Eindhoven University of Technology MASTER Experimental setup for Bluetooth low energy ranging application He, Y.

(1)

Eindhoven University of Technology

MASTER

Experimental setup for Bluetooth low energy ranging application

He, Y.

Award date:

2016

Link to publication

Disclaimer

This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration.

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.

• You may not further distribute the material or use it for any profit-making activity or commercial gain

(2)

EXPERIMENTAL SETUP FOR BLUETOOTH LOW ENERGY

RANGING APPLICATION

Master Thesis

AUGUST 9, 2016

(confidential until 10^th August 2017) DIALOG SEMICONDUCTOR

Den Bosch

Yongchang He (No. 0928242)

Embedded Systems, Department of Mathematics andComputerScience y.he.1@student.tue.nl

Supervisor:

Dr. Majid Nabi Najafabadi (Electronic Systems, TU/e) Dr. Joek de Haas (Advanced Technology, Dialog Semiconductor)

(3)

i

Abstract

Nowadays, there are more needs for indoor and small-scale ranging with low-cost consumer devices.

Bluetooth Low Energy (BLE) is a short-range wireless standard supported by major smartphones, wearable devices and Internet-of-Things (IoT) manufacturers. With the integration of ranging solutions on BLE devices, people can enjoy all possibilities based on ranging between hundreds of millions of devices.

Existing systems for BLE ranging application are mostly based on Received Signal Strength Indicator (RSSI) method only. Until now, no one has yet implemented Time-of-Flight (ToF) solution on a standard BLE product on the market, which shows great commercial and research value of this project.

We need to design ranging methods under the context of BLE specification and upon the hardware from Dialog Semiconductor. Consequently, the general ranging techniques, the BLE specification and the development kit are studied as the basis of our ranging application. In this project, we design and develop three ranging solutions based on Dialog BLE chip DA14681. For each solution, the user case is firstly discussed to ensure that the solution can be integrated on a standard BLE product and will raise enough interest on the market. With attractive user case, the algorithm is developed in mathematics and implemented in MATLAB. After the algorithm is well tested and understood in MATLAB, special BLE application is developed upon the hardware to collect valid data from real BLE transactions. Specific MATLAB script is developed to process these raw data to obtain correct input for the algorithm. In the end, practical measurements are conducted with target ranges and interested environment. The measurement results are analyzed and discussed to understand the characteristics of the solution.

In general, the merits and demerits of all three solutions are well understood through simulation and practical measurements. With this deep-level understanding of BLE ranging, the company can decide which solution to continue with and what improvement to make on current hardware and software design. For the best solution in range accuracy, we achieve 1m under moderate noise condition in MATLAB simulation. 2m accuracy is achieved measuring indoor distance change.

(4)

ii

Acknowledgment

I thought 8 months is a long time but it is actually not. I would like to thank Dialog Semiconductor to offer this great opportunity to conduct this amazing project. Thanks Joek de Haas for your dedicated supervision. You are the one who leads us to the final fruit. Thanks Majid Nabi Najafabadi to be the campus supervisor and for your monitor of the whole procedure. Thanks Sai Janani Ramachandran for your everyday accompany and great cooperation on this topic. Thanks Jan Prummel for your solid RF knowledge support all the way along the project. Thanks Wessel Lubberhuizen, Wik Roovers, Michail Papamichail and Konstantinos Kottikas for your specific support of the project. Thanks Peter de Vreede, Mohammed Aissi & Catalin Tugui for introducing everyday engineering “fake loops”. Thanks everyone in this company for your help and interesting everyday interactions. I would like to thank my parents for their special and unconditional spiritual and financial support. Thanks Aran, hope you can find your true love one day whether it is me.

(5)

iii

Abbreviations

GPS – Global Positioning System IoT – Internet of Things

SIG – Special Interest Group BLE – Bluetooth Low Energy

RSSI – Received Signal Strength Indicator ToF – Time of Flight

IQ – In-phase & Quadrature UWB – Ultra Wideband

TDoA – Time Difference of Arrival TWR - Two-way Ranging

CRB - Cramer-Rao Bound

ISM - Industrial, Scientific and Medical ADC – Analog-Digital Converter AoA – Angle of Arrival

HCI – Host Controller Interface

L2CAP – Logical Link Control and Adaptation GFSK – Gaussian Frequency Shift Keying GAP – Generic Access Profile

AGC – Automatic Gain Control CRC – Cyclic Redundancy Check PDU – Protocol Data Unit

FHSS - Frequency Hopping Spread Spectrum

DUT – Device Under Test

GPIO – General Purpose Input/Output

DMIPS – Dhrystone Million Instructions per Second

PLL – Phase Locking Loop

RFPT – Radio Frequency Production Test DMA – Direct Memory Access

RFIO – Radio Frequency Input/Output LNA – Low Noise Amplifier

VGA – Variable Gain Amplifier IF – Intermediate Frequency

IDE – Integrated Development Environment TX – Transmitted

RX - Received

LSE – Least Square Error SNR – Signal-Noise Ratio ADV – Advertisement LOS – Line of Sight

MIPS – Million Instructions per Second RTOS – Real-time Operating System

(6)

1

List of Figures

Figure 2.1 Illustration of TWR concept [8] ... 10

Figure 2.2 CRB as a function of bandwidth [11] ... 11

Figure 2.3 Comparison of CRB to sampling error as a function of sampling frequency [11] ... 12

Figure 2.4 Measured noise performance as function of SNR [11] ... 12

Figure 2.5 ToF and RSSI fusion ranging blocks [3]... 13

Figure 2.6 BLE protocol stack architecture [19] ... 16

Figure 2.7 State diagram of the Link Layer state machine... 17

Figure 2.8 State machine of peripheral role ... 17

Figure 2.9 State machine of central role ... 18

Figure 2.10 Channel allocation for BLE and Wi-Fi [19] ... 18

Figure 2.11 BLE advertising and active scanning procedure [19] ... 19

Figure 2.12 Advertising packet format [19] ... 20

Figure 2.13 Block diagram of data channel selection algorithm [1] ... 21

Figure 2.14 BLE test packet format [1] ... 21

Figure 2.15 PRO development kit ... 22

Figure 2.16 DA14681 block diagram [21] ... 23

Figure 2.17 Simplified RF block diagram for IQ data capture [22] ... 25

Figure 2.18 Saleae™ Logic Analyzer ... 26

Figure 2.19 ComProbe BPA^® BLE Packet Sniffer ... 26

Figure 2.20 Debugging wave example from logic analyser ... 27

Figure 2.21 BLE traffic information display from the sniffer ... 27

Figure 3.1 Ranging concept with advertising and scanning [24] ... 28

Figure 3.2 Possible phase evolution for GFSK modulated signal [25] ... 29

Figure 3.3 Correct and wrong phase differentiation ... 32

Figure 3.4 TX phase (blue) and RX phase (green) over sample nr. ... 33

Figure 3.5 Experimental setup ... 34

Figure 3.6 Flow chart for BLE advertising task ... 35

Figure 3.7 Flowchart for BLE interrupt routine ... 36

Figure 3.8 Flowchart for MATLAB routine ... 37

Figure 3.9 MATLAB script blocks for asymmetric single channel ranging ... 38

Figure 3.10 Raw IQ data for one example SCAN_REQ packet ... 38

Figure 3.11 Unwrapped phase after IF removal ... 39

Figure 3.12 Data samples of the packet... 40

Figure 3.13 Cross correlation between RX and TX pattern data samples ... 40

Figure 3.14 Fit curve, TX curve, RX curve and error curve after fitting ... 41

Figure 3.15 Indoor measurement environment ... 42

Figure 3.16 ToF histogram for 5m measurement ... 43

Figure 3.17 Symbol timing offset and clock offset compensation mismatch ... 44

Figure 4.1 Symmetric single channel ranging concept ... 45

Figure 4.2 Symbol timing concept for two-way ranging [27] ... 46

(8)

