FreeRider: Backscatter Communication Using Commodity …

FreeRider: Backsca�er Communication UsingCommodity Radios

Pengyu Zhang1, Colleen Josephson1, Dinesh Bharadia2, Sachin Katti1

Stanford University1, UCSD2

{pyzhang,skatti}@cs.stanford.edu,[email protected],[email protected]

ABSTRACTWe introduce the design and implementation of FreeRider,the �rst system that enables backscatter communication withmultiple commodity radios, such as 802.11g/n WiFi, ZigBee,and Bluetooth, while these radios are simultaneously usedfor productive data communication. Furthermore, we are,to our knowledge, the �rst to implement and evaluate amulti-tag system. The key technique used by FreeRider iscodeword translation, where a tag can transform a codewordpresent in the original excitation signal into another validcodeword from the same codebook during backscattering.In other words, the backscattered signal is still a valid WiFi,ZigBee, or Bluetooth signal. Therefore, commodity radios de-code the backscattered signal and extract the tag’s embeddedinformation. More importantly, FreeRider does codewordtranslation regardless of the data transmitted by these radios.Therefore, these radios can still do productive data commu-nication. FreeRider accomplishes codeword translation bymodifying one or more of the three dimensions of a wirelesssignal — amplitude, phase and frequency. A tag ensures thatthe modi�ed signal is still comprised of valid codewords thatcome the same codebook as the original excitation signal. Webuilt a hardware prototype of FreeRider, and our empiricalevaluations show a data rate of ∼60kbps in single tag mode,15kbps in multi-tag mode, and a backscatter communicationdistance up to 42m when operating on 802.11g/n WiFi.

CCS CONCEPTS• Networks → Network architectures; Wireless accessnetworks;

Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies are notmade or distributed for pro�t or commercial advantage and that copies bearthis notice and the full citation on the �rst page. Copyrights for componentsof this work owned by others than ACM must be honored. Abstracting withcredit is permitted. To copy otherwise, or republish, to post on servers or toredistribute to lists, requires prior speci�c permission and/or a fee. Requestpermissions from [email protected] ’17, Incheon, Republic of Korea© 2017 ACM. 978-1-4503-5422-6/17/12. . . $15.00DOI: 10.1145/3143361.3143374

KEYWORDSBackscatter; WiFi; ZigBee; Bluetooth; Wireless

1 INTRODUCTIONBackscatter communication is well-known for providing anultra-low power wireless link for connecting Internet-of-Things devices. Backscatter radios only consume microwattsof power during data transmission because they passivelyre�ect and modify wireless signals to embed informationinstead of doing active transmission like WiFi. Typicallythere are three components in a backscatter communica-tion system: an excitation signal generator, a backscatterdevice (tag), and a receiver. RFID is a popular example ofbackscatter. In RFID, the reader acts as both the excitationsignal generator and the receiver. This requires a dedicatedinfrastructure of expensive custom hardware (such as RFIDreaders). Hence, despite their power e�ciency, we actuallydo not see a wide deployment of backscatter-based systems.As a result, researchers have recently been exploring us-ing already-deployed commodity radios, such as WiFi andBluetooth, to act as the excitation radio and/or receiver.

There are a number of research projects along these lines.Passive WiFi [16] is a pioneer which enables a tag to talkto an 802.11b WiFi receiver. A special tag transforms a sinewave signal to an 802.11b signal during backscattering. There-fore, the backscattered signal can be decoded by a commodity802.11b WiFi receiver. One inconvenience of using [16] is thatyou have to buy dedicated hardware which emits the sinewave signal. A followup work, Interscatter [13], addressesthis problem by hacking Bluetooth on a smartwatch. [13]forces the Bluetooth radio to transmit a speci�c sequence ofdata bits such that the signal that is emitted is a sine wave.[13] made a signi�cant step toward using commodity radiosfor backscatter. However, the channel occupied by Bluetoothcannot be used for productive data communication becausethe Bluetooth radio itself is generating the excitation signalwith no data (e.g., all zeros). This is non-productive com-munication. In summary, most recent research emulatesthe excitation signal either with a tone generator or commod-ity hardware with non productive communication [13, 16].

389

CoNEXT ’17, December 12–15, 2017, Incheon, Republic of Korea P. Zhang1, C. Josephson1, D. Bharadia2, S. Ka�i1

frequency shifting

codeword translator low power tagMAC control XOR decoder

FreeRider tagtransmitter receiver

exciting signal

tag data 010111..

exciting radio

receiver 1

receiver 2

exciting signalbackscatter signal

tag decoder tag data

010111..

Figure 1: FreeRider system overview. An example sce-nario could be o�ce setting where our smart-phonecan act as exciting radio, and the WiFi APs as receiver1 and receiver 2. TheWiFi APs are connected by Ether-net backhaul which performs the decoding operationand sends tag data to the Internet.

The ISM band is crowded with numerous devices; deployingbackscatter systems that rely on non-productive communica-tion results in decreased data rates and increased congestionfor wireless connectivity. Ideally, we would like the excita-tion signal transmitter to communicate productively withnormal non-backscatter clients while simultaneously provid-ing a signal that tags can backscatter.

To this end, a recent work HitchHike [25] enables backscat-ter communication using commodity 802.11b WiFi radioswhile the 802.11b radio itself does productive communication.However, [25] only works with 802.11b WiFi. Most modernWiFi clients use 802.11g/n where OFDM signals are transmit-ted. This means HitchHike devices will see little WiFi tra�cthey can use to backscatter. Therefore, there is a strong needto design a system that can do backscatter communicationwith widely deployed commodity radios (such as 802.11g/nWiFi, Bluetooth, and ZigBee) while these radios continuecommunicating normally with their intended clients. Since aspeci�c type of radio wave might not be available or has badsignal quality at one particular location, the technique we in-vent should be general enough such that the tag can rely onmultiple types of radios for backscattering its information.

This paper presents the design and implementation ofFreeRider, the �rst system that enables backscatter commu-nication using commodity 802.11g/n WiFi, Bluetooth, andZigBee radios while these radios themselves are doing pro-ductive communication. Furthermore, we are the �rst, to ourknowledge, to implement and evaluate a multi-tag systemthat works with commodity radios.

We overcome two key challenges in designing FreeRider.The �rst challenge is designing a system that can do backscat-ter communication with various commodity radios whilethey are still performing productive communication. To ad-dress this, we use a technique called codeword translationthat originated in HitchHike [25] (which only works with802.11b WiFi), and extend the technique such that it workswith OFDM and other various commodity radios. The keyobservation here is that any wireless signal on the ISM band

is generated using a set of known codewords from a �xedcodebook. For example, Bluetooth uses FSK modulation andhas two codewords in its codebook: it transmits a tone atone frequency to send data one, and a di�erent frequency tosend zero. Similarly, WiFi and ZigBee also have �nite setsof codewords that vary in combinations of phase, amplitudeor frequency. To do codeword translation, a tag transformsthe ongoing excitation signal’s codeword into another validcodeword in the same codebook during backscattering. Thisis done by modifying one or more of the amplitude, phase,and frequency of the excitation signal. The speci�c transla-tion depends on the data that the tag wants to communicateand the type of the excitation signal. Because the codewordin the backscattered signal is a valid codeword from thesame codebook as the original excitation signal, we can usea commodity radio to receive the backscattered signal. Fig-ure 1 shows an overview of FreeRider. An existing ISM bandradio (WiFi, Bluetooth or ZigBee) transmits data to clientsas it normally would. The IoT device (which we will referto as a tag to be consistent with prior backscatter litera-ture) backscatters this signal and embeds the information itwants to communicate. The backscattered signal arrives ata commodity receiver that uses the same technology (WiFi,Bluetooth or ZigBee) as the transmitting radio, but sits on anadjacent channel. The intended client of the original commu-nication decodes the original signal, and the second receiverdecodes the backscattered signal. The decoded bits streamsfrom the two receivers are compared to obtain the tag data.

