Sunday 29 November 2015

Part Two: Airspy R2 - Questions and Answers

Question   1: There are three multiplexed ADC channels in the Airspy, is there a simple way to access the other two if I wanted to implement a custom DDC firmware? 
Answer     1: .By default channel 0 is used for the R820T2, but channel 1 and channel 2 are unconnected. You could hack the firmware source code and modify this line "#define DEFAULT_ADCHS_CHAN (0)" in "firmware/airspy_m4/airspy_m4.c" to use channel 1 or channel 2 instead of channel 0 which is connected to the output of the R820T2 tuner chip.
Of course the R820T2 would still be powered on so you should disable it, since you are not using it (use disable_r820t_power() anywhere where enable_r820t_power() is called) because it may add unwanted noise. Of course disabling the R820T2 chip, also means that you should delete/disable any calls to set registers in it, since you are not be using it. You should also delete/disable the frequency tuning from the firmware since the tuner is not used. And by the time you have done that it might be easier just to write your own custom firmware.

Extra info  1: Since the spyverter is now available it might be easier just to use it unless you actually need an ADC, that in theory could run at 80MSPS. The problem is that the USB bus will limit the data transfer to about 20MSPS. And there is not enough RAM in the LPC4370 to buffer more than about 2x16KiB (double buffering) or 32KiB of data, and there is not enough processing power within the CPU to reduce this data. So unless 32KiB of data sampled at 80MSPS is enough for your function this is probably a dead end for your idea. If you are still going to use the two ADC ports the good news is that there is ESD protection in the R2 board, the R0 board had no ESD protection on the ADC inputs.


Monday 2 March 2015

How to use Kal software to workout the PPM frequency offset of a RTL-SDR

The basic idea behind the Kalibrate software is that a GSM mobile phone base station has an expensive very high precision atomic clock (0.01ppb), where as a RTL-SDR stick has a cheap low  precision 28.8MHz quartz crystal (+/-100ppm). This cheap low  precision oscillator is used to derive all frequencies when you tune the RTL-SDR, so the bigger the errors the more you are offset from the correct frequency. There are two pieces of good news the offset is linear and once the cheap crystal has warmed up it generally does not drift very much. Because the error is linear across the whole frequency range, only one correction value is required.

When you buy a 28.8MHz quartz crystal in a can, they are generally not 28,800,000Hz. There are two problems that need to be compensated for by the PPM offset in SDR receiver software. The first is manufacturing tolerance, generally about 100 PPM (0.01%) is the range to keep costs down, so the frequency of a new quartz crystal could be anywhere between 28,797,120Hz and 28,802,880Hz at 20 degrees Celsius. The second problem is that the frequency will change slightly as the device warms up. But the good news is once the device has warmed up it will not drift much, unless the ambient room temperature varies.

So basically you scan the local area for active GSM base station channels with a large amount of power (good signal strength, which will probably be from the base station that is physically closest to your current location). Then kal uses this channels GSM frequency correction bursts to workout the PPM (part per million) offset of the RTL-SDR that you are currently calibrating.


Download, compile and install the kal software

$ sudo apt-get install libtool autoconf automake libfftw3-dev
$ git clone https://github.com/steve-m/kalibrate-rtl
$ cd kalibrate-rtl
$ ./bootstrap && CXXFLAGS='-W -Wall -O3'
$ ./configure 
$ make 
$ sudo make install


Use the kal software to scan GSM base stations for channels with high power

My RTL-SDR only goes from 24MHz to 1750MHz, so I can not use the DCS or PCS GSM system, even if they were active in my area. I know that EGSM is active where I am, but I'll test all the frequencies to time and show how long a scans takes when no GSM is present, as well as how long it takes when GSM base stations are present (about 2-10 minutes). This will also provide the warm up time of about 10 minutes for my RTL-SDR to reach its steady state operating temperature. Some of the GSM down link frequencies are used to send the frequency correction bursts, to calibrate mobile phone handsets, so that the phones know the correction offset to use when TX'ing on the up link frequencies. This allows mobile phone makers to use cheaper hardware in their handsets, and if you are making a few billion of them small savings quickly add up to more profit..
  • GSM850  UPLINK:   824.2-  849.2MHz DOWNLINK:   869.2-  894.2MHz
  • GSM-R     UPLINK:   876.0-  915.0MHz DOWNLINK:   921.0-  960.0MHz
  • GSM900  UPLINK:   890.0-  915.0MHz DOWNLINK:   935.0-  960.0MHz
  • EGSM      UPLINK:   880.0-  915.0MHz DOWNLINK:   925.0-  960.0MHz
  • DCS         UPLINK: 1710.2-1784.8MHz DOWNLINK: 1805.2-1879.8MHz
  • PCS         UPLINK: 1850.2-1909.8MHz DOWNLINK: 1930.2-1989.8MHz
(Source of above info https://en.wikipedia.org/wiki/GSM_frequency_bands#Bands)

(confirm that the RTL-SDR is actually plugged into the Linux machine)
$ lsusb | grep -i RTL
Bus 004 Device 015: ID 0bda:2838 Realtek Semiconductor Corp. RTL2838 DVB-T

