See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/328146201

Carrier Phase Tracking Considerations for Commodity SDR Hardware

Conference Paper · September 2018

DOI: 10.33012/2018.16117

CITATIONS READS
0 237

2 authors:

Cillian O’Driscoll James T. Curran

Self Employed 70 PUBLICATIONS   298 CITATIONS   
62 PUBLICATIONS   816 CITATIONS   
SEE PROFILE
SEE PROFILE

Some of the authors of this publication are also working on these related projects:

GNSS Interference: Detection, Localization & Mitigation View project

Secure Radio-Navigation View project

All content following this page was uploaded by Cillian O’Driscoll on 08 October 2018.

The user has requested enhancement of the downloaded file.

 Carrier Phase Tracking Considerations for Commodity
SDR Hardware
Cillian O’Driscoll, James T. Curran

Independent Consultants,
Cork,
Ireland

cillian@ieee.org, jamestcurran@ieee.org

BIOGRAPHY

Cillian O’Driscoll received his M.Eng.Sc. and Ph.D. degrees from the Department of Electrical and Electronic Engineering,
University College Cork, Ireland. He was a senior research engineer with the Position, Location and Navigation (PLAN) group
at the Department of Geomatics Engineering in the University of Calgary from 2007 to 2010. He was with the European Com-
mission from 2011 to 2013, first as a researcher at the JRC, and later as a policy officer with the European GNSS Programmes
Directorate in Brussels. From January 2014 to June 2017, Dr O’Driscoll was a research fellow at University College Cork. He
is currently an independent consultant. His research interests are in all areas of GNSS signal processing.

James T. Curran received a B.E. in Electrical & Electronic Engineering in 2006 and a Ph.D. in Telecommunications in 2010,
from the Department of Electrical Engineering, University College Cork, Ireland. He worked as a senior research engineer with
the PLAN Group in the University of Calgary from 2011 to 2013 and as a grant-holder at the Joint Research Center (JRC) of
the European Commission, Italy from 2013 to 2016. From 2016 to 2018 he was a radio-navigation engineer at the European
Space Agency (ESA), in the Netherlands. His main research interests are signal processing, information theory and software
defined radio for GNSS.

ABSTRACT

Software Defined Radio (SDR) is a general technique for processing Radio Frequency (RF) signals in software, and has been an
active area of research and development for about the last twenty years. SDR is attractive to the research community due to the
fast development and test cycles entailed by a largely software based implementation of communications and signal processing
algorithms. However, every SDR requires some hardware to convert the portion of the RF spectrum of interest into a stream
of digital samples. Driven largely by the varied requirements of the telecommunications industry, a number of manufacturers
have developed low cost commodity SDR hardware platforms.

In the GNSS context, SDR, or software receivers, have been widely used in research and development and a large number of
both open source and commercial software receivers are available. Most of these receivers provide interfaces for processing
samples from commodity SDR hardware. However, given that this hardware has not been designed with the GNSS use-case in
mind, it is interesting to investigate what impact using such hardware may have on the achievable navigation performance of a
software GNSS receiver – in particular in relation to carrier phase processing.

Tracking the carrier phase brings many benefits in GNSS signal processing — data demodulation performs better, code tracking
can be improved by carrier aiding, range measurements can be improved via carrier smoothing and, not least, so-called carrier

1
phase (or accumulated delta range) measurements can be made, enabling high precision Carrier Phase Differential GNSS
(CPDGNSS).

In this work we perform a thorough investigation of the capabilities of a number of commodity SDR platforms in relation to
carrier phase tracking. Focus is given to the ability to provide code carrier coherence, a key requirement for carrier aiding,
carrier smoothing and carrier phase measurement generation.

INTRODUCTION

Software Defined Radio (SDR) has emerged as a very interesting paradigm in wireless communications in the last twenty
years. The ever increasing capacity of commercial processors has enabled the transition of communications signal processing
tasks from custom ICs to general purpose processors, thereby opening new possibilities in flexible communications. Emerging
initially from the field of defense communications, the availability of low cost hardware platforms, capable of downconverting
and digitizing raw RF data over a wide spectral range, has opened the field up to researchers, universities and hobbyists outside
of the defense field.

The application of SDR principles to GNSS dates back to the late 1990s and the work of Dennis Akos [1] and others, and a
large number of “software receivers” have since been described in the literature [2, 3, 4, 5]. Of course, a software receiver
requires a hardware front-end SDR platform in order to obtain signals to process, and while a number of GNSS-specific
platforms have been developed and commercialized, the relatively small market for GNSS front-ends compared to general
purpose communications front-ends means that these devices tend to be significantly more expensive than their communications
counterparts.