The second challenge is gracefully supporting multipletags on the same wireless channel. FreeRider addresses thisissue by leveraging a technique called packet length mod-ulation to transmit necessary information to the tags forcoordination. Its core idea is using the length of the excita-tion packets to encode 0s and 1s, which can be arranged toform messages to the tags that implement a backscatter MACprotocol. This protocol sends control messages to the tagsthat coordinate tag transmissions to avoid collisions.

We prototyped our FreeRider tag, and used a MacBook Prolaptop as the backscatter decoder. Our empirical evaluationshows the following results:

• We can decode backscattered OFDM WiFi signalsfrom 42m in a line-of-sight (LOS) deployment, and22m in a non-line-of-sight (NLOS) deployment.• We achieve a maximum throughput of ∼60kbps from

a backscattered OFDM WiFi signal when a LOS re-ceiver is 18m or closer. For further distances, weachieve an average of 32kbps (LOS) and 20kbps (NLOS).• We demonstrate that our FreeRider tag can backscat-

ter ZigBee signals from up to 22m, achieving 15kbps.It can backscatter Bluetooth up to 12m, achieving

390

FreeRider: Backsca�er Using Commodity Radios CoNEXT ’17, December 12–15, 2017, Incheon, Republic of Korea

55kbps. We also show that our system co-exists peace-fully with WiFi networks no matter what type ofexcitation signal the tag is backscattering.• We evaluate FreeRider’s performance with up to

twenty tags and show that our MAC scheme cancommunicate successfully with each of the twentytags and ensure uplink fairness among them.

2 DESIGN2.1 Understanding backscattered signalsWhen a tag backscatters an excitation signal, modi�es thethree degrees of freedom of a signal: amplitude, phase, andfrequency. Such modi�cation is shown below where S(t) isthe excitation signal, T(t) is the tag signal, and B(t) is thebackscattered signal. The backscattered signal B(t) is the timedomain product between the excitation signal S(t) and the tagsignal T(t). Therefore, a tag changes its signal T(t) to modifythe amplitude, phase, and frequency of the backscatteredsignal B(t).

S(t) = Asej(2π fs t+θs )

T (t) = Atej(2π ft t+θt )

B(t) = S(t)T (t)= Ase

j(2π fs t+θs )Atej(2π ft t+θt )

= AsAtej(2π (fs+ft )t+(θs+θt ))

(1)

A tag modi�es the amplitude of the backscattered sig-nal by tuning the terminating impedance of the tag an-tenna. The backscattered signal strength is a function ofΓ =

ZT −Z ∗AZA+ZT

where ZA is the tag antenna impedance and ZTis the impedance across tag antenna terminals. The exactformulation between the backscattered signal strength andΓ can be found in [21]. In traditional backscatter systems,a tag switches between ZT1 = ZA and ZT2 = 0 to encodeinformation. Therefore, we observe two levels of amplitudeon a backscattered signal. Instead of switching between twoimpedances, as [21] does for creating the analog backscattersignal, our tag switches across multiple impedances to �netune the amplitude of the backscattered signal.

A tag changes the phase of the backscattered signal bydelaying the tag signal in the time domain. In order to intro-duce an additional phase o�set ∆θ at the tag, we delay thetag signal by ∆θ

2π ft . Such ∆θ phase o�set introduced at thetag leads to a ∆θ phase o�set on the backscattered signal.Changing the frequency of the backscattered signal is evensimpler. The tag just changes the frequency of toggling itsRF transistor. Therefore, a tag is able to modify the ampli-tude, phase, and frequency of the backscattered signal bychanging the tag signal. We next explain how a tag leveragesthis ability to enable backscatter communication betweencommodity radios.

decoded codeword excitation signal codeword tag bitsC2 C1 1C1 C2 1C1 C1 0C2 C2 0

Table 1: Logic table between the backscatter signalcodeword, excitation signal codeword, and tag databits.2.2 Codeword translationThe key technique for backscatter communication betweena tag and commodity radios is codeword translation. In thissection, we describe what codeword translation is and howa tag does it.

2.2.1 Codeword translation overview. We �rst de�netwo key concepts in our system — codewords and code-books. A codeword Ci is a signal symbol on the physicallayer that represents speci�c data transmitted. For example,Bluetooth uses binary FSK modulation to embed informa-tion. Therefore, it only uses two codewords,C1 = e j2π f1t andC2 = e j2π f2t , to represent data one and data zero respectively.A codebook B is the set of valid codewords used by a radio.The codebook of Bluetooth is B = {C1,C2} because only twocodewords are used. Similarly, 802.11g/n WiFi uses a code-book B = {C1,C2, ...,Cn}whereCi is an OFDM symbol. WiFi,ZigBee and Bluetooth all use di�erent sets of codewords andcodebooks.

Our key observation is that di�erent codewords in thesame codebook are related to each other by shifts in phase,amplitude, frequency or a combination of them. For example,the codeword C1 used by Bluetooth only di�ers from C2 inthe frequency domain, where a frequency di�erence f2 − f1is observed.

Codeword translation is transforming a valid codewordCito another valid codeword Cj where both codewords belongto the same codebook, meaning Ci ∈ B and Cj ∈ B. If sucha transformation can be done by a backscatter tag in a lowpower fashion, then we are able to leverage WiFi, ZigBee, andBluetooth signals for backscatter. Because the transformedcodeword is still a valid codeword in the same codebook, acommodity WiFi, ZigBee, or Bluetooth radio can be used todecode the backscatter signal. The tag data is encoded by thespeci�c codeword translations described below:

An simple example codeword translation protocol is tagsummarized by Equation 2, where the codeword of the exci-tation signal is Ci . To encode data one, the tag translates theexcitation codeword Ci to Cj before re�ection. To encodedata zero, the tag leaves the codeword untranslated, whichmeans the backscatter signal has the same codeword as theexciting signal.

backscatter codeword ={Cj Tag data one

Ci Tag data zero(2)

391


0 1 2 3 4 5 6

whitened data

input data

I

Q1000

1101

Subcarrier i

I

Q

0101

Subcarrier mFigure 2: Invalid codewords created by amplitudemod-i�cation on an OFDM signal.

By using codeword translation, we can decode the backscat-ter signal using commodity WiFi, ZigBee, or Bluetooth radiosto extract the tag data. Table 1 shows the logic table for de-coding a backscatter signal. We see that in this case the tagbits are the XOR of the backscattered codeword and the orig-inal codeword. Therefore, we can extract the tag data simplyby computing the XOR of the original excitation bit-streamand the backscatter bit-stream. More complicated schemesyielding faster data rates are described in later sections.

2.2.2 How the tag does codeword translation. As wedescribed before, a tag does the codeword translation by mod-ifying the amplitude, phase, or frequency of the excitationsignal. Such modi�cation transforms the excitation code-word from Ci to Cj in the backscattered signal. When a tagdoes codeword translation it is frequency agnostic, mean-ing that the tag will apply the same modi�cation on signalsacross all frequencies. This is not a problem for a signal thatuses a single carrier wave, such as Bluetooth, ZigBee, and802.11b WiFi. However, introduces issues in 802.11n WiFibecause the OFDM signal used by 802.11n has multiple sub-carriers. When a tag changes the amplitude of a signal onsubcarrier i , it will introduce the same amplitude modi�ca-tion on another subcarrierm. However, the modi�ed signalon subcarrier m might not be a valid codeword. An exampleof this is shown in Figure 2 where the data modulated onsubcarrier i is 1000 while the data modulated on subcarrierm is 0101. When the tag transforms the signal on subcarrieri from 1000 to 1101 by reducing the signal amplitude, thetag applies the same operation on subcarrier m, reducingthe strength of the signal that represents 0101. As a result,the tag creates an invalid codeword on subcarrierm. There-fore, when a tag does codeword translation, it has to lookfor a dimension (either amplitude, phase, or frequency) todo the signal modi�cation such that the modi�ed signal stillhas a valid codeword. We next explain how to do codewordtranslation for WiFi, Bluetooth, and ZigBee radios.

