*****************************************
Editor's Note: You can view David's dynamic step-by-step video demonstration of the method described below by clicking here.
******************************************

Considerations for Demodulating Off the Air
Before demodulating the over-the-air transmission, review some of the basic characteristics of the GSM physical layer. According to the standard's specifications, GSM uses the Gaussian minimum shift keying (GMSK) modulation scheme. With a Gaussian filter (alpha = 0.3) and a symbol rate of 270.833 kS/s, GSM has a total RF bandwidth of slightly less than 200 kHz. One interesting difference between the 2G and 3G cellular standards is the channel bandwidth. In contrast with GSM, wideband code division multiple access (WCDMA) has a symbol rate of 3.84 MS/s. Using a root-raised cosine with an alpha of 0.22, we can calculate the RF bandwidth to be ((1+0.22) x 3.84) = 4.68 MHz. In fact, it's an interesting exercise to view this in light of Shannon's theorem, which estimates the maximum data throughput as a function of bandwidth and SNR (signal-to-noise ratio). The equation is shown below:

Capacity=Bandwidth x log(1+SNR)
Equation 1: Shannon's Theorem

As Shannon's theorem suggests, wider bandwidth channels used in 3G networks should provide significantly higher data throughput than the 200 kHz channels in GSM.

Spectrum Analysis
Now that we are familiar with some of the basic characteristics of GSM, we can begin the process of demodulating data packets. The first step is identification of the appropriate carrier. We know that each channel in both the uplink and downlink bands of a cellular network is spaced 200 kHz apart. In the United States, which uses GSM850, we can find the GSM downlink band between 869 and 894 MHz. Using a vector signal analyzer in spectrum analysis mode, we can find a modulated GMSK carrier with the guidance provided above. Using this tool, we are able to visualize modulated carriers in the frequency domain, as illustrated in Figure 1.

Figures 1 and 2 show the difference between GSM and WCDMA in the frequency domain. As the images illustrate, GSM channels occupy 200kHz of bandwidth, and we can easily spot a carrier at 877.4MHz. In the United States, we can spot a WCDMA carrier at around 1.882GHz. Upon quick inspection, we can visually estimate that it occupies slightly less than 5MHz of bandwidth, fitting with our earlier calculation of 4.68MHz. Through basic spectrum analysis, we have performed the first of several sanity checks by verifying that the carrier we want to demodulate is indeed GSM. This exercise also uncovers potential challenges we might face in demodulating the GSM transmission. As we observed in the frequency domain, interference from adjacent channels can potentially distort our results if it is not adequately filtered. In the next section, learn about the effectiveness of filtering at removing adjacent channel interference.

Gabor Spectrogram
The second tool we'll use to analyze the airwaves is the Gabor spectrogram. Because GSM uses a time-division multiple-access channel timing model, this tool will help us visualize both the frequency of GSM bursts and the trigger level that we will need to set later. Note that a Gabor spectrogram is a signal processing tool used for joint time-frequency analysis. It operates by dividing a time-domain IQ signal into "slices" and performing a fast Fourier transform (FFT) on each subset of data. The resulting FFT data is then pieced together in a 3D view, which plots the time, frequency, and power of an RF signal. This is often visualized on a color-coded waterfall graph, as illustrated in Figure 3.

Click for larger image

In Figure 3, we can observe the timing information in the downlink band. As a TDMA (time-division multiple access) protocol, each GSM frame period lasts for 4.615ms and is divided into eight sub frames. Thus each sub frame has a duration of precisely 567.875¼s. Also note that the Gabor spectrogram provides insight into the peak-power of a GSM burst. According to the graph, setting our power level above -25dBm is essential to ensure that you trigger on a burst with sufficient SNR. Using a spectrogram, we can evaluate the effectiveness of a digital filter at rejecting adjacent channel power. In this case, use a third-order complex bandpass elliptic filter (400kHz bandwidth) to remove interference. While this filter is not as aggressive as a fifth or seventh order, it should provide a more uniform phase response, resulting in less intersymbol interference (ISI). While the use of most filters introduces ISI (raised cosine and root-raised cosine filters are exceptions), a small amount of ISI is actually tolerable when demodulating GMSK. In fact, the Gaussian filter (alpha = 0.3) of a GSM transmitter introduces ISI before the signal ever hits the airwaves. In the joint time-frequency domain, we can evaluate the effectiveness of the bandpass filter, as shown in Figure 4.

