SecureAngle: Improving Wireless Security Using
Angle-of-Arrival Information
lib/src/phy/rf/rf_soapy_imp.c
int rf_soapy_recv_with_time(void *h,
void *data,
uint32_t nsamples,
bool blocking,
time_t *secs,
double *frac_secs)
->
lib/src/phy/rf/rf_dev.h
int (*srslte_rf_recv_with_time)(void *h, void *data, uint32_t nsamples,
bool blocking, time_t *secs,double *frac_secs)
->
lib/src/radio/radio_multi.cc
bool rx_now(cf_t *buffer[SRSLTE_MAX_PORTS], uint32_t nof_samples, srslte_timestamp_t* rxd_time)
->
srsenb/src/phy/txrx.cc
void run_thread()
After reception completes, a signal is raised to notify the subsequent threads, i.e. the transmit/receive threads that follow.
srsenb/src/phy/phch_worker.cc
void work_imp();
->
srsenb/src/phy/phch_worker.cc
void srslte_enb_ul_fft(srslte_enb_ul_t *q)
This fills the key srslte_enb_ul_t->sf_symbols. That pointer is assigned in int srslte_ofdm_rx_init(srslte_ofdm_t *q, srslte_cp_t cp_type, cf_t *in_buffer, cf_t *out_buffer, uint32_t max_prb) and is shared, which makes it hard to see later on when srslte_enb_ul_t->sf_symbols actually gets its value.
Also note how signal_buffer_rx is shared in int srslte_enb_ul_init(srslte_enb_ul_t *q, cf_t *in_buffer, uint32_t max_prb). This explains why the later steps need no memory copy: the pointer itself is shared.
srsenb/src/phy/phch_worker.cc
int decode_pucch()
->
lib/src/phy/enb/enb_ul.c
int srslte_enb_ul_get_pucch(srslte_enb_ul_t *q, uint16_t rnti,
uint32_t pdcch_n_cce, uint32_t sf_rx,
srslte_uci_data_t *uci_data)
->
lib/src/phy/enb/enb_ul.c
int get_pucch(srslte_enb_ul_t *q, uint16_t rnti,
uint32_t pdcch_n_cce, uint32_t sf_rx,
srslte_uci_data_t *uci_data, uint8_t bits[SRSLTE_PUCCH_MAX_BITS], uint32_t nof_bits)
->
lib/src/phy/phch/pusch.c
int srslte_pusch_decode(srslte_pusch_t *q,
srslte_pusch_cfg_t *cfg, srslte_softbuffer_rx_t *softbuffer,
cf_t *sf_symbols,
cf_t *ce, float noise_estimate, uint16_t rnti,
uint8_t *data, srslte_cqi_value_t *cqi_value, srslte_uci_data_t *uci_data)
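Decoding functions exist in both pucch.c and pusch.c. PUCCH mainly carries control information on the uplink: CQI, RI, PMI and the HARQ acknowledgements. PUSCH carries uplink data in addition to control information. The two sit at different positions in the frequency domain: PUCCH is at the two edges of the band, while PUSCH is in the middle and occupies the vast majority of the resources. So here we mainly focus on PUSCH.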
->
lib/src/phy/modem/demod_soft.c
int srslte_demod_soft_demodulate_s(srslte_mod_t modulation, const cf_t* symbols, short* llr, int nsymbols) (QPSK decoding)
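The pointer sharing noted above for srslte_enb_ul_init and srslte_ofdm_rx_init, as an added example that is not srsLTE code. The toy_* structs and functions and the 4-point DFT are simplified, hypothetical stand-ins; only the type name cf_t is taken from the trace.

```c
#include <complex.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TOY_N 4u                 /* toy FFT size so the twiddles are exact */
typedef float complex cf_t;      /* sample type name as used in the trace */

/* Hypothetical, cut-down stand-ins for srslte_ofdm_t and srslte_enb_ul_t. */
typedef struct { cf_t *in_buffer; cf_t *out_buffer; } toy_ofdm_t;
typedef struct { toy_ofdm_t fft; cf_t *sf_symbols; } toy_enb_ul_t;

/* Init only records the two pointers; no samples are copied. */
static void toy_ofdm_rx_init(toy_ofdm_t *q, cf_t *in_buffer, cf_t *out_buffer) {
    q->in_buffer = in_buffer;
    q->out_buffer = out_buffer;
}

/* The caller's receive buffer becomes the FFT input, sf_symbols its output. */
static int toy_enb_ul_init(toy_enb_ul_t *q, cf_t *in_buffer) {
    q->sf_symbols = calloc(TOY_N, sizeof(cf_t));
    if (q->sf_symbols == NULL) return -1;
    toy_ofdm_rx_init(&q->fft, in_buffer, q->sf_symbols);
    return 0;
}

/* 4-point DFT from in_buffer to out_buffer: the only write to sf_symbols. */
static void toy_enb_ul_fft(toy_enb_ul_t *q) {
    const cf_t w[4] = { 1.0f, -I, -1.0f, I };   /* exp(-j*2*pi*m/4) */
    for (uint32_t k = 0; k < TOY_N; k++) {
        cf_t acc = 0.0f;
        for (uint32_t t = 0; t < TOY_N; t++)
            acc += q->fft.in_buffer[t] * w[(k * t) & 3u];
        q->fft.out_buffer[k] = acc;
    }
}

static void toy_enb_ul_free(toy_enb_ul_t *q) { free(q->sf_symbols); q->sf_symbols = NULL; }

/* Constructed input: one tone on bin 1, written as the radio thread would. */
static void toy_rx_tone(cf_t *rx) { rx[0] = 1.0f; rx[1] = I; rx[2] = -1.0f; rx[3] = -I; }

int main(void) {
    cf_t rx[TOY_N] = { 0 };
    toy_enb_ul_t ul;
    if (toy_enb_ul_init(&ul, rx) != 0) return 1;
    toy_rx_tone(rx);            /* new samples land in the shared buffer */
    toy_enb_ul_fft(&ul);        /* sf_symbols changes with no memcpy */
    printf("bin1 = %.1f%+.1fj\n", crealf(ul.sf_symbols[1]), cimagf(ul.sf_symbols[1]));
    toy_enb_ul_free(&ul);
    return 0;
}
```

Because both sides alias the same memory, the receive buffer must outlive the uplink object, and anything that reads sf_symbols sees whatever the most recent FFT call wrote.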
Continue reading: On the Improvement of Positioning in LTE with Collaboration and Pressure Sensors
TIMING-BASED LOCATION ESTIMATION FOR OFDM SIGNALS WITH APPLICATIONS IN LTE, WLAN AND WIMAX
DOA estimation based on MUSIC algorithm
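Note: the latest development version of the code is unstable and has problems. What follows only records my own steps; the code does not work properly. For normal use, do not follow the steps below with this version.
Following "Building an LTE lab environment with OpenAirInterface on LimeSDR V1.4 under Ubuntu 16.04", and "Fixing the problem that LimeSDR V1.4 drivers later than version 2017.06 cannot properly run the OpenAirInterface LTE lab environment on Ubuntu 16.04", the latest LimeSDR driver could run the LTE experiment normally. After that we started trying to update the OpenAirInterface code to the latest version (2018_w15). The new version has a clearer code structure, but it is not usable.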
$ cd ~
$ cd openairinterface5g
$ rm -rf *
$ git checkout develop
$ git pull
# For users in mainland China, several of the overseas download addresses need to be changed, otherwise downloads fail or are very slow
$ sed -i "s/git clone https:\/\/gist.github.com\/2190472.git \/opt\/ssh/wget https:\/\/www.mobibrw.com\/wp-content\/uploads\/2018\/03\/ssh.tar.gz \&\& sudo tar -zxvf ssh.tar.gz -C \/opt/g" cmake_targets/tools/build_helper
$ sed -i "s/git clone https:\/\/gitlab.eurecom.fr\/oai\/asn1c.git \/tmp\/asn1c/wget https:\/\/www.mobibrw.com\/wp-content\/uploads\/2018\/03\/asn1c.tar.gz \&\& tar -zxvf asn1c.tar.gz -C \/tmp/g" cmake_targets/tools/build_helper
$ sed -i "s/https:\/\/pypi.python.org\/packages\/18\/fa\/dd13d4910aea339c0bb87d2b3838d8fd923c11869b1f6e741dbd0ff3bc00\/netifaces-0.10.4.tar.gz/https:\/\/www.mobibrw.com\/wp-content\/uploads\/2018\/03\/netifaces-0.10.4.tar.gz/g" cmake_targets/tools/build_helper
$ sed -i "s/https:\/\/github.com\/google\/protobuf\/releases\/download\/v3.3.0\/protobuf-cpp-3.3.0.tar.gz/https:\/\/www.mobibrw.com\/wp-content\/uploads\/2018\/04\/protobuf-cpp-3.3.0.tar.gz/g" cmake_targets/tools/build_helper
$ sed -i "s/git clone https:\/\/github.com\/protobuf-c\/protobuf-c.git/wget https:\/\/www.mobibrw.com\/wp-content\/uploads\/2018\/03\/protobuf-c.tar.gz \&\& tar -zxvf protobuf-c.tar.gz/g" cmake_targets/tools/build_helper
# Fix a compatibility problem: newer protobuf-c versions do not match the version installed above and cause build errors
$ sed -i "s/cd protobuf-c/cd protobuf-c \&\& git checkout 2a46af42784abf86804d536f6e0122d47cfeea45/g" cmake_targets/tools/build_helper
# The latest limesdr driver has already fixed the data-read bug, so the first packet no longer needs to be dropped.
# We have to stop the first packet from being dropped, otherwise the data read is wrong
$ sed -r -i "s/first_rx[ \t]*=[ \t]*1;/first_rx = 0;/g" targets/ARCH/LMSSDR/USERSPACE/LIB/lms_lib.cpp
# Run the build
$ source oaienv
$ ./cmake_targets/build_oai -I # install SW packages from internet
# ./cmake_targets/build_oai -w USRP --eNB -t ETHERNET # compile eNB
# Note: if the limesdr driver is rebuilt later, this part has to be rebuilt as well
$ ./cmake_targets/build_oai -c -w LMSSDR --eNB -x
Next, create the LimeSDR startup configuration file (modified from enb.band7.tm1.50PRB.usrpb210.conf):
$ vim targets/PROJECTS/GENERIC-LTE-EPC/CONF/enb.band7.tm1.25PRB.lmssdr.conf
Its contents are as follows:
Active_eNBs = ( "eNB-Eurecom-LTEBox");
# Asn1_verbosity, choice in: none, info, annoying
Asn1_verbosity = "none";

eNBs =
(
 {
    ////////// Identification parameters:
    eNB_ID = 0xe00;
    cell_type = "CELL_MACRO_ENB";
    eNB_name = "eNB-Eurecom-LTEBox";

    // Tracking area code, 0x0000 and 0xfffe are reserved values
    tracking_area_code = "1";
    mobile_country_code = "208";
    mobile_network_code = "92";
    tr_s_preference = "local_mac"

    ////////// Physical parameters:
    component_carriers = (
      {
        node_function = "3GPP_eNODEB";
        node_timing = "synch_to_ext_device";
        node_synch_ref = 0;
        frame_type = "FDD";
        tdd_config = 3;
        tdd_config_s = 0;
        prefix_type = "NORMAL";
        eutra_band = 7;
        downlink_frequency = 2685000000L;
        uplink_frequency_offset = -120000000;
        Nid_cell = 0;
        N_RB_DL = 25;
        Nid_cell_mbsfn = 0;
        nb_antenna_ports = 1;
        nb_antennas_tx = 1;
        nb_antennas_rx = 1;
        tx_gain = 90;
        rx_gain = 125;
        pbch_repetition = "FALSE";
        prach_root = 0;
        prach_config_index = 0;
        prach_high_speed = "DISABLE";
        prach_zero_correlation = 1;
        prach_freq_offset = 2;
        pucch_delta_shift = 1;
        pucch_nRB_CQI = 0;
        pucch_nCS_AN = 0;
        pucch_n1_AN = 32;
        pdsch_referenceSignalPower = -27;
        pdsch_p_b = 0;
        pusch_n_SB = 1;
        pusch_enable64QAM = "DISABLE";
        pusch_hoppingMode = "interSubFrame";
        pusch_hoppingOffset = 0;
        pusch_groupHoppingEnabled = "ENABLE";
        pusch_groupAssignment = 0;
        pusch_sequenceHoppingEnabled = "DISABLE";
        pusch_nDMRS1 = 1;
        phich_duration = "NORMAL";
        phich_resource = "ONESIXTH";
        srs_enable = "DISABLE";
        /* srs_BandwidthConfig =; srs_SubframeConfig =; srs_ackNackST =; srs_MaxUpPts =;*/
        pusch_p0_Nominal = -96;
        pusch_alpha = "AL1";
        pucch_p0_Nominal = -104;
        msg3_delta_Preamble = 6;
        pucch_deltaF_Format1 = "deltaF2";
        pucch_deltaF_Format1b = "deltaF3";
        pucch_deltaF_Format2 = "deltaF0";
        pucch_deltaF_Format2a = "deltaF0";
        pucch_deltaF_Format2b = "deltaF0";
        rach_numberOfRA_Preambles = 64;
        rach_preamblesGroupAConfig = "DISABLE";
        /* rach_sizeOfRA_PreamblesGroupA = ; rach_messageSizeGroupA = ; rach_messagePowerOffsetGroupB = ; */
        rach_powerRampingStep = 4;
        rach_preambleInitialReceivedTargetPower = -108;
        rach_preambleTransMax = 10;
        rach_raResponseWindowSize = 10;
        rach_macContentionResolutionTimer = 48;
        rach_maxHARQ_Msg3Tx = 4;
        pcch_default_PagingCycle = 128;
        pcch_nB = "oneT";
        bcch_modificationPeriodCoeff = 2;
        ue_TimersAndConstants_t300 = 1000;
        ue_TimersAndConstants_t301 = 1000;
        ue_TimersAndConstants_t310 = 1000;
        ue_TimersAndConstants_t311 = 10000;
        ue_TimersAndConstants_n310 = 20;
        ue_TimersAndConstants_n311 = 1;
        ue_TransmissionMode = 1;
      }
    );

    srb1_parameters :
    {
        # timer_poll_retransmit = (ms) [5, 10, 15, 20,... 250, 300, 350, ... 500]
        timer_poll_retransmit = 80;
        # timer_reordering = (ms) [0,5, ... 100, 110, 120, ... ,200]
        timer_reordering = 35;
        # timer_reordering = (ms) [0,5, ... 250, 300, 350, ... ,500]
        timer_status_prohibit = 0;
        # poll_pdu = [4, 8, 16, 32 , 64, 128, 256, infinity(>10000)]
        poll_pdu = 4;
        # poll_byte = (kB) [25,50,75,100,125,250,375,500,750,1000,1250,1500,2000,3000,infinity(>10000)]
        poll_byte = 99999;
        # max_retx_threshold = [1, 2, 3, 4 , 6, 8, 16, 32]
        max_retx_threshold = 4;
    }

    # ------- SCTP definitions
    SCTP :
    {
        # Number of streams to use in input/output
        SCTP_INSTREAMS = 2;
        SCTP_OUTSTREAMS = 2;
    };

    ////////// MME parameters:
    mme_ip_address = (
      {
        ipv4 = "127.0.0.20";
        ipv6 = "192:168:30::17";
        active = "yes";
        preference = "ipv4";
      }
    );

    NETWORK_INTERFACES :
    {
        ENB_INTERFACE_NAME_FOR_S1_MME = "lo";
        ENB_IPV4_ADDRESS_FOR_S1_MME = "127.0.0.10/8";
        ENB_INTERFACE_NAME_FOR_S1U = "lo";
        ENB_IPV4_ADDRESS_FOR_S1U = "127.0.0.10/8";
        ENB_PORT_FOR_S1U = 2152; # Spec 2152
    };
 }
);

MACRLCs = (
  {
    num_cc = 1;
    tr_s_preference = "local_L1";
    tr_n_preference = "local_RRC";
    phy_test_mode = 1;
  }
);

L1s = (
  {
    num_cc = 1;
    tr_n_preference = "local_mac";
  }
);

RUs = (
  {
    local_rf = "yes"
    nb_tx = 1
    nb_rx = 1
    att_tx = 0
    att_rx = 0;
    bands = [7];
    max_pdschReferenceSignalPower = -27;
    max_rxgain = 125;
    eNB_instances = [0];
  }
);

NETWORK_CONTROLLER :
{
    FLEXRAN_ENABLED = "no";
    FLEXRAN_INTERFACE_NAME = "lo";
    FLEXRAN_IPV4_ADDRESS = "127.0.0.1";
    FLEXRAN_PORT = 2210;
    FLEXRAN_CACHE = "/mnt/oai_agent_cache";
    FLEXRAN_AWAIT_RECONF = "no";
};

log_config :
{
    global_log_level ="info";
    global_log_verbosity ="medium";
    hw_log_level ="info";
    hw_log_verbosity ="medium";
    phy_log_level ="info";
    phy_log_verbosity ="medium";
    mac_log_level ="info";
    mac_log_verbosity ="high";
    rlc_log_level ="info";
    rlc_log_verbosity ="medium";
    pdcp_log_level ="info";
    pdcp_log_verbosity ="medium";
    rrc_log_level ="info";
    rrc_log_verbosity ="medium";
};
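In addition, if the latest version is run with the -d parameter to start the graphical interface, the program crashes. This version can currently run, but it appears to cause abnormal data transmission in the LimeSDR driver. What is known so far is that this version of the driver does not read the configuration file correctly, so the configuration passed to the hardware is wrong. For now this version is not usable.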
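LTE Physical Layer Summary
This refers to the environment set up by following "Building an LTE lab environment with OpenAirInterface on LimeSDR V1.4 under Ubuntu 16.04".
The code is the code as of that time, not the latest code.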
->
targets/RT/USER/lte-enb.c
static void* eNB_thread_FH( void* param ) (eNB->rx_fh)
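After reception completes, a signal is raised to notify the subsequent threads, i.e. the transmit/receive threads that follow.
eNB transmit/receive processing thread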
targets/RT/USER/lte-enb.c
static void* eNB_thread_rxtx( void* param )
->
targets/RT/USER/lte-enb.c
static inline int rxtx(PHY_VARS_eNB *eNB,eNB_rxtx_proc_t *proc, char *thread_name) (eNB->proc_uespec_rx(eNB, proc, no_relay ))
->
openair1/SCHED/phy_procedures_lte_eNb.c
void phy_procedures_eNB_uespec_RX(PHY_VARS_eNB *phy_vars_eNB,eNB_rxtx_proc_t *proc,relaying_type_t r_type)
->
openair1/SCHED/phy_procedures_lte_eNb.c
void pucch_procedures(PHY_VARS_eNB *eNB,eNB_rxtx_proc_t *proc,int UE_id,int harq_pid,uint8_t do_srs)
->
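The actual decoding happens here and involves phase information. This is the PUCCH part of the data, which is mainly communication control data such as the signal-to-noise ratio; it does not contain actual communication data such as TCP or UDP traffic.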
openair1/PHY/LTE_TRANSPORT/pucch.c
uint32_t rx_pucch(PHY_VARS_eNB *phy_vars_eNB,
PUCCH_FMT_t fmt,
uint8_t UE_id,
uint16_t n1_pucch,
uint16_t n2_pucch,
uint8_t shortened_format,
uint8_t *payload,
int frame,
uint8_t subframe,
uint8_t pucch1_thres)
->
The actual decoding happens here and involves phase information; this is the actual communication data, such as TCP or UDP traffic.
openair1/PHY/LTE_TRANSPORT/ulsch_decoding.c
unsigned int ulsch_decoding(PHY_VARS_eNB *eNB,eNB_rxtx_proc_t *proc,
uint8_t UE_id,
uint8_t control_only_flag,
uint8_t Nbundled,
uint8_t llr8_flag) ( eNB->td)
->
The data segment is parsed here, i.e. the TCP/IP-related part.
openair1/PHY/LTE_TRANSPORT/ulsch_decoding.c
int ulsch_decoding_data(PHY_VARS_eNB *eNB,int UE_id,int harq_pid,int llr8_flag)
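The decoded data is reported to the MAC layer through the rx_sdu function.
Today's digital RF chips use I/Q signals without exception; even RFID chips use I/Q signals internally. Yet the vast majority of RF engineers know essentially nothing about I/Q beyond the name. I/Q signals are usually analog, although they can also be digital, for example square waves. What is processed inside the baseband is usually digital, and a D/A (digital-to-analog) conversion is performed at the output; every baseband block diagram shows this, and it is worth a close look.
There is a great deal of material online about I/Q signals, but it is all piles of formulas, four-phase diagrams, eight-phase diagrams and the like, and in the end one still understands nothing beyond these two term definitions:
I: in-phase
Q: quadrature, 90 degrees out of phase with I.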