In this work, we investigate the use of relatively low-cost “commodity” SDR platforms for carrier phase based processing of
GNSS signals. A detailed analysis of the features required of a front-end to be usable for carrier phase based processing is
conducted and it is shown that even very low cost (USD $30) SDRs can be used in this way. This conclusion is validated by
a demonstration of Real-Time Kinematic (RTK) positioning in a very short baseline configuration using only a low-cost L1
only-antenna and an RTL-SDR USB dongle front-end.

In the next section we describe the various types of carrier-phase based processing that are typically conducted in a GNSS
receiver. It is shown that three different uses of the carrier phase can be considered: data demodulation, carrier aiding and
carrier-phase based differential positioning. In this order, use case places extra burden of requirements on the SDR platform,
which are identified in this paper. Following this, the next section describes the fractional-N PLL – a key enabling technology
for the wide-spectral range of modern commodity SDR platforms. A detailed analysis is then conducted of a subset of three
commonly used SDR platforms: the RTL-SDR, the HackRF and the BladeRF, and it is shown how L1-only phase processing
can be achieved with each. Finally, a short experiment is described in which RTK positioning with fixed integer ambiguities is
demonstrated with an RTL-SDR dongle and a low-cost L1-only patch antenna.

CARRIER PHASE PROCESSING

Positioning by GNSS is based primarily on estimating the pseudorange via measurement of the received code phase. The
code itself consists of a pseudorandom sequence modulated onto a wideband pulse. The structure of the pulse is the primary
determinant of ranging accuracy, while the pseudorandom sequence is chosen to remove timing ambiguity and to enable multi-
access. In most current GNSS signals the code is further coherently modulated by a data bit stream, such that the signal phase
is information bearing. The first benefit of carrier phase processing is therefore in data demodulation. The baseband equivalent
signal model is then given by: X X
xbb (t) = dm ΠTd (t − mT d ) × cn s (t − nT c ) (1)
m n

where dm is a sequence of (in general, complex) data symbols, ΠTd (t) is a rectangular pulse of duration T d the data bit duration,
cn is the pseudorandom chip sequence, s(t) is the code pulse shape and T c is its duration.
The code ranging accuracy is unaffected by modulation by a pure sinusoidal carrier, which simply shifts the frequency content
of the signal. This form of carrier modulation is essential to transmit GNSS signals in frequency bands that are compatible
with trans-ionospheric propagation, and hence are reserved for space-to-earth or earth-to-space communication. In this work
we model the carrier modulation as a complex exponential, such that the signal transmitted by the satellite is given by:

y(t) = xbb (t) exp j 2π fL t + φ0

 

(2)

where fL is the center frequency and φ0 is the arbitrary phase of the carrier at t = 0. In all current GNSS the satellite signal
generator maintains coherence between the code and the carrier. In practice this means that the t variable in the x(t) term and
that in the exponential term are the same – after an interval of δt seconds, the code phase will have advanced by δt/T c chips
while the carrier phase will have advanced by δt fc cycles. This naturally suggests a way to obtain a secondary estimate of
the change, or delta, in the pseudorange measurement, by measuring the change in carrier phase over the same time interval.
For large center frequencies, such as those typical in GNSS signals, it is possible to make carrier phase measurements that are
orders of magnitude more accurate than the code phase measurements. This absolutely requires that the code and carrier are
also generated coherently within the receiver. If this condition is met, then only dispersive channel effects lead to a “divergence”
between the code and the carrier – and in a typical GNSS channel the code and carrier have a coherence time of many seconds.

The commodity SDR hardware platform downconverts and digitizes the raw RF signal according to:

r(trx ) = xbb (ttx ) exp j 2π { fL ttx − fc trx } + φ0 − θ0

 

(3)
= xbb (ttx ) exp j 2πFIF trx + φ(ttx )
 

(4)

where ttx is the signal transmit time at receiver time trx , fc is the SDR set-point center frequency, θ0 is the arbitrary phase of
the local oscillator at trx = 0, FIF = fL − fc is the Intermediate Frequency (IF) and φrx is the total accumulated phase difference
between the local IF and the received signal since trx = 0. Code/carrier coherence requires that the IF frequency is known
precisely so that the remaining φ(t) term estimated by the receiver is coherent with the code-based pseudorange.

This code/carrier coherence is typically exploited in one of two ways:

1. Carrier aiding of the code tracking loop, where the code tracking is driven directly by the carrier PLL and only a low-order
narrow-bandwidth code tracking loop is employed to track residual code/carrier divergence
2. Carrier smoothing of the code measurements, which is essentially the same process, but applied at the measurement level
rather than the tracking level.