2.3 Backscatter with commodity radios2.3.1 BackscatterwithOFDMWiFi. Equation 3 shows

the mathematical formulation of an OFDM modulated signalwhere {Xk } are the data symbols modulated on subcarriers,

N is the number of sub-carriers, and T is the OFDM symboltime. For 802.11g/n WiFi, an OFDM symbol lasts for 4µs andcontains 64 subcarriers. The data symbols {Xk } are gener-ated using BPSK, QPSK, 16-QAM, or 64-QAM modulationdepending on the WiFi bit rate.

S(t) =N−1∑k=0

Xke2πktT (3)

When backscattering with OFDM WiFi, a tag cannot mod-ify the amplitude or frequency of the excitation OFDM signalbecause such modi�cation creates an invalid codeword inthe backscattered signal. Therefore, the tag modi�es only thephase of the backscattered signal. A binary example is shownin equation 4. The tag introduces phase o�set ∆θ to transmitdata one. It introduces no o�set to transmit data zero. Thevalue of ∆θ depends on the tag bit rate. For example, if thetag transmits at lower data rate, it uses the binary schemewhere ∆θ is 180o . If the tag wants to transmit at higher datarate, it can choose ∆θ as 90o and use equation 5 to encodeits information.

B(t) ={S(t)e j0 Tag data 0S(t)e j∆θ Tag data 1

(4)

B(t) =

S(t)e j0 Tag data 00S(t)e j∆θ Tag data 01S(t)e j2∆θ Tag data 10S(t)e j3∆θ Tag data 11

(5)

2.3.2 Backscatter with ZigBee. We now describe howa tag does backscatter communication with ZigBee radios.ZigBee radios use O�set QPSK (OQPSK) modulation. Similarto QPSK modulation, data is encoded in the phase of thetransmitted signal. Therefore, a tag embeds data in an OQPSKsignal by modifying the phase during re�ection. When thetag transmits data one, it introduces a ∆θ phase o�set on there�ected signal. When the tag transmits data zero, it doesnot change the phase. Note that the formula for embeddingtag bits in ZigBee is the same for an 802.11g/n WiFi signal(equation 4 or equation 5 depending on the tag bit rate).

2.3.3 BackscatterwithBluetooth. We now discuss howto backscatter with Bluetooth. A Bluetooth radio modulatesinformation by changing the carrier signal frequency be-tween f1 and f0 depending on the codeword transmitted.When the radio transmits data one, it sends a sine wave withfrequency f1. When transmitting data zero, it sends a sinewave with frequency f0.

A FreeRider tag uses the formula shown below to embedits information. When transmitting data one, it produces anadditional frequency o�set ∆f in the backscattered signal bytoggling its RF transistor at frequency ∆f . When transmit-ting data zero, it does not produce the additional frequency

392


o�set. If we select ∆f carefully, we can ensure that B(t) is stilla valid Bluetooth signal and can be decoded by a commercialBluetooth radio.

B(t) = S(t)T (t) ={S(t)e j(2π∆f t ) tag data oneS(t) tag data zero

(6)

One possible ∆f is | f1 − f0 |. Let the Bluetooth radio trans-mit data one with frequency f1. For the tag to transmit dataone, it shifts the signal by ∆f so the backscattered codewordbecomes e j(2π f0t+θs ). This is still a valid Bluetooth FSK code-word because it is a sine wave with frequency f0. However,a commercial Bluetooth radio will decode it as zero ratherthan one. Conversely, to encode a data zero the tag does notfrequency-shift the Bluetooth signal. The case is symmetricwhen the Bluetooth radio transmits data zero with frequencyf0 instead. In summary, to transmit data one a FreeRider tagtransforms a Bluetooth codeword with frequency f1/f0 toa backscattered codeword with frequency f0/f1. To trans-mit data zero, the tag produces a backscattered codewordwith the same frequency as the original Bluetooth codeword.Therefore, by choosing ∆f properly, a FreeRider tag can pro-duce a backscattered signal that is a valid Bluetooth signalwhile still embedding its information.

2.3.4 Avoiding interference from active radios. When a tagre�ects the excitation signal to a receiver, the receiver willsee severe interference from the exciting signal because boththe backscattered signal and the exciting signal share thesame channel [27]. To avoid such interference, FreeRiderleverages techniques developed by [27] and [13] where thebackscattered signal is shifted in the frequency domain toensure that it occupies a di�erent channel than the excitingsignal. Such frequency shifting can be done by toggling theRF transistor at the desired frequency o�set. For example, ifwe want to move the backscattered signal 20MHz away fromthe exciting signal, we toggle the RF transistor at 20MHz.

When backscattering a WiFi signal, our tag does the fre-quency shifting such that the backscattered signal sits onchannel 13, which is the least used channel in the 2.4GHzISM band. This reduces interference to and from other ac-tive radios. When backscattering Bluetooth or ZigBee, tagsbackscatter on channels close to 2.48GHz because these chan-nels experience less interference from WiFi.

2.4 MAC protocolTo facilitate e�ective sharing of the wireless medium be-tween multiple tags, a media access (MAC) scheme is needed.Our MAC protocol serves two purposes: it tells the tag whatsignals to backscatter with and allows our system to supportmultiple tags. Below we discuss the design in more detail; weevaluate the performance of the MAC layer in Section 4.5.

2.4.1 Coordinating tags.

Determining when to backscatter: If the incorrect sig-nal is backscattered, data cannot be recovered. The tags needa way to distinguish when to start backscattering signals. Todo this, the transmitter sends a preamble containing a pre-determined sequence of 0s and 1s (we describe this furtherin Sec. 2.4.2). The tag maintains a circular bu�er of receivedbits. If the beginning of the bu�er matches the preamble, thetag know the bu�er contains a backscatter initiate commandfrom the transmitter and not random packets.

Communicating with multiple tags: Since a tag doesnot have su�cient power to do carrier sensing, we designeda random access scheme based on Framed Slotted Alohawhere the transmitter acts as a central coordinator, similar tothe one implemented in RFID backscatter systems[7]. Com-munication is done in rounds with a �xed number of slotsper round. Each round, the tags choose a random slot totransmit. If two tags choose the same slot, there is a collisionand no data is successfully transmitted. At the end of a roundthe transmitter processes data from the tags and adjusts thenumber of slots before proceeding to the next round.

Compared to a stochastically-allocated time-division scheme,random access allows the set of tags to grow and shrinkwithout a speci�c association process. The number of slots isinferred by the receiver from how many packets it receives,as well as any collisions. The receiver passes this informationto the transmitter. If the transmitter sees many collisions,it adds slots. It decreases the number of slots if there aremany un-utilized. To avoid collisions from other users onthe same channel, the transmitter uses carrier sensing be-fore sending messages to the tags. Each round can have anarbitrary amount of delay before the next. This ensures thatthe backscatter system does not hog the channel.

The use of rounds allows for fairness between the backscat-ter system and other users of the channel. The use of slotswithin the backscatter system allows for fairness betweentags. Below we present the low-power transmitter-to-tagcommunication system needed to operate our MAC.

2.4.2 Transmitting coordination messages to tags.One simple solution to enable communication from the trans-mitter to the tags is using a commodity 802.11 decoder ineach tag. However, the decoder implements complex sig-nal processing, which is power-intensive. The challenge isdesigning a transmitter-to-tag communication system thatis low power, i.e. does not require the tags to decode pack-ets. Our solution is a low-power overlay scheme that sitson top of an existing system and can be implemented withcommodity hardware.

