as determined by (29) or by correlation against the known
Fs 240 MHz
PSS and/or SSS. Note that the set of frame indices in M may N 1024
not have a regular spacing. Let the nominal time t(m) and the Ng 32
received time tr (m) of frame m ∈ M be Tf 1/750 s
Tfg 34/33 = 1.03 µs
t(m) = mT̂f , tr (m) = n̂m00 /F̂s Nsf 302
Nsfd 298
For intervals up to one second, which is the cadence at which T 64/15 = 4.266 µs
Tg 2/15 = 0.133 µs
clock corrections are applied onboard the Starlink satellites, Tsym 4.4 µs
the relationship between t(m) and tr (m) can be accurately F 234375 Hz
modeled as a second-order polynomial Fci 10.7 + F/2 + 0.25(i − 1/2) GHz
Fδ 250 MHz
2 Fg 10 MHz
tr (m) = a0 + a1 (t(m) − t(m0 )) + a2 (t(m) − t(m0 ))
where m0 = min M. Let {âi }2i=0 be coefficient estimates
obtained via least squares batch estimation. Then β̄m0 0 = â1 is phase rotation. The m-sequence can be generated using a 7-
the modulation-estimated β value that applies at the beginning stage Fibonacci LFSR with primitive polynomial 1 + D3 + D7
of frame m0 . Let β̂m0 0 be the value of β that applies at the and initial state (a−1 , . . . , a−7 ) = (0, 0, 1, 1, 0, 1, 0), follow-
same instant, as estimated by (29). Also, recall that F̄ci is both ing the convention in [23]. Suppose that the LFSR’s output
the a priori estimate of Fci assumed in (29) and the exact a0 , a1 , . . . , a126 is stored as a 127-bit number with a0 as MSB
center of the band captured to produce the y(n). Then and a126 as LSB. Appending this number with a 0 yields the
$ ' 128-bit hexadecimal number that appears in (36):
F̄ci
F̂ci = (33) qpss = C1B5 D191 024D 3DC3 F8EC 52FA A16F 3958
1 + β̄m0 0 − β̂m0 0
To ensure correct interpretation of (35) and (36), we list the
is an estimator of Fci , where F̂ci and F̄ci are expressed in first 8 values of the PSS subsequence:
MHz. Rounding to the nearest MHz is justified for the same
reasons given in connection with (22). pk = exp (jπ [1/4 + qk /2]) , k ∈ {N/8, . . . , N/8 + 7}
(qN/8 , . . . , qN/8+7 ) = (0, 1, 2, 1, 0, 1, 0, 1)
V. R ESULTS The time-domain expression of the SSS can be written as
Application of the foregoing blind signal identification xm1 (t) from (3) with the complex coefficients given by
procedure yields the parameter values given in Table II for 
exp(jθk ), k ∈ {2, . . . , N − 3}
the Starlink Ku-band downlink. Figs. 5 and 6 offer graphical Xm1k = (37)
0, otherwise
representations of the channel and frame layouts. The PSS
θk = sk π/2 (38)
was found to be composed of eight repetitions of a length- j q k
sss
N/8 subsequence prepended by a cyclic prefix. As shown in sk = k−2 mod 4 (39)
Fig. 6, the cyclic prefix and the first instance of the repeated 4
subsequence have inverted polarity relative to the remainder where qsss is the hexadecimal number
of the PSS. The time-domain expression of the PSS can be qsss = BD 565D 5064 E9B3 A949 58F2 8624 DED5
written as 6094 6199 F5B4 0F0E 4FB5 EFCB 473B 4C24
N −1 B2D1 E0BD 01A6 A04D 5017 DE91 A8EC C0DA
X
xm0 (t) = sinc [tFs − k − Ng ] pk (34) 09EB FE57 F9F1 B44C 532F 161C 583A 4249
0A5C 09F2 A117 F9A2 8F9B 2FD5 47A7 4C44
k=−Ng
   BABB 4BE8 5DA6 A62B 1235 E2AD 084C 0018
k mod N 0142 A8F7 F357 DEC4 F313 16BC 58FA 4049
1 1 X8
pk = exp jπ 1P (k) − − bℓ  (35) 09A3 FCA7 F88E 4219 02B6 A258 0AE8 0308
4 2 03F6 5809 DB34 7F59 0DBC 46F0 10EB E3A2
ℓ=0
j q k  5C06 0D74 429F C46B DF9B 6371 9279 798D
pss 232C 5ABA 2741 22FF 66AD 7E44 9F44 CB40
bℓ = 2 mod 2 −1 (36)
2ℓ C49C 24A1 E262 9F5B FE82 CE53 1FDC 34F8
C64A 43A9 63F4 0D5B 71BD E6FB 2F13 492D
where 1P (k) is the indicator function, equal to unity when
6F2E 8544 B21D 4497 22C6 3518 0342 CD00
k ∈ P and zero otherwise, and P = {k ∈ Z : k < N/8}. 26A1 E7F7 E80E 91B1 75E8 52F9 1976 7E5A
The indicator function rotates the phase by π for k < N/8 F9B6 E909 AF36 2F52 18E2 B908 DC00 5803
to invert the cyclic prefix and the first repetition of the To ensure correct interpretation of (39), we provide the first 8
2N/8−1
PSS subsequence. The PSS subsequence (pk )k=N/8 is a values of sk corresponding to nonzero Xm1k :
symmetric differential phase shift keying (symmetric DPSK)
(s2 , . . . , s10 ) = (3, 0, 0, 0, 0, 2, 1, 1)
encoding of a length-127 maximal-length linear-feedback shift
register (LFSR) sequence (m-sequence). In this modulation, The CSS and the CM1SS will be presented in a later
each bit of the m-sequence indicates a positive or negative π/2 publication.

