Understanding and Demodulating LTE Signals
By Marc Barberis and Graham Freeland, MathWorks
LTE-enabled devices such as cell phones and tablets are now ubiquitous, and LTE is becoming relevant to organizations outside the original cellular market. LTE provides substantially higher transmission speeds than 3G technologies. This improvement, though, comes at a cost in development and implementation complexity, in part because the LTE physical layer uses advanced communication technologies such as multiple input multiple output (MIMO) and turbo coders.
Demodulating LTE signals requires a thorough understanding of the LTE signal structure as well as advanced algorithms to extract information from the raw signal. The complexity of the standard and the algorithms and concepts involved make developing an LTE product very challenging. Analyzing a captured LTE signal, verifying an in-house implementation of an LTE system, and generating an LTE signal are tasks that require considerable effort and careful verification, and they benefit from a consistent design flow and environment.
This article explains how an LTE signal is structured and how information is retrieved from the signal. It then presents a workflow that uses LTE System Toolbox™ to acquire and demodulate an LTE downlink signal—from initial synchronization to the extraction of LTE parameters and data.
LTE Baseband Signal Characteristics
LTE is designed to efficiently transmit packets of information with low latency (a few milliseconds). LTE is based on OFDM modulation, and mandates the use of MIMO techniques. An LTE signal is organized in frames of 10ms.
An LTE frame, in turn, is composed of ten 1ms subframes (Figure 1).
Each subframe comprises14 OFDM symbols. The structure of a subframe is usually represented as a 2D resource grid of time and frequencies. Figure 2 shows the resource grid for a single subframe, which consists of 14 OFDM symbols. The grid includes from 72 to 1200 subcarriers. Each cell on the grid is known as a resource element. A resource block is a 12-by-7 set of resource elements.
When an LTE device such as a phone is turned on, it first has to detect and connect to the LTE network. LTE can be deployed with bandwidths ranging from 1.4MHz to 20MHz (corresponding to the 72 to 1200 subcarriers mentioned above). The LTE standard therefore places all the information required for the phone to connect to the network in the narrowest bandwidth, which is within the middle 72 subcarriers. This information includes:
- Primary synchronization signals and secondary synchronization signals (PSS and SSS), which help determine the frame timing and cell identification. These signals occur every five subframes.
- The broadcast channel (BCH), which carries the Master Information Block (MIB). The MIB includes information such as the actual cell bandwidth (between 1.4MHz and 20 MHZ). The BCH occurs every 10 subframes.
Figure 3 shows the placement of PSS, SSS, and BCH within subframe 0 of a frame.
As mentioned earlier, each subframe includes 14 OFDM symbols. The first few symbols represent the control region. They are reserved for control information, with payload data going into the remaining symbols. The number of control symbols varies from subframe to subframe, and is signaled by the Physical Control Format Indicator Channel (PCFICH).
The network includes three additional channels:
- Physical Hybrid Indicator Channel (PHICH), which carries acknowledgments for data previously sent to the base station
- Physical Downlink Control Channel (PDCCH), which carries information such as which part of the grid is allocated to a particular user and which modulation and coding scheme is used
- Physical Downlink Shared Channel (PDSCH), which carries traffic data
Figure 4 shows the different channels for subframe 0 with a 3MHz bandwidth. Marked in white are Cell-Specific Reference Signals (CRS), which are pilot symbols used for coherent demodulation.
Demodulating an LTE Signal in MATLAB with LTE System Toolbox
In this example we will be simulating what happens when a mobile phone is turned on. A phone must typically perform the following tasks (Figure 5):
- Acquire a signal on a given LTE carrier frequency.
- Determine frame synchronization and cell identification (cell search procedure) based on the PSS and SSS.
- Decode the Master Information Block to get the bandwidth information.
For each subframe it needs to decode, it must do the following:
- Decode the PCFICH to determine the size of the control region.
- Locate control information (PDCCH) so that it can decode the associated data (PDSCH).
In this example, we assume the signal has been acquired and is stored in a file.
Determining Frame Synchronization and Cell Identification
The cell search involves two steps:
- Perform running correlation with three possible PSS and detect a peak in any of the three correlators. The position of the peak provides frame timing with an uncertainty of five subframes, as the PSS is present in both subframe 0 and subframe 5.
- Once a peak is detected, perform correlation with 31 possible SSS in subframes 0 and 5 to find one of 168 possible combinations of two SSS.
The result of these two steps is the cell identification number, a number between 0 and 3*168-1=503 (17 in our example), and the frame timing.
We complete these steps using the
lteCellSearch function in LTE System Toolbox.
lteCellSearch computes all correlations with possible PSS and SSS, and returns the cell ID and frame timing.
% Perform cell search on the input waveform [NCellID, TimingOffset] = lteCellSearch(enb,waveform); % Synchronize input signal knowing the frame timing waveform = waveform (1+ TimingOffset:end);
Figure 6 shows the correlation result obtained after the
lteCellSearch function determined the cell ID for the input signal.
Decoding the Master Information Block (Determine Bandwidth)
Now that we know the frame timing and the cell identification, we can perform OFDM demodulation on the signal to extract the OFDM grid values. We will then be able to perform channel estimation based on the known reference signals (CRS) transmitted by the base station1.
