Demodulating Over-the-Air Communications

Modern radio designs have shifted predominantly to the software-defined radio architecture. From cellular handsets to military communications devices, the flexibility to support multiple wireless standards with a common RF front end is a compelling benefit. While the architecture of a software-defined radio is well understood, its inner workings often are not. In this article, we explain how the software-defined radio architecture can be used to demodulate an unknown over-the-air signal. Here we use a software-defined PXI RF vector signal analyzer from National Instruments to prototype the software-defined radio. By understanding basic radio hardware and software fundamentals, even a novice engineer should be able to demodulate over-the-air transmissions.

Architecture of a Software-Defined Receiver

Figure 1. Block diagram of a zero-IF receiver

At a high level, we can describe a software-defined radio as a radio designed so that classically analog functions such as demodulation and filtering are performed in software instead of in hardware. In a software-defined receiver, RF signals are downconverted to baseband (either directly or through an intermediate frequency) and sampled by analog-to-digital converter (ADC) chips. Today, the two most common software-defined receiver architectures are the zero-IF (intermediate frequency) receiver and the superheterodyne receiver [1,2]. Both architectures are designed to produce baseband I and Q samples that can be processed digitally, whether by a digital signal processor (DSP), a field-programmable gate array (FPGA), or even a PC.

Figure 1 shows the basic block diagram of a zero-IF, or direct downconversion, receiver. Here, the receiver generates a local oscillator (LO) tuned to the center frequency of the received signal. The zero-IF design downconverts the RF signal directly to analog I and Q signals, which are sampled by two DC-coupled baseband ADCs. Because the LO sits at the center of the band, LO leakage and DC offset land at 0 Hz in the baseband data, and any gain or phase mismatch between the I and Q paths produces an image of the signal; both effects are normally corrected in software.

Note that the block diagram shown in Figure 1 can have many variations. For example, a receiver designed to detect weaker signals might utilize multiple gain stages, and a receiver designed to demodulate signals with widely varying power (like cellular communications) might use an automatic gain control (AGC) circuit to provide variable gain.

The second common receiver architecture, the superheterodyne model, uses an analog intermediate frequency (IF) that is directly sampled by an ADC.

Figure 2. Block diagram of a superheterodyne receiver.

In Figure 2, observe that the downconverter first translates the RF signal to an intermediate frequency with a mixer. The analog IF signal can then be amplified and filtered (Figure 2 shows a filter stage) before being sampled at IF by an ADC. Once sampled as a digital IF, the signal must still be translated to baseband with a digital downconverter (DDC), which mixes the samples with a numerically generated LO at the IF, low-pass filters the result, and decimates to the baseband sample rate. DDC implementations are common both in hardware, through a dedicated application-specific integrated circuit (ASIC) or FPGA, and in software. Note that the NI PXIe-5663 6.6 GHz RF vector signal analyzer used in these experiments uses the superheterodyne downconversion approach.
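The DDC step described above, as an added example in pure Python (not code from the article or from any NI instrument): a real-valued IF sample stream is mixed to complex baseband with a numerically generated LO, low-pass filtered with a windowed-sinc FIR, and decimated. The 40 MS/s IF sample rate, 10 MHz IF, filter length, and the CW test tone are all assumptions constructed for the example.

```python
"""Digital downconversion (DDC) of an IF-sampled signal, in pure Python.

Added illustration: a real-valued IF sample stream is mixed to complex
baseband, low-pass filtered and decimated. The sample rate, IF and test tone
below are constructed for the example, not parameters of any instrument.
"""
import cmath
import math

FS_IF = 40e6     # ADC sample rate at IF (assumed)
F_IF = 10e6      # analog IF produced by the downconverter (assumed)
DECIM = 8        # decimation factor: 40 MS/s -> 5 MS/s complex baseband


def lowpass_taps(num_taps, cutoff_hz, fs_hz):
    """Hamming-windowed sinc FIR low-pass, normalized to unity DC gain."""
    fc = cutoff_hz / fs_hz
    m = num_taps - 1
    taps = []
    for n in range(num_taps):
        k = n - m / 2
        h = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        w = 0.54 - 0.46 * math.cos(2 * math.pi * n / m)
        taps.append(h * w)
    gain = sum(taps)
    return [t / gain for t in taps]


def ddc(if_samples, f_if, fs, decim, taps):
    """Mix real IF samples to complex baseband, then filter and decimate."""
    # Complex mix: exp(-j*2*pi*f_if*n/fs) moves the IF to 0 Hz and leaves the
    # negative-frequency image of the real input at -2*f_if (aliased).
    mixed = [x * cmath.exp(-2j * math.pi * f_if * n / fs)
             for n, x in enumerate(if_samples)]
    # Filtering and decimation are fused: the FIR output is only computed at
    # every decim-th sample, starting where a full tap history is available.
    out = []
    for n in range(len(taps) - 1, len(mixed), decim):
        acc = 0j
        for k, t in enumerate(taps):
            acc += t * mixed[n - k]
        out.append(acc)
    return out


def estimate_frequency(samples, fs):
    """Mean phase advance between successive samples, converted to Hz."""
    acc = 0j
    for a, b in zip(samples, samples[1:]):
        acc += b * a.conjugate()
    return cmath.phase(acc) * fs / (2 * math.pi)


def make_if_tone(offset_hz, num_samples):
    """Constructed test input: a CW tone offset_hz away from the IF, sampled at FS_IF."""
    return [math.cos(2 * math.pi * (F_IF + offset_hz) * n / FS_IF)
            for n in range(num_samples)]


def demo(offset_hz=500e3):
    """Run the DDC on the test tone and return the measured baseband frequency."""
    taps = lowpass_taps(63, 2e6, FS_IF)      # 2 MHz cutoff rejects the image at ~20 MHz
    baseband = ddc(make_if_tone(offset_hz, 4096), F_IF, FS_IF, DECIM, taps)
    return estimate_frequency(baseband, FS_IF / DECIM)


if __name__ == "__main__":
    print("baseband tone at %.1f kHz" % (demo() / 1e3))
```

A tone 500 kHz above the IF comes out at +500 kHz in the complex baseband data, and a tone below the IF comes out negative, which is what distinguishes complex (I/Q) baseband from a real IF: the sign of the offset survives.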

Estimating Modulation and Bandwidth in the Frequency Domain

Once a software-defined receiver downconverts an RF signal to digital baseband, the signal can be digitally decoded with a DSP, FPGA, or even a PC. Of course, communications system designers use a variety of countermeasures to keep unauthorized receivers from recovering their traffic: frequency hopping and spread spectrum techniques make a signal hard to intercept and demodulate, while encryption protects the payload even after the bitstream has been recovered. Thus, a receiver designed to demodulate and decode any off-the-air signal must be extremely sophisticated, and many detection algorithms are regarded as highly confidential and valuable intellectual property. Here we walk through the process of demodulating an unknown signal using a basic brute-force method. This method is useful for educational purposes but too unsophisticated for practical signal intelligence applications. In either case, the brute-force method requires us to identify an unknown signal's modulation scheme and symbol rate.

One of the easiest ways to guess a signal's modulation scheme is to observe the signal profile in the frequency domain. Figure 3 shows the frequency-domain profiles of three signals we created using the NI Modulation and NI Wireless LAN Toolkits for LabVIEW, each of which uses a different pulse-shaping filter.

Figure 3. Pulse-shaping filters in the frequency domain.

The first graph in Figure 3 illustrates a Gaussian minimum shift keyed (GMSK) signal in the frequency domain. The Gaussian pulse-shaping filter is one of the most recognizable, and it is used in communications systems such as cellular (GSM) devices. Note that the Gaussian filter is often mistaken for the half-sine pulse-shaping filter because the two appear similar in the frequency domain. The second graph shows the profile of a root-raised cosine filtered signal; common communications systems that use this filter include cellular standards such as TETRA, EDGE, and WCDMA. The final graph in Figure 3 illustrates the profile of an IEEE 802.11g (Wireless LAN) signal. This signal, like other standards such as WiMAX and 3GPP LTE, uses orthogonal frequency division multiplexing (OFDM) to achieve more efficient spectrum utilization. This signal is composed of 52 sub-carriers, and the OFDM signal type can be identified by its relatively square appearance in the frequency domain. Note that OFDM signals are among the most difficult to decode, since the number of sub-carriers is not readily visible in the frequency domain.

Once the pulse-shaping filter of an unknown signal is identified, the next step is to identify the modulation scheme and signal bandwidth. In many cases, one can make an educated guess at the modulation scheme simply by correctly identifying the pulse-shaping filter. For example, a Gaussian filter is often used with modulation schemes such as Gaussian minimum shift keying or its close relative, offset quadrature phase-shift keying (OQPSK). Similarly, root-raised cosine filters are generally associated with phase-shift keying (PSK) or quadrature amplitude modulation (QAM) schemes such as 4-QAM, 16-QAM, and 64-QAM. Since each correlation is merely an educated guess, it is generally preferable to apply more sophisticated signal processing to identify the specific modulation scheme used in the signal of interest. One way to identify the modulation scheme programmatically is to correlate modulation metrics with each candidate scheme. Using software such as the NI Modulation Toolkit, we can measure signal characteristics such as error vector magnitude (EVM). Because EVM is low only when the demodulator achieves a lock on the signal with the correct constellation, demodulating with each candidate scheme in turn and keeping the one with the lowest EVM can correctly identify the modulation scheme. One caveat: a constellation that contains the true one as a subset (8PSK for a QPSK signal, for example) also produces low EVM, so prefer the lowest-order scheme that locks, or check that every constellation point is actually used.
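The brute-force EVM search just described, written out as an added example (not NI Modulation Toolkit code). It assumes symbol timing and carrier phase have already been recovered, so each input sample is one symbol, and it uses a constructed candidate set of BPSK, QPSK, 8PSK and 16-QAM. Each candidate is normalized to unit power, every received symbol is sliced to its nearest constellation point, and the RMS EVM is computed; the fraction of constellation points actually hit ("occupancy") breaks the tie between a constellation and a superset of it.

```python
"""Brute-force modulation identification from synchronized IQ symbols.

Added example. Assumes symbol timing and carrier phase are already recovered
(one complex sample per symbol). Each candidate constellation is normalized to
unit RMS power, received symbols are hard-sliced to the nearest point, and the
RMS error vector magnitude (EVM) is measured. A constellation that contains the
true one as a subset (8PSK vs QPSK) also yields low EVM, so the fraction of
constellation points actually used ("occupancy") is the tie-breaker.
"""
import cmath
import math
import random


def _normalize(points):
    rms = math.sqrt(sum(abs(p) ** 2 for p in points) / len(points))
    return [p / rms for p in points]


def psk(order, phase_offset):
    return _normalize([cmath.exp(1j * (phase_offset + 2 * math.pi * k / order))
                       for k in range(order)])


def qam16():
    levels = (-3, -1, 1, 3)
    return _normalize([complex(i, q) for i in levels for q in levels])


# Constructed candidate set for the example.
CANDIDATES = {
    "BPSK": psk(2, 0.0),
    "QPSK": psk(4, math.pi / 4),
    "8PSK": psk(8, 0.0),          # contains the QPSK points as a subset
    "16QAM": qam16(),
}


def slice_symbols(rx, constellation):
    """Hard decision: index of the nearest constellation point for each symbol."""
    return [min(range(len(constellation)), key=lambda i: abs(s - constellation[i]))
            for s in rx]


def evm_and_occupancy(rx, constellation):
    """RMS EVM relative to the unit-power reference, and fraction of points hit."""
    rx = _normalize(rx)            # receive gain is unknown: scale to unit RMS first
    idx = slice_symbols(rx, constellation)
    err = sum(abs(s - constellation[i]) ** 2 for s, i in zip(rx, idx))
    evm = math.sqrt(err / len(rx))
    occupancy = len(set(idx)) / len(constellation)
    return evm, occupancy


def identify(rx, evm_threshold=0.15):
    """Name of the best candidate and the per-candidate (evm, occupancy) scores.

    Candidates whose EVM is below the threshold count as 'locked'. Among those,
    prefer the highest occupancy, then the lowest constellation order, then EVM.
    Returns (None, scores) when nothing locks.
    """
    scores = {name: evm_and_occupancy(rx, c) for name, c in CANDIDATES.items()}
    locked = [(evm, -occ, len(CANDIDATES[n]), n)
              for n, (evm, occ) in scores.items() if evm < evm_threshold]
    if not locked:
        return None, scores
    locked.sort(key=lambda t: (t[1], t[2], t[0]))
    return locked[0][3], scores


def make_symbols(name, count, noise_sigma=0.04, seed=1):
    """Constructed test data: random symbols of the named scheme plus Gaussian noise."""
    rng = random.Random(seed)
    ref = CANDIDATES[name]
    return [rng.choice(ref) + complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma))
            for _ in range(count)]


if __name__ == "__main__":
    best, scores = identify(make_symbols("QPSK", 2000))
    for name, (evm, occ) in scores.items():
        print("%-6s EVM %.3f  occupancy %.2f" % (name, evm, occ))
    print("identified:", best)
```

Run against constructed QPSK symbols, both QPSK and 8PSK lock with the same low EVM, but 8PSK shows only half of its points occupied, which is why the decision cannot rest on EVM alone. In a real capture the search would additionally have to run over symbol timing, carrier frequency and constellation rotation before these metrics mean anything.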

One can roughly estimate the symbol rate simply by inspecting the signal in the frequency domain. In general, the occupied bandwidth of a signal, defined as the bandwidth that contains 99 percent of the signal power, is directly related to the symbol rate through the filter type and its roll-off parameter (alpha for raised-cosine filters, the BT product for Gaussian filters). For example, if we observe GMSK with an occupied bandwidth of 10 MHz and know the filter parameter to be 0.27, the symbol rate is approximately 10 MS/s. However, if the filter parameter is unknown, our 10 MHz occupied bandwidth measurement is sufficient only to report that the symbol rate is between roughly 9 and 13 MS/s. In this case, a measurement such as occupied bandwidth provides only a rough estimate of the symbol rate.
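The occupied-bandwidth-to-symbol-rate relationship, worked through as an added example for the root-raised cosine case (the usual shaping for PSK and QAM), not for the GMSK case quoted above. It is not code from the article. It assumes i.i.d. zero-mean symbols and ideal root-raised cosine shaping, under which the power spectral density is the raised-cosine response, so the 99 percent bandwidth can be computed as a multiple of the symbol rate for any alpha and then inverted to turn a measured OBW into a symbol-rate estimate or, when alpha is unknown, a symbol-rate range.

```python
"""99%-power occupied bandwidth of a root-raised-cosine shaped signal.

Added example. For i.i.d. zero-mean symbols through a root-raised-cosine
filter with roll-off alpha, the PSD is the raised-cosine response, so the
occupied bandwidth (OBW) is a fixed multiple of the symbol rate Rs that
depends only on alpha. Frequencies below are in units of Rs. Gaussian (GMSK)
shaping is parameterized by BT rather than alpha and is not covered here.
"""
import math


def raised_cosine_psd(f, alpha):
    """Normalized raised-cosine PSD at frequency f (units of Rs); peak value 1."""
    f = abs(f)
    lo, hi = (1 - alpha) / 2, (1 + alpha) / 2
    if f <= lo:
        return 1.0
    if f >= hi:
        return 0.0
    return 0.5 * (1 + math.cos(math.pi * (f - lo) / alpha))


def obw_ratio(alpha, fraction=0.99, steps=20000):
    """Occupied bandwidth divided by symbol rate for roll-off alpha.

    Integrates the one-sided PSD with the midpoint rule until `fraction` of the
    total power is reached. The total one-sided area is exactly 0.5 for every
    alpha (the raised cosine has unit area), so no separate normalization pass
    is needed.
    """
    hi = (1 + alpha) / 2
    df = hi / steps
    target = fraction * 0.5
    acc = 0.0
    for i in range(steps):
        acc += raised_cosine_psd((i + 0.5) * df, alpha) * df
        if acc >= target:
            return 2 * (i + 1) * df       # two-sided bandwidth
    return 2 * hi


def symbol_rate_from_obw(obw_hz, alpha):
    """Symbol rate estimate from a measured 99% OBW when alpha is known."""
    return obw_hz / obw_ratio(alpha)


def symbol_rate_range(obw_hz, alpha_min=0.0, alpha_max=1.0):
    """(lowest, highest) symbol rate consistent with the OBW over an alpha range.

    OBW/Rs grows with alpha, so the largest alpha gives the lowest Rs.
    """
    return obw_hz / obw_ratio(alpha_max), obw_hz / obw_ratio(alpha_min)


if __name__ == "__main__":
    for a in (0.0, 0.22, 0.27, 0.35, 0.5, 1.0):
        print("alpha %.2f  OBW = %.3f Rs" % (a, obw_ratio(a)))
    lo, hi = symbol_rate_range(10e6)
    print("10 MHz OBW, alpha unknown: Rs between %.2f and %.2f MS/s" % (lo / 1e6, hi / 1e6))
```

For root-raised cosine shaping the 99 percent bandwidth runs from about 0.99 Rs at alpha = 0 to about 1.63 Rs at alpha = 1, so a 10 MHz occupied bandwidth alone pins the symbol rate only to roughly 6 to 10 MS/s; knowing alpha collapses that to a single value. The width of that range is the quantitative version of the "rough estimate" caveat above.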

Demodulation and Decoding

Figure 4. Demodulation of QPSK in software.

Once the modulation scheme and symbol rate have been determined, the IQ waveform can be demodulated to a digital bitstream in software. Figure 4 illustrates the symbol mapping of a QPSK waveform. Note that translating a baseband waveform into a digital bitstream is not a trivial operation. In fact, extracting useful information from a demodulated bitstream still requires knowledge of the symbol map. In many cases it is also necessary to recognize a synchronization sequence: it marks the start of a frame, and for PSK it resolves the carrier-phase ambiguity (a QPSK constellation looks identical after a 90-degree rotation, so a demodulator can lock with any of four rotations). In Figure 4, symbol mapping is performed with native NI Modulation Toolkit functions.
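The symbol-map and synchronization-sequence step, as an added example (not NI Modulation Toolkit code). It assumes a Gray-coded QPSK symbol map and a 16-bit synchronization word, both constructed for the example, and it assumes the input symbols are already at one sample per symbol. The demodulator slices symbols to dibits under each of the four possible carrier-phase rotations and keeps the rotation under which the sync word appears, returning the payload bits that follow it.

```python
"""QPSK symbol-to-bit demapping with phase-ambiguity resolution.

Added example, not NI Modulation Toolkit code. A QPSK constellation is
invariant under 90-degree rotations, so a demodulator that has locked to the
carrier may still be rotated by 0, 90, 180 or 270 degrees. The demapper slices
symbols to Gray-coded dibits under each rotation and keeps the one under which
the known synchronization word appears. Symbol map and sync word are
constructed for the example.
"""
import cmath
import math
import random

# Gray-coded QPSK map: point index k -> dibit; adjacent points differ in one bit.
QPSK_POINTS = [cmath.exp(1j * (math.pi / 4 + k * math.pi / 2)) for k in range(4)]
QPSK_BITS = [(0, 0), (0, 1), (1, 1), (1, 0)]
SYNC_WORD = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1)   # constructed 16-bit pattern


def demap(symbols, rotation_quadrants=0):
    """Rotate symbols back by k*90 degrees, then hard-slice each to its dibit."""
    rot = cmath.exp(-1j * rotation_quadrants * math.pi / 2)
    bits = []
    for s in symbols:
        s = s * rot
        k = min(range(4), key=lambda i: abs(s - QPSK_POINTS[i]))
        bits.extend(QPSK_BITS[k])
    return bits


def find_sync(bits, sync=SYNC_WORD):
    """Bit position of the first exact occurrence of the sync word, or -1."""
    n = len(sync)
    for i in range(len(bits) - n + 1):
        if tuple(bits[i:i + n]) == sync:
            return i
    return -1


def demodulate_with_sync(symbols, sync=SYNC_WORD):
    """Try all four rotations; return (rotation, payload bits after the sync word).

    Returns (None, []) when the sync word is not found under any rotation.
    """
    for k in range(4):
        bits = demap(symbols, k)
        pos = find_sync(bits, sync)
        if pos >= 0:
            return k, bits[pos + len(sync):]
    return None, []


def modulate(bits):
    """Bits -> QPSK symbols with the same Gray map (pads an odd bit count with 0)."""
    bits = list(bits)
    if len(bits) % 2:
        bits.append(0)
    lookup = {b: QPSK_POINTS[i] for i, b in enumerate(QPSK_BITS)}
    return [lookup[(bits[i], bits[i + 1])] for i in range(0, len(bits), 2)]


def make_burst(payload, rotation_quadrants, noise_sigma=0.05, seed=7):
    """Constructed test burst: sync word + payload, rotated by k*90 degrees, plus noise."""
    rng = random.Random(seed)
    rot = cmath.exp(1j * rotation_quadrants * math.pi / 2)
    return [s * rot + complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma))
            for s in modulate(list(SYNC_WORD) + list(payload))]


if __name__ == "__main__":
    payload = [1, 0, 1, 0, 0, 1, 0, 1] * 4
    for k in range(4):
        rot, bits = demodulate_with_sync(make_burst(payload, k))
        print("burst rotated by %3d deg -> resolved rotation %d, payload ok: %s"
              % (90 * k, rot, bits == payload))
```

Without the sync word, a 90-degree rotation turns every dibit 00 into 01, 01 into 11, and so on, so the sliced bitstream is a consistent but wrong transform of the data; only a known pattern (or differential encoding, which the article does not cover) tells the receiver which of the four bitstreams is the real one.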

Practical Implementations of Software-Defined Radios

While the discussion so far has focused on the basic building blocks of a software-defined receiver, many software-defined radio platforms are commercially available as off-the-shelf products. Consistent with the discussion above, most contain a general-purpose RF front end; a processor such as a DSP, FPGA, or PC; and software for demodulation and decoding. Today, engineers can also use PXI RF instruments such as a vector signal analyzer as a software-defined radio. In fact, technologies such as PCI Express allow PXI instruments to stream IQ data not only to a host PC but also directly to an FPGA. In these peer-to-peer streaming applications, a dedicated FPGA performs real-time demodulation and signal processing, programmed with tools such as NI LabVIEW FPGA.

Conclusions

While the term “software-defined radio” is often overused and misunderstood, we can gain a practical understanding of the architecture by understanding the fundamental building blocks of a receiver. With a basic understanding of receiver architectures, pulse-shaping filter types, and modulation schemes, one can develop one's own brute-force signal decoder. Of course, decoding encrypted signals presents a whole new magnitude of difficulty: encryption protects the payload even after the waveform has been perfectly demodulated, and techniques such as frequency hopping and spread spectrum make even that demodulation hard. If someone does not want you to decode a transmission, even recovering the baseband waveform will not be easy.

This article was written by David A. Hall, RF & Communications Product Manager at National Instruments, Austin, TX.

References

  1. Gu, Qizheng. RF System Design of Transceivers for Wireless Communications. Springer, 2005.
  2. Reed, Jeffrey H. Software Radio: A Modern Approach to Radio Engineering. Prentice Hall, 2002.