Envelope detectors are a low-power component that canbe exploited to implement a transmitter-to-tag communica-tion system. Low-power envelope detectors consumes less

393


0 0.05

0.1 0.15

0.2 0.25

0.3

0 0.5 1 1.5 2

PDF

Packet Duration (ms)

RTS-CTSspectrum sensing

transmitter

tag

other radios

start msgdata stop

other radios TX

time

-1

-0.5

0

0.5

1

-1 -0.5 0 0.5 1

Qua

drat

ure

sign

al

In-phase signal

0001

11 10 0 0.002 0.004 0.006 0.008

0.01 0.012 0.014

0.6 0.8 1 1.2 1.4 1.6 1.8 2

Figure 3: Durations of 30 million packets on ch. 6 col-lected in a lecture hall. We see a bimodal distributionwhere ∼78% of packets last less than 500µs and ∼18%last 1500µs-2700µs. With a pulse-width error boundof 25µs, the probability an ambient packet having thesame length as our pulses is about 0.03%.

than 1µW [20]. To create our transmitter-to-tag communica-tion system, we need parameters that can be easily measuredusing the envelope detector, and can also be modulated atthe transmitter using commodity hardware. Two possibil-ities are implementing amplitude modulation by varyingtransmission strength, or doing on on-o� keying. Packetamplitudes cannot be easily controlled on a per-packet basiswith commodity hardware, and furthermore is not robustat long distances due to low SNR. On-o� keying works atlonger distances, but does not work well with the presenceof ambient network tra�c.

Packet length modulation (PLM): To overcome thoselimitations, we used packet length modulation: packet du-ration is easy for the transmitter to control, works well at arange of distances, and is robust in the presence of ambientnetwork tra�c. PLM is similar to the modulation schemeused in [13]. In our scheme, a 0 bit is represented by pack-ets of duration L0 and a 1 bit by L1. To control the lengthof the packet, our transmitter sends packets of pre-de�neddurations. The tag uses an envelope detector to identify thepresence of a packet and measure the duration. If a pulseduration equals L0 or L1 (within an error bound) a bit isrecorded to a bu�er. This is much more robust in low-SNRenvironments than amplitude modulation because the lengthof a packet does not degrade with distance. If a pulse has aduration besides L0 or L1 it is treated as noise and ignored.This allows bits to be received successfully in the presenceof other transmissions. Our prototype implementation onWiFi operates at approximately 500bps, which is su�cientfor operating the MAC layer.

To send the scheduling messages, the transmitter couldgenerate dummy packets, but a better way is to bu�er ex-isting tra�c before sending it to the NIC, and then re-orderor re-packetize to get the necessary sequence of L0s andL1s. This way, as long as the network is busy, the backscat-ter messages impose negligible overhead on the rest of thechannel.

0

20

40

60

80

100

0 5 10 15 20 25 30 35 40 45 50

Accu

racy (

%)

Distance (m)

Figure 4: Rate of successfully received schedulingmes-sages vs distance transmitting at 15dBm.

Figure 4 shows the rate of decoding success vs distance.The experiments were performed in a long hallway insidean o�ce building. For a reference voltage of 1.8v, the systemis able to successfully decode the scheduling messages withover 70% accuracy when the tag is less than 4m away fromthe transmitter, and can successfully decode preambles withabout 50% a distance of 50m. Due to increased SNR, higheraccuracy is possible at close proximity by increasing thereference voltage in the comparator.

3 IMPLEMENTATIONWe built a prototype of our system using o�-the-shelf com-modity 802.11g/n WiFi, ZigBee, and Bluetooth transceiversand a customized backscatter tag. We describe the implemen-tation details below.

3.1 Hardware platform802.11g/n WiFi transceiver: Our 802.11g/n receiver is aMacBook Pro laptop with a Broadcom BCM43xx WiFi cardthat supports 802.11a/b/g/n/ac. We put the WiFi card intomonitor mode to report packets with bad checksums to oursoftware. After receiving the packets, we use tcpdump toparse them and extract the tag bits.

We use an Intel 5300 WiFi card on an Intel NUC as thestandard 802.11g/n OFDM transmitter (15 dBm). We use the�rmware provided by [10] to control the rate of 802.11g/npackets transmission.

ZigBee transceiver: We use TI CC2650 [4] as the ZigBeetransceiver and set the transmission power to 5dBm, whichis the maximum power allowed by this radio. The CC2650radio dev board CC2650EM-7ID supports two types of an-tennas: a PCB on-board antenna and an antenna with anSMA interface. We use VERT2450 antenna because the beamwidth is wide; it is mounted [2] on the SMA interface.

Bluetooth transceiver: We use TI CC2541 [3] as theBluetooth transceiver. This radio transmits at 1Mbps and0 dBm using FSK modulation with a frequency deviation of250kHz and a bandwidth of 1MHz. The modulation indexused is 0.5 ± 0.01.

FreeRider tag: Figure 5 shows a hardware prototype ofthe FreeRider tag. The tag has two VERT2450 [2] antennas,

394

FreeRider: Backsca�er Using Commodity Radios CoNEXT ’17, December 12–15, 2017, Incheon, Republic of Korea 0

10

20

30

40

50

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5

RX-

to-T

ag D

ista

nce

(m)

TX-to-Tag Distance (m)

802.11g/nZigBee

FSK Radio

RF switch

envelop detector

power source

codeword translator

0

10

20

30

40

50

0.5 1 1.5 2 2.5 3 3.5 4 4.5

RX-

to-T

ag D

ista

nce

(m)


802.11g/n WiFiZigBee

Bluetooth

Figure 5: FreeRider tag hardware prototype.

f1f0

wfrequency

fsk signal backscatter signal

scramblerbytes in

Channel encoder Interleaving Modulation

scramblerbytes in

Channel encoder

Interleaving

descrambler

Channel decoder

De-interleaving

Demodulation

bytes out

-600

-400

-200

0

200

400

600

0 100 200 300 400 500 600 700 800 900 1000

Dis

tanc

e (m

)

Signal Strength (dBm)

110010010…

Modulation

transmitter receiver

b0, b1, …, bn b0, b1, …, bn

Figure 6: Transmission and reception block diagramsused in 802.11g/n.

one for reception and one for transmission. The receptionantenna is connected to an LT5534 envelope detector, whichmeasures when an incoming signal starts. We measured a0.35us delay between the starting point of an exciting signaland the indicator signal from the envelope detector. In otherwords, 0.35µs after the excitation signal actually arrives, theenvelope detector will tell the processor that the excitationsignal has begun. In our evaluations, the performance doesnot degrade when experiencing a 0.35µs delay.

The other antenna is controlled by an ADG902 RF switch,which decides when and how to backscatter the excitingsignal. The codeword translation module is implemented ina low-power FPGA AGLN250. We also have a power man-agement module on the tag which provides 1.5V and 3.3V tothe rest of the system.

Open source FreeRider platform: The source code ofthe FreeRider platform is available on [? ] under an academiclicense to ensure reproducibility of results.

3.2 Implementation challengesEach radio comes with its own physical layer stack with aspeci�c set of channel codes, interleaving techniques andscrambling algorithms, all of which can interfere with code-word translation and render it ine�ective. We discuss howto enable codeword translation despite these challenges.

3.2.1 Challenges backscatteringOFDMWiFi. Figure 6shows three factors that could cause trouble when decodinga backscattered WiFi signal: the scrambler, the convolutionalchannel encoder, and interleaving. The scrambler is a datawhitening engine where it takes the input data and XORs it

0 1 2 3 4 5 6

whitened data

input data

Figure 7: The 802.11g scrambler architecture.with a pseudorandom sequence. A scrambler ensures that thedata transmitted is not all zeros nor all ones, which causesa bad peak-to-average ratio. The channel encoder uses con-volutional encoding to improve its robustness over wirelesstransmission. The interleaving engine re-orders the trans-mitted bits sequence to ensure that even a bursty error onwireless channel does not cause a burst of continuous errorson the received data. We consider these three modules be-cause they are placed before the modulator in an 802.11g/ntransmitter. We explain why such placement could causeunsuccessful backscatter decoding next.