3

Figure 4.3 Experimental setup of symmetric single channel ranging ... 47

Figure 4.4 BLE interrupt routine flowchart for scanner ... 48

Figure 4.5 MATLAB script blocks for symmetric single channel ranging ... 49

Figure 4.6 Symbol timing offset on both ends over packet number ... 49

Figure 4.7 ToF histogram for 15m indoor measurement ... 50

Figure 4.8 First indoor measurement ... 51

Figure 4.9 Long time measurement on 1m ... 51

Figure 4.10 (partial) DA14681 Radio transceiver block diagram [21] ... 52

Figure 4.11 Internal-developed RF attenuator ... 53

Figure 4.12 AGC effect measurement ... 53

Figure 4.13 Reset effect measurement... 55

Figure 4.14 Indoor measurement with AGC compensation ... 56

Figure 5.1 Phase relationship on multiple channels [2] ... 60

Figure 5.2 Experimental setup for symmetric multiple channel ranging ... 60

Figure 5.4 Example logic analyzer waveform for ADV packet reception ... 62

Figure 5.3 Program flowchart for the scanner in asymmetric multiple channel ranging ... 63

Figure 5.5 Raw IQ data for 3 ADV packets ... 64

Figure 5.6 MATLAB blocks for asymmetric multiple channel ranging ... 64

Figure 5.7 Phase Difference for ADV one packet pair from 5m outdoor measurement ... 66

Figure 5.8 RX phase difference for all packet pairs from 5m outdoor ... 66

(9)

4

List of Tables

Table 2.1 Sample values for path loss exponent [4] ... 8

Table 2.2 Main difference between BLE and classic Bluetooth ... 15

Table 2.3 BLE operating states ... 16

Table 2.4 Advertising packets ... 19

Table 2.5 BLE test packet length to packet interval ... 22

Table 2.6 Part of possible test signals in RFPT mode [22] ... 24

Table 3.1 LSE fitting simulation results ... 33

Table 3.2 Effect of large time shift ... 33

Table 3.3 Indoor measurement results ... 42

Table 4.1 MATLAB time profiling for major functions ... 57

Table 4.2 (partial) Time profiling on DA14681 ... 58

Table 5.1 Test modes and user functions in the BLE Direct Test Mode program ... 61

Table 5.2 Indoor Measurement ... 65

Table 5.3 Outdoor Measurement ... 65

Table 5.4 Averaged phase difference for all indoor packet pairs ... 67

Table 5.5 Advertising packet interval in the BLE stack [29] ... 67

Table 6.1 Ranging method summary ... 69

(10)

5

1 Introduction

Ranging is probably one of the oldest problems faced by human beings. With the evolving of technologies, we determine the range more and more precise with visual inspection, with rulers, with radar and with laser. Nowadays, the development and deployment of Global Positioning System (GPS) allows us to accurately determine outdoor position worldwide with relatively cheap chips. But, there are more needs for indoor and small-scale ranging with low-cost consumer devices. Huge increase has been seen on the amount of these consumer devices and most people are using these devices in an indoor environment like home, office, shopping mall, station, etc. Variety of services (e.g., localization, proximity and tracking) will be possible once we can measure distance accurately between large amount of cellphones, wearable devices and IoT nodes.

Bluetooth Low Energy [1] is a short-range wireless standard supported by major smartphones, wearable devices and IoT manufacturers. The first standard version is released by the Bluetooth SIG to support new applications in the healthcare, fitness, security and home entertainment fields in June 2010. BLE focuses on ultra-low power consumption, which is very suitable for coin cell batteries or energy-harvesting devices. With the integration of ranging solutions on BLE devices, people can enjoy all possibilities based on hundreds of millions of devices.

1.1 Motivation

Dialog Semiconductor is one of the main manufacturers of BLE chip. Energy consumption is one of the major differentiators of the wireless portfolio of Dialog. By the end of 2015, they have shipped around BLE chips of 25 million dollars, which is four times as that in 2014. The ranging feature integrated on Dialog chip is expected to add great value for this product and to attract the attention of the market.

Many applications rely on the distance information between two radio nodes. A typical example is key fobs from Tile ¹ that can help you find your lost stuff. Besides, with accurate ranging, we can easily calculate the position of the tracker and enable indoor navigation and asset tracking so that movement of users or valuable objects can be tracked in various scenarios. During our development, many customers have already shown their interest in this feature (e.g., Tile, Tesla, Apple).

However, existing systems for BLE devices distance calculation are mostly based on RSSI method only. The receiver measures the power of the received signal which is proportional to the distance of the transmitter. However, RSSI fluctuates significantly in indoor environment and none Line-of-Sight (LOS) scenario which typically has strong multipath and fading effect. So the distance estimation in this way is inaccurate.

Another choice for BLE devices can be the ToF method. The receiver measures the time delay of the received signal which is proportional to the distance of the transmitter. We may choose to calculate in time or phase domain. A lot of work has been done to prove the validity of ToF method based on IEEE

1 https://www.thetileapp.com/

(11)

6 802.15.4 devices (see Section 2.1.2). But until now, no one has yet implemented ToF solution on a standard BLE product in the market, which shows great commercial and research value of this project.

1.2 Goals

This topic is split into two separate projects but close cooperation is involved practically. The work of practical & experimental project is illustrated in this thesis and the work of algorithmic & simulation project is illustrated in [2].

The goals of this project are listed in below:

• For different ranging solutions, there are different requirements for the input data. Although we have example applications to start with, there is no ready-to-use setup in the company. The first goal is to combine many available software features in the company and develop our own software setup to collect valid data for all ranging solutions.

• We cannot directly input the raw data into every algorithm. Some post-processing steps will be needed to have the valid data input. For the obtained results, we always need some graphs, statistics and metrics to analyze and evaluate the quality or the root cause. The second goal of this project is to develop script for raw data processing and result analysis.

• For typical indoor environment, we only have slow moving objects and a range limit for BLE device. For this scenario, we need to develop solutions that can achieve reasonable distance accuracy so that it will make sense for practical user case. The third goal is to achieve distance accuracy (< 5m) for slow moving objects (< 5km/h) at an indoor range of 30m.

• This project only targets on the latest product of the company. Because of the accuracy we hope to achieve, it will probably suffer from hardware or software design of the current chip. Any advice related to this feature will be well valued by the design team. They can update the design in the next-generation product and maybe release the product on the market very quickly. The last goal is to provide advice for future product.

1.3 Contribution

The topic is split into two individual projects with clear separation of tasks and goals although necessary cooperation happens in some parts during the execution of the project. The cooperation parts are listed below:

• Understanding of algorithm for Asymmetric Single Channel Ranging: The algorithm along with MATLAB script is partially provided by the company. We work together to understand algorithm, to learn the script structure, to test it with different inputs and to solve issues.

• Literature study: The current state-of-art approaches from academia and industry are carefully reviewed and studied to inspire the design of our own solutions. Cooperation and discussion happen on key papers and designs.

• Practical results analysis for Asymmetric Single Channel Ranging and Asymmetric Multiple Channel Ranging: We work together to check the validity of data, the intermediate verbose of script and find the root cause for the issues.

(12)

7

• Algorithm design for Symmetric Single Channel Ranging: the algorithm and user case are developed by joint discussion.

For the contribution of algorithmic & simulation project, please refer to [2]. The individual contributions of this project are listed below:

• Experimental setup for all three solutions: An example BLE advertiser C application and MATLAB real-time data acquisition script are provided as the start point. Three different software setups are developed to collect valid data for all three solutions.

