For our valuable customer in the telecommunication segment, we have designed a 2G/3G decoder for communication between base stations and mobile phones. The end application was a mobile communication intercepting device for a governmental agency.
Our Task and Challenge
Our task was to design a 2G/3G decoder based on an SDR (Software Defined Radio) module. The module contained a 6GHz transceiver and an FPGA. The decoder was partly inspired by an OpenBTS project that uses SDR to create a 2G/3G base station. However, not all decoding schemes were available in this code. These decoding schemes had to be studied, analyzed, and implemented by Consilia. Additionally, the UMTS standard is infamous for its incomprehensive description of the operation of higher layers. Consilia had to invest a lot of time into reverse engineering operation of these layers on communication analyzers in order to implement them into the decoder.
Solution
From the signal processing perspective
The system was divided into two parts. The first one was the Ettus board B205mini which performed signal processing and down-conversion of the input RF signal. The second part was a PC application.
The Ettus board was connected to the PC via USB 3.0. For communication the UHD drivers were used that ensured the transfer of data from the Ettus board to control application and configuration of on-board HW and FPGA. Subsequent signal processing on the PC side was performed in components for GNU Radio designed by Consilia. During the final stage, the messages were decoded by an application designed by Consilia. The host application was customer software which controlled the measurement and analyzed decoded messages.
From the user’s point of view
The system was divided into two parts - a 2G processing application and a 3G processing application.
Specific features of 2G
- GSM 2G downlink communication - signal measurement and analysis
- Scanning 2G band and finding scrambling codes of BTS on a specified frequency
- Decoding BCCH, CCCH, and SDCCH 4,8 messages from the downlink channel
- Measuring FFT on set bandwidth to detect active 2G channels
Specific features of 3G
- GSM UMTS 3G communication – signal analysis
- Scanning UMTS band and finding scrambling codes of BTS on a specified frequency
- Receiving data from primary, secondary, and dedicated channels
- Decoding BCCH, CCCH, and DCCH (over FACH or DCH) messages from the downlink channel
The project also contains jammer mode, which can jam on several specified frequencies at the same time.
Both applications run on Ubuntu Linux 16.04 LTS. The system and packages were supplied by the customer. Whole communication, control, and measurement are done via UDP messages.
Business Value
The 2G/3G decoder offloaded our customer from analysis and processing of the physical layer and the lowest SW layers of the 2G/3G standard.
The Customer’s team could focus on pure SW processing of higher layers.
The jammer allowed them to force any mobile phone in the vicinity to switch to a predefined test base station. This project served as a functional proof of concept and laid the foundation for further implementation of the decoder and jammer that are planned to be designed as a stand-alone product.
How It Is Made
The complete project was treated as a cost-effective proof of concept built from open-source and off-the-shelf SDR modules. However, it does not mean it was a simple puzzle for graduates.
It was a complex project where the most experienced engineers spent months on analysis and the implementation of the required features.
The 2G signal processing path starts in the SDR module. The FPGA firmware has been modified to meet 2G RF requirements. Mixers, decimators, and filters were recalculated and adjusted accordingly. The protocol for streaming decimated data was also adjusted in order to use the maximum bandwidth of USB 3.0.
On the PC side, the drivers were modified to correspond to the changed protocol streamed by the FPGA. In the next phase, the decimated data from the USB were converted to UDP packets, which are used as a communication protocol among GNU Radio components.
Here, one part of the processing was done by GNU Radio components and another part by components developed by Consilia.
The 3G signal processing was more challenging due to the fact that it uses spread spectrum on the physical layer. Computationally it is not possible to descramble the data only on a PC.
FPGA was used to search for scrambling codes and these codes were sent to the PC together with decimated data for further processing. Descrambling data in the FPGA offloaded the PC and saved its computation power for processing higher levels of the 3G protocol.
Client
The valuable customer in the telecommunication segment.
In the years 2017-2018, we created FPGA content and a PC library.
Next Solutions
Since the foundation of Consilia in 2004, we have finished and supported dozens of projects.