(print the help for the kal software to see what arguments should be used)
$ kal
error: must enter channel or frequency
kalibrate v0.4.1-rtl, Copyright (c) 2010, Joshua Lackey
modified for use with rtl-sdr devices, Copyright (c) 2012, Steve Markgraf
Usage:
        GSM Base Station Scan:
                kal <-s band indicator> [options]

        Clock Offset Calculation:
                kal <-f frequency | -c channel> [options]

Where options are:
        -s      band to scan (GSM850, GSM-R, GSM900, EGSM, DCS, PCS)
        -f      frequency of nearby GSM base station
        -c      channel of nearby GSM base station
        -b      band indicator (GSM850, GSM-R, GSM900, EGSM, DCS, PCS)
        -g      gain in dB
        -d      rtl-sdr device index
        -e      initial frequency error in ppm
        -v      verbose
        -D      enable debug messages
        -h      help
$


$ date ; kal -s GSM850 ; date
Mon Mar  2 16:05:26 CET 2015
Found 1 device(s):
  0:  Generic RTL2832U OEM

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for GSM-850 base stations.
GSM-850:
Mon Mar  2 16:08:44 CET 2015
$ date ; kal -s GSM-R ; date
Mon Mar  2 16:16:37 CET 2015
Found 1 device(s):
  0:  Generic RTL2832U OEM

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for GSM-R-900 base stations.
GSM-R-900:
Mon Mar  2 16:17:09 CET 2015
$ date ; kal -s GSM900 ; date
Mon Mar  2 16:19:42 CET2015
Found 1 device(s):
  0:  Generic RTL2832U OEM

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for GSM-900 base stations.
GSM-900:
        chan: 9 (936.8MHz + 22.294kHz)  power: 52744.70
        chan: 11 (937.2MHz + 22.198kHz) power: 148897.40
        chan: 48 (944.6MHz + 21.298kHz) power: 64839.80
        chan: 50 (945.0MHz + 21.360kHz) power: 76421.47
        chan: 66 (948.2MHz + 21.020kHz) power: 100342.53
        chan: 68 (948.6MHz + 21.109kHz) power: 148650.05
        chan: 74 (949.8MHz + 21.369kHz) power: 57399.97
Mon Mar  2 16:23:30 CET 2015
$ date ; kal -s EGSM ; date
Mon Mar  2 16:24:36 CET 2015
Found 1 device(s):
  0:  Generic RTL2832U OEM

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
kal: Scanning for E-GSM-900 base stations.
E-GSM-900:
        chan: 9 (936.8MHz + 22.059kHz)  power: 55782.16
        chan: 11 (937.2MHz + 22.136kHz) power: 141612.90
        chan: 48 (944.6MHz + 21.194kHz) power: 60347.62
        chan: 49 (944.8MHz + 20.859kHz) power: 52131.68
        chan: 50 (945.0MHz + 21.268kHz) power: 79892.10
        chan: 66 (948.2MHz + 21.026kHz) power: 95478.05
        chan: 68 (948.6MHz + 21.074kHz) power: 142679.30
        chan: 74 (949.8MHz + 21.314kHz) power: 73531.29
        chan: 985 (927.2MHz + 23.002kHz)        power: 79791.55
        chan: 988 (927.8MHz + 22.555kHz)        power: 64283.53
        chan: 992 (928.6MHz + 21.866kHz)        power: 57287.97
        chan: 1000 (930.2MHz + 22.159kHz)       power: 192336.94
Mon Mar  2 16:29:38 CET 2015

$

Use the kal software to calculate the PPM clock offset of a RTL-SDR.

So  now that I have at least one channel number, with a high broadcast power in my region,  I can calculate the PPM offset with the kal software (best if the RTL-SDR has had a chance to warm up, the cheap 28.8MHz quartz crystal probably drifts most with temperature).


$ date ; kal -c 1000 ; date
Mon Mar  2 16:37:01 CET 2015
Found 1 device(s):
  0:  Generic RTL2832U OEM

Using device 0: Generic RTL2832U OEM
Found Rafael Micro R820T tuner
Exact sample rate is: 270833.002142 Hz
kal: Calculating clock frequency offset.
Using E-GSM-900 channel 1000 (930.2MHz)
average         [min, max]      (range, stddev)
+ 22.137kHz             [22112, 22160]  (49, 13.404841)
overruns: 0
not found: 0
average absolute error: -23.798 ppm
Mon Mar  2 16:37:23 CET 2015
$

Since there where no overruns and the signal was found every time I know that this is a good result, that I can confidently use this value with this particular RTL-SDR hardware in GRC or SDRSharp. I would round this number and use a PPM offset of -24 (0.0024%), since none of the software supports PPB corrections (yet). Even if there were 1 to 2 overruns or 1 to 5 not-found the PPM value would still probably be valid, it just meant that there was interference during the test or the signal strength of the channel used was not high enough, maybe try the test again using a different channel, that has more power (or less interference).


The Kalibrate software actually uses the GSM signals own inbuilt frequency correction bursts, that are used by mobile phone handsets (which also have cheap quartz crystals inside them) to calculate their ppm frequency correction. The original open source software was written for the Ettus Research USRP hardware and was ported work with the RTL-SDR.