To implement either of these approaches requires that the receiver code and carrier generators are coherent. For an SDR
implementation perspective, this also requires knowingly precisely the ratio between the sampling rate and the IF.

It is critical at this point to highlight the difference here between the typical communications application of carrier phase
processing (demodulating coherently modulated data sequences) and the navigation application (carrier aiding/smoothing to
provide more accurate pseudorange measurements). By far the vast majority of applications for which commodity SDRs are
used are in the field of communications, and so the absolute coherence of the code and carrier are not considered of any great
importance. This is why in most SDR Application Programming Interfaces (APIs) there is no mechanism to determine the
precise setpoint frequency configured.

The final use of carrier phase processing in GNSS receivers is the use of carrier phase differential GNSS to obtain centimeter
level accuracy. This is the basis for the so-called Real-Time Kinematic (RTK) positioning approach, which is effectively a form
of interferometry. Referring to (3), an extra condition on carrier phase processing required for RTK is that the IF wipe-off must
be identical for each signal (i.e. the same phase at the same sample for each signal). This ensures that the receiver carrier phase
clock bias is common across all satellites and hence cancels in differencing.

Table 1 summarizes the requirements on a commodity SDR in order to use it for each of the carrier phase processing applications
discussed above. Note that only the stable frequency reference and low phase noise requirements are needed for coherent
data demodulation, and hence are the only requirements met by default by most commercially available multi-purpose SDR
 Table 1: Requirements for various carrier phase processing applications
Application
Requirement Data Demodulation Carrier Aiding RTK
Low phase noise X X X
Stable frequency reference X X X
Code/carrier coherence X X
Precisely known IF X X
Common IF phase X

platforms. The requirement for code carrier coherence is typically met as a single clock source is typically used to drive both
mixers and Analog to Digital Converters (ADCs). The lack of a requirement for a perfectly known IF means that most SDR
APIs do not provide an interface for accessing the precise setpoint center frequency – typically the API simply returns the center
frequency requested, leading the caller to assume the IF is zero. The last requirement, for identical IF carrier wipe-off across
all signals, must be implemented in the GNSS software receiver and so is independent of the particular SDR hardware used.

FRACTIONAL-N PLLs

The fractional-N PLL is a key enabling technology for all commodity SDRs on the market. The basic concept is to use a
feedback control loop to establish a tunable frequency source from a fixed oscillator. Fractional-N PLLs are typically used
in generating the RF and IF signals input to the mixers in the downconversion chain, and may also be used in generating the
sampling clock for the receiver ADC.

Figure 1 shows the high level block diagram of a fractional-N PLL, consisting of the following components:

• A local reference oscillator – typically a VCXO or VCTCXO in the tens of MHz range.
• An input frequency divider (÷R), an output frequency divider (÷M) and a feedback frequency divider (÷K), typically
tunable to keep the PLL operating in its optimum range.
• A Phase Frequency Detector (PFD), which generates an output error signal proportional to the phase difference between
its two inputs
• A loop filter.
• A Voltage Controlled Oscillator (VCO), which generates an output frequency reference proportional to the input voltage.
• A feedback divider (÷N), which is an integer value that is typically programmable over a large range.
• A control block that is really the heart of the device, described in more detail below .

The feedback control block implements the fractional part of the division by pseudorandomly toggling the feedback divisor
between N and N + 1 such that the divisor is N + 1 for a fraction α : 0 ≤ α < 1 of the time. The fraction α is typically setable
with a resolution of 16 to 32 bits:
P
α = B : 0 ≤ P < 2B (5)
2
The nominal frequency generated by the fractional-N PLL is therefore given by:
FRef × K  P
FOut = × N+ B (6)
R×M 2
The frequency resolution is a function of the setpoint frequency, as it is the setpoint frequency that determines the values chosen
for R and M. Given these choices, then the frequency resolution of the fractional-N PLL is given by:
FRef × K
δf = (7)
R × M × 2B
 VCO

FRef ×K
÷R PFD Loop Filter ÷M M×R [N + α]

÷N ÷K
FRef

Control
α

Figure 1: General model of a fractional-N PLL. All divisions are integer frequency divisions, reducing the frequency by an
integer factor. The control block toggles the feedback divisor between N and N + 1 in a pseudorandom fashion at a rate
sufficiently high that only the average is seen at the output of the loop filter.

Dithering

The control logic employed by the fractional-N PLL is beyond the scope of this work, however, it is worth noting that many
algorithms exist to manage switching the feedback divisor between N an N +1. Typically, the pseudorandom switching between
N and N + 1 is achieved in a manner that shapes the quantization noise, forcing noise power to higher frequencies. The loop
filter then filters out much of the quantization noise, leading to reduced phase noise in the PLL.