For any input sequence b0,b1, ...,bn , the transmitted sig-nal S(t) can be formulated as S(t) = f (b0,b1, ...,bn) wheref () represents the operations introduced by the scrambler,channel encoder, interleaver, and modulator. Since the cor-responding demodulator, de-interleaver, channel decoder,and descrambler in the receiver provide the reverse oper-ations f −1(), the receiver is able to decode and output thetransmitted sequence.

Unfortunately, when a FreeRider tag is present and pro-duces a signal д(t0, t1, ..., tn) using tag bits t0, t1, ..., tn , thebackscattered signal B(t) becomes the time-domain productbetween the tag signal and the excitation signal. To see whythis is a problem, let us examine the binary case shown inequation 7. This does not look like a signal that is generatedby XOR of the exciting signal bits and the tag bits and passedthrough f (). Therefore, decoding the tag bits becomes hard.

B(t) = S(t)T (t)= f (b0,b1, ...,bn) × д(t0, t1, ..., tn)! = f (b0 ⊕ t0,b1 ⊕ t1, ...,bn ⊕ tn)

(7)

One insight to solve this problem is redundancy, i.e mapone tag bit to multiple 802.11g/n bits. Instead of directly trans-mitting t0, t1, ..., tn , the tag actually transmits a sequencewhere a tag repeats each bit multiple times before switchingto the next one. We look at each module in the TX/RX chainand understand why redundancy helps solve this problem.

The �rst module is the interleaving engine which inter-leaves the data assigned to each subcarrier. Interleaving isdone per OFDM symbol [1]. In other words, the interleav-ing engine will not interleave data belonging to two OFDMsymbols. Therefore, as long as we can ensure that the tag bitduration is longer than an OFDM symbol, the interleavingengine will not cause troubles.

Now we turn to the other two modules, the scramblerand channel encoder. Both modules produce and maintaina deterministic structure of the data fed into the modulator.

395


f1f0

w

frequency

fsk signal backscatter signal

Figure 8: A FreeRider tag embeds its information on aBluetooth signal.The scrambler uses the structure shown in Figure 7 to dodata whitening. Even when the input is all zeros, the actualdata transmitted is a non-zero sequence. Such data whiteningreduces the peak-to-average power ratio in the RF front end.The mathematical expression of the scrambler is shown inequation 8.

C[k ] = b[k ] ⊕ b[k − 3] ⊕ b[k − 7] (8)

The channel encoder uses Equation 9 to encode the data at6Mbps where b[k] is the input bit andC1[k] andC2[k] are thecodewords generated using a 1/2 coding rate. For other bitrates, the channel encoder is di�erent. The data injected bythe tag will corrupt the structures created by both modulesand make backscatter decoding hard. How do we decode thetag data given the presence of these two modules?

C1[k ] = b[k ] ⊕ b[k − 2] ⊕ b[k − 3] ⊕ b[k − 5] ⊕ b[k − 6]C2[k ] = b[k ] ⊕ b[k − 1] ⊕ b[k − 2] ⊕ b[k − 3] ⊕ b[k − 6]

(9)

We simulated the two modules in Matlab and found thatas long as a tag injects one bit tag data on four OFDM sym-bols (96 WiFi bits in 6Mbps data rate), we are able to ob-tain around 1e−3 bit error rate in decoding the tag bits. Thisis because there is a one-to-one mapping between the in-put sequence b[k] and the output of the two modules C[k]or {C1[k],C2[k]}. Equation 8 and equation 9 show that thesequence of {b[k] ⊕ 1,b[k − 1] ⊕ 1, ...,b[k − 7] ⊕ 1} cangenerate C[k] ⊕ 1 and {C1[k] ⊕ 1,C2[k] ⊕ 1}. Therefore,when the tag does codeword translation and converts C[k]and {C1[k],C2[k]} to C[k] ⊕ 1 and {C1[k] ⊕ 1,C2[k] ⊕ 1},the corresponding modules at the receiver should output{b[k] ⊕ 1,b[k − 1] ⊕ 1, ...,b[k − 7] ⊕ 1}. We prove this viaempirical Matlab simulation and real system implementationwith a MacBook Pro laptop as the backscatter decoder.

The last factor that could impact backscatter decoding isthe pilot tone. Pilot tones in an OFDM symbol are used forcorrecting the phase error. Such phase error correction couldremove the additional phase o�set introduced by a tag, andrender incorrect tag data decoding. Fortunately, many WiFichips, such as Broadcom BCM43xx, do not use pilot tonesfor phase error correction. Therefore, we are often still ableto decode the backscattered tag data.

3.2.2 Challenges backscattering ZigBee. ZigBee usesOQPSK modulation where there is a constant time-domaino�set (half a bit) between the in-phase signal and the quadra-ture signal. Such o�set is introduced for reducing the signal

Peak-to-Average Power Ratio (PAPR) by avoiding the 180ophase transition between neighboring bits. If the tag intro-duces a 180o phase transition between neighboring bits inthe backscattered ZigBee, it could damage the OQPSK signalstructure and cause trouble decoding.

One approach of solving this problem is embedding onetag bit to multiple (N) OQPSK symbols. When a tag transmitsdata one, instead of introducing the 180ophase o�set on asingle OQPSK symbol, the tag actually introduces the same180o additional phase o�set on N OQPSK symbols. The �rsttag-modi�ed OQPSK symbol might be incorrectly decodedby a commercial ZigBee decoder because of the potentialOQPSK signal structure violation discussed above. However,the following N − 1 tag-modi�ed OQPSK symbols can becorrectly decoded because the structure of OQPSK signals ismaintained. Therefore, as long as we choose a large N , wecan embed information in ZigBee tra�c. We found that inpractice a value of N = 8 is su�cient.

3.2.3 Challenges backscatteringBluetooth. There aretwo factors, modulation index i , and channel bandwidth w ,that could cause trouble when decoding the backscatteredBluetooth signal. Modulation index i is de�ned as f1−f0

w andrepresents the ratio between the frequency deviation of anFSK signal and the bandwidth it occupies. A commercialBluetooth radio, such as [3], usually uses a modulation index0.5. When a FreeRider tag toggles its RF transistor at ∆f ,while producing the desired backscattered signal, it also pro-duces an undesired signal on the other side of the spectrumas shown in Figure 8. This is because the backscattered signalis the time-domain product between the Bluetooth signaland the tag signal. Therefore a double-sideband backscat-ter signal is produced. We cannot use the single-sidebandbackscatter technique proposed by [13] to eliminate the un-desired signal because we do not know which side (left orright) of the backscattered signal is undesired.

Fortunately, we can eliminate the undesired backscatteredsignal by leveraging the fact that a Bluetooth radio treatssignals outside of a channel as interference and is able toeliminate them. Therefore, the selection of ∆f also needs tosatisfy the following two conditions, which ensure that theundesired signal sits outside of the backscatter channel andwill be eliminated:{

f1 + ∆f > f1 + (1 − i)w2 FSK radio data one

f0 − ∆f < f0 − (1 − i)w2 FSK radio data zero(10)

3.3 Low-power tag designAnother challenge is tag power consumption. TraditionalRFID tags run a low speed clock and consume several mi-crowatts of power. When we incorporate 20MHz frequencyshifting on the tag, how much power does it consume? If we

396


RX

TX

Tag

RX

TX

Tag

(a) LOS deployment

RX

TX

Tag

RX

TX

Tag

RX

22m

(b) NLOS deploymentFigure 9: Floor plan and experimental setup of our system for LOS and NLOS deployments.

