Daniel Estévez

URE sells a book which is specific for the exam in Spain tienda.ure.es/libros/39-li... FEDI-EA has exam models www.fediea.org/examen/exerc...

The changelog of the release: Added Added callsign to deframer options Basic support for SigMF input CSP Address Filter block CSP ZMQ blocks Frame counter block Mobitex-NX deframer Support for JINJUSAT-1B Support for Hex20 Nila Support for NUSHSAT-1 Support for TEVEL2 satellites Telemetry decoder for TUBiX20 (TUBIN) Time-dependent delay block Time synchronization tag to Doppler correction block U482C encoder block Uplink argument to tle_to_doppler_file.py example Fixed Callsign '-' handling in Check AX.25 Address Packet size bug in AX100 deframer pybind11 bug in swap_header Timezone handling in PDU to KISS Changed Added callsign in SatYAML to BEESAT-1,-9, TUBIN, NanoFF-A,-B, and TechnoSat Improved version printout in gr_satellites CLI app Updated AX.25 packet radio examples Use GNU Radio crc_check in GNU Radio >= 3.10

I've made new releases of gr-satellites: 5.8.0 (GNU Radio 3.10), 4.15.0 (GNU Radio 3.9), 3.22.0 (GNU Radio 3.8). This will be the last release supporting GNU Radio 3.9 and 3.8. Maintainance for these branches will stop now.

The datasets are available in Zenodo, and I will do detailed analysis in the future.

Read more: destevez.net/2025/07/n78-...

This has been done in collaboration with friends at the Gaia lab, ANTS research group, University of Murcia. We used higher-end USRPs to record large bandwidth. In the post I explain some challenges we found, such as IF interference in a USRP X400 and record to disk performance.

An inspectrum waterfall that shows a 100 MHz 5G cell that is rather busy. We can see 7 SSB repetitions, and mostly empty uplink slots, since this is a TDD band.

New blog post: n78 band 5G NR recordings. I comment on some recordings I have made that are representative of the current state of 5G deployment on this band in Spain (100 MHz cells for Movistar and Orange, 90 MHz cell for Vodafone).

Uncalibrated SAR image

Same image after antenna pattern normalization and polarimetric calibration.

Wrote code for SAR image antenna pattern normalization and polarimetric calibration (channel imbalance and crosstalk). Image looks very nice now.

A photo of a small PCB with an SMA connector connected to an attenuator, two leads to supply power, a green LED, and a bunch of surface mount components, including three QFN chips.

A screenshot of GQRX showing a signal at 3.786 GHz with significant phase noise. This is the output of the VCO without the PLL being configured.

Some months ago I shared my design of a PCB with an ADF4158 PLL/waveform synth and HMC319 VCO intended as an LO source for an FMCW radar in the 10 GHz band. I have finished soldering all the components, and the HMC319 appears to be working. The next step is the ADF4158 config.

The docs don't say whether a receiver may/must use the chain ID without authenticating it via the DSM-KROOT. This is important, because it affects transitioning seamlessly to the new chain, but doing this incorrectly can have security implications.

Read more: destevez.net/2025/07/gali...

I have recorded navigation data for a few days around this test, and I use my galileo-osnma Rust implementation to process and analyze this data. I comment on a few tricky points that are not too clear in the Galileo documentation.

A diagram taken from the ICD that shows how the TESLA chain renewal happens in two steps. In the first step, the KROOTs for both chains are transmitted alternatively and the chain and pubkey status is end-of-chain. In the second step, the system transitions to using the new chain.

New blog post: Galileo OSNMA chain renewal. OSNMA is the Galileo open service navigation message authentication system, which authenticates cryptographically the navigation data broadcast by the satellites. Here I comment on a TESLA chain renewal test done on Tuesday.

A plot of the value of the FLL frequency accumulator during lock-in. The legacy GNU Radio loop filter and the new fixed loop filter are compared. Both converge almost at the same time, but the legacy filter has more noise after convergence.

I compare the legacy loop filter in GNU Radio with a correct implementation of the loop filter, showing that when the bandwidths are adjusted for similar convergence time, the correct loop filter has less noise.

Read more: destevez.net/2025/07/abou...

A plot of the discriminant curves of the GNU Radio and Remez band-edge filters obtained via simulation. They are compared with the slope given by the theoretical gain at zero error.

I calculate the discriminant gain and show how to design loop filter coefficients properly, pointing out what is wrong with the current GNU Radio implementation of the loop filter.

A plot that compares the GNU Radio FIR filter, which extends the ideal quarter-sine band-edge to a half-sine, and a Remez design, which has more ripple but a narrower transition down to zero.

Then I compare ways of realizing band-edge filters as an FIR filter, including an idea by fred harris, which is what GNU Radio uses, and a Remez design.

A plot of the spectrum of an RRC waveform and ideal band-edge filters. The band-edge filters are equal to the derivative of the RRC, so they are non-zero only in the roll-off region.