One issue associated with this form of control loop is that the pseudorandom sequence is typically periodic, and this induces
spurs in the generated frequency reference. This effect is often mitigated against by adding a zero-mean “dither” sequence to
one or more of the LSBs of the fractional component.

In our investigations we have identified two classes of dithering:

Class A where the dither sequence is applied to one of the settable bits of the fractional register
Class B where the dither sequence is applied to an apparent extra bit that is not otherwise settable.

For Class B dithering it appears that the extra dithered bit is set to 1 when dithering is disabled, at least for the devices that we
have considered.

When using a fractional-N PLL in a GNSS context it is essential to know precisely the nominal value of the set-point frequency,
so this dithering operation must be accounted for. For example, given the fractional-N PLL model of (6), and assuming that
Class A dithering is applied to the Bth
d bit, then the actual output frequency needs to be adjusted as follows:
" #
FRef × K P Id
FOut = × N + B ± B +1 (8)
R×M 2 2 d
where Id is the dithering indicator function (0 when dithering is disabled and 1 when it is enabled) and the additional term is
positive if the Bth
d bit of P is a zero, and negative if it is a one.

For Class B dithering we obtain " #

FRef × K P 1 − Id Id
FOut = × N + B + B+1 + B+2 (9)
R×M 2 2 2
 a) RTL-SDR b) HackRF c) BladeRF

Figure 2: The three commodity SDR platforms considered in this work.

FREQUENCY SETTING IN COMMON COMMODITY SDR HARDWARE

In the following sections we consider three commonly used commodity SDR platforms, and by careful investigation of their
design, determine the precise IF frequencies obtained when tuning to the GPS L1 center frequency. The three SDRs considered
are, in increasing order of cost: 1) the RTL-SDR v3 [6]; 2) the HackRF[7]; 3) the BladeRF [8]. All three devices are shown in
Figure 2.

While this investigation is not exhaustive, it does cover a range of costs and capabilities, from the $20 RTL-SDR to the $400
BladeRF. Moreover, armed with the techniques demonstrated here, it should be trivial for designers to determine the appropriate
IF frequencies for any other setpoint frequency of their choosing.

RTL-SDR

The RTL-SDR dongle is a small form factor USB dongle based on an original design for providing Digital Video Broadcast
(DVB) capability to laptop computers. It is built around the RealTek RTL2832U chip (which is where it gets its name), which
is a DVB decoder chip designed to operate with a variety of different DVB broadcast frequencies in different parts of the world.
Once these DVB tuner dongles were marketed, a number of hobbyists noticed that the RTL2832U chip provided access to the
raw I/Q samples in addition to the decoded video frames. A custom driver was made available on github and a community built
up around the use of these devices for general purpose SDR.

A number of dongles based on the RealTek chipset have been developed over the years, in this work we focus on the RTL-SDR
v3 device from rtl-sdr.com. This device has a number of advantages for GNSS uses compared with similar dongles, most
notably a relatively high quality 1 ppm Temperature Compensated Crystal Oscillator (TCXO) and a built-in bias-T to provide
power to an active GNSS antenna.

A simplified high-level block diagram of the RTL-SDR v3 is shown in Figure 3, where it can be seen to consist of a wideband
tuner chip (the R820T) and the RTL2832U, both driven by the same 28.8 MHz TCXO. The tuner chip consists of a fractional-N
PLL and quadrature mixer, which is used to bring the desired signal down to a low IF (about 2 to 7 MHz depending on the
desired bandwidth). The RTL2832U then digitizes the low IF and brings the negative frequency side-lobe to baseband using
digital downconversion.

The R820T fractional-N PLL has 8-bit integer and 16-bit fractional resolution, with what appears to be a hidden 17th bit that is
used for dithering (i.e. Class B dithering). This hidden bit seems to have been first identified by Michele Bavaro in a blog post
in 2014 [9]. If dithering is enabled this bit is dithered between zero and one, while if dithering is disabled this bit appears to be
held at one. From (9) the Local Oscillator (LO) frequency at the input to the mixer is given by:
2 × FRef  P 
FLO = N + 16 + 2−17 − Id 2−18 (10)
M×R 2
where Id is the dither indicator, being 1 if dithering is enabled or zero otherwise. Dithering appears to be controlled via bit 4
 Tuner Digitizer

R820T RTL2832U USB

28.8 MHz

Figure 3: Simplified block diagram of the RTL-SDR v3 dongle

(zero indexed) of register 0x24 in the R820T, setting this bit to one disables dithering.

