spritelab / 5GSniffer


HOW TO CONFIGURE SNIFFER FOR TDD NOT FDD #3

Open ivyselly opened 1 year ago

ivyselly commented 1 year ago

hello @NorbLd @gnoubir

please i am trying to use the 5gsniffer sniffer for TDD cells rather than FDD and i'd like to know if this is possible and which config files i need to make changes to in order to get this done.

any pointers will be very much appreciated.

NorbLd commented 1 year ago

Hello,

We have not tested the sniffer with TDD, as when we developed the sniffer we only had access to FDD in our area. I believe it might need some tweaking but it should be in principle doable. Do you have any file recording of a TDD cell that you can share so I might debug it?

Thank you,

pricalinat commented 10 months ago

Hello, my region only has TDD for 5G service. Is your project compatible with TDD now? Also, how difficult would it be to adapt it to support TDD? Thank you @NorbLd

ivyselly commented 8 months ago

hi, i want to leave a quick update here please. Testing the sniffer using a 5G test bed from srsRAN and Open5GS yielded no results for the live capture, for both TDD and FDD. We also tested with a captured file but got no results.

However, when we generated a 5G waveform using MATLAB's apps, the sniffer was able to accurately decode the cell ID in both the live capture and the recorded file.

However, in both cases we had trouble decoding the PDCCH, I guess due to issues with determining and setting the needed parameters in the config file, or maybe because we weren't actually transmitting any data between the UE and the gNB?

thank you @NorbLd

NorbLd commented 8 months ago

Hi ivyselly,

Thank you for your update.

First, for the issue of not being able to decode over-the-air transmissions, but being able to obtain MIBs from a Matlab 5G waveform, I believe it could be due to a mismatch between the receiving center frequency and the over-the-air SSB frequency. The sniffer will try to find the SSB (3.84 MHz wide for 15 kHz SCS and 7.68 MHz wide for 30 kHz SCS) around the center frequency. If the center frequency is off by enough kHz, the sniffer will fail to correlate with the PSS/SSS and thus it will fail to synchronize. Could you make sure that the receiver center frequency is centered on the SSB?

As for not being able to find PDCCHs, I think it is likely that the reason is an incorrect configuration parameter. Unfortunately, with the added flexibility in 5G, the CORESET region can have different frequency offsets to the SSB, depending on multiple parameters (offsetToPointA, K_SSB, PointA, ...), and the CORESET itself has multiple parameters. I added some detailed instructions in the README some time ago; did that help?

I can help you find the issue if you send me the logs and a sample recording over email.

Thank you,

andreaterni7 commented 3 months ago

Hi @NorbLd, are there any news/updates about the tool working in TDD? I have been trying it for the last few weeks but it does not seem to work.

DancingSW commented 3 months ago

Hello!

I also tried to sniff TDD signals, but it did not work (Currently, I am forcing my cellphone to connect to FDD gNB to use the sniffer). The following is the output I got when I tried to decode TDD signal.

[info] [18:07:54.514523 thread 27791] [config.h:74] Loading configuration file ../t-mobile.toml
[error] [18:07:54.750748 thread 27791] [syncer.cc:278] Timing error smaller than cp

If I understand correctly, it should be able to find a MIB signal at least, but it failed. I would like to debug and contribute to extending TDD support. @NorbLd By any chance, can you suggest where I can start? I have not looked into all the details (like the difference between FDD and TDD) but I plan to dive in soon. Before that, I would like to hear your intuition and opinion first. Below, I have also attached the spectrum file and configuration messages (MIB, SIB1, and RRC-setup). SSB-ARFCN is 521310 (i.e., n41).

fc32_file MIB/SIB1/rrc-setup

andreaterni7 commented 3 months ago

Hello @DancingSW, I managed to connect srsue (srsRAN 4G) with srsgnb (srsRAN Project) in FDD with the following cell config:

dl_arfcn: 388000
band: 2
channel_bandwidth_MHz: 10
common_scs: 15
plmn: 00101
tac: 40960
pci: 1

I tried to use the tool but all I got is:

Active RF plugins: libsrsran_rf_uhd.so
Inactive RF plugins:
[info] [10:07:25.292667 thread 951008] [config.h:76] Loading configuration file ../andre.toml

Do you have any ideas why it behaves this way?

P.S. I checked the .fc32 file and it does include information.

Thank you in advance for your help

NorbLd commented 3 months ago

Hello,

I did not have much time to test with TDD, but I ran an srsRAN gNB on band 78 and I was able to decode some MIBs. Please note that 5G NR has different numerologies, which translate to different subcarrier spacings. This parameter should be specified as "ssb_numerology", please see the README. Furthermore, keep in mind that the SSB and the different bandwidth parts can have different numerologies; the numerology of the bandwidth part is specified under the [pdcch] config as "numerology". I do not think the sniffer would require very big changes to make it work for TDD, as the frame structure remains similar, except that now the slots are allocated to either DL or UL. However, there might be some small details that I am missing. Furthermore, at the time I tested mostly with numerology 0 (15 kHz spacing); do you know if srsRAN supports a 15 kHz TDD configuration? Maybe we could start testing with that setup as an intermediate step to minimize the number of variables.

Regarding not finding the MIB, the most likely reason is a slightly wrong dl_arfcn. Currently the sniffer does not correct for integer CFO values, i.e. the CFO cannot be bigger than the subcarrier spacing (15, 30, ... kHz, depending on numerology). If your center frequency is more than this many kHz away from the center of the SSB, it will not find a correct peak. This is due to downsampling the sequence to the minimum SSB BW to find the SSB. Please double-check that the dl_arfcn corresponds to the SSB center frequency; you can find more information in the README. Another possibility could be that the TX/RX power level is not high enough, but if you connected a phone and you have a reasonable gain in the SDR recording, it should be fine. If you do not manage to find the correct SSB center frequency, let me know.

Thank you.

DancingSW commented 3 months ago

@NorbLd Thank you for sharing your intuition!

Regarding TDD srsRAN: I have not tested 30 kHz TDD with srsRAN. But I guess srsRAN supports 30 kHz TDD because srsRAN is known to support TDD and 30 kHz subcarrier spacing.

common_scs: 15 # Sets the subcarrier spacing in KHz to be used by the cell. Supported: [15, 30].

Yes, I agree with you. I will set up 30 kHz TDD with srsRAN and see what I can get.

Regarding not finding the MIB: Thank you for your advice. I will double-check CFO and dl_arfcn. At the time I tried, I translated/used the ssb-arfcn shown in NSG and set ssb_numerology as 1.


@andreaterni7 I have not encountered the same issue. I guess it can be either usrp library config or sniffer config issue. Please check the recent discussion.

NorbLd commented 3 months ago

Hi,

I meant to test it with TDD and 15 kHz subcarrier spacing first :) 30 kHz is the default in srsRAN for n78 I believe.

NorbLd commented 3 months ago

Hi,

I took a look over the weekend, and I was able to also obtain DCIs for a TDD config. I have uploaded the trace I took to the same link as the FDD one: https://drive.google.com/drive/folders/16YMVftlxgPgA8O3zwtno4VHCPzVWXFbX?usp=share_link

I am also attaching the toml file and some screenshots of the information used to infer the PDCCH/BWP information.

The SSB center frequency is 3483.840 MHz. absoluteFrequencyPointA is 632016 -> 3480.240 MHz. The BWP is 48 RBs at 30 kHz, thus the subcarrier offset is (3483840000 - (3480240000 + 24 * 12 * 30000)) / 30000 = -168. The rest of the PDCCH parameters can be seen explicitly in the screenshots. Please note that the DCI formats are 0_1 and 1_1 for user data, with sizes 38 and 42 respectively. The PDCCH for SI-RNTI is different and it requires looking into TS 38.213 Tables 13-11 and 13-4.

The TDD decoding is currently suboptimal because we are assuming that all subframes/slots are downlink (as FDD), so we are looking for DCIs even on UL slots, but it seems that it also works with almost no modifications. I fixed an issue when counting symbols in the ofdm block due to a typo. Also, it seems that the PBCH decoding is failing sometimes with this config, losing synch, but I am not sure why, I will look into that.

Best,

DCI_information_TDD.zip
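The two checks that come up repeatedly in this thread (the receiver must be tuned to within one subcarrier spacing of the SSB center, and the BWP/SSB subcarrier offset must be derived from absoluteFrequencyPointA) both start from NR-ARFCN to frequency conversion. The following is an added example, not code from 5GSniffer: it implements the TS 38.104 global frequency raster and reproduces the -168 subcarrier offset computed in the comment above, interpreting the 24 RBs there as half of the 48-RB BWP.

```python
# Added example (not part of 5GSniffer): NR-ARFCN to frequency conversion
# (TS 38.104 Table 5.4.2.1-1 global raster) and the two sanity checks raised
# in this thread: receiver centre vs SSB centre within one subcarrier spacing,
# and the BWP/SSB subcarrier offset computed as in NorbLd's TDD comment.
from dataclasses import dataclass

@dataclass(frozen=True)
class RasterRange:
    n_lo: int          # first N_REF of the range
    n_hi: int          # last N_REF of the range
    f_offs_hz: int     # F_REF-Offs
    step_hz: int       # delta F_Global
    n_offs: int        # N_REF-Offs

# Global frequency raster, TS 38.104 Table 5.4.2.1-1 (values in Hz).
GLOBAL_RASTER = (
    RasterRange(0, 599_999, 0, 5_000, 0),
    RasterRange(600_000, 2_016_666, 3_000_000_000, 15_000, 600_000),
    RasterRange(2_016_667, 3_279_165, 24_250_080_000, 60_000, 2_016_667),
)

def nr_arfcn_to_hz(n_ref: int) -> int:
    """F_REF = F_REF-Offs + dF_Global * (N_REF - N_REF-Offs), exact in integer Hz."""
    for r in GLOBAL_RASTER:
        if r.n_lo <= n_ref <= r.n_hi:
            return r.f_offs_hz + r.step_hz * (n_ref - r.n_offs)
    raise ValueError(f"NR-ARFCN {n_ref} outside the global raster")

def within_cfo_budget(center_hz: int, ssb_center_hz: int, scs_hz: int) -> bool:
    """The sniffer only corrects fractional CFO, so the tuning error must stay
    below one subcarrier spacing or the PSS/SSS correlation fails."""
    return abs(center_hz - ssb_center_hz) < scs_hz

def ssb_subcarrier_offset(ssb_center_hz: int, point_a_hz: int, bwp_rbs: int, scs_hz: int) -> int:
    """Offset (in subcarriers) of the SSB centre from the BWP centre, i.e. the
    arithmetic used in the thread: (f_ssb - (pointA + N_RB/2 * 12 * scs)) / scs."""
    bwp_center_hz = point_a_hz + (bwp_rbs // 2) * 12 * scs_hz
    delta = ssb_center_hz - bwp_center_hz
    if delta % scs_hz:
        raise ValueError("SSB centre is not on the BWP subcarrier grid")
    return delta // scs_hz

if __name__ == "__main__":
    # Values from the thread: SSB ARFCN 632256, absoluteFrequencyPointA 632016, 48-RB BWP at 30 kHz.
    ssb = nr_arfcn_to_hz(632256)
    point_a = nr_arfcn_to_hz(632016)
    print(ssb, point_a, ssb_subcarrier_offset(ssb, point_a, 48, 30_000))  # 3483840000 3480240000 -168
```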

andreaterni7 commented 3 months ago

I have tried your configurations but unfortunately I still have nothing. I am attaching my config files so that, if you have them, you can help me and the others who are stuck like me.

PS: In order to get the .fc32 file, I run "uhd_rx_cfile --args type=b200 -r 23040000 -f 3483840000 andre.fc32"

Thank you in advance

configFiles.zip

DancingSW commented 3 months ago

@andreaterni7 I did not test your configurations, but I am just curious if you got MIB?

andreaterni7 commented 3 months ago

@DancingSW the only thing I get is the following line:

[info] [08:33:47.342902 thread 5411] [config.h:77] Loading configuration file ../myToml.toml

DancingSW commented 3 months ago

@andreaterni7 I guess you entered the wrong frequency. The frequency parameter in the config file should be the SSB frequency. I think 632256 (i.e., 3483.84 MHz) is not an ssb-frequency. When you run the srsRAN gNB, you can see the ARFCN for the SSB.

andreaterni7 commented 3 months ago

@DancingSW Yes, you are right, although I modified it and forgot to update it. In fact, changing the frequency partially solved the problem: now I have the MIB, but I am still unable to decode the RNTI. I attach my output.

output.txt

Why can the tool only decode the MIB and not the RNTI?

DancingSW commented 3 months ago

@andreaterni7 SSB consists of PSS, SSS, and PBCH. The MIB is transmitted on the PBCH. Therefore, if you can find the SSB, you will also be able to find the MIB.

RNTI (Radio Network Temporary Identifier) is a temporary user identification assigned by the gNB. It seems you want to decode the DCI, which is transmitted on the PDCCH. Please note that SSB and PDCCH use different frequency resources. In other words, they operate on different frequencies.

To ensure correct decoding, you must enter the correct parameters in the [pdcch] section of the 5gsniffer configuration file. For guidance on how to configure this, please refer to the README, which provides an example configuration.