GSM Handset Vulnerabilities, Part I: RF Performance
Time-to-market pressure makes the primary goal of handset development the successful completion of full type approval (FTA). The phase error, transmit power, RF output spectrum, receiver sensitivity, and blocking performance are addressed.
By Brian Senese and Laurent Ronc
Big money and big risk: these are what you can expect when entering the not-so-new market of digital cellular phones. In fact, digital cellular has been in commercial existence since 1992 when it made its debut in Europe. With the acceptance of the Global System for Mobile Communications (GSM) standard came FTA, the mandatory 5-week verification process used to force compliance to the GSM specification and guarantee interoperability with all GSM networks worldwide. Presently, test facilities are located primarily in Europe, an inconvenience for companies developing handsets in North America. With test agencies thousands of miles away, and given the complexities of GSM, mandatory test scenarios are very difficult to execute. However, preparation of the handset for type approval is essential for the successful introduction of a handset to the marketplace. In this two-part series, the two most problematic areas of FTA testing are examined and discussed, with emphasis given to pre-emptive design or test activity that will hopefully assist in your preparatory efforts before crossing the pond for FTA. RF parametric performance forms the centerpiece of this month's article, with Layer 1 protocol behavior in the GSM system reserved for next month.
FTA
Despite the importance of quality, time-to-market pressure makes the primary goal of handset development the successful completion of FTA. GSM test houses are equipped with at least one $3.5 million test system (plus other less expensive test gear), charge approximately $1000/hour for system test time, and require 4 months' advance notice for booking test time. Few handset manufacturers can afford such a test system and rely upon less expensive equipment to replicate the required test scenarios; the end result is incomplete test coverage of the handset before attempting FTA. A majority of operational areas of the handset can be tested, yet problems still tend to remain undetected in the area of RF performance and Layer 1 operation (which is primarily responsible for managing the radio interface). As further proof of this, I was once told during a visit to a European test authority that on the first attempt (a pre-FTA session), "You will fail the RF parametric tests." He was right.
The first round of agency testing should target defects related to hardware anyway, since they may require a board spin to correct problems. This is very important because, prior to the final FTA run, the test authority takes a picture of the circuit board!
In this article the phase error, transmit power, RF output spectrum, receiver sensitivity, and blocking performance will be addressed simply because they seem to be the most difficult in passing FTA.
Handset defined
A basic handset is shown in Figure 1, which illustrates both hardware and software components. Control software resides in Layer 3 and is responsible for all control functions, such as call setup, mobility tracking, and handover activity. The man machine interface (MMI) and subscriber ID module (SIM) operations are also managed, yet they can be considered as applications sitting above the stack. Layer 2 is responsible for control-message flow control and retransmission. Layer 1 manages the airlink and controls the RF hardware in response to network messages and airlink conditions. Additionally, all audio functions are handled by this layer in support of voice traffic. The RF section is shown in Figure 2; it is the performance of this hardware that will be the focus of most of the remaining discussion.
As a development facility in North America, it is difficult to use an FTA test house as a debug option; conceivably, such a facility could serve as a source of rental equipment, given the prohibitive cost of owning such hardware. Without this option, there are limited solutions for comprehensive test coverage. For very basic measurements, the Hewlett Packard (HP) 8922, Rohde and Schwarz CMD 55, or Racal 6103 provide useful insight into fundamental operation and basic RF hardware performance. Bit-error rate (BER), burst shape, and output spectrum in real-time can be assessed using this equipment, yet holes are left in terms of test coverage. Ingenuity is required in stringing together general-purpose test gear to measure RF performance. Basically, without access to the full suite of FTA test equipment, your purpose will be to build confidence in the RF performance of your handset, which can be done economically.
Transmitter
Operationally, time-division multiple access (TDMA) transmissions are unique, in that they are time limited. Transmit power-amplifier (PA) control, spectral emission resulting from a burst, battery power, and temperature are design issues to be considered very seriously.
Figure 3 is an illustration of a GSM power-time mask to be applied against the handset's transmitted signal. Compliance with this mask ensures minimal interference with channels in adjacent time slots. However, as shown by the dashed line in Figure 3, bursts falling within mask limits may still exceed spurious emissions requirements outlined in the GSM specification. As illustrated in Figure 4a, transmitted signal energy in the main lobe follows the power profile as outlined in the power-time mask (which is based upon energy contained in the entire signal). Side lobe activity (Figure 4b) shows significant spurious emission during ramp up and ramp down intervals.
Another critical factor to be considered regarding transmitter performance is phase error. Average phase error must be within 5° root-mean-square (RMS) with the peak not exceeding 20°; FTA measurements are taken on a set of 20 transmitted bursts with frequency hopping invoked.
Phase error can be attributed to relative I/Q modulation-phase inaccuracy, a characteristic generally governed by the RF ASIC used for modulation. Modulation spurs originate from the nonlinear up-conversion process, as well as remixed transmitted signals. Phase noise is also associated with the sources section (Figure 2) and can result from power supply noise, frequency pulling caused by insufficient power during a transmit burst, or the voltage-controlled oscillator (VCO) settling after being retuned under processor control.
It should be noted that the FTA tester will log excessive phase error if transmit burst timing is inaccurate with respect to the assigned TDMA time slot, since test results are based upon readings taken at the beginning of a time slot. If the burst is not present, noise is measured as signal and phase errors are registered. While the handset is in a call, burst timing for each transmission is difficult to measure since economical in-house testing cannot mimic the FTA system test.
Three types of test measurements can be made in-house to increase confidence in achieving success during pre-FTA testing. RMS phase-error measurements, made by taking singular samples at fixed frequencies and using the maximum phase-error values, are an adequate measure of phase performance. These measurements are to be made at different frequencies in the GSM band. Varying the supply voltage from minimum to maximum is mandatory during phase-error testing. It is recommended that phase-error margins be at least 1.5° for RMS phase error and 5° for peak phase error. The dynamics of frequency hopping, as used by the system tester in Europe, tend to affect these measurements somewhat; adding up to 0.5° to measurements taken in-house is very likely.
Another measurement worth taking is the verification of settling time after retuning the local oscillator (LO), preferably over the broadest range of frequencies. This will ensure that the settling time is well within the time required before the transmitter is turned on in preparation to transmit a burst. Layer 1 protocol software tunes the LO frequently since it is responsible for exploring the GSM band for adjacent cells (as will be explained next month in Part 2) and LO settling time must expire before the PA is activated.
Finally, burst timing during a call (or control channel session) must be measured. The Rohde and Schwarz CRTC02 is very useful for looking at transmit timing issues since it creates a log of protocol activity based upon a complete test session. Examining this log can reveal burst timing problems not captured by other types of equipment that are primarily designed to operate in real-time only.
As a matter of design, the VCO must be centered so that its operation is linear across the range of frequencies that it tunes. This becomes critical when testing over the range of temperatures required by specification. Shielding and isolation of the VCO through the possible use of additional amplifiers in the control loop may be necessary to prevent transmitted energy from entering the VCO and being remixed, causing unwanted intermodulation components. And finally, power supply isolation of the sources section from the remaining RF circuitry is mandatory. Voltage regulators with very good isolation segregate the sources section from both digital and RF contamination, which is coupled onto the power lines. Keep in mind that the voltage regulators that are chosen should not inhibit large amounts of current from being drawn from the battery during a transmit burst.
During FTA, a modified battery must be attached to the mobile unit (in place of the actual one), providing an interface between the system tester variable-dc power source and the handset itself (allowing automated adjustment of power). A large capacitor (10,000 µF) placed across the power supply lines at the handset is required to reduce noise, ensuring a steady source of power during transmit cycles when the unit is drawing significant current. Without this modification, significant potential exists for increased LO phase noise resulting from dirty power supply lines or an inadequate current supply. The test authority allows such modifications because they understand the need for an interface to account for a noise or voltage drop that results from line resistance during a large current draw.
As mentioned earlier, the transmit burst must fall within mask limits with emissions not exceeding those set out in the GSM specification, and they vary depending on the frequency band examined. Burst shape is defined by values in processor memory that are used in controlling the transmit PA. A DAC converts these values, which then ramp up and ramp down the PA power output. Determination of the ramp values is a delicate operation and is part of the calibration process. Several sets of DAC values are required to support many different power time masks. Maximum power output, minimum power output, and all levels in between have their own DAC table in memory. Additionally, a correction factor can be applied to these values when temperature is taken into account or when the battery voltage is on the low side; the applied factor acts to compensate for these dynamics.
Several concomitant test problems arise in Europe; one is that the FTA system tester is very finicky regarding burst shape within the time slot assigned for the transmission. If there is any significant deviation from the specified slot time, the FTA tester eagerly proffers an "error" verdict, with no debug information provided. Typically, a "pass" or "fail" verdict is given based upon the test results obtained; "error" is an indication that the test cannot be executed as a result of unexpected handset behavior.
Because debug information from the test system is nonexistent, there is a great need for good debug tools on the target side. In some instances, even these tools are inadequate, as they do not provide insight into spectral performance or burst timing. While in Europe, setting up a mini lab at the test site to investigate RF problems is suggested, as is a lot of thinking and trial-and-error testing.
Preparatory activity to heighten confidence in burst performance measurements prior to going to FTA includes measuring both short and normal transmit bursts, making sure they meet the power time mask. If the mask is met, an examination of the spectral emission is next. The only safeguard to gain confidence in meeting the emission is to have sufficient margin between the in-house measured emission and the specified emission mask; a 3 dB margin is recommended. There is a reason for such a healthy figure. During FTA, the transmitter is tested in a dynamic environment that tends to accentuate emissions slightly. From experience, it has been found that a margin of 1 dB within the tested emissions band is very risky.
Temperature compensation of the burst shape, if required, can be supported through the use of a thermistor. As different temperature levels are detected in the transmitter, different ramp up and ramp down curves can be calculated through the application of a correction factor to pre-existing ramp tables. Also, as battery depletion progresses, a correction must be applied to the ramp values to account for lower levels of delivered power. By monitoring the battery voltage during a transmit cycle, the handset can make a correction to the burst shape that will take effect on the next transmit cycle.
One very important point needs to be made: Stable software, with respect to all levels of protocol operation, is mandatory for transmitter testing, since the handset must hold a call for at least 7 hours to allow the completion of one very long test (for transmitter output RF spectrum). It is easy to believe that because hardware performance is being tested, the need for supporting software is not that great, but nothing could be further from the truth: software plays very heavily in the equation and has to be very stable.
Receiver
Receiver performance measurements under static conditions are all easily verified through several means. Parameters measured include sensitivity, blocking, dynamic range, selectivity, and intermodulation. Performance degrades noticeably once frequency hopping is invoked, a feature prevalent in GSM that is used to improve BER performance while in a fading environment. FTA invokes frequency hopping as a means of verifying RF performance across the GSM receive band.
Operations internal to the handset, such as low noise amplifier (LNA) cycling and automatic gain control (AGC) adjustment, can degrade receiver performance. For the purposes of this discussion, only sensitivity and blocking are reviewed, as they seem to be the most problematic.
Sensitivity is the ability of the receiver to decode a signal with a low signal-to-noise ratio (SNR), which can also be translated as a maximum acceptable BER at a given level. Under static conditions BER must be less than 2.44% at a signal input level of -102 dBm. FTA testing proceeds under varying propagation conditions. A single test can take 5 hours and encompass both temperature and voltage extremes. Signaling channel performance, for example, is measured as frame-error rate (FER). With support from Layer 2 signaling, the system simulator can estimate the FER from lost frames. Without software stability, test results can be inconsistent or, even worse, unexecutable.
Receiver sensitivity is generally governed by the noise figure of the front-end LNA. Contributing to SNR degradation is the purity (or lack thereof) of the LO source. Referring back to Figure 2, the spectral purity of the sources section can be contaminated by the effects of the loop filter used in maintaining lock to the reference signal. Filter response can raise the noise floor within the passband, desensitizing the receiver. Desensitization can also occur on particular channels, due to interfering signals generated by the phone itself. These signals are usually harmonics of on-board clocks. For example, channel 5 (936 MHz) and channel 70 (949 MHz) correspond to the 72nd and 73rd harmonics of the 13-MHz reference clock used in a GSM mobile phone and are likely to be desensitized.
Careful routing of the 13-MHz reference and power supply decoupling can help minimize the source of interference and improve receiver sensitivity on these channels.
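The harmonic arithmetic above can be run against a whole frequency plan before layout. The following is an added example, not part of the original article: it assumes primary GSM 900 channel numbering (channels 1 to 124, receive centre at 935 MHz plus 0.2 MHz per channel, which agrees with the article's channel 5 and channel 70 figures), and the 19.2 MHz clock and the 100 kHz window are constructed values.

```python
# Added example: list GSM 900 receive channels that sit on harmonics of
# on-board clocks. All arithmetic is in integer kHz to avoid float rounding.

RX_BAND_START_KHZ = 935_000        # lower edge of the receive band (from the article)
CHANNEL_SPACING_KHZ = 200          # GSM carrier spacing
FIRST_CH, LAST_CH = 1, 124         # assumption: primary GSM 900 channel numbers


def channel_to_rx_khz(channel):
    """Receive centre frequency of a channel, e.g. channel 5 -> 936 000 kHz."""
    return RX_BAND_START_KHZ + CHANNEL_SPACING_KHZ * channel


def desense_candidates(clock_khz, guard_khz=100):
    """Return (channel, harmonic, offset_khz) for each clock harmonic that
    lands within guard_khz of a receive channel centre.

    guard_khz=100 (half a channel) reports every in-band harmonic; a smaller
    value keeps only harmonics close to the carrier. This window is an
    assumption of the example, not a figure from the article.
    """
    if clock_khz <= 0:
        raise ValueError("clock frequency must be positive")
    low = channel_to_rx_khz(FIRST_CH) - guard_khz
    high = channel_to_rx_khz(LAST_CH) + guard_khz
    hits = []
    harmonic = max(1, -(-low // clock_khz))      # first harmonic at or above 'low'
    while harmonic * clock_khz <= high:
        freq = harmonic * clock_khz
        # Nearest channel by integer rounding, clamped to the valid range.
        channel = (freq - RX_BAND_START_KHZ + CHANNEL_SPACING_KHZ // 2) // CHANNEL_SPACING_KHZ
        channel = min(max(channel, FIRST_CH), LAST_CH)
        offset = freq - channel_to_rx_khz(channel)
        if abs(offset) <= guard_khz:
            hits.append((channel, harmonic, offset))
        harmonic += 1
    return hits


def frequency_plan_report(clocks_khz, guard_khz=100):
    """Map each named clock to its list of at-risk channels."""
    return {name: desense_candidates(f, guard_khz) for name, f in clocks_khz.items()}


# Sample input: the 13 MHz reference is from the article; the second clock is
# a constructed value used only to show the check on another source.
SAMPLE_CLOCKS_KHZ = {
    "13 MHz reference": 13_000,
    "constructed 19.2 MHz clock": 19_200,
}

if __name__ == "__main__":
    for name, hits in frequency_plan_report(SAMPLE_CLOCKS_KHZ).items():
        for channel, harmonic, offset in hits:
            print(f"{name}: harmonic {harmonic} -> channel {channel} "
                  f"({channel_to_rx_khz(channel) / 1000:.1f} MHz, offset {offset:+d} kHz)")
```

The channels it reports are the ones to prioritise in sensitivity measurements on the bench.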
Blocking
In-band blocking refers to receiver immunity when interference is present. Because the LNA filter is wide enough to allow signal energy in between 935 MHz and 960 MHz, the interference must be eliminated at IF. It is this blocking ability that is examined. Out-of-band blocking refers to interfering signals appearing outside of the receive band. Front-end filtering reduces the amount of energy entering the handset to begin with. There is one significant element that has to be considered when making these measurements: the sideband noise component associated with the signal generator acting as the interfering noise source. Interfering signal levels are very high (0 dBm), and any noise falling within the receiver passband (935 MHz to 960 MHz) is amplified by the handset. The net result is that extraneous noise from the interfering signal generator heightens the noise floor in the receiver itself, giving rise to inaccurate BER readings. By placing a notch filter (tuned to the channel under test) at the output of the interfering signal generator, the noise introduced into the front end of the handset is eliminated.
As was mentioned, LO harmonics, frequency products internal to the sources circuitry, or the reference frequency itself contribute unfavorably to blocking performance. Two issues must be addressed when investigating blocking characteristics: the actual frequency plan of the transceiver under test and the performance characteristics of the test equipment in use. Frequency components used in deriving different LO frequencies can find their way through power lines or leakage as a result of close proximity to sensitive circuits. The result is that interfering signals conveniently located will be downconverted and appear in the baseband, degrading performance.
Making the trek
Having experienced the trials of pre-FTA on foreign soil, this discussion does not do justice to the challenges to be expected when time-to-market is pushing development. A distilled set of issues relating to RF hardware has been presented, with the intention of informing handset developers targeting the GSM world market or PCS1900 domestic market prior to making the trek overseas. Part 2 of this article will deal with specific protocol test issues as they are related to airlink control and will build on the information presented here, taking on more of a systems flavor. Interoperation of RF hardware and protocol will be examined in order to provide insight into the workings of GSM with respect to airlink management.
Brian Senese is a senior engineering manager at Uniden Research and Development in San Diego, CA, where he is involved in the development of wireless handsets. He has an MSEE from the University of Western Ontario in Canada and has worked for telecommunication companies such as Nortel, PCSI, and Lucent Technologies. He can be reached at bpsdsp@incom.net.
Laurent Ronc is a senior staff engineer, leading the GSM handset integration effort at Uniden Research and Development. He worked in GSM systems integration for Alcatel Mobile Phones in France for 3 years. He received a master's degree in electrical engineering from Ecole Supérieure d'Electricité in France. He can be reached at lronc1@san.rr.com.