• Data processing for all three solutions: Develop the post-processing MATLAB script to extract algorithm input from raw In-phase & Quadrature (IQ) data for all three algorithm. The algorithm and analysis part are integrated into the script to obtain the final results.

• Measurements for all three solutions: The indoor measurements for all three solutions are conducted individually. To help the result analysis, some outdoor and special measurements are done.

• Practical data analysis for Symmetric Single Channel Ranging: I check the validity of data, the intermediate verbose of script, find the root cause for the issues and obtain correct results.

1.4 Outline

The rest of the report is structured as follows. Chapter 2 (Background) gives an overview of ranging techniques that may be used on low-cost electronic devices, Bluetooth Low Energy standard that our solutions should obey, and development kit from Dialog including hardware, software and debugging tools. Chapter 3 (Asymmetric Single Channel Ranging) introduces all the information for this solution, including algorithm, simulation, software setup, data processing and practical results. Chapter 4 (Symmetric Single Channel Ranging) introduces all the information for this solution, including algorithm, software setup, data processing, practical results and initial profiling. Chapter 5 (Asymmetric Multiple Channel Ranging) introduces all the information for this solution, including algorithm, software setup, data processing and practical results. Chapter 6 (Conclusion and Future Work) presents the conclusion on all three solutions and suggested future work for the company.

(13)

8

2 Background

This chapter presents background and context information for readers to understand the three ranging solutions. The first section introduces general indoor ranging techniques on low-cost electronic devices.

The second section introduces BLE standard which we should consider during BLE compliant solution design. The last section introduces development kit provided by the company and used in this project.

The advanced design by the company gives us benefits but also constraints.

2.1 Ranging Techniques

Global Positioning System (GPS) provides world-wide positioning capacity with an accuracy of several meters when the device is equipped with GPS receiver. However, satellite system cannot be used for fine- grained needs of indoor location due to the attenuation of the satellite signals. Angle-of-Arrival (AoA) measurement is a method for determining the direction of propagation of a radio-frequency wave incident on an antenna array. But this method requires special antenna array design which the DA14681 BLE chip does not have and support. Due to mentioned reasons, only RSSI and ToF ranging methods are considered and discussed in this section.

2.1.1 Received Signal Strength Indicator

RSSI is an indication of the signal strength experienced by the receiver for each reception of BLE packet.

For the practical chip used in this project, it is an unsigned 8-bit integer value indicating signal strength varying between -112dBm to -19dBm with a step of 0.47dB/unit, where an increasing value indicates a stronger signal. The value can be easily retrieved in the RX descriptor field of the BLE stack.

The RF power decays as the electromagnetic waves travel through the air. In open space, the relationship between signal strength and distance can be represented by the log-distance path loss model. The model is given in Eq. (2.1) [3], where 𝜌𝜌𝑑𝑑 is the RSSI value at distance d; 𝜌𝜌0 is the RSSI value at a reference distance d0 = 1m, and includes the aggregated effects of transmission power, antenna gains, and frequency attenuation; and α is the path loss exponent that represents the propagation medium properties.

𝜌𝜌_𝑑𝑑 = 𝜌𝜌₀− 10𝛼𝛼𝛼𝛼𝛼𝛼𝛼𝛼_𝑑𝑑^𝑑𝑑

0⇔ 𝑑𝑑 = 𝑑𝑑₀× 10^(𝜌𝜌⁰^−𝜌𝜌^𝑑𝑑^{)/(10𝛼𝛼)} (2.1) [3]

However, in the presence of interference, multipath, changing of indoor environment and none LOS condition, there will be a variation on 𝛼𝛼 depending on the local statistics that typically ranges from 2 to 5.

Some sample values for 𝛼𝛼 in the model are shown in Table 2.1 [4].

Environment Path Loss Exponent

Free space 2

Flat rural 3

Rolling rural 3.5

Suburban, low rise 4

Dense urban, skyscrapers 4.5

Table 2.1 Sample values for path loss exponent [4]

(14)

9 This results in the inaccuracy of this method especially for indoor environment. The iBeacon [5] technology developed by Apple Inc. is a proximity service based on RSSI and BLE. But the distance between transmitting iBeacon and receiving device is categorized into 3 distinct ranges instead of accurate meters.

To improve the stability of the RSSI measurements, the online channel estimation can be applied to update the path-loss model parameters to accommodate the dynamic environment. In [6], the stability of RSSI for BLE devices in real scenarios is empirically studied and the data smoothing performance of different filters is evaluated. After data pre-processing, the online channel estimation are done with particle filtering or simply least squares fitting. In an indoor environment with people movements and other BLE devices enabled, the distance error obtained by particle filtering is around 1m while the result by least squares fitting is 2.885m. Although indoor measurement with particle filtering achieves good accuracy, considerable number of samples, time and computation complexity are needed to accommodate the intrinsic instability of RSSI method.

Another way to improve the distance accuracy is to design a calibration scheme to determine the a-priori knowledge about the environment conditions before measurement. In [7], the a-priori knowledge about the environment is gathered offline by fingerprint. It determines between the received power measurements and the corresponding grid of locations. The practical experiment shows the localization accuracy of around 5cm and good tracking ability for moving object, which is very precise compared to online estimation way. However, a-priori data are usually unavailable for unknown environment, which greatly limits the application of this method.

2.1.2 Time-of-Flight

Once we can measure the signal ToF from one device to another, we can calculate the distance according to the speed of light (1m = 3.3ns). Measuring the RF signal ToF between nodes avoids stability problem of RSSI method, but it is challenging on its own.

2.1.2.1 Clock Synchronization

In the simplest ToF ranging system with two wireless devices A and B, B need to measure the time of arrival of a signal sent by A. To achieve accuracy of 1m, GHz (ns) clock synchronization is required which is not feasible for a low-cost wireless system. Two-way Ranging (TWR) is a good method that mitigates the effect of clock synchronization error [8]. It allows the time offset between transceiver 1 and 2 to be cancelled as is shown in Figure 2.1 [8].

With 100MS/s sampling rate and 50MHz signal in the 2.4GHz ISM band, they achieve 3m range accuracy although no communication standard is compliant. In TWR method, the measurement takes place over a relatively long time. We need to make sure that the clock offset during measurement causes only ns bias on the RF signal.

(15)

10 Figure 2.1 Illustration of TWR concept [8]

Time-Difference-of-Arrival (TDoA) uses a set of wire-synchronized reference nodes at known locations to determine the time difference of arriving ranging signals to or from a blind node for localization. Its ability to operate well in high multipath environments and provide sub-meter ranging accuracy has been demonstrated using Ultra-Wideband (UWB) technology [9]. However, GHz clock is needed and the base station infrastructures are expensive.

2.1.2.2 Noise

A ToF ranging measurement influenced only by white noise has been studied in the context of radar applications. The Cramer-Rao Bound (CRB) [10] provides a lower bound for the variance of the range estimation in white noise . For a one-way ranging system using IEEE 802.15.4 modulation, the CRB is given by Eq. (2.2) [11].

𝜎𝜎𝑟𝑟2 ≥ _4𝜋𝜋₂_∗𝐵𝐵^𝑐𝑐²₂_{∗𝑆𝑆𝑆𝑆𝑆𝑆} (2.2) [11]

The range variance limit is related to speed of light c, signal bandwidth 𝐵𝐵 and signal to noise ratio SNR.

Figure 2.2 [11] shows the CRB as a function of bandwidth for SNR of 10dB and 26dB. We can see that the white noise only does not prevent 1m accuracy for 2MHz bandwidth (BLE and IEEE 802.15.4). In TWR systems, round-trip measurements are made and averaged to obtain range estimation resulting in 𝜎𝜎𝑟𝑟2

reduction of 2 [11].