10
 comb of
channels 1&2 vacant Fs leakage tones
...
Fc1 Fc7 Fg Fc8
F /2
leakage tone
... ...
4F
F gutter
Fig. 5: Channel layout for the Ku-band Starlink downlink.
VI. D ISCUSSION
Our blind signal identification process reveals a Starlink Ku-
band downlink signal that is elegantly simple. Unlike LTE and
5G New Radio (5G NR), whose bandwidth and duplexing
scheme may vary from region to region, and whose cyclic
prefix length may vary with time, Starlink employs fewer
modes of operation. This section offers observations on salient
features of the Starlink signal.
A. Channel Layout
As shown in Fig. 5, a total of eight channels, each with
a bandwidth of Fs = 240 MHz, span the band allocated for
Starlink’s Ku-band downlink. Only one channel appears to
be active at a time within a service cell. We assume that
neighboring cells are each serviced with different channels
to avoid inter-cell interference, as described in [5], but we
were not able to verify this with our limited experimental
setup. The lower two channels, those centered at Fc1 and Fc2 ,
are currently vacant. This likely reflects a concession SpaceX
has made to avoid interfering with the 10.6-10.7 GHz radio
astronomy band.
Each channel’s central four subcarriers are vacant, leaving
a mid-channel gutter. Reserving such a gutter is a common
practice in OFDM; otherwise, leakage from a receiver’s mix-
ing frequency may corrupt central information symbols. In
Starlink’s case, a transmitter-side leakage tone is present in
some satellites’ gutters. Interestingly, the ith channel’s center
frequency, Fci , is F/2 higher than the channel’s midpoint,
which lies in the center of the mid-channel gutter. A gutter
leakage tone, if present, resides at the midpoint.
A guard band with a generous bandwidth Fg = 10 MHz
separates adjacent channels. Within some guard bands there
appears a comb of leakage tones with time-varying amplitudes.
We suspect that these are the tones tracked in [6], [7] and
[8] to perform Doppler-based positioning with Starlink. We
note that neither the gutter tones nor the between-channel
tones appear deliberate: their presence and amplitudes are not
consistent from satellite to satellite, and the between-channel
tones appear to vary in amplitude with beam adjustments.
B. Frame Layout
As shown in Fig. 6, each frame consists of 302 intervals of
length Tsym = 4.4 µs plus a frame guard interval Tfg , for a
total frame period of Tf = 1/750 s. Each frame begins with
the PSS, which is natively represented in the time domain,
followed by the SSS, which is formatted as a standard 4QAM
OFDM symbol. Each frame ends with the CM1SS followed by
f
the CSS and the frame guard interval. A subsequent frame may
be immediately present or not, depending on user demand.
The known information symbols of the SSS and CSS allow
N a receiver to perform channel estimation across all subcarriers
subc’s
f at the beginning and end of each frame, permitting within-
frame interpolation. The purpose of the CM1SS, which arrives
just before the CSS and is only partially populated with
information symbols that repeat from frame to frame, is
unclear, but its predictable elements are no doubt also useful
for channel estimation.
In each frame, the OFDM symbols with index
i ∈ {2, 3, 4, 5} appear to contain header (control plane)
information—likely including satellite, channel, and
modulation schedules. We infer this from an abrupt 90-
degree shift in constellation orientation between symbol
i = 5 and i = 6, which we interpret as denoting a transition
from header to payload symbols. Such a shift in orientation
may be seen between the left and right panels of Fig. 4.
The first seven or so payload symbols (from i = 6 to
approximately i = 12) are sometimes 16QAM modulated,
with the remainder of the symbols 4QAM modulated. We
presume that the 16QAM symbols are destined for users
whose received SNR is sufficient to support decoding them
(about 15 dB, depending on channel coding).
The previously-mentioned 4F -wide mid-channel gutter is
present in all OFDM symbols contained in a frame, but not
in the PSS.
C. Synchronization Sequences
The synchronization sequences are of special import for
efforts to dual-purpose Starlink signals for PNT. As with the
spreading codes of civil GNSS signals, the synchronization
sequences can be predicted by a passive (receive only) radio
and thus used to construct a local signal replica whose correla-
tion with the received signal yields standard pseudorange and
Doppler observables, the raw ingredients for a PNT solution.
Fig. 7 shows correlation against the PSS yielding sharp
peaks at the beginning of each frame. The distinctive shape
of the 11-tined comb shown in the figure’s inset results from
2N/8−1
the repetition and inversion of the subsequence (pk )k=N/8
of which the PSS is composed. Note that adjacent frames
may have different power levels despite being received from
the same satellite and beam, evidence that the system em-
ploys user-subset-specific power adaptation within a service
cell. Note too the absence of frames during some intervals,
which suggests that user data demand was well below system
capacity during the interval shown. It should be pointed out,
however, that frame occupancy never dropped below 1 in 30
(one frame every 40 ms) throughout the scores of data intervals
we studied. We intuit that a steady stream of frames, albeit
sparse, is required to support initial network entry. Thus, even
during periods of little or no user demand, frame arrival from
each satellite will be regular and dense enough to support
opportunistic PNT.
11
 f Frame: Tf = 302Tsym + Tfg
T Tsym
Tg 8 T Tfg = Tsym + Tg
PSS SSS Tg CSS PSS

