Geek DIY: cheap TV rod play GNSS-SDR, real-time GPS Positioning
0 × 00 Preface
FreeBufPopular Science:
GPS is short for Global Navigation Satellite System. Chinese name: global satellite navigation system and global navigation satellite system.
GPS refers to all satellite navigation systems, including global, regional, and enhanced systems, such as GPS in the United States, Glonass in Russia, Galileo in Europe, and Beidou satellite navigation system in China, and related enhancement systems, such as the us waas (Wide Area Enhancement System), the European EGNOS (European static navigation overlapping system), and the Japanese MSAS (multi-function Transport Satellite enhancement system, it also covers other satellite navigation systems to be built in the future.
0 × 01 Summary
This paper describes the cheapest way to use GNSS-SDR to play around wireless signals. As this product is the result of the joint efforts of many people, it cannot be listed one by one. Here we will only mention the pioneer of this product, Antti palw.ari, The V4L/DVB kernel developer, he found that an undisclosed operating mode exists for a usb TV rod Based on the realtek ruijing (also called crab) RTL2832U chip, which can be used as a front-end of a cheap software radio. This important feature is that the chip allows devices to send native I/Q sampling signals to the host, and then the host is responsible for demodulation of the DAB/DVB +/FM signals. This is good news for the GPS software receiver because it covers the target frequency bandwidth.
According to the specification, RTL2832U can output 8-bit I/Q Sampling Signals at up to 3.2 MSPS baseband sampling frequency. However, tests showed that the maximum lossless sampling frequency was 2.8 MSPS. The frequency range is heavily dependent on the tuner Used. The TV bar using the Elonics E4000 tuner may provide the widest frequency range (64-1700 MHz, while the sampling blind zone exists between 1100-1250MHz ). When used in excess of the specifications, the tuner can cover 50 MHz-2.2 GHz (including blind spots ). For more information about the compatibility of this device, see OsmocomSDR Wiki.
The central frequency of the global satellite navigation system (GPS) Galileo-E1 and GPS-L1 links is 1575.42 MHz, and the E400 tuner chip can cover this band. We can configure the GNSS-SDR and use RTL2832U as the real-time signal source to provide a low-cost option for building a GPS-L1 signal receiver (dozens ). This article describes operation details and some performance tests about the new feature of GNSS-SDR.
0 × 02 OsmoSDR driver
The GNSS-SDR needs to use the OsmoSDR GNU Radio data source module (source block) and its driver to support the realtek Referer RTL2832U chips. The researchers implemented the new GNSS-SDR data source adapter, which is actually a class instance of gr_hier_block2 on OsmoSDR, and the associated GNSS-SDR data source name is Osmos dr_signal_source. The source code of the adapter is located:
trunk/src/algorithms/signal_source/adapters/osmosdr_signal_source.htrunk/src/algorithms/signal_source/adapters/osmosdr_signal_source.cc
Call the libgnuradio-osmosdr function library by including the following header files:
#include
#include
Added GNSS-SDR support for RTL2832U during compilation is optional and the OsmoSDR library needs to be installed. For the step-by-step build procedure, see the GNSS-SDR instructions at trunk/README.
0x03 set GNSS-SDR to enable GPS-L1 in real time mode
To be compatible with USB DVB-T devices, we must select Osmos dr_signal_source as the signal source module (SignalSource block) in the GNSS-SDR profile (gnss-sdr.conf ). In addition, we also need to configure the following parameters:
Baseband sampling frequency // the baseband sampling frequency RF center frequency // the RF center frequency RF gain (IF gain) // the RF gain automatic gain control (AGC) mode // the AGC operation
The valid configuration for receiving the GPS-L1 C/A signal is as follows:
[GNSS-SDR];######### GLOBAL OPTIONS ##################GNSS-SDR.internal_fs_hz=2000000;######### CONTROL_THREAD CONFIG ############ControlThread.wait_for_flowgraph=false;######### SIGNAL_SOURCE CONFIG ############SignalSource.implementation=Osmosdr_Signal_SourceSignalSource.item_type=gr_complexSignalSource.sampling_frequency=2000000SignalSource.freq=1575420000SignalSource.gain=60SignalSource.AGC_enabled=trueSignalSource.enable_throttle_control=false
The security researcher suggested setting the sampling frequency to 2 MSPS. In the case of Core 2 quad-core Q9000 processor @ 2.66GHz clock speed and 4G memory hardware, this configuration can implement real-time receiving operations on eight satellite channels. In addition, enable the automatic control gain (AGC) of E4000 to achieve the best effect.
Accuracy and stability of 0 × 04 RTL2832U Oscillator
As stated by Michelle Bavaro on his blog on the ground that the precision of the crystal oscillator used by the RTL2832U TV rod is very low. The problem was confirmed by experiments on two devices (EzCap666 and Generic P160. The authors use high-precision signal generators to generate unmodulated carrier signals on the GPS-L1 link and then measure carrier frequency errors in captured signals. The deviation on the EzCap device is 80 KHz, while on the P160 device is 14.8 KHz.
The error of the local crystal oscillator has two effects on the GPS receiver:
1. the baseband signal is offset to an Intermediate Frequency (Intermediate Frequency // IF // medium Frequency; middle Frequency;), which is equivalent to the deviation of the voltage controlled oscillator (VCO deviation ). It can also be seen as a significant Doppler shift. If the superimposed Doppler shift (actual signal Doppler Shift + offset intermediate frequency) exceeds the identifiable Doppler search interval, the signal recognition will fail. 2. Because the sampling clock of the analog-to-digital converter should also refer to the local oscillator, the sampling frequency may also be deviated. This problem affects the trace latency Phase-lock Loop (Delay Locked Loop DLL), because the theoretical sampling clock frequency set in the configuration file is different from the actual sampling clock frequency. If the deviation is too large, the trace delay Phase-lock loop (DLL) will also fail to lock.