The RTL2832U chip first digitizes the IF signal output by the R820T using a sampling rate derived from the 28.8 MHz reference.
The highest rate at which the dongle can reliable stream samples without randomly dropping packets appears to be 2.4 MHz,
which is FRef /12. Given this low sampling rate, the RTL-SDR driver attempts to tune the R820T to an IF of −1.815 MHz
(interestingly, neither the R820T nor the RTL2832U can tune to precisely this frequency). When tuning to the GPS L1 frequency
the driver chooses a reference divisor R = 1 and output divider M = 2, in order to keep the PLL operating in its optimal range.
With these values the tuning resolution of the R820T is approximately 440 Hz.

The RTL2832U digital downconversion has a 22-bit frequency resolution, so the effective IF brought to baseband by the chip
is given by:
Q
FDDC = −FRef 22 : 0 ≤ Q < 222 (11)
2
The true center frequency that the RTL-SDR v3 tunes to is then given by:
Fc = FLO + FIF
"  Q#
2  P
= FRef N + 16 + 2−17 − Id × 2−18 − 22 (12)
M×R 2 2
When a set-point center frequency of 1575.42 MHz is requested through the RTL-SDR driver API, the following parameters
are configured: Q = 264328, N = 54, P = 50142, M = 2, R = 1, Id = 1. Thus, the actual center frequency that is brought
down to DC is given by: 
1575420172.119140625 Hz Id = 1

Fc = 

(13)
1575420281.982421875 Hz Id = 0


Equivalently, the true IF is given by:


512 = −172.119140625 Hz
− 88125 Id = 1

FIF = 

(14)
− 144375 = −281.982421875 Hz Id = 0

512

To demonstrate the accuracy of this approach, two consecutive 5 minute data sets were collected using an RTL-SDR v3 dongle.
An L1-only patch antenna was placed in a restricted view environment (just outside of an office window) and data was recorded
using a slightly modified version of the rtl_sdr program that comes with librtlsdr. The first five minute segment was
recorded with dithering enabled, then a second five minute dataset was collected with dithering disabled. Each data set was
processed twice using gnss-sdr: first assuming that the IF was zero, and secondly correcting for the IF as per (14).

Figure 4 shows the difference between the code and carrier frequencies measured for all (four) satellites in view using gnss-sdr.
The code frequency has been filtered and scaled to units of Hz. The impact of the non-zero IF is clearly visible in Figure 4 a)
and c), while the accuracy of the correction factor can be seen in Figure 4 b) and d).
 300 300
fcode - fcarr [Hz]

fcode - fcarr [Hz]

200 200

100 100

0 0

0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
a) Dithering on, no IF correction b) Dithering on, IF corrected
300 300
fcode - fcarr [Hz]

fcode - fcarr [Hz]

200 200

100 100

0 0

0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
c) Dithering off, no IF correction d) Dithering off, IF corrected

Figure 4: Difference between code and carrier frequencies observed from tracking RTL-SDR data. The code frequency estimate
has been filtered and scaled to units of Hz at L1. In each case four satellites were tracked, each SV is represented by a different
colour.

To further demonstrate the importance of this correction, Figure 5 shows the code minus carrier pseudorange measurements
for all four cases. The y axes are in units of kilometers for the uncorrected plots and meters for the corrected plots, and the
measurements have been arbitrarily set to zero at t = 10 s. It is clear from Figure 5 that the code minus carrier measurement
exceeds 10 km over five minutes for the uncorrected cases, while it remains near zero mean for the entire five minute duration
when the IF correction is applied.

This code/carrier coherence is essential for the receiver to take full advantage of carrier phase processing – without it, carrier
aided code tracking and carrier phase differential positioning are simply not possible.

HackRF

The HackRF is a half duplex transceiver SDR from Great Scott Gadgets built around the MAX2837 wideband RF transceiver
chip and the MAX5864 ADC/DAC both from Maxim Integrated Circuits. The MAX2837 performs direct conversion to zero
IF for RF signals in the range of 2150 MHz to 2750 MHz. The HackRF extends this frequency range to ≈ 30 MHz to 6 GHz
using the wideband RFFC5072 synthesizer/mixer chip from Qorvo. Finally, an Si5351 clock generator chip from Silicon Labs
is used to derive reference clocks for each of the other chips from either an on-board 25 MHz oscillator or from a 10 MHz
external frequency reference.