...

...

...
...
F
...
4F

...

...

...
...
t
0 1 2 301 302 0
8 repetitions of the PSS subsequence gutter frame guard
with the first inverted interval
PSS cyclic prefix copied from
tail and inverted
Fig. 6: Frame layout for the Ku-band Starlink downlink along time-frequency dimensions.

3.5 and frame arrival time.

It seems clear why the PSS is composed of repeating
3 subsequences: in high SNR conditions, the search in Doppler
and frame start time entailed by (29) for initial network entry
2.5 can be made more efficient by correlating against a single PSS
subsequence and then taking the FFT of the resulting complex
C(τ )

2 accumulations with maximum modulus to refine the Doppler

5.33 µs
1.5
1 can be coherently accumulated for a slower but more sensitive
0.5
0 [23]. Encoding the m-sequence as a series of π/2 phase shifts
0 0.005 0.01
Time (s)
Fig. 7: Correlation of received Starlink data against a local
PSS replica.
Importantly, phase coherence is maintained throughout each
frame, and the phase relationship between the synchronization
sequences appears to be constant across frames and satellites.
This implies that time-domain representations of the syn-
chronization sequences (with their respective cyclic prefixes)
can be combined to extend the coherent integration interval
over each frame, increasing receiver sensitivity and observable
measurement accuracy. This technique enables production of
pseudorange and Doppler observables below -6 dB SNR, well
below the SNR required to support communication. Thus,
receivers exploiting Starlink for PNT need not be equipped
with high gain antennas and may even be able to extract
observables from satellites not servicing their cell.
Unlike GNSS spreading codes, however, the Starlink syn-
chronization sequences are are not unique to each satellite.
This presents a satellite assignment ambiguity problem that
must be solved combinatorially based on approximate user
location, known satellite ephemerides, and measured Doppler
estimate. The shorter initial coherent integration interval is
more forgiving of errors in β. If this fails due to insufficient
single-subsequence-correlation SNR, multiple subsequences
search.
That the PSS is based on an m-sequence is also logical,
given such sequences’ excellent autocorrelation properties
0.015 appears intended to reduce spectral leakage compared to a
conventional binary encoding. The rationale for differentially
encoding the PSS is less clear. Symmetric DPSK is known
to improve data demodulation robustness to the Doppler and
timing uncertainty common in satellite communications [24].
But this does not apply to coherent correlation against a known
PSS (or portion thereof) for frequency and time synchroniza-
tion. Most likely, the differential encoding is meant to offer an
additional means for trading off search sensitivity for increased
efficiency.
We were unable to identify the SSS as a canonical se-
quence. Its frequency-domain complex coefficients manifest
good autocorrelation properties, but not the constant-amplitude
zero autocorrelation of m-sequences or of the Zadoff-Chu
sequences used for the PSS in LTE. We suspect the SSS may
be a mixture of two scrambled m-sequences, as with the SSS
from LTE.
D. Gap to Capacity
It is interesting to examine the Starlink signal structure in
terms of its design margins. What balance did its designers
strike in trading off data throughput for communications
reliability or cost?