To perform the OFDM modulation we invoke the
lteDLChannelEstimate functions in LTE System Toolbox:
% Perform OFDM demodulation including cyclic prefix removal rxgrid = lteOFDMDemodulate(enb, waveform); % Estimate the channel on the middle 6 RBs [ChannelEst, noiseEst] = lteDLChannelEstimate(enb,cec,rxgrid);
Figure 7 shows the grid after OFDM demodulation. The signal is heavily corrupted by transmission impairments and noise.
We must now compute the grid positions to which the MIB was mapped, demodulate this information, decode the MIB, and interpret the content of the binary fields.
We can complete all these tasks with just four MATLAB® commands:
% Extract resource elements corresponding to the PBCH from the first % subframe across all receive antennas and channel estimates pbchIndices = ltePBCHIndices(enb); [pbchRx, pbchHest] = lteExtractResources( ... pbchIndices, rxgrid(:,1:L,:), hest(:,1:L,:,:)); % Decode PBCH [bchBits, pbchSymbols, nfmod4, mib, enb.CellRefP] = ltePBCHDecode( ... enb, pbchRx, pbchHest, nest); % Parse MIB bits enb = lteMIB(mib, enb);
And enb, the structure that includes the base station (or eNodeB) parameters is as follows:
NDLRB: 50 NCellID: 17 NSubframe: 0 CellRefP: 2 PHICHDuration: 'Normal' Ng: 'One' NFrame: 404
As a result, we know that the cell bandwidth is 50 resource blocks (NDLRB), or 10MHz. In addition to this value, we obtained further information from the MIB, including the number of antennas (two), the frame number (404), and the PHICH configuration (not covered in this article).
Acquiring System Information
At this point, we have already determined some key parameters:
- Cell identity
- Frame timing
- Cell bandwidth
- Number of antennas in the cell
- PHICH configuration
Before we contact the base station, however, we need to know a bit more about the cell (including whether this cell’s operator is the one that we have a contract with!). These additional pieces of information are included in the various System Information Blocks (SIBs). We will now demodulate System Information Block Type1 (SIB1).
Although SIB1 is transmitted within a fixed time schedule, the resource allocation of the PDSCH carrying SIB1 is dynamic. It is indicated in an associated Downlink Control Information (DCI) message carried on the PDCCH.
The base station encrypts all DCI messages with a Radio Network Identifier (RNTI) that characterizes the intended recipient. SIB1 is of interest to all users, and it has a known RNTI of 65535 (called SI-RNTI or System Information RNTI). This enables all UEs, including unassociated ones, to look for and decode SIB1.
Decoding the SIB1 Control Information
Identifying the PDCCH is quite challenging as, unlike the BCH, the PDCCH has a complex structure: the PDCCH carries a variable number of DCI messages of variable lengths that can start at various locations within the PDCCH space.
For this reason, once we have extracted all the symbols that correspond to the PDCCH, we must perform a blind search for a DCI message that would be scrambled with the SI-RNTI.
LTE System Toolbox contains the functions we need, including the ability to perform a blind search of the PDCCH space. The code below shows how we decode the PCFICH to determine the size of the control region, then extract the PDCCH, perform a blind search of the PDCCH space for the SI-RNTI, and decode SIB1.
% Decode PCFICH cfiBits = ltePCFICHDecode(enb, pcfichRx, pcfichHest, nest); enb.CFI = lteCFIDecode(cfiBits); % Get CFI % PDCCH demodulation. The PDCCH is now demodulated and decoded using % similar resource extraction and decode functions to those shown % already for BCH and CFI reception pdcchIndices = ltePDCCHIndices(enb); % Get PDCCH indices [pdcchRx, pdcchHest] = lteExtractResources(pdcchIndices, rxgrid, hest); % Decode PDCCH [dciBits, pdcchSymbols] = ltePDCCHDecode(enb, pdcchRx, pdcchHest, nest); % PDCCH blind search for System Information (SI) and DCI decoding. The % LTE System Toolbox provides full blind search of the PDCCH to find % any DCI messages with a specified RNTI, in this case the SI-RNTI. pdcch = struct('RNTI', 65535); dci = ltePDCCHSearch(enb, pdcch, dciBits); % Search PDCCH for DCI
Figure 8 shows the constellation corresponding to the PDCCH. Control information is modulated with a QPSK scheme.
Decoding the SIB1 Data
Now that we have decoded the control information associated with SIB1, we can retrieve and decode the actual SIB1 data.
We parse the DCI message to give the configuration of the corresponding PDSCH carrying SIB1, and demodulate the PDSCH. The received bits are DL-SCH decoded to yield the SIB1 bits:
pdschIndices = ltePDSCHIndices(enb, pdsch, pdsch.PRBSet); [pdschRx, pdschHest] = lteExtractResources(pdschIndices, rxgrid, hest); % Decode PDSCH dlschBits = ltePDSCHDecode(enb, pdsch, pdschRx, pdschHest, nest); % Decode DL-SCH [sib1, crc] = lteDLSCHDecode(enb, pdsch, trblklen, dlschBits);
The bit vector sib1 is now ready for export from MATLAB into an ASN.1 decoder to decode the System Information Block Type1 message.
This example showed how LTE System Toolbox can be used to extract system information from a live LTE signal. LTE System Toolbox supports further processing of the signal, including uplink and TDD mode, measurements such as EVM and ACLR, and conformance tests.
You can use LTE System Toolbox to perform link-level and performance simulation, verify your own LTE implementation, generate and analyze LTE waveforms or, as we have shown here, demodulate synthesized or live signals by connecting MATLAB to test and measurement instruments.
1 In LTE, the base station is also known as eNodeB.
Published 2015 - 92271v00