The RFFC5072 consists of a fractional-N PLL and a mixer. The fractional-N PLL has a resolution of 9-bits for the integer
part and 24-bits for the fraction part, and a Class B dithering option which is disabled by default. The MAX2837 also contains
a fractional-N PLL, with an 8-bit integer part and 20-bit fractional part. In this case there does not appear to be a dithering
option. The Si5351 can be configured to generate up to 8 clocks from either the on-board or external frequency references. In
the current configuration of the HackRF firmware (from the February 2017 buld onwards) the Si5351 is configured to generate a
50 MHz reference for the RFFC5072 and a 40 MHz reference for the MAX2837. When tuned to the GPS L1 center frequency,
the HackRF selects the following parameters:
 20
50
10
CMC [km]

CMC [m]
0 0

-10
-50
-20
0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
a) Dithering on, no IF correction b) Dithering on, IF corrected
20
50
10
CMC [km]

CMC [m]
0 0

-10
-50
-20
0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
c) Dithering off, no IF correction d) Dithering off, IF corrected

Figure 5: Difference between code and carrier range measurements observed from tracking RTL-SDR data. The measurements
have been scaled to units of metres and arbitrarily set to zero at 10 s. In each case four satellites were tracked, each SV is
represented by a different colour. Note that without the IF correction, the code carrier divergence exceeds 10 km after five
minutes. Note also that the left hand plots have units of km while the rand hand plots have units of m.

Mixer Transceiver Digitizer

RFFC5072 MAX2837 MAX5864 USB

25 MHz (On Board) Si5351 10 MHz (External)

Clock Gen

Figure 6: Simplified block diagram for the HackRF receive chain

 50 50
fcode - fcarr [Hz]

fcode - fcarr [Hz]

0 0

-50 -50
0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
a) Dithering on, no IF correction b) Dithering on, IF corrected
50 50
fcode - fcarr [Hz]

fcode - fcarr [Hz]

0 0

-50 -50
0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
c) Dithering off, no IF correction d) Dithering off, IF corrected

Figure 7: Difference between code and carrier frequencies observed from tracking HackRF data. The code frequency estimate
has been filtered and scaled to units of Hz at L1. In each case seven satellites were tracked, each SV is represented by a different
colour. Note that in a) one of the satellites loses lock after about 180 s.

• RFFC5072: FRef = 50 MHz, N = 19, P = 16693329, B = 24 R = 1, M = 1, K = 4, Class B dithering (disabled by

default). Inserting into (9) yields:
FRFFC = 3998.999999499321 MHz

• MAX2837: FRef = 40 MHz, N = 80, P = 824180, B = 20, R = 4, M = 1, K = 3, no dithering. Inserting into (6) yields:

FMAX = 2423.57997894287 MHz

As can be seen, this results in a high side injection (the mixer brings the negative frequency component of the RF signal
into the bandwidth of the MAX2837), which is subsequently corrected for by complex conjugation in the on-board Complex
Programmable Logic Device (CPLD). The resulting tuned center frequency is:

Fc = FRFFC − FMAX = 1575.42001605034 MHz (15)

which is just over 16 Hz higher than the setpoint frequency. A little algebra shows that the exact IF is:
1051875
HackRF
FIF =− = −16.0503387451172Hz (16)
216
Interestingly, while the RFFC5072 has an option to enable dithering by setting bit 14 of register 0x12, doing so does not appear
to affect the setpoint IF. It is unclear whether setting this bit actually enables dithering or not.

Again, the validity of this result was tested by collecting two consecutive five minute datasets, one with dithering enabled, and
one with it disabled. The resulting datasets were again processed using gnss-sdr. Figure 7 shows the difference in scaled
code and carrier frequencies for all satellites in view. In this case, contrary to the RTL-SDR, the IF term is small relative to the
noise and so it is hard to see an benefit to the correction. Note also that one of the satellites loses lock after about 180 s when
dithering is on and no IF correction is applied – it is not fully understood why this happened only in this case, but it should not
be considered a reflection on the approach proposed.
 50
500
CMC [m]

CMC [m]
0 0

-500
-50
0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
a) Dithering on, no IF correction b) Dithering on, IF corrected
50
500
CMC [m]

CMC [m]
0 0

-500
-50
0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
c) Dithering off, no IF correction d) Dithering off, IF corrected

Figure 8: Difference between code and carrier range measurements observed from tracking HackRF data. The measurements
have been scaled to units of metres and arbitrarily set to zero at 10 s. In each case seven satellites were tracked, each SV is
represented by a different colour. Note that in a) one of the satellites loses lock after about 180 s. Note also the difference in
scale between the left hand and right hand plots.

Figure 8 shows the code minus carrier pseudorange measurements for the same data. Again, the impact of the IF correction
is immediately clear. Even over an interval as short as five minutes a residual IF term of only 16 Hz very rapidly leads to
code carrier divergence of many hundreds of metres. Once the IF correction is applied, the code/carrier drift can be seen to be
completely eliminated.