12
 1) Spectral Occupancy: The 10-MHz guard band between
channels reduces Starlink’s spectral occupancy to Fs /Fδ =
24
25 . Leaving such a wide unused bandwidth between channels,
which amounts to over 42 subcarrier intervals, suggests that
Starlink intends to activate more than one channel at a time in
a given service cell and wishes to keep the costs of UTs low
by reducing their sampling rate and RF filtering requirements.
2) OFDM Symbol Occupancy: The ratio of the useful
symbol interval to to the full OFDM symbol interval is
32
T /Tsym = N/(N + Ng ) = 33 , which reflects a fairly efficient
design. Compared to LTE, for which N/Ng ranges from 12.8
(more efficient) to 4 (more margin for delay spread), Starlink’s
ratio is 32. Clearly, Starlink designers are taking advantage of
the low delay spread in the space-to-Earth channel. Even still,
Tg = Ng /Fs = 130 ns exceeds the worst-case 95% root-
mean-square delay spread for the Ku-band, found in [19] to
be Td = 108 ns.
3) Frame Occupancy: One can view the frame occupancy
298
as Nsfd Tsym /Tf = 303.03 . If one additionally discounts OFDM
symbols with index i ∈ {2, 3, 4, 5}, which appear to contain
294
header information, then occupancy becomes 303.03 . The
number of OFDM symbol intervals devoted to synchronization
sequences—four every 1.33 ms—is unusually high compared
to terrestrial OFDM waveforms. For example, LTE transmits
two synchronization sequences once every 5 ms. By bookend-
ing each frame with two synchronization sequences, Starlink
designers ensure that UTs can perform channel equalization
and Doppler (CFO) estimation with unusually high accuracy.
This reduces frame occupancy, but bodes well for dual-use of
Starlink signals for PNT: the greater fraction of predictable
elements in each frame, the longer a PNT-oriented receiver
can coherently integrate and thus produce pseudorange and
Doppler observables at lower SNR.
4) Channel Occupancy: Due to the 4F -wide gutter, the
channel occupancy is at most (N − 4)/N = 1020 1024 , but is
likely somewhat lower: Besides revealing the location of syn-
chronization sequences, the symbol-by-symbol frame-to-frame
correlation analysis described in Section IV-D7 suggests the
presence of pilot subcarriers that are intermittently modulated
with predictable information symbols.
Another measure of channel occupancy is the subcarrier
spacing F . Recall that the number of subcarriers N in Fs
must be a power of two for efficient OFDM processing, and
that, ceteris paribus, dOFDM in (12) rises with increasing N .
Could Starlink designers have chosen N = 2048 rather than
N = 1024, thus narrowing F by a factor of two and increasing
dOFDM by 1.54%? Likely so: assuming Nsync = 210 (fewer
than the samples in the PSS) and SNR = 5 dB (the threshold
for 4QAM decoding assuming a benign channel and strong
coding), the constraint (15) could be comfortably met for N =
2048.
VII. C ONCLUSIONS