Thanks to the flexibility of the GNSS-SDR, security researchers can eliminate these two negative effects by modifying the Software Receiver configuration. On the one hand, you can enable the following frequency conversion FIR filter to use the Signal adjustment module (Signal Conditioner block) to offset the IF ):
;######### SIGNAL_CONDITIONER CONFIG ############SignalConditioner.implementation=Signal_ConditionerDataTypeAdapter.implementation=Pass_Through;######### INPUT_FILTER CONFIG ############InputFilter.implementation=Freq_Xlating_Fir_FilterInputFilter.input_item_type=gr_complexInputFilter.output_item_type=gr_complexInputFilter.taps_item_type=floatInputFilter.number_of_taps=5InputFilter.number_of_bands=2InputFilter.band1_begin=0.0InputFilter.band1_end=0.85InputFilter.band2_begin=0.90InputFilter.band2_end=1.0InputFilter.ampl1_begin=1.0InputFilter.ampl1_end=1.0InputFilter.ampl2_begin=0.0InputFilter.ampl2_end=0.0InputFilter.band1_error=1.0InputFilter.band2_error=1.0InputFilter.filter_type=bandpassInputFilter.grid_density=16InputFilter.sampling_frequency=2000000InputFilter.IF=14821;######### RESAMPLER CONFIG ############Resampler.implementation=Pass_ThroughResampler.dump=falseResampler.item_type=gr_complex
On the other hand, the sampling frequency error can be measured and considered by setting the predicted sampling clock frequency parameter in the GNSS-SDR.
GNSS-SDR.internal_fs_hz=corrected_valueInputFilter.sampling_frequency=corrected_valueResampler.sample_freq_in=corrected_valueResampler.sample_freq_out=corrected_value
0x05 GPS active antenna
The security researcher uses a Low Noise Amplifier (Low Noise Amplifier LNA) antenna with a ceramic patch day as an active GPS antenna to reduce the overall Noise. Display Garmin GA27C GPS antenna. We can see a ceramic patch on its PCB:
Garmin GA-27 active antenna with plastic case removed
To connect the antenna to a DVT-T TV stick, security researchers need to make some hardware modifications:
1. Assuming that the GPS antenna is configured with SMA connectors, in order to allow the GPS antenna to connect to the DVB-T TV rod, we need to make our own RF (RF) cable to convert the SMA connector into MCX connectors. 2. You need to use the Bias-T network (Bias-T network) feed low noise amplifier (LNA ).
0 × 06 performance measurement and conclusion
To receive and process GPS signals in real time, the security researcher evaluated two different configurations.
Method 1: The security researcher uses a self-made 20dB amplifier and filter circuit to connect the dvb TV rod to the active SMD antenna. The gain module (gain block) provides + 5 v dc voltage to power the low noise amplifier (LNA) inside the active antenna.
It is a combination of dvb TV stick (generic P160), low noise amplifier (LNA) and active antenna:
DVB-T antenna connecting a universal P160 GA-27 TV rod with an external LNA Circuit
Another method: the security researcher uses the bias-T network (standard bias-T network) to directly connect the active GPS antenna with the dvb TV rod. This setting is shown in:
Connect a universal P160 DVB-T TV rod to a GA-27 Antenna Using a bias-T network
In these experiments, the security researcher used the Dell XPS M1530 notebook and configured it:
Intel Core 2 dual-Core T9300 CPU (Intel Core 2 Duo T9300 CPU) memory: 4 GB Operating System: Ubuntu 12.04 GNU Radio version 3.6.0
At the time of writing this article (SVN rev. 227), when the RtlsdrSignalSource sampling frequency is reduced from 2MSPS to 1MSPS, the above devices can support real-time operations on four satellite channels. Although limited bandwidth is supported, the GNSS-SDR can be obtained, tracked, and located through both of the preceding configurations. The antenna is placed on the roof of the CTTC building, which is invariably maintained during the experiment.
Tracking.dump=trueTracking.dump_filename=./tracking_ch_
In subsequent analysis, the researchers used the Matlab script for the integrity check. The script location is as follows:
trunk/src/utils/matlab/gps_l1_ca_dll_pll_plot_sample.m
The image clearly shows the gps c/A navigation signal. The output of the PLL and DLL phase detector is very messy.
Tracking Data Analysis
Finally, you can use Google Maps to depict the obtained KMV location file, as shown in. The yellow line code indicates the location change within the 10-second interval, while the red arrow indicates the actual location of the antenna. In addition, we have also drawn the changes in height. With 4 satellites and a very low sampling frequency of-1.2 MSPS, the researchers can estimate the Position Velocity and Time PVT ), the estimated positioning error is within the range of 200 meters.
Using Google Maps to analyze locations estimated by GNSS-SDR
0 × 07 Summary
Summarizing this preliminary experiment, the researchers concluded that it is feasible to use a low-cost Realtek DVB-T TV rod to implement GPS positioning. It is said that this is the first time that the GPS software receiver uses the RTLSDR device for real-time locating. This milestone allows us to use our laptops and extremely low-cost hardware to gain the potential of the GPS service. Researchers are planning to further test and enhance support for the RTLSDR device.