(16)

11 Figure 2.2 CRB as a function of bandwidth [11]

2.1.2.3 Sampling Artefacts

It is proved in [12] that the resolution of a ToF measurement suffers from the finite sampling clock- frequency resolution. This occurs when a matched filter is used to estimate the time of arrival with a sampling rate of 𝑓𝑓𝑠𝑠= 2𝐵𝐵. Sampling adds error to ToF result because the estimate space is divided up into range bins of 𝑐𝑐/𝑓𝑓𝑠𝑠 wide. The range uncertainty added by sampling in each bin is given by Eq. (2.3) [11].

𝜎𝜎_𝑠𝑠²=_{12∗𝑓𝑓}^𝑐𝑐²

𝑠𝑠2 (2.3) [11]

To reduce this error, the signal can be oversampled. Figure 2.3 [11] shows the CRB for a 2MHz bandwidth signal with SNR = 26dB, the standard deviation of the sampling error and the combined effect of both error sources. We can see that in this noise condition, when 𝑓𝑓𝑠𝑠> 70𝑀𝑀𝑀𝑀𝑀𝑀, the range error caused by white noise will become dominant. It can also be concluded that with better noise condition, large sampling rate is needed to reduce the error. If the signal is sampled above Nyquist (𝑓𝑓𝑠𝑠> 2𝐵𝐵), the signal’s entire information content is fully captured and better time resolution than 𝜎𝜎𝑠𝑠 is possible. Interpolation between samples can yield significant improvements in resolution [13].

(17)

12 Figure 2.3 Comparison of CRB to sampling error as a function of sampling frequency [11]

Code Modulus Synchronization is presented in [11] as one improved TWR method. In this method, a code is transmitted between both ends and proper cross correlation is calculated between the transmitted and received code to determine ToF. Finally, 1m accuracy is achieved for outdoors and 1-3m is achieved for indoors. Besides, the standard deviation of ranging measurements, the CRB for their system as a function of SNR and the previous ranging binning limit are shown in Figure 2.4 [11]. We can see that the practical results approach CRB when the SNR is low and are limited gradually by sampling frequency error.

Figure 2.4 Measured noise performance as function of SNR [11]

2.1.2.4 ToF by Phase Measurement

In GPS, there are code-phase and carrier-phase methods that can achieve different level of range accuracy and have different level of cost. The code-phase method calculates the cross correlation between received pseudo random code and code replica generated at the received to determine the time shift and the ToF.

This method suffers from all the issues mentioned above and can achieve meter level accuracy [14]. The

(18)

13 carrier-phase method is a measure of the range between a satellite and receiver expressed in units of cycles of the carrier frequency. The pseudo random code has a bit rate of about 1 MHz but its carrier frequency has a cycle rate of over a GHz which is 1000 times faster. This method achieves precision varies from 1 mm to 10 cm, depending on the processing strategy [14]. Similarly, the phase shift of transmitted and received RF signals can be used to measure distance more accurately in low-cost devices.

In [15], the full available ISM bandwidth of 80 MHz and 16 ZigBee channels are utilized to estimate distance with phase difference method. With a low-cost oscillator and sampling frequency of 250MHz, a positioning bias error of 16cm and standard deviation of 3cm are achieved. In [16], only two measurement frequencies in ISM band are needed to perform the distance estimations. 30cm range accuracy is achieved with frequency hub of 75MHz, measurement in RF anechoic chamber and at least 250 samples. The Atmel ranging toolbox [17] uses proprietary algorithm based on phase difference to calculate distance. The full 2.4 GHz ISM band is suggested for best performance and the ranging procedure is not compliant with IEEE 802.15.4.

Because of design convenience, all the ToF methods mentioned in this section is based on IEEE 802.15.4 standard. But the BLE standard also shares similar problems as it is designed for low-cost consumer devices. For example on the DA14681 BLE chip of Dialog, it only has low accuracy clock (16MHz), inaccurate synchronization (1µs), low online processing power (96MHz) and low sampling frequency (8MHz). These are fundamental limits to walk around for the design of accurate ToF ranging solutions on BLE devices.

2.1.3 Fusion of ToF and RSSI

Both ToF and RSSI methods have their own merits and demerits but we can fuse the data to achieve better resolution and stability. In [3] data fusion of RSSI and two-way ToF are applied to improve ranging accuracy. The general blocks are shown in Figure 2.5 [3] where least squares fitting is used to estimate channel parameters and extended Kalman filter is used for range tracking. Dotted lines apply only when ToF data are available. For the experiment with lab environment, the RSSI method only achieves 2.5m accuracy and the fusion method reaches 1.3m accuracy.

Figure 2.5 ToF and RSSI fusion ranging blocks [3]

In [18], the calculated speed and location information from processed ToF and RSSI are fed into two Kalman filters to track the state change. The final output distance value depends more on term with

(19)

14 smaller estimated uncertainty. In their indoor measurement, the RSSI method has accuracy of 0.5m-1.5m and the ToF method has accuracy of 2.5m-3.5m. The fusion algorithm reaches accuracy less than 1m which proves the improvement on individual techniques.

2.2 Bluetooth Low Energy

2.2.1 Overview

Bluetooth is a wireless technology allowing electronic devices to perform short range wireless communication between each other. The classic Bluetooth is originally designed for continuous, streaming data applications like voice and has successfully eliminated wires in many consumer as well as industrial and medical applications. The usage and development of Bluetooth technology are regulated by the Bluetooth Special Interest Group (SIG). The group, which has over 20000 member companies, is responsible for defining the Bluetooth specification as well as to certify that the developed products conform to these specified standards. It operates between 2400 MHz to 2485 MHz, which lies within the globally unlicensed ISM band.

Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is the new generation standard designed by the Bluetooth SIG to support new applications in the healthcare, fitness, security and home entertainment fields in June 2010. The latest specification v4.2 was released on December 2014, which is currently supported by company development kit. BLE is the evolution of current so-called “classic Bluetooth”

standard. It focuses on ultra-low power consumption, which is very suitable for coin cell batteries or energy-harvesting devices. More detailed information about this section can be found in Bluetooth specification v4.2 [1].

2.2.2 Classic Bluetooth vs BLE

The BLE standard is not back-compatible with the classic Bluetooth. Although it reuses existing radio architecture and Host Controller Interface (HCI) transports and Logical Link Control and Adaptation (L2CAP) packets, many new features are introduced such as efficient discovery / connection procedures, very short packets, asymmetric design for peripherals and client server architecture, etc. Table 2.2 lists the main difference between these two Bluetooth standards.

(20)

15

Feature Classic Bluetooth BLE Notes

RF Channels 79 40 Less channels

Channel Bandwidth 1MHz 2MHz Double bandwidth

Modulation GFSK GFSK Simple and effective

Modulation Index 0.25 to 0.35 0.45 to 0.55 Wider signal – more robust Max TX Power +20 dBm (class 1)

+4 dBm (class 2) +10 dBm No “class” structure +10 dBm regulatory limit Rx Sensitivity

(typical) -85 dBm -85 dBm Pathloss = 90 dB for classic

Pathloss = 95 dB for BLE

Range (typical) 30 meters 50 meters Modulation Index,

increased power for class 2

Packet Format 6 2 Advertising / Data for BLE

Max Packet Length 2875 μs 328 μs BLE very short

Max Throughput

Data Rate 2178.1 kb/s 305 kb/s BLE is slower

Encryption Safer+ AES-128 BLE stronger

Discoverable +

Connectable Inquiry + Page Scan

22.5 ms / 1.25 s Advertising

1.25 ms / 1.25 s 20x lower energy Connection time 20 ms (R0 Page Scan) 2.5 ms 8x quicker

Table 2.2 Main difference between BLE and classic Bluetooth 2.2.3 Protocol Stack Architecture

The Bluetooth Core system is shown in Figure 2.6 [19], consisting of a Host, a Primary Controller and zero or more Secondary Controllers. A minimal implementation of a BLE-only core system covers the four lowest layers and associated protocols defined by the Bluetooth specification as well as two common service layer protocols: the Security Manager (SM) and Attribute Protocol (ATT). The overall profile requirements are specified in the Generic Attribute Profile (GATT) and Generic Access Profile (GAP). In this project, we mainly focus on Link Layer in the BLE controller which handles advertising, scanning, creating and maintaining connections.

