About sniff multi bursts in a frame, CCCH_CONF

Aegean Chou aegean2000 at 21cn.com
Wed Sep 28 05:30:22 CEST 2011


Hi, Sylvain Munaut

	I modified the code to support 4 TSs in a frame.
	For simplicity, I use bit0 of ul for uplink only, and use bit2-4 of ul for tn temporarily.
	The following is the sched_set:

	if (ul & 0x01) {
		l1s_rx_win_ctrl(arfcn | ARFCN_UPLINK, L1_RXWIN_NB, 3);
	} else {
		l1s_rx_win_ctrl(arfcn, L1_RXWIN_NB, (ul >> 1) & 0x07);
	}

const struct tdma_sched_item sniff_ccch4_sched_set[] = {
						SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 0),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 4, 0),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 8, 0),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 12, 0),	SCHED_END_FRAME(),
						SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 1),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 4, 1),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 8, 1),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 12, 1),	SCHED_END_FRAME(),
	SCHED_ITEM(l1s_sniff_resp, -5, 0, 0),	SCHED_ITEM(l1s_sniff_resp, -5, 4, 0),	SCHED_ITEM(l1s_sniff_resp, -5, 8, 0),	SCHED_ITEM(l1s_sniff_resp, -5, 12, 0),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 2),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 4, 2),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 8, 2),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 12, 2),	SCHED_END_FRAME(),
	SCHED_ITEM(l1s_sniff_resp, -5, 0, 1),	SCHED_ITEM(l1s_sniff_resp, -5, 4, 1),	SCHED_ITEM(l1s_sniff_resp, -5, 8, 1),	SCHED_ITEM(l1s_sniff_resp, -5, 12, 1),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 0, 3),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 4, 3),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 8, 3),	SCHED_ITEM_DT(l1s_sniff_cmd, 0, 12, 3),	SCHED_END_FRAME(),
	SCHED_ITEM(l1s_sniff_resp, -5, 0, 2),   SCHED_ITEM(l1s_sniff_resp, -5, 4, 2),   SCHED_ITEM(l1s_sniff_resp, -5, 8, 2),   SCHED_ITEM(l1s_sniff_resp, -5, 12, 2),  SCHED_END_FRAME(),
	SCHED_ITEM(l1s_sniff_resp, -5, 0, 3),	SCHED_ITEM(l1s_sniff_resp, -5, 4, 3),	SCHED_ITEM(l1s_sniff_resp, -5, 8, 3),	SCHED_ITEM(l1s_sniff_resp, -5, 12, 3),	SCHED_END_FRAME(),
	SCHED_END_SET()
};

	and tdma_sched.h "#define TDMASCHED_NUM_CB	10". Yes, I can get CCCH Paging at TS0, TS2, TS4 and TS6 now, but the firmware puts many "DSP Error Status: 24".
	According to dsp_error, it's an IQ_SAMPLES error and a DMA_PEND error. What's wrong?

/* DSP error as per ndb->d_error_status */
enum dsp_error {
	DSP_ERR_RHEA		= 0x0001,
	DSP_ERR_IQ_SAMPLES	= 0x0004,
	DSP_ERR_DMA_PROG	= 0x0008,
	DSP_ERR_DMA_TASK	= 0x0010,
	DSP_ERR_DMA_PEND	= 0x0020,
	DSP_ERR_VM		= 0x0080,
	DSP_ERR_DMA_UL_TASK	= 0x0100,
	DSP_ERR_DMA_UL_PROG	= 0x0200,
	DSP_ERR_DMA_UL_PEND	= 0x0400,
	DSP_ERR_STACK_OV	= 0x0800,
};

======= 2011-09-26 14:10:17 =======

>>        The BTS around me uses MultiCCCH, it's CCCH_CONF = 110 (6), so it uses TS0, TS2, TS4 and TS6 in a frame for PCH/AGCH.
>
>Mmm, interesting, I had never seen that option being used before. What
>network is this?
>
>>        but in the burst_ind only CCCH-CONF 0 & 1 are supported, it can sniff TS0 only, so it only catches 1/4 of the IMM ASS for me.
>>        my OWN phone, it's just not in TS0 (I use nokia netmonitor to check it), so I can't catch it at all (phones use IMSI to decide page group).
>
>Well, it's your own phone (or any known target phone), you know the
>IMSI, hence the paging group ...
>
>
>>        I think the bottleneck is the DSP, as the DSP task (ALLC_DSP_TASK) can only process one TS of a frame (it's enough for a phone),
>>        I think maybe a patch to backup/restore the DSP task variables is needed, I'm new to DSP disassembly and patching, can anyone help? Thanks
>
>That's gonna be _very_ hard, the DSP uses _plenty_ of global variables ...
>
>But OTOH, instead of using the normal 'RX task', you can use the sniff
>task to listen to the CCCH. The sniff task will _not_ do the channel
>decoding (i.e. you'll have to call xcch_decode to get the actual 23
>bytes L2 frame), but it can sniff up to 4 bursts in a frame. Just look
>at how sdcch sniffing is done, it currently sniffs 2 timeslots, 0 & 3 (to
>get DL & UL).
>
>This way you won't need any hard DSP patching, just a minor patch on
>the firmware to convert CCCH listening to burst_ind (leave the BCCH
>task as it is, just mod the CCCH). And then a patch in the host app to
>call xcch_decode appropriately and feed the results 'as if' it came
>from the phone directly.
>
>Cheers,
>
>    Sylvain

= = = = = = = = = = = = = = = = = = = =
			

Best regards
				 
        Aegean Chou
        aegean2000 at 21cn.com
          2011-09-28
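
Added example (not part of the original message, and not OsmocomBB code): the idle-mode rule from 3GPP TS 45.002 section 6.5.2 that makes a phone with a given IMSI listen on only one of the TS0/TS2/TS4/TS6 CCCHs when CCCH_CONF = 6, which is why a TS0-only capture sees about a quarter of the traffic. The function and struct names are hypothetical, and the BS_AG_BLKS_RES and BS_PA_MFRMS values in main() are constructed; the real ones come from the cell's System Information.

```c
#include <stdio.h>

/* Where one MS listens for paging in idle mode. */
struct paging_loc {
	int tn;           /* timeslot of its CCCH: 0, 2, 4 or 6 */
	int paging_group; /* 0 .. N-1 */
	int mframe;       /* (FN div 51) mod BS_PA_MFRMS of its paging block */
	int block;        /* paging block index inside that 51-multiframe */
};

/* BS_CC_CHANS for a CCCH_CONF value; 0 for reserved values. */
static int ccch_conf_to_chans(int ccch_conf)
{
	switch (ccch_conf) {
	case 0: case 1: return 1;
	case 2: return 2;
	case 4: return 3;
	case 6: return 4;
	default: return 0;
	}
}

/* imsi_last3 is IMSI mod 1000. Returns 0 on success, -1 on bad parameters. */
int paging_locate(unsigned imsi_last3, int ccch_conf, int bs_ag_blks_res,
		  int bs_pa_mfrms, struct paging_loc *out)
{
	int chans = ccch_conf_to_chans(ccch_conf);
	/* paging blocks per 51-multiframe: 3 if combined with SDCCH, else 9 */
	int per_mf = (ccch_conf == 1 ? 3 : 9) - bs_ag_blks_res;
	int n, idx;
	if (!chans || bs_ag_blks_res < 0 || per_mf <= 0 ||
	    bs_pa_mfrms < 2 || bs_pa_mfrms > 9 || imsi_last3 > 999)
		return -1;
	n = per_mf * bs_pa_mfrms;              /* N: paging blocks on one CCCH */
	idx = imsi_last3 % (chans * n);
	out->tn = 2 * (idx / n);               /* CCCH_GROUP g is carried on TN 2g */
	out->paging_group = idx % n;
	out->mframe = out->paging_group / per_mf;
	out->block = out->paging_group % per_mf;
	return 0;
}

int main(void)
{
	struct paging_loc p;
	/* constructed input: IMSI ending in 123, CCCH_CONF 6, AG res 1, PA mfrms 5 */
	if (paging_locate(123, 6, 1, 5, &p) == 0)
		printf("TN%d group %d mframe %d block %d\n", p.tn, p.paging_group, p.mframe, p.block);
	return 0;
}
```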
