(Associated video with description also available here with “live” call sequence starting around 4:15)

For signal intelligence (SIGINT) and RF sensing applications, the first step in listening and analyzing radio communications typically resides in isolating independent communication channels. To do this in software-defined radio systems, one of the following techniques is commonly used:

• Digital down conversion (DDC)
• Frequency domain filtering
• Polyphase fast Fourier transform (FFT)

The third technique, polyphase FFT, is by far the most efficient signal processing method and the one most commonly used in wideband RF signal inspection and SIGINT applications. Because most commercial communication standards have a spectrum structure consisting of equally spaced communication channels, this method can be applied by simply using a single FIR structure along with an FFT implementation, which drastically reduces the signal processing needs per channel. For applications requiring real-time inspection of multiple simultaneous communication channels, the polyphase FFT technique is easily deployable in a parallel FPGA architecture. When mapped on fabric architectures like FPGAs, an efficient channelizer supporting large numbers of analyzed channels can be simple to implement.

We implemented the polyphase FFT technique on the Nutaq FPGA-based RF Wideband Digitizer WD20G. This system includes a wideband RF receiver unit (tunable from 100 KHz to 20 GHz

[WR20G]) and digitizes with up to a 100 MHz baseband bandwidth through the use of high-speed A/D converters attached to a hybrid PC-FPGA architecture [PicoDigitizer 250 Series].

RF Wideband Digitizer

In this project, we decided to implement a quad-band GSM channelizer, although any other standard could also have been implemented. With such a wide tuning range and available real-time bandwidth, the channelizer supports real-time inspection on the following bands:

• GSM 850: Simultaneous uplink and downlink inspection
• GSM 900: Simultaneous uplink and downlink inspection
• GSM 1800: Uplink or downlink inspection (UL + DL > 100MHz)
• GSM 1900: Uplink or downlink inspection (UL + DL > 100MHz)

The following photo shows the demo’s open-frame setup:

Open Frame Setup

Additionally, a model-based design approach was used to speed up the development process and, for being able to have something running on real-time hardware in less than two weeks of effort, goal achieved!

WD20G

 The project was designed using the Nutaq Model-Based Design Kit (MBDK), which allowed us to design the whole application without writing a single line of VHDL or C code.

In the FPGA section, we used Xilinx System Generator IP blocks to design the polyphase FIR/FFT algorithms, and then combined them with Nutaq communication blocks to get data from the high-speed A/D converters. We then streamed the resulting data to the embedded PC and finally shared the embedded PC registers for behavioral controls.

Perseus 601X Channelizer FPGA

In this polyphase FFT implementation, a 512 FFT is used. Each bin is associated with a 200 KHz GSM channel. This requires a sampling frequency of 102.4 MHz (512 * 200 KHz) on the A/D and FPGA logic. Averaging is also performed in order to enable the desired refresh rate of the waterfall real-time graph that will be performed in the embedded processor section. Straight IQ samples are also directed to separate communication channels in order to display time-domain waveform samples of a selected channel (see the additional RTDEx channels at the bottom of the above figure).

In the i7 embedded processor section, we used the GNU Radio environment to speed up the visualization and to control the FPGA IP behavior. The Nutaq RTDEx source block was used to combine the averaged output of the polyphase implementation with the index of the GSM associated channel (out1 and out2 respectively). Additionally, the block allows reception of the time domain signals (I/Q) from two identified GSM channels (out3 and out4).

Channelizer GNU Radio Companion

The screen capture below show the visualization of both the waterfall graph on the left side (RTDEx outputs 1 and 2), as well as the time domain I/Q plots on the right side (RTDEx outputs 3 and 4), according to the selected GSM channels from the control registers at the top-right (channel_number1/2).

GSM Waterfall Graph With Time Domain IQ Plots

In the top-right graph, we can clearly identify the time slots and bursts of data associated with a GSM cell phone on channel 90:

– WR20G RF receiver tuned at 859.2 MHz (exactly between UL and DL)
– GSM Channel 90 corresponds to 859.2 MHz + (90-256)*200 KHz = 826 MHz

Additionally, the Nutaq GSM Small Cell (SuperFemto) can be identified (bottom-right graph) on GSM channel 315:

– GSM Channel 315 corresponds to 859.2 MHz + (315-256)*200 KHz = 871 MHz

To summarize, a multi-channel real-time channelizer was rapidly implemented by combining the power of FPGA parallel computing with the Nutaq FPGA-based RF Wideband Digitizer WD20G and the Nutaq model-based design tools (MBDK).