(21)

16 Figure 2.6 BLE protocol stack architecture [19]

2.2.4 Operation States & Roles

In BLE systems, there are five operating states in the link layer state machine: Standby, Advertising, Scanning, Initiating and Connection. The description is shown in Table 2.3.

State State Description

Standby Does not transmit or receive packets Advertising Broadcasts advertisements in

advertising channels

Scanning Looks for advertisers

Initiating Initiates connection to advertiser

Connection

Master

Role Communicates with device in the Slave role, defines timings of transmissions Slave

Role Communicates with single device in Master Role

Table 2.3 BLE operating states

The Link Layer may have more than one instance of the state machine at any time. However, the Link Layer state machine allows only one state to be active at a time and a BLE device cannot be master and slave at the same time. The state diagram of the Link Layer state machine is shown in Figure 2.7.

(22)

17 Figure 2.7 State diagram of the Link Layer state machine

BLE GAP layer defines four profile roles: Broadcaster, Observer, Peripheral and Central. Here we only introduce Peripheral and Central roles which are most relevant to our project. A peripheral device is assumed to be a low-power device that exposes information and is able to make connections. It uses connectable advertising packets to broadcast information that any other BLE device within range can hear.

The state machine is shown in Figure 2.8 with valid states blue.

Figure 2.8 State machine of peripheral role

A central device is usually a powered device, including a rechargeable battery and with a greater processing power with respect to peripheral ones (e.g., a smartphone or a tablet). Central devices implement a scanner modality, in which they listen for the advertisements and initiating connection request. The state machine is shown in Figure 2.9 with valid states blue.

(23)

18 Figure 2.9 State machine of central role

Differently from classic Bluetooth, peripheral and central devices are very asymmetric in their resource requirements. This technology has been projected having in mind to minimize complexity, power requirements and costs mainly on the peripheral side. This results in the fact that a peripheral device spends the majority of its life asleep, limiting its consumptions. It only wakes up when it needs to send data or interact with central devices.

2.2.5 Advertising & Scanning

The whole 2.4GHz Bluetooth band is allocated for 40 2MHz channels as is shown in Figure 2.10 [19]. 37 of these channels are reserved for data, only used by devices that have paired with each other. The remaining 3 channels are used for advertisements. These three channels were specifically chosen to avoid the main channels used by Wi-Fi access points, to minimize interferences.

Figure 2.10 Channel allocation for BLE and Wi-Fi [19]

(24)

19 When a peripheral wants to broadcast, it starts an advertising event, where the same packet is transmitted sequentially on each of the three advertising channels. Devices operating as scanners will detect one of these, and pass the information it contains to the higher level protocol stack and application.

Although the primary aim of advertising packets within the specification is to allow for the discovery of devices and make a secure connection, they also permit small amounts of data to be transmitted for other devices to hear. The advertising and active scanning procedure is shown in Figure 2.11 [19].

Figure 2.11 BLE advertising and active scanning procedure [19]

For advertising event, there are totally 7 air interface packets defined, which is shown in Table 2.4.

Type Packet Usage

0000 ADV_IND Connectable undirected advertising event 0001 ADV_DIRECT_IND Connectable directed advertising event 0010 ADV_NONCONN_IND Non-connectable undirected advertising event 0011 SCAN_REQ Scan request for further information from advertiser 0100 SCAN_RSP Response to scan request from scanner

0101 CONNECT_REQ Connect request by Initiator

0110 ADV_DISCOVER_IND Discoverable undirected advertising event Table 2.4 Advertising packets

The format of advertising packets is shown in Figure 2.12 [19]. The whole packet is defined as Preamble, Access Address, Packet Data Unit (PDU) and Cyclic Redundancy Check (CRC) field. The Preamble (0xaa) is used for frequency synchronization and Automatic Gain Control (AGC) training. The Access Address (0x8e89bedd6) is designed for packet detection. CRC is computed over PDU for error check.

(25)

20 Figure 2.12 Advertising packet format [19]

The PDU is composed of payload and header. In the header, packet type, TX/RX address type, payload length and field reserved for future use are defined.

All of our three ranging solutions are based on advertisement & scanning activity for the purpose of convenience. In the next chapters, there are more elaborative descriptions of how these features facilitate our solutions.

2.2.6 Frequency Hopping

Due to the unrestricted nature of the ISM band, BLE must overcome interference from other systems (e.g., Wi-Fi) and minimize its interference on other systems. BLE does this by using a Frequency Hopping Spread Spectrum (FHSS) technique. This spreads the RF power across the spectrum which reduces interference and the spectral power density. FHSS occurs while in a connection. The frequency hops among 37 data channels according to the channel selection algorithms.

The master’s Link Layer shall classify data channels into used channels and unused channels which are called the channel map. The slave shall receive the channel map from the master in connection request.

The channel map can be updated by the master using a channel update message.

The channel selection algorithm consists of two stages: calculation of the unused channel index and then mapping this index to a data channel index from the set of used channels. The complete procedure is shown in Figure 2.13 [1]. The unmappedChannel is the unmapped channel index for the current connection event. The lastUnmappedChannel is the unmapped channel index of the previous connection event which is 0 for the first connection event. At the start of a connection event, unmappedChannel shall be calculated using the following basic algorithm in Eq. (2.4) [1]:

unmappedChannel = (lastUnmappedChannel + hopIncrement) mod 37 ^{(2.4) [1]}

The algorithm then checks if the unmapped channel is used according to the channel map. If it is used, the algorithm will use the unmapped channel. Otherwise the channel is remapped to one of the used channels.

(26)

21 Figure 2.13 Block diagram of data channel selection algorithm [1]

2.2.7 Direct Test Mode

Direct Test Mode is used to control the Device-Under-Test (DUT) and provides a report back to the tester.

The BLE Test packet format shall be as shown in Figure 2.12 [1].

Figure 2.14 BLE test packet format [1]

Test packets are required for physical layer testing using Direct Test Mode. The test packet consists of the following fields: preamble (8 bit), synchronization word (32 bit), PDU header (8 bit), PDU length (8 bit), payload (296-2040 bit) and CRC (24 bit), in total 376-2120 bits. The packets do not have a PDU address field. Depending on the test, the packet payload content may vary. Depending on the test packet length, the test packet interval is defined in Table 2.5.

(27)

22 LE Test Packet Length Packet Interval

≤ 376 μs 625 μs

≥ 377 and ≤ 1000 μs 1250 μs

≥ 1001 and ≤ 1624 μs 1875 μs

≥ 1625 and ≤ 2120 μs 2500 μs

Table 2.5 BLE test packet length to packet interval

2.3 Development Kit

2.3.1 Hardware

For our development, we use the PRO development kit provided by Dialog Semiconductor, which is shown in Figure 2.15. It consists of the PRO motherboard and the PRO daughterboard. Development kit supports DA14680, DA14681, DA15100 and DA15101 SoCs of Dialog Semiconductor.

