Eindhoven University of Technology

MASTER

Experimental setup for Bluetooth low energy ranging application

He, Y.

Award date:2016

Link to publication

DisclaimerThis document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Studenttheses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the documentas presented in the repository. The required complexity or quality of research of student theses may vary by program, and the requiredminimum study period may vary in duration.

General rightsCopyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright ownersand it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain

EXPERIMENTAL SETUP FOR BLUETOOTH LOW ENERGY

RANGING APPLICATION Master Thesis

AUGUST 9, 2016 (confidential until 10th August 2017)

DIALOG SEMICONDUCTOR Den Bosch

Yongchang He (No. 0928242)

Embedded Systems, Department of Mathematics and Computer Science

y.he.1@student.tue.nl

Supervisor:

Dr. Majid Nabi Najafabadi (Electronic Systems, TU/e)

Dr. Joek de Haas (Advanced Technology, Dialog Semiconductor)

i

Abstract Nowadays, there are more needs for indoor and small-scale ranging with low-cost consumer devices. Bluetooth Low Energy (BLE) is a short-range wireless standard supported by major smartphones, wearable devices and Internet-of-Things (IoT) manufacturers. With the integration of ranging solutions on BLE devices, people can enjoy all possibilities based on ranging between hundreds of millions of devices. Existing systems for BLE ranging application are mostly based on Received Signal Strength Indicator (RSSI) method only. Until now, no one has yet implemented Time-of-Flight (ToF) solution on a standard BLE product on the market, which shows great commercial and research value of this project.

We need to design ranging methods under the context of BLE specification and upon the hardware from Dialog Semiconductor. Consequently, the general ranging techniques, the BLE specification and the development kit are studied as the basis of our ranging application. In this project, we design and develop three ranging solutions based on Dialog BLE chip DA14681. For each solution, the user case is firstly discussed to ensure that the solution can be integrated on a standard BLE product and will raise enough interest on the market. With attractive user case, the algorithm is developed in mathematics and implemented in MATLAB. After the algorithm is well tested and understood in MATLAB, special BLE application is developed upon the hardware to collect valid data from real BLE transactions. Specific MATLAB script is developed to process these raw data to obtain correct input for the algorithm. In the end, practical measurements are conducted with target ranges and interested environment. The measurement results are analyzed and discussed to understand the characteristics of the solution.

In general, the merits and demerits of all three solutions are well understood through simulation and practical measurements. With this deep-level understanding of BLE ranging, the company can decide which solution to continue with and what improvement to make on current hardware and software design. For the best solution in range accuracy, we achieve 1m under moderate noise condition in MATLAB simulation. 2m accuracy is achieved measuring indoor distance change.

ii

Acknowledgment I thought 8 months is a long time but it is actually not. I would like to thank Dialog Semiconductor to offer this great opportunity to conduct this amazing project. Thanks Joek de Haas for your dedicated supervision. You are the one who leads us to the final fruit. Thanks Majid Nabi Najafabadi to be the campus supervisor and for your monitor of the whole procedure. Thanks Sai Janani Ramachandran for your everyday accompany and great cooperation on this topic. Thanks Jan Prummel for your solid RF knowledge support all the way along the project. Thanks Wessel Lubberhuizen, Wik Roovers, Michail Papamichail and Konstantinos Kottikas for your specific support of the project. Thanks Peter de Vreede, Mohammed Aissi & Catalin Tugui for introducing everyday engineering “fake loops”. Thanks everyone in this company for your help and interesting everyday interactions. I would like to thank my parents for their special and unconditional spiritual and financial support. Thanks Aran, hope you can find your true love one day whether it is me.

iii

Abbreviations GPS – Global Positioning System

IoT – Internet of Things

SIG – Special Interest Group

BLE – Bluetooth Low Energy

RSSI – Received Signal Strength Indicator

ToF – Time of Flight

IQ – In-phase & Quadrature

UWB – Ultra Wideband

TDoA – Time Difference of Arrival

TWR - Two-way Ranging

CRB - Cramer-Rao Bound

ISM - Industrial, Scientific and Medical

ADC – Analog-Digital Converter

AoA – Angle of Arrival

HCI – Host Controller Interface

L2CAP – Logical Link Control and Adaptation

GFSK – Gaussian Frequency Shift Keying

GAP – Generic Access Profile

AGC – Automatic Gain Control

CRC – Cyclic Redundancy Check

PDU – Protocol Data Unit

FHSS - Frequency Hopping Spread Spectrum

DUT – Device Under Test

GPIO – General Purpose Input/Output

DMIPS – Dhrystone Million Instructions per Second

PLL – Phase Locking Loop

RFPT – Radio Frequency Production Test

DMA – Direct Memory Access

RFIO – Radio Frequency Input/Output

LNA – Low Noise Amplifier

VGA – Variable Gain Amplifier

IF – Intermediate Frequency

IDE – Integrated Development Environment

TX – Transmitted

RX - Received

LSE – Least Square Error

SNR – Signal-Noise Ratio

ADV – Advertisement

LOS – Line of Sight

MIPS – Million Instructions per Second

RTOS – Real-time Operating System

1

Contents List of Figures ................................................................................................................................................ 2

List of Tables ................................................................................................................................................. 4

1 Introduction .......................................................................................................................................... 5

1.1 Motivation ..................................................................................................................................... 5

1.2 Goals ............................................................................................................................................. 6

1.3 Contribution .................................................................................................................................. 6

1.4 Outline........................................................................................................................................... 7

2 Background ........................................................................................................................................... 8

2.1 Ranging Techniques ...................................................................................................................... 8

2.2 Bluetooth Low Energy ................................................................................................................. 14

2.3 Development Kit ......................................................................................................................... 22

3 Asymmetric Single Channel Ranging ................................................................................................... 28

3.1 Algorithm .................................................................................................................................... 28

3.2 Simulation ................................................................................................................................... 31

3.3 Experimental Setup ..................................................................................................................... 34

3.4 Raw IQ Data Processing .............................................................................................................. 37

3.5 Results and Analysis .................................................................................................................... 41

4 Symmetric Single Channel Ranging ..................................................................................................... 45

4.1 Algorithm .................................................................................................................................... 45

4.2 Experimental Setup ..................................................................................................................... 46

4.3 Raw IQ Data Processing .............................................................................................................. 48

4.4 Results and Analysis .................................................................................................................... 49

4.5 Initial Time and Energy Profiling ................................................................................................. 56

5 Asymmetric Multiple Channel Ranging ............................................................................................... 59

5.1 Algorithm .................................................................................................................................... 59

5.2 Experimental Setup ..................................................................................................................... 60

5.3 Raw IQ Data Processing .............................................................................................................. 64

5.4 Results and Analysis .................................................................................................................... 65

6 Conclusion and Future Work .............................................................................................................. 69

Literature .................................................................................................................................................... 71

2

List of Figures Figure 2.1 Illustration of TWR concept [8] .................................................................................................. 10 Figure 2.2 CRB as a function of bandwidth [11] ......................................................................................... 11 Figure 2.3 Comparison of CRB to sampling error as a function of sampling frequency [11] ...................... 12 Figure 2.4 Measured noise performance as function of SNR [11] .............................................................. 12 Figure 2.5 ToF and RSSI fusion ranging blocks [3]....................................................................................... 13 Figure 2.6 BLE protocol stack architecture [19] .......................................................................................... 16 Figure 2.7 State diagram of the Link Layer state machine.......................................................................... 17 Figure 2.8 State machine of peripheral role ............................................................................................... 17 Figure 2.9 State machine of central role ..................................................................................................... 18 Figure 2.10 Channel allocation for BLE and Wi-Fi [19] ............................................................................... 18 Figure 2.11 BLE advertising and active scanning procedure [19] ............................................................... 19 Figure 2.12 Advertising packet format [19] ................................................................................................ 20 Figure 2.13 Block diagram of data channel selection algorithm [1] ........................................................... 21 Figure 2.14 BLE test packet format [1] ....................................................................................................... 21 Figure 2.15 PRO development kit ............................................................................................................... 22 Figure 2.16 DA14681 block diagram [21] .................................................................................................... 23 Figure 2.17 Simplified RF block diagram for IQ data capture [22] .............................................................. 25 Figure 2.18 Saleae™ Logic Analyzer ............................................................................................................ 26 Figure 2.19 ComProbe BPA® BLE Packet Sniffer .......................................................................................... 26 Figure 2.20 Debugging wave example from logic analyser ........................................................................ 27 Figure 2.21 BLE traffic information display from the sniffer ...................................................................... 27 Figure 3.1 Ranging concept with advertising and scanning [24] ................................................................ 28 Figure 3.2 Possible phase evolution for GFSK modulated signal [25] ......................................................... 29 Figure 3.3 Correct and wrong phase differentiation .................................................................................. 32 Figure 3.4 TX phase (blue) and RX phase (green) over sample nr. ............................................................. 33 Figure 3.5 Experimental setup .................................................................................................................... 34 Figure 3.6 Flow chart for BLE advertising task ............................................................................................ 35 Figure 3.7 Flowchart for BLE interrupt routine ........................................................................................... 36 Figure 3.8 Flowchart for MATLAB routine .................................................................................................. 37 Figure 3.9 MATLAB script blocks for asymmetric single channel ranging .................................................. 38 Figure 3.10 Raw IQ data for one example SCAN_REQ packet .................................................................... 38 Figure 3.11 Unwrapped phase after IF removal ......................................................................................... 39 Figure 3.12 Data samples of the packet...................................................................................................... 40 Figure 3.13 Cross correlation between RX and TX pattern data samples .................................................. 40 Figure 3.14 Fit curve, TX curve, RX curve and error curve after fitting ...................................................... 41 Figure 3.15 Indoor measurement environment ......................................................................................... 42 Figure 3.16 ToF histogram for 5m measurement ....................................................................................... 43 Figure 3.17 Symbol timing offset and clock offset compensation mismatch ............................................. 44 Figure 4.1 Symmetric single channel ranging concept ............................................................................... 45 Figure 4.2 Symbol timing concept for two-way ranging [27] ..................................................................... 46

3

Figure 4.3 Experimental setup of symmetric single channel ranging ......................................................... 47 Figure 4.4 BLE interrupt routine flowchart for scanner .............................................................................. 48 Figure 4.5 MATLAB script blocks for symmetric single channel ranging .................................................... 49 Figure 4.6 Symbol timing offset on both ends over packet number .......................................................... 49 Figure 4.7 ToF histogram for 15m indoor measurement ........................................................................... 50 Figure 4.8 First indoor measurement ......................................................................................................... 51 Figure 4.9 Long time measurement on 1m ................................................................................................. 51 Figure 4.10 (partial) DA14681 Radio transceiver block diagram [21] ......................................................... 52 Figure 4.11 Internal-developed RF attenuator ........................................................................................... 53 Figure 4.12 AGC effect measurement ......................................................................................................... 53 Figure 4.13 Reset effect measurement....................................................................................................... 55 Figure 4.14 Indoor measurement with AGC compensation ....................................................................... 56 Figure 5.1 Phase relationship on multiple channels [2] .............................................................................. 60 Figure 5.2 Experimental setup for symmetric multiple channel ranging ................................................... 60 Figure 5.4 Example logic analyzer waveform for ADV packet reception .................................................... 62 Figure 5.3 Program flowchart for the scanner in asymmetric multiple channel ranging ........................... 63 Figure 5.5 Raw IQ data for 3 ADV packets .................................................................................................. 64 Figure 5.6 MATLAB blocks for asymmetric multiple channel ranging ........................................................ 64 Figure 5.7 Phase Difference for ADV one packet pair from 5m outdoor measurement ............................ 66 Figure 5.8 RX phase difference for all packet pairs from 5m outdoor ........................................................ 66

4

List of Tables Table 2.1 Sample values for path loss exponent [4] ..................................................................................... 8 Table 2.2 Main difference between BLE and classic Bluetooth .................................................................. 15 Table 2.3 BLE operating states .................................................................................................................... 16 Table 2.4 Advertising packets ..................................................................................................................... 19 Table 2.5 BLE test packet length to packet interval .................................................................................... 22 Table 2.6 Part of possible test signals in RFPT mode [22] .......................................................................... 24 Table 3.1 LSE fitting simulation results ....................................................................................................... 33 Table 3.2 Effect of large time shift .............................................................................................................. 33 Table 3.3 Indoor measurement results ....................................................................................................... 42 Table 4.1 MATLAB time profiling for major functions ................................................................................ 57 Table 4.2 (partial) Time profiling on DA14681 ............................................................................................ 58 Table 5.1 Test modes and user functions in the BLE Direct Test Mode program ....................................... 61 Table 5.2 Indoor Measurement .................................................................................................................. 65 Table 5.3 Outdoor Measurement ............................................................................................................... 65 Table 5.4 Averaged phase difference for all indoor packet pairs ............................................................... 67 Table 5.5 Advertising packet interval in the BLE stack [29] ........................................................................ 67 Table 6.1 Ranging method summary .......................................................................................................... 69

5

1 Introduction Ranging is probably one of the oldest problems faced by human beings. With the evolving of technologies, we determine the range more and more precise with visual inspection, with rulers, with radar and with laser. Nowadays, the development and deployment of Global Positioning System (GPS) allows us to accurately determine outdoor position worldwide with relatively cheap chips. But, there are more needs for indoor and small-scale ranging with low-cost consumer devices. Huge increase has been seen on the amount of these consumer devices and most people are using these devices in an indoor environment like home, office, shopping mall, station, etc. Variety of services (e.g., localization, proximity and tracking) will be possible once we can measure distance accurately between large amount of cellphones, wearable devices and IoT nodes.

Bluetooth Low Energy [1] is a short-range wireless standard supported by major smartphones, wearable devices and IoT manufacturers. The first standard version is released by the Bluetooth SIG to support new applications in the healthcare, fitness, security and home entertainment fields in June 2010. BLE focuses on ultra-low power consumption, which is very suitable for coin cell batteries or energy-harvesting devices. With the integration of ranging solutions on BLE devices, people can enjoy all possibilities based on hundreds of millions of devices.

1.1 Motivation Dialog Semiconductor is one of the main manufacturers of BLE chip. Energy consumption is one of the major differentiators of the wireless portfolio of Dialog. By the end of 2015, they have shipped around BLE chips of 25 million dollars, which is four times as that in 2014. The ranging feature integrated on Dialog chip is expected to add great value for this product and to attract the attention of the market.

Many applications rely on the distance information between two radio nodes. A typical example is key fobs from Tile 1 that can help you find your lost stuff. Besides, with accurate ranging, we can easily calculate the position of the tracker and enable indoor navigation and asset tracking so that movement of users or valuable objects can be tracked in various scenarios. During our development, many customers have already shown their interest in this feature (e.g., Tile, Tesla, Apple).

However, existing systems for BLE devices distance calculation are mostly based on RSSI method only. The receiver measures the power of the received signal which is proportional to the distance of the transmitter. However, RSSI fluctuates significantly in indoor environment and none Line-of-Sight (LOS) scenario which typically has strong multipath and fading effect. So the distance estimation in this way is inaccurate.