We have developed and applied a blind signal identification
technique to uncover the frequency- and time-domain structure
of the Starlink Ku-band downlink signal. We further identified
four synchronization sequences that can be used to passively
13
exploit Starlink signals for pseudorange-based positioning,
navigation, and timing (PNT), and explicitly evaluated two
of these. The results in this paper illuminate the path to use
of Starlink signals as a backup to traditional GNSS for PNT.
ACKNOWLEDGMENTS
Research was sponsored by by the Army Research Of-
fice under Cooperative Agreement W911NF-19-2-0333. Ad-
ditional support was provided by the U.S. Department of
Transportation (USDOT) under the University Transportation
Center (UTC) Program Grant 69A3552047138 (CARMEN),
and by affiliates of the 6G@UT center within the Wireless
Networking and Communications Group at The University
of Texas at Austin. The views and conclusions contained
in this document are those of the authors and should not
be interpreted as representing the official policies, either
expressed or implied, of the Army Research Office or the
U.S. Government. The U.S. Government is authorized to
reproduce and distribute reprints for Government purposes
notwithstanding any copyright notation herein.
R EFERENCES
[1] T. G. Reid, A. M. Neish, T. Walter, and P. K. Enge, “Broadband LEO
constellations for navigation,” Navigation, Journal of the Institute of
Navigation, vol. 65, no. 2, pp. 205–220, 2018.
[2] T. G. R. Reid, T. Walter, P. K. Enge, D. Lawrence, S. Cobb, G. Gutt,
M. O’Connor, and D. Whelan, Position, Navigation, and Timing Tech-
nologies in the 21st Century: Integrated Satellite Navigation, Sensor
Systems, and Civil Applications. Wiley-IEEE, 2020, vol. 1, ch.
Navigation from Low Earth Orbit: Part 1: Concept, Capability, and
Future Promise., pp. 1359–1380.
[3] Z. M. Kassas, Position, Navigation, and Timing Technologies in the
21st Century: Integrated Satellite Navigation, Sensor Systems, and Civil
Applications. Wiley-IEEE, 2020, vol. 1, ch. Navigation from Low Earth
Orbit: Part 2: Models, Implementation, and performance, pp. 1381–1412.
[4] N. Jardak and Q. Jault, “The potential of LEO satellite-based opportunis-
tic navigation for high dynamic applications,” Sensors, vol. 22, no. 7,
p. 2541, 2022.
[5] P. A. Iannucci and T. E. Humphreys, “Fused low-Earth-orbit GNSS,”
IEEE Transactions on Aerospace and Electronic Systems, pp. 1–1, 2022.
[6] M. Neinavaie, J. Khalife, and Z. M. Kassas, “Exploiting Starlink signals
for navigation: First results,” in Proceedings of the ION GNSS+ Meeting,
St. Louis, Missouri, Sept. 2021, pp. 2766–2773.
[7] M. Neinavaie, J. Khalife, and Z. Z. Kassas, “Acquisition, Doppler
tracking, and positioning with Starlink LEO satellites: First results,”
IEEE Transactions on Aerospace and Electronic Systems, pp. 1–1, 2021.
[8] J. Khalife, M. Neinavaie, and Z. M. Kassas, “The first carrier phase
