LTE "Basestation" for RF testing

Hi!

I run a tiny EMC consulting business with an anechoic chamber.

To do RF integration testing, I was thinking of implementing a “honeypot” for every cellphone/modem inside the anechoic chamber (I have >120dB shielding, so no worries with any other radio service around) with a limesdr mini 2.0.

The only thing I would need from this “honeypod” is some means to make some traffic on the channel, to check for antenna gain and spurious emissions.

I followed the blog entries on https://www.quantulum.co.uk/ and finally got stuck. For my understanding, everything should be fine and I should see my private network on my smartphone..but I don’t.

While following these blogposts, I found some comments on the rx_gain and tx_gain settings. Those seem to be critical and the given values raise some questions to me since they seem to be for a different version of the limesdr.

So my first (of maybe millions of questions): Is there any known working config to get the limesdr mini 2.0 getting some device to connect an send some “Pings” over the air?

I can’t see any warning/error in any output…so I hope most things are good, but I can’t figure out where to start debugging.

Regards

All current LimeSDR boards use the same LMS7002M RFIC, with the only physical difference being variations in the RF matching on different boards. I’m not sure if there are any differences in how the gains are managed in the driver stack, but @ricardas could confirm.

I’ve not tried running srsRAN with a LimeSDR Mini, but there are some instructions here which have been verified with LimeSDR USB and could make a good starting point:

With any luck it would just be slightly different driver args.

Thanks for this link…

I tried several options and still nothing.

Finally, I fired up my RF gear to see if something’s actually “in the air”.

Up to this point, I didn’t because the laptop usually driving the RF gear is the one running the limesdr mini, and we’re all lazy right?

With the suggested rx/tx gain values (66/47) I can’t see anything in the noisefloor (so it’s well below the TX spurious limit!).

A TX Gain of 80 (default), brings me in the realm of the TX spurious limit… so it would be still “save” to operate outside the chamber!!!

This seems to be pretty wrong, right?

I could do some reverse-calculations from the distance to the next cell-tower, but could somebody suggest some reasonable field strength at the UE?

My educated guess would be 40dBm (10W) -105dB (about 2.5km @1.8GHz)=-65dBm as a minimum and -45dBm for some healthy reception. Is this reasonable?

For the RX-path I have the max TX-power in the etsi standards. So I could just add some attenuator in the RX-path and get the input path tuned in at a value around half-full-scale when presented with the nominal TX-power from the standard.

Is this a reasonable approach to start debugging the whole setup?

Or are there some “white papers” on what to do first?

Regards

Are you certain you have the correct RF paths selected? See:

Also just to note that gain values are arbitrary and not calibrated in e.g. dBm.

The problem is the documentation for me… it’s pretty well dispersed and hidden in a huge pile of sources… and I haven’t found the right spots yet.

That’s why I started with the mentioned blog series as a “known good setup”….

To be honest, I “fixed” (read: I removed several testcases that seem to fail compiling because fedora uses some newer GCC) I was’n really convinced already… But at least the shape of the 3MHz carrier looks realistic to me (compared to what I see from some real base station with my anechoic chambers door opened). Just too low for my liking…

My settings are

device_args = driver=lime,rxant=LNAH,txant=BAND2

My guess is that LNAH means whatever LNA that connects to RX_1 and BAND2 means TX_2…

But I haven’t found any documentation that would tell me what I could put there.

If you could get me some idea where those things could be documented, I’d appreciate it a lot!

That’s why I was asking about any working real-life values…

I can tune in the params until they really fit instead of trail and error.

Regards

The LMS7002M RFIC is 2x2 MIMO and each channel has 3x Rx ports and 2x Tx. With Mini you just have one channel which can be used and not all Rx paths are connected (LNAL is not). See:

So with your args you are selecting the Rx path with matching optimised for 2-2.6 GHz, and Tx path optimised for 0.03-1.9 GHz. I’m not sure what band you’re configuring the eNB for, but seems like your choices could be mismatched. In any case, it should still work.

Ok, I started over with the basics…ie. I ran the test util…. Loopback test failed.

[ TESTING STARTED ]
->Start time: Thu Dec 18 17:39:04 2025
->LimeSuite version: 23.11.0-g524cd2e5

->Device: LimeSDR Mini, media=USB 3.0, module=FT601, addr=24607:1027, serial=1DBB7C2CE7A092, HW=7, GW=2.2
  Serial Number: 1DBB7C2CE7A092
 Chip temperature: 45 C

[ Clock Network Test ]
->REF clock test
  Test results: 26204; 29134; 31957 - PASSED
->VCTCXO test
  Results : 6711007 (min); 6711046 (max) - PASSED
->Clock Network Test PASSED

[ FPGA EEPROM Test ]
->Read EEPROM
FPGA EEPROM not supported in v2
->FPGA EEPROM Test PASSED

[ LMS7002M Test ]
->Perform Registers Test
->External Reset line test
  Reg 0x20: Write value 0xFFFD, Read value 0xFFFD
  Reg 0x20: value after reset 0x0FFFF
->LMS7002M Test PASSED

[ RF Loopback Test ]
->Configure LMS
->Run Tests (TX_2 -> LNA_W):
  CH0 (SXR=1000.0MHz, SXT=1005.0MHz): Result:(-30.2 dBFS, 5.00 MHz) - FAILED
->Run Tests (TX_1 -> LNA_H):
  CH0 (SXR=2100.0MHz, SXT=2105.0MHz): Result:(-23.0 dBFS, 5.00 MHz) - PASSED
->RF Loopback Test FAILED

=> Board tests FAILED <=

Elapsed time: 1.69 seconds

This does not make me happy at all… even though several posts here suggest these are still acceptable values.