Figure 2.15 PRO development kit The main features of the mother board are [20]:

– DA1468x/DA1510x SoCs can be accessed over UART and/or JTAG with no additional external hardware.

– Access on all GPIOs provided from the chip, when no sensor board is plugged.

– Press on Reset function.

– General purpose LEDs and Push Button on the PRO motherboard.

– Current monitoring circuit associated with appropriate software on PC.

– Powered from either USB2 (DBG) port or Battery. Dedicated USB (USB1-CHG) port for charging.

– JTAG and UART interfaces over USB2 (DBG) for development purposes – On-daughterboard printed inverted F-type antenna

(28)

23 – RF mechanical switch for conducted RF measurements

2.3.1.1 DA14681 Daughter Board

For specific functional daughter board, we use DA14681 for the BLE applications. The chip block diagram is shown in Figure 2.16 [21]. The DA14681 is a flexible System-on-Chip combining an application processor, memories, cryptography engine, power management unit, digital and analog peripherals and a BLE MAC engine and radio transceiver. The DA14681 is based on an ARM® Cortex®-M0 CPU delivering up to 84 DMIPS and provides a flexible memory architecture, enabling code execution from embedded memory (RAM, ROM) or non-volatile memory (OTP or external Quad-SPI FLASH). The advanced power management unit of the DA14681 enables it to run from primary and secondary batteries, as well as provide power to external devices. The on-chip charger and state-of-charge fuel gauge allow the DA14681 to natively charge rechargeable batteries over USB. An on-chip Phase Locking Loop (PLL) enables on-the- fly tuning of the system clock between 32 kHz and 96 MHz to meet high processing requirements. Several optimized sleep modes are available to reduce power dissipation when there is no activity.

Figure 2.16 DA14681 block diagram [21]

Here are some important features for this project [21]:

• BLE: Complies to Bluetooth v4.2

• Flexible processing power: 0 Hz up to 96 MHz 32-bit ARM Cortex-M0 with 4-way associative cache

• Memories:

– 64 kB One-Time-Programmable (OTP) memory

(29)

24 – 128 kB Data SRAM with retention capabilities

– 16 kB Cache SRAM with retention capabilities – 128 kB ROM (including boot ROM and BLE stack) – 8 MB external FLASH memory

• Digitally controlled oscillators and PLL:

– 16/32 MHz crystal oscillator – 16 MHz RC oscillator

– 32 kHz crystal and RC oscillator – 10.5 kHz RCX oscillator

– low power PLL up to 96 MHz

• Radio transceiver:

– 2.4 GHz CMOS transceiver with integrated balun – 0 dBm transmit output power

– -93 dBm receiver sensitivity (BLE)

– TX current of 3.4 mA and RX current of 3.7 mA (supply current at 3 V) 2.3.1.2 Radio Frequency Production Test

The DA14681 is equipped with the Radio Frequency Production Test (RFPT) mode which can put different internal test signals on the test bus and transfer them to memory by the Direct Memory Access (DMA) channel.The word length of the RFPT test signal data to be transferred is 32 bits and the maximum speed is 16MHz. The transfers can be controlled with an enable signal. The user should program the length, destination address and the test signal in software to setup the RFPT mode and capture desired internal signal data. The maximum size of data that the RFPT block can write using the embedded DMA channel is 128 Kbytes.

Part of the possible test signals are shown in Table 2.7 [22]. Test mode is a programmable parameter and is set to 0 in normal mode where no test data are generated. The rate of the transfer is listed in the second column, i.e. the frequency of the enable signal. The trigger column is the instant where the first transfer occurs. For the test signals shown in this table, the transfer is activated by the enable signal of the demodulator. The rest of the table shows what internal signals are mapped onto the test bus. The adcout_i and adcout_q shown in test mode 1 are the IQ data we need to capture for all the ranging solutions. More test signals can be added in the future if necessary.

Table 2.6 Part of possible test signals in RFPT mode [22]

The simplified RF block diagram for IQ data capture is shown in Figure 2.17 [22]. The RX front-end consists of a selective matching network (RFIO in the figure), a Low Noise Amplifier (LNA) and an down conversion mixer. The intermediate frequency (IF) complex filter with variable gain amplifiers (VGA) provides the necessary signal conditioning prior to digitalization. The two ADCs for I signal and Q signal convert the analog signal to digital samples that are fed in to the digital demodulator block (DEM) which provides a

31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

1 8 MHz dem_en b

2 8 MHz dem_en b

3 8 MHz dem_en 4 8 MHz dem_en

vga3_in_q vga3_in_i vga3_out_q vga3_out_i rssi_raw agc_setting envelope

adcout_i adcout_q hpf output pad output

dnmin dpmin hpf output pad output

Test mode Rate Trigger Testbus

(30)

25 synchronous bit stream. With the setup of RFPT test mode 1 in software, the IQ samples are put on the test bus and transferred to the RAM through the DMA channel in parallel with the normal functionality.

Figure 2.17 Simplified RF block diagram for IQ data capture [22]

2.3.2 Development Environment

Dialog SmartSnippets™ [17] is the integrated development environment we used for two solutions. It is a royalty-free software development platform for Smartbond™ devices. It fully supports the DA1468x family of devices.

SmartSnippets™ contains:

• SmartSnippets™ Toolbox: A tool suite covering all software developer needs, including:

– Power profiling – Programming – Testing

• SmartSnippets™ IDE: Eclipse² based IDE pre-configured plugins allowing easy out of the box setup of build/debug environment. The SmartSnippets™ IDE is supported by an on-board debugger from Segger³. This offers standard debug capabilities such as single stepping, setting breakpoints, SW download and many more.

• SmartSnippets™ SDK

– Preemptive multitasking via a state of the art real time operating system – Access to the on-chip peripherals via Low Level Drivers and Adaptors – Complete integration of a v4.2 compliant Bluetooth Smart stack and radio – Support for firmware upgrade, including over the air

– Structured access to the flash device via a NVMS adaptor that supports wear levelling – Support of the on-chip power management facilities enabling sleep and hibernation

• SmartSnippets™ documentation

Keil μVision4⁴ is another IDE we used for one solution. The µVision IDE combines project management, run-time environment, build facilities, source code editing, and program debugging in a single powerful environment. µVision is easy-to-use and accelerates your embedded software development. It supports multiple screens and allows you to create individual window layouts anywhere on the visual surface. The

2 www.eclipse.org

3 https://www.segger.com/jlink-debug-probes.html

4 http://www.keil.com/uvision/

(31)

26 µVision Debugger provides a single environment in which we can test, verify, and optimize your application code. The debugger includes traditional features like simple and complex breakpoints, watch windows, and execution control and provides full visibility to device peripherals.

2.3.3 Debugging Tools

During the whole project, we have two important debugging tools: BLE packet sniffer and logic analyzer, which greatly ease the way of debugging. The practical hardware is shown in Figure 2.18 and Figure 2.19.

Figure 2.18 Saleae™ Logic Analyzer⁵

Figure 2.19 ComProbe BPA^® BLE Packet Sniffer⁶

In DA14681, there are many RF and BLE MAC engine digital diagnostic signals brought out to certain GPIOs on the mother board. Traditionally, we use oscilloscope to display these signals which is not convenient because we need to test it in the laboratory and it only has 2 or 4 channels available. With the small, portable and inexpensive Saleae™ logic analyzer, we can just plug it into a computer and track 8 digital signals at the same time. The logic analyzer works with USB2.0. It has 8 channels with 100MS/s for digital signal and 10MS/s for analog signal. As many as 10 billion samples can be saved to capture more elusive events. Besides, we can start debugging within 5 minutes of opening the software. We can easily record, setup, navigate, measure, trigger and find signals with the software. One example during debugging is shown in Figure 2.20.