0 10 20 30 40 50 60 70

0 5 10 15 20 25 30 35 40 45

Thro

ughp

ut (k

bps)

Distance (m)

(a) Throughput

10-4

10-3

10-2

10-1

100

0 5 10 15 20 25 30 35 40 45B

ERDistance (m)

(b) BER

-95-90-85-80-75-70

0 5 10 15 20 25 30 35 40 45

RSS

I (dB

m)

Distance (m)

(c) RSSIFigure 10: Backscatter throughput, BER, and RSSI across distances in the WiFi LOS deployment.

directly take an o�-the-shelf 20MHz oscillator to drive thesystem, the tag consumes several milliwatts of power [13]and is not low power. [27] and [13] propose the design ofa low-power tag that is able to do such frequency shifting.[27] uses a ring oscillator to produce a 20MHz frequencyshifting while only consuming 20µW of power. [13] designsa low-power phase-lock loop that is able to produce a 36MHzfrequency shifting while only consuming 28µW of power.FreeRider takes the same ring oscillator design as [27] andproduces the square wave signal needed for achieving thedesired frequency shifting. We simulated using the TSMC65nm technology, and the overall power consumption of theFreeRider tag is around 30µW depending on the type of theexcitation signal. Most of the power (19µW) is consumedby the 20MHz clock needed for frequency shifting. 12µW isneeded for operating the RF switch and 1∼3µW is neededfor running the control logic which determines the type ofcodeword translator to run. In the next section we presentan empirical evaluation and analyze the results.

4 EVALUATION4.1 Experimental setupFigure 9(a) and Figure 9(b) show the experimental setup ofour system. We deployed a FreeRider tag 1m away froman exciting signal transmitter (802.11g/n WiFi, ZigBee, orBluetooth). We use these commodity radios with no hard-ware modi�cations or ampli�ers. Then, we move the receiveraway from the tag and measure FreeRider’s throughput, biterror rate (BER), and received signal strength indicator (RSSI).We conducted both line-of-sight (LOS) and non-line-of-sight(NLOS) experiments. In the LOS experiments, all devices areplaced in a hallway. In the NLOS experiments, the transmit-ter and the tag are deployed in a room while the receiver isdeployed in a hallway. In the NLOS deployment, the backscat-tered signal passes through multiple walls.

4.2 FreeRider’s performance4.2.1 Backscatter with 802.11g/n WiFi.LOS deployment: Figure 10(a) shows the throughput of

our system with increasing distance in LOS deployment. The802.11g/n WiFi transmitter sends its OFDM signal at 11dBm,which is the maximum allowed by our hardware. We see thatthe receiver is still able to decode the backscattered signalat 42m, 1.4× longer than the maximum distance reportedby Passive WiFi [16] and Inter-Technology Backscatter [13],and 8.4× longer than the maximum distance achieved byFS-Backscatter [27]. Such long communication distance issu�cient for many Internet-of-Things applications.

Our system achieves ∼60kbps data rate when the receiveris less than 18m away from the tag. When the receiver movesfarther to ∼26m-36m, throughput degrades to ∼15kbps. Thisis a lower data rate than [25] because OFDM symbols arelonger in duration than DSSS symbols. One interesting ob-servation here is that the bit error rate remains low even atlonger distances as shown in Figure 10(b) despite the fact thatRSSI does degrade across distance as shown in Figure 10(c).For example, we still obtain 1e−3 BER when the receiver is40m away from the tag. This observation tells us that atlonger distances, if a backscattered packet reaches the re-ceiver, then it is very likely that we are able to extract the tagbits with low BER. If the header itself is not decoded, thenwe observe packet loss and lower throughput.

NLOS deployment: We also evaluated the performanceof our system in a non-line-of-sight deployment where boththe 802.11g/n transmitter and the tag are deployed in a roomwhile the receiver moves away in a hallway. Figure 11(a)shows the throughput of our system in the NLOS deploy-ment. The receiver is still able to receive the backscatteredpackets when it is 22m away from the tag. Similar to theLOS deployment, we achieve ∼60kbps data rate when the

397


0 10 20 30 40 50 60

0 5 10 15 20 25

Thro

ughp

ut (k

bps)

Distance (m)

(a) Throughput

10-4

10-3

10-2

10-1

100

0 5 10 15 20 25

BER

Distance (m)

(b) BER

-84-82-80-78-76-74-72-70

0 5 10 15 20 25

RSS

I (dB

m)

Distance (m)

(c) RSSIFigure 11: Backscatter throughput, BER, and RSSI across distances in the WiFi NLOS deployment.

0 2 4 6 8

10 12 14 16

0 5 10 15 20 25

Thro

ughp

ut (k

bps)

Distance (m)

(a) Throughput

10-2

10-1

100

0 5 10 15 20 25

BER

Distance (m)

(b) BER

-100-95-90-85-80-75

0 5 10 15 20 25

RSS

I (dB

m)

Distance (m)

(c) RSSIFigure 12: Backscatter throughput, BER, and RSSI across distances in the ZigBee LOS deployment.

receiver is less than 14m away from the tag. At longer dis-tances, backscatter throughput degrades to ∼20kbps.

Figure 11(b) shows the BER of our system in the NLOS de-ployment. Similar to the LOS deployment, we achieve a lowBER across distances. However, backscatter communicationstops at 22m even though we obtain an RSSI of -84dBm at22m as shown in Figure 11(c). We �nd that when the receiveris more than 22m away from the tag, the backscattered sig-nal actually needs to pass one more wall before reachingthe receiver as shown in Figure 9(b). As a result, the signalbecomes too weak and the packet header cannot be detected.

4.2.2 Backscatter with ZigBee. We also evaluated theperformance of our system when the exciting signal is a5dBm ZigBee signal. Figure 12(a) shows the throughput ofour system when the ZigBee receiver moves away fromthe tag. The receiver receives backscattered packets fromup to 22m away. Figure 12(c) shows that the received sig-nal strength degrades to -97dBm at 22m, close to the noise�oor of the ZigBee radio. Therefore, receiving the backscat-tered packets at longer distances becomes hard. We achieve a∼14kbps backscatter data rate when the receiver is less than12m away from the tag. At farther distances, the throughputdegradation is not severe. We still obtain a 12kbps data rateat a distance of 20m. The bit error rate we achieve is ∼ 5e−2across all distances, higher than the case when the excitingsignal is 802.11g/n WiFi.

4.2.3 Backscatter with Bluetooth. Finally, we evalu-ated the performance of our system when the exciting sig-nal is a 0dBm Bluetooth transmitter. Figure 13(a) shows thethroughput of our system when the receiver moves awayfrom the tag. We see that the receiver decodes backscatter

packets up to 12m. Figure 13(c) shows that the backscat-ter signal has a strength of -100dBm at 12m, close to thenoise �oor. Therefore, decoding the backscattered packetsat farther distance becomes hard. When the receiver is lessthan 10m away from the tag, we achieve a ∼50kbps datarate. Throughput degrades to 19kbps at 12m and the BERincreases to 0.23.

4.3 Impact of TX-to-tag distanceWe also evaluated how the transmitter-to-tag distance im-pacts the communication range of our system. In this exper-iment, we varied the transmitter-to-tag distance and mea-sured the maximum receiver-to-tag distance where backscat-ter communication can be sustained. Figure 14 shows the re-sults. When backscattering 802.11g/n WiFi, at a transmitter-to-tag distance of 4m, the maximum receiver-to-tag dis-tance is 8m. This is less than the 42m achievable when thetransmitter-to-tag distance is 1m. Decreasing the receiver-to-tag communication distance yields a slight increase inthe achievable transmitter-to-tag distance. The operationalregime of our system is shown in the grey area in Figure 14.

When a ZigBee or Bluetooth radio is used, both the transmitter-to-tag distance and the receiver-to-tag distance become shorter.The maximum transmitter-to-tag distance is 2m and 1.5mfor ZigBee and Bluetooth radios respectively, and the corre-sponding operational regime of our system is marked withgreen and purple in Figure 14. Both regimes are smaller com-pared to the case when an 802.11g/n WiFi is used primarilybecause the transmission power of the ZigBee and Bluetoothradios is lower (15dBm vs 5dBm and0dBm ).

398


0 10 20 30 40 50 60

0 2 4 6 8 10 12 14

Thro

ughp

ut (k

bps)

Distance (m)

(a) Throughput

10-2

10-1

100

0 2 4 6 8 10 12 14

BER

Distance (m)

(b) BER

-105-100

-95-90-85-80

0 2 4 6 8 10 12

RSS

I (dB

m)

Distance (m)

(c) RSSIFigure 13: Backscatter throughput, BER, and RSSI across distances in the Bluetooth LOS deployment.