Another choice for BLE devices can be the ToF method. The receiver measures the time delay of the received signal which is proportional to the distance of the transmitter. We may choose to calculate in time or phase domain. A lot of work has been done to prove the validity of ToF method based on IEEE

1 https://www.thetileapp.com/

6

802.15.4 devices (see Section 2.1.2). But until now, no one has yet implemented ToF solution on a standard BLE product in the market, which shows great commercial and research value of this project.

1.2 Goals This topic is split into two separate projects but close cooperation is involved practically. The work of practical & experimental project is illustrated in this thesis and the work of algorithmic & simulation project is illustrated in [2].

The goals of this project are listed in below:

• For different ranging solutions, there are different requirements for the input data. Although we have example applications to start with, there is no ready-to-use setup in the company. The first goal is to combine many available software features in the company and develop our own software setup to collect valid data for all ranging solutions.

• We cannot directly input the raw data into every algorithm. Some post-processing steps will be needed to have the valid data input. For the obtained results, we always need some graphs, statistics and metrics to analyze and evaluate the quality or the root cause. The second goal of this project is to develop script for raw data processing and result analysis.

• For typical indoor environment, we only have slow moving objects and a range limit for BLE device. For this scenario, we need to develop solutions that can achieve reasonable distance accuracy so that it will make sense for practical user case. The third goal is to achieve distance accuracy (< 5m) for slow moving objects (< 5km/h) at an indoor range of 30m.

• This project only targets on the latest product of the company. Because of the accuracy we hope to achieve, it will probably suffer from hardware or software design of the current chip. Any advice related to this feature will be well valued by the design team. They can update the design in the next-generation product and maybe release the product on the market very quickly. The last goal is to provide advice for future product.

1.3 Contribution The topic is split into two individual projects with clear separation of tasks and goals although necessary cooperation happens in some parts during the execution of the project. The cooperation parts are listed below:

• Understanding of algorithm for Asymmetric Single Channel Ranging: The algorithm along with MATLAB script is partially provided by the company. We work together to understand algorithm, to learn the script structure, to test it with different inputs and to solve issues.

• Literature study: The current state-of-art approaches from academia and industry are carefully reviewed and studied to inspire the design of our own solutions. Cooperation and discussion happen on key papers and designs.

• Practical results analysis for Asymmetric Single Channel Ranging and Asymmetric Multiple Channel Ranging: We work together to check the validity of data, the intermediate verbose of script and find the root cause for the issues.

7

• Algorithm design for Symmetric Single Channel Ranging: the algorithm and user case are developed by joint discussion.

For the contribution of algorithmic & simulation project, please refer to [2]. The individual contributions of this project are listed below:

• Experimental setup for all three solutions: An example BLE advertiser C application and MATLAB real-time data acquisition script are provided as the start point. Three different software setups are developed to collect valid data for all three solutions.

• Data processing for all three solutions: Develop the post-processing MATLAB script to extract algorithm input from raw In-phase & Quadrature (IQ) data for all three algorithm. The algorithm and analysis part are integrated into the script to obtain the final results.

• Measurements for all three solutions: The indoor measurements for all three solutions are conducted individually. To help the result analysis, some outdoor and special measurements are done.

• Practical data analysis for Symmetric Single Channel Ranging: I check the validity of data, the intermediate verbose of script, find the root cause for the issues and obtain correct results.

1.4 Outline The rest of the report is structured as follows. Chapter 2 (Background) gives an overview of ranging techniques that may be used on low-cost electronic devices, Bluetooth Low Energy standard that our solutions should obey, and development kit from Dialog including hardware, software and debugging tools. Chapter 3 (Asymmetric Single Channel Ranging) introduces all the information for this solution, including algorithm, simulation, software setup, data processing and practical results. Chapter 4 (Symmetric Single Channel Ranging) introduces all the information for this solution, including algorithm, software setup, data processing, practical results and initial profiling. Chapter 5 (Asymmetric Multiple Channel Ranging) introduces all the information for this solution, including algorithm, software setup, data processing and practical results. Chapter 6 (Conclusion and Future Work) presents the conclusion on all three solutions and suggested future work for the company.

8

2 Background This chapter presents background and context information for readers to understand the three ranging solutions. The first section introduces general indoor ranging techniques on low-cost electronic devices. The second section introduces BLE standard which we should consider during BLE compliant solution design. The last section introduces development kit provided by the company and used in this project. The advanced design by the company gives us benefits but also constraints.

2.1 Ranging Techniques Global Positioning System (GPS) provides world-wide positioning capacity with an accuracy of several meters when the device is equipped with GPS receiver. However, satellite system cannot be used for fine-grained needs of indoor location due to the attenuation of the satellite signals. Angle-of-Arrival (AoA) measurement is a method for determining the direction of propagation of a radio-frequency wave incident on an antenna array. But this method requires special antenna array design which the DA14681 BLE chip does not have and support. Due to mentioned reasons, only RSSI and ToF ranging methods are considered and discussed in this section.

2.1.1 Received Signal Strength Indicator RSSI is an indication of the signal strength experienced by the receiver for each reception of BLE packet. For the practical chip used in this project, it is an unsigned 8-bit integer value indicating signal strength varying between -112dBm to -19dBm with a step of 0.47dB/unit, where an increasing value indicates a stronger signal. The value can be easily retrieved in the RX descriptor field of the BLE stack.

The RF power decays as the electromagnetic waves travel through the air. In open space, the relationship between signal strength and distance can be represented by the log-distance path loss model. The model is given in Eq. (2.1) [3], where 𝜌𝜌𝑑𝑑 is the RSSI value at distance d; 𝜌𝜌0 is the RSSI value at a reference distance d0 = 1m, and includes the aggregated effects of transmission power, antenna gains, and frequency attenuation; and α is the path loss exponent that represents the propagation medium properties.

𝜌𝜌𝑑𝑑 = 𝜌𝜌0 − 10𝛼𝛼𝛼𝛼𝛼𝛼𝛼𝛼 𝑑𝑑𝑑𝑑0⇔ 𝑑𝑑 = 𝑑𝑑0 × 10(𝜌𝜌0−𝜌𝜌𝑑𝑑)/(10𝛼𝛼) (2.1) [3]

However, in the presence of interference, multipath, changing of indoor environment and none LOS condition, there will be a variation on 𝛼𝛼 depending on the local statistics that typically ranges from 2 to 5. Some sample values for 𝛼𝛼 in the model are shown in Table 2.1 [4].

Environment Path Loss Exponent

Free space 2 Flat rural 3 Rolling rural 3.5 Suburban, low rise 4 Dense urban, skyscrapers 4.5

Table 2.1 Sample values for path loss exponent [4]

9

This results in the inaccuracy of this method especially for indoor environment. The iBeacon [5] technology developed by Apple Inc. is a proximity service based on RSSI and BLE. But the distance between transmitting iBeacon and receiving device is categorized into 3 distinct ranges instead of accurate meters.

To improve the stability of the RSSI measurements, the online channel estimation can be applied to update the path-loss model parameters to accommodate the dynamic environment. In [6], the stability of RSSI for BLE devices in real scenarios is empirically studied and the data smoothing performance of different filters is evaluated. After data pre-processing, the online channel estimation are done with particle filtering or simply least squares fitting. In an indoor environment with people movements and other BLE devices enabled, the distance error obtained by particle filtering is around 1m while the result by least squares fitting is 2.885m. Although indoor measurement with particle filtering achieves good accuracy, considerable number of samples, time and computation complexity are needed to accommodate the intrinsic instability of RSSI method.

Another way to improve the distance accuracy is to design a calibration scheme to determine the a-priori knowledge about the environment conditions before measurement. In [7], the a-priori knowledge about the environment is gathered offline by fingerprint. It determines between the received power measurements and the corresponding grid of locations. The practical experiment shows the localization accuracy of around 5cm and good tracking ability for moving object, which is very precise compared to online estimation way. However, a-priori data are usually unavailable for unknown environment, which greatly limits the application of this method.

2.1.2 Time-of-Flight Once we can measure the signal ToF from one device to another, we can calculate the distance according to the speed of light (1m = 3.3ns). Measuring the RF signal ToF between nodes avoids stability problem of RSSI method, but it is challenging on its own.

2.1.2.1 Clock Synchronization In the simplest ToF ranging system with two wireless devices A and B, B need to measure the time of arrival of a signal sent by A. To achieve accuracy of 1m, GHz (ns) clock synchronization is required which is not feasible for a low-cost wireless system. Two-way Ranging (TWR) is a good method that mitigates the effect of clock synchronization error [8]. It allows the time offset between transceiver 1 and 2 to be cancelled as is shown in Figure 2.1 [8].

With 100MS/s sampling rate and 50MHz signal in the 2.4GHz ISM band, they achieve 3m range accuracy although no communication standard is compliant. In TWR method, the measurement takes place over a relatively long time. We need to make sure that the clock offset during measurement causes only ns bias on the RF signal.

10

Figure 2.1 Illustration of TWR concept [8] Time-Difference-of-Arrival (TDoA) uses a set of wire-synchronized reference nodes at known locations to determine the time difference of arriving ranging signals to or from a blind node for localization. Its ability to operate well in high multipath environments and provide sub-meter ranging accuracy has been demonstrated using Ultra-Wideband (UWB) technology [9]. However, GHz clock is needed and the base station infrastructures are expensive.

2.1.2.2 Noise A ToF ranging measurement influenced only by white noise has been studied in the context of radar applications. The Cramer-Rao Bound (CRB) [10] provides a lower bound for the variance of the range estimation in white noise . For a one-way ranging system using IEEE 802.15.4 modulation, the CRB is given by Eq. (2.2) [11].

𝜎𝜎𝑟𝑟2 ≥ 𝑐𝑐2

4𝜋𝜋2∗𝐵𝐵2∗𝑆𝑆𝑆𝑆𝑆𝑆 (2.2) [11]

The range variance limit is related to speed of light c, signal bandwidth 𝐵𝐵 and signal to noise ratio SNR. Figure 2.2 [11] shows the CRB as a function of bandwidth for SNR of 10dB and 26dB. We can see that the white noise only does not prevent 1m accuracy for 2MHz bandwidth (BLE and IEEE 802.15.4). In TWR systems, round-trip measurements are made and averaged to obtain range estimation resulting in 𝜎𝜎𝑟𝑟2 reduction of 2 [11].

11

Figure 2.2 CRB as a function of bandwidth [11]

2.1.2.3 Sampling Artefacts It is proved in [12] that the resolution of a ToF measurement suffers from the finite sampling clock-frequency resolution. This occurs when a matched filter is used to estimate the time of arrival with a sampling rate of 𝑓𝑓𝑠𝑠 = 2𝐵𝐵. Sampling adds error to ToF result because the estimate space is divided up into range bins of 𝑐𝑐/𝑓𝑓𝑠𝑠 wide. The range uncertainty added by sampling in each bin is given by Eq. (2.3) [11].

𝜎𝜎𝑠𝑠2 = 𝑐𝑐2

12∗𝑓𝑓𝑠𝑠2 (2.3) [11]

To reduce this error, the signal can be oversampled. Figure 2.3 [11] shows the CRB for a 2MHz bandwidth signal with SNR = 26dB, the standard deviation of the sampling error and the combined effect of both error sources. We can see that in this noise condition, when 𝑓𝑓𝑠𝑠 > 70𝑀𝑀𝑀𝑀𝑀𝑀, the range error caused by white noise will become dominant. It can also be concluded that with better noise condition, large sampling rate is needed to reduce the error. If the signal is sampled above Nyquist (𝑓𝑓𝑠𝑠 > 2𝐵𝐵), the signal’s entire information content is fully captured and better time resolution than 𝜎𝜎𝑠𝑠 is possible. Interpolation between samples can yield significant improvements in resolution [13].

12

Figure 2.3 Comparison of CRB to sampling error as a function of sampling frequency [11]

Code Modulus Synchronization is presented in [11] as one improved TWR method. In this method, a code is transmitted between both ends and proper cross correlation is calculated between the transmitted and received code to determine ToF. Finally, 1m accuracy is achieved for outdoors and 1-3m is achieved for indoors. Besides, the standard deviation of ranging measurements, the CRB for their system as a function of SNR and the previous ranging binning limit are shown in Figure 2.4 [11]. We can see that the practical results approach CRB when the SNR is low and are limited gradually by sampling frequency error.

Figure 2.4 Measured noise performance as function of SNR [11]

2.1.2.4 ToF by Phase Measurement In GPS, there are code-phase and carrier-phase methods that can achieve different level of range accuracy and have different level of cost. The code-phase method calculates the cross correlation between received pseudo random code and code replica generated at the received to determine the time shift and the ToF. This method suffers from all the issues mentioned above and can achieve meter level accuracy [14]. The

13

carrier-phase method is a measure of the range between a satellite and receiver expressed in units of cycles of the carrier frequency. The pseudo random code has a bit rate of about 1 MHz but its carrier frequency has a cycle rate of over a GHz which is 1000 times faster. This method achieves precision varies from 1 mm to 10 cm, depending on the processing strategy [14]. Similarly, the phase shift of transmitted and received RF signals can be used to measure distance more accurately in low-cost devices.

In [15], the full available ISM bandwidth of 80 MHz and 16 ZigBee channels are utilized to estimate distance with phase difference method. With a low-cost oscillator and sampling frequency of 250MHz, a positioning bias error of 16cm and standard deviation of 3cm are achieved. In [16], only two measurement frequencies in ISM band are needed to perform the distance estimations. 30cm range accuracy is achieved with frequency hub of 75MHz, measurement in RF anechoic chamber and at least 250 samples. The Atmel ranging toolbox [17] uses proprietary algorithm based on phase difference to calculate distance. The full 2.4 GHz ISM band is suggested for best performance and the ranging procedure is not compliant with IEEE 802.15.4.

Because of design convenience, all the ToF methods mentioned in this section is based on IEEE 802.15.4 standard. But the BLE standard also shares similar problems as it is designed for low-cost consumer devices. For example on the DA14681 BLE chip of Dialog, it only has low accuracy clock (16MHz), inaccurate synchronization (1µs), low online processing power (96MHz) and low sampling frequency (8MHz). These are fundamental limits to walk around for the design of accurate ToF ranging solutions on BLE devices.

2.1.3 Fusion of ToF and RSSI Both ToF and RSSI methods have their own merits and demerits but we can fuse the data to achieve better resolution and stability. In [3] data fusion of RSSI and two-way ToF are applied to improve ranging accuracy. The general blocks are shown in Figure 2.5 [3] where least squares fitting is used to estimate channel parameters and extended Kalman filter is used for range tracking. Dotted lines apply only when ToF data are available. For the experiment with lab environment, the RSSI method only achieves 2.5m accuracy and the fusion method reaches 1.3m accuracy.

Figure 2.5 ToF and RSSI fusion ranging blocks [3]

In [18], the calculated speed and location information from processed ToF and RSSI are fed into two Kalman filters to track the state change. The final output distance value depends more on term with

14

smaller estimated uncertainty. In their indoor measurement, the RSSI method has accuracy of 0.5m-1.5m and the ToF method has accuracy of 2.5m-3.5m. The fusion algorithm reaches accuracy less than 1m which proves the improvement on individual techniques.