5 https://www.saleae.com/

6 http://www.fte.com/products/BPAlowenergy.aspx

(32)

27 Figure 2.20 Debugging wave example from logic analyser

For our ToF solutions, we need to know detailed information about BLE packets in the air, such as information in each field, exact packet bits, packet interval, channels, etc. ComProbe BPA® BLE packet sniffer packs a serious punch, decoding all traffic including advertising packets, data packets and Link Layer control packets, and providing visibility into all three advertising channels concurrently. The BLE traffic information display in the software is shown in Figure 2.21. The left decode pane shows comprehensive layered decoders of each frame. The summary pane in the middle displays a one-line overview of each data frame. The panes below shows exactly the received bits in binary and hexadecimal. Besides we can easily add filters on packets.

Figure 2.21 BLE traffic information display from the sniffer

(33)

28

3 Asymmetric Single Channel Ranging

In BLE, a device shall first advertise about its own information or scan for connectable devices before entering connection event. Because it always consumes time and energy to initiate and maintain the connection, we first consider the advertising and scanning event for our ranging application.

The ranging concept with advertising and scanning is shown in Figure 3.1 [24]. The advertiser from Dialog transmits ADV_IND packet and receives SCAN_REQ packet from the remote end (e.g., an mobile phone) after 150μs. The remote end can be any BLE-compliant device that is doing active scanning. The payload of SCAN_REQ packet contains 48-bit advertiser address which is known by the advertiser. With this known 48-bit pattern, ToF and range with the remote end can be calculated.

Figure 3.1 Ranging concept with advertising and scanning [24]

In this method, no Dialog chip or software is needed on the remote end. That is why we call it

“asymmetric”. The SCAN_REQ can be only received on one channel out of three advertisement channels.

That is why we call it “single channel”. The algorithm and software setup will be illustrated in the following sections.

3.1 Algorithm

3.1.1 Mathematical Model for Received signal

To determine the ToF with transmitted (TX) signal and received (RX) signal that have the same bit pattern, we need to first find the mathematical relationship between TX and RX signals. Based on the algorithm prepared by the company, the theory in [16] and the cooperation with algorithmic & simulation project, we have the following derivation.

The mathematical description of the TX signal is given in Eq. (3.1). 𝑓𝑓𝑐𝑐 is carrier frequency based on ADV channel, 𝜑𝜑𝑚𝑚(𝑡𝑡) is the phase term due to Gaussian Frequency Shift Keying (GFSK) modulation and 𝜑𝜑_𝑡𝑡 is the unknown phase offset from carrier wave.

𝐸𝐸_{𝑇𝑇𝑇𝑇}(𝑡𝑡) = sin [2𝜋𝜋𝑓𝑓𝑐𝑐𝑡𝑡 + 𝜑𝜑_𝑚𝑚(𝑡𝑡) + 𝜑𝜑_𝑡𝑡] (3.1)

To reduce the complexity of derivation, the details about GFSK modulation and 𝜑𝜑𝑚𝑚(𝑡𝑡) are not explained in detail. Thorough information can be found in Chapter 2 of [25]. The 𝜑𝜑𝑚𝑚(𝑡𝑡) ramps up when the symbol

(34)

29 is ‘1’ and ramps down when the symbol is ‘0’. The possible phase value over the first 5 symbol periods is shown in Figure 3.2 [25].

Figure 3.2 Possible phase evolution for GFSK modulated signal [25]

After transmission in the air, the RX signal is given by Eq. (3.2). The time is shifted by ToF given by distance r and speed of light c.

𝐸𝐸_{𝑆𝑆𝑇𝑇}(𝑟𝑟, 𝑡𝑡) = sin [2𝜋𝜋𝑓𝑓𝑐𝑐(𝑡𝑡 −^𝑟𝑟_𝑐𝑐) + 𝜑𝜑_𝑚𝑚(𝑡𝑡 −^𝑟𝑟_𝑐𝑐) + 𝜑𝜑_𝑡𝑡] (3.2) At the receiver, the local oscillator signal is given by Eq. (3.3) where 𝑓𝑓𝑙𝑙 is the local oscillator frequency and 𝜑𝜑𝑟𝑟 is the unknown phase offset for this wave.

𝐸𝐸𝐿𝐿𝐿𝐿(𝑡𝑡) = sin [2𝜋𝜋𝑓𝑓𝑙𝑙𝑡𝑡 + 𝜑𝜑𝑟𝑟] (3.3)

This signal is multiplied with the RX signal to down-mix it to the intermediate frequency for baseband processing in Eq. (3.4).

𝐸𝐸𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑟𝑟(𝑟𝑟, 𝑡𝑡) = 𝐸𝐸_{𝑆𝑆𝑇𝑇}(𝑟𝑟, 𝑡𝑡) ∗ 𝐸𝐸_{𝐿𝐿𝐿𝐿}(𝑡𝑡) (3.4)

According to basic trigonometric functions that 𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 ∗ 𝑠𝑠𝑠𝑠𝑠𝑠𝐵𝐵 =¹₂(cos(𝑠𝑠 + 𝐵𝐵) − cos (𝑠𝑠 − 𝐵𝐵)), we obtain the result for the down mixing signal in Eq. (3.5).

𝐸𝐸𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑚𝑟𝑟(𝑟𝑟, 𝑡𝑡) =¹₂{cos [2𝜋𝜋(𝑓𝑓_𝑐𝑐+ 𝑓𝑓_𝑙𝑙)𝑡𝑡 − 2𝜋𝜋𝑓𝑓_𝑐𝑐^𝑟𝑟_𝑐𝑐+ 𝜑𝜑_𝑚𝑚(𝑡𝑡 −^𝑟𝑟_𝑐𝑐) + 𝜑𝜑_𝑡𝑡+ 𝜑𝜑_𝑟𝑟] −

cos [2𝜋𝜋(𝑓𝑓_𝑐𝑐− 𝑓𝑓_𝑙𝑙)𝑡𝑡 − 2𝜋𝜋𝑓𝑓_𝑐𝑐^𝑟𝑟_𝑐𝑐+ 𝜑𝜑_𝑚𝑚(𝑡𝑡 −^𝑟𝑟_𝑐𝑐) + 𝜑𝜑_𝑡𝑡− 𝜑𝜑_𝑟𝑟)]} (3.5) The first high frequency cosine component is removed in the IF filter and the remaining signal is shown in Eq. (3.6). ∆𝜑𝜑 = 𝜑𝜑𝑡𝑡− 𝜑𝜑_𝑟𝑟 is the carrier frequency offset induced by the RFPLL on carrier and local oscillator wave.

