
Monday, October 18, 2010

2.4 GHz Spectrum Analyser-CYM6935 Module

There are many wireless devices on the market now that broadcast in the 2.4 GHz spectrum, including Bluetooth, 802.11a/b Ethernet (WiFi), Zigbee, wireless USB, cordless phones, wireless mice and keyboards and the humble microwave oven. Depending on where you live in the world, your government has allocated a roughly 80 MHz block starting at 2.4 GHz for transmitting all manner of data. It's getting a bit crowded in this band, especially if you live in a built-up urban area. With this project you can monitor what's going on and figure out which channel to change your WiFi network to so that it keeps working when your neighbor rudely sets up their wireless network on the same channel as you (that'd be channel 6, you lazy sod).

How to do it? Quite a few companies now make 2.4 GHz data transceivers crammed into a single chip. These chips are very cheap but pack quite a bit of functionality. One thing they have in common is an RSSI (Receive Signal Strength Indicator) register that lets the chip measure how much signal power it is receiving. In practice, before the chip transmits it's generally a good idea to spend a few milliseconds listening to see if anything else is broadcasting on the same channel. If the RSSI level is below a certain threshold it's safe to assume the channel is clear to transmit on.
Taking advantage of this RSSI register allows one to construct a crude but effective spectrum analyser. Cypress Semiconductor make a range of 2.4 GHz transceiver chips intended for short range use such as wireless keyboards and mice. The CYWUSB6935 chip contains an RSSI register with 32 magnitude levels. It also has a radio that starts at 2.4 GHz and is tunable in 1 MHz steps. Unfortunately the chip comes in a "QFN" package with the pins secreted away under the casing of the chip, which makes it impossible to hand solder. Fortunately Cypress saw fit to produce the CYM6935 module - a little circuit board with the chip, support components and antennas conveniently integrated together. All we need to add is a parallel port, power and software to read the RSSI and see what the pesky neighbor is up to.
2.4 GHz Spectrum Analyser Components
- CYM6935 module - can be obtained from Cypress as a sample or purchased through their website and distributors
- 4 x 10 kΩ resistors
- 4 x 15 kΩ resistors
- 3 silicon diodes
- Ribbon cable
- Male DB-25 connector and backshell
- Hookup wire
- Prototype circuit board (such as Veroboard or a ready made PCB from Elektor)
- USB cable (for power only, not data)

2.4 GHz Spectrum Analyser Construction

The CYWUSB6935 is a 2.7 V to 3.6 V device. The three diodes are there to drop 5 V down to about 3 V. My PC PSU only puts out 4.7 V so I am using only two diodes to get 3.3 V. I originally tried to wire all 8 data outputs in parallel through a diode each so I could turn the device on and off from software. The current wasn't anywhere near enough, in spite of the data sheet for the I/O chip on my motherboard claiming it could supply it. As an alternative I chopped up a USB cable and derive my 4.7 V from the USB supply. You could be a pedant and use a 3.3 V regulator instead of the diodes.

The resistors divide the signal output levels from TTL down to 3 V CMOS compatible levels. The parallel port is TTL compatible, so the 3 V signals from the chip can directly drive the parallel port signal inputs.
The module itself uses a header with a 2 mm pitch, which isn't readily available from your local electronics shop. You can see in the photo below that I had to improvise with a cutout, bent wires and Blu-Tack to mount and connect the module to the main board.

2.4 GHz Spectrum Analyser Software
The QTScan Linux and QTScan Windows software I have written is a basic driver and display for the CYWUSB6935. It is a Qt application written to run under Linux and Windows. With little or no tweaking of the parallel port driver it may also work on the various BSDs and OS X (with a USB-to-parallel port device). The Qt viewer part shouldn't need changing on any platform.
Building The Software
To build the software ensure you have the Qt 4.x development and runtime libraries and kernel headers installed. I have already supplied a binary that should work on an Ubuntu Feisty based system. Otherwise, simply run make to build your own copy.
The parallel port driver is a bit-banging SPI driver. I have designed it to work in standard (SPP) parallel port mode and have set my BIOS to force SPP mode. The driver also initialises the chip and provides the scanning function.
The scanning function starts by setting the radio frequency channel to 0, which sets the receive frequency to 2.4 GHz. The RSSI value is then read and the channel number incremented. Each increment corresponds to a 1 MHz step and a complete scan ends at 2.483 GHz. The radio can go a bit higher but there isn't much point as that is outside the ISM band. The chip obtains an RSSI value by taking a snapshot of the power level on the channel in question for 50 microseconds.
By taking successive 50 µs snapshots of each frequency a complete scan is performed. Unfortunately, reading and writing the parallel port is a very slow process, as the port hardware deliberately runs at only several hundred kHz for historical and compatibility reasons. On my system I measure that about 600,000 ioctls/sec can be performed. This means that the inb and outb instructions used to access the parallel port stall for a very long time compared to the clock speed of the CPU. Because of this stalling you will notice the system load peak at close to 100% when running qtscan. In spite of this I get about 23 scans/sec, which is a useful speed. The SPI port on the radio chip can run about 10 times faster than what I am able to do with the parallel port - this would translate to well over 200 scans a second. This could be achieved with a dedicated GPIO or SPI port as found in many embedded microprocessors.
You can run qtscan even without any of the hardware, as the program blindly drives the parallel port. The scans/sec result reported on exit should be in the low 20s.
The parallel port driver and hardware provide a good start towards getting this module to do data transmissions as well as the trivial RSSI application.
The qtscan application displays the current scan as a red line. Absolute peak levels are displayed as green bars behind the red line. The ticks on the x-axis mark each channel at 1 MHz intervals; the span is from 2.4 GHz to 2.483 GHz. The yellow lines are the 13 802.11b channels. The y-axis ticks represent the 32 levels of the RSSI register. Unfortunately I haven't been able to calibrate what each magnitude tick translates to in received power in dBm. The data sheet says RSSI values in the range 28-31 correspond to -40 dBm and 0-10 to below -95 dBm. I don't think it's a precision measurement, nor did Cypress intend it to be.
Because each scan only takes successive 50 µs snapshots, the program needs to be left running to collect peak magnitudes. This peak magnitude plot builds up to give a good indication of the bandwidth and relative magnitude of a signal under observation.
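As an added illustration of the channel sweep and peak-hold logic described above (this is not qtscan's own code), the following C sketch abstracts the RSSI register read behind a function pointer, substitutes a constructed RSSI source for the parallel-port bit-bang, and estimates the occupied width of the strongest signal from the peak plot, the way one would eyeball it from the green bars. The 802.11b centre-frequency formula (2407 + 5n MHz), the 5-bit clamp, the level-5 noise floor and the simulated access point are assumptions not taken from the post.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FIRST_MHZ    2400  /* channel 0 receives at 2.400 GHz (from the article) */
#define NUM_CHANNELS 84    /* 1 MHz steps, last channel at 2.483 GHz (from the article) */
#define RSSI_MAX     31    /* 32-level RSSI register, values 0..31 */
/* Register access is abstracted so the sweep logic runs with no parallel port;
   a real driver would bit-bang the SPI read behind this pointer. */
typedef uint8_t (*rssi_reader)(int channel);
struct scan_state {
    uint8_t current[NUM_CHANNELS]; /* latest snapshot per channel (the red line) */
    uint8_t peak[NUM_CHANNELS];    /* peak hold across sweeps (the green bars) */
};
void scan_init(struct scan_state *s) { memset(s, 0, sizeof *s); }

/* One full sweep: tune channels 0..83, read RSSI at each, update the peak hold. */
void scan_once(struct scan_state *s, rssi_reader read)
{
    for (int ch = 0; ch < NUM_CHANNELS; ch++) {
        uint8_t v = read(ch);
        if (v > RSSI_MAX) v = RSSI_MAX;  /* register is only 5 bits wide */
        s->current[ch] = v;
        if (v > s->peak[ch]) s->peak[ch] = v;
    }
}

/* 802.11b channel n (1..13) is centred on 2407 + 5n MHz; return its 1 MHz bin. */
int wifi_centre_bin(int n) { return 2407 + 5 * n - FIRST_MHZ; }
/* Width in MHz of the contiguous run of peak-hold bins above `noise_floor` around
   the strongest bin, plus that run's centre bin; 0 if nothing exceeds the floor. */
int occupied_width_mhz(const struct scan_state *s, uint8_t noise_floor, int *centre_bin)
{
    int best = 0, lo, hi;
    for (int ch = 1; ch < NUM_CHANNELS; ch++)
        if (s->peak[ch] > s->peak[best]) best = ch;
    if (s->peak[best] <= noise_floor) return 0;
    for (lo = best; lo > 0 && s->peak[lo - 1] > noise_floor; lo--) {}
    for (hi = best; hi < NUM_CHANNELS - 1 && s->peak[hi + 1] > noise_floor; hi++) {}
    if (centre_bin) *centre_bin = (lo + hi) / 2;
    return hi - lo + 1;
}

/* Constructed stand-in for the radio (not captured data): an AP on 802.11b
   channel 9, RSSI 31 at centre falling 2 per MHz, over a level-5 noise floor. */
uint8_t fake_rssi(int ch)
{
    int d = abs(ch - wifi_centre_bin(9)), v = RSSI_MAX - 2 * d;
    return (uint8_t)(v > 5 ? v : 5);
}
```

With the noise floor set to the first 7 levels the post mentions, the simulated access point reads as a 23 MHz wide signal centred on bin 52 (2.452 GHz), matching the channel 9 marker.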
Image 1: This shows my microwave oven about 5 metres away merrily spamming a large portion of the 2.4 GHz band. This was a 50 second observation.
Image 2: This shows my access point centred nicely on channel 9 using 802.11b. You can see how the spectrum bleeds over into the adjacent channels (which is fine). This is a 2 minute observation of just the beacon and associated chatter from the access point with no actual data being sent. The magnitude peaks at the maximum level (31), which is no surprise as the AP is only 2 metres away.
Image 3: This shows what I suspect is the beacon carrier from a 2.4 GHz phone next door, centred around 2.411 GHz. I have observed it to jitter and even disappear on occasion but it's usually present. My /proc/cpuinfo says my Athlon's internal clock is at 2.31 GHz so I don't think it's my computer.
Image 4: This shows the sudden burst of traffic from my USB Bluetooth dongle (about 1 m away) when I ran the KDE OBEX client. It must be a broadcast of some kind. This scan lasted about 10 seconds.
In all the images the overall noise floor occupies the first 7 or so levels, which I think is a property of the device.

Source: DIY 2.4GHz Spectrum Analyser