2.2 Bluetooth Low Energy 2.2.1 Overview Bluetooth is a wireless technology allowing electronic devices to perform short range wireless communication between each other. The classic Bluetooth is originally designed for continuous, streaming data applications like voice and has successfully eliminated wires in many consumer as well as industrial and medical applications. The usage and development of Bluetooth technology are regulated by the Bluetooth Special Interest Group (SIG). The group, which has over 20000 member companies, is responsible for defining the Bluetooth specification as well as to certify that the developed products conform to these specified standards. It operates between 2400 MHz to 2485 MHz, which lies within the globally unlicensed ISM band.

Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is the new generation standard designed by the Bluetooth SIG to support new applications in the healthcare, fitness, security and home entertainment fields in June 2010. The latest specification v4.2 was released on December 2014, which is currently supported by company development kit. BLE is the evolution of current so-called “classic Bluetooth” standard. It focuses on ultra-low power consumption, which is very suitable for coin cell batteries or energy-harvesting devices. More detailed information about this section can be found in Bluetooth specification v4.2 [1].

2.2.2 Classic Bluetooth vs BLE The BLE standard is not back-compatible with the classic Bluetooth. Although it reuses existing radio architecture and Host Controller Interface (HCI) transports and Logical Link Control and Adaptation (L2CAP) packets, many new features are introduced such as efficient discovery / connection procedures, very short packets, asymmetric design for peripherals and client server architecture, etc. Table 2.2 lists the main difference between these two Bluetooth standards.

15

Feature Classic Bluetooth BLE Notes

RF Channels 79 40 Less channels

Channel Bandwidth 1MHz 2MHz Double bandwidth

Modulation GFSK GFSK Simple and effective

Modulation Index 0.25 to 0.35 0.45 to 0.55 Wider signal – more robust

Max TX Power +20 dBm (class 1) +4 dBm (class 2)

+10 dBm No “class” structure +10 dBm regulatory limit

Rx Sensitivity (typical)

-85 dBm -85 dBm Pathloss = 90 dB for classic Pathloss = 95 dB for BLE

Range (typical) 30 meters 50 meters Modulation Index, increased power for class 2

Packet Format 6 2 Advertising / Data for BLE

Max Packet Length 2875 μs 328 μs BLE very short

Max Throughput Data Rate

2178.1 kb/s 305 kb/s BLE is slower

Encryption Safer+ AES-128 BLE stronger

Discoverable + Connectable

Inquiry + Page Scan 22.5 ms / 1.25 s

Advertising 1.25 ms / 1.25 s

20x lower energy

Connection time 20 ms (R0 Page Scan) 2.5 ms 8x quicker

Table 2.2 Main difference between BLE and classic Bluetooth

2.2.3 Protocol Stack Architecture The Bluetooth Core system is shown in Figure 2.6 [19], consisting of a Host, a Primary Controller and zero or more Secondary Controllers. A minimal implementation of a BLE-only core system covers the four lowest layers and associated protocols defined by the Bluetooth specification as well as two common service layer protocols: the Security Manager (SM) and Attribute Protocol (ATT). The overall profile requirements are specified in the Generic Attribute Profile (GATT) and Generic Access Profile (GAP). In this project, we mainly focus on Link Layer in the BLE controller which handles advertising, scanning, creating and maintaining connections.

16

Figure 2.6 BLE protocol stack architecture [19]

2.2.4 Operation States & Roles In BLE systems, there are five operating states in the link layer state machine: Standby, Advertising, Scanning, Initiating and Connection. The description is shown in Table 2.3.

State State Description

Standby Does not transmit or receive packets

Advertising Broadcasts advertisements in advertising channels

Scanning Looks for advertisers

Initiating Initiates connection to advertiser

Connection

Master Role

Communicates with device in the Slave role, defines timings of transmissions

Slave Role

Communicates with single device in Master Role

Table 2.3 BLE operating states

The Link Layer may have more than one instance of the state machine at any time. However, the Link Layer state machine allows only one state to be active at a time and a BLE device cannot be master and slave at the same time. The state diagram of the Link Layer state machine is shown in Figure 2.7.

17

Figure 2.7 State diagram of the Link Layer state machine

BLE GAP layer defines four profile roles: Broadcaster, Observer, Peripheral and Central. Here we only introduce Peripheral and Central roles which are most relevant to our project. A peripheral device is assumed to be a low-power device that exposes information and is able to make connections. It uses connectable advertising packets to broadcast information that any other BLE device within range can hear. The state machine is shown in Figure 2.8 with valid states blue.

Figure 2.8 State machine of peripheral role

A central device is usually a powered device, including a rechargeable battery and with a greater processing power with respect to peripheral ones (e.g., a smartphone or a tablet). Central devices implement a scanner modality, in which they listen for the advertisements and initiating connection request. The state machine is shown in Figure 2.9 with valid states blue.

18

Figure 2.9 State machine of central role

Differently from classic Bluetooth, peripheral and central devices are very asymmetric in their resource requirements. This technology has been projected having in mind to minimize complexity, power requirements and costs mainly on the peripheral side. This results in the fact that a peripheral device spends the majority of its life asleep, limiting its consumptions. It only wakes up when it needs to send data or interact with central devices.

2.2.5 Advertising & Scanning The whole 2.4GHz Bluetooth band is allocated for 40 2MHz channels as is shown in Figure 2.10 [19]. 37 of these channels are reserved for data, only used by devices that have paired with each other. The remaining 3 channels are used for advertisements. These three channels were specifically chosen to avoid the main channels used by Wi-Fi access points, to minimize interferences.

Figure 2.10 Channel allocation for BLE and Wi-Fi [19]

19

When a peripheral wants to broadcast, it starts an advertising event, where the same packet is transmitted sequentially on each of the three advertising channels. Devices operating as scanners will detect one of these, and pass the information it contains to the higher level protocol stack and application. Although the primary aim of advertising packets within the specification is to allow for the discovery of devices and make a secure connection, they also permit small amounts of data to be transmitted for other devices to hear. The advertising and active scanning procedure is shown in Figure 2.11 [19].

Figure 2.11 BLE advertising and active scanning procedure [19]

For advertising event, there are totally 7 air interface packets defined, which is shown in Table 2.4.

Type Packet Usage

0000 ADV_IND Connectable undirected advertising event

0001 ADV_DIRECT_IND Connectable directed advertising event

0010 ADV_NONCONN_IND Non-connectable undirected advertising event

0011 SCAN_REQ Scan request for further information from advertiser

0100 SCAN_RSP Response to scan request from scanner

0101 CONNECT_REQ Connect request by Initiator

0110 ADV_DISCOVER_IND Discoverable undirected advertising event

Table 2.4 Advertising packets

The format of advertising packets is shown in Figure 2.12 [19]. The whole packet is defined as Preamble, Access Address, Packet Data Unit (PDU) and Cyclic Redundancy Check (CRC) field. The Preamble (0xaa) is used for frequency synchronization and Automatic Gain Control (AGC) training. The Access Address (0x8e89bedd6) is designed for packet detection. CRC is computed over PDU for error check.

20

Figure 2.12 Advertising packet format [19]

The PDU is composed of payload and header. In the header, packet type, TX/RX address type, payload length and field reserved for future use are defined.

All of our three ranging solutions are based on advertisement & scanning activity for the purpose of convenience. In the next chapters, there are more elaborative descriptions of how these features facilitate our solutions.

2.2.6 Frequency Hopping Due to the unrestricted nature of the ISM band, BLE must overcome interference from other systems (e.g., Wi-Fi) and minimize its interference on other systems. BLE does this by using a Frequency Hopping Spread Spectrum (FHSS) technique. This spreads the RF power across the spectrum which reduces interference and the spectral power density. FHSS occurs while in a connection. The frequency hops among 37 data channels according to the channel selection algorithms.

The master’s Link Layer shall classify data channels into used channels and unused channels which are called the channel map. The slave shall receive the channel map from the master in connection request. The channel map can be updated by the master using a channel update message.

The channel selection algorithm consists of two stages: calculation of the unused channel index and then mapping this index to a data channel index from the set of used channels. The complete procedure is shown in Figure 2.13 [1]. The unmappedChannel is the unmapped channel index for the current connection event. The lastUnmappedChannel is the unmapped channel index of the previous connection event which is 0 for the first connection event. At the start of a connection event, unmappedChannel shall be calculated using the following basic algorithm in Eq. (2.4) [1]:

unmappedChannel = (lastUnmappedChannel + hopIncrement) mod 37 (2.4) [1]

The algorithm then checks if the unmapped channel is used according to the channel map. If it is used, the algorithm will use the unmapped channel. Otherwise the channel is remapped to one of the used channels.

21

Figure 2.13 Block diagram of data channel selection algorithm [1]

2.2.7 Direct Test Mode Direct Test Mode is used to control the Device-Under-Test (DUT) and provides a report back to the tester. The BLE Test packet format shall be as shown in Figure 2.12 [1].

Figure 2.14 BLE test packet format [1]

Test packets are required for physical layer testing using Direct Test Mode. The test packet consists of the following fields: preamble (8 bit), synchronization word (32 bit), PDU header (8 bit), PDU length (8 bit), payload (296-2040 bit) and CRC (24 bit), in total 376-2120 bits. The packets do not have a PDU address field. Depending on the test, the packet payload content may vary. Depending on the test packet length, the test packet interval is defined in Table 2.5.

22

LE Test Packet Length Packet Interval

≤ 376 μs 625 μs

≥ 377 and ≤ 1000 μs 1250 μs

≥ 1001 and ≤ 1624 μs 1875 μs

≥ 1625 and ≤ 2120 μs 2500 μs

Table 2.5 BLE test packet length to packet interval

2.3 Development Kit 2.3.1 Hardware For our development, we use the PRO development kit provided by Dialog Semiconductor, which is shown in Figure 2.15. It consists of the PRO motherboard and the PRO daughterboard. Development kit supports DA14680, DA14681, DA15100 and DA15101 SoCs of Dialog Semiconductor.

Figure 2.15 PRO development kit

The main features of the mother board are [20]:

– DA1468x/DA1510x SoCs can be accessed over UART and/or JTAG with no additional external hardware.

– Access on all GPIOs provided from the chip, when no sensor board is plugged. – Press on Reset function. – General purpose LEDs and Push Button on the PRO motherboard. – Current monitoring circuit associated with appropriate software on PC. – Powered from either USB2 (DBG) port or Battery. Dedicated USB (USB1-CHG) port for charging. – JTAG and UART interfaces over USB2 (DBG) for development purposes – On-daughterboard printed inverted F-type antenna

23

– RF mechanical switch for conducted RF measurements

2.3.1.1 DA14681 Daughter Board For specific functional daughter board, we use DA14681 for the BLE applications. The chip block diagram is shown in Figure 2.16 [21]. The DA14681 is a flexible System-on-Chip combining an application processor, memories, cryptography engine, power management unit, digital and analog peripherals and a BLE MAC engine and radio transceiver. The DA14681 is based on an ARM® Cortex®-M0 CPU delivering up to 84 DMIPS and provides a flexible memory architecture, enabling code execution from embedded memory (RAM, ROM) or non-volatile memory (OTP or external Quad-SPI FLASH). The advanced power management unit of the DA14681 enables it to run from primary and secondary batteries, as well as provide power to external devices. The on-chip charger and state-of-charge fuel gauge allow the DA14681 to natively charge rechargeable batteries over USB. An on-chip Phase Locking Loop (PLL) enables on-the-fly tuning of the system clock between 32 kHz and 96 MHz to meet high processing requirements. Several optimized sleep modes are available to reduce power dissipation when there is no activity.

Figure 2.16 DA14681 block diagram [21]

Here are some important features for this project [21]:

• BLE: Complies to Bluetooth v4.2 • Flexible processing power: 0 Hz up to 96 MHz 32-bit ARM Cortex-M0 with 4-way associative cache • Memories: – 64 kB One-Time-Programmable (OTP) memory

24

– 128 kB Data SRAM with retention capabilities – 16 kB Cache SRAM with retention capabilities – 128 kB ROM (including boot ROM and BLE stack) – 8 MB external FLASH memory • Digitally controlled oscillators and PLL: – 16/32 MHz crystal oscillator – 16 MHz RC oscillator – 32 kHz crystal and RC oscillator – 10.5 kHz RCX oscillator – low power PLL up to 96 MHz • Radio transceiver: – 2.4 GHz CMOS transceiver with integrated balun – 0 dBm transmit output power – -93 dBm receiver sensitivity (BLE) – TX current of 3.4 mA and RX current of 3.7 mA (supply current at 3 V)

2.3.1.2 Radio Frequency Production Test

The DA14681 is equipped with the Radio Frequency Production Test (RFPT) mode which can put different internal test signals on the test bus and transfer them to memory by the Direct Memory Access (DMA) channel. The word length of the RFPT test signal data to be transferred is 32 bits and the maximum speed is 16MHz. The transfers can be controlled with an enable signal. The user should program the length, destination address and the test signal in software to setup the RFPT mode and capture desired internal signal data. The maximum size of data that the RFPT block can write using the embedded DMA channel is 128 Kbytes.

Part of the possible test signals are shown in Table 2.7 [22]. Test mode is a programmable parameter and is set to 0 in normal mode where no test data are generated. The rate of the transfer is listed in the second column, i.e. the frequency of the enable signal. The trigger column is the instant where the first transfer occurs. For the test signals shown in this table, the transfer is activated by the enable signal of the demodulator. The rest of the table shows what internal signals are mapped onto the test bus. The adcout_i and adcout_q shown in test mode 1 are the IQ data we need to capture for all the ranging solutions. More test signals can be added in the future if necessary.

Table 2.6 Part of possible test signals in RFPT mode [22]

The simplified RF block diagram for IQ data capture is shown in Figure 2.17 [22]. The RX front-end consists of a selective matching network (RFIO in the figure), a Low Noise Amplifier (LNA) and an down conversion mixer. The intermediate frequency (IF) complex filter with variable gain amplifiers (VGA) provides the necessary signal conditioning prior to digitalization. The two ADCs for I signal and Q signal convert the analog signal to digital samples that are fed in to the digital demodulator block (DEM) which provides a

31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

1 8 MHz dem_en b2 8 MHz dem_en b3 8 MHz dem_en4 8 MHz dem_en

vga3_in_q vga3_in_i vga3_out_q vga3_out_irssi_raw agc_setting envelope

adcout_i adcout_q hpf output pad outputdnmin dpmin hpf output pad output

Test mode TriggerRateTestbus

25

synchronous bit stream. With the setup of RFPT test mode 1 in software, the IQ samples are put on the test bus and transferred to the RAM through the DMA channel in parallel with the normal functionality.

Figure 2.17 Simplified RF block diagram for IQ data capture [22]

2.3.2 Development Environment Dialog SmartSnippets™ [17] is the integrated development environment we used for two solutions. It is a royalty-free software development platform for Smartbond™ devices. It fully supports the DA1468x family of devices.

