SDR Spectrum Analyzer
The purpose of this tutorial is to show how to use an sdr card on a callbox or UE as a spectrum analyzer. It is a useful tool for checking the receiver functionality of the specified sdr card and the transmission functionality of other (neighbouring) sdr cards.
You don't need any separate hardware for the spectrum analyzer introduced in this tutorial. You can use any sdr card that is already installed in your Callbox or UEsim, as long as you don't use it for any other purpose. For example, let's assume that you have two sdr cards in your system and you are running an LTE cell on the first sdr card (i.e, sdr0). Then you can use the second sdr card (i.e, sdr1) as a spectrum analyzer. If you are not running the lte service, meaning that you are not activating any cell (i.e, no LTE cell, no NR cell), you can use both cards (i.e, sdr0 and/or sdr1) as spectrum analyzers. So if you have a callbox or UEsim with multiple SDR cards, it is the same as having multiple spectrum analyzers for free.
Major features that SDR spectrum analyzer provides are listed below.
- Plot the signal power in time domain, frequency domain or in waterfall in real time
- Walk through the spectrogram (waterfall). It can display the spectrogram and the waveform plot on the same screen and lets you walk through (scroll through) each frequency on the spectrogram
- Capture I/Q data from the incoming signal and save it into files
- Plot the signal power in time domain, frequency domain or in waterfall from the saved binary file (NOTE : This binary file should be one that was captured by Amarisoft software.)
In some respects, this spectrum analyzer is not like a dedicated spectrum analyzer. The following are things you should not expect in comparison to a dedicated spectrum analyzer.
- It does not provide a wide frequency range. The frequency range of this spectrum analyzer is somewhat limited; it depends on the sample rate. Simply put, the frequency range is barely enough to display the full bandwidth (e.g, 20 Mhz for LTE, 50 Mhz for NR with sdr 50, 100 Mhz for NR with sdr100).
- It does not have the capability to show the constellation. (NOTE : If you want to show the constellation for incoming uplink while a call is connected, you can use the WebGUI to display the constellation. Check out this tutorial for the constellation.)
- It does not have a preamplifier
Table of Contents
- SDR Spectrum Analyzer
- Why Spectrum Analyzer on Protocol Box ?
- Test Setup
- Key Command Line
- Running on Callbox
- Running on ssh
- Test 1 : LTE on sdr 0 and Spectrum on sdr 1
- Configuration
- Run Lte Service
- Running Spectrum Analyzer with basic parameters
- Running Spectrum Analyzer with more parameters
- Test 2 : LTE on sdr 0 with different frequencies and Spectrum on sdr 1
- Configuration
- LTE Band 1 at 2140.0 Mhz
- LTE Band 2 at 1960.0 Mhz
- LTE Band 3 at 1842.0 Mhz
- LTE Band 4 at 2130.0 Mhz
- LTE Band 5 at 881.5 Mhz
- LTE Band 7 at 2680.0 Mhz
- LTE Band 20 at 806.0 Mhz
- LTE Band 71 at 634.4 Mhz
- LTE Band 72 at 463.4 Mhz
- Test 3 : LTE on sdr 0 (and 1) with different bandwidth and Spectrum on a remaining sdr
- Configuration
- LTE with BW 1.4 Mhz in Band 7
- LTE with BW 3 Mhz in Band 7
- LTE with BW 5 Mhz in Band 7
- LTE with BW 10 Mhz in Band 7
- LTE with BW 15 Mhz in Band 7
- LTE with BW 20 Mhz in Band 7
- LTE with 2 x BW 20 Mhz in Band 7
- Test 4 : sdr_test-generated OFDM signal on sdr 0 and sdr_spectrum on sdr 1
- Configuration
- OFDM BW 5 Mhz at Center Frequency = 500 Mhz
- OFDM BW 5 Mhz at Center Frequency = 1000 Mhz
- OFDM BW 5 Mhz at Center Frequency = 1500 Mhz
- OFDM BW 5 Mhz at Center Frequency = 2000 Mhz
- OFDM BW 5 Mhz at Center Frequency = 2500 Mhz
- OFDM BW 5 Mhz at Center Frequency = 3000 Mhz
- OFDM BW 5 Mhz at Center Frequency = 3500 Mhz
- OFDM BW 5 Mhz at Center Frequency = 4000 Mhz
- OFDM BW 5 Mhz at Center Frequency = 4500 Mhz
- OFDM BW 5 Mhz at Center Frequency = 5000 Mhz
- OFDM BW 5 Mhz at Center Frequency = 5500 Mhz
- OFDM BW 5 Mhz at Center Frequency = 5990 Mhz
- Test 5 : sdr_test-generated CW signal on sdr 0 and sdr_spectrum on sdr 1
- Enabling AGC / Finding Optimal Spectrum
- Power with Frequency Range
- Time Domain Waterfall Plot
- Trigger Mode
- Mixed Mode
- Analyzing LTE CRS
- Full Frequency Spectrum
- Channel Scan
- Saving I/Q Data into a file
- Spectrum from a file
- Signal Generation from a file
Why Spectrum Analyzer on Protocol Box ?
Based on my first and second hand experience in the field of testing in Protocol, RF and even baseband, I have seen many cases of verification/validation engineers struggling to troubleshoot their issues just because they lacked cheap troubleshooting tools while using sub million dollar test equipment. For example, a lot of RF tests fail because of protocol issues, not RF issues. In this case, a relatively small investment in quick protocol test equipment (or selecting RF test equipment with a better protocol analysis option) would save a lot of time and effort in troubleshooting and finding the root cause of the failures. Conversely, many protocol tests fail not because of protocol issues but because of RF (radio link) issues. Most protocol equipment is very expensive (usually starting from a few hundred K USD to over a million dollars). When a test with such a super expensive box fails and no clear root cause is found in terms of the protocol itself, in many cases the box goes idle and expensive verification engineers tend to get lost in the wrong direction. In many cases when I saw this kind of situation, I wondered why it was so difficult for them to make such a small investment, just a few 10K USD for a basic spectrum analyzer, to troubleshoot sub million dollar test equipment.
I think most of the readers would know why, but it is what it is. The best case would be to have a protocol box and a spectrum analyzer in a bundle. That's what Amarisoft Callbox (UEsim as well) does.
The Amarisoft box does not provide the spectrum analyzer as separate, dedicated hardware. It provides a special program (sdr_spectrum) that can turn an SDR card installed in the box into a spectrum analyzer. For example, if you have an Amarisoft callbox with 4 SDR cards and you are using only one of them for a specific test, you can use any one (or all) of the remaining 3 SDR cards as a spectrum analyzer. You can use it as a quick troubleshooting or visualization tool as introduced in this tutorial, or you can use it to capture I/Q signals for your algorithm test or verification software.
Test Setup
The test setup for this tutorial is as shown below. I suggest connecting antennas (or RF cables) to as many sdr cards as you need. (NOTE : In this setup, sdr1 is measuring power from sdr0 via antenna, so the measured spectrum will not be as accurate and stable as with an RF cable. If you need a more accurate / stable spectrum, connect the two sdr cards conductively (RF cable).) I just want you to build up some intuition about the output power of an sdr depending on center frequency, channel bandwidth etc.
Setup A
Setup B
SDR 0 : TX1--------> SDR 1 : RX1 AND SDR 0 : TX2 --------> SDR 1 : RX2
Key Command Line
The following is a list of the important commands used in this tutorial. You may copy and paste these examples and modify the parameter values as you need.
- sdr_spectrum
  - ./sdr_spectrum -args "dev0=/dev/sdr1" -rx_freq 2680e6
  - ./sdr_spectrum -args "dev0=/dev/sdr1" -rx_freq 2680e6 -rate 50.0e6 -dft_sample_ratio 1
  - ./sdr_spectrum -args "dev0=/dev/sdr1" -rx_freq 2680e6 -save-and-exit -duration 3.0 -save_path "/tmp"
  - ./sdr_spectrum -iq filename
- sdr_test
  - ./sdr_test -c 0 rfic_tx_test 30.72e6 500e6 30 ofdm 5e6
- sdr_play
  - ./sdr_play -args "dev0=/dev/sdr0" -rate 50.0e6 -tx_freq 2680e6 -tx_gain 90 iq_file_name
Running on Callbox
If you want to run this directly on the Callbox, you need to switch to graphics mode to launch the spectrum window.
Switch to the graphics mode using the following command
Open up two (or more) terminals: one for running the lte service and another for running the spectrum analyzer
Running on ssh
If you want to run the spectrum from a remote PC via ssh, you can do so without running startx on the callbox. However, to display the spectrum on the remote PC, the remote PC must be running X11. The only requirement is to connect over ssh with the -X option, as in the following example.
# ssh -X root@10.0.0.185
A couple of example setups that work or do not work with ssh -X are as follows.
Example 1 > Remote PC running on Fedora GUI (or any other X11 based Linux) mode ==> OK
Example 2 > Remote PC running on Windows ==> NOT OK. This would give you the message 'Could not display' when you run './sdr_spectrum'
Example 3 > Remote PC running on Windows with Virtual box running X11 based GUI (e.g, Ubuntu) ==> OK
Test 1 : LTE on sdr 0 and Spectrum on sdr 1
Configuration
You may use any configuration. In this tutorial, I used the configuration for basic LTE attach as shown here. In this test, I am measuring the spectrum of an LTE cell without any UE connected. This means the cell is only transmitting PSS/SSS/PBCH and SIB messages and there is no user traffic going on in this test.
Run Lte Service
In this tutorial, I will run an eNB/gNB on sdr0, run the spectrum analyzer on another sdr (sdr 1 or 2 or 3) and measure the spectrum of the signal transmitted by the tx port of sdr 0.
Running Spectrum Analyzer with basic parameters
Go to the /root/trx_sdr directory
Run the sdr_spectrum program as follows. Notice that sdr1 is used and the center frequency is set to the tx frequency of the sdr card being measured
./sdr_spectrum -args "dev0=/dev/sdr/sdr1" -rx_freq 2680e6
Change rx gain by Up/Down keys from previous screen to get this waveform
Press 'o' key (show sample power) on previous screen to switch to 'power vs time' mode as below
Press '+/-' key (change time scale) on previous screen to change time scale
If you are using the Callbox or UEsim later than the release 2022-02-23, you can get the waterfall plot as shown below. You can get the waterfall plot by pressing 'w' key. +/- keys for color change by shifting the power offset and 'Ctrl and +/-' keys for color contrast change. Use Left/Right arrow key to shift the plot on horizontal axis. Press 'n' key to capture only one radio plot and pause (i.e, capture the snapshot of one radio frame).
Running Spectrum Analyzer with more parameters
Run the sdr_spectrum program with more parameters as follows. Notice that sdr1 is used and the center frequency is set to the tx frequency of the sdr card being measured
Change rx gain by Up/Down keys from previous screen to get this waveform
Press 'o' key (show sample power) on previous screen to switch to 'power vs time' mode as below
Press '+/-' key (change time scale) on previous screen to change time scale
If you are using the Callbox or UEsim later than the release 2022-02-23, you can get the waterfall plot as shown below. You can get the waterfall plot by pressing 'w' key. +/- keys for color change by shifting the power offset and 'Ctrl and +/-' keys for color contrast change. Use Left/Right arrow key to shift the plot on horizontal axis. Press 'n' key to capture only one radio plot and pause (i.e, capture the snapshot of one radio frame).
Test 2 : LTE on sdr 0 with different frequencies and Spectrum on sdr 1
Configuration
You may use any configuration. In this tutorial, I used the configuration for basic LTE attach as shown here and just change frequency. In this test, I am measuring the spectrum for an LTE cell without any UE connected. It means the cell is just transmitting PSS/SSS/PBCH and SIB messages and there is no user traffic going on in this test.
LTE Band 1 at 2140.0 Mhz
NOTE : The two channels shown on the left side are from the live network. They are captured here because I am using an antenna for the test.
LTE Band 2 at 1960.0 Mhz
LTE Band 3 at 1842.0 Mhz
LTE Band 4 at 2130.0 Mhz
LTE Band 5 at 881.5 Mhz
LTE Band 7 at 2680.0 Mhz
LTE Band 20 at 806.0 Mhz
LTE Band 71 at 634.4 Mhz
LTE Band 72 at 463.4 Mhz
Test 3 : LTE on sdr 0 (and 1) with different bandwidth and Spectrum on a remaining sdr
Configuration
You may use any configuration. In this tutorial, I used the configuration for basic LTE attach as shown here and just change channel bandwidth except the last case (the last case in this test is based on gnb-2cell-ho.cfg). In this test, I am measuring the spectrum for an LTE cell without any UE connected. It means the cell is just transmitting PSS/SSS/PBCH and SIB messages and there is no user traffic going on in this test.
LTE with BW 1.4 Mhz in Band 7
LTE with BW 3 Mhz in Band 7
LTE with BW 5 Mhz in Band 7
LTE with BW 10 Mhz in Band 7
LTE with BW 15 Mhz in Band 7
LTE with BW 20 Mhz in Band 7
LTE with 2 x BW 20 Mhz in Band 7
This configuration is based on gnb-sa-ho.cfg with frequency and bandwidth changes as follows.
Test 4 : sdr_test-generated OFDM signal on sdr 0 and sdr_spectrum on sdr 1
Configuration
In this test, I am not using the Callbox software. I transmit a generic OFDM signal generated by the tool called 'sdr_test' on sdr 0 and run sdr_spectrum on sdr 1. To get a more accurate spectrum, I used an RF cable connection between sdr 0 and sdr 1 for this test, as shown in Test Setup B.
The two commands that I used in this test are as follows :
./sdr_test -c <sdr_no> rfic_tx_test <sample rate> <frequency> <tx_gain> ofdm <bw> <== OFDM signal generation
./sdr_spectrum -args "dev0=/dev/sdr1" -rx_freq <frequency> <== spectrum plot
OFDM BW 5 Mhz at Center Frequency = 500 Mhz
OFDM BW 5 Mhz at Center Frequency = 1000 Mhz
OFDM BW 5 Mhz at Center Frequency = 1500 Mhz
OFDM BW 5 Mhz at Center Frequency = 2000 Mhz
OFDM BW 5 Mhz at Center Frequency = 2500 Mhz
OFDM BW 5 Mhz at Center Frequency = 3000 Mhz
OFDM BW 5 Mhz at Center Frequency = 3500 Mhz
OFDM BW 5 Mhz at Center Frequency = 4000 Mhz
OFDM BW 5 Mhz at Center Frequency = 4500 Mhz
OFDM BW 5 Mhz at Center Frequency = 5000 Mhz
OFDM BW 5 Mhz at Center Frequency = 5500 Mhz
OFDM BW 5 Mhz at Center Frequency = 5990 Mhz
Test 5 : sdr_test-generated CW signal on sdr 0 and sdr_spectrum on sdr 1
Configuration
In this test, I am not using the Callbox software. I transmit a generic CW signal generated by the tool called 'sdr_test' on sdr 0 and run sdr_spectrum on sdr 1.
The two commands that I used in this test are as follows :
./sdr_test -c <sdr_no> rfic_tx_test <sample rate> <frequency> <tx_gain> tone <tone_offset> <== CW signal generation
./sdr_spectrum -args "dev0=/dev/sdr1" -rx_freq <frequency> <== spectrum plot
- <tone_offset>
  - If not specified, it is set to 7.68Mhz by default
  - If you want to specify your own offset frequency, consider the following limitations
    - cannot be 0
    - must be a multiple of 100
    - sample_rate must be a multiple of the offset frequency
CW at User Defined tone_offset
CW at default tone_offset
Enabling AGC / Finding Optimal Spectrum
Right after sdr_spectrum starts, rx_gain is not optimized and you will notice high adjacent power.
After AGC is applied, sdr_spectrum automatically adjusts rx_gain and shows the optimum spectrum (NOTE : press 'a' key to enable / disable AGC).
Power with Frequency Range
You should use the software release 2022-04-01 or later to use this feature.
Time Domain Waterfall Plot
You can get the time domain waterfall plot by hitting 't' key from other plots. You should use the software release 2022-04-01 or later to use this feature.
Trigger Mode
sdr_spectrum supports a level trigger. As an application of the feature, you can detect PRACH using the trigger. This example shows the detected PRACH in LTE.
Mixed Mode
From 2023-09-08 release, a special display mode called 'Mixed Mode' is supported. It shows both waterfall and the frequency waveform on the same display. You can switch back and forth between frequency spectrum and mixed mode by toggling 'x' key as shown below.
The following is a full screen showing the mixed mode display. By default, the 'frequency waveform (the upper plot)' corresponds to the frequency scan line at the top of the waterfall plot.
You can scan (scroll) up and down along the waterfall plot in 'line mode'. You can get in and out of the line mode as shown below. Once you are in the line mode, you can scroll up and down using the up/down arrow keys.
The following is an example showing the waveform corresponding to a specific time, indicated by the 'red line' in the waterfall.
Here you see how it looks in animation. This example is from one LTE radio frame with 5Mhz channel bandwidth. It was captured while the eNB was running but no UE was connected. So you see CRS (Cell Reference Signal), PBCH/PSS/SSS and PDSCH for SIBs as it walks down along the radio frame. Since there is no UE connected and no user traffic PDSCH, you will see some empty symbols.
Analyzing LTE CRS
This is a small use case of utilizing sdr_spectrum in a real application, which in this case is spectrum analysis of LTE CRS (Cell Reference Signal). In this example, I will show you the reference signals of LTE 4x4 MIMO. In the 3GPP specification, the type and position of the cell reference signal (CRS) for each antenna are specified as follows. The goal here is to visualize these reference signals using sdr_spectrum.
The test setup that I used for this analysis is as shown below. Here, the Callbox is transmitting an LTE 4x4 signal without any data, meaning that it is just transmitting PSS/SSS, PBCH, PCFICH, PDSCH for SIB and CRS (Cell Reference Signal). I ran enb with enb.default.cfg modified for 4 DL antennas (4x4 MIMO). I used UEsim just as a spectrum analyzer (i.e, just to run sdr_spectrum).
Now let's start the analysis. I will display the spectrum from all 4 RX antennas by running the following command :
./sdr_spectrum -args "dev0=/dev/sdr0,dev1=/dev/sdr1" -channel 4 -rx_freq 2680e6 -rx_gain auto
The default display shows frequency spectrum for each RX channel (i.e, signal from each eNB antenna port).
If you press 'w', you can get the time domain spectrum (power vs time, often called a Zero-span plot in the spectrum analyzer world). As illustrated below, you can easily identify the pulses for R0, R1, R2, R3 by comparing the time domain location with the Resource Grid shown in the 3GPP document.
To get some visualization in both time domain and frequency domain, you can switch to waterfall mode (spectrogram mode) by pressing 'w' key. Then you can get the plot as shown below. In this plot, x axis indicates frequency and y axis indicates time.
To get higher resolution in the time domain, press 'x' key to change the direction of the spectrogram. In this plot, the x axis represents time and the y axis represents frequency. Here you can easily identify R0, R1, R2, R3 in the time domain, but you get only a high level outline of the frequency domain profile.
Full Frequency Spectrum
You can plot the spectrum for the full frequency range that the sdr card supports using the -zoom option as shown below.
Channel Scan
You can scan and detect all the active channels within a specified band as shown below.
After the scan is completed, sdr_spectrum prints out all the detected channels in text.
You can save the result of the scan into a file by running with a redirection to file as shown below.
When the Channel scan is done, the result is saved in the specified file as shown below.
You can specify the range of the scan in frequency rather than band using the options -scan_start and -scan_end as shown below.
Saving I/Q Data into a file
You can save the IQ data into a binary file and you can analyze it with your own program (e.g, Matlab etc)
Saving I/Q with command
Save a file from the command line as shown below
The command will pop up the spectrum window first and then collect / save the IQ data into the specified folder (/tmp in this case).
NOTE : The I/Q samples are saved as little endian 32 bit float values, in I/Q order. The sample values are between -1 and 1
Saving I/Q in Spectrum Plot
You can save I/Q directly from the spectrum plot using 's' key as shown in the Keys menu in the plot. A good way to capture the I/Q in good quality is as follows.
i) Check if you see any form of spectrum with a certain bandwidth (If you don't see any spectrum with bandwidth and everything looks like noise floor, it would be likely that there is no signal or the signal is weaker than noise floor)
ii) If you see any signal with a certain bandwidth, press 'a' key to allow sdr_spectrum software perform AGC and find the best rx_gain and best spectrum. It will take several seconds to complete AGC.
iii) then press 's' key to save the signal into file. Every time you press 's' key, the signal with the duration of 1 sec will be saved in /tmp directory.
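A saved capture can be checked offline with a short script. The following is an added example, not Amarisoft code: it decodes the format given in the NOTE above (little endian 32 bit floats in I/Q order), reports how many samples sit at the ±1 limit, and locates the strongest spectral line. It assumes one rx channel per file; the function names and the 0.999 clipping limit are hypothetical, and the input is a constructed tone at the 30.72e6 sample rate and 7.68 Mhz offset used elsewhere on this page.

```python
import cmath
import math
import struct


def read_iq(raw: bytes) -> list:
    """Decode little-endian float32 I/Q pairs (assumption: one rx channel per file)."""
    if len(raw) % 8:
        raise ValueError("truncated capture: length is not a multiple of 8 bytes")
    return [complex(i, q) for i, q in struct.iter_unpack("<ff", raw)]


def clipped_fraction(samples, limit=0.999):
    """Share of samples with I or Q at the +/-1 limit (limit value is an assumption)."""
    hits = sum(1 for s in samples if abs(s.real) >= limit or abs(s.imag) >= limit)
    return hits / len(samples)


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def spectrum_dbfs(samples, nfft=1024):
    """Average Hann-windowed power spectrum in dBFS, lowest frequency first."""
    blocks = len(samples) // nfft
    if blocks == 0:
        raise ValueError("capture is shorter than one FFT block")
    win = [0.5 - 0.5 * math.cos(2 * math.pi * n / nfft) for n in range(nfft)]
    acc = [0.0] * nfft
    for b in range(blocks):
        seg = samples[b * nfft:(b + 1) * nfft]
        for k, v in enumerate(fft([s * w for s, w in zip(seg, win)])):
            acc[k] += abs(v) ** 2
    norm = blocks * sum(win) ** 2  # a full-scale tone on a bin centre reads 0 dBFS
    db = [10 * math.log10(a / norm + 1e-20) for a in acc]
    return db[nfft // 2:] + db[:nfft // 2]  # move negative frequencies to the left


def strongest_bin(samples, sample_rate, nfft=1024):
    """Return (offset in Hz from the rx centre frequency, level in dBFS) of the peak."""
    db = spectrum_dbfs(samples, nfft)
    k = max(range(nfft), key=db.__getitem__)
    return (k - nfft // 2) * sample_rate / nfft, db[k]


def constructed_capture(sample_rate=30.72e6, tone_hz=7.68e6, amp=0.5, count=4096):
    """Constructed test input: a complex tone packed in the capture format."""
    step = 2 * math.pi * tone_hz / sample_rate
    return b"".join(struct.pack("<ff", amp * math.cos(step * n), amp * math.sin(step * n))
                    for n in range(count))


if __name__ == "__main__":
    iq = read_iq(constructed_capture())
    print("clipped:", clipped_fraction(iq))
    print("peak (Hz, dBFS):", strongest_bin(iq, 30.72e6))
```

For a real capture, replace `constructed_capture()` with the bytes of the saved file and pass the sample rate that sdr_spectrum was run with; a non-zero clipped fraction suggests the capture was taken with rx_gain too high.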
Spectrum from a file
Assume that you have a binary file captured as shown below.
You can get the spectrum with the following command. NOTE : in this case you don't have to specify any sdr card since this does not use any hardware
In the spectrum from a file, you will notice that only a few menus are available. Most of the other menus, especially those related to hardware (e.g, rx_gain, AGC etc), are not available
If you want to plot the file in 'time vs power' mode, you have to specify it on the command line as shown below ('-t 1' indicates 'time vs power' mode)
If you are using the Callbox or UEsim later than the release 2022-02-23, you can get the waterfall plot as shown below. You can get the waterfall plot by pressing 'w' key. +/- keys for color change by shifting the power offset and 'Ctrl and +/-' keys for color contrast change. Use Left/Right arrow key to shift the plot on horizontal axis. Press 'n' key to capture only one radio plot and pause (i.e, capture the snapshot of one radio frame).
Signal Generation from a file
You can play the binary file (IQ file) in the hardware (i.e, generating physical signal from sdr card) using a program called sdr_play as shown below.
This command plays the file only once and quits the program
This command (with the -loop option) plays the file continuously.
And you can plot the spectrum using sdr_spectrum as shown below.