I just came home from IEEE ICC 2015 in London where I presented our paper Protocol Design for Ultra-Low Power Wake-Up Systems for Tracking Bats in the Wild.


Cool, I just got my poster for the SRIF workshop at ACM MobiCom accepted.

The introduction reads like

These days the Internet of Things is about to become part of our everyday life. Already today we are surrounded by a vast amount of simple low data rate wireless systems. The applications for those systems are manifold and include weather stations, sensors in industrial automation, car key fobs, and alarm systems. Most recently, car and plane manufacturers started replacing wired sensors with wireless systems to save cabling and, thus, weight and fuel. Typically, frame-based single carrier systems are used. These rely on a preamble for synchronizing to the signal followed by a Start of Frame Delimiter (SFD) and the actual data. Due to short frame sizes, the preamble introduces considerable overhead regarding energy consumption and wireless channel occupancy. Using the IEEE 802.15.4 O-QPSK PHY as an example, the minimal preamble length is the equivalent of 4 B compared to an ACK size of 5 B or a maximum frame size of 127 B. Another example is a Binary Offset Carrier (BOC) transceiver that we developed in the BATS project [1]. In this project we work towards equipping bats with tiny 2 g sensor motes that send 12 B frames, which can be used for combined data transmission and ranging. Since each frame includes a preamble of 2 B, the overhead is significant. To avoid this overhead we propose mSync (from mirror sync), a frame format and decoding strategy that does not rely on preamble symbols, as it uses the data symbols instead.

See you in Paris!




Currently, I’m in Hong Kong to present my demo Power Matters: Automatic Gain Control for a Software Defined Radio IEEE 802.11a/g/p Receiver at IEEE INFOCOM’15.

I took a projector with me to provide a good view on the outputs that visualize the WiFi signal at different stages of the decoding process. The demo was set up on a small floor between the rooms where the technical sessions were held. So I think it gained some good visibility, especially during the coffee break.

During the last week, I worked on the GNU Radio WiFi transceiver gr-ieee802-11 and implemented some features that were on my todo list for quite some time. Since the performance is really good now, I wanted to share my excitement and give some details about the changes.

Interface for Channel Estimation Algorithms

The initial version only came with a proof-of-concept channel estimation algorithm, which interpolated linearly based on the comb pilots. This algorithm is especially bad when using an N210 with a sampling rate of 20 MHz, as for IEEE 802.11a channels. The problem is that at this sampling rate the N210 has an uncompensated filter and the spectral shape is sinc-like. Linear interpolation obviously fails in this case.

Since I assume that channel estimation is the thing most people want to play with, I implemented a generic interface where people can plug in their stuff. Of course, it’s now also possible to use the long training sequence to get an initial estimate of the channel.

LMS Estimator

Having this generic interface, I implemented the LMS estimator as a first simple algorithm. With LMS the performance increased considerably. However, I also kept the linear interpolator to show how the algorithms can be changed on the fly. To give an idea of the receiver’s current state, I made a small video in my office, where I receive frames from an Atheros card. In the video I change the modulation and the channel bandwidth.

Long Frames

Andre Puschmann from Ilmenau worked on the maximum frame size. The transceiver had some strange limitations, mainly since the buffers of GNU Radio’s Tagged Stream blocks were not adjusted properly. Andre figured this out and now we can send and receive 1500 byte frames with any modulation. Very cool!

Short Frames

Initially, the receiver blindly copied a fixed number of samples into the flow graph once a frame was detected. This caused problems with very short frames sent right after one another, as for example with RTS/CTS. In the current version, the synchronization block always looks for new frames and marks their start with a tag so that subsequent blocks can decode them.

I hope you give the new version a try and let me know how it works for you. Have fun!


Cool! I just got a talk for the Software Defined Radio Academy at HAMRADIO accepted. HAMRADIO is a rather large annual amateur radio exhibition at Friedrichshafen in Germany. Since more and more hams are interested in Software Defined Radio (SDR), there will be a sub-conference about SDR this year — the Software Defined Radio Academy.

According to my understanding, the idea is to have a mix of introductory and hands-on lessons as well as some more research oriented talks. I applied for a talk about reverse engineering digital wireless signals. Following is the abstract I submitted when applying for the talk.

Today, David presented our paper The Scrambler Attack: A Robust Physical Layer Attack on Location Privacy in Vehicular Networks at IEEE ICNC’15 in Anaheim, Canada.

In the paper we use the initial scrambler value as a feature to identify vehicles even though they might use pseudonyms or other potentially privacy preserving mechanisms.

What we did

According to the IEEE 802.11p standard, each data frame is scrambled by a pseudo random sequence generated by a Linear Feedback Shift Register (LFSR). The LFSR is seeded by a random value that is transmitted at the very beginning of each frame, allowing the receiver to reproduce the scrambling sequence and, thus, to descramble the bits. With regard to seeding the LFSR the standard states in Section 18.3.5.5 that

When transmitting, the initial state of the scrambler shall be set to a pseudo random nonzero state.

Reading this, we were curious how these pseudo random states are implemented in practice on real hardware. Since normal WiFi cards don’t expose this information when receiving frames, we used our GNU Radio WiFi transceiver to log the initial scrambler states while decoding the frame.
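The seed handling described above, as an added example that is not code from the post or from gr-ieee802-11: it scrambles a DATA field and then recovers the initial scrambler state from the received bits alone, which is why the standard's requirement on that state matters. It assumes the IEEE 802.11 OFDM PHY generator polynomial x^7 + x^4 + 1 and that the first seven SERVICE bits are zero before scrambling; all function names and the payload are made up for the sketch.

```python
# Added example: IEEE 802.11 OFDM data scrambler, generator x^7 + x^4 + 1.
# All function names are hypothetical; the payload below is constructed.

def lfsr_step(state):
    """Advance the 7-bit LFSR once; return (new_state, output_bit)."""
    fb = ((state >> 6) ^ (state >> 3)) & 1          # x^7 XOR x^4
    return ((state << 1) & 0x7E) | fb, fb

def lfsr_step_back(state):
    """Undo one lfsr_step: the bit shifted out is new_bit0 XOR new_bit4."""
    msb = (state ^ (state >> 4)) & 1
    return (state >> 1) | (msb << 6)

def scramble(bits, seed):
    """XOR bits with the LFSR sequence; the same call also descrambles."""
    out, state = [], seed
    for b in bits:
        state, fb = lfsr_step(state)
        out.append(b ^ fb)
    return out

def recover_seed(scrambled):
    """Recover the transmitter's initial state from a scrambled DATA field.

    Assumption: the first 7 SERVICE bits are zero before scrambling, so the
    first 7 received bits are the raw LFSR output, i.e. the state after 7 steps.
    """
    state = 0
    for b in scrambled[:7]:
        state = (state << 1) | b
    for _ in range(7):                               # rewind to the seed
        state = lfsr_step_back(state)
    return state

def data_field(payload):
    """16 zero SERVICE bits followed by the payload bits, LSB first."""
    return [0] * 16 + [(byte >> i) & 1 for byte in payload for i in range(8)]

if __name__ == "__main__":
    plain = data_field(b"constructed payload")
    on_air = scramble(plain, seed=0x5D)
    seed = recover_seed(on_air)
    print(f"recovered seed: {seed:#04x}")
    print("descrambled ok:", scramble(on_air, seed) == plain)
```

A receiver only needs the state after seven steps to descramble the rest of the frame; rewinding to the seed is what makes the value loggable per frame.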


Today, I gave a talk about RDS/TMC with GNU Radio at FOSDEM’15. FOSDEM is a really fun annual meeting of Open Source developers in Brussels. Besides the main track with a very diverse spectrum of talks, there are so-called Developer Rooms where people talk about a certain project or topic. Since 2014 Tom Rondeau, Philip Balister and Sylvain Munaut organize a Software Defined Radio Developer Room. This year I tried to advertise the GNU Radio RDS implementation a bit, hoping to motivate some people to experiment with it and maybe contribute some lines of code.

During the last weeks I worked a bit on the GNU Radio RDS implementation.

In particular I

  • got rid of the libxml2 dependency
  • refactored encoder and decoder
  • split decoder in demodulation and parsing block
  • added new parsers for some frame types
  • more verbose console output
  • the decoder can be extended pretty easily now (there is a dedicated parser function for each frame type)
  • blocks have logging and debugging options to configure their output
  • **added TMC messages**
  • the encoder can be reconfigured during runtime via UDP
Navigator displaying Terror Message