Monday, October 17, 2016

Charting cell tower activity

I wondered if cell tower activity slopes off during the night so I did a long-term waterfall using the method I described previously. I figured that since people do most of their talking, texting, and moving around during the day but leave their phone by their bed at night, there should be significantly less dynamic power change on the downlink as it gets later.

I chose half of the CDMA signal near my home, one of the ones Ywsia1 says has little activity. I also disabled the AGC so my SDRplay would not keep compensating on the gain reduction.

The picture below spans from 11:51 AM on Sunday, October 16, 2016 to 4:10 AM the next day with the usual 1 vertical pixel = 1 minute, with +/- <1 second accuracy.

Here's an annotated version:

To my surprise, the day did not show much activity but things really heated up from about 11:48 PM to 1 AM.

Thursday, October 13, 2016

Info on IS-95 (cdmaOne)

IS-95, I'm told by several sources, is one of the signals I've seen and which is half of the double signal provided on my cellphones page. Recently I did some reading on the standard. It turns out it was the predecessor of CDMA2000, which a lot of modern phones use. You may notice if you have a Verizon phone that the Internet will go out and the top bar will say "1X" when a phone call is in progress. That's your phone dropping 3G (or 4G) and switching down to CDMA2000 to make or receive the call. My phone, however, is on Cricket and switches down to 4G from LTE when I make calls.

IS-95 looks easy to decode because it only uses QPSK, never QAM. I found an interesting college lecture on the standard:

You'd think that IS-95 networks would have been shut down long ago, but like analog cell phones they may be required by law to keep the networks going until the FCC decides, or maybe enough people still use 2G phones that it's worth it.

When I contributed the first 3G signals on, Ywsia1 was quick to identify them and noted that he couldn't hear much traffic being handled (you can tell if you use AM). That's understandable, considering how far out I live, so when I was near Hanahan recently I recorded about 2 minutes of what appears to be IS-95. Look at an excerpt from the PDF linked above:

When I measured the bandwidth of the vast majority of the energy contained in the signal, it spanned from 862.281 to 863.509 MHz. That's 1.228 MHz! You can find a copy of this signal on the cellphones page.

When I recorded the sample I used slightly more amplification and aimed the antenna better, so if you measure the width you may come up with a little more. However, when the signal wasn't so strong, most of the energy was indeed contained within precisely 1.228 MHz.

[Update 10/14/2016]

CDMA2000 is considered 3G while IS-95 is 2G. I wondered if any modern phones could use IS-95, and I think I found a recent one on Amazon that can. Notice how it specifies both 2G and 3G CDMA.


I learned that a Costas Loop is instrumental in demodulating QPSK, so I spent a while yesterday trying to put one together. I took a 1200-baud Inmarsat signal and saved it into a 4800 Hz wave file (pictured below).

Then I watched a YouTube video that explained the Costas Loop. I wrote a Java app that would multiply the I and Q channels by 2cos(ft) and -2sin(ft), respectively.

Once that was done, I combined the 2 channels back into a wave file and played it in HDSDR. I now had 2 peaks, one at -1200 Hz and another at 0 Hz. I was initially excited, thinking that the -1200 Hz peak meant I had guessed the rate on the first try and my program had found something, but I now think it may be entirely generated by the program and that the peak would be at any frequency I had entered.

Anyway, the next step is to low-pass filter the output so you don't get the high mixer product. I didn't know how to low-pass outside of Audacity so I skipped that step and just opened the resulting wave file in Audacity. I used the Nyquist command (mult (aref *track* 0)(aref *track* 1)) to multiply the tracks by each other and see if any error signal would show up. To my surprise, both tracks became completely zeroed out. I wondered how that could be, so I did Undo, amplified the original tracks, and then re-did the Nyquist. This time, it stayed flat for almost the whole file and then slowly ramped up.

This seems like a slowly-increasing error signal, but I couldn't be sure because I had skipped the low-pass step. Today I used Audacity to do that. I amplified first, then tried to do a 2400 Hz lowpass filter, but it told me that was impossible since my file was 4800 Hz. Then I realized that I had to enter 1200 Hz. After that I used the Nyquist command to produce the error signal and got this:

Here is the "error signal" both amplified and zoomed in:

There was a huge peak in the original file, so I don't know that that matters much.
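The steps above (mix, low-pass each channel, multiply I by Q) only become a Costas loop once the error signal is fed back to steer the local oscillator. The sketch below is an added example, not the Java app from this post: it runs the same steps open-loop and closed-loop on a constructed 1200-baud signal at 4800 Hz. It assumes BPSK rather than QPSK so that the plain I*Q product is a valid error detector, and the 10 Hz offset, loop gains and function names are illustrative choices.

```python
import cmath, math, random

FS = 4800.0          # sample rate of the wave file described above (Hz)
SPS = 4              # 4800 Hz / 1200 baud = 4 samples per symbol

def make_bpsk(n_sym, offset_hz, phase0=0.7, seed=1):
    """Constructed test input: random BPSK at complex baseband with a carrier offset."""
    rng = random.Random(seed)
    out, n = [], 0
    for _ in range(n_sym):
        bit = rng.choice((-1.0, 1.0))
        for _ in range(SPS):
            out.append(bit * cmath.exp(1j * (2 * math.pi * offset_hz * n / FS + phase0)))
            n += 1
    return out

def costas(samples, closed=True, alpha=0.0707, beta=0.0025, lp=0.5):
    """Return (estimated offset in Hz, list of error-signal values)."""
    theta = freq = 0.0       # NCO phase (rad) and frequency (rad/sample)
    i_f = q_f = 0.0          # low-passed I and Q arms
    errors = []
    for x in samples:
        y = x * cmath.exp(-1j * theta)     # mix with the local oscillator
        i_f += lp * (y.real - i_f)         # one-pole low-pass on each arm
        q_f += lp * (y.imag - q_f)
        err = i_f * q_f                    # I*Q ~ 0.5*sin(2*phase error); data sign cancels
        errors.append(err)
        if closed:                         # feedback is what makes it a loop
            freq += beta * err             # integral path tracks the frequency offset
            theta += freq + alpha * err    # proportional path tracks phase
    return freq * FS / (2 * math.pi), errors

def tail_mean_abs(errors, n=500):
    """Average error magnitude over the last n samples."""
    return sum(abs(e) for e in errors[-n:]) / n

if __name__ == "__main__":
    sig = make_bpsk(1200, offset_hz=10.0)          # one second of constructed signal
    f_open, e_open = costas(sig, closed=False)
    f_lock, e_lock = costas(sig, closed=True)
    print("open loop  : residual error", round(tail_mean_abs(e_open), 4))
    print("closed loop: residual error", round(tail_mean_abs(e_lock), 6),
          "estimated offset", round(f_lock, 3), "Hz")
```

Without feedback the error signal keeps oscillating at twice the carrier offset; with feedback it decays toward zero and the integrator settles on the offset frequency.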