DecodingLora: Difference between revisions

From RevSpace
Jump to navigation Jump to search
No edit summary
m (Remove non-existing mode)
Line 51: Line 51:


Some thoughts on analysis:
Some thoughts on analysis:
* For simplicity, the output length of the forward error coding parameter CR can be chosen to be equal to the symbol size SF. This way each 4-bit nibble should result in exactly one output symbol. For example use CR=4/5 with SF=5, CR=4/6 with SF=6, CR=4/7 with SF=7, CR=4/8 with SF=8,
* For simplicity, the output length of the forward error coding parameter CR can be chosen to be equal to the symbol size SF. This way each 4-bit nibble should result in exactly one output symbol. For example use CR=4/6 with SF=6, CR=4/7 with SF=7, CR=4/8 with SF=8,
* make the payload equal to the PRNG sequence, such that the whitening effect of the PRNG is cancelled out, possibly making analysis easier.
* make the payload equal to the PRNG sequence, such that the whitening effect of the PRNG is cancelled out, possibly making analysis easier.
* vary the payload with a walking-bit sequence, so the shuffling order of the interleaver can be analysed.
* vary the payload with a walking-bit sequence, so the shuffling order of the interleaver can be analysed.

Revision as of 21:54, 12 January 2016

Project DecodingLora
DecodingLora Project.jpg
Status Initializing
Contact bertrik
Last Update 2016-01-12

This page is about understanding the LoRa RF modulation format.

LoRa is an abbreviation of Long Range, meaning it is an radio modulation format that gives longer range than straight FSK modulation. This is achieved by a combination of methods: it uses a spread spectrum technique called Chirp Spread Spectrum (CSS) and it uses forward error coding (in combination with whitening and interleaving).

To transmit or receive LoRa signals, you need to buy hardware that supports this modulation format.

The goal of this project is to collect more detailed information on the LoRa modulation and packet format. A concrete result could be that someone writes software which makes it possible to receive and decode LoRa signals with a cheap software defined radio, like rtlsdr.


Modulation basics

The LoRa modulation appears to be defined by the following parameters:

  • the bandwidth BW, meaning the difference in minimum and maximum frequency
  • the spreading factor SF, this is a measure for the number of bits encoded per symbol
  • the coding rate CR, this is a measure for the amount of forward error correction

On the air I have seen the following waveforms:

  • a series of up-chirps at the start of a message (preamble)
  • two down-chirps at the end of the preamble (sync-pattern)
  • data-chirps, these consist only of up-chirps (like the preamble), but with a jump in the "phase"/timing of the chirp. The frequency shift of this jump likely encodes one symbol representing several data bits (SF bits per symbol).

One symbol has a length in time of (2^SF)/BW. Chirps seem to have a constant chirp rate for a specific modulation setting, both when going up and down. When the frequency of a chirp reaches the end of the band, it "wraps around" to the other side. One chirp nominally covers the entire bandwidth BW once during one symbol time.

Investigation

Gqrx bw0 cr2 sf12.png

The image on the right shows the LoRa spectrogram for a short message as recorded by gqrx, when sending a 1-byte payload (with settings SF=12,BW=8,CR=4/8, implicit header). At the bottom of the spectrogram you can see the preamble consisting of 10 up-chirps and 2 down-chirps. At the top of the spectrogram you see the data portion of the signal, consisting solely of up-chirps.

Since the LoRa signal is basically a single carrier being swept over a certain bandwidth in a specific way, it is possible to recover the frequency by FM demodulation of the signal generated by a Semtech chip, in my case from a hoperf RFM95 module. This allows for a more compact representation of the signal for analysis.

Audacity bw0 cr4 sf8.png

The image on the left shows the audio captured in audacity from an FM-demodulated LoRa-signal (with settings BW=8kHz, CR=4/8, SF=8, implicit mode, 1-byte payload).

On the top of the image the signal is shown when the payload is 0x00. On the bottom of the image the signal is shown when the payload is 0xFF. In the highlighted area, some differences can be seen between the FM-waveforms.

Some experimentation shows that when the preamble length n is set to 0 through the register interface, we still see 2 up-chirps and 2 down-chirps (plus 1/4th of a up-chirp) in the preamble on-air. This is consistent with the preamble timing formula in the datasheet, which states that the preamble is (n + 4.25) symbols long.

Some thoughts on analysis:

  • For simplicity, the output length of the forward error coding parameter CR can be chosen to be equal to the symbol size SF. This way each 4-bit nibble should result in exactly one output symbol. For example use CR=4/6 with SF=6, CR=4/7 with SF=7, CR=4/8 with SF=8,
  • make the payload equal to the PRNG sequence, such that the whitening effect of the PRNG is cancelled out, possibly making analysis easier.
  • vary the payload with a walking-bit sequence, so the shuffling order of the interleaver can be analysed.

Recordings

See here for some IQ recordings of the LoRa signal.

The filenames contain a code for the LoRa modulation setting which was used for each recording. This should mostly be obvious. For example, a postfix of BW21CR48SF6PL64x00 means the following:

  • BW21: Bandwidth is approximately 21 kHz (20.8 actually)
  • CR48: Code rate is 4/8
  • SF6: Spreading factor is 6
  • PL64x00: Payload is 64 bytes of 0x00

The files were recorded on ms windows using sdr# v1.0.0.1111 at a sample rate of 1024 kHz.

External links

Retrieved from ‘https://revspace.nl/wiki/index.php?title=DecodingLora&oldid=7851