This page is about understanding the LoRa RF modulation format.
LoRa is an abbreviation of Long Range, meaning it is a radio modulation format that gives longer range than straight FSK modulation. This is achieved by a combination of methods: it uses a spread spectrum technique called Chirp Spread Spectrum (CSS) and it uses forward error coding (in combination with whitening and interleaving).
To transmit or receive LoRa signals, you need to buy hardware that supports this modulation format.
The goal of this project is to collect more detailed information on the LoRa modulation and packet format. A concrete result could be that someone writes software which makes it possible to receive and decode LoRa signals with a cheap software defined radio, like rtlsdr.
The LoRa modulation appears to be defined by the following parameters:
- the bandwidth BW, meaning the difference between the minimum and maximum frequency
- the spreading factor SF, this is a measure for the number of bits encoded per symbol
- the coding rate CR, this is a measure for the amount of forward error correction
On the air I have seen the following waveforms:
- a series of up-chirps at the start of a message (preamble), the number of up-chirps corresponds to the PreambleLength registers
- two up-chirps with a chirp-phase corresponding to the contents of the SyncWord register
- two down-chirps at the end of the preamble (sync-pattern)
- data-chirps, these consist only of up-chirps (like the preamble), but with a jump in the "phase"/timing of the chirp. The frequency shift of this jump likely encodes one symbol representing several data bits (SF bits per symbol).
One symbol has a length in time of (2^SF)/BW. Chirps seem to have a constant chirp rate for a specific modulation setting, both when going up and down. When the frequency of a chirp reaches the end of the band, it "wraps around" to the other side. One chirp nominally covers the entire bandwidth BW once during one symbol time.
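The chirp timing and wrap-around described above can be tried offline with the following added example, which is not part of the original page or of any Semtech code. It assumes the signal is sampled at exactly fs = BW, that the symbol value is the chirp's starting frequency offset in steps of BW/2^SF (the page only says this is likely), and it uses the usual CSS receiver approach of dechirping followed by a DFT peak search; all function names are hypothetical.

```python
import cmath
import math
import random

def symbol_time(sf, bw_hz):
    """Symbol duration in seconds: (2^SF)/BW, as stated above."""
    return (1 << sf) / bw_hz

def chirp(sf, symbol=0):
    """One up-chirp sampled at fs = BW (2^SF samples per symbol).

    Assumption: the symbol value is the starting frequency offset, in steps
    of BW/2^SF; the sweep wraps to the low band edge when it reaches the top.
    """
    n = 1 << sf
    out, phase = [], 0.0
    for k in range(n):
        out.append(cmath.exp(2j * math.pi * phase))
        # Normalised instantaneous frequency in [-0.5, 0.5) cycles/sample.
        phase += ((symbol + k) % n) / n - 0.5
    return out

def add_noise(samples, snr_db, seed):
    """Add complex Gaussian noise at the given per-sample SNR (signal power 1)."""
    rng = random.Random(seed)
    sigma = math.sqrt(10 ** (-snr_db / 10) / 2)  # per I/Q component
    return [x + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for x in samples]

def demodulate(samples, sf):
    """Dechirp with the conjugate base up-chirp, then pick the strongest DFT bin."""
    n = 1 << sf
    tone = [x * r.conjugate() for x, r in zip(samples, chirp(sf))]
    def power(b):
        return abs(sum(t * cmath.exp(-2j * math.pi * b * k / n)
                       for k, t in enumerate(tone)))
    return max(range(n), key=power)

if __name__ == "__main__":
    sf = 8  # constructed test symbols, not taken from a recording
    for sym in (0, 1, 100, 255):
        rx = add_noise(chirp(sf, sym), snr_db=-6, seed=sym)
        print(sym, demodulate(rx, sf))
    print("symbol time at BW=8 kHz:", symbol_time(sf, 8000), "s")
```

Because the dechirped symbol is a pure tone, all 2^SF samples add coherently in one DFT bin, which is why the constructed symbols are still recovered with the noise power above the signal power.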
The image on the right shows the LoRa spectrogram for a short message as recorded by gqrx, when sending a 1-byte payload (with settings SF=12,BW=8,CR=4/8, implicit header). At the bottom of the spectrogram you can see the preamble consisting of 10 up-chirps and 2 down-chirps. At the top of the spectrogram you see the data portion of the signal, consisting solely of up-chirps.
Since the LoRa signal is basically a single carrier being swept over a certain bandwidth in a specific way, it is possible to recover the frequency by FM demodulation of the signal generated by a Semtech chip, in my case from a HopeRF RFM95 module. This allows for a more compact representation of the signal for analysis.
The image on the left shows the audio captured in Audacity from an FM-demodulated LoRa signal (with settings BW=8kHz, CR=4/8, SF=8, implicit mode, 1-byte payload).
On the top of the image the signal is shown when the payload is 0x00. On the bottom of the image the signal is shown when the payload is 0xFF. In the highlighted area, some differences can be seen between the FM-waveforms.
Some experimentation shows that when the preamble length n is set to 0 through the register interface, we still see 2 up-chirps and 2 down-chirps (plus 1/4th of an up-chirp) in the preamble on-air. This is consistent with the preamble timing formula in the datasheet, which states that the preamble is (n + 4.25) symbols long.
Some thoughts on analysis:
- For simplicity, the output length of the forward error coding parameter CR can be chosen to be equal to the symbol size SF. This way each 4-bit nibble should result in exactly one output symbol. For example, use CR=4/6 with SF=6, CR=4/7 with SF=7, CR=4/8 with SF=8.
- Make the payload equal to the PRNG sequence, such that the whitening effect of the PRNG is cancelled out, possibly making analysis easier.
- Vary the payload with a walking-bit sequence, so the shuffling order of the interleaver can be analysed.
Something that is not mentioned in the RFM95 datasheet, but is mentioned in the SX1276 datasheet, is the SyncWord setting in register 0x39. The datasheet mentions a default setting of 0x12 and a LoRaWAN setting of 0x34.
Modifying this setting (trying 0x00, 0x12, 0x34, 0xFF) results in the following changes to the FM waveform just before the reverse chirps. From top to bottom: SyncWord = 0x00, SyncWord = 0x12, SyncWord = 0x34, SyncWord = 0xFF. It seems the setting influences the "starting value" of the two chirps just before the reverse chirps. The starting value appears to be closely related to the low nibble of the sync word (with 0xF corresponding to half the symbol time).
The datasheet suggests that CRC can be turned off and on through bit RxPayloadCrcOn in register RegModemConfig2 (0x1E). The image on the right shows the effect of turning it off (top) and on (bottom).
Oddly enough, this doesn't seem to influence the length of the transmission.
Settings: BW=8,CR=4/8,SF=8, 1 byte payload (0x00).
See here for some IQ recordings of the LoRa signal.
The filenames contain a code for the LoRa modulation setting which was used for each recording. This should mostly be obvious. For example, a postfix of BW21CR48SF6PL64x00 means the following:
- BW21: Bandwidth is approximately 21 kHz (20.8 actually)
- CR48: Code rate is 4/8
- SF6: Spreading factor is 6
- PL64x00: Payload is 64 bytes of 0x00
The files were recorded on MS Windows using sdr# v22.214.171.1241 at a sample rate of 1024 kHz.
- RFM95 datasheet
- A nice explanation of the preamble and data modulation at link-labs
- Semtech AN1200.22 Lora modulation basics
- rtl-sdrangelove plugins f4exb github
- hexameron github
- Semtech LoRa Calculator, allows you to play with modulation parameters and see the impact on symbol time, sensitivity etc.
- The LoRa patent, which describes mostly the structure of the transmitter side.
- Annotated image of the LoRa signal by Leo Bodnar, clearly showing the preamble, preamble-end-marker and the data bits