BladeRF

The BladeRF is one of a new generation of commodity SDRs built around fully integrated Radio Frequency Integrated Circuits
(RFICs) that perform frequency synthesis, downconversion and digitisation in one package. The BladeRF is based on the
LimeMicro LMS6002D chip, which has a frequency range of 0.3 to 3.8 GHz, 12-bit ADC/Digital to Analog Converter (DAC),
up to 28 MHz of RF bandwidth and sampling rates up 40 Msps.

A simplified block diagram is shown in Figure 9, which shows the components of primary interest from a carrier phase pro-
cessing perspective. The most significant difference between the BladeRF and the other devices considered in this work is that
the frequency synthesis, downconversion and sampling are all implemented in the monolithic LMS6002D IC. In addition there
is a Si5338 clock generator, which is used to generate the sampling clock for the ADCs on the LMS6002D. Of interest also is
that the both the on-board oscillator and the optional external frequency reference have a frequency of 38.4 MHz, which is not
a common frequency standard used in GNSS.

The LMS6002D frequency synthesizer is a fractional-N PLL with 23 bit fractional resolution and 16 bit integer resolution. The
device has an optional dithering setting that appears to dither the LSB by default (other dithering options are available). This is
a Class A dithering device.

When tuned to L1 the BladeRF sets the following parameters: N = 164, P = 891290, R = 4, M = 1, K = 1, B = 23, Class A
 Transceiver

LMS6002D USB

38.4 MHz (On Board) Si5338 38.4 MHz (External)

Clock Gen

Figure 9: Simplified block diagram for the BladeRF receive chain

dithering, enabled by default. Substituting into (8) yields:

!
38.4MHz 891290 1
Fc = × 164 + 23
+ 24
4 2 2
= 1575.42000102997MHz. (17)
Dithering can be easily disabled by setting the MSB of register 0x24 on the LMS6002D to zero (easily achievable using the
bladeRF-cli command). When dithering is disabled the true center frequency is given by inserting the LMS6002D parameters
into (8):
!
38.4MHz 891290
Fc = × 164 +
4 223
= 1575.42000045776MHz. (18)
So the true IF for the BladeRF when tuned to L1 is given by:

−1.02996826171875 Hz
 Id = 1
FIF = 

(19)
−0.457763671875 Hz
 Id = 0

Once again, the validity of these results were tested by recording two consecutive 5 minute datasets, one with dithering enabled
and the other with it disabled. In this case, as the frequency difference is almost impossible to see. Figure 10 shows the code
minus carrier pseudorange measurements for the same datasets, where the impact of the residual IF becomes immediately clear,
with a code carrier divergence of approximately 60 m over the five minute interval when dithering is enabled and approximately
25 m when dithering is disabled. While this level of divergence may not cause significant stress in the carrier-aided code tracking
loop, it does have the potential to cause problems for the Kalman filter used in RTK positioning.

RESULTS: RTK POSITIONING USING AN RTL-SDR AND A RASPBERRY PI

Real-Time Kinematic positioning is a carrier phase based differential approach yielding centimeter level accuracy. It is typi-
cally implemented in high end receivers specifically designed for the high precision market. In recent years the open source
RTKLIB software has enabled centimeter level positioning without the need for high end hardware, though receivers capable
of generating usable carrier phase observations are required to use this software.

In this section we present some results of using a fully software GPS L1 C/A receiver, running on a Raspberry Pi single
board computer connected to an RTL-SDR v3 dongle and a low cost patch antenna, to generate a real-time Radio Technical
 50 50
CMC [m]

CMC [m]
0 0

-50 -50
0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
a) Dithering on, no IF correction b) Dithering on, IF corrected
50 50
CMC [m]

CMC [m]
0 0

-50 -50
0 50 100 150 200 250 300 0 50 100 150 200 250 300
Time [s] Time [s]
c) Dithering off, no IF correction d) Dithering off, IF corrected

Figure 10: Difference between code and carrier range measurements observed from tracking BladeRF data. The measurements
have been scaled to units of metres and arbitrarily set to zero at 10 s. In each case seven satellites were tracked, each SV is
represented by a different colour.

Commision Maritime (RTCM) 3 stream of code and carrier observations that are fed as rover measurements to a real-time
running instance of RTKLIB. In this real-time mode, RTKLIB is able to achieve a fixed integer ambiguity solution over a very
short baseline (a few meters), and also over a longer 6 km baseline in post-processing. A u-blox M8-P receiver was used to
generate the base-station measurements in the short-baseline test, while an Ordnance Survey Ireland (OSI) permanent reference
station was used for the longer baseline. Unfortunately no real-time stream is available from the OSI station, which is why this
data was post-processed.

