Date post: 17-Apr-2018
University of California Los Angeles Examination of Techniques for Carrier Frequency Estimation of Frequency Hopped Signals in Time Domain A report submitted in partial satisfaction of the requirements for the degree Master of Science in Electrical Engineering by Mikhail B. Tadjikov Professor Danijela Cabric, Advisor 2010

University of California

Los Angeles

Examination of Techniques for Carrier

Frequency Estimation of Frequency Hopped

Signals in Time Domain

A report submitted in partial satisfaction

of the requirements for the degree

Master of Science in Electrical Engineering

by

Mikhail B. Tadjikov

Professor Danijela Cabric, Advisor

2010

© Copyright by

Mikhail B. Tadjikov

2010

Table of Contents

1 Introduction
1.1 Radiometric Identification
1.1.1 Clock Drift & Radiometric Identification
1.1.2 Carrier Frequency Drift
1.1.3 Frequency Hopping Spread Spectrum
1.2 Motivation
2 Methodology
2.1 Frequency Domain
2.1.1 Peak Detections
2.1.2 Mitigating Factors
2.2 Time Domain
2.2.1 Yule-Walker Method for the AR Model
2.2.2 Other AR spectral Estimation Methods
2.2.3 Selection of AR Model Order
2.2.4 Recursive AR models
3 The Foundation
3.1 Universal Software Radio Peripheral
3.2 GNU Radio
3.3 MATLAB
4 Implementation
4.1 Transmitter
4.2 Receiver
4.3 Troubleshooting
5 Results & Discussion
5.1 Results
5.1.1 System Bias
5.1.2 Comparison
5.1.3 On Recursion
5.2 Discussion
5.2.1 Model Validity
5.2.2 Effective Signal-to-Noise Ratio
6 Future Work
6.1 Other Methods for Spectral Estimation
6.2 Speed Improvements
6.3 Recursive Approach
6.4 I&Q Mismatch
6.5 Wavelets
References

List of Figures

1.1 Currently Available Oscillators
2.1 Example of AR Estimate with the model order 5, only the dominant coefficient shown.
2.2 CAT vs. FPE criteria for order determination.
4.1 TX Spectrum
4.2 Block Diagram of the Receiver
4.3 Test Setup: 2 x USRP2 and 1 computer. 2nd computer not shown.
5.1 Comparison between actual carrier frequency offset and estimated carrier frequency offset.
5.2 AR Spectral estimation performance summary for Yule-Walker, Burg and Least Squares.
5.3 Standard deviation of error vs. # of Recursions
5.4 Distribution of single frequency offset estimates.
5.5 A sample spectrum of a single burst overlaid with spectrum 20,000 bursts averaged.
6.1 Wavelet De-noising (Spectral Estimation): Bior 3.7 with 3 higher orders kept.

List of Tables

4.1 Bluetooth Nominal & Modified Simulation Parameters
5.1 A Summary of the AR Methods under different SNR and Effective SNR

Abstract of the Report

Examination of Techniques for Carrier

Frequency Estimation of Frequency Hopped

Signals in Time Domain

by

Mikhail B. Tadjikov

Master of Science in Electrical Engineering

University of California, Los Angeles, 2010

Professor Danijela Cabric, Advisor

This report will cover the background of frequency hopping spread spectrum (FHSS) and radiometric identification techniques; furthermore, it will introduce and discuss the techniques to detect and characterize Bluetooth devices using their radiometric features. It builds upon simulated frequency offset detection algorithms and explores their feasibility in real-time implementation via the universal software radio peripheral (USRP) in conjunction with GNU Radio or the Simulink© software defined radio (SDR) kit. This report will give a brief overview of some frequency-domain solutions, but will be primarily devoted to time-domain treatment of the problem. To conclude, future improvements will be explored and an overall performance analysis of the system discussed herein will be presented.

CHAPTER 1

Introduction

The future of communication is wireless. Millions of people already access the internet through wireless LANs on college campuses, in coffee shops and at places of business, and these are just small-scale networks. Plans to deploy large-scale wireless broadband in the US over the next 5-10 years are already in motion. One issue that all wireless networks have in common is security. With no physical line regulating access to the network, compromising it becomes strictly a software issue, one that someone with some time and not a lot of resources (a simple laptop with 2 wireless cards would do) could overcome. Once on the network, the intruder is indistinguishable from the rest of the users and can now access their information. This opens a whole new door to identity theft, as well as illegal bandwidth leeching. This paper will explore ways of identifying a transmitter based on innate hardware characteristics that are extremely hard to mimic, yet are fairly cost-effective to detect, oftentimes with the hardware already available at the base stations.

1.1 Radiometric Identification

1.1.1 Clock Drift & Radiometric Identification

There are two different techniques for discriminating between transmitters: radiometric and location identification. The latter is based on the idea that there are specific features in the channel between transmitter and receiver which are unique to each geographic location. There has been significant work and success on uniquely characterizing the channel and location for the purpose of device fingerprinting [1, 2]. The primary focus of our research is on the former concept of radiometric identification; in particular, the modulation domain. There are several metrics that can be used to differentiate transmitters in the modulation domain, listed from most to least effective:

• Carrier frequency offset errors.
• I & Q offset errors.
• Magnitude and phase errors.

By using a combination of the above methods for radiometric identification it is possible to achieve a highly accurate, sub 1%, transmitter identification given a large sample size of about 100 "identical" (same device vendor and hardware revision) transmitters [3]. In our research, the focus is on carrier frequency offset, which is primarily caused by clock drift with some minute contributions from the transmitter's system noise.

1.1.2 Carrier Frequency Drift

Clock drift is a phenomenon caused by manufacturing variability of oscillators. Due to the importance of keeping the manufacturing cost low, usually the range of 7.5 - 100ppm, as seen in Figure 1.1, is assumed for commonplace wireless devices. With the foresight of performing simulations in the 2.4GHz band, we calculate the carrier frequency offset, δf, to be in the range from 18kHz to 240kHz. It is assumed that crystal oscillators have a Gaussian distribution of frequency offsets, with µ = fc and σ = δf. Naturally, 240kHz would be the best case scenario; therefore, we design our system for the worst case scenario of σ = 18kHz.

Sidenote: there is currently ongoing research into crystal controlled crystal oscillators that would both reduce the price and increase the precision of the oscillator [4]. There are two potential issues associated with lower cost precise crystals: first, if they were used in transmitting devices it would make the offset detection virtually impossible due to the small clock drift; secondly, it would become much easier for an intruder to imitate existing transmitters on the network.

Figure 1.1: Currently Available Oscillators

1.1.3 Frequency Hopping Spread Spectrum

Frequency-hopping spread spectrum (FHSS) devices implement the notion of transmitting a signal with a constantly switching carrier frequency according to a pseudo-random hopping sequence. There are three main advantages to using the FHSS transmission technique:

• The signal is highly resistant to narrow-band interference.
• The signal is extremely hard to intercept/sniff due to the random hopping phenomenon, and thus usually just appears as background noise to a narrow-band receiver.
• The signal can share spectrum with many conventional wireless systems, thus helping to provide higher spectral efficiency.

Originally, spread spectrum transmission techniques were developed for the military due to their resistance to jamming and have since found a wide array of civilian uses, like Bluetooth. In our research we focus on detecting and fingerprinting Bluetooth devices, due to their widespread commercial & personal use.

1.1.3.1 Bluetooth

The Bluetooth signal hops over 79 RF channels that are spaced by 1MHz in the 2.402 - 2.480GHz spectral range. The specification requires the transmitted initial center frequency to be within ±75kHz of Fc, making our clock drift limited to 7.5 - 31ppm. Gaussian frequency-shift keying (GFSK) is used as the preferred modulation scheme for transmission, with bandwidth bit period product BT = 0.5 [5]. GFSK is standard frequency-shift keying with Gaussian filters used for pulse shaping to increase spectral efficiency [6]. With the hopping rate of 1/1600s the maximum pulse duration is 625µs, but the pulses could be as short as 366µs. With our signal sampled at 1MHz at baseband there is a maximum of 625 time samples available for analysis.

1.2 Motivation

The motivation of this project is to improve on the status quo in wireless security by enabling receivers to uniquely identify wireless transmitters. In this particular project the focus is on the first part of the problem: uniquely identifying the transmitters via their radiometric characteristics. With the improvements achieved here, hopefully it will soon be possible to reach the ultimate goal of correctly fingerprinting the transmitter and avoiding network intrusion.

CHAPTER 2

Methodology

2.1 Frequency Domain

Frequency domain signal analysis is oftentimes preferred over time domain analysis due to its informative nature. For the purposes of this project frequency domain carrier frequency estimation will not be considered; however, a brief overview of carrier frequency estimation and its problems in the frequency domain will follow.

2.1.1 Peak Detections

The problem of finding the center frequency offset estimate in the frequency domain, for many signals, boils down to finding the peak of interest in the desired spectral range: a simple peak detection. One of the major issues for signals such as Bluetooth is, as previously discussed, the Gaussian shaped spectrum that introduces various sporadic peaks which alter the shape of the spectrum, thus complicating the problem. One could conclude that averaging many FFTs would improve the overall shape of the spectrum, which it does due to the Gaussian nature of the noise and GFSK. However, in the case of frequency hopped signals, without knowing the hopping sequence it is difficult to know if the bursts came from the same transmitter or not. Given these issues, a single burst analysis system should generally be considered.

One such approach to solving this problem is discussed in the literature, with results that will be used as a baseline for our experiments [7]. Their results will be used for comparison and evaluation of the proposed center frequency offset estimation algorithms.

2.1.2 Mitigating Factors

Independent of which frequency domain carrier frequency estimation method is used, there are several known performance limitations that are associated with the analysis of frequency hopped signals; in particular, Bluetooth:

• Limited frequency resolution, which is caused by the duration of the transmitted burst. Even the best case scenario of 625µs with a sampling frequency equal to 1MHz would provide a limited frequency resolution:

$$\Delta F_{bin} = \frac{1\,\mathrm{MHz}}{625\ \mathrm{samples}} = 1600\,\mathrm{Hz}$$

• Another performance issue associated with Fourier transforms is in-between-bin losses. Since FFTs are estimated as sinc, if the signal falls in between two adjacent FFT bins, a worst case scenario, it incurs additional losses in power. These losses can be computed as:

$$|A(f)|^2 = \left.\frac{\sin^2(\pi f T)}{(\pi f T)^2}\right|_{f=\pi/2} = -3.91\,\mathrm{dB} \tag{2.1}$$

With a signal power loss of almost 4dB, this can provide inconsistent results for varying carrier frequency offsets. However, this can be mitigated by increasing the size of the FFT through zero padding [8, 9]. Although zero-padding does not provide any additional frequency information, it will reduce the in-between-bin losses.

• The Gaussian shaped nature of the signal has a drastic influence on the shape of the spectrum, and also creates a significant challenge in carrier frequency offset estimation. Spectrum shape is discussed further in the section Effective SNR.

2.2 Time Domain

As discussed before, one of the major disadvantages of using frequency domain analysis is poor frequency resolution given a time limited signal. The problem of finding the center frequency is further exaggerated in the case of Bluetooth transmission considering the effects of GFSK on the spectrum. On the other hand, time domain analysis is not limited by the number of data samples, and it has been shown that in some cases AR methods provided superior performance to FFT spectrum analysis [10]. Although there are many different time-domain methods, the focus of this project is on Auto Regressive (AR) spectral estimators.

2.2.1 Yule-Walker Method for the AR Model

One of the possible algorithms for estimating carrier frequency in the time domain is the Yule-Walker Method. While often in the literature it is described as inferior to other AR methods, it will be shown that for the case of Bluetooth signals it is more optimal [11]. Furthermore, this algorithm has a straightforward description and implementation, making it less computationally intensive than other models.

$$R(m) = \frac{1}{N}\sum_{n=0}^{N-m-1} x^*(n)\,x(n+m) \tag{2.2}$$

After starting out with a simple auto-correlation of the signal in question, the system order (p) needs to be selected.

$$S_x(f) = \frac{\sigma^2_{wp}}{\left|1 + \sum_{k=1}^{p} a_k(k)\,e^{-j2\pi fk}\right|^2} \tag{2.3}$$

$$\sigma^2_{wp} = R(0)\prod_{k=1}^{p}\left[1 - |a_k(k)|^2\right] \tag{2.4}$$

(2.5)

Where p is the number of poles in the system, or the number of peaks one is trying to estimate, and the $a_p(k)$ coefficients are found through the use of Levinson-Durbin recursion. It is also important to note that, by the problem definition, peak location and not strength is important; thus the need for an estimate for the linear predictor, $\sigma^2_{wp}$, is not clearly seen yet; nonetheless, its importance will become more apparent in later discussion. While in this particular problem it is known that there is only one peak to be acquired, the actual problem is the exact location of the peak. Although higher order AR estimators produce better frequency resolution, they would impede the solution to the problem in the case of GFSK transmission. As seen from figure 2.1, the signal shape could easily be consistent with a large number of sinusoids; therefore, the introduction of higher order AR estimators will only find multiple peaks instead of focusing on the main one. A more detailed discussion on optimal order selection can be found later on. A sample AR spectral estimate is shown in figure 2.1.

Figure 2.1: Example of AR Estimate with the model order 5, only the dominant coefficient shown. (Plot of Normalized Amplitude versus Normalized Frequency; curves: Spectrum of a Single Burst, Yule-Walker AR Estimate.)

2.2.2 Other AR spectral Estimation Methods

For the purposes of this project two more AR spectral estimation methods will be considered: Burg and Least-Squares. These methods are considered for comparison; full descriptions of the methodology can be found in references [12, 13]. However, the reasons for their omission should be commented on.

Burg: While the Burg AR method for spectral estimation is considered superior to Yule-Walker in the literature [11], it is for reasons that would not, in this author's opinion, benefit the spectral estimation of a GFSK signal. The Burg method is considered to perform better in conditions with high levels of white noise (AWGN), which is not necessarily the issue in the case of Bluetooth. Also, with higher order estimates it produces the line splitting phenomenon, which is highly undesirable in this instance.

Least Squares: While in performance comparisons it was found to have better performance than Burg, it is derived through similar modeling and shows weak performance under non-Gaussian noise.

2.2.3 Selection of AR Model Order

An important part of implementing any AR spectral estimator is the order selection. Lower order models produce smoothed and inexact spectrum estimates, while really high order models tend to introduce low-level peaks in the spectrum [11]. There are multiple methods that have been introduced throughout the years to deal with this particular problem, two of which will be reviewed here. The earliest method for order estimation was FPE (final predictor error criterion), as described by [14]:

$$FPE(p) = \sigma^2_{wp}\left(\frac{N + p + 1}{N - p - 1}\right) \tag{2.6}$$

where $\sigma^2_{wp}$ is the estimated variance of the linear prediction error, N is the length of the data and p is the order. The order is selected to minimize FPE(p). The FPE analysis of the system can be seen in Fig. 2.2.

Another method is CAT (criterion autoregressive transfer), which is defined as [15]:

$$CAT(p) = \left(\frac{1}{N}\sum_{k=1}^{p}\frac{1}{\bar{\sigma}^2_{wk}}\right) - \frac{1}{\bar{\sigma}^2_{wp}} \tag{2.7}$$

$$\bar{\sigma}^2_{wk} = \frac{N}{N-k}\,\sigma^2_{wk} \tag{2.8}$$

The optimal order is determined by minimizing CAT(p). This approach was also used on the current system, with results found in Fig. 2.2. It can be seen from both estimates that although the optimal order p is not the same, it is very similar; thus for the purposes of our experiments 5th order AR estimators will be computed. However, only the first pole will be used to determine the carrier frequency, since it contains the information about the most dominant signal in the spectrum.

Figure 2.2: CAT vs. FPE criteria for order determination. (Plot of Normalized Amplitude versus p (order); curves: FPE(p), CAT(p); marked points: X: 4, Y: 0.1896 and X: 5, Y: 0.3545.)
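The Yule-Walker estimate of section 2.2.1 and the FPE order selection of section 2.2.3, as an added example that is not code from the report: it implements eqs. (2.2), (2.4) and (2.6) with Levinson-Durbin and reads the carrier offset from the peak of eq. (2.3) at the FPE-selected order, whereas the report uses only the first pole of a 5th-order model. The burst generator, its 160 kHz deviation, the 3-tap shaping kernel and all function names are assumptions constructed for illustration.

```python
import cmath
import math
import random

FS = 1_000_000   # baseband sample rate used on the page (1 MHz)
N_BURST = 625    # longest burst on the page: 625 us at 1 MHz


def autocorr(x, max_lag):
    """Biased autocorrelation estimate of eq. (2.2) for lags 0..max_lag."""
    n = len(x)
    return [sum(x[i].conjugate() * x[i + m] for i in range(n - m)) / n
            for m in range(max_lag + 1)]


def levinson_durbin(r, max_order):
    """Solve the Yule-Walker equations for every order up to max_order.

    Returns (coeffs, var): coeffs[p] is [a_p(1), ..., a_p(p)] and var[p] is
    the prediction-error variance sigma^2_wp of eq. (2.4).
    """
    coeffs, var, a = [[]], [r[0].real], []
    for p in range(1, max_order + 1):
        acc = r[p] + sum(a[k] * r[p - 1 - k] for k in range(p - 1))
        refl = -acc / var[-1]                       # reflection coeff a_p(p)
        a = [a[k] + refl * a[p - 2 - k].conjugate()
             for k in range(p - 1)] + [refl]
        var.append(var[-1] * (1.0 - abs(refl) ** 2))
        coeffs.append(a)
    return coeffs, var


def fpe(var, n):
    """Final prediction error of eq. (2.6) for orders 1..len(var)-1."""
    return {p: var[p] * (n + p + 1) / (n - p - 1) for p in range(1, len(var))}


def ar_peak_hz(a, fs=FS, grid=4096):
    """Frequency in Hz at which the AR spectrum of eq. (2.3) peaks.

    sigma^2_wp does not depend on f, so the peak is where the denominator
    |1 + sum_k a(k) exp(-j 2 pi f k)|^2 is smallest on the search grid.
    """
    def denom(f):
        return abs(1 + sum(c * cmath.exp(-2j * math.pi * f * (k + 1))
                           for k, c in enumerate(a))) ** 2
    return fs * min((i / grid - 0.5 for i in range(grid)), key=denom)


def estimate_offset(x, max_order=5):
    """Return (order picked by minimum FPE, carrier offset estimate in Hz)."""
    coeffs, var = levinson_durbin(autocorr(x, max_order), max_order)
    scores = fpe(var, len(x))
    order = min(scores, key=scores.get)
    return order, ar_peak_hz(coeffs[order])


def burst(offset_hz, snr_db, rng, n=N_BURST, dev_hz=160e3):
    """Constructed test burst at one sample per symbol (not a Bluetooth modem).

    dev_hz=0 gives an unmodulated carrier; the 160 kHz deviation and the
    3-tap smoothing kernel are assumptions standing in for GFSK shaping.
    """
    bits = [rng.choice((-1.0, 1.0)) for _ in range(n + 2)]
    taps = (0.25, 0.5, 0.25)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)     # per-component noise std
    phase, out = 0.0, []
    for i in range(n):
        shaped = sum(t * bits[i + j] for j, t in enumerate(taps))
        phase += 2 * math.pi * (offset_hz + dev_hz * shaped) / FS
        noise = complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
        out.append(cmath.exp(1j * phase) + noise)
    return out


if __name__ == "__main__":
    rng = random.Random(2010)                       # fixed seed, constructed data
    for label, dev in (("unmodulated carrier", 0.0), ("GFSK-like burst", 160e3)):
        order, est = estimate_offset(burst(18e3, 20.0, rng, dev_hz=dev))
        print(f"{label}: order {order}, estimate {est / 1e3:.1f} kHz (true 18.0 kHz)")
```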

2.2.4 Recursive AR models

One of the problems in using AR spectral estimators is the out-of-band noise. Since the models provide pole based estimates, the signals that are not near the frequency of interest act as system noise and degrade overall system performance. A simple experiment is set up to test if signal conditioning would rectify this situation. With initial knowledge of the carrier frequency offset it is possible to perform a very narrow low-pass filtering and improve the estimate by as much as 50%. However, without a priori knowledge of the carrier frequency offset it might be possible to "zoom" in to the desired frequency by recursively filtering away extraneous information. A more detailed treatment of recursion can be found in later sections.

CHAPTER 3

The Foundation

3.1 Universal Software Radio Peripheral

The Universal Software Radio Peripheral, or USRP, is a computer peripheral that, in conjunction with a Software Defined Radio platform such as GNU Radio or SIMULINK©, is a very powerful tool. Currently the device is in its second generation of hardware revision, USRP2, with technical specifications as follows [16]:

• Gigabit ethernet interface

• Xilinx Spartan 3 2000 FPGA

• RF bandwidth of 25 MHz @ 16bits

• ADC: 100 MS/s @ 14bits

• DAC: 400 MS/s @ 16bits

One of the most noticeable differences between the hardware revisions is the increased RF bandwidth and the addition of a gigabit ethernet interface. The original USRP has a bandwidth of 8MHz and is interfaced through a USB2.0 connection, which is much slower with higher processor overhead. Implementation of the system would still be possible using USRP1; however, the limited RF bandwidth would minimize the possibilities for future expansion. As was mentioned before, Bluetooth hops across 79MHz of spectrum in the 2.4GHz band, yet as can be seen from the USRP2 specifications only 25MHz of bandwidth is available. Technically, it should be reduced down to 24MHz, since the outlying 0.5MHz regions have a much greater attenuation compared to the center 24MHz where the frequency response of the device is flat. This would be a significant impasse if the goal of the project was to transmit and receive Bluetooth signals rather than to detect and characterize them. The pseudo-random hopping sequence in Bluetooth has a uniform distribution for efficient spectrum usage. With that in mind, about a quarter of all hops in one cycle of the sequence would land within the 24MHz spectrum and we can use those pulses to extract the desired information. With the usage of two USRP2 units, one for transmission and one for reception, it would be possible to modify the Bluetooth hopping sequence, limiting the hops to stay within the 24MHz bandwidth.

3.2 GNU Radio

GNU Radio is community-maintained open-source software with a block-oriented design. Most of the signal processing blocks are programmed in C++, with Python used as a wrapper for the blocks. Additionally, Python is also used to connect the blocks together into a flow graph, which is the end product [17]. The flow graph implementation allows paths that are in parallel to be executed in a multi-threaded fashion automatically, without additional effort from the system designer. In the context of our project this should significantly improve the overall system performance, considering that we are monitoring multiple channels in an effort to detect the hopping signal. Initially GNU Radio Companion (GRC), a SIMULINK-like design tool, was used to help with the design and implementation of our system; however, we later moved to direct coding in Python to connect the blocks after it was discovered that our system design was too complex to implement in GRC. Similarly, we had to write several of our own signal processing blocks in C++ to compare the performance of our algorithms from SIMULINK simulation to a real-world implementation.

3.3 MATLAB

With USRP becoming more widespread, MathWorks has created a Simulink block for interacting with the device. Since MATLAB version 2010a, the two critical blocks that have been added are USRP Transmitter and USRP Receiver. With this advance it is now possible to prototype and experiment with new designs rather quickly, without having to implement proprietary signal processing blocks in GNU Radio. It is important to note that there are some modifications that need to be made to USRP units to enable their interaction with MATLAB [18]. Loading the units with a special firmware is only half the battle: with the new firmware the units can no longer be interfaced through a switch. To resolve this issue there need to be two dedicated gigabit network interface cards in one computer, or two computers with a dedicated gigabit port each.

CHAPTER 4

Implementation

4.1 Transmitter

To test the characterization in real-time on USRP2, a modified Bluetooth transmitter was implemented. Details for both the original Bluetooth standard and the modified implementation are presented in Table 4.1.

| Parameter | Nominal | Modified |
|---|---|---|
| Frame Period | 625µs | 625µs |
| Bandwidth | 1 MHz | 1 MHz |
| Frequency hopping rate | 1600 hops/s | 1600 hops/s |
| Number of Subchannels | 79 | 11 |
| Carrier Frequency | 2.4GHz | 2.4GHz |
| Frequency Offset Std.Dev. | ± 20 ppm | ± 20 ppm |
| Maximum Frequency Offset | ± 31 ppm | ± 31 ppm |

Table 4.1: Bluetooth Nominal & Modified Simulation Parameters

The number of subchannels needed to be adjusted due to the previously discussed spectral bandwidth limitations of USRP2. Aside from that change, the rest of the signal characteristics remain unchanged to ensure the validity of the model, which depends primarily on the characteristics of individual bursts. The system design is focused on the analysis of the signal on a per burst basis and thus the hopping sequence will not affect the final outcome of the results. However, in further expanding the design the issue of keeping track of, or figuring out, the hopping sequence would occur.

Even using a reference Bluetooth transmitter implementation supplied by MATLAB©, and after the reduction of subchannels, Simulink still had issues generating and transmitting the required I&Q samples in real-time. To mitigate this problem the transmitter was split into a two part design. The first stage generated 10 seconds of Bluetooth samples at 90% duty-cycle and saved the I & Q samples separately. In the second stage, the samples were read back, combined into a complex signal and fed directly to the USRP2 through a USRP Transmitter block. A 12MHz snapshot of the transmitted spectrum with the burst is shown in Figure 4.1.

Figure 4.1: TX Spectrum (Plot of Amplitude (dB) versus Frequency (MHz).)

4.2 Receiver

Similarly to the transmitter, the receiver was implemented in SIMULINK© using the USRP Receiver Block to interface with the USRP2 device. Figure 4.2 shows the block diagram of the receiver implemented. Below is a description of each block:

Figure 4.2: Block Diagram of the Receiver

USRP: The USRP, internally, has an RF front-end, a down-converter, and an analog-to-digital converter. The received signal is mixed down to intermediate frequency (IF), then it is digitized to 14 bits via the ADC and transmitted over the gigabit ethernet to the computer, where the samples stream from the USRP Receiver block in Simulink, or a USRP source block in GNU Radio. This whole operation occurs in the background and is transparent to the user.

N-FFT & Energy Detection: While in IF, the system needs to determine in which one of the 11 subchannels the burst is being transmitted. The N-FFT block performs an N point fast Fourier transform that enables the Energy Detection block to analyze the spectrum and determine the proper subchannel carrier frequency, denoted by Fchan.

Baseband: Once the current subchannel has been figured out, the signal is mixed down to baseband, low-passed and downsampled to reduce the effective bandwidth to 1MHz.

AR Estimator: This block is a placeholder for the various AR spectral estimators that have been implemented and tested as part of this project.

After the final stage the estimates are stored in the workspace, with the final statistics computed after the experiment.

4.3 Troubleshooting

There are some issues that were encountered during the simultaneous operation of transmitting and receiving on the same computer. These issues were not encountered during the initial tests using transmission and reception of simple sine waves. Through some investigation, it was concluded that the most likely culprit is the amount of data that has to be handled by one computer; nonetheless, it's important to point out that the processing power is not a problem [19]. Each of the USRP2 units is connected to its own dedicated Gigabit network interface card and is being used in wide bandwidth mode, which generates more data. To mitigate this problem two computers were used, one for transmission and the other for reception and real-time processing of the signal. The final test setup is partially shown in figure 4.3.

Figure 4.3: Test Setup: 2 x USRP2 and 1 computer. 2nd computer not shown.

CHAPTER 5

Results & Discussion

5.1 Results

5.1.1 System Bias

For the experiment we must consider that there is some inherent clock drift in the system. An experiment is set up to determine the relative clock drift between the two USRP2 units. Different carrier frequency offsets are introduced into the system: 0, 25k, 50k, 75k Hz. As can be seen from figure 5.1, the difference between the transmitter carrier frequency offset and the received signal carrier frequency offset estimate is approximately 13kHz, which is ∆Fref, the system reference drift. For a sanity check, the number is checked against the oscillator that is used in USRP2, which is rated at a fairly lax ±20ppm. This clock drift would give the maximum possible offset of 48kHz while tuned to the desired Fc = 2.405GHz [20]. It is important to note that in this experiment there are two USRP2 units, thus it is impossible to know how much clock drift is introduced by each oscillator. The only thing that is certain is that the overall offset has to fall within the range of ±40ppm. The clock drift for this system is computed below:

$$\mathrm{Drift} = \frac{\Delta F_{ref} \times 10^6}{F_c} = \frac{1.3 \times 10^3 \times 10^6}{2.405 \times 10^9} = 5.4167\,\mathrm{ppm} \tag{5.1}$$

The estimator is now modified to subtract ∆Fref = 13kHz from all the estimates; this change can be observed in figure 5.1. Since the only difference in the estimator is subtraction of the reference offset, this doesn't change the estimator statistics with regard to the standard deviation of error.

Figure 5.1: Comparison between actual carrier frequency offset and estimated carrier frequency offset. (Plot of Estimated Frequency Offset (kHz) versus Actual Frequency Offset (kHz); curves: Fc − ∆Fref, Estimated Fc.)

5.1.2 Comparison

Now that the system bias has been accounted for in the overall system performance evaluation, we move on to the results of the experiments. Figure 5.2 shows a performance comparison of the three autoregressive spectral estimation methods previously discussed. It can be seen that as the signal-to-noise ratio increases, the overall system performance does not experience a great deal of improvement.

Figure 5.2: AR Spectral estimation performance summary for Yule-Walker, Burg and Least Squares. (Plot of σerror (Hz) against SNR (dB); series: Yule-Walker, Burg, Least Squares.)

In comparison with literature, the time-domain methods discussed here outperform the frequency-domain analysis used for SNR greater than 10dB [7]. However, the time-domain approach is very susceptible to noise at lower (≤ 10dB) SNR. The overall system performance improvement at 20dB (I20dB) can be computed as follows:

$$I_{20dB} = \frac{\sigma^{fd}_{error} - \sigma^{td}_{error}}{\sigma^{fd}_{error}} = \frac{8400 - 5400}{8400} = 0.3571 \quad (5.2)$$

Or 35.71%. With a significant improvement over the status quo, it is recommended to use the time-domain approach when estimating the carrier frequency offset of frequency hopped signals.

The leveling-off of the performance improvement with an increase in SNR is the reason for a further investigation into Bluetooth signal properties that will be discussed below.

SNR (dB)              σerror (kHz)
No      Nm + No       Yule      Burg      LS-Cov
4       1.7328        13.796    15.822    18.117
6       2.8060        11.050    11.102    11.179
8       3.6513        9.506     9.569     9.715
10      4.2841        8.321     8.454     8.264
12      4.7367        7.336     7.446     7.419
15      5.1639        6.337     6.398     6.496
20      5.4837        5.403     5.476     5.525
25      5.5900        5.013     5.097     5.101
30      5.6241        4.896     4.939     4.967
50      5.6399        4.896     4.863     4.885
100     5.6400        4.893     4.863     4.885
500     5.6400        4.893     4.863     4.885
1000    5.6400        4.893     4.863     4.885

Table 5.1: A Summary of the AR Methods under different SNR and Effective SNR

5.1.3 On Recursion

As previously discussed, one of the major issues with using a filter as signal conditioning to improve the results is knowing where to set the cutoff frequency. A quasi-theoretical performance limit can be established under certain conditions:

• SNR of 25dB

• Cutoff frequency, wc = 0.05 normalized, or 25kHz.

• Carrier frequency offset, ∆Fc = 0Hz.

Under these conditions it can be estimated as σerror ≈ 3kHz. Having obtained a performance boundary well below the single estimate results, it was now time to loosen the conditions and observe the results.

Figure 5.3: Standard deviation of error vs. # of Recursions. (Plot of σerror (Hz) against # of Recursions.)

Since the carrier frequency offset can range within ±75kHz, the first estimate was performed using a low-pass filter with wc = 0.99. With the final cutoff frequency still set to 0.05, there is a variable number of equidistant stages from almost no filtering to extreme filtering. After each estimate the low-pass filter is shifted in the complex baseband to be centered around said estimate instead of zero. The idea is that the result will gradually improve with a slowly shrinking window. The results are summarized in figure 5.3. Two important observations are that the results are worse than with a single-pass estimate, and while they are improving with more iterations (smaller decrements in window size) the cost greatly outweighs any possible benefit.

5.2 Discussion

5.2.1 Model Validity

Figure 5.4: Distribution of single frequency offset estimates. (Plot of Probability against Frequency (Hz); series: σ error and Gaussian Distribution.)

To ensure the validity of the carrier frequency offsets that were computed through spectral estimates, the distribution of single frequency offset estimates was plotted and fitted with a normal distribution with the same standard deviation as the result, in this case σ = 5kHz. Figure 5.4 displays the statistics for 5th order Yule-Walker AR spectral estimates with SNR = 25dB. In accordance with the Central Limit Theorem this allows us to draw large sample statistics, thus validating the statistical conclusions from all the results presented in this report [21].

5.2.2 Effective Signal-to-Noise Ratio

Figure 5.5: A sample spectrum of a single burst overlaid with the spectrum of 20,000 bursts averaged. (Plot of Normalized Amplitude against Normalized Frequency; series: Single Burst FFT and Avg. Spectrum.)

As previously discussed, due to the signal characteristics of a GFSK modulated signal and the time-limited nature of the Bluetooth signal, it is difficult to ascertain the exact carrier frequency. Let us consider a scenario with a Bluetooth burst that is 625µs in duration and has a very high SNR (above 100dB). In this scenario, it is fair to say that AWGN has little to no impact on the overall performance of the system. A sample of such a signal is shown in Fig. 5.5 in conjunction with a time-averaged spectrum to show the underlying signal shape. By defining the averaged spectrum as the signal and the single burst spectrum as GFSK noise (or modulation noise Nm), we compute the signal-to-noise ratio for our scenario:

$$\frac{E_s}{N_m} = \frac{E_s}{E_b - E_s} = \frac{\sum_{1}^{N} |\bar{x}|^2}{\sum_{1}^{N} \left( |x|^2 - |\bar{x}|^2 \right)} = 5.64\,\text{dB} \quad (5.3)$$

Where Es is the signal power without the GFSK modulation, shown as the averaged spectrum in figure 5.5, and Eb is the energy of a single burst.

Now, let us consider a more realistic scenario with AWGN present. There is still modulation noise in the system, but now there is also white noise present, No. Considering the effects of both white noise and modulation noise on the system, a new equation for SNR (effective SNR) is derived as shown in equation 5.4.

$$SNR = \frac{E_s}{N_m + N_o} \quad (5.4)$$

From table 5.1 it is clearly seen that modulation noise (Nm) is the factor that is driving the results, especially at higher signal energy. This discovery paves the way for a different approach to carrier frequency offset estimation in future work, where white noise will not be considered the only variable and performance-limiting parameter in the system.
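The effective-SNR column of Table 5.1 follows from equation 5.4 once Es/Nm is fixed at the 5.64dB of equation 5.3. The Python sketch below is an added example, not code from the report: it reproduces that column and finds the input SNR beyond which more signal power buys less than 0.1dB. The function names are assumptions; the table values are copied from Table 5.1.

```python
import math

# Added example: names are illustrative, not taken from the report.
ES_NM_DB = 5.64  # Es/Nm from equation 5.3 (modulation noise only)

# (input SNR in dB, effective SNR in dB) pairs copied from Table 5.1
TABLE_5_1 = [(4, 1.7328), (6, 2.8060), (8, 3.6513), (10, 4.2841),
             (12, 4.7367), (15, 5.1639), (20, 5.4837), (25, 5.5900),
             (30, 5.6241), (50, 5.6399), (100, 5.6400)]

def db_to_lin(db):
    return 10.0 ** (db / 10.0)

def lin_to_db(x):
    return 10.0 * math.log10(x)

def effective_snr_db(snr_db, es_nm_db=ES_NM_DB):
    """Equation 5.4, Es / (Nm + No), with Es normalised to 1."""
    nm = 1.0 / db_to_lin(es_nm_db)  # modulation noise power relative to Es
    no = 1.0 / db_to_lin(snr_db)    # white noise power relative to Es
    return lin_to_db(1.0 / (nm + no))

def max_table_error_db():
    """Largest gap between equation 5.4 and the Nm + No column of Table 5.1."""
    return max(abs(effective_snr_db(s) - e) for s, e in TABLE_5_1)

def snr_for_shortfall(shortfall_db, es_nm_db=ES_NM_DB):
    """Input SNR (dB) at which effective SNR is shortfall_db below Es/Nm."""
    # Nm + No = Nm * 10^(shortfall/10)  =>  No = Nm * (10^(shortfall/10) - 1)
    nm = 1.0 / db_to_lin(es_nm_db)
    no = nm * (db_to_lin(shortfall_db) - 1.0)
    return lin_to_db(1.0 / no)

if __name__ == "__main__":
    for s, e in TABLE_5_1:
        print(f"{s:5d} dB -> {effective_snr_db(s):.4f} dB (table {e:.4f})")
    print(f"max deviation from table: {max_table_error_db():.5f} dB")
    print(f"within 0.1 dB of the ceiling above "
          f"{snr_for_shortfall(0.1):.1f} dB input SNR")
```

For anyone capturing bursts for carrier-offset fingerprinting, the practical reading is that raising the capture SNR past roughly 22dB leaves the effective SNR within 0.1dB of its 5.64dB ceiling.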


CHAPTER 6

Future Work

With the current implementation there are already significant improvements to carrier frequency offset estimation in Bluetooth devices over the status quo. There are several directions that should be explored to improve the accuracy of the estimate and overall system robustness, as well as getting closer to the final goal of uniquely identifying transmitters.

6.1 Other Methods for Spectral Estimation

This project explored three of the more common Auto Regressive spectral estimation methods: Yule-Walker, Burg and Least-Squares. There is a plethora of other methods available, including the ARMA Model, Pisarenko, ESPRIT and MUSIC.

• ARMA Model for spectral estimation is closely related to the Burg Model, but provides better performance for signals in additive white noise [11].

• Pisarenko is another eigenvalue decomposition spectral analysis tool, but it is primarily used for finding sinusoidal signals.

• ESPRIT and MUSIC Algorithms are not explicitly meant for sinusoids, but are intended for narrow bandwidth signals.

ARMA will most likely produce results similar to the AR methods used in this report, while the other algorithms will need some adaptation to perform best in a frequency hopped environment like Bluetooth.

6.2 Speed Improvements

This is more of a long-term goal, since there seems to be no real limitation on real-time processing as of now. That said, the USRP2 does come with an on-board Xilinx FPGA, which could be programmed to do some pre-processing on the data before it gets to the SDR platform. Some investigation into the capabilities of the FPGA revealed that it is capable of processing a full 2048-point FFT at 16-bit I&Q samples [22]. One solution is to increase the complexity of the first stage, while still keeping up with real-time constraints, by performing it on the USRP. During the first stage the USRP can identify the actual sub-channel for the burst and downconvert it to baseband. This would significantly limit the amount of data that is generated by the USRP2 on the network and possibly allow a single computer to act as a Software Defined Radio platform for both transmitter and receiver.

6.3 Recursive Approach

As previously discussed, it is thought possible to improve results on a single burst by recursively estimating and adapting the system to each burst. While the specifics of such future endeavors would depend on the particular spectral estimation or carrier frequency estimation methodology in mind, this idea should be tested with whichever approach is implemented.

6.4 I&Q Mismatch

Although I&Q mismatch is not considered a highly robust or reliable way to uniquely identify transmitters [3], it is this author's belief that in conjunction with carrier frequency offset estimation it would provide a better method for unique transmitter identification. Furthermore, it is important to note that I&Q mismatch can be calculated on a per-burst basis, thus providing a better statistic for identification.

6.5 Wavelets

Figure 6.1: Wavelet De-noising (Spectral Estimation): Bior 3.7 with 3 higher orders kept. (Plot of Normalized Amplitude against Normalized Frequency; series: Single Burst Spectrum and Denoised Spectrum.)

One way to reduce the noise and improve the shape of the spectrum for the purpose of carrier frequency estimation is wavelet de-noising. Although wavelets are traditionally utilized in data compression, they are extremely versatile and could be adapted to a multitude of applications [23]. The premise of wavelets is decomposing the signal into many levels, with each decomposition created by repetition of the mother wavelet. Generally, with higher order decompositions (above 6), higher order components, such as noise, are easily removed in the reconstruction by avoiding the higher order coefficients. This can be observed in figure 6.1, where the Bluetooth burst spectrum has been decomposed with only the major contributors kept in the reconstruction. As can be seen from figure 6.1, there are definitely lots of possibilities in working with wavelets for the purposes of spectral estimation or signal processing.

References

[1] D. Faria and D. Cheriton, “Detecting identity-based attacks in wireless networks using signalprints,” ACM WiSe, vol. 1, no. 1, pp. 43–52, 2006.

[2] N. Patwari and S. Kasera, “Robust location distinction using temporal link signatures,” in ACM MOBICOM. Quebec, Canada: ACM, 2007, pp. 111–122.

[3] V. Brik, S. Banerjee, M. Gruteser, and S. Oh, “Wireless device identification with radiometric signatures,” in MobiCom’08. San Francisco, California, USA: ACM, September 14-19 2008, 978-1-60558-096-8/08/09.

[4] T. Schmid, J. Friedman, Z. Charbiwala, Y. Cho, and M. Srivastava, “Xcxo: An ultra-low cost ultra-high accuracy clock system for wireless sensor networks in harsh remote outdoor environments,” NESL @ UCLA, Tech. Rep. TR-UCLA-NESL-200802-02, February 2008.

[5] Various, “Get technical,” WWW, April 2009, http://www.bluetooth.com/Bluetooth/Technology/.

[6] M. S. Nixon and A. S. Aguado, Feature Extraction and Image Processing. Maryland Heights, Missouri: Academic Press, 2008, pp. 88.

[7] A. Gok, S. Joshi, J. Villasenor, and D. Cabric, “Estimating the number of frequency hopping interferers using spectral sensing with time and frequency offset measurements,” in IEEE MILCOM. Boston, MA: IEEE, 2009.

[8] J. B. Tsui, Fundamentals of Global Positioning System Receivers: A Software Approach, 2nd ed. Hoboken, New Jersey: Wiley-Interscience, 2004, pp. 239-243, ISBN: 0471706477.

[9] J. K. Holmes, Spread Spectrum Systems for GNSS and Wireless Communications. Norwood, Massachusetts: Artech House Publishers, 2007, pp. 387-388, ISBN: 978-1-59693-083-4.

[10] E. Boyer, M. Petitdidier, W. Corneil, C. Adnet, and P. Larzabal, “Application of model-based spectral analysis to wind-profiler radar observations,” Annales Geophysicae, vol. 19, pp. 815–824, 2001.

[11] J. Proakis and D. G. Manolakis, Digital Signal Processing, 3rd ed. Upper Saddle River, New Jersey: Prentice Hall, 1996, pp. 910-930.

[12] J. P. Burg, “The relationship between maximum entropy and maximum likelihood spectra,” Geophysics, vol. 37, pp. 375–376, April 1972.

[13] T. J. Ulrych and R. W. Clayton, “Time series modeling and maximum entropy,” Physics of the Earth and Planetary Interiors, vol. 12, pp. 188–200, August 1976.

[14] H. Akaike, “Power spectrum estimation through autoregression model fitting,” Annals of the Institute of Statistical Mathematics, vol. 21, pp. 407–419, 1969.

[15] E. Parzen, “Some recent advances in time series modeling,” IEEE Transactions on Automatic Control, vol. AC-19, pp. 723–730, December 1974.

[16] M. Ettus, USRP2 FAQ, GNU Software Foundation, 2010, http://gnuradio.org/trac/wiki/USRP2GenFAQ.

[17] E. Blossom, How to Write a Signal Processing Block, rev. 0.3 ed., Free Software Foundation, Inc, April 2008, http://www.gnu.org/software/gnuradio/doc/howto-write-a-block.html.

[18] Various, “Where can i obtain firmware for my usrp2?” WWW, November 2010, http://www.mathworks.com/support/solutions/en/data/1-CUN7JZ/index.html?product=CB&solution=1-CUN7JZ.

[19] L. Choong, “Multi-channel ieee 802.15.4 packet capture using software defined radio,” Master’s thesis, UCLA, April 2009, http://nesl.ee.ucla.edu/fw/thomas/leslie choong multichannel ieee802154.pdf.

[20] Ecliptek, EC26 Series Oscillator Data Sheet, Ecliptek Corporation, April 2009.

[21] J. Rice, Mathematical Statistics and Data Analysis, 2nd ed. Pacific Grove, California: Duxbury Press, 1995, ISBN 0-534-20934-3.

[22] J. Corgan, “FPGA ”headroom” in USRP2,” February 2009, http://lists.gnu.org/archive/html/discuss-gnuradio/2009-02/msg00192.html.

[23] Y. Meyer, “Wavelets - Algorithms and applications,” Applied Mathematics, 1993.