0

10

20

30

40

50

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5

RX-

to-T

ag D

ista

nce

(m)


802.11g/nZigBee

FSK Radio

RF switch

envelop detector

power source

codeword translator

0

10

20

30

40

50

0.5 1 1.5 2 2.5 3 3.5 4 4.5

RX-

to-T

ag D

ista

nce

(m)


802.11g/n WiFiZigBee

Bluetooth

Figure 14: Communication range of our system.

0

0.2

0.4

0.6

0.8

1

26 28 30 32 34 36 38 40 42

CD

F

Throughput (Mbps)

No BackscatterBackscattering WiFi

Backscattering ZigBeeBackscattering Bluetooth

Figure 15: WiFi throughput when backscatter ispresent and absent.

4.4 Co-existence with WiFi networksNext, we see if the FreeRider system can co-exist with exist-ing WiFi networks. In this experiment, we generated arti�cialWiFi tra�c where a laptop transfers �les via WiFi on channel6 (2.437GHz). Then, we run backscatter on ∼2.472-2.48GHz(the exact frequency depends on the type of the excitingsignal). We measure how the WiFi tra�c and backscatterimpact each other when the backscatter channel does notcon�ict with the WiFi channel.

4.4.1 Does backscatter impactWiFi? Figure 15 showsthe WiFi throughput when the backscatter tag is present orabsent. When backscatter is absent, WiFi is able to transmitwith a 37.4Mbps median data rate. Then, we place a backscat-ter tag 1m away from the WiFi receiver and measure theWiFi throughput. The tag runs three codeword translatorssequentially, one for backscattering 802.11g/n WiFi, one forZigBee, and one for Bluetooth. The median WiFi throughputmeasured is 37Mbps, 37.9Mbps, and 36.8Mbps respectively,close to the WiFi throughput when the backscatter tag is notpresent. Therefore, a backscatter tag does not cause interfer-ence on an existing WiFi tra�c.

4.4.2 Does WiFi impact backscatter? Now we turnto the other case to see whether or not concurrent WiFi

tra�c impacts backscatter decoding. When a tag backscat-ters its data in a channel that is occupied by WiFi tra�c,backscatter throughput degrades to zero because the WiFitra�c is usually ∼30dB higher than the backscattered sig-nal [27]. Therefore, backscatter su�ers. In this experiment,we focus on the case where existing WiFi tra�c does notshare the same channel as backscatter, and try to understandhow backscatter performs in the presence of WiFi tra�c onadjacent channels.

Figure 16(a) shows the backscatter throughput when an802.11g/n WiFi is used as the exciting signal, the tag backscat-ters on channel 13 (2.472GHz), and the WiFi tra�c runs onchannel 6 (2.437GHz). When the WiFi tra�c is absent, weachieve 61.8kbps median backscatter throughput. When theWiFi tra�c is present, the backscatter throughput is still61.8kbps. However, we can see that backscatter is able toreach 68kbps for 20% of the time when the WiFi tra�c isabsent, and degrades to 35kbps for 10% of the time when theWiFi tra�c is present. Therefore, the presence of WiFi tra�cdoes impact the backscatter throughput. To minimize thisimpact, we can use a technique similar to the one in [25] anduse RTS-CTS to reserve the channel for backscatter.

Figure 16(b) and Figure 16(c) show the backscatter through-put when a tag backscatters a ZigBee signal and a Bluetoothsignal respectively. In both experiments, the tag backscatterson channel 2.48GHz. We see that the backscatter throughputdi�erence between WiFi tra�c being present or not is only1∼2kbps. Therefore, the existing WiFi tra�c does not impactthe backscatter performance when a ZigBee or Bluetoothradio is leveraged. One reason is because both radios are nar-rowband, and therefore, have better performance in �lteringout-of-band interference.

4.5 Evaluating MAC layer performanceWe look at the performance of our system when communi-cating with multiple tags. Figure 17(a) shows the aggregatedthroughput when we place 4, 8, 12, 16, and 20 tags in frontof the transmitter. The aggregate throughput is lower thanthe single tag case for two reasons: control overhead andcollisions. As the number of tags increases the aggregatedthroughput increases. This is due to the relative ratio of con-trol overhead decreasing when there are more transmissionslots used. If we extend our simulation beyond the 20 tags

399


0 0.2 0.4 0.6 0.8

1

35 40 45 50 55 60 65 70

CD

F

Throughput (kbps)

WiFi PresentWiFi Absent

(a) Backscattering 802.11g/n WiFi signals

0 0.2 0.4 0.6 0.8

1

14 14.5 15 15.5 16

CD

F

Throughput (kbps)


(b) Backscattering ZigBee signals

0 0.2 0.4 0.6 0.8

1

50 52 54 56 58 60 62 64

CD

F

Throughput (kbps)


(c) Backscattering Bluetooth signalsFigure 16: FreeRider backscatter throughput when a WiFi tra�c is present or absent.

0

5

10

15

20

4 8 12 16 20

Thro

ughp

ut (k

bps)

Number of Tags

MeasuredSimulated

(a) Aggregated throughput

0 0.2 0.4 0.6 0.8

1

4 8 12 16 20

Fairn

ess

Inde

x

Number of Tags

(b) Jain’s fairness index

Figure 17: FreeRider throughput and Jain’s fairness in-dex when communicating with 4, 8, 12, 16, and 20 tags.

we had physically available, the throughput asymptotes atabout 18kbps. If there are no collisions (i.e. a TDM scheme),the simulation throughput asymptotes at about 40kbps.

Framed Slotted Aloha is well-suited to applications thathave low data needs and where the number of active tagscan increase or decrease without warning, such as inventorytracking. More data-intensive applications would bene�tfrom a time division scheme, which would be possible toimplement in FreeRider, but we limited the analysis to asingle MAC layer design for space reasons.

Figure 17(b) shows the Jain’s fairness index [14] when 4,8, 12, 16, and 20 tags are present. When the number of tagsincreases, the fairness index stays about the same becausethe scheduler dynamically allocates a larger number of slotswhen more tags are present. The averaged fairness index is0.85 when 20 tags are present, which suggests that most oftags still obtain similar opportunities for data transmission.

5 RELATEDWORKThe range and throughput of backscatter systems has im-proved in recent years [5, 6, 9, 11, 12, 17–19, 22–24, 26]. De-spite the improvements, one remaining bottleneck of de-ploying backscatter systems is the lack of backscatter readerinfrastructure. Therefore, researchers have been looking foropportunities to leverage commodity radios, such as WiFiand Bluetooth. [15] embeds backscatter information on topof WiFi tra�c by changing the strength of the re�ected sig-nal. Due to the interference from the WiFi transmitter, [15]achieves relatively low data rate and short range. [8] and [16]modulate a Bluetooth and an 802.11b baseband signal respec-tively on a single tone signal sent by an emitter. Both enablebackscatter communication with commodity WiFi and Blue-tooth receivers at the cost of deploying a dedicated singletone emitter. [13] removes the single tone emitter and uses a

Bluetooth radio to transmit a speci�c data sequence to gener-ate the tone signal. Therefore, the Bluetooth radio itself can-not be used for productive data communication. [27] enablesWiFi-to-WiFi and Bluetooth-to-Bluetooth backscatter com-munication within a short range. [25] enables backscattercommunication between two 802.11b WiFi radios. However,none of these work with widely deployed commodity radios,such as 802.11n WiFi and Bluetooth, while the excitationsignal transmitter is doing productive data communication.[25] relies on 802.11b signals for backscatter. However, suchsignals do not naturally exist in many locations because mostWiFi clients run 802.11n/ac with OFDM signals wheneverpossible. Additionally, [25] does not support communicationwith multiple tags. [6] requires hardware modi�cations oncommodity WiFi access points. [8] and [16] require an ad-ditional single tone emitter. [13] require speci�c excitationsignals, and therefore, the excitation signal transmitter can-not be used for productive data communication. Our systemis the �rst that works with popular 802.11n WiFi and Blue-tooth radios while the excitation signal transmitter is usedfor productive data communication.