The u-blox base station and RTL-SDR rover antennas were configured in a relatively clear-sky environment, approximately
aligned north-south and vertically, and with a baseline of approximately 122 cm (the rover antenna being approximately due
east of the base). The OSI reference station is located approximately 6.4 km from the rover. The base station location was first
surveyed using the OSI reference and RTKLIB. A real-time test was conducted wherein a custom software receiver running
on the Raspberry Pi was programmed to generate RTCM3 messages, which were broadcast over a LAN. The u-blox base
station was connected via serial port to a server on which RTKLIB was installed. RTKLIB read the RTCM messages from
the Raspberry Pi and the raw u-blox messages from the base station and computed an RTK kinematic position fix. Both the
base station and rover data were also logged and both were post-processed, again using RTKLIB, using the OSI station as a
reference.

The results are illustrated in Figure 11, on the left the scatter plot of the north and east baselines relative to the surveyed-in base
station location are shown for both the real-time (UBX-RTL) and post-processed (OSI-RTL) rover data when the ambiguities
were fixed. On the right, the full time series baseline north, east and up components are shown for the three RTK solutions
(including this time the post-processed position of the base-station). Note that all the solutions achieve fixed ambiguities within
15 minutes, and indeed much faster than this for the short baseline.

From the figure we can see that the data from the RTL-SDR has been sufficient to compute a fixed ambiguity RTK solution
over short baselines. The longer baseline results are less encouraging, being noticeably noiser and requiring almost 15 minutes
convergence.
 6
2

N [m]
4 0

-2
2 0 1000 2000 3000
North [cm]

E [m]
0
0

-2 -2
0 1000 2000 3000
2

U [m]
-4 OSI-RTL
OSI-RTL 0 OSI-UBX
UBX-RTL
UBX-RTL
-6 -2
116 118 120 122 124 126 128 0 1000 2000 3000
East [cm] Time [s]
a) b)

Figure 11: Scatter plot of computed north and east offset relative to the computed base-station coordinates. The base station is a
u-blox M8-P (UBX) and the rover is an RTL-SDR v3 dongle attached to an L1-only patch antenna and processed on a Raspberry
Pi 3. The UBX to RTL-SDR short baseline was cross checked against a longer (6.4 km) baseline to an OSI permanent reference
station (shown in blue).

CONCLUSION

In this paper we have presented an analysis of carrier phase processing using commodity SDR hardware. A detailed analysis
of the fractional-N PLL has been performed and a methodology for establishing the true nominally tuned center frequency has
been provided. The utility of this approach has been demonstrated by the determination of the exact center frequency tuned for
three common SDR platforms when the desired setpoint is the GPS L1 frequency. In each case the ability to produce perfectly
coherent code and carrier measurements has been demonstrated. Finally, in what appears to be a first, the ability to perform
RTK positioning using an extremely low cost RTL-SDR dongle has been demonstrated.

References

[1] D. M. Akos, A software radio approach to global navigation satellite system receiver design. PhD thesis, Ohio University,
1997.
[2] B. M. Ledvina, S. P. Powell, P. M. Kintner, and M. Psiaki, “A 12-channel real-time GPS L1 software receiver,” in Proc. of
ION NTM 03, pp. 22–24, 2003.

[3] K. Borre, D. M. Akos, N. Bertelsen, P. Rinder, and S. H. Jensen, A software-defined GPS and Galileo receiver: a single-
frequency approach. Springer Science & Business Media, 2007.
[4] M. G. Petovello, C. O’Driscoll, G. Lachapelle, D. Borio, and H. Murtaza, “Architecture and benefits of an advanced GNSS
software receiver,” Journal of Global Positioning Systems, vol. 7, no. 2, pp. 156–168, 2008.

[5] C. Fernandez-Prades, J. Arribas, P. Closas, C. Aviles, and L. Esteve, “GNSS-SDR: an open source tool for researchers and
developers,” in Proc. ION GNSS 2011, pp. 780–0, 2011.
[6] “Rtl-sdr website.” https://www.rtl-sdr.com/. [Online; accessed 24-August-2018].
[7] “HackRF github page.” https://github.com/mossmann/hackrf/. [Online; accessed 24-August-2018].

[8] “ BladeRF web page.” https://www.nuand.com/bladerf/. [Online; accessed 24-August-2018].

 [9] M. Bavaro, “GNSS carrier phase, RTLSDR, and fractional PLLs (the necessary evil).” http://michelebavaro.
blogspot.com/2014/05/gnss-carrier-phase-rtlsdr-and.html, 2014. [Online; accessed 24-August-2018].

View publication stats