𝐸𝐸𝐼𝐼𝐼𝐼(𝑟𝑟, 𝑡𝑡) = cos [2𝜋𝜋(𝑓𝑓𝑐𝑐− 𝑓𝑓𝑙𝑙)𝑡𝑡 − 2𝜋𝜋𝑓𝑓𝑐𝑐𝑟𝑟

𝑐𝑐+ 𝜑𝜑𝑚𝑚(𝑡𝑡 −^𝑟𝑟_𝑐𝑐) + ∆𝜑𝜑] (3.6) Ideally, the intermediate frequency 𝑓𝑓𝐼𝐼𝐼𝐼 = 𝑓𝑓𝑐𝑐− 𝑓𝑓𝑙𝑙 should be constant. Both carrier frequency and local oscillator frequency are generated by individual PLL driven by the local clock. As the two ends are not

(35)

30 perfectly synchronized, there is certain carrier frequency offset ∆𝑓𝑓 added to the IF. So the signal after the IF filter can be expressed as

𝐸𝐸𝐼𝐼𝐼𝐼(𝑟𝑟, 𝑡𝑡) = cos [2𝜋𝜋𝑓𝑓𝐼𝐼𝐼𝐼𝑡𝑡 + 2𝜋𝜋∆𝑓𝑓𝑡𝑡 + 𝜑𝜑𝑚𝑚(𝑡𝑡 −^𝑟𝑟_𝑐𝑐) − 2𝜋𝜋𝑓𝑓𝑐𝑐𝑟𝑟

𝑐𝑐+ ∆𝜑𝜑] (3.7)

If we extract the phase of this signal and ignore the phase term induced by IF, we obtain

φ_{𝐼𝐼𝐼𝐼}(𝑡𝑡) = 𝜑𝜑𝑚𝑚(𝑡𝑡 −^𝑟𝑟_𝑐𝑐) + 2𝜋𝜋∆𝑓𝑓𝑡𝑡 − 2𝜋𝜋𝑓𝑓_𝑐𝑐^𝑟𝑟_𝑐𝑐+ ∆𝜑𝜑 (3.8) We can see from Eq. (3.8) that the received phase after IF filtering contains distance information in the GFSK modulated phase term and phase term induced by carrier frequency. The two phase terms related to ToF are separately discussed and tested in single channel and multiple channel ranging methods. In this ranging method, we only consider the distance information in phase term 𝜑𝜑𝑚𝑚(𝑡𝑡 −^𝑟𝑟_𝑐𝑐) and consider phase term 2𝜋𝜋𝑓𝑓𝑐𝑐𝑟𝑟

𝑐𝑐 to be part of the phase offset ∆𝜑𝜑.

There are two more issues to be considered in this model.

• In the BLE specification, the GFSK modulation index is recommended to be 0.5 and shall be between 0.45 and 0.55 [1]. So it is possible that the TX and RX end have a certain modulation index offset Δh on the GFSK modulated phase amplitude.

• As the two ends are not perfectly synchronized and there is clock offset introducing extra shift for time t. The time on the receiver should be 𝑡𝑡𝑆𝑆𝑇𝑇= �1 +^Δf_𝑓𝑓

𝑐𝑐� ∗ 𝑡𝑡_{𝑇𝑇𝑇𝑇} where clock offset is represented by ^Δf_𝑓𝑓

𝑐𝑐. For the DA14681 chip, the maximum clock offset for crystals is ±20 ppm [21]. Within time period of 48-bit pattern (48µs), the maximum time shift is only 0.96ns (0.29m). So this issue needs only to be considered when we achieve sub-meter accuracy.

3.1.2 Linear Least Square Error Fitting

After the discussion above, we obtain the expression for the received phase. 𝜑𝜑𝑚𝑚(𝑡𝑡) can be seen as the transmitted phase.

φ_{𝑆𝑆𝑇𝑇}(𝑡𝑡) = (1 + Δh) ∗ 𝜑𝜑𝑇𝑇𝑇𝑇�𝑡𝑡 −^𝑟𝑟_𝑐𝑐� + 2𝜋𝜋∆𝑓𝑓𝑡𝑡 + ∆𝜑𝜑 (3.9) With first order Taylor expansion, we have the approximation of

φ𝑇𝑇𝑇𝑇�t −^𝑟𝑟_𝑐𝑐� ≈ φ_{𝑇𝑇𝑇𝑇}(t) −^𝑟𝑟_𝑐𝑐∗^dφ^TX_dt^(t) (3.10) Thus, Eq. (3.9) can be written as

φ_{𝑆𝑆𝑇𝑇}(𝑡𝑡) = (1 + Δh) ∗ 𝜑𝜑𝑇𝑇𝑇𝑇(𝑡𝑡) −^𝑟𝑟_𝑐𝑐∗^dφ_dt^TX^(t)+ 2𝜋𝜋∆𝑓𝑓𝑡𝑡 + ∆𝜑𝜑 (3.11) In practical, the continuous time t is sampled by 8MHz ADC. So Eq. (3.11) can be written in linear equations

𝒚𝒚 = 𝑿𝑿𝑿𝑿 (3.12)

Where (n is the number of available samples)

(36)

31 𝒚𝒚 = �

𝜑𝜑_{𝑆𝑆𝑇𝑇1} 𝜑𝜑_{𝑆𝑆𝑇𝑇2} 𝜑𝜑_{𝑆𝑆𝑇𝑇𝑅𝑅}⋮

� , 𝑿𝑿 =

⎝

⎜⎜

⎛ 𝜑𝜑_{𝑇𝑇𝑇𝑇1} 𝜑𝜑_{𝑇𝑇𝑇𝑇2}

⋮ 𝜑𝜑_{𝑇𝑇𝑇𝑇𝑅𝑅}

^dφ_{dt 1}^TX ^dφ_{dt 2}^TX

⋮ ^dφ_{dt 𝑅𝑅}^TX

𝑡𝑡₁ 𝑡𝑡₂ ⋮ 𝑡𝑡_𝑅𝑅

1 1 ⋮ 1⎠

⎟⎟

⎞, 𝑿𝑿 =

⎝

⎜⎛(1 + 𝛥𝛥ℎ)

−^𝒓𝒓_𝒄𝒄 2𝜋𝜋∆𝑓𝑓

𝛥𝛥𝜑𝜑 ⎠

⎟⎞

With known 48-bit pattern, GFSK modulated phase 𝜑𝜑𝑇𝑇𝑇𝑇(𝑡𝑡) can be easily calculated. The received phase φ_{𝑆𝑆𝑇𝑇}(𝑡𝑡) can be easily calculated with the captured IQ data at the receiver. So the data points in matrix 𝒚𝒚 and 𝑿𝑿 are known, and the linear coefficients in matrix 𝑿𝑿 need to be known. This is a typical Linear Least Square Error (LSE) fitting problem [26].

Eq. (3.12) usually has no solution, so the goal is instead to find the coefficients 𝑿𝑿 which fit the equations best in the sense of solving the quadratic minimization problem.

𝑿𝑿� = 𝑎𝑎𝑟𝑟𝛼𝛼 min_𝑿𝑿 𝑆𝑆(𝑿𝑿) (3.13)

where the objective function 𝑆𝑆(𝑿𝑿) is given by

𝑆𝑆(𝑿𝑿) = ‖𝒚𝒚 − 𝑿𝑿𝑿𝑿‖² (3.14)

By solving the problem in Eq. (3.13), it leads to a closed-form expression for the estimated value of the unknown coefficients β which contains modulation index offset, ToF, carrier frequency offset and carrier phase offset.

𝑿𝑿� = (𝑿𝑿^𝑻𝑻𝑿𝑿)⁻¹𝑿𝑿^𝑻𝑻𝒚𝒚 (3.15)

3.2 Simulation

The BLE signal generator and the LSE fitting routine are prepared by the company in MATLAB. In the script, random 48-bit symbol pattern is used to generate GFSK modulated complex signal. RF impairments namely white noise, modulation index offset, ToF, carrier frequency offset and carrier phase offset are added to the TX signal to create the RX signal. After this, the TX and RX phase pattern are fed into the fitting routine to obtain four estimated parameters.

3.2.1 Bit Pattern Issue

In the beginning, simulation only returns correct results for symbol pattern with equal number of 1s and 0s. This issue is caused by inappropriate phase differentiation calculation. The problem is caused by the usage of diff([phi1 0]) which means to append 0 to phi1 and calculate differentiation. If the unwrapped phase phi1 ends with 0 which means it has balanced number of 0s and 1s, the results is not influenced.

But if the phi1 ends with other value (unbalanced), then this calculation will give very wrong value, which results in wrong fitting results. After I change it to

fm1 = diff(phi1); fm1(end+1)=fm1(end);