Regards

Some logs… maybe there’s some obvious problem…

Something I noticed: during my tests, I tried various values for RX and TX gain Since the gain values for the RX path did change, the PAD and IAMP values did not.

Active RF plugins: libsrsran_rf_soapy.so
Inactive RF plugins: 
---  Software Radio Systems LTE eNodeB  ---

Reading configuration file enb.conf...

Built in Release mode using commit 1fab3df on branch master.

Opening 1 channels in RF device=soapy with args=driver=lime,rxant=LNAH,txant=BAND1
Supported RF device list: soapy file
Soapy has found device #0: addr=24607:1027, driver=lime, label=LimeSDR Mini [USB 3.0] 1DBB7C2CE7A092, media=USB 3.0, module=FT601, name=LimeSDR Mini, serial=1DBB7C2CE7A092, 
Selecting Soapy device: 0
[INFO] Make connection: 'LimeSDR Mini [USB 3.0] 1DBB7C2CE7A092'
[INFO] Reference clock 40.00 MHz
[INFO] Device name: LimeSDR-Mini_v2
[INFO] Reference: 40 MHz
[INFO] LMS7002M register cache: Disabled
Setting up Rx stream with 1 channel(s)
[INFO] Using channel 0
Setting up Tx stream with 1 channel(s)
[INFO] Using channel 0
[INFO] RX LPF configured
[INFO] Filter calibrated. Filter order-4th, filter bandwidth set to 5 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
[INFO] TX LPF configured
Available device sensors: 
 - clock_locked
 - lms7_temp
Available sensors for Rx channel 0: 
 - lo_locked
Setting Rx channel 0 antenna to LNAH
Setting Tx channel 0 antenna to BAND1
State of gain elements for Rx channel 0 (AGC not supported):
 - TIA: 9.00 dB
 - LNA: 30.00 dB
 - PGA: -7.00 dB
State of gain elements for Tx channel 0 (AGC not supported):
 - PAD: 0.00 dB
 - IAMP: 0.00 dB
Rx antenna set to LNAH
Tx antenna set to BAND1

==== eNodeB started ===
Type <t> to view trace
Trying to start a plot but plots are disabled (ENABLE_GUI constant in sf_worker.cc)
[INFO] RX LPF configured
[INFO] Filter calibrated. Filter order-4th, filter bandwidth set to 11.52 MHz.Real pole 1st order filter set to 2.5 MHz. Preemphasis filter not active
[INFO] TX LPF configured
Setting manual TX/RX offset to 73 samples
Setting frequency: DL=2680.0 Mhz, UL=2560.0 MHz for cc_idx=0 nof_prb=50
[INFO] Tx calibration finished
[INFO] Rx calibration finished
^CStopping ..
---  exiting  ---

Built in Release mode using commit 1fab3df on branch master.


---  Software Radio Systems EPC  ---

Reading configuration file epc.conf...
HSS Initialized.
MME S11 Initialized
MME GTP-C Initialized
MME Initialized. MCC: 0xf001, MNC: 0xff01
SPGW GTP-U Initialized.
SPGW S11 Initialized.
SP-GW Initialized.
Received S1 Setup Request.
S1 Setup Request - eNB Name: srsenb01, eNB id: 0x19b
S1 Setup Request - MCC:001, MNC:01
S1 Setup Request - TAC 7, B-PLMN 0xf110
S1 Setup Request - Paging DRX v128
Sending S1 Setup Response
SCTP Association Shutdown. Association: 0
Received S1 Setup Request.
S1 Setup Request - eNB Name: srsenb01, eNB id: 0x19b
S1 Setup Request - MCC:001, MNC:01
S1 Setup Request - TAC 7, B-PLMN 0xf110
S1 Setup Request - Paging DRX v128
Sending S1 Setup Response
SCTP Association Shutdown. Association: 0
Received S1 Setup Request.
S1 Setup Request - eNB Name: srsenb01, eNB id: 0x19b
S1 Setup Request - MCC:001, MNC:01
S1 Setup Request - TAC 7, B-PLMN 0xf110
S1 Setup Request - Paging DRX v128
Sending S1 Setup Response
SCTP Association Shutdown. Association: 0
^CStopping ..
Deleting eNB context. eNB Id: 0x19b

---  exiting  ---

Some other question… are there some companies/contacts out there that would help me with my setup?

In the end, I “just” need 3 configs that allow me to connect the device under test at some low / “medium” / high frequency band to do some spot checks in the spectrum while creating some traffic in the RF channel.

Before trying myself, I reached out to a company in Berlin, but they did not react within 2 weeks…

regards

Hello there,
I hope you managed to solve this.

If not,
I am also trying to achieve something similar to this. i.e get the cell listed on my phone. I dont have any blank sims so , doing a full test doesn’t seem to be possible

I have some other HW . A limeNet Micro (with the raspberry pi CM3) and also a LImeSDR - USB (with MIMO antennas).

I think the logs that you posted looks more or less OK. The calibration part in LimeQuickTest ([ RF Loopback Test ]) is also fine as others have pointed out (I think the thresholds are too tight by design for LimeQuickTest)

If you are interested , I would like to collaborate with you and solve the problem.

-D

ps:
TBH , I also found Gemini to be very useful in finding out obscure configuration settings. But You probably need a peer (human with the Domain knowledge - pref 2) review to find out that the settings are safe .