In Figure 4, observe that the resulting baseband waveform is susceptible to interference in a neighboring channel. In fact, we can see this at an offset of -400 kHz (relative to the carrier). After this data has been filtered, the power in adjacent bands has been reduced from 15dB below the power of the desired carrier to at least 60dB below. This should be more than sufficient for demodulation, as the next section explains.

Time Domain IQ Visualization
With any modulated waveform, demodulation requires the baseband IQ waveform to be sampled at a multiple of a precise symbol rate. We can think of demodulation as decimation of a baseband IQ signal to the symbol rate (slightly more involved, but decimation is the basic idea). After decimation, we can map the remaining samples directly into a digital bitstream as specified by the symbol map. Using our vector signal analyzer, we need to first sample the packet of data (with a trigger level at -25dBm) at an IQ sample rate of 1 MS/s. Once we have acquired the data, we must fractionally resample it to ensure that the demodulator sees a waveform where the sample rate is a multiple of the GSM symbol rate. At 16 samples per symbol, our new symbol rate is 16 x 270.833kS/s (symbol rate of GSM) = 4.333MS/s. In an actual cell phone, this step is often avoided by clocking the ADCs (analog-to-digital converters) at a multiple of the symbol rate.

As a sanity check, we can also view I and Q versus time as a waveform (see Figure 5).

By observing the time domain of IQ data, we can see two signs that show we are on the right path. First, both I and Q seem to transition between one of two discrete values. This is as expected because that behavior occurs in every variant of a QPSK (of which GMSK is one) modulation scheme. Second, we can clearly see the half-sine pulse shaping in the time domain. Based on these indications, the next step is to demodulate into the final bitstream.

GMSK Demodulator Algorithm
In NI LabVIEW software, we can perform demodulation of a GMSK waveform with an MSK demodulation function in the Modulation Toolkit. Various inputs to this demodulator include the raw baseband, system parameters such as sample per symbol, and filter coefficients for the Gaussian filter. The block diagram flow is illustrated in Figure 6.

Click for larger image

Once we've demodulated the GSM packet, it's still important to check our result to ensure that our bitstream is correct. Without information on what is actually in the packet, the best way to double-check our result is using a constellation plot, as shown in Figure 7.

The main characteristic we're looking for when observing a constellation plot is that each symbol (shown in white) appears in a distinct quadrant on the graph. In other words, we are verifying that all symbols align to one of four distinct phases. From Figure 7, we can conclude that bitstream is relevant because each symbol appears to be appropriately aligned.

Note that one unique characteristic of GMSK is that all of the transitions between symbols (shown in red) appear around the perimeter of the graph. This characteristic is actually an intentional design decision of the GMSK modulation scheme. By avoiding symbol transitions through the center of the graph, GSM transmitters are able to maintain a more constant power level. This reduces the requirements on amplifier linearity and allows cell phones to use non-linear power amplifiers, which typically consume less power than more linear ones.

Conclusion
Demodulation of a GSM signal is a straightforward process that we can accomplish easily with a few signal processing tools. Using these tools along with our knowledge of GSM, we are able to identify various receiver characteristics such as sample rate, symbol rate, and even filter specifications. In addition, a few basic signal processing algorithms can provide us with valuable data about signal characteristics such as time, frequency, and power information. As a result, we are able to demodulate GSM packets and return encoded digital bitstreams —just like the demodulator on a cell phone.

About the Author
David A. Hall is a product manager for the modular instruments product line at National Instruments. His areas of expertise include signal generation and communications. David graduated from Pennsylvania State University in 2005 with a Bachelors of Science in Computer Engineering.

Related Articles

• Flexible upconversion architectures satisfy global wireless standards
• Under the Hood: Samsung phone dials up digital TV
• Understanding the basics of image and carrier suppression measurements