I decided to start looking at how UMTS works and obviously the first thing to look at is the CDMA. One thing an ME is looking at when powered on is the synchronisation channels. There are two such channels, the primary one in which PSC (Primary Scrambling Code) is used and a secondary one where SSC (Secondary Scrambling Code) is used.
The BS is sending the frames at 10ms interval and one of the ways to determine whether there is something there or not is to calculate autocorrelation of the signal so that if a periodicity exists it will be shown.
One of the cells I’m using is on UMTS-FDD in the 900Mhz band (see TS 25.101- band VIII) which means DL: 925 – 960Mhz and UL: 880 – 915Mhz. The regular BW is 5Mhz but the standard allows a 200Khz raster. For example, below is the UL respective DL spectrum when when my phone is using W-CDMA in 900Mhz:
Going further, I needed to autocorrelate the signals in order to see whether there are some periodicities there in both UL and DL. Fortunately there is set of packages for gnuradio called FAC (Fast Auto Correlation). The gnuradio block is written in python and is part of the gr-baz package [Ref 1]
Installing gr-baz and creating a GRC flowgraph is as easy as it sounds. See below the GRC flowgraph [Ref 2]:
FAC uses the Wienner-Khinchin theorem which allows obtaining of autocorrelation of a signal by using the FFT of the absolute square of the signal PSD [Ref 3]
The sample rate is 250khz and is obtained from the 4Mhz sample rate by decimating with 16 (I know there should be an anti-aliasing filter there, either before the decimation or after but in this case it is really not necessary).
Using a number of 32768 FFT points and a sampling rate of 250khz will give you a maximum correlation time of (32768/2 * 1/250000=~65mS)
Below is presented the autocorrelation for UL:and now for DL:
It is easy to see the periodicity of 10mS for both UL and DL created by the pilot signals. Also it is obvious the difference between amplitude of the signals between DL and UL since the phone was closer to the USRP.
Note: If the UL channel is observed, then in my case (WCDMA 900) there is for sure a corresponding DL channel so that one can go directly there instead of scanning.
[Ref 1] https://github.com/balint256/gr-baz.git
[Ref 2] http://yo3iiu.ro/archives/cdma-sensing
[Ref 3] http://mathworld.wolfram.com/Wiener-KhinchinTheorem.html