SmartSnippets™ contains:

• SmartSnippets™ Toolbox: A tool suite covering all software developer needs, including: – Power profiling – Programming – Testing

• SmartSnippets™ IDE: Eclipse2 based IDE pre-configured plugins allowing easy out of the box set-up of build/debug environment. The SmartSnippets™ IDE is supported by an on-board debugger from Segger3. This offers standard debug capabilities such as single stepping, setting breakpoints, SW download and many more.

• SmartSnippets™ SDK – Preemptive multitasking via a state of the art real time operating system – Access to the on-chip peripherals via Low Level Drivers and Adaptors – Complete integration of a v4.2 compliant Bluetooth Smart stack and radio – Support for firmware upgrade, including over the air – Structured access to the flash device via a NVMS adaptor that supports wear levelling – Support of the on-chip power management facilities enabling sleep and hibernation

• SmartSnippets™ documentation

Keil μVision44 is another IDE we used for one solution. The µVision IDE combines project management, run-time environment, build facilities, source code editing, and program debugging in a single powerful environment. µVision is easy-to-use and accelerates your embedded software development. It supports multiple screens and allows you to create individual window layouts anywhere on the visual surface. The 2 www.eclipse.org 3 https://www.segger.com/jlink-debug-probes.html 4 http://www.keil.com/uvision/

26

µVision Debugger provides a single environment in which we can test, verify, and optimize your application code. The debugger includes traditional features like simple and complex breakpoints, watch windows, and execution control and provides full visibility to device peripherals.

2.3.3 Debugging Tools During the whole project, we have two important debugging tools: BLE packet sniffer and logic analyzer, which greatly ease the way of debugging. The practical hardware is shown in Figure 2.18 and Figure 2.19.

Figure 2.18 Saleae™ Logic Analyzer5

Figure 2.19 ComProbe BPA® BLE Packet Sniffer6

In DA14681, there are many RF and BLE MAC engine digital diagnostic signals brought out to certain GPIOs on the mother board. Traditionally, we use oscilloscope to display these signals which is not convenient because we need to test it in the laboratory and it only has 2 or 4 channels available. With the small, portable and inexpensive Saleae™ logic analyzer, we can just plug it into a computer and track 8 digital signals at the same time. The logic analyzer works with USB2.0. It has 8 channels with 100MS/s for digital signal and 10MS/s for analog signal. As many as 10 billion samples can be saved to capture more elusive events. Besides, we can start debugging within 5 minutes of opening the software. We can easily record, setup, navigate, measure, trigger and find signals with the software. One example during debugging is shown in Figure 2.20.

5 https://www.saleae.com/ 6 http://www.fte.com/products/BPAlowenergy.aspx

27

Figure 2.20 Debugging wave example from logic analyser

For our ToF solutions, we need to know detailed information about BLE packets in the air, such as information in each field, exact packet bits, packet interval, channels, etc. ComProbe BPA® BLE packet sniffer packs a serious punch, decoding all traffic including advertising packets, data packets and Link Layer control packets, and providing visibility into all three advertising channels concurrently. The BLE traffic information display in the software is shown in Figure 2.21. The left decode pane shows comprehensive layered decoders of each frame. The summary pane in the middle displays a one-line overview of each data frame. The panes below shows exactly the received bits in binary and hexadecimal. Besides we can easily add filters on packets.

Figure 2.21 BLE traffic information display from the sniffer

28

3 Asymmetric Single Channel Ranging In BLE, a device shall first advertise about its own information or scan for connectable devices before entering connection event. Because it always consumes time and energy to initiate and maintain the connection, we first consider the advertising and scanning event for our ranging application.

The ranging concept with advertising and scanning is shown in Figure 3.1 [24]. The advertiser from Dialog transmits ADV_IND packet and receives SCAN_REQ packet from the remote end (e.g., an mobile phone) after 150μs. The remote end can be any BLE-compliant device that is doing active scanning. The payload of SCAN_REQ packet contains 48-bit advertiser address which is known by the advertiser. With this known 48-bit pattern, ToF and range with the remote end can be calculated.

Figure 3.1 Ranging concept with advertising and scanning [24]

In this method, no Dialog chip or software is needed on the remote end. That is why we call it “asymmetric”. The SCAN_REQ can be only received on one channel out of three advertisement channels. That is why we call it “single channel”. The algorithm and software setup will be illustrated in the following sections.

3.1 Algorithm 3.1.1 Mathematical Model for Received signal To determine the ToF with transmitted (TX) signal and received (RX) signal that have the same bit pattern, we need to first find the mathematical relationship between TX and RX signals. Based on the algorithm prepared by the company, the theory in [16] and the cooperation with algorithmic & simulation project, we have the following derivation.

The mathematical description of the TX signal is given in Eq. (3.1). 𝑓𝑓𝑐𝑐 is carrier frequency based on ADV channel, 𝜑𝜑𝑚𝑚(𝑡𝑡) is the phase term due to Gaussian Frequency Shift Keying (GFSK) modulation and 𝜑𝜑𝑡𝑡 is the unknown phase offset from carrier wave.

𝐸𝐸𝑇𝑇𝑇𝑇(𝑡𝑡) = sin [2𝜋𝜋𝑓𝑓𝑐𝑐𝑡𝑡 + 𝜑𝜑𝑚𝑚(𝑡𝑡) + 𝜑𝜑𝑡𝑡] (3.1)

To reduce the complexity of derivation, the details about GFSK modulation and 𝜑𝜑𝑚𝑚(𝑡𝑡) are not explained in detail. Thorough information can be found in Chapter 2 of [25]. The 𝜑𝜑𝑚𝑚(𝑡𝑡) ramps up when the symbol

29

is ‘1’ and ramps down when the symbol is ‘0’. The possible phase value over the first 5 symbol periods is shown in Figure 3.2 [25].

Figure 3.2 Possible phase evolution for GFSK modulated signal [25]

After transmission in the air, the RX signal is given by Eq. (3.2). The time is shifted by ToF given by distance r and speed of light c.

𝐸𝐸𝑆𝑆𝑇𝑇(𝑟𝑟, 𝑡𝑡) = sin [2𝜋𝜋𝑓𝑓𝑐𝑐(𝑡𝑡 − 𝑟𝑟𝑐𝑐) + 𝜑𝜑𝑚𝑚(𝑡𝑡 − 𝑟𝑟

𝑐𝑐) + 𝜑𝜑𝑡𝑡] (3.2)

At the receiver, the local oscillator signal is given by Eq. (3.3) where 𝑓𝑓𝑙𝑙 is the local oscillator frequency and 𝜑𝜑𝑟𝑟 is the unknown phase offset for this wave.

𝐸𝐸𝐿𝐿𝐿𝐿(𝑡𝑡) = sin [2𝜋𝜋𝑓𝑓𝑙𝑙𝑡𝑡 + 𝜑𝜑𝑟𝑟] (3.3)

This signal is multiplied with the RX signal to down-mix it to the intermediate frequency for baseband processing in Eq. (3.4).

𝐸𝐸𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑟𝑟(𝑟𝑟, 𝑡𝑡) = 𝐸𝐸𝑆𝑆𝑇𝑇(𝑟𝑟, 𝑡𝑡) ∗ 𝐸𝐸𝐿𝐿𝐿𝐿(𝑡𝑡) (3.4)

According to basic trigonometric functions that 𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 ∗ 𝑠𝑠𝑠𝑠𝑠𝑠𝐵𝐵 = 12

(cos(𝑠𝑠 + 𝐵𝐵) − cos (𝑠𝑠 − 𝐵𝐵)), we obtain

the result for the down mixing signal in Eq. (3.5).

𝐸𝐸𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑟𝑟(𝑟𝑟, 𝑡𝑡) = 12

{cos [2𝜋𝜋(𝑓𝑓𝑐𝑐 + 𝑓𝑓𝑙𝑙)𝑡𝑡 − 2𝜋𝜋𝑓𝑓𝑐𝑐𝑟𝑟𝑐𝑐

+ 𝜑𝜑𝑚𝑚(𝑡𝑡 − 𝑟𝑟𝑐𝑐) + 𝜑𝜑𝑡𝑡 + 𝜑𝜑𝑟𝑟] −

cos [2𝜋𝜋(𝑓𝑓𝑐𝑐 − 𝑓𝑓𝑙𝑙)𝑡𝑡 − 2𝜋𝜋𝑓𝑓𝑐𝑐𝑟𝑟𝑐𝑐

+ 𝜑𝜑𝑚𝑚(𝑡𝑡 − 𝑟𝑟𝑐𝑐) + 𝜑𝜑𝑡𝑡 − 𝜑𝜑𝑟𝑟)]} (3.5)

The first high frequency cosine component is removed in the IF filter and the remaining signal is shown in Eq. (3.6). ∆𝜑𝜑 = 𝜑𝜑𝑡𝑡 − 𝜑𝜑𝑟𝑟 is the carrier frequency offset induced by the RFPLL on carrier and local oscillator wave.

𝐸𝐸𝐼𝐼𝐼𝐼(𝑟𝑟, 𝑡𝑡) = cos [2𝜋𝜋(𝑓𝑓𝑐𝑐 − 𝑓𝑓𝑙𝑙)𝑡𝑡 − 2𝜋𝜋𝑓𝑓𝑐𝑐𝑟𝑟𝑐𝑐

+ 𝜑𝜑𝑚𝑚(𝑡𝑡 − 𝑟𝑟𝑐𝑐) + ∆𝜑𝜑] (3.6)

Ideally, the intermediate frequency 𝑓𝑓𝐼𝐼𝐼𝐼 = 𝑓𝑓𝑐𝑐 − 𝑓𝑓𝑙𝑙 should be constant. Both carrier frequency and local oscillator frequency are generated by individual PLL driven by the local clock. As the two ends are not

30

perfectly synchronized, there is certain carrier frequency offset ∆𝑓𝑓 added to the IF. So the signal after the IF filter can be expressed as

𝐸𝐸𝐼𝐼𝐼𝐼(𝑟𝑟, 𝑡𝑡) = cos [2𝜋𝜋𝑓𝑓𝐼𝐼𝐼𝐼𝑡𝑡 + 2𝜋𝜋∆𝑓𝑓𝑡𝑡 + 𝜑𝜑𝑚𝑚(𝑡𝑡 − 𝑟𝑟𝑐𝑐) − 2𝜋𝜋𝑓𝑓𝑐𝑐

𝑟𝑟𝑐𝑐

+ ∆𝜑𝜑] (3.7)

If we extract the phase of this signal and ignore the phase term induced by IF, we obtain

φ𝐼𝐼𝐼𝐼(𝑡𝑡) = 𝜑𝜑𝑚𝑚(𝑡𝑡 − 𝑟𝑟𝑐𝑐) + 2𝜋𝜋∆𝑓𝑓𝑡𝑡 − 2𝜋𝜋𝑓𝑓𝑐𝑐

𝑟𝑟𝑐𝑐

+ ∆𝜑𝜑 (3.8)

We can see from Eq. (3.8) that the received phase after IF filtering contains distance information in the GFSK modulated phase term and phase term induced by carrier frequency. The two phase terms related to ToF are separately discussed and tested in single channel and multiple channel ranging methods. In this ranging method, we only consider the distance information in phase term 𝜑𝜑𝑚𝑚(𝑡𝑡 − 𝑟𝑟

𝑐𝑐) and consider phase

term 2𝜋𝜋𝑓𝑓𝑐𝑐𝑟𝑟𝑐𝑐 to be part of the phase offset ∆𝜑𝜑.

There are two more issues to be considered in this model.

• In the BLE specification, the GFSK modulation index is recommended to be 0.5 and shall be between 0.45 and 0.55 [1]. So it is possible that the TX and RX end have a certain modulation index offset Δh on the GFSK modulated phase amplitude.

• As the two ends are not perfectly synchronized and there is clock offset introducing extra shift for

time t. The time on the receiver should be 𝑡𝑡𝑆𝑆𝑇𝑇 = �1 + Δf𝑓𝑓𝑐𝑐� ∗ 𝑡𝑡𝑇𝑇𝑇𝑇 where clock offset is represented

by Δf𝑓𝑓𝑐𝑐

. For the DA14681 chip, the maximum clock offset for crystals is ±20 ppm [21]. Within time

period of 48-bit pattern (48µs), the maximum time shift is only 0.96ns (0.29m). So this issue needs only to be considered when we achieve sub-meter accuracy.

3.1.2 Linear Least Square Error Fitting After the discussion above, we obtain the expression for the received phase. 𝜑𝜑𝑚𝑚(𝑡𝑡) can be seen as the transmitted phase.

φ𝑆𝑆𝑇𝑇(𝑡𝑡) = (1 + Δh) ∗ 𝜑𝜑𝑇𝑇𝑇𝑇 �𝑡𝑡 −𝑟𝑟𝑐𝑐� + 2𝜋𝜋∆𝑓𝑓𝑡𝑡 + ∆𝜑𝜑 (3.9)

With first order Taylor expansion, we have the approximation of

φ𝑇𝑇𝑇𝑇 �t − 𝑟𝑟𝑐𝑐� ≈ φ𝑇𝑇𝑇𝑇(t) − 𝑟𝑟

𝑐𝑐∗ dφTX(t)

dt (3.10)

Thus, Eq. (3.9) can be written as

φ𝑆𝑆𝑇𝑇(𝑡𝑡) = (1 + Δh) ∗ 𝜑𝜑𝑇𝑇𝑇𝑇(𝑡𝑡) − 𝑟𝑟𝑐𝑐∗ dφTX(t)

dt+ 2𝜋𝜋∆𝑓𝑓𝑡𝑡 + ∆𝜑𝜑 (3.11)

In practical, the continuous time t is sampled by 8MHz ADC. So Eq. (3.11) can be written in linear equations

𝒚𝒚 = 𝑿𝑿𝑿𝑿 (3.12)

Where (n is the number of available samples)

31

𝒚𝒚 = �

𝜑𝜑𝑆𝑆𝑇𝑇1𝜑𝜑𝑆𝑆𝑇𝑇2⋮

𝜑𝜑𝑆𝑆𝑇𝑇𝑅𝑅

� ,𝑿𝑿 =

⎝

⎜⎜⎛𝜑𝜑𝑇𝑇𝑇𝑇1𝜑𝜑𝑇𝑇𝑇𝑇2⋮

𝜑𝜑𝑇𝑇𝑇𝑇𝑅𝑅

dφTXdt 1

dφTXdt 2⋮

dφTXdt 𝑅𝑅

𝑡𝑡1 𝑡𝑡2 ⋮

𝑡𝑡𝑅𝑅

1

1

⋮

1⎠

⎟⎟⎞

,𝑿𝑿 =

⎝

⎜⎛

(1 + 𝛥𝛥ℎ)−𝒓𝒓

𝒄𝒄2𝜋𝜋∆𝑓𝑓𝛥𝛥𝜑𝜑 ⎠

⎟⎞

With known 48-bit pattern, GFSK modulated phase 𝜑𝜑𝑇𝑇𝑇𝑇(𝑡𝑡) can be easily calculated. The received phase φ𝑆𝑆𝑇𝑇(𝑡𝑡) can be easily calculated with the captured IQ data at the receiver. So the data points in matrix 𝒚𝒚 and 𝑿𝑿 are known, and the linear coefficients in matrix 𝑿𝑿 need to be known. This is a typical Linear Least Square Error (LSE) fitting problem [26].