6 CONCLUSIONFreeRider, in our opinion, is the �rst system that enables usto leverage widely-used commodity wireless hardware fordeploying backscatter. FreeRider is also the �rst system thatimplements and evaluates more than one tag communicat-ing with the commodity receiver. Unlike previous work, theexcitation signal can be used for productive data communi-cation, which means that we can deploy backscatter devicesat any location where these commodity radios are available.FreeRider does so by using a technique called codeword trans-lation, which embeds a tag’s information in the backscatteredsignal while ensuring that the backscattered signal can bedecoded by a commodity wireless radio. FreeRider providesthe opportunity to deploy backscatter systems using existingwireless infrastructure, and enables simple ultra-low powerwireless connectivity for IoT devices.

ACKNOWLEDGMENTWe thank the shepherd Kyle Jamieson and the anonymousreviewers for their insightful comments.

400


REFERENCES[1] [n. d.]. 802.11 Reference Design: PHY. https://warpproject.org/trac/

wiki/802.11/PHY.[2] [n. d.]. Ettus Research VERT2450 Antenna. https://www.ettus.com/

product/details/VERT2450.[3] [n. d.]. TI CC2541 radio. http://www.ti.com/product/CC2541.[4] [n. d.]. TI CC2650 radio. http://www.ti.com/product/CC2650.[5] Omid Abari, Deepak Vasisht, Dina Katabi, and Anantha Chandrakasan.

2015. Caraoke: An e-toll transponder network for smart cities. In ACMSIGCOMM Computer Communication Review, Vol. 45. ACM, 297–310.

[6] Dinesh Bharadia, Kiran Raj Joshi, Manikanta Kotaru, and Sachin Katti.2015. BackFi: High Throughput WiFi Backscatter. In Proceedings of the2015 ACM Conference on Special Interest Group on Data Communication.ACM, 283–296.

[7] Michael Buettner and David Wetherall. 2008. An empirical study ofUHF RFID performance. In Proceedings of the 14th ACM internationalconference on Mobile computing and networking. ACM, 223–234.

[8] Joshua F Ensworth and Matthew S Reynolds. 2015. Every smartphone is a backscatter reader: Modulated backscatter compatibilitywith bluetooth 4.0 low energy (ble) devices. In RFID (RFID), 2015 IEEEInternational Conference on. IEEE, 78–85.

[9] Jeremy Gummeson, Pengyu Zhang, and Deepak Ganesan. 2012. Flit:a bulk transmission protocol for r�d-scale sensors. In Proceedings ofthe 10th international conference on Mobile systems, applications, andservices. ACM, 71–84.

[10] Daniel Halperin, Wenjun Hu, Anmol Sheth, and David Wetherall. 2011.Tool release: gathering 802.11 n traces with channel state information.ACM SIGCOMM Computer Communication Review 41, 1 (2011), 53–53.

[11] Pan Hu, Pengyu Zhang, and Deepak Ganesan. 2015. Laissez-Faire:Fully asymmetric backscatter communication. In Proceedings of the2015 ACM Conference on Special Interest Group on Data Communication.ACM, 255–267.

[12] Pan Hu, Pengyu Zhang, Mohammad Rostami, and Deepak Ganesan.2016. Braidio: An integrated active-passive radio for mobile deviceswith asymmetric energy budgets. In Proceedings of the 2016 conferenceon ACM SIGCOMM 2016 Conference. ACM, 384–397.

[13] Vikram Iyer, Vamsi Talla, Bryce Kellogg, Shyamnath Gollakota, andJoshua Smith. 2016. Inter-Technology Backscatter: Towards Inter-net Connectivity for Implanted Devices. In Proceedings of the 2016conference on ACM SIGCOMM 2016 Conference. ACM, 356–369.

[14] Raj Jain, Arjan Durresi, and Gojko Babic. 1999. Throughput fairnessindex: An explanation. Technical Report. Tech. rep., Department ofCIS, The Ohio State University.

[15] Bryce Kellogg, Aaron Parks, Shyamnath Gollakota, Joshua R Smith,and David Wetherall. 2014. Wi-� backscatter: internet connectivityfor rf-powered devices. In Proceedings of the 2014 ACM conference onSIGCOMM. ACM, 607–618.

[16] Bryce Kellogg, Vamsi Talla, Shyamnath Gollakota, and Joshua R Smith.2016. Passive Wi-Fi: bringing low power to Wi-Fi transmissions. In13th USENIX Symposium on Networked Systems Design and Implemen-tation (NSDI 16). 151–164.

[17] Vincent Liu, Vamsi Talla, and Shyamnath Gollakota. 2014. Enablinginstantaneous feedback with full-duplex backscatter. In Proceedingsof the 20th annual international conference on Mobile computing andnetworking. ACM, 67–78.

[18] Jiajue Ou, Mo Li, and Yuanqing Zheng. 2015. Come and be served:Parallel decoding for cots r�d tags. In Proceedings of the 21st AnnualInternational Conference on Mobile Computing and Networking. ACM,500–511.

[19] Aaron N Parks, Angli Liu, Shyamnath Gollakota, and Joshua R Smith.2014. Turbocharging ambient backscatter communication. In Proceed-ings of the 2014 ACM conference on SIGCOMM. ACM, 619–630.

[20] Nathan Pletcher. 2008. Ultra-Low Power Wake-Up Receivers for WirelessSensor Networks. Ph.D. Dissertation. University of California Berkeley.

[21] Vamsi Talla and Joshua R Smith. 2013. Hybrid analog-digital backscat-ter: A new approach for battery-free sensing. In RFID (RFID), 2013IEEE International Conference on. IEEE, 74–81.

[22] Jue Wang, Haitham Hassanieh, Dina Katabi, and Piotr Indyk. 2012.E�cient and reliable low-power backscatter networks. In Proceedingsof the ACM SIGCOMM 2012 conference on Applications, technologies,architectures, and protocols for computer communication. ACM, 61–72.

[23] Jue Wang and Dina Katabi. 2013. Dude, where’s my card?: RFIDpositioning that works with multipath and non-line of sight. In ACMSIGCOMM Computer Communication Review, Vol. 43. ACM, 51–62.

[24] Lei Yang, Yekui Chen, Xiang-Yang Li, Chaowei Xiao, Mo Li, and Yun-hao Liu. 2014. Tagoram: Real-time tracking of mobile RFID tags tohigh precision using COTS devices. In Proceedings of the 20th annualinternational conference on Mobile computing and networking. ACM,237–248.

[25] Pengyu Zhang, Dinesh Bharadia, Kiran Joshi, and Sachin Katti. 2016.Hitchhike: Practical backscatter using commodity wi�. In ACM SEN-SYS.

[26] Pengyu Zhang, Pan Hu, Vijay Pasikanti, and Deepak Ganesan. 2014.EkhoNet: high speed ultra low-power backscatter for next generationsensors. In Proceedings of the 20th annual international conference onMobile computing and networking. ACM, 557–568.

[27] Pengyu Zhang, Mohammad Rostami, Pan Hu, and Deepak Ganesan.2016. Enabling practical backscatter communication for on-bodysensors. In Proceedings of the 2016 conference on ACM SIGCOMM 2016Conference. ACM, 370–383.

401

https://warpproject.org/trac/wiki/802.11/PHY

https://warpproject.org/trac/wiki/802.11/PHY

https://www.ettus.com/product/details/VERT2450

https://www.ettus.com/product/details/VERT2450

http://www.ti.com/product/CC2541

http://www.ti.com/product/CC2650

FreeRider: Backscatter Communication Using Commodity …

Documents

Transcript of FreeRider: Backscatter Communication Using Commodity …