Video

In this video we present the  Nutaq RF Wideband Digitizer. Specifically we show a GSM channelizer implementation developed using a model-based design approach.

Welcome to the GSM Channelizer demo developed by Nutaq with available on- the-shelf Nutaq product.

The hardware used to implement this application is the Nutaq wideband RF digitizer solution. On top we have a wideband RF receiver covering from 100 kilohertz up to 20 gigahertz with 400 megahertz of bandwidth. On the bottom we have a digitizer which includes and FPGA processor with two high speed ADCs and Intel quad-core i7 processor.

This picture represents the setup of the GSM channelizer demo. On the left you have a GSM cell phone which will initiate a call and that call will be processed by the Nutaq GSM small cell BTS. On the right side the wide band RF digitizer acts as a listener only. The digitizer is configured to receive 100 MHz of bandwidth in the GSM frequency band of 859.2 MHz in the middle of the uplink and the downlink.

The received bandwidth is moved down to baseband, digitized, and then processed in the FPGA to calculate the energy in specific GSM channels. The results are streamed to the i7 processor through gigabit Ethernet for scoping in the GNURadio software which is supported by Nutaq product.

This block diagram shows the actual data flow in the inside the wideband RF digitizer. The received I&Q signals are sent to the digitizer part of the system to be sampled and processed by a Virtex-6 FPGA. The FPGA channelizer algorithms implemented were developed using the Nutaq model- based design kit or MBDK which uses Matlab/Simulink and system generator to generate directly a plug-and-play bit stream from the Matlab/Simulink model. The channelizer results are sent to the i7 processor which runs GNURadio software through the gigabit Ethernet interface.

Using the Nutaq GNURadio plug in, GNURadio scopes the received data in real time, but also configures the wide band RF receiver directly from the GNURadio flow graph. Here we have the actual Xilinx model used for the FPGA in this new generation. The green blocks are provided by Nutaq MBDK and the other blocks are provided by system generator. The Nutaq blocks are used to generate the HDL code for the interfaces around the FPGA. Link the ADCs on the left, the gigabit ethernet interface on the right, and the custom registers on top of the model.

The system generator blocks are used to generate the HDL code for the digital signal processing part of the system. This portion of the design is made of a polyphase channelizer which is basically a 512-points windowed FFT, a magnitude extractor, and an averager to provide the average power for each bin of the FFT. The results of these algorithms are sent outside of the FPGA to the GNURadio flow graph through different gigabit Ethernet channels. In the GNURadio flow graph, the Nutaq GNURadio plug-in received the data from all the gigabit Ethernet channels for scoping purposes.

On the left, we can see that the Nutaq GNURadio plug-in also provides a radio configuration block which enables the control of the radio from the GNURadio environment. On the left this is the wideband RF receiver where the I&Q signals are connected to the ADCs which are on the other box on the right, through two black cables. The other black cable is for clock reference sharing between the different local oscillators of both hardware. Finally, the orange cable is the Ethernet cable used for the wide band RF receiver configuration.

The caller is initiating a call. The GSM SmallCell is receiving and establishing communication. On the screen on the back we can see a waterfall of the left showing the average energy at different frequencies. On the top right of the screen we can see the received I&Q digitized samples sent by the cell phone on the uplink frequency. We can tell that this is the actual voice data coming from the cell phone simply by the signal’s signature. The periodic bursts are showing that the GSM small cell has successfully allocated a specific timeslot for the cell phone to transmit in.

On the scope on the bottom the received I&Q samples sent by the GSM small cell are shown. Now let’s take a better look at what is on the screen. The waterfall on the left shows in real time the energy of all the GSM channels around 859.2 MHz or in other words the energy at each bin of the FFT. If we scope on the FFT bin number 90 which corresponds to the frequency 826 MHz we can see that there is a strong energy component at this frequency which corresponds to the uplink frequency. A little bit on the right at the FFT bin number 315 or 871 MHz we see the continuous beacons streaming of the GSM small cell corresponding to the downlink frequency. The scopes on the right show the received I&Q signals of both frequencies in the time domain.