Eq. (3.12) usually has no solution, so the goal is instead to find the coefficients 𝑿𝑿 which fit the equations best in the sense of solving the quadratic minimization problem.

𝑿𝑿� = 𝑎𝑎𝑟𝑟𝛼𝛼min𝑿𝑿𝑆𝑆(𝑿𝑿) (3.13)

where the objective function 𝑆𝑆(𝑿𝑿) is given by

𝑆𝑆(𝑿𝑿) = ‖𝒚𝒚 − 𝑿𝑿𝑿𝑿‖2 (3.14)

By solving the problem in Eq. (3.13), it leads to a closed-form expression for the estimated value of the unknown coefficients β which contains modulation index offset, ToF, carrier frequency offset and carrier phase offset.

𝑿𝑿� = (𝑿𝑿𝑻𝑻𝑿𝑿)−1𝑿𝑿𝑻𝑻𝒚𝒚 (3.15)

3.2 Simulation The BLE signal generator and the LSE fitting routine are prepared by the company in MATLAB. In the script, random 48-bit symbol pattern is used to generate GFSK modulated complex signal. RF impairments namely white noise, modulation index offset, ToF, carrier frequency offset and carrier phase offset are added to the TX signal to create the RX signal. After this, the TX and RX phase pattern are fed into the fitting routine to obtain four estimated parameters.

3.2.1 Bit Pattern Issue In the beginning, simulation only returns correct results for symbol pattern with equal number of 1s and 0s. This issue is caused by inappropriate phase differentiation calculation. The problem is caused by the usage of diff([phi1 0]) which means to append 0 to phi1 and calculate differentiation. If the unwrapped phase phi1 ends with 0 which means it has balanced number of 0s and 1s, the results is not influenced. But if the phi1 ends with other value (unbalanced), then this calculation will give very wrong value, which results in wrong fitting results. After I change it to

fm1 = diff(phi1); fm1(end+1)=fm1(end);

32

which appends the last differentiation result, any bit pattern works perfectly in simulation. The result of correct and wrong phase differentiation is shown in Figure 3.3. This partially shows the vulnerability of this algorithm because one largely deviated sample in the phase pattern will impact the whole estimation.

Figure 3.3 Correct and wrong phase differentiation

3.2.2 LSE Fitting Simulation Results The whole LSE fitting simulation is done under different SNR values to understand the influence of white noise. For each SNR value, we simulate 1000 times of LSE fitting to obtain fine statistics. The TX phase and RX phase pattern example under SNR = 5dB is shown in Figure 3.4. The phase ramp 2𝜋𝜋∆𝑓𝑓𝑡𝑡 due to carrier frequency offset can be clearly seen.

The simulation results are shown in Table 3.1. The first row shows the RF impairments we add to the RX signal. The rest rows shows the estimated parameter by LSE fitting in average and standard deviation. When SNR = 5dB which is very bad signal condition and even packet reception may be influenced in practical, the fitting gives error of 4.6ns (1.38m) along with huge spread. With relatively low SNR =10dB in practical, the algorithm can give good estimation of four parameters with small average error and achieve distance accuracy of 3.5m. If we increase the SNR, the distance accuracy can be further improved to 1m when SNR = 20dB and to 0.33m when SNR = 30dB. Meanwhile the ToF average error is very small.

0 50 100 150 200 250 300 350 400-0.04

-0.03

-0.02

-0.01

0

0.01

0.02

0.03

0.04Correct Phase Diff

0 50 100 150 200 250 300 350 400-1

0

1

2

3

4

5

6

7Wrong Phase Diff

sample nr.

Wrong value

Correct Phase Diff W

rong Phase Diff

Sample nr.

33

SNR Modulation Index ToF/ns Carrier Frequency

Offset/kHz Phase Offset/°

Ideal 0.51 30 (9m) 25 (10ppm) 10 5dB 0.5058 ± 0.0431 34.584 ± 148.220 25.248 ± 13.227 11.310 ± 42.144

10dB 0.5100 ± 0.0011 30.561 ± 10.567 25.008 ± 0.296 9.638 ± 1.739 20dB 0.5100 ± 0.0003 30.202 ± 3.333 25.004 ± 0.092 9.757 ± 0.538 30dB 0.5100 ± 0.0001 30.239 ± 1.084 24.999 ± 0.028 9.740 ± 0.168

Table 3.1 LSE fitting simulation results

Figure 3.4 TX phase (blue) and RX phase (green) over sample nr.

3.2.3 Two Important Flaws Later on we detect two important flaws of this algorithm. The first flaw is that the fitting becomes more and more inaccurate when the RX signal is delayed by more than 1 sample that equals 125ns under 8MHz RF-ADC. To prove the flaw, we set the ToF to 83ns, other RF impairments to normal level and delay RX signal from 0 to 8 samples, it can be seen from Table 3.2 that the result is only accurate with 0 and 1 sample delay. This means that before feeding the RX phase pattern into the fitting routine, we need to bring the pattern delay down to at most 1 sample. This sets the range limit to 37.5m (125ns) which luckily does not influence our goals.

Phase Shift/sample 0 1 2 3 4 5 6 7 8 ToF Fitting/ns 83.15 206.51 318.97 416.47 497.66 563.02 614.24 655.08 688.91

ToF Ideal/ns 83 208 333 458 583 708 833 958 1083

Table 3.2 Effect of large time shift

0 50 100 150 200 250 300 350 400-7

-6

-5

-4

-3

-2

-1

0

1Phase

sample nr.

phas

e/cy

cle

TX phaseRX phase

Sample nr.

Phase/cycle

34

Another flaw is about the concept of ToF in this model. We capture the IQ signal after the IF filter and before the demodulator. The TX phase is actually delayed by the whole reception chain instead of ToF only. We should consider the delay in the RF front-end circuits. These two factors are not considered in the simulation and prove to be headache issues in our practical test. This will be elaborated in the following chapters.

3.3 Experimental Setup To achieve the concept described in the beginning, we design a dedicated software experimental setup which is shown in Figure 3.5. In this setup, we use two DA14861 boards as advertiser and scanner doing packet transactions. At the same time, a laptop with MATLAB running is connected to the advertiser and is acquiring necessary practical data for the algorithm.

Figure 3.5 Experimental setup

The characteristics for three ends in this setup are:

• MATLAB – Data acquisition for IQ data, timestamp and RSSI – Avoid conflict with ADV

• Advertiser – Whitening disabled – One button to start the ADV and filter target SCAN_REQ packet – No sleep to avoid power management issue – Proper settings to capture IQ data and read it from RAM – Record packet timestamp and RSSI

• Scanner – Whitening disabled – Continuously scanning

3.3.1 Scanner Theoretically, the scanner can be any BLE-compliant device that is doing active scanning. Currently, we use scanner application in the provided SDK doing continuously scanning without sleep. In the BLE Link Layer, whitening is used to avoid long sequence of 0 and 1 with fixed and known polynomial. It is performed over PDU and CRC fields. Whitening and De-whitening are performed using the same polynomial. Whitening initialization value depends on the channel index for each advertising / connection event.

35

If whitening is enabled, it will mess up the 48-bit information in the payload with other symbols. Altough the whitening polynomial is known, we need to know all the symbols in PDU and CRC fields and the channel number to recover the packet information. To avoid the trouble in the beginning, we disable whitening function on both scanner and advertiser.

3.3.2 Advertiser The BLE advertiser application example is provided by the company as a basic start point. Most mentioned characteristics are completed individually. First, enough memory (16 Kbytes) needs to be pre-allocated at fixed memory address as shared memory between C program and MATLAB script. The main() function performs all necessary initialization of the system, creates advertiser application task and starts the task. The program flow chart for advertiser task is shown in Figure 3.6.

Figure 3.6 Flow chart for BLE advertising task

36

In the BLE advertiser task, the program is configured as peripheral role. The task then waits in an infinite for-loop for task notifications from the RTOS. When the button is pressed, the system will start advertising only one packet and filter the SCAN_REQ packet from target device. When the packet timestamp, RSSI and IQ data are ready. Target_Device_FLAG is used to indicate target device and trigger the processing in MATLAB. ReadIQ_Ready is used to block MATLAB acquisition before next advertisement. In this way, we have continuous advertisement (the interval is not deterministic) with synchronized real-time MATLAB acquisition.

In this setup, I force BLE stack to be always active. The RFPT mode introduced in Section 2.3.1.2 requires correct setting of several registers. These registers are located in Radio power domain which will be automatically switched off in the gap of ADV event to save energy. They are not designed as retainable registers and the RFPT mode will not start.

Besides the main() routine, there is BLE stack interrupt routine which is always running when the BLE task is started. The interrupt generated from this routine has higher priority than OS notification. The program flowchart for this routine is shown in Figure 3.7. Whenever there is interrupt for the end of ADV event, one SCAN_REQ packet is possibly to be captured and the information of which is stored in the corresponding RX descriptor. If the address is successfully matched, then we can extract RSSI and payload information for main routine usage, and give suitable OS notifications.

Figure 3.7 Flowchart for BLE interrupt routine

37

3.3.3 MATLAB An example MATLAB program is provided by the company to access memory and registers through a block on mother board and driver on laptop called JLink. In the beginning, identification and initialization of the chip are done. During the procedure, the C library “JlinkARM.h” is loaded to use all functions in MATALB and shared memory addresses are set. After the basic configuration, the script enters the main loop. ReadIQ_Ready is used to indicate the end of packet reception. Only after the flag is set, the MATLAB program starts to read the memory to avoid collision. Target_Device_FLAG is added to filter the scanner device addresses. The flag is set only for right device address and the MATLAB will start to process the RFPT data word and obtain 8-bit I data and 8-bit Q data. The MATLAB program flowchart is shown in Figure 3.8.

Figure 3.8 Flowchart for MATLAB routine

3.4 Raw IQ Data Processing From previous setup, we obtain 1600 IQ samples for SCAN_REQ packet but the input for fitting routine should be 48-bit RX and TX phase pattern. To extract the RX phase pattern from raw IQ samples, following steps are designed and tested in MATLAB. The script for LSE fitting and clock offset compensation are

38

integrated to obtain the range in the end. The script blocks with input and output for the whole asymmetric single channel ranging method are shown in Figure 3.9. All the steps are explained in detail as follows.

Figure 3.9 MATLAB script blocks for asymmetric single channel ranging

a. The raw IQ data for one example SCAN_REQ packet is shown in Figure 3.10. The amplifier is set to the largest gain to receive the packet preamble so that the values in the beginning are saturated. After some time, the Automatic Gain Control (AGC) starts working and the amplitude falls into amplifier linear range. If we zoom in on I and Q signal, we can see they are frequency modulated. Obviously, there are DC offset and amplitude distortion for both I and Q. Only after the DC offset is removed and amplitude normalization process is done, we can calculate the phase correctly in the next step.

Figure 3.10 Raw IQ data for one example SCAN_REQ packet

0 200 400 600 800 1000 1200 1400 1600-150

-100

-50

0

50

100

150

sample nr.

ampl

itude

I signalQ signal

950 1000 1050 1100 1150

-40

-30

-20

-10

0

10

20

30

40

50

60

sample nr.

ampl

itude

I signalQ signal

39

b. The phase is calculated with arctan(Q/I) and unwrapped for the removal of intermediate frequency. According to Eq. (3.7), by subtracting 2𝜋𝜋𝑓𝑓𝐼𝐼𝐼𝐼𝑡𝑡 from the unwrapped phase, we get results shown in Figure 3.11. We can observe the noise in the beginning and the end. In the packet, the GFSK modulated phase ramps up with symbol 1 and down with symbol 0 by 0.25cycle.

Figure 3.11 Unwrapped phase after IF removal

c. Next step is GFSK demodulation to obtain data samples which is shown in Figure 3.12. In BLE, two different frequencies are used to transmit a binary ‘1’ or ‘0’: fc + 250kHz for symbol 1 and fc - 250kHz for symbol 0. So the transmit frequency oscillates back and forth around the center channel frequency between each symbol time (1μs). We first calculate phase differentiation over time to get the frequency deviation and then translate the deviation into samples bits. According to the modulation, positive deviation is 1 and negative deviation is 0.

0 200 400 600 800 1000 1200 1400 1600-6

-5

-4

-3

-2

-1

0

1

2

3

4

sample nr.

unw

rapp

ed p

hase

(IF r

emov

al)

40

Figure 3.12 Data samples of the packet

d. Because of the clock offset, the start of RX phase pattern is not fixed against the IQ data capture anchor point (DEM_EN signal). As the fitting does not work when RX phase pattern has more than 1 sample shift compared to TX phase pattern, we use cross correlation between RX and TX pattern data samples to locate the pattern with accuracy of 1 sample. The cross correlation result is show in Figure 3.13 with clear peak that is the start sample of the pattern. But In this way, every symbol timing offset larger than 1 sample time (125ns) will be wrapped.

Figure 3.13 Cross correlation between RX and TX pattern data samples

0 200 400 600 800 1000 1200 1400 1600-1

-0.5

0

0.5

1

1.5

2

cat. sample nr.

reco

vere

d da

ta

-2000 -1500 -1000 -500 0 500 1000 1500 2000-40

-20

0

20

40

60

80

100

lag

corr

elat

ion

41

e. After this, we can feed the RX and TX phase patterns into the fitting routine to get estimated parameters. Based on these parameters, we can reconstruct the fit curve and calculate the fitting error. Figure 3.14 shows the fit curve, TX curve, RX curve and error over sample number. We can see that the RX curve is closed aligned with fit curve with small level of error. When the average error is large than an empirical threshold, the fitting results for this packet are discarded.

Figure 3.14 Fit curve, TX curve, RX curve and error curve after fitting

f. It is proved in Section 3.1.1 that within time period of 48-bit pattern (48µs), the time shift caused by clock offset does not have big impact on our ToF result. But the time drift caused by clock offset during packet interval is not considered in our model. In BLE, the smallest ADV event interval is 20ms [1], the time shift between packets can be 400ns which needs to be well compensated! Assuming the symbol timing offset happened to TX phase is ∆𝑡𝑡 which contains ToF and clock offset, ∆𝑡𝑡 can be defined as

∆𝑡𝑡 = (𝑇𝑇𝛼𝛼𝑇𝑇 + 𝑇𝑇 ∆𝑓𝑓𝑓𝑓𝑐𝑐

)𝑚𝑚𝛼𝛼𝑑𝑑 125 (3.16)

The modulo of 125ns comes from the effect of cross correlation step which wraps symbol timing offset larger than 1 sample. So, with estimated frequency offset ∆𝑓𝑓 and packet interval 𝑇𝑇, we can compensate the delay due to clock offset and get the correct ToF.

3.5 Results and Analysis 3.5.1 Indoor Measurement We did 1000 packets indoor measurements with distance of 5m, 10m, 15m and 20m. The distance is measured with tape. The location is office corridor with LOS, wall only on one side and low people movement. Two boards have around 1m height from the ground. The environment picture is shown in Figure 3.15.