tracking and positioning results with Starlink LEO satellite signals,”
IEEE Transactions on Aerospace and Electronic Systems, vol. 58, no. 2,
pp. 1487–1491, 2022.
[9] SpaceX, “Revised SpaceX Gen2 non-geostationary satellite system,
Technical Attachment,” https://licensing.fcc.gov/myibfs/download.do?
attachment key=12943362, Aug. 2021, SAT-AMD-20210818-00105.
[10] A. Bouzegzi, P. Ciblat, and P. Jallon, “New algorithms for blind
recognition of OFDM based systems,” Signal Processing, vol. 90, no. 3,
pp. 900–913, 2010.
[11] A. Gorcin and H. Arslan, “An OFDM signal identification method
for wireless communications systems,” IEEE Transactions on Vehicular
Technology, vol. 64, no. 12, pp. 5688–5700, 2015.
[12] M. S. Chaudhari, S. Kumar, R. Gupta, M. Kumar, and S. Majhi, “De-
sign and testbed implementation of blind parameter estimated OFDM
receiver,” IEEE Transactions on Instrumentation and Measurement,
vol. 71, pp. 1–11, 2021.
[13] M. L. Psiaki, “Navigation using carrier Doppler shift from a LEO con-
stellation: TRANSIT on steroids,” Navigation, Journal of the Institute
of Navigation, vol. 68, no. 3, pp. 621–641, 2021.
[14] L. Cimini, “Analysis and simulation of a digital mobile channel us-
ing orthogonal frequency division multiplexing,” IEEE transactions on
communications, vol. 33, no. 7, pp. 665–675, 1985.
[15] W. Y. Zou and Y. Wu, “COFDM: an overview,” IEEE transactions on
broadcasting, vol. 41, no. 1, pp. 1–8, 1995.
[16] J. Armstrong, “OFDM for optical communications,” Journal of light-
wave technology, vol. 27, no. 3, pp. 189–204, 2009.
[17] A. Ancora, I. Toufik, A. Bury, and D. Slock, LTE–The UMTS Long
Term Evolution: From Theory to Practice. Wiley, 2011, vol. 1, ch. 5:
Orthogonal Frequency Division Multiple Access (OFDMA), pp. 123–
143.
[18] J. Proakis and M. Salehi, Digital communications 5th Edition. McGraw-
Hill, 2007.
[19] E. L. Cid, M. G. Sanchez, and A. V. Alejos, “Wideband analysis of the
satellite communication channel at Ku-and X-bands,” IEEE Transactions
on Vehicular Technology, vol. 65, no. 4, pp. 2787–2790, 2015.
[20] T. Hobiger, D. Piester, and P. Baron, “A correction model of dispersive
troposphere delays for the ACES microwave link,” Radio Science,
vol. 48, no. 2, pp. 131–142, 2013.
[21] O. A. Dobre, “Signal identification for emerging intelligent radios:
Classical problems and new challenges,” IEEE Instrumentation & Mea-
surement Magazine, vol. 18, no. 2, pp. 11–18, 2015.
[22] D. Rife and R. Boorstyn, “Single tone parameter estimation from
discrete-time observations,” IEEE Transactions on information theory,
vol. 20, no. 5, pp. 591–598, 1974.
[23] E. H. Dinan and B. Jabbari, “Spreading codes for direct sequence cdma
and wideband cdma cellular networks,” IEEE communications magazine,
vol. 36, no. 9, pp. 48–54, 1998.
[24] J. Winters, “Differential detection with intersymbol interference and
frequency uncertainty,” IEEE Transactions on Communications, vol. 32,
no. 1, pp. 25–33, 1984.

14