New blog post: About FLLs with band-edge filters. This post is motivated by some bugs in the @gnuradio.org FLL that I've been working on fixing. I explain what band-edge filters are, and how they can be used in an FLL.

I find that it is 9k6 GMSK, and that it constantly transmits a pseudorandom sequence generated by feeding a G3RUH scrambler with zeros. Perhaps this is caused by a failed transmitter. Read more: destevez.net/2025/06/z-sa...

A screenshot of a GNU Radio GUI where we can see the soft symbols in the time domain and the output of a G3RUH descrambler. The descrambler output is all zeros.

New blog post: Z-Sat VHF transmissions. Recently Daniel Ekman has noticed that Z-Sat, a Japanese satellite launched in 2021 that has an amateur radio payload, is transmitting a digital signal continuously. Here I analyze a recording of this signal.

Sure! (Sorry for the late reply; I don't know why I only saw the notification just now)

A screenshot in Wireshark that shows part of the SIB1 message parsed out. The PCAP file also contains the MIB transmission from the PBCH, which happen every 10 ms.

Finally I spend some time discussing some of the parameters that appear in the SIB1, which can be parsed with Python or in Wireshark.

Read more: destevez.net/2025/06/5g-n...

A plot of the LLRs after the first LDPC decoder iteration. Many punctured bits are still not solved and have an LLR of zero.

A plot of the LLRs after the second LDPC decoder iteration. Now all the punctured bits are solved and the codeword is correct.

I have added support to generate alists for the 5G LDPC codes to my ldpc-toolbox. I use this and a simple sum-product algorithm implementation to decode the PDSCH. I show how the LLRs evolve during the decoding iterations and how all the punctured bits get recovered.

A waterfall of the IQ recording, which shows annotations marking the PDSCH, and other transmissions such as the PDCCH, the PSS, SSS and PBCH, and the CSI-RS.

New blog post: 5G NR PDSCH. In this post I show how to decode the 5G PDSCH (downlink data) by using the SIB1 from an srsRAN gNB recording as an example. I go into the details of how LDPC and the rest of rate matching and other encoding work.

Global backprojection vs fast factorized backprojection image quality. The biggest difference is larger sidelobes on the brightest target in the FFBP image.

Found motivation to write some SAR processing code. Fast factorized backprojection generates several small polar format images and then interpolates them to one big image. It's faster, but has slightly worse image quality due to all the interpolations.

H116⍺ RRL as measured in Dwingeloo.

Measuring Radio Recombination Lines (RRL) with the Dwingeloo telescope (@radiotelescoop.bsky.social), in the Omega Nebula (M17/W38).

Finally, I parse the fields of this DCI format 1_0 that contains the SIB1 PDSCH scheduling and show how the values match what we see in the waterfall.

Read more: destevez.net/2025/05/5g-n...

An advantage of 5G compared to LTE is that the DCI CRC is a CRC-24 instead of a CRC-16, so there are 8 bits which are not scrambled by the RNTI. We can use these 8 bits as a check even if we don't know the RNTI.

A plot of the output LLRs of Polar decoding for a DCI candidate size of 34. Some LLRs are very close to zero, which means that decoding has failed.

A plot of the output LLRs of Polar decoding for a DCI candidate size of 35. We can see that all the LLRs are well away from zero, meaning that decoding has succeeded, and the correct DCI size is either this one, or slightly larger.

I explain some heuristics to find the appropriate DCI size. In particular, Polar decoding will likely fail if we assume a too small DCI size. By using this property and checking the CRC for a few DCI candidate sizes, we can find the correct size.

The PDCCH is encoded using Polar coding, in the same way as the PBCH. However, one challenge is that the message size (the DCI size) is not fixed and is unknown in general, specially in a sniffing scenario where we only have access to the downlink signal.

A table from an online calculator that shows how CCEs are mapped into REGs by forming REG bundles and applying a permutation.

I explain how all these parameters define which resource elements are occupied by the PDCCH, and why this PDCCH transmission is formed by two disjoint segments in frequency, due to the interleaved mapping of the CCEs to REG bundles.

A constellation plot of the two symbols of the PDCCH. It shows a QPSK constellation for the data and a wipe-off pilot signal for the DM-RS.

I had already shown how to demodulate the PDCCH and process its DM-RS (demodulation reference signal) in previous posts. I had also decoded the PBCH, which contains the MIB, that has some configuration parameters required to process the PDCCH.

A waterfall of a 5G downlink signal. We can see the PBCH/SS block on the left, then a PDCCH transmission split into two segments in frequency, a PDSCH transmission immediately afterwards (which is the SIB1), and finally a CSI-RS which is sparse in frequency.

New blog post: 5G NR PDCCH. In this post I show how to decode the Physical Downlink Control Channel, by using as example the PDCCH for the SIB1 in a srsRAN gNB recording. The PDCCH is used to transmit control information such as downlink scheduling and uplink grants.

In the post I explain some of the implementation details of this Time-dependent Delay block, and how to use it. Read more: destevez.net/2025/05/time...