0 50 100 150 200 250 300 350 400-7

-6

-5

-4

-3

-2

-1

0

1

2Fit Phase

time (sample)

unw

rapp

ed p

hase

idealreceivedfiterror

42

Figure 3.15 Indoor measurement environment

The results are shown in Table 3.3.

Actual Distance/m

Packet Interval/s ToF/ns Frequency

Offset/Hz Estimated Distance/m

5 0.255 ± 0.129 87.823 ± 60.522 8432.095 ± 605.615 26.347 ± 18.157

10 0.253 ± 0.131 92.233 ± 56.162 8469.498 ± 581.883 27.670 ± 16.849

15 0.233 ± 0.108 86.790 ± 64.740 8810.818 ± 582.894 26.037 ± 19.422

20 0.242 ± 0.110 88.002 ± 62.455 8571.000 ± 600.709 26.401 ± 18.736

Table 3.3 Indoor measurement results

The ToF histogram for 5m measurement is shown in Figure 3.16 as an example. It follow a nice Gaussian-like distribution.

Advertiser with laptop

Scanner

43

Figure 3.16 ToF histogram for 5m measurement

Here are the observations:

• The packet interval is around 250ms which is relatively large compared to minimum ADV event interval 20ms.

• For all the measurements, we see very large standard deviation (50ns~60ns) and no expected ToF change with ranges. Distance offset is not a fatal issue for the moment.

• Carrier Frequency offset estimation is good. The standard deviation is only 500~600Hz compared to 2.4GHz carrier frequency. This means we can estimate clock offset down to 0.21~0.25ppm.

3.5.2 Analysis According to Eq. (3.16), the accuracy of ToF is influenced by both LSE fitting and clock offset. In the following analysis, we can see that the error caused by clock offset is normally dominant. If we only consider error from clock offset, the standard deviation of ToF is defined by

𝜎𝜎𝑇𝑇𝑇𝑇𝐼𝐼 = 𝜎𝜎∆𝑓𝑓𝑓𝑓𝑐𝑐∗ 𝑇𝑇 (3.17)

Here is the analysis for unexpected ToF spread. Assume the packet interval 𝑇𝑇 is 250ms and clock offset 𝜎𝜎∆𝑓𝑓𝑓𝑓𝑐𝑐

accuracy is 0.25ppm, the time shift spread due to clock offset should be 62.5ns. This is what we see in

practice. In BLE, the smallest ADV event interval is 20ms [1]. So in the best case we may achieve ToF accuracy of 5ns and range accuracy of 1.5m.

However, in our BLE advertising application, the MATLAB real-time data acquisition is the bottle neck to improve packet interval. The fastest interval with still 1600 IQ samples acquisition is 100ms. Next, another measurement is done with two new boards that have very small clock offset. After some optimization in MATLAB, we have packet interval of 100ms. Now the ToF spread is decreased to 40ns which proves our

-150 -100 -50 0 50 100 150 200 250 3000

5

10

15

20

25

30

35

Time of Flight(ns)

coun

t

44

analysis. Unfortunately, this proves the current unavailability of this experimental setup to achieve reasonable ToF spread.

Another issue is that the ToF average does not move with different ranges. To look into this issue, we plot

symbol timing offset ∆𝑡𝑡 and clock offset compensation 𝑇𝑇 ∆𝑓𝑓𝑓𝑓𝑐𝑐

results over packets in Figure 3.17. From the

symbol timing offset result, we can clearly see the effect of clock offset. The result keeps drifting to negative side and getting wrapped by cross correlation every 125ns. Our clock offset compensation should exactly match with the result to cancel the sawtooth shape clock offset and leave with the ToF. But there is obvious mismatch between these two results and it is not a constant offset.

Figure 3.17 Symbol timing offset and clock offset compensation mismatch

This solution provides very attractive user case that we can calculate distance with remote BLE devices that may not have Dialog chip or software. The fitting algorithm in simulation can estimate symbol timing offset up to 0.3-3m accuracy. But in practical, we suffer from large ToF spread and clock offset compensation mismatch that cannot be solved for the moment. If these issues are solved, it is expected to achieve 1.5m range accuracy for indoors.

0 200 400 600 800 1000 1200 1400 1600 1800 2000-200

-150

-100

-50

0

50

100

150

packet nr

Tim

e of

Flig

ht(n

s)

fitcomp

Symbol tim

ing offset/ns Clock offset com

pensation/ns Packet nr.

45

4 Symmetric Single Channel Ranging In the asymmetric single channel ranging, we are not able to compensate the clock offset sufficiently accurate and reduce the ToF spread due to clock offset on one end only. Now we turn to symmetric single channel ranging based on advertising and scanning. The concept of this ranging method is shown in Figure 4.1. The advertising node transmits ADV_IND packet, receives SCAN_REQ packet from the active scanning node and transmits SCAN_RSP packet. The packet interval within one event is defined as 150μs by the standard. After some processing on received packets, both ends have important data for the final range. During the next ADV event, the same transaction is done but previous data will be carried in ADV_IND packet and SCAN_RSP packet. Then range can be known on both ends. Both ends need to have Dialog chip and software. That is why we call it “symmetric”. The ADV event still happens on one of three ADV channels and so we call it “single channel”.

Figure 4.1 Symmetric single channel ranging concept

4.1 Algorithm The symbol timing concept for two-way ranging is shown in Figure 4.2 [27]. With the asymmetric single channel ranging algorithm (see Section 3.1.2) running on both ends, they can estimate their symbol timing offset during one ADV event. Assuming during this short transaction with 150μs interval, there is only low frequency clock jitter in microsecond scale so that the time shift due to clock offset Δclk is the same on both ends. Tremote and Tlocal are the symbol timing offset obtained on remote and local end with LSE fitting in Eq. (3.15). Then both ends suffer from the same clock offset with different sign as is shown in Eq. (4.1). The symbol timing 𝑇𝑇𝑠𝑠𝑠𝑠𝑚𝑚 can be easily removed and ToF can be obtained by Eq.(4.2). In this way, the ToF accuracy only depends on the estimation accuracy of LSE fitting on both ends. The LSE fitting accuracy result is shown in Table 3.1.

𝑇𝑇𝑟𝑟𝑚𝑚𝑚𝑚𝑇𝑇𝑡𝑡𝑚𝑚 = ∆𝑐𝑐𝛼𝛼𝑐𝑐 + 𝑇𝑇𝛼𝛼𝑇𝑇, 𝑇𝑇𝑙𝑙𝑇𝑇𝑐𝑐𝑙𝑙𝑙𝑙 = 𝑇𝑇𝑠𝑠𝑠𝑠𝑚𝑚 − ∆𝑐𝑐𝛼𝛼𝑐𝑐 + 𝑇𝑇𝛼𝛼𝑇𝑇 (4.1)

46

𝑇𝑇𝛼𝛼𝑇𝑇 = 12

(𝑇𝑇𝑟𝑟𝑚𝑚𝑚𝑚𝑇𝑇𝑡𝑡𝑚𝑚 + 𝑇𝑇𝑙𝑙𝑇𝑇𝑐𝑐𝑙𝑙𝑙𝑙) (4.2)

Figure 4.2 Symbol timing concept for two-way ranging [27]

4.2 Experimental Setup To achieve the concept described in the beginning, we design a dedicated software experimental setup which is shown in Figure 4.3. In this setup, we use two DA14861 boards as advertiser and scanner doing packet transactions. At the same time, two laptops with MATLAB running are connected to the boards and are acquiring the data of the SCAN_REQ and SCAN_RSP packets from the same event for the algorithm. The ADV_IND packet only serves as the trigger of RFPT capture. The data communication part is not included because we have the data on both ends right now.

The characteristics of four programs in this experimental setup are:

– MATLAB (advertiser) • Data acquisition for IQ data, timestamp and RSSI • Avoid conflict with ADV

– Advertiser • Whitening disabled • One button to start the ADV and filter target SCANREQ • Append packet count in SCANRSP • No sleep to avoid power management issue • Proper settings to capture IQ data • Record packet timestamp and RSSI

– Scanner • Whitening disabled • Continuously scanning • Filter target SCANRSP and record packet count • Proper settings to capture IQ data

– MATLAB (scanner)

47

• Data acquisition for IQ data, timestamp and packet count • Avoid conflict with Scanning

Figure 4.3 Experimental setup of symmetric single channel ranging

In this setup, the two MATLAB programs are reused from the previous method (see Section 3.3.3). Only the acquisition parameters are updated for this method.

The advertiser is also reused from the previous method (see Section 3.3.2). The major change is that it sends the counter for received SCAN_REQ packet back in the SCAN_RSP packet payload as event sequence number. In the MATLAB data processing, we can pair the packets from the same ADV event by this sequence number.

Major changes are made on the scanner to capture IQ data of SCAN_RSP packet. The BLE interrupt routine flowchart for scanner is shown in Figure 4.4. For each packet reception, the ble_rx_irq signal is generated and the program enters the BLE interrupt routine. If connectable undirected advertising packet is received, we enable the RFPT capture settings for the coming SCAN_RSP packet. If SCAN_RSP packet is received, we read the AGC setting and the counter, and set flag for MATLAB acquisition.

48

Figure 4.4 BLE interrupt routine flowchart for scanner

4.3 Raw IQ Data Processing The MATLAB script blocks for symmetric single channel ranging is shown in Figure 4.5. Before the processing of SCAN_RSP packet data, we need to carefully screen and pair the packets that belong to the same ADV event as the SCAN_REQ packet with the event sequence number. For the raw IQ data processing and LSE fitting block, we reuse the blocks from the previous method to extract symbol timing offset. The details for this block are described in Section 3.4 and the clock offset compensation block is not needed in this symmetric method. Next, the fit curve for RX phase is reconstructed and the fit error is calculated with RX phase. If the error is larger than the threshold, the corresponding events are discarded. In the end, with symbol timing offset from both ends, we can calculate ToF and range with Eq. (4.2).

49

Figure 4.5 MATLAB script blocks for symmetric single channel ranging

4.4 Results and Analysis 4.4.1 Correct Functionality We conduct initial indoor measurements first to verify the functionality of the whole concept. The symbol timing offset for SCAN_REQ packet data and the reverse one for SCAN_RSP packet data over packet number are shown in Figure 4.6. As expected, two sawtooth shapes strictly follow each other which proves that the SCAN_REQ packet and SCAN_RSP packet are correctly paired up and clock offset does not change during 150μs packet interval. So the subtraction of these two should remove the clock offset successfully.

Figure 4.6 Symbol timing offset on both ends over packet number

0 200 400 600 800 1000 1200 1400 1600 1800 2000-100

-80

-60

-40

-20

0

20

40

60

80

100

Packet Nr.

Tim

e of

Flig

ht(n

s)

SCANRSPSCANREQ

Packet nr.

Symbol tim

ing offset/ns

50

4.4.2 Two Distributions The ToF histogram for 15m indoor measurement is shown in Figure 4.7. There are two distributions with 6ns standard deviation which is good for indoor environment. The small spread proves that we get rid of the large ToF spread issue with symmetric method. The distribution gap is 62.5ns. For some measurements, there are even more than two distributions with gap of 62.5ns.

Figure 4.7 ToF histogram for 15m indoor measurement

Here is the explanation. The ToF is calculated with Eq. (4.2) by average symbol timing offset on both ends. However, in the raw IQ data processing procedure, cross-correlation is used to locate the RX phase pattern in the whole packet. This will result in 125ns modulo effect on both symbol timing offset, which is clearly shown in Figure 4.6. So the ToF is actually calculated with Eq. (4.3).

𝑇𝑇𝛼𝛼𝑇𝑇 = (𝑇𝑇𝑟𝑟𝑚𝑚𝑚𝑚𝑇𝑇𝑡𝑡𝑚𝑚 𝑚𝑚𝛼𝛼𝑑𝑑125 + 𝑇𝑇𝑙𝑙𝑇𝑇𝑐𝑐𝑙𝑙𝑙𝑙 𝑚𝑚𝛼𝛼𝑑𝑑125)/2 (4.3)

In this way, it is expected to see peaks that have multiple of 62.5ns gap.

4.4.3 First Measurement The first indoor measurement is done from 1.25m to 15m with 12 data points. Each measurement takes 1000 events. The actual distance versus measured distance is shown in Figure 4.8. The standard deviation shown by error bar is 2~3m which is good for indoors. Ideally, the data points should fall around a line with slope of 1 but here the results spread everywhere from -4m to 12m. As is discussed in Section 3.2.3, the delay caused by the whole reception chain is not well considered in the solution. For each distance, the reset is performed and AGC setting is changed along with signal strength. It is very likely that these two factors have influence on the RF front-end circuits delay and the ToF results are impacted.

-60 -40 -20 0 20 40 60 80 1000

5

10

15

20

25

30

35

40

45

ToF

coun

t

51

Figure 4.8 First indoor measurement

Figure 4.9 Long time measurement on 1m

-8

-6

-4

-2

0

2

4

6

8

10

12

14

16

0 2 4 6 8 10 12 14 16

Mea

sure

d Di

stan

ce/m

Actual Distance/m

0 1000 2000 3000 4000 5000 6000 7000 8000-250

-200

-150

-100

-50

0

50

100

150

Packet Nr.

Tim

e(ns

)

SCANRSPSCANREQToF-150

Packet nr.

Symbol tim

ing offset/ns ToF-150ns

52

Before we analyze the effect of reception chain delay, we conduct long time measurement for fixed distance (1m) to make sure that the ToF result is stable during relative long time. In total 8000 events are captured within 34 minutes. The result is shown in Figure 4.9. For the purpose of better interpretation, the ToF result is subtracted by 150ns in red plot. We can see that over relatively long time, the variation of ToF result is very small. Besides, the effect of three distributions with gap of 62.5ns are seen clearly.

4.4.4 AGC Calibration The (partial) DA14681 Radio transceiver block diagram is shown in Figure 4.10 [21]. The PLL and test-mux are not included. This is a detailed version of Figure 2.17. The IQ data are read at the input of demodulator. So the symbol timing offset also contains the delay in the RF front-end reception chain. We need to fix and calibrate this delay accurately to have the correct ToF.

For different ranges, the signal strength (RSSI) is different. Automatic Gain Control (AGC) is applied for each reception on LNA, Variable Gain Amplifier 1 (VGA1) and Variable Gain Amplifier 2 (VGA2) according to RSSI. In this way, the signal strength can be kept in linear range for all the blocks without saturation. The IF filter is a complex band-pass filter including two programmable gain amplifiers: VGA1 and VGA2. In this way, the wanted signal can be provided to ADC at an almost constant level independent of the power of the received signal. But the IF filter has group delay of around 500ns. Because of imperfection of the operational amplifier, the filter delay variation may be introduced when switching AGC setting on different levels of signal strength.

Figure 4.10 (partial) DA14681 Radio transceiver block diagram [21]

AGC setting has 10 levels from 9 (low gain) – 0 (high gain). For each setting, the gain of one of the three amplifiers is adjusted. To understand the effect of AGC setting, we conduct one experiment. In this experiment, the RF attenuator is used to connect two boards with certain attenuation. The internal-developed RF attenuator is shown in Figure 4.11. It has knob controlled and serial port controlled RF attenuation.

VGA1 VGA2

53

Figure 4.11 Internal-developed RF attenuator

In this experiment, we collect 5000 packets continuously with AGC setting sweep from 9 to 0 in between. To avoid amplifier saturation, the MATLAB-controlled RF attenuator also sweeps the attenuation accordingly. The ToF results and scanner received signal amplitude (indicating the AGC change) for the whole measurement is shown in Figure 4.12.

Figure 4.12 AGC effect measurement

54

We can see from the signal amplitude that AGC setting changes around every 500 packets and it is within linear amplifier range. The green line shows that the ToF result steps with different AGC settings with small standard deviation (4~6ns) and range of about 20ns. The average is marked with red line. In the bottom we show which amplifier is switched to a new gain for each AGC setting. When VGA1 is switched, the ToF increases. When VGA2 is switched, the ToF decreases. When LNA is switched, the ToF remains the same. This AGC effect measurement basically conforms to the simulation condition which can be found in [2].

Several measurements are done with same or different boards to confirm this measurement result is reproducible for current hardware design. The ToF results have the same staircase shape as above with only certain offset caused by reset. We can explain the first result in this way. With different ranges, the signal strength as well as the AGC setting is different. For each AGC setting, corresponding delay happens in the circuits and distorts our ToF results. Now as the AGC effect measurement result is reproducible, we can make it a AGC calibration table which calibrates the ToF result according to recorded AGC setting during our range measurement. We should be able to remove RF front-end circuits delay due to AGC setting and resume correct ToF information.

4.4.5 Reset Effect One significant delay effect comes from reset of the whole ARM C application. There is an RF calibration routine in the reset function which is composed of modulation gain, DC offset and IF capacitance calibration. For every reset operation, three RF parameters are calibrated and updated, which may cause variation in RF front-end circuits delay. To measure the effect, two boards are connected with RF attenuator of 90 unit and the AGC setting is fixed to 5 to have IQ signal amplitude in linear amplifier range. In this way, reset will be the only difference for the results between measurements. In total, 10 measurements are done, where only first three have no reset in between. The result of reset effect measurement is shown in Figure 4.13. When there is no reset in between, the solution can give consistent result on distance. When the reset is performed, it will give random distance result in range of 10m.

To understand the effect, I try to fix all three RF parameters to a normal value instead of dynamic calibrated value. So they will not be updated during the same experiment. But still the measured distance varies largely. For the moment, we shall not reset in any distance measurement and the relative ToF change with different ranges should be seen.

55

Figure 4.13 Reset effect measurement

4.4.6 Final Results In our indoor office corridor environment, two measurements are done from 1.25m to 5m with step of 1.25m and from 5m to 20m with step of 5m. Reset is performed in between. The reset offset gap is removed for the second measurement that use 5m measurement as reference. The result is shown in Figure 4.14. We can see for most ranges, the standard deviation is 1.5m-1.6m. The spread is 3.2m and 2.7m respectively on 10m and 20m. If we do linear fitting for all data points, the slope is 1.06 which is very close to ideal slope of 1. From this we conclude that it can measure distance change accurately for indoor environment with certain reset offset.

For this solution, the user case is not as attractive as previous one because we need to have both Dialog chips. After successfully removal of clock offset and understanding of RF front-end circuits delay, we achieve less than 2m accuracy measuring indoor distance change.

56

Figure 4.14 Indoor measurement with AGC compensation

4.5 Initial Time and Energy Profiling For a successful solution, we need to consider range accuracy as well as execution time and energy consumption. So initial time and energy profiling is done for this ranging method to understand the feasibility for practical implementation.

To understand the execution time for different functions in MATLAB, firstly profiling is done with current MATLAB script to process 1000 events. Ignoring AGC compensation and generation of ideal samples and signals, the time profiling results are shown in Table 4.1. We can see that significant time is consumed on cross correlation and phase unwrapping. These two parts need special optimization in MATLAB. Instead, the LSE fitting only takes 6.31% of the time.

-20

-15

-10

-5

0

5

10

15

0 5 10 15 20 25

Mea

sure

d Di

stan

ce/m

Actual Distance/m

reset

57

Function time/ms portion

Process raw IQ 0.0857 13.38% Calculate angle 0.0383 5.98% Unwrap phase 0.1544 24.10% IF removal 0.0039 0.61% Sample recovery 0.0200 3.12% Correlation 0.2980 46.51% Fitting 0.0404 6.31%

Table 4.1 MATLAB time profiling for major functions

Firstly, the speed of the CPU running the MATLAB and the speed of the ARM core on DA14681 are shown in below by Millions of Instructions per Second (MIPS).

Intel CPU speed: SCPU = 27,079 MIPS@2.93 GHz

ARM M0 speed: SARM = 84 MIPS@96MHz

If we assume the ARM C compiler has the same efficiency as the MATLAB compiler, then the number of instructions generated by each compiler for the same algorithm should be the same. With the MATLAB time profiling result, the ideal estimation for execution time on ARM core is done in below.

Total execution time in MATLAB (Intel CPU): tCPU = 0.6407ms

Execution time ratio R = tARM/ tCPU = SCPU/ SARM = 322

Estimated time in C (ARM): tARM = tCPU * R = 206.5ms

With the power information of ARM core, the energy to calculate one range result is shown in below.

ARM M0 power: PARM = 1.2mW@96MHz

Energy for one range calculation: EARM = tARM* PARM = 247.8µJ

The Dialog chip has very low energy consumption for TX and RX. For each range measurement, two ADV events are required: one for IQ data capture and one for data exchange. With known energy for ADV event [21], we know the energy to for one range measurement.

ADV event energy: EADV = 30 µJ

Energy for one range measurement: Erange = 2* EADV + EARM = 307.8µJ

The energy consumption and execution time constraints for one distance calculation on Dialog chip is estimated to be 500µJ and 500ms [28]. Under the ideal consumption that the ARM C compiler has the same efficiency as the MATLAB compiler, our algorithm is feasible for implementation.

58

Secondly, the (partial) time profiling result on DA14681 is shown in Table 4.2. I implement four processing routines on the DA14681 chip at 96MHz processing speed. The execution time for each routine is calculated with the OS timer.

Function Execution time in MATLAB/ms

Execution time in C/s

Execution Time Ratio

Comment

Process raw IQ 0.0857 0.0664 775 no optimization Calculate angle 0.0383 0.0332 867 atan2()from “math.h” Unwrap phase 0.1544 0.1764 1142 directly ported from MATLAB Unwrap phase1 0.1544 0.0199 129 improved from MATLAB way Correlation 0.298 13.89 46611 slow way of O(n2) Correlation1 0.298 1.5624 5243 use FFT and IFFT to have O(n logn) Whole algorithm (ideal)

0.6407 0.2065 322 Ideal estimation in above

Table 4.2 (partial) Time profiling on DA14681

It shows us that in the current straight forward way of implementation with limited optimization, most of the routines have larger execution time ratio than ideal case. This means for the current implementation, the ARM C compiler is not as efficient as the MATLAB compiler. As an immature estimation: if we take execution time ratio of 129 for the whole algorithm as the best case, we will have execution time of 82.7ms and energy consumption of 99.3uJ. If we take execution time ratio of 5243 as the worst case, we will have execution time of 3.36s and energy consumption of 4045uJ which is much larger than our application constraints.

In general, the practical time and energy constraints for this ranging method is possible to be achieved. But either deep optimization for ARM core or implementation on hardware is needed to integrate this method on DA14681 with reasonable constraints.

59

5 Asymmetric Multiple Channel Ranging In previous chapters, single channel methods based on LSE fitting are introduced and discussed. In BLE standard, the advertising always happens on three channels. It is natural to think and use this feature for multiple channel ranging method. For this purpose, we need a special scanner that receives all three ADV packets from the same event. Because the special changes and ranging algorithm only run on the scanner side and the advertiser can be any BLE device, we call this method “asymmetric”. New algorithm and experimental setup are needed for asymmetric multiple channel ranging.

5.1 Algorithm In Section 3.1.1, we establish the mathematical model for the BLE RX signal. The RX phase is given by Eq. (3.8).

φ𝐼𝐼𝐼𝐼(𝑡𝑡) = 𝜑𝜑𝑚𝑚(𝑡𝑡 − 𝑟𝑟𝑐𝑐) + 2𝜋𝜋∆𝑓𝑓𝑡𝑡 − 2𝜋𝜋𝑓𝑓𝑐𝑐

𝑟𝑟𝑐𝑐

+ ∆𝜑𝜑 (3.8)

We can see from Eq. (3.8) that the received phase after IF filtering contains distance information in the GFSK modulated phase term and phase term induced by carrier frequency. The first phase term 𝜑𝜑𝑚𝑚(𝑡𝑡 −𝑟𝑟𝑐𝑐) has been discussed and tested in single channel ranging. In this ranging method, we study phase term

2𝜋𝜋𝑓𝑓𝑐𝑐𝑟𝑟𝑐𝑐 for range information.

In this method, we receive at least two identical ADV packets on different channels. Because the packet contents are identical (without whitening), the GFSK modulated phase is identical and can be cancelled. Assuming the carrier phase offset ∆𝜑𝜑 is constant during the ADV event, the phase difference for two ADV packets are

∆𝜑𝜑𝑆𝑆 = ∆𝑓𝑓𝑐𝑐 ∗𝑟𝑟𝑐𝑐

+ ∆𝑓𝑓 ∗ 𝑡𝑡𝐴𝐴𝐴𝐴𝐴𝐴 (5.1)

∆𝑓𝑓𝑐𝑐 is the frequency gap for two channels and 𝑡𝑡𝐴𝐴𝐴𝐴𝐴𝐴 is the interval of ADV packets. The phase is in unit of cycle (2𝜋𝜋). The phase relationship on multiple channels is shown in Figure 5.1. The phase difference is composed of phase ramp due to clock offset, phase offset due to range and a constant phase offset.

Then we can extract distance information by

𝑟𝑟 = 𝑐𝑐∆𝑓𝑓𝑐𝑐

∗ (∆𝜑𝜑𝑆𝑆𝑇𝑇 − ∆𝑓𝑓 ∗ 𝑡𝑡𝐴𝐴𝐴𝐴𝐴𝐴) (5.2)

The RX phase difference and the carrier frequency offset can be easily obtained based on previous ranging methods. As the ADV packet interval and channels are known, we are able to obtain the range with Eq. (5.2).

For detailed MATLAB simulation of this algorithm, please refer to [2].

60

Figure 5.1 Phase relationship on multiple channels [2]

According to Eq. (5.2), the range variance is defined by

𝜎𝜎𝑟𝑟2 = ( 𝑐𝑐∆𝑓𝑓𝑐𝑐

)2 ∗ (𝜎𝜎∆𝜑𝜑2 − 𝜎𝜎∆𝑓𝑓2 ∗ 𝑡𝑡𝐴𝐴𝐴𝐴𝐴𝐴2 ) (5.3)

𝜎𝜎∆𝜑𝜑2 stands for the variance of RX phase difference. It is influenced by the phase noise level in the wireless channel and receiver circuits. 𝜎𝜎∆𝑓𝑓2 is the variance of frequency offset estimation. It is usually the bottleneck for accuracy improvement assuming phase noise is relatively small. So better estimation accuracy of carrier frequency offset, shorter ADV packet interval, larger channel frequency gap and smaller phase noise level can improve the distance accuracy in this method.

5.2 Experimental Setup For multi-frequency algorithm, we use a normal BLE advertiser in current SDK and a special test mode scanner to capture 3 ADV packets from one ADV event. The concept is shown in Figure 5.2.

Figure 5.2 Experimental setup for symmetric multiple channel ranging

The characteristics for three ends in this setup are:

61

• MATLAB – Data acquisition for IQ data, RSSI and AGC – Avoid conflict with scanning

• Advertiser – Whitening disabled – Continuously advertising with packet interval of 1.5ms

• Scanner – Whitening disabled – Only receive error-free ADV packet from target device – Receive all 3 ADV packets from the same ADV event – Enable RFPT capture for packets on channel 38 and 39 – Timeout to discard corrupted event

The MATLAB script is basically reused and advertiser is the example from SDK, only scanner program is newly developed.

5.2.1 Scanner A BLE Direct Test Mode program in Keil environment is provided as the start point. In this program used by internal test team, various RF test modes and user functions are defined to facilitate different test scenarios. These are descripted in Table 5.1.

Test Modes Description

NO_TEST No test is running START_TX Continuous transmission of test packets with certain period and

predefined payload pattern on one channel START_RX Continuous reception of test packets N_BURST Transmit N bursts STOP Stop the current test RF_CALIBRATION Calibrate all RF settings CONTINUOUS_WAVE (UNMODULATED)

Transmit continuous unmodulated wave on one channel

CONTINUOUS_WAVE (MODULATED)

Transmit continuous modulated wave on one channel

User functions Description rwble_diagport_init() Initiate diagnostic signal settings so that we can map TX_EN, RX_EN,

TX_DATA, RX_DATA etc. to port pins for debugging check_rx_packet() Check the received packets for certain payload pattern enable_rf_diag_irq_user () RF_DIAG_Handler()

Enable the interrupt on RX_EN and TX_EN rising and falling edges

start_timer() stop_timer() SWTIM0_Handler()

Define timer and interrupt handler

lld_data_rx_check() For each reception, check errors and payload, update packet counter

Table 5.1 Test modes and user functions in the BLE Direct Test Mode program

62

In our scanner, START_RX mode is used for packet reception and the Access Address field of packet needs to be set to 0x8e89bed6 to receive the ADV packets. For each packet reception, the function lld_data_rx_check() will check different type of errors and return the contents of payload. If it is the correct target packet, we record RSSI and update packet counters. There are two ways to switch the channel. If you stop and restart the RX, it will take 3ms which is too long to capture the next packet. Register setting SetBits16(RF_BMCW_REG, CN_WR, 0) will bypass the MAC layer and switch channel immediately. In this way, we can receive three target ADV packets from one event.

In the main routine, first of all, enough memory for the IQ data of 3 ADV packets is allocated. During the first reception, it tries to receive one packet on channel 37 to roughly synchronize with the advertiser. Then it restarts the RX on three ADV channels and programs the IQ capture settings properly. If all three packets from one ADV event are correctly received, then the program waits for MATLAB to finish data acquisition and restarts the RX for next ADV event. If there is a timeout after 18ms which means a packet is missed on one channel, the program will quit the current RX procedure, reset the stack and start next reception. The program flow chart is shown in Figure 5.3.

The logic analyzer waveform example for ADV packet reception is shown in Figure 5.4. This proves the correct functionality of the application. The TX_DATA and TX_EN shows the three transmitted ADV packets. The packet interval is fixed to 1.5ms. For the first ADV event, the first packet is missed. So there is RX timeout after 18ms. The BLE stack is reset for another reception. From the signal of RX_EN, we can see that all three ADV packets are correctly received from the next two events and the timer is stopped immediately. Due to random ADV event interval defined by BLE, we can see from two correct events that the receiver needs to open for a long time until the first packet is received. In this way, we must use the circular mode of RFPT capture to get packet IQ data within limited memory space.

Figure 5.3 Example logic analyzer waveform for ADV packet reception

63

Figure 5.4 Program flowchart for the scanner in asymmetric multiple channel ranging

The final captured IQ data for 3 ADV packets are shown in Figure 5.5. Because of circular RFPT mode, the start of packet is not in the beginning of samples. Besides, the start of the first ADV packet is not fixed so that we can only use IQ data of packets on channel 38 and 39 for our algorithm for the moment.

64

Figure 5.5 Raw IQ data for 3 ADV packets

5.3 Raw IQ Data Processing The MATLAB blocks for asymmetric multiple channel ranging is shown in Figure 5.6. From Figure 5.5, we can see that the noise part is located in the middle. If we start the whole processing from the first sample, we experience unknown and large phase error for the unwrapped phase. So in this method we need to start the raw IQ data processing with proper sample offset. For the “Process IQ data” block, we reuse the previous blocks shown in Figure 3.9 to obtain RX phase pattern.

Figure 5.6 MATLAB blocks for asymmetric multiple channel ranging

0 500 1000 1500 2000 2500 3000 3500

-100

0

100

0 500 1000 1500 2000 2500 3000 3500

-100

0

100

0 500 1000 1500 2000 2500 3000 3500

-100

0

100

Iteration 1

Sample nr.

Amplitude

65

According to Eq. (5.2), phase difference ∆𝜑𝜑𝑆𝑆𝑇𝑇 for each ADV packet pair is calculated. Next, we do LSE fitting on only packets from channel 39 to obtain the carrier frequency offset ∆𝑓𝑓 and the phase ramp. After removing this phase ramp, we can extract range information.

5.4 Results and Analysis 5.4.1 Measurement Results For this method, we conduct both indoor and outdoor measurements. The indoor environment is the office corridor shown in Figure 3.15 and the outdoor environment is the field which is far from all buildings. The results are shown in Table 5.2 and Table 5.3.

Actual Distance/m

2.5 5 7.5 10 15

Estimated Distance/m

8.679 ± 4.173

11.794 ± 4.551

9.431 ± 4.334

9.385 ± 4.439

9.683 ± 4.366

Table 5.2 Indoor Measurement

Actual Distance/m

1 2 3 4 5 7.5 10 15

Estimated Distance/m

28.634 ± 5.342

29.353 ± 4.101

32.673 ± 4.080

31.942 ± 4.339

36.404 ± 4.738

29.120 ± 6.289

35.534 ± 4.571

28.905 ± 5.254

Table 5.3 Outdoor Measurement

The estimation of the carrier frequency offset has standard deviation of around 600Hz, the ADV packet interval in the experimental setup is 1.5ms and the carrier frequency difference between channel 38 and 39 is 54MHz. According to Eq. (5.3), the expected distance accuracy is calculated as 5m assuming phase noise level is small. The distance variation is 4-5m which is as expected. But the average distance in both measurements give confusing result :

• We cannot see expected change with different ranges • There is large difference in average distance between outdoor and indoor measurement

5.4.2 Problem Locating To locate the problem, we first check the phase difference for ADV packet pairs in channel 38 and 39. The result for one packet pair from 5m outdoor is shown in Figure 5.7. This plot is as expected that noise only causes small variation on phase information. We also check other packet pairs in the same or different measurements. They all return similar small spread. In this case, the standard deviation is 0.016 cycle.

66

Figure 5.7 Phase Difference for ADV one packet pair from 5m outdoor measurement

In Eq. (5.2), the RX phase difference ∆𝜑𝜑𝑆𝑆𝑇𝑇 we need is the phase difference average for one packet pair. But when we plot the histogram of ∆𝜑𝜑𝑆𝑆𝑇𝑇 for all packet pairs from 5m outdoor measurement, the result is shown in Figure 5.4. The number is spreading everywhere between -1 cycle to 1 cycle.

Figure 5.8 RX phase difference for all packet pairs from 5m outdoor

0 50 100 150 200 250 300 350 400-0.33

-0.32

-0.31

-0.3

-0.29

-0.28

-0.27

-0.26

-0.25

-0.24

-0.23Phase Diff of one packet pair (48-bit)

Phas

e/2*

pi

samples

-2 -1.5 -1 -0.5 0 0.5 1 1.50

5

10

15

20

25

30

35

Phase Diff/2*pi

coun

t

67

This spreading happens on all indoor measurements, which is shown in Table 5.4. With this large spread for phase difference average, we lose the ToF-related phase information.

Actual Distance

1m 2m 3m 4m 5m

Phase Diff/cycle

-0.00067 ± 0.408

-0.05924 ± 0.400

0.00671 ± 0.417

-0.00302 ± 0.401

-0.07071 ± 0.456

Table 5.4 Averaged phase difference for all indoor packet pairs

To obtain the phase difference in Eq. (5.1), we assume the GFSK modulated phase and the carrier phase offset are identical and can be cancelled. The exact bits of three ADV packets are confirmed to be identical without whitening. So we conclude that the carrier phase offset is not constant for each ADV event. This term is derived from phase offset difference of TX carrier wave and RX local oscillator wave. Both radio waves are generated by the RFPLL from the local 16MHz clock. The key role of the PLL is to generate signal with required high frequency and low phase noise. But for the RFPLL used on DA14681, it cannot preserve the phase information while switching in different channels. Same condition happens on both TX and RX ends which causes the trouble. We make suggestions to the design team of next generation PLL to preserve the phase information while switching channels. Besides, to make sure the carrier phase offset is constant, we need to have special designed RFPLL on both ends. So this method will not work for asymmetric concept.

5.4.3 Further Discussion on Range Accuracy Although this method does not work on the DA14681, it is still interesting to discuss the range accuracy. In the last section, we find that the expected distance accuracy on the current experimental setup is 5m. The estimation of clock offset with LSE fitting is down to accuracy of 0.25ppm which is difficult to be largely improved. The ADV packet interval defined in the BLE stack is shown in Table 5.5 [29]. The minimum interval among four ADV types is 0.526ms for the none-connectable advertising. If we can fix the PLL issue, it is possible to achieve accuracy of 1.75m on Dialog chip.

Table 5.5 Advertising packet interval in the BLE stack [29]

Although this method does not work for the current PLL issue, we can estimate the theoretical limit according to the phase difference result in Figure 5.7. In the ideal case, the phase ramp due to clock offset in Eq. (5.2) can reach very small value assuming there is very tiny clock offset or the packet interval on multiple channels is very short. Then the distance accuracy only depends on RX phase difference variance. This value is around 0.016 cycle in our measurement, so the range accuracy in ideal case can achieve 9cm which is very impressive.

68

Among all the ranging methods, the clock offset is the major source of range error. The ToF variation introduced by clock offset for asymmetric single channel ranging method is give in Eq. (3.17). It can be re-written as

𝜎𝜎𝑟𝑟′ = 𝑐𝑐𝑓𝑓𝑐𝑐∗ 𝜎𝜎∆𝑓𝑓 ∗ 𝑇𝑇 (5.4)

The range accuracy introduced by clock offset for asymmetric multiple channel ranging method is give in Eq. (5.5) according to Eq. (5.3).

𝜎𝜎𝑟𝑟′ = 𝑐𝑐∆𝑓𝑓𝑐𝑐

∗ 𝜎𝜎∆𝑓𝑓 ∗ 𝑡𝑡𝐴𝐴𝐴𝐴𝐴𝐴 (5.5)

If we ignore the packet interval difference between 𝑡𝑡𝐴𝐴𝐴𝐴𝐴𝐴 and 𝑇𝑇, the key difference lies on ∆𝑓𝑓𝑐𝑐 and 𝑓𝑓𝑐𝑐 in the denominator. In BLE standard, 𝑓𝑓𝑐𝑐 = 2.4GHz and the largest ∆𝑓𝑓𝑐𝑐 = 80𝑀𝑀𝑀𝑀𝑀𝑀. If the variation of carrier frequency offset is the same, the single channel method can achieve x30 better range accuracy introduced by clock offset than multiple channel method. In another word, the single channel method is more robust against the clock offset.

69

6 Conclusion and Future Work In this project, we develop and test three range ranging methods on Dialog’s latest BLE chip. The summary is shown in Table 6.1.

Single Channel Multiple Channel

Asymmetric X

Due to clock offset ~2m (expected)

X PLL improvement ~5m (expected)

Symmetric

With AGC calibration 2m

? PLL improvement

Table 6.1 Ranging method summary

The asymmetric single channel ranging provides very attractive user case that we can calculate distance with any remote BLE devices. The algorithm in MATLAB simulation can achieve range accuracy of 1m under moderate noise condition. In practical, we suffer from clock offset between nodes which causes large ToF spread and clock offset compensation mismatch. If these problems are solved, we can achieve range accuracy of 1.5m for indoor environment.

For symmetric single channel ranging, we need to have Dialog chips on both ends which limits its practical user case. After successfully cancellation of clock offset and understanding of RF front-end circuits delay, we achieve less than 2m accuracy measuring indoor distance change.

The asymmetric multiple channel ranging has similar attractive user case as the first method. The algorithm in MATLAB simulation can achieve range accuracy of 1m under moderate noise condition. It is expected to achieve 5m indoor range accuracy on current experimental setup. However, the intrinsic issue of the RFPLL used on DA14681 stops us from verifying this method. From our mathematical model, the single channel method can achieve much better accuracy than multiple channel ranging under the same condition.

Although this project gives good understanding of BLE ranging application and obtains good ranging results, there is still future work to be done.

• For all three ranging methods we have developed, clock offset is the major error source for range measurement. Now we estimate it by LSE fitting or cancel it by two-way ranging. If we hope to increase the range accuracy, better method to mitigate clock offset is needed.

• The design team from Dialog have started discussing the feasibility to integrate new feature on RFPLL. It is possible that we have the required PLL in the next-generation chip. Then we can test and verify asymmetric multiple channel ranging.

• For symmetric single channel ranging, we did initial time and energy profiling in MATLAB and partially on chip. The algorithm in MATLAB needs to be implemented on DA14861 to have the

70

complete profiling information. With this information, software optimization or hardware implementation can be done to achieve the application constraints.

• In Table 6.1, the symmetric multiple channel ranging is mentioned but not studied in this thesis. When the PLL improvement is available, we may study and test this method on chip.

71

Literature [1] Bluetooth, S. I. G. (2010). Bluetooth core specification version 4.2. Specification of the Bluetooth System.

[2] Ramachandran, S. J. (2016). Algorithms for Indoor Ranging with Bluetooth Low Energy Technology. Den Bosch: Dialog Semiconductor.

[3] Oliveira, L., Di Franco, C., Abrudan, T. E., & Almeida, L. (2013, November). Fusing time-of-flight and received signal strength for adaptive radio-frequency ranging. In Advanced Robotics (ICAR), 2013 16th International Conference on (pp. 1-6). IEEE.

[4] Haykin, S. S., Moher, M., & Koilpillai, D. (2011). Modern wireless communications. Pearson Education India.

[5] Newman, N. (2014). Apple iBeacon technology briefing. Journal of Direct, Data and Digital Marketing Practice, 15(3), 222-225.

[6] CINEFRA, N. (2014). An adaptive indoor positioning system based on Bluetooth Low Energy RSSI.

[7] Blumrosen, G., Hod, B., Anker, T., Dolev, D., & Rubinsky, B. (2013). Enhanced calibration technique for RSSI-based ranging in body area networks. Ad hoc networks, 11(1), 555-569.

[8] Karalar, T. C., & Rabaey, J. (2006, June). An RF TOF based ranging implementation for sensor networks. In 2006 IEEE International Conference on Communications (Vol. 7, pp. 3347-3352). IEEE.

[9] Fontana, R. J., & Gunderson, S. J. (2002, May). Ultra-wideband precision asset location system. In Ultra Wideband Systems and Technologies, 2002. Digest of Papers. 2002 IEEE Conference on (pp. 147-150). IEEE.

[10] Urkowitz, H. (1983). Signal theory and random processes. Artech House.

[11] Lanzisera, S., Zats, D., & Pister, K. S. (2011). Radio frequency time-of-flight distance measurement for low-cost wireless sensor localization. IEEE Sensors Journal, 11(3), 837-845.

[12] Ahmed, K. I., & Heidari-Bateni, G. (2006, November). Wsn06-3: Improving two-way ranging precision with phase-offset measurements. In IEEE Globecom 2006 (pp. 1-6). IEEE.

[13] Lanzisera, S., & Pister, K. S. (2009). RF ranging methods and performance limits for sensor localization. Localization Algorithms and Strategies for Wireless Sensor Networks, 526.

[14] Kaplan, E., & Hegarty, C. (2005). Understanding GPS: principles and applications. Artech house.

[15] Schwarzer, S., Vossiek, M., Pichler, M., & Stelzer, A. (2008, January). Precise distance measurement with IEEE 802.15. 4 (ZigBee) devices. In 2008 IEEE Radio and Wireless Symposium (pp. 779-782). IEEE.

72

[16] Pelka, M., Bollmeyer, C., & Hellbrück, H. (2014, October). Accurate radio distance estimation by phase measurements with multiple frequencies. In Indoor Positioning and Indoor Navigation (IPIN), 2014 International Conference on (pp. 142-151). IEEE.

[17] Atmel Corp. (2013). Atmel AVR2150: RTB Evaluation Application - User’s Guide. Atmel Corp.

[18] Macii, D., Colombo, A., Pivato, P., & Fontanelli, D. (2013). A data fusion technique for wireless ranging performance improvement. IEEE Transactions on Instrumentation and Measurement, 62(1), 27-37.

[19] Philips, M. (2013). Bluetooth Smart 101. Dialog FAE Conference. Edinburgh: Dialog Seimiconductor.

[20] Dialog Semiconductor. (2015). DA1468x/DA1510x PRO-Development kit User Manual v1.0. Den Bosch: Dialog Semiconductor.

[21] Dialog Semiconductor. (2015). DA14681 Datasheet v1.4. Den Bosch: Dialog Semiconductor.

[22] Dialog Semiconductor. (2016). DA14680 Objective Specification. Den Bosch: Dialog Semiconductor.

[23] Dialog Semiconductor. (2016). DA1468x Software Developer’s Guide (draft). Den Bosch: Dialog Semiconductor.

[24] Prummel J. (2016). Graduation Assignments_v1 – BLE/802.15.4 Ranging Application. Den Bosch: Dialog Semiconductor.

[25] Tibenderana, C. (2005). A High-Performance, Efficient, and Reliable Receiver for Bluetooth Signals (Doctoral dissertation, University of Southampton).

[26] Lawson, C. L.; Hanson, R. J. (1974). Solving Least Squares Problems. Englewood Cliffs, NJ: Prentice-Hall. ISBN 0-13-822585-0

[27] Lubberhuizen W. (2015). Time of flight. Den Bosch: Dialog Semiconductor.

[28] De Haas J. (2016). Graduation Assignments_v2 – BLE/802.15.4 Ranging Application. Den Bosch: Dialog Semiconductor.

[29] RiveiraWaves Corp. (2015). RW-BLE Functional Specification (version 7